import argparse
import speakeasy
import logging
def get_logger():
    """
    Return the shared 'emu_exe' logger, configured on first use.

    The first call attaches a StreamHandler and sets the level to INFO;
    later calls return the same logger untouched, so no duplicate handlers
    (and no duplicated log lines) are created.
    """
    log = logging.getLogger('emu_exe')
    # Already configured by an earlier call: hand it back as-is.
    if log.handlers:
        return log
    log.addHandler(logging.StreamHandler())
    log.setLevel(logging.INFO)
    return log
def hook_ntreadfile(emu, api_name, func, params):
    """
    API hook installed on ntdll!NtReadFile as an example of tampering with
    the data an emulated program reads from a file.

    Args:
        emu: the emulator instance; used here to read and write guest memory
        api_name: The full name including module of the hooked API
        func: the real emulated function provided by the framework.
            Users can call this by passing in "params" whenever they choose
        params: the arguments passed to the function

    Returns:
        whatever the real emulated NtReadFile returned
    """
    # Run the framework's own NtReadFile first so the guest buffer is filled
    result = func(params)
    log = get_logger()
    # Positional NtReadFile arguments; only the buffer and its length are used
    _hnd, _evt, _apcf, _apcc, _ios, buf, size, _offset, _key = params
    # `size` comes from the guest's own arguments (untrusted input);
    # NOTE(review): presumably mem_read/mem_write fault on unmapped ranges — confirm in speakeasy
    log.info(emu.mem_read(buf, size))
    # Replace the buffer contents the emulated program is about to consume
    emu.mem_write(buf, b'A' * size)
    return result
def main(args):
    """
    Emulate the EXE at ``args.file`` with an NtReadFile hook installed.

    Args:
        args: parsed command line; only ``args.file`` (path of the EXE) is read
    """
    # An optional logger can be supplied to the speakeasy object
    emulator = speakeasy.Speakeasy(logger=get_logger())
    # Intercept ntdll!NtReadFile so the buffer handed back to the EXE can be modified
    emulator.add_api_hook(hook_ntreadfile, 'ntdll', 'NtReadFile')
    # Load the module into the emulation space and run it from its entry point
    emulator.run_module(emulator.load_module(args.file))
if __name__ == '__main__':
    # Command line: a single required path to the EXE to emulate
    parser = argparse.ArgumentParser(
        description='Emulate an EXE and call its entry point'
    )
    parser.add_argument(
        '-f', '--file',
        action='store',
        dest='file',
        required=True,
        help='Path of EXE to emulate',
    )
    main(parser.parse_args())