admin/white_patch_detect
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix up bug

Browse Source
This commit is contained in:
Huoji's
2024-08-03 19:53:27 +08:00
parent bb4ab85b58
commit e4145480c5
2 changed files with 175 additions and 206 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
white_patch_detect/pe/pe.cpp
View File

@@ -243,6 +243,10 @@ PIMAGE_SECTION_HEADER pe64::create_section(std::string name, uint32_t size,
return this->get_section(name); return this->get_section(name);
} }
uint64_t pe64::get_image_base() { uint64_t pe64::get_image_base() {
if (this->is_32_pe()) {
PIMAGE_NT_HEADERS32 ntHeaders = reinterpret_cast<PIMAGE_NT_HEADERS32>(this->get_nt());
return ntHeaders->OptionalHeader.ImageBase;
}
PIMAGE_NT_HEADERS ntHeaders = this->get_nt(); PIMAGE_NT_HEADERS ntHeaders = this->get_nt();
return ntHeaders->OptionalHeader.ImageBase; return ntHeaders->OptionalHeader.ImageBase;
} }

377
white_patch_detect/white_patch_detect.cpp
View File

@@ -37,16 +37,15 @@ auto calculateEntropy(void* data, size_t size) -> double {
return entropy; return entropy;
} }
auto buildFunctionMaps(pe64* pe) //@todo: 有个bug,32位这里获取的地址不准管他呢这个pe64本来就不是为了32位写的
-> std::vector<std::shared_ptr<_functionDetail>> { auto buildFunctionMaps(pe64* pe) -> std::vector<std::shared_ptr<_functionDetail>> {
std::vector<std::shared_ptr<_functionDetail>> functionList; std::vector<std::shared_ptr<_functionDetail>> functionList;
cs_insn* insn = nullptr; cs_insn* insn = nullptr;
size_t disasmCount = 0; size_t disasmCount = 0;
csh capstone_handle; csh capstone_handle;
do { do {
if (cs_open(CS_ARCH_X86, pe->is_32_pe() ? CS_MODE_32 : CS_MODE_64, if (cs_open(CS_ARCH_X86, pe->is_32_pe() ? CS_MODE_32 : CS_MODE_64, &capstone_handle) != CS_ERR_OK) {
&capstone_handle) != CS_ERR_OK) {
break; break;
} }
cs_option(capstone_handle, CS_OPT_DETAIL, CS_OPT_ON); cs_option(capstone_handle, CS_OPT_DETAIL, CS_OPT_ON);
@@ -58,8 +57,8 @@ auto buildFunctionMaps(pe64* pe)
disasmCount = disasmCount =
cs_disasm(capstone_handle, cs_disasm(capstone_handle,
reinterpret_cast<const uint8_t*>(codeAddressInMemory), reinterpret_cast<const uint8_t*>(codeAddressInMemory),
textSection->Misc.VirtualSize, 0, 0, &insn); textSection->Misc.VirtualSize, 0, 0, &insn);
if (disasmCount == 0) { if (disasmCount == 0) {
break; break;
} }
@@ -80,36 +79,32 @@ auto buildFunctionMaps(pe64* pe)
backTrackCodeList.push_back(codeMnemonic); backTrackCodeList.push_back(codeMnemonic);
if ((codeMnemonic != "int3" && codeMnemonic != "nop") && if ((codeMnemonic != "int3" && codeMnemonic != "nop") &&
((backTrackCodeList.size() > 2) && ((backTrackCodeList.size() > 2) &&
(backTrackCodeList[0] == "int3" || (backTrackCodeList[0] == "int3" ||
backTrackCodeList[0] == "nop") && backTrackCodeList[0] == "nop") &&
(backTrackCodeList[1] == "int3" || (backTrackCodeList[1] == "int3" ||
backTrackCodeList[1] == "nop") && backTrackCodeList[1] == "nop") &&
(backTrackCodeList[2] == "int3" || (backTrackCodeList[2] == "int3" ||
backTrackCodeList[2] == "nop")) && backTrackCodeList[2] == "nop")) &&
isEnterFunction == false) { isEnterFunction == false) {
// printf("进入函数 开始地址: %llx\n", codeAddressInMemory + // printf("进入函数 开始地址: %llx\n", codeAddressInMemory + offset);
// offset); printf("address: 0x%llx | size: %d code: %s %s \n", // printf("address: 0x%llx | size: %d code: %s %s \n",
// code.address, code.size, code.mnemonic, code.op_str); // code.address, code.size, code.mnemonic, code.op_str);
