In [80]:
import os, sys, re
import pymongo as pm
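# Connection settings.  The host can be overridden; the credentials are read
# from the environment only (variable names chosen here).  A notebook is
# committed and shared with its outputs, so any username/password literal
# that ever appeared in it has to be treated as disclosed.
db_address = os.environ.get('MALWARE_DB_HOST', "afruizc-office.cs.unm.edu")
username = os.environ.get('MALWARE_DB_USER')
password = os.environ.get('MALWARE_DB_PASSWORD')
if not username or not password:
    sys.stderr.write("MALWARE_DB_USER / MALWARE_DB_PASSWORD not set. Terminating...\n")
    sys.stderr.flush()
    sys.exit(1)

mg = pm.MongoClient(db_address)
# NOTE(review): Database.authenticate() is the older pymongo API this
# notebook was written against; recent pymongo releases drop it in favour of
# passing the credentials to MongoClient -- confirm against the installed
# driver version.
if not mg.malware.authenticate(username, password):
    # Previously this only printed "Terminating..." and then carried on with
    # an unauthenticated client; actually stop the cell.
    sys.stderr.write("Authentication error. Terminating...\n")
    sys.stderr.flush()
    sys.exit(1)

# Obtain the collection every later cell reads from and writes to.
samples = mg.malware.samples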
In [81]:
In [14]:
In [77]:
In [108]:
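def open_asm(filename, data_dir=None):
    """Read the raw bytes of one IDA ``.asm`` listing from the training set.

    Args:
        filename: sample id; the ``.asm`` extension is appended here.  Ids
            come from the database, so only a bare name is accepted -- a
            value containing a path separator (or ``.``/``..``) is rejected
            rather than joined into a path outside ``data_dir``.
        data_dir: directory holding the ``.asm`` files.  Defaults to the
            ``MALWARE_DATA_DIR`` environment variable (name chosen here),
            then to the local checkout the notebook was written against.
            The shared-host copy lived under
            ``/nfs/research/agonzales/git/microsoft_malware_challenge/data/train/``.

    Returns:
        list of ``bytes`` lines, newline kept and undecoded: the listings
        are not guaranteed to be valid UTF-8 (see ``to_utf``).

    Raises:
        ValueError: if ``filename`` is empty or not a bare file name.
        OSError: if the file cannot be opened.
    """
    bad_name = (not filename
                or os.sep in filename
                or (os.altsep is not None and os.altsep in filename)
                or filename in ('.', '..'))
    if bad_name:
        raise ValueError('sample id must be a bare file name: %r' % (filename,))
    if data_dir is None:
        data_dir = os.environ.get(
            'MALWARE_DATA_DIR',
            '/Users/carlyhendrickson/git/microsoft_malware_challenge/data/train/')
    datapath = os.path.join(data_dir, filename + '.asm')
    # Binary mode on purpose: decoding is deferred to to_utf, per line.
    with open(datapath, 'rb') as f:
        return f.readlines()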
In [78]:
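def to_utf(line):
    """Decode one raw listing line as UTF-8.

    Args:
        line: a ``bytes`` line as returned by ``open_asm``.

    Returns:
        the decoded ``str``, or ``None`` when the bytes are not valid UTF-8.
        Listings of malware samples routinely contain arbitrary byte
        sequences; such lines are dropped later by ``filter_comments``
        rather than failing the whole file.
    """
    try:
        return str(line, 'utf8')
    except UnicodeDecodeError:
        # Deliberately silent: callers treat None as "skip this line".
        return None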
In [119]:
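# Greedy on purpose: strips everything from the first to the last '-' or '='
# on a line (IDA's "-----"/"=====" banner rules), plus stray tabs left over
# from the raw read.  Compiled once instead of per line.
_BANNER_OR_TAB = re.compile(r'([-=].*[-=]|\t)')


def filter_comments(asm_utf):
    """Extract the IDA Pro comments from a decoded assembly listing.

    Args:
        asm_utf: iterable of decoded lines (``str``), with ``None`` standing
            for lines that failed to decode -- i.e. ``to_utf`` mapped over
            the output of ``open_asm``.

    Returns:
        list of comment strings in file order: the text after the first
        ``;`` of each line, stripped, with banner rules and tabs removed.
        Lines without ``;``, comments of at most one character and comments
        that become empty after cleaning are dropped.  Non-printing
        characters that IDA embeds in the listing (e.g. the xref arrow
        bytes) are left as-is.
    """
    comments = []
    for line in asm_utf:
        if line is None:  # undecodable line, see to_utf
            continue
        # maxsplit=1 keeps a comment that itself contains ';' intact; the
        # earlier re.split(...)[1] silently truncated it at the second ';'.
        parts = line.split(';', 1)
        if len(parts) < 2:
            continue
        text = parts[1].strip()
        if len(text) <= 1:  # single characters carry no information
            continue
        text = _BANNER_OR_TAB.sub('', text)
        if text:
            comments.append(text)
    return comments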
In [ ]:
# Ids of every sample labelled class 5.  NOTE(review): this cell carries no
# execution count, yet the cells below read `names`; under Restart & Run All
# it has to run before them.
names = []
for post in samples.find({'class': '5'}):
    names.append(post['id'])
In [69]:
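# Batch pass: decode every class-5 listing, extract its IDA comments and
# store them on the sample's document.
for name in names:
    try:
        asm = open_asm(name)
    except (OSError, ValueError) as err:
        # A missing or oddly named sample must not abort the whole batch
        # (previously the first unreadable file stopped the loop); report
        # it and move on.
        sys.stderr.write('skipping %s: %s\n' % (name, err))
        sys.stderr.flush()
        continue
    asm_utf = [to_utf(line) for line in asm]
    comments = filter_comments(asm_utf)
    # NOTE(review): Collection.update() is the legacy pymongo call; newer
    # drivers expect update_one() -- match whatever version is installed.
    samples.update({'id': name},
                   {"$set": {"ida_comments": comments}})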
In [103]:
# Single-sample smoke test: take the first class-5 id and display it.
test_file = names[0]
test_file
Out[103]:
'0qjuDC7Rhx9rHkLlItAp'
In [120]:
# Raw (undecoded) lines of the smoke-test sample.
test_asm = open_asm(test_file)
In [121]:
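# Decode, then extract.  A new name is used so re-running this cell stays
# idempotent: rebinding `test_asm` to its decoded form meant a second run
# fed str lines back into to_utf and raised TypeError.
test_asm_utf = [to_utf(line) for line in test_asm]
test_comments = filter_comments(test_asm_utf)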
In [127]:
# Write the smoke-test result back; the returned document shows n/nModified.
samples.update({'id': test_file}, {"$set": {'ida_comments': test_comments }})
Out[127]:
{'n': 1, 'ok': 1, 'updatedExisting': True, 'nModified': 1}
In [130]:
# Read the stored comments back.  If several documents share the id, the last
# one wins; if none does, `comments` keeps its previous value.
for line in samples.find({'id': test_file}):
    comments = line['ida_comments']
In [131]:
Out[131]:
['++',
'| This filehas been generated by The Interactive Disassembler (IDA) |',
'| Copyright(c) 2013 Hexrays.com> |',
'| License info: |',
'| Microsoft |',
'++',
'[00001000 BYTES: COLLAPSED SEGMENT HEADER. PRESS KEYPAD CTRL-"+" TO EXPAND]',
'[00002000 BYTES: COLLAPSED SEGMENT _edata. PRESS KEYPAD CTRL-"+" TO EXPAND]',
'Section 2. (virtual address 00003000)',
'Virtual size: 00004000 ( 16384.)',
'Section size in file: 00003800 ( 14336.)',
'Offset to rawdata for section: 00001A00',
'Flags60000020: Text Executable Readable',
'Alignment: default',
'Segment type:Pure code',
'Segment permissions: Read/Execute',
'org 403000h',
'DATA XREF: HEADER:004000AC\x18o',
'HEADER:004001AC\x18o',
'DATA XREF: .data:off_4324A5\x19o',
'Attributes: bp-based frame',
'CODE XREF: start+40E\x19p',
'start+421\x19p',
'CODE XREF: sub_4035A8+35\x18j',
'Attributes: bp-based frame',
'CODE XREF: start+4D7\x19p',
'start+8FB\x19p ...',
'lpWndClass',
'lpClassName',
'hInstance',
'CODE XREF: sub_40362C+4B\x18j',
'CODE XREF: start+2E0\x19p',
'start+705\x19p ...',
'CODE XREF: sub_4036C4+2B\x18j',
'CODE XREF: sub_4036C4+64\x18j',
'CODE XREF: start+5F0\x19p',
'start+718\x19p ...',
'Attributes: bp-based frame',
'CODE XREF: start+526\x19p',
'CODE XREF: .icode:00403776\x18j',
'CODE XREF: sub_4037DC+1C\x18j',
'CODE XREF: sub_4037DC+9F\x18j',
'CODE XREF: start+A3F\x19p',
'color',
'plpal',
'CODE XREF: sub_4038B8+4A\x18j',
'Attributes: bp-based frame',
'CODE XREF: start+914\x19p',
'lpName',
'GetEnhMetaFileA',
'CODE XREF: start+499\x19p',
'start+5BC\x19p ...',
'phkResult',
'samDesired',
'ulOptions',
'lpSubKey',
'hKey',
'RegOpenKeyExW',
'CODE XREF: sub_4039E0+67\x18j',
'CODE XREF: .icode:00403AEA\x18j',
'Attributes: bp-based frame',
'CODE XREF: start+25D\x19p',
'start+2F9\x19p ...',
'GdiGetBatchLimit',
'CODE XREF: sub_403B30+56\x18j',
'CODE XREF: start+686\x19p',
'start+873\x19p',
'lpFileName',
'CODE XREF: sub_403BB4+2F\x18j',
'CODE XREF: sub_403BB4+63\x18j',
'Attributes: bp-based frame',
'CODE XREF: start+8DD\x19p',
'start+9A4\x19p',
'CODE XREF: sub_403C54+5F\x18j',
'Attributes: bp-based frame',
'CODE XREF: start+62A\x19p',
'CODE XREF: sub_403CC8+92\x18j',
'CODE XREF: .icode:00403DCD\x18j',
'Attributes: bp-based frame',
'CODE XREF: start+6F8\x19p',
'phkResult',
'samDesired',
'ulOptions',
'lpSubKey',
'hKey',
'CODE XREF: sub_403DFC+68\x18j',
'Attributes: bp-based frame',
'CODE XREF: start+3E9\x19p',
'CODE XREF: sub_403EA4+89\x18j',
'CODE XREF: start+215\x19p',
'start+597\x19p ...',
'command',
'lpszFileName',
'lpszCMID',
'reserved',
'UpdateICMRegKeyA',
'CODE XREF: sub_403F54+6B\x18j',
'CODE XREF: start+4B\x19p',
'bEnable',
'hWnd',
'CODE XREF: start+96D\x19p',
'CODE XREF: start+2D2\x19p',
'start+396\x19p ...',
'color',
'CreateSolidBrush',
'CODE XREF: sub_40414C+43\x18j',
'CODE XREF: sub_40414C+60\x18j',
'CODE XREF: sub_40414C+87\x18j',
'Attributes: bp-based frame',
'CODE XREF: start+941\x19p',
'start+9CA\x19p ...',
'Attributes: bp-based frame',
'CODE XREF: start+202\x19p',
'start+315\x19p ...',
'CODE XREF: start+1AF\x19p',
'STARTOF FUNCTION CHUNK FOR start',
'CODE XREF: start+17F\x19j',
'start+81C\x19j',
'CODE XREF: start-A8B\x19j',
'END OF FUNCTION CHUNKFOR start',
'CODE XREF: sub_4043B9+7B\x19p',
'start+644\x19j',
'CODE XREF: start+238\x19j',
'CODE XREF: start+1CB\x19j',
'CODE XREF: start+606\x19j',
'start+6CE\x19j',
'CODE XREF: start+2C2\x19j',
'start+5E9\x19j',
'CODE XREF: start+153\x19j',
'sp-analysis failed',
'CODE XREF: start-9B1\x19p',
'start+1F9\x19j',
'CODE XREF: start+56A\x19j',
'sp-analysis failed',
'STARTOF FUNCTION CHUNK FOR start',
'CODE XREF: start+197\x19j',
'CODE XREF: start-9A1\x19j',
'END OF FUNCTION CHUNKFOR start',
'CODE XREF: start-9A4\x18j',
'CODE XREF: .icode:0040454E\x18j',
'CODE XREF: .icode:00404819\x19j',
'CODE XREF: .icode:004048B0\x18j',
'CODE XREF: .icode:00404A52\x18j',
'CODE XREF: .icode:00404AD0\x18j',
'CODE XREF: .icode:00404B43\x18j',
'CODE XREF: .icode:00404B7A\x18j',
'CODE XREF: .icode:00404BC8\x18j',
'Attributes: bp-based frame',
'FUNCTION CHUNK AT .icode:00404389 SIZE 00000030 BYTES',
'FUNCTION CHUNK AT .icode:00404441 SIZE 00000064 BYTES',
'bDeleteExistingResources',
'pFileName',
'CODE XREF: start+52\x18j',
'LPCSTR',
'GetStockObject',
'color',
'CreateSolidBrush',
'bDeleteExistingResources',
'pFileName',
'CODE XREF: start+300\x18j',
'phkResult',
'samDesired',
'ulOptions',
'lpSubKey',
'hKey',
'CODE XREF: start+380\x18j',
'CODE XREF: start+39D\x18j',
'CODE XREF: start+3FE\x18j',
'CODE XREF: start+415\x18j',
'CODE XREF: start+428\x18j',
'CODE XREF: start+44D\x18j',
'CODE XREF: start+4F1\x18j',
'CODE XREF: start+531\x18j',
'CODE XREF: start+52D\x18j',
'CODE XREF: start+552\x18j',
'dwMilliseconds',
'hHandle',
'ho',
'CODE XREF: start+68D\x18j',
'CODE XREF: start+70F\x18j',
'CODE XREF: start+72B\x18j',
'CODE XREF: start+78B\x18j',
'CODE XREF: start+7BC\x18j',
'CODE XREF: start+7B8\x18j',
'CODE XREF: start+85A\x18j',
'CODE XREF: start+899\x18j',
'sp-analysis failed',
'Section 3. (virtual address 00007000)',
'Virtual size: 000043CE ( 17358.)',
'Section size in file: 00000C00 ( 3072.)',
'Offset to rawdata for section: 00005200',
'Flags40000040: Data Readable',
'Alignment: default',
'Imports from KERNEL32.dll',
'Segment type:Externs',
'_idata',
'BOOL __stdcall FreeLibrary(HMODULE hLibModule)',
'DATA XREF: HEADER:004000B0\x18o',
'HEADER:00400158\x18o ...',
'HMODULE __stdcall GetModuleHandleW(LPCWSTR lpModuleName)',
'HMODULE __stdcall LoadLibraryW(LPCWSTR lpLibFileName)',
'CODE XREF: .icode:00403AB6\x18p',
'DATA XREF: .icode:00403AB6\x18r',
'DWORD__stdcall GetModuleFileNameW(HMODULE hModule, LPWSTR lpFilename, DWORD nSize)',
'BOOL __stdcall SetEvent(HANDLE hEvent)',
'void __stdcall Sleep(DWORD dwMilliseconds)',
'DWORD__stdcall GetLastError()',
'BOOL __stdcall GetExitCodeThread(HANDLE hThread, LPDWORD lpExitCode)',
'DWORD__stdcall GetTempPathW(DWORD nBufferLength, LPWSTR lpBuffer)',
'DWORD__stdcall WaitForSingleObject(HANDLE hHandle, DWORD dwMilliseconds)',
'CODE XREF: start+5DF\x18p',
'DATA XREF: start+5DF\x18r',
'void __stdcall GetStartupInfoW(LPSTARTUPINFOWlpStartupInfo)',
'LPTOP_LEVEL_EXCEPTION_FILTER __stdcall SetUnhandledExceptionFilter(LPTOP_LEVEL_EXCEPTION_FILTER lpTopLevelExceptionFilter)',
'BOOL __stdcall QueryPerformanceCounter(LARGE_INTEGER *lpPerformanceCount)',
'DWORD__stdcall GetTickCount()',
'DWORD__stdcall GetCurrentThreadId()',
'CODE XREF: sub_403C54+8\x18p',
'DATA XREF: sub_403C54+8\x18r',
'DWORD__stdcall GetCurrentProcessId()',
'HANDLE __stdcall GetCurrentProcess()',
'CODE XREF: start-A97\x18p',
'DATA XREF: start-A97\x18r',
'BOOL __stdcall IsDebuggerPresent()',
'BOOL __stdcall GetVersionExW(LPOSVERSIONINFOWlpVersionInformation)',
'HLOCAL __stdcall LocalFree(HLOCAL hMem)',
'HLOCAL __stdcall LocalAlloc(UINT uFlags, SIZE_T uBytes)',
'int __stdcallMulDiv(int nNumber, intnNumerator, intnDenominator)',
'HANDLE __stdcall BeginUpdateResourceW(LPCWSTRpFileName, BOOLbDeleteExistingResources)',
'CODE XREF: start+27\x18p',
'start+27A\x18p',
'DATA XREF: ...',
'FARPROC __stdcall GetProcAddress(HMODULE hModule, LPCSTR lpProcName)',
'HMODULE __stdcall GetModuleHandleA(LPCSTR lpModuleName)',
'CODE XREF: .icode:00404A40\x18p',
'DATA XREF: .icode:00404A40\x18r',
'Imports from USER32.DLL',
'HWND __stdcall GetActiveWindow()',
'CODE XREF: sub_404204+8\x18p',
'DATA XREF: sub_404204+8\x18r ...',
'BOOL __stdcall GetIconInfo(HICON hIcon, PICONINFO piconinfo)',
'HWND __stdcall GetFocus()',
'BOOL __stdcall IsWindow(HWND hWnd)',
'BOOL __stdcall CopyRect(LPRECT lprcDst, constRECT *lprcSrc)',
'HANDLE __stdcall LoadImageW(HINSTANCEhInst, LPCWSTR name, UINT type,int cx,int cy,UINT fuLoad)',
'BOOL __stdcall InvalidateRect(HWND hWnd, const RECT *lpRect, BOOL bErase)',
'BOOL __stdcall DestroyIcon(HICON hIcon)',
'int wsprintfW(LPWSTR,LPCWSTR, ...)',
'HICON__stdcall LoadIconW(HINSTANCE hInstance, LPCWSTR lpIconName)',
'BOOL __stdcall EnableWindow(HWND hWnd, BOOL bEnable)',
'CODE XREF: sub_404070+E\x18p',
'DATA XREF: sub_404070+E\x18r',
'BOOL __stdcall IsIconic(HWND hWnd)',
'BOOL __stdcall PostMessageW(HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam)',
'int __stdcallGetSystemMetrics(int nIndex)',
'int __stdcallMessageBoxW(HWND hWnd, LPCWSTR lpText, LPCWSTR lpCaption, UINT uType)',
'LRESULT __stdcall SendMessageW(HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam)',
'HMENU__stdcall LoadMenuIndirectA(const MENUTEMPLATEA*lpMenuTemplate)',
'LPWSTR __stdcall CharLowerW(LPWSTR lpsz)',
'void __stdcall mouse_event(DWORD dwFlags, DWORD dx, DWORD dy,DWORD dwData, ULONG_PTRdwExtraInfo)',
'BOOL __stdcall GetMenuInfo(HMENU, LPMENUINFO)',
'LPWSTR __stdcall CharPrevW(LPCWSTR lpszStart,LPCWSTRlpszCurrent)',
'BOOL __stdcall GetClassInfoW(HINSTANCE hInstance, LPCWSTR lpClassName, LPWNDCLASSW lpWndClass)',
'CODE XREF: sub_40362C+2B\x18p',
'DATA XREF: sub_40362C+2B\x18r',
'BOOL __stdcall SetDlgItemInt(HWND hDlg, int nIDDlgItem, UINT uValue, BOOL bSigned)',
'BOOL __stdcall GetMenuItemRect(HWND hWnd, HMENU hMenu, UINT uItem, LPRECT lprcItem)',
'int __stdcallMessageBoxIndirectA(const MSGBOXPARAMSA*lpmbp)',
'BOOL __stdcall SetDlgItemTextA(HWND hDlg, intnIDDlgItem, LPCSTR lpString)',
'INT_PTR __stdcall DialogBoxIndirectParamA(HINSTANCE hInstance, LPCDLGTEMPLATEA hDialogTemplate, HWND hWndParent, DLGPROC lpDialogFunc, LPARAMdwInitParam)',
'BOOL __stdcall WinHelpW(HWND hWndMain, LPCWSTR lpszHelp, UINTuCommand, ULONG_PTR dwData)',
'int __stdcallGetKeyboardType(int nTypeFlag)',
'BOOL __stdcall IsChild(HWND hWndParent, HWND hWnd)',
'BOOL __stdcall SetMenu(HWND hWnd, HMENU hMenu)',
'DWORD__stdcall GetSysColor(int nIndex)',
'HICON__stdcall CopyIcon(HICON hIcon)',
'UINT __stdcall GetDlgItemInt(HWND hDlg, int nIDDlgItem, BOOL *lpTranslated, BOOL bSigned)',
'HWND __stdcall CreateDialogIndirectParamW(HINSTANCE hInstance, LPCDLGTEMPLATEW lpTemplate, HWND hWndParent, DLGPROC lpDialogFunc, LPARAM dwInitParam)',
'void __stdcall keybd_event(BYTE bVk, BYTE bScan, DWORD dwFlags, ULONG_PTR dwExtraInfo)',
'BOOL __stdcall PeekMessageA(LPMSG lpMsg, HWNDhWnd, UINT wMsgFilterMin, UINT wMsgFilterMax, UINT wRemoveMsg)',
'HWND __stdcall GetCapture()',
'UINT __stdcall RegisterWindowMessageW(LPCWSTRlpString)',
'Imports from GDI32.DLL',
'HBRUSH __stdcall CreatePatternBrush(HBITMