-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathupx_unpacker.py
154 lines (112 loc) · 4.18 KB
/
upx_unpacker.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
from ctypes import *
import sys
# You must set your path to pyemu
sys.path.append("C:\\PyEmu")
sys.path.append("C:\\PyEmu\\lib")
from PyEmu import PEPyEmu
'''
HMODULE WINAPI LoadLibrary(
__in LPCTSTR lpFileName
);
'''
def loadlibrary(name, address):
# Retrieve the DLL name
dllname = emu.get_memory_string(emu.get_memory(emu.get_register("ESP") + 4))
# Make a real call to LoadLibrary and return the handle
dllhandle = windll.kernel32.LoadLibraryA(dllname)
emu.set_register("EAX", dllhandle)
# Reset the stack and return from the handler
return_address = emu.get_memory(emu.get_register("ESP"))
emu.set_register("ESP", emu.get_register("ESP") + 8)
emu.set_register("EIP", return_address)
return True
'''
FARPROC WINAPI GetProcAddress(
__in HMODULE hModule,
__in LPCSTR lpProcName
);
'''
def getprocaddress(name, address):
# Get both arguments, which are a handle and the procedure name
handle = emu.get_memory(emu.get_register("ESP") + 4)
proc_name = emu.get_memory(emu.get_register("ESP") + 8)
# lpProcName can be a name or ordinal, if top word is null its an ordinal
if (proc_name >> 16):
procname = emu.get_memory_string(emu.get_memory(emu.get_register("ESP") + 8))
else:
procname = arg2
# Add the procedure to the emulator
emu.os.add_library(handle, procname)
import_address = emu.os.get_library_address(procname)
# Return the import address
emu.set_register("EAX", import_address)
# Reset the stack and return from our handler
return_address = emu.get_memory(emu.get_register("ESP"))
emu.set_register("ESP", emu.get_register("ESP") + 8)
emu.set_register("EIP", return_address)
return True
'''
BOOL WINAPI VirtualProtect(
__in LPVOID lpAddress,
__in SIZE_T dwSize,
__in DWORD flNewProtect,
__out PDWORD lpflOldProtect
);
'''
def virtualprotect(name, address):
# Just return TRUE
emu.set_register("EAX", 1)
# Reset the stack and return from our handler
return_address = emu.get_memory(emu.get_register("ESP"))
emu.set_register("ESP", emu.get_register("ESP") + 16)
emu.set_register("EIP", return_address)
return True
# When the unpacking routine is finished, handle the JMP to the OEP
def jmp_handler(emu, mnemonic, eip, op1, op2, op3):
# The UPX1 section
if eip < emu.sections["UPX1"]["base"]:
print "[*] We are jumping out of the unpacking routine."
print "[*] OEP = 0x%08x" % eip
# Dump the unpacked binary to disk
dump_unpacked(emu)
# We can stop emulating now
emu.emulating = False
return True
# Dump out our newly unpacked binary
def dump_unpacked(emu):
global outputfile
fh = open(outputfile, 'wb')
print "[*] Dumping UPX0 Section"
base = emu.sections["UPX0"]["base"]
length = emu.sections["UPX0"]["vsize"]
print "[*] Base: 0x%08x Vsize: %08x" % (base, length)
for x in range(length):
fh.write("%c" % emu.get_memory(base + x, 1))
print "[*] Dumping UPX1 Section"
base = emu.sections["UPX1"]["base"]
length = emu.sections["UPX1"]["vsize"]
print "[*] Base: 0x%08x Vsize: %08x" % (base, length)
for x in range(length):
fh.write("%c" % emu.get_memory(base + x, 1))
print "[*] Finished."
# Commandline arguments
exename = sys.argv[1]
outputfile = sys.argv[2]
# Instantiate our emulator object
emu = PEPyEmu()
if exename:
# Load the binary into PyEmu
if not emu.load(exename):
print "[!] Problem loading %s" % exename
sys.exit(2)
else:
print "[!] Blank filename specified"
sys.exit(3)
# Set our library handlers
emu.set_library_handler("LoadLibraryA", loadlibrary)
emu.set_library_handler("GetProcAddress", getprocaddress)
emu.set_library_handler("VirtualProtect", virtualprotect)
# Set a breakpoint at the real entry point to dump binary
emu.set_mnemonic_handler( "jmp", jmp_handler )
# Execute starting from the header entry point
emu.execute( start=emu.entry_point )