currentFuncAddress = codeAddressInMemory + offset; currentFuncAddress = codeAddressInMemory + offset;
isEnterFunction = true; isEnterFunction = true;
backTrackCodeList.clear(); backTrackCodeList.clear();
} else if ((codeMnemonic == "int3" || codeMnemonic == "nop") && }
((backTrackCodeList.size() > 2) && else if ((codeMnemonic == "int3" || codeMnemonic == "nop") &&
(backTrackCodeList[0] != "int3" && ((backTrackCodeList.size() > 2) &&
backTrackCodeList[0] != "nop")) && (backTrackCodeList[0] != "int3" &&
isEnterFunction) { backTrackCodeList[0] != "nop")) &&
// printf("退出函数 结束地址: %llx 当前大小: %d \n", isEnterFunction) {
// codeAddressInMemory + code.address, currentFuncAddress - //printf("退出函数 结束地址: %llx 当前大小: %d \n", codeAddressInMemory + code.address, currentFuncAddress - codeAddressInMemory);
// codeAddressInMemory);
auto func = _functionDetail{ auto func = _functionDetail{ .start_address = currentFuncAddress,
.start_address = currentFuncAddress, .end_address = codeAddressInMemory + code.address,
.end_address = codeAddressInMemory + code.address, .size = (codeAddressInMemory + code.address) - currentFuncAddress };
.size = (codeAddressInMemory + code.address) -
currentFuncAddress};
functionList.push_back(std::make_shared<_functionDetail>(func)); functionList.push_back(std::make_shared<_functionDetail>(func));
// printf("退出函数 结束地址: %llx 当前大小: %d \n", //printf("退出函数 结束地址: %llx 当前大小: %d \n", func.end_address, func.size);
// func.end_address, func.size);
isFirst = false; isFirst = false;
isEnterFunction = false; isEnterFunction = false;
@@ -125,7 +120,7 @@ auto buildFunctionMaps(pe64* pe)
.start_address = static_cast<uint64_t>(codeAddressInMemory), .start_address = static_cast<uint64_t>(codeAddressInMemory),
.end_address = static_cast<uint64_t>( .end_address = static_cast<uint64_t>(
codeAddressInMemory + textSection->Misc.VirtualSize), codeAddressInMemory + textSection->Misc.VirtualSize),
.size = textSection->Misc.VirtualSize})); .size = textSection->Misc.VirtualSize }));
} }
} while (false); } while (false);
cs_free(insn, disasmCount); cs_free(insn, disasmCount);
@@ -134,47 +129,48 @@ auto buildFunctionMaps(pe64* pe)
} }
return functionList; return functionList;
} }
class super_huoji_tracker { class super_huoji_tracker
public: {
public:
auto print_asm(const cs_insn* code) -> void; auto print_asm(const cs_insn* code) -> void;
super_huoji_tracker(uint64_t startAddr, size_t sizeOfCode, super_huoji_tracker(uint64_t startAddr, size_t sizeOfCode, uint64_t current_function_rva, bool is_32_pe);
uint64_t current_function_rva, bool is_32_pe);
~super_huoji_tracker(); ~super_huoji_tracker();
auto track_gs_access_64_i() -> void; auto track_gs_access_64_i() -> void;
auto track_gs_access_32_i() -> void; auto track_gs_access_32_i() -> void;
auto track_gs_access() -> void; auto track_gs_access() -> void;
private: private:
bool is_x32 = false; bool is_x32 = false;
std::vector<std::shared_ptr<cs_insn>> ins_list; std::vector<std::shared_ptr<cs_insn>> ins_list;
cs_insn* insn = nullptr; cs_insn* insn = nullptr;
size_t disasmCount = 0; size_t disasmCount = 0;
csh capstone_handle_i; csh capstone_handle_i;
uint64_t ins_ip, ins_ip_address, current_function_rva; uint64_t ins_ip, ins_ip_address, current_function_rva;
auto get_next_ins() -> std::shared_ptr<cs_insn>; auto get_next_ins()->std::shared_ptr<cs_insn>;
