Merge pull request #1448 from cea-sec/generic-unpack

Generic import recovery (cheap ImpRec style)

1 files changed, 53 insertions, 0 deletions

diff --git a/example/jitter/unpack_generic.py b/example/jitter/unpack_generic.py
new file mode 100644
index 00000000..3329d2a9
--- /dev/null
+++ b/example/jitter/unpack_generic.py
@@ -0,0 +1,53 @@
+from __future__ import print_function
+import os
+import logging
+from miasm.analysis.sandbox import Sandbox_Win_x86_32
+from miasm.jitter.loader.pe import vm2pe, ImpRecStrategy
+from miasm.core.locationdb import LocationDB
+from miasm.jitter.jitload import JitterException
+
+parser = Sandbox_Win_x86_32.parser(description="Generic & dummy unpacker")
+parser.add_argument("filename", help="PE Filename")
+parser.add_argument("--oep", help="Stop and dump if this address is reached")
+parser.add_argument('-v', "--verbose",
+                    help="verbose mode", action="store_true")
+options = parser.parse_args()
+
+loc_db = LocationDB()
+sb = Sandbox_Win_x86_32(
+    loc_db, options.filename, options, globals(),
+    parse_reloc=False
+)
+
+if options.verbose is True:
+    logging.basicConfig(level=logging.INFO)
+else:
+    logging.basicConfig(level=logging.WARNING)
+
+if options.verbose is True:
+    print(sb.jitter.vm)
+
+def stop(jitter):
+    logging.info('User provided OEP reached')
+    # Stop execution
+    return False
+
+if options.oep:
+    # Set callbacks
+    sb.jitter.add_breakpoint(int(options.oep, 0), stop)
+    
+# Run until an error is encountered - IT IS UNLIKELY THE ORIGINAL ENTRY POINT
+try:
+    sb.run()
+except (JitterException, ValueError) as e:
+    logging.exception(e)
+
+out_fname = "%s.dump" % (options.filename)
+
+# Try a generic approach to rebuild the Import Table
+imprec = ImpRecStrategy(sb.jitter, sb.libs, 32)
+imprec.recover_import()
+
+# Rebuild the PE and dump it
+print("Dump to %s" % out_fname)
+vm2pe(sb.jitter, out_fname, libs=sb.libs, e_orig=sb.pe)