'''
Deprecated register-style scaffolding; use ``import winapi`` instead.

Every function below is pseudo-assembly written in Python syntax.  ``mem``,
``PEB``, ``push``, ``pop`` and the ``r8``/``r10``/``r11``/``r12`` registers
are not defined in this file; presumably they are supplied by the DSL that
consumes it, and the register names are shared state rather than Python
locals -- confirm against that tooling before treating this as runnable.
'''
def get_kernel32():
    """Follow the PEB -> LDR -> ntdll -> kernelbase -> kernel32 chain and return the kernel32 base.

    The same value is also written to ``r8``, which ``get_export_address``,
    ``names_and_pointers`` and ``get_api`` read as the rebasing offset.
    ``PEB`` and ``mem`` are not defined in this file.
    """
    # rdi/rax/rdx are zeroed but never read in this function.
    rdi = rax = rdx = 0
    rbx = PEB
    rbx = mem[rbx+0x18] # LDR
    rbx = mem[rbx+0x20] # ntdll
    rbx = mem[rbx] # kernelbase
    rbx = mem[rbx] # kernel32
    rbx = mem[rbx+0x20] # kernel32 base
    # NOTE(review): in plain Python this assignment is a local and does not
    # outlive the call; presumably the DSL maps it to the register -- confirm.
    r8 = rbx
    return rbx
def get_export_address(rbx):
    """Return the address reached by following two offsets from ``rbx``.

    ``rbx`` is the value returned by ``get_kernel32``.  A 32-bit read at
    ``rbx+0x3c`` and then one at ``+0x88`` are each rebased by adding ``r8``,
    which this function reads but never sets.  ``ebx``/``edx`` are written
    and then the full ``rbx``/``rdx`` are used, so the DSL presumably treats
    them as the low halves of the same registers -- confirm.
    """
    ebx = mem[rbx+0x3c]
    rbx += r8
    rcx = 0x88
    edx = mem[rbx+rcx]
    rdx += r8
    return rdx
def names_and_pointers():
    """Load three rebased table pointers into ``r10``, ``r11`` and ``r12``.

    Reads 32-bit values at ``rdx+0x1c``, ``rdx+0x20`` and ``rdx+0x24`` and
    adds ``r8`` to each.  ``rdx`` and ``r8`` come from outside this function
    and the only return value is the literal ``0``; ``get_api`` and
    ``resolve_addr`` depend on the registers set here.
    NOTE(review): in plain Python these three assignments are locals and are
    discarded on return -- this only works if the DSL maps them to registers.
    """
    r10 = 0
    r10d = mem[rdx+0x1c]
    r10 += r8
    r11 = 0
    r11d = mem[rdx+0x20]
    r11 += r8
    r12 = 0
    r12d = mem[rdx+0x24]
    r12 += r8
    return 0
def get_api(rdx, rcx): # rdx: api_name rcx: api_size
    """Scan the name table at ``r11`` for ``rdx`` and return the matching rebased entry from ``r10``.

    ``rax`` indexes 4-byte entries in both tables (``r11+rax*4`` for names,
    ``r10+rax*4`` for pointers); each candidate name is rebased with ``r8``
    and compared as a string.  ``rcx`` is pushed and popped around the
    comparison but is not otherwise used in this file.  The loop has no
    upper bound, so a name that is absent never returns.
    NOTE(review): the ``push(rbx)`` before ``return`` has no matching ``pop``
    visible in this file -- confirm it is intended.
    """
    rax = 0
    while True:
        rdi = 0
        edi = mem[r11+rax*4]
        rdi += r8
        rsi = rdx
        push(rcx)
        if str(rsi) == str(rdi): # repe cmpsb
            #ax = mem[r12+rax*2]
            rax = mem[r10+rax*4]
            rax += r8
            push(rbx)
            return rax
        pop(rcx)
        rax += 1
def resolve_addr():
    """Return the rebased entry at index ``rax`` of the ``r10`` table.

    Same lookup as the hit branch of ``get_api``; ``rax``, ``r10`` and ``r8``
    are all read from outside this function.
    NOTE(review): in plain Python the assignment makes ``rax`` local, so the
    read on the right-hand side would raise UnboundLocalError; presumably the
    DSL resolves the name as a register -- confirm.
    """
    #ax = mem[r12+rax*2]
    rax = mem[r10+rax*4]
    rax += r8
    return rax
def runtime():
    """Run the three setup steps in the order later lookups need and return ``0``.

    Calls ``get_kernel32``, then ``get_export_address`` on its result, then
    ``names_and_pointers``; the local ``rbx`` is not used after the second call.
    NOTE(review): the state ``get_api`` later depends on (``r8``, ``r10``-``r12``,
    ``rdx``) is only propagated if the DSL treats those names as shared
    registers rather than Python locals.
    """
    rbx = get_kernel32()
    rbx = get_export_address(rbx)
    names_and_pointers()
    return 0
# Usage example left disabled as an inert module-level string literal; it is
# never executed.  The module docstring marks this file as deprecated.
'''
def main():
    runtime()
    rax = 'WinExec'
    rax = get_api(rax, 7)
    rcx = 'calc.exe'
    rax(rcx, 1) # pretty huh?
    return 0
'''