template <typename T, typename B> template<typename T, typename B>
auto match_code( auto match_code(T match_fn, B process_fn, std::optional<uint32_t> num_operands, std::vector<std::optional<x86_op_type>> operand_types) -> bool;
T match_fn, B process_fn, std::optional<uint32_t> num_operands,
std::vector<std::optional<x86_op_type>> operand_types) -> bool;
}; };
auto super_huoji_tracker::print_asm(const cs_insn* code) -> void { auto super_huoji_tracker::print_asm(const cs_insn* code) -> void {
printf("0x%08X :\t\t%s\t%s\t\n", code->address, code->mnemonic, printf("0x%08X :\t\t%s\t%s\t\n", code->address, code->mnemonic,
code->op_str); code->op_str);
for (int x = 0; x < code->size; x++) {
printf("%02X ", code->bytes[x]);
}
} }
super_huoji_tracker::super_huoji_tracker(uint64_t startAddr, size_t sizeOfCode, super_huoji_tracker::super_huoji_tracker(uint64_t startAddr, size_t sizeOfCode, uint64_t current_function_rva, bool is_32_pe)
uint64_t current_function_rva, {
bool is_32_pe) { if (cs_open(CS_ARCH_X86, is_32_pe ? CS_MODE_32 : CS_MODE_64, &capstone_handle_i) != CS_ERR_OK) {
if (cs_open(CS_ARCH_X86, is_32_pe ? CS_MODE_32 : CS_MODE_64,
&capstone_handle_i) != CS_ERR_OK) {
__debugbreak(); __debugbreak();
} }
cs_option(capstone_handle_i, CS_OPT_DETAIL, CS_OPT_ON); cs_option(capstone_handle_i, CS_OPT_DETAIL, CS_OPT_ON);
cs_option(capstone_handle_i, CS_OPT_SKIPDATA, CS_OPT_ON); cs_option(capstone_handle_i, CS_OPT_SKIPDATA, CS_OPT_ON);
is_x32 = is_32_pe; is_x32 = is_32_pe;
do { do
disasmCount = cs_disasm(capstone_handle_i, {
reinterpret_cast<const uint8_t*>(startAddr), disasmCount =
sizeOfCode, 0, 0, &insn); cs_disasm(capstone_handle_i,
reinterpret_cast<const uint8_t*>(startAddr),
sizeOfCode, 0, 0, &insn);
if (disasmCount == 0) { if (disasmCount == 0) {
break; break;
} }
@@ -186,7 +182,8 @@ super_huoji_tracker::super_huoji_tracker(uint64_t startAddr, size_t sizeOfCode,
this->current_function_rva = current_function_rva; this->current_function_rva = current_function_rva;
} }
super_huoji_tracker::~super_huoji_tracker() { super_huoji_tracker::~super_huoji_tracker()
{
if (insn) { if (insn) {
cs_free(insn, disasmCount); cs_free(insn, disasmCount);
} }
@@ -202,7 +199,8 @@ auto super_huoji_tracker::get_next_ins() -> std::shared_ptr<cs_insn> {
} }
template <typename T, typename B> template <typename T, typename B>
auto super_huoji_tracker::match_code( auto super_huoji_tracker::match_code(
T match_fn, B process_fn, std::optional<uint32_t> num_operands, T match_fn, B process_fn,
std::optional<uint32_t> num_operands,
std::vector<std::optional<x86_op_type>> operand_types) -> bool { std::vector<std::optional<x86_op_type>> operand_types) -> bool {
while (auto instruction = get_next_ins()) { while (auto instruction = get_next_ins()) {
if (&process_fn != nullptr) { if (&process_fn != nullptr) {
@@ -226,34 +224,28 @@ auto super_huoji_tracker::match_code(
return false; return false;
} }
auto super_huoji_tracker::track_gs_access_64_i() -> void { auto super_huoji_tracker::track_gs_access_64_i() -> void {
// const auto matched_gs_access = match_code([&](cs_insn* instruction) {}, //const auto matched_gs_access = match_code([&](cs_insn* instruction) {}, [&](cs_insn* instruction) {}, {}, {});
// [&](cs_insn* instruction) {}, {}, {}); const auto isGsRegAccess = match_code([&](cs_insn* instruction) {
const auto isGsRegAccess = match_code( //@todo: other access gs reg code...
