Quick Offset Finder

Hi all,

Just a quick post… I was following a patching topic on a friend’s forum where someone asked for a fast way to find the offset of a known pattern in a PE file. So I wrote this small Python script, which uses pefile and pydasm.

So here is a two-minute Python script: it searches for a given pattern in a PE file and shows both the offset and the instructions for each match.

Here is an example of the output:

[Image: find offset]

Here is the source code:

# by ratsoul

import pefile
import pydasm

#your PE file target
TARGET  = r""
#your pattern
PATTERN = "\xC4\xFF\xE0"
#number of instructions shown for each offset
NUM_INSTR = 5

lenPattern = len(PATTERN)
pe = pefile.PE(TARGET, fast_load=True)
codes = {}

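for idx in xrange(len(pe.__data__)):
    if PATTERN in pe.__data__[idx:lenPattern+idx]:
        off = idx
        count = 0
        code = ""
        # disassemble up to NUM_INSTR instructions starting at the match
        # (MODE_32 assumes a 32-bit target)
        while count < NUM_INSTR:
            i = pydasm.get_instruction(pe.__data__[off:], pydasm.MODE_32)
            if i is None:
                # undecodable bytes or end of file: stop here
                break
            code += "%08X -> " % off + pydasm.get_instruction_string(i, pydasm.FORMAT_INTEL, off) + '\n'
            off += i.length
            count += 1
        codes[idx] = code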

print "[*] Found: %d" %len(codes)
# print the matches in ascending file-offset order
for offset in sorted(codes):
    print "\t[+] %08X:" %offset
    for c in codes[offset].split("\n"):
        print "\t\t%s" %c

The code is available here.
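The script above reports raw file offsets, while disassemblers and debuggers usually show RVAs. As an added example (not part of the original script), this standard-library Python 3 code maps each match to its section and RVA by reading the section table directly and flags matches that fall outside every section; `build_sample` and the tiny PE image it produces are constructed for illustration.

```python
import struct

def find_all(data, pattern):
    """Yield every file offset where pattern occurs, overlapping matches included."""
    pos = data.find(pattern)
    while pos != -1:
        yield pos
        pos = data.find(pattern, pos + 1)

def sections(data):
    """Parse the PE section table into (name, rva, raw_offset, raw_size) tuples."""
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20
    (count,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    result = []
    for i in range(count):
        name, _vsize, rva, raw_size, raw_off = struct.unpack_from(
            "<8sIIII", data, table + 40 * i)
        result.append((name.rstrip(b"\0").decode("ascii", "replace"),
                       rva, raw_off, raw_size))
    return result

def locate(data, pattern):
    """Return (file_offset, section, rva) per match; (offset, None, None) outside sections."""
    secs = sections(data)
    hits = []
    for off in find_all(data, pattern):
        owner = next((s for s in secs if s[2] <= off < s[2] + s[3]), None)
        hits.append((off, owner[0], owner[1] + off - owner[2]) if owner
                    else (off, None, None))
    return hits

def build_sample(pattern):
    """Constructed minimal PE image: one .text section at file offset 0x200, RVA 0x1000."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    sect = struct.pack("<8sIIII16x", b".text", 0x200, 0x1000, 0x200, 0x200)
    headers = (dos + coff + sect).ljust(0x200, b"\0")
    text = (b"\x90" * 0x10 + pattern).ljust(0x200, b"\x90")
    return headers + text + pattern  # trailing copy sits in the overlay

if __name__ == "__main__":
    for off, sec, rva in locate(build_sample(b"\xC4\xFF\xE0"), b"\xC4\xFF\xE0"):
        where = "%s RVA %08X" % (sec, rva) if sec else "outside any section"
        print("%08X  %s" % (off, where))
```

To get a virtual address, add the image base from the optional header to the RVA.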

Sorry for the short post, but I’m a little bit busy at the moment… see you in the next post 🙂
