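Problem description
I am trying to interpret the Node.js PE executable as a research project.
I am using Ghidra to disassemble the instructions, and have built out all my x86-64 registers (JSFiddle; it works as far as the registers go, but instruction parsing still has a long way to go), like this: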
#!/bin/bash
# Run Ghidra headless analysis on every executable and log the script output per file.
files=`ls /mnt/c/...snip.../executable-disassembler-ghidra/node/executables`
for file in $files
do
  /mnt/c/Users/...snip.../executable-disassembler-ghidra/node/ghidra/support/analyzeHeadless \
    /mnt/c/Users/...snip.../executable-disassembler-ghidra/node/project my-project \
    -import "/mnt/c/Users/...snip.../executable-disassembler-ghidra/node/executables/$file" \
    -postScript IterateInstructionsScript.java \
    -scriptlog "/mnt/c/Users/...snip.../data/disassembled/ghidra/raw/$file.txt"
done
After a bit of parsing:
[
  {
    "source": "0040205c ADD byte ptr [EDX + 0x1] DH ",
    "addressHex": "0040205c",
    "addressDec": 4202588,
    "instruct": "ADD byte ptr [EDX + 0x1] DH",
    "instructParts": ["ADD", "byte", "ptr", "[EDX", "+", "0x1]", "DH"]
  },
  {
    "source": "0040205f ADD byte ptr [EAX] AL ",
    "addressHex": "0040205f",
    "addressDec": 4202591,
    "instruct": "ADD byte ptr [EAX] AL",
    "instructParts": ["ADD", "byte", "ptr", "[EAX]", "AL"]
  },
  {
    "source": "00402061 JO 0x0040208b ",
    "addressHex": "00402061",
    "addressDec": 4202593,
    "instruct": "JO 0x0040208b",
    "instructParts": ["JO", "0x0040208b"]
  },
  {
    "source": "00402063 SLDT dword ptr [EAX] ",
    "addressHex": "00402063",
    "addressDec": 4202595,
    "instruct": "SLDT dword ptr [EAX]",
    "instructParts": ["SLDT", "dword", "ptr", "[EAX]"]
  },
  ...
]
As I step through the instructions, I interpret them and read/write values to the registers, memory, and storage:
instructionData {instruct: "ADD byte ptr [EDX + 0x1] DH",nextAddress: 4202591}
mnemonic: ADD
operandsstr: byte ptr [EDX + 0x1] DH
operandParts: (4) ["byte","ptr","[EDX + 0x1]","DH"]
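But I have not yet parsed out the .data section of the exe, although I am reading the PE file format documentation, and in the file, I am not sure whether this is correct:
Can someone explain exactly which parts I need, and how to extract them (or just .data) using Node.js? If there is a trivial alternative or a simpler answer, I don't want to reinvent the wheel for every component of my project.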
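One way to pull a section such as .data out of a PE file in Node.js, as an added example that is not part of the original question: it walks the section table at the offsets given in the Microsoft PE/COFF specification. The helper names (parseSections, sectionBytes, buildSample) and the sample image are constructed for illustration.

```javascript
// Added example: locate a PE section by walking the section table.
// For a real file: const buf = require('fs').readFileSync(path);
function parseSections(buf) {
  if (buf.length < 0x40 || buf.readUInt16LE(0) !== 0x5a4d) throw new Error('missing MZ header');
  const peOff = buf.readUInt32LE(0x3c);               // e_lfanew: offset of "PE\0\0"
  if (peOff + 24 > buf.length || buf.readUInt32LE(peOff) !== 0x00004550)
    throw new Error('missing PE signature');
  const coff = peOff + 4;                             // COFF file header (20 bytes)
  const count = buf.readUInt16LE(coff + 2);           // NumberOfSections
  const optSize = buf.readUInt16LE(coff + 16);        // SizeOfOptionalHeader
  const table = coff + 20 + optSize;                  // section table follows the optional header
  if (table + count * 40 > buf.length) throw new Error('section table truncated');
  const sections = [];
  for (let i = 0; i < count; i++) {
    const h = table + i * 40;                         // each section header is 40 bytes
    sections.push({
      name: buf.toString('latin1', h, h + 8).split('\0')[0],
      virtualSize: buf.readUInt32LE(h + 8),
      virtualAddress: buf.readUInt32LE(h + 12),       // RVA, relative to ImageBase
      rawSize: buf.readUInt32LE(h + 16),              // SizeOfRawData
      rawOffset: buf.readUInt32LE(h + 20),            // PointerToRawData (file offset)
      characteristics: buf.readUInt32LE(h + 36),
    });
  }
  return sections;
}

function sectionBytes(buf, name) {
  const s = parseSections(buf).find((x) => x.name === name);
  if (!s) return null;
  // Only min(VirtualSize, SizeOfRawData) bytes come from the file; the loader zero-fills the rest.
  const n = s.virtualSize ? Math.min(s.virtualSize, s.rawSize) : s.rawSize;
  if (s.rawOffset + n > buf.length) throw new Error('section data truncated');
  return buf.subarray(s.rawOffset, s.rawOffset + n);
}

// Constructed sample: a minimal PE32 skeleton with one ".data" section holding "ABCD".
function buildSample() {
  const buf = Buffer.alloc(0x400);
  buf.writeUInt16LE(0x5a4d, 0);                       // "MZ"
  buf.writeUInt32LE(0x80, 0x3c);                      // e_lfanew
  buf.writeUInt32LE(0x4550, 0x80);                    // "PE\0\0"
  buf.writeUInt16LE(1, 0x86);                         // NumberOfSections
  buf.writeUInt16LE(0xe0, 0x94);                      // SizeOfOptionalHeader (PE32)
  const h = 0x84 + 20 + 0xe0;                         // first section header
  buf.write('.data', h, 'latin1');
  [[8, 4], [12, 0x3000], [16, 0x200], [20, 0x200], [36, 0xc0000040]]
    .forEach(([off, v]) => buf.writeUInt32LE(v, h + off));
  buf.write('ABCD', 0x200, 'latin1');
  return buf;
}
```

The virtualAddress field is an RVA; to match absolute addresses like those in the disassembly listing, add the ImageBase value from the optional header.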