[&](cs_insn* instruction) { if (instruction->id != X86_INS_MOV && instruction->id != X86_INS_MOVZX) {
//@todo: other access gs reg code... return false;
if (instruction->id != X86_INS_MOV && }
instruction->id != X86_INS_MOVZX) {
return false;
}
if (instruction->detail->x86.operands[1].mem.segment != if (instruction->detail->x86.operands[1].mem.segment != X86_REG_GS) {
X86_REG_GS) { return false;
return false; }
} /*
/* gs:[0x30] TEB
gs:[0x30] TEB gs:[0x40] Pid
gs:[0x40] Pid gs:[0x48] Tid
gs:[0x48] Tid gs:[0x60] PEB
gs:[0x60] PEB gs:[0x68] LastError
gs:[0x68] LastError */
*/ if (instruction->detail->x86.operands[1].mem.disp != 0x30 && instruction->detail->x86.operands[1].mem.disp != 0x60) {
if (instruction->detail->x86.operands[1].mem.disp != 0x30 && return false;
instruction->detail->x86.operands[1].mem.disp != 0x60) { }
return false; return true;
} }, [&](cs_insn* instruction) {}, {}, {});
return true;
},
[&](cs_insn* instruction) {}, {}, {});
if (isGsRegAccess == false) { if (isGsRegAccess == false) {
return; return;
} }
@@ -262,82 +254,71 @@ auto super_huoji_tracker::track_gs_access_64_i() -> void {
x86_reg ldrAccessReg; x86_reg ldrAccessReg;
bool isPebAccess = false; bool isPebAccess = false;
if (currentIns->detail->x86.operands[1].mem.disp == 0x30) { if (currentIns->detail->x86.operands[1].mem.disp == 0x30) {
// 从TEB访问的PEB->ldr //从TEB访问的PEB->ldr
isPebAccess = match_code( isPebAccess = match_code([&](cs_insn* instruction) {
[&](cs_insn* instruction) { //@todo: other access gs reg code...
//@todo: other access gs reg code... if (instruction->id != X86_INS_MOV && instruction->id != X86_INS_MOVZX) {
if (instruction->id != X86_INS_MOV && return false;
instruction->id != X86_INS_MOVZX) { }
return false;
}
if (instruction->detail->x86.operands[1].mem.base != if (instruction->detail->x86.operands[1].mem.base != gsAccessReg) {
gsAccessReg) { return false;
return false; }
} if (instruction->detail->x86.operands[1].mem.disp != 0x60) {
if (instruction->detail->x86.operands[1].mem.disp != 0x60) { return false;
return false; }
} ldrAccessReg = instruction->detail->x86.operands[0].reg;
ldrAccessReg = instruction->detail->x86.operands[0].reg; return true;
return true; }, [&](cs_insn* instruction) {}, {}, {});
}, }
[&](cs_insn* instruction) {}, {}, {}); else {
} else { //直接访问的GS->peb
// 直接访问的GS->peb
isPebAccess = true; isPebAccess = true;
ldrAccessReg = gsAccessReg; ldrAccessReg = gsAccessReg;
} }
if (isPebAccess == false) { if (isPebAccess == false) {
return; return;
} }
// 访问了PEB的ldr //访问了PEB的ldr
const auto isPebLdrAccess = match_code( const auto isPebLdrAccess = match_code([&](cs_insn* instruction) {
[&](cs_insn* instruction) { //@todo: other access gs reg code...
//@todo: other access gs reg code... if (instruction->id != X86_INS_MOV && instruction->id != X86_INS_MOVZX) {
if (instruction->id != X86_INS_MOV && return false;
instruction->id != X86_INS_MOVZX) { }
return false; if (instruction->detail->x86.operands[1].mem.base != ldrAccessReg) {
} return false;
if (instruction->detail->x86.operands[1].mem.base != ldrAccessReg) { }
return false; if (instruction->detail->x86.operands[1].mem.disp != 0x18) {
} return false;
if (instruction->detail->x86.operands[1].mem.disp != 0x18) { }
return false; return true;
} }, [&](cs_insn* instruction) {}, {}, {});
return true;
},
[&](cs_insn* instruction) {}, {}, {});
if (isPebLdrAccess == false) { if (isPebLdrAccess == false) {
return; return;
} }
printf( //rva不准因为函数识别不准
"malware function detected at address: 0x%llx by gs access peb->ldr \n", printf("malware function detected at address:0x%llx rva:0x%llx by gs access peb->ldr \n", this->current_function_rva + currentIns->address, this->current_function_rva);
this->current_function_rva);
this->print_asm(currentIns); this->print_asm(currentIns);
} }
auto super_huoji_tracker::track_gs_access_32_i() -> void { auto super_huoji_tracker::track_gs_access_32_i() -> void {
bool isMalwareDetect = false; bool isMalwareDetect = false;
cs_insn* currentIns; cs_insn* currentIns;
do { do
const auto isFsRegAccess = match_code( {
[&](cs_insn* instruction) { const auto isFsRegAccess = match_code([&](cs_insn* instruction) {
if (instruction->id != X86_INS_MOV && if (instruction->id != X86_INS_MOV && instruction->id != X86_INS_MOVZX) {
instruction->id != X86_INS_MOVZX) { return false;
return false; }
}
if (instruction->detail->x86.operands[1].mem.segment != if (instruction->detail->x86.operands[1].mem.segment != X86_REG_FS) {
X86_REG_FS) { return false;
return false; }
} // todo: SEH(FS:[00])
// todo: SEH(FS:[00]) if (instruction->detail->x86.operands[1].mem.disp != 0x30 && instruction->detail->x86.operands[1].mem.disp != 0x18) {
if (instruction->detail->x86.operands[1].mem.disp != 0x30 && return false;
instruction->detail->x86.operands[1].mem.disp != 0x18) { }
return false; return true;
} }, [&](cs_insn* instruction) {}, {}, {});
return true;
},
[&](cs_insn* instruction) {}, {}, {});
if (isFsRegAccess == false) { if (isFsRegAccess == false) {
return; return;
} }
@@ -356,32 +337,30 @@ auto super_huoji_tracker::track_gs_access_32_i() -> void {
cmp word ptr [ eax ], 0x5a4d // "MZ" cmp word ptr [ eax ], 0x5a4d // "MZ"
jne find_kernel32_base // 循 环遍 历 ,找到 则 返回 eax jne find_kernel32_base // 循 环遍 历 ,找到 则 返回 eax
*/ */
const auto isTebAccess = match_code( const auto isTebAccess = match_code([&](cs_insn* instruction) {
[&](cs_insn* instruction) { if (instruction->id != X86_INS_MOV && instruction->id != X86_INS_MOVZX) {
if (instruction->id != X86_INS_MOV && return false;
instruction->id != X86_INS_MOVZX) { }
return false;
}
if (instruction->detail->x86.operands[1].mem.base !=
fsAccessReg) {
return false;
}
if (instruction->detail->x86.operands[1].mem.disp != 0x4) {
return false;
}
return true;
},
[&](cs_insn* instruction) {}, {}, {});
if (instruction->detail->x86.operands[1].mem.base != fsAccessReg) {
return false;
}
if (instruction->detail->x86.operands[1].mem.disp != 0x4) {
return false;
}
return true;
}, [&](cs_insn* instruction) {}, {}, {});
if (isTebAccess) { if (isTebAccess) {
isMalwareDetect = true; isMalwareDetect = true;
break; break;
} else { }
else {
// todo , teb获取PEB然后访问ldr... // todo , teb获取PEB然后访问ldr...
DebugBreak(); DebugBreak();
} }
} else if (currentIns->detail->x86.operands[1].mem.disp == 0x30) { }
else if (currentIns->detail->x86.operands[1].mem.disp == 0x30) {
/* /*
mov eax,fs:[30h] ;得到PEB结构地址 mov eax,fs:[30h] ;得到PEB结构地址
mov eax,[eax + 0ch] ;得到PEB_LDR_DATA结构地址 mov eax,[eax + 0ch] ;得到PEB_LDR_DATA结构地址
@@ -391,84 +370,70 @@ auto super_huoji_tracker::track_gs_access_32_i() -> void {
mov eax,[eax];win7要加 mov eax,[eax];win7要加
mov edx,[eax + 8h] ;得到BaseAddress既Kernel32.dll基址 mov edx,[eax + 8h] ;得到BaseAddress既Kernel32.dll基址
*/ */
const auto isPebLdrAccess = match_code( const auto isPebLdrAccess = match_code([&](cs_insn* instruction) {
[&](cs_insn* instruction) { if (instruction->id != X86_INS_MOV && instruction->id != X86_INS_MOVZX) {
if (instruction->id != X86_INS_MOV && return false;
instruction->id != X86_INS_MOVZX) { }
return false;
}
if (instruction->detail->x86.operands[1].mem.base != if (instruction->detail->x86.operands[1].mem.base != fsAccessReg) {
fsAccessReg) { return false;
return false; }
} if (instruction->detail->x86.operands[1].mem.disp != 0xc) {
if (instruction->detail->x86.operands[1].mem.disp != 0xc) { return false;
return false; }
} return true;
return true; }, [&](cs_insn* instruction) {}, {}, {});
},
[&](cs_insn* instruction) {}, {}, {});
isMalwareDetect = isPebLdrAccess; isMalwareDetect = isPebLdrAccess;
break; break;
} else { }
// todo: fs:00 SEH访问 else {
//todo: fs:00 SEH访问
//__debugbreak(); //__debugbreak();
} }
} while (false); } while (false);
if (isMalwareDetect) { if (isMalwareDetect) {
printf( //这个rva只能说仅供参考因为识别不准!
"malware function detected at address: 0x%llx by gs access " printf("malware function detected at address:0x%llx rva:0x%llx by fs access peb->ldr \n", this->current_function_rva + currentIns->address, this->current_function_rva);
"peb->ldr \n",
this->current_function_rva);
this->print_asm(currentIns); this->print_asm(currentIns);
} }
} }
auto super_huoji_tracker::track_gs_access() -> void { auto super_huoji_tracker::track_gs_access() -> void
{
this->is_x32 ? this->track_gs_access_32_i() : this->track_gs_access_64_i(); this->is_x32 ? this->track_gs_access_32_i() : this->track_gs_access_64_i();
} }
auto functionAnalysis( auto functionAnalysis(std::vector<std::shared_ptr<_functionDetail>> functionlist, pe64* peFileObject) -> void {
std::vector<std::shared_ptr<_functionDetail>> functionlist,
pe64* peFileObject) -> void {
double maxEntropy = -1.0; double maxEntropy = -1.0;
uint64_t maxEntropyAddress = 0; uint64_t maxEntropyAddress = 0;
for (auto& func : functionlist) { for (auto& func : functionlist) {
auto entropy =
calculateEntropy(reinterpret_cast<void*>(func.get()->start_address), auto entropy = calculateEntropy(reinterpret_cast<void*>(func.get()->start_address), func.get()->size);
func.get()->size);
if (entropy > maxEntropy) { if (entropy > maxEntropy) {
maxEntropy = entropy; maxEntropy = entropy;
maxEntropyAddress = maxEntropyAddress = func.get()->start_address - reinterpret_cast<uint64_t>(peFileObject->get_buffer()->data());
func.get()->start_address -
reinterpret_cast<uint64_t>(peFileObject->get_buffer()->data());
} }
auto tracker = new super_huoji_tracker( auto tracker = new super_huoji_tracker(func.get()->start_address, func.get()->size, func.get()->start_address - reinterpret_cast<uint64_t>(peFileObject->get_buffer()->data()), peFileObject->is_32_pe());
func.get()->start_address, func.get()->size,
func.get()->start_address -
reinterpret_cast<uint64_t>(peFileObject->get_buffer()->data()),
peFileObject->is_32_pe());
tracker->track_gs_access(); tracker->track_gs_access();
delete tracker; delete tracker;
} }
if (maxEntropy > 7.0f) { if (maxEntropy > 7.0f) {
printf( printf("malware function detected at address: 0x%08x + 0x%llx = 0x%llx entropy %f \n", maxEntropyAddress, peFileObject->get_image_base(), (peFileObject->get_image_base() + maxEntropyAddress), maxEntropy);
"malware function detected at address: 0x%08x + 0x%llx = 0x%llx "
"entropy %f \n",
maxEntropyAddress, peFileObject->get_image_base(),
(peFileObject->get_image_base() + maxEntropyAddress), maxEntropy);
} }
} }
int main() { int main()
const std::string filePath = "z:\\huoji.bin"; {
const std::string filePath = "z:\\c5d2400f16c15e4a5bce60ccaf47bd341db23235a5ee073ebd3b3fd5e982ac72";
pe64* peFileObject = NULL; pe64* peFileObject = NULL;
do { do
{
try { try {
srand(time(NULL)); srand(time(NULL));
peFileObject = new pe64(filePath); peFileObject = new pe64(filePath);
} catch (std::runtime_error e) { }
catch (std::runtime_error e) {
std::cout << "Runtime error: " << e.what() << std::endl; std::cout << "Runtime error: " << e.what() << std::endl;
break; break;
} }
@@ -485,6 +450,6 @@ int main() {
functionAnalysis(functionlist, peFileObject); functionAnalysis(functionlist, peFileObject);
} }
} while (false); } while (false);
return 0; return 0;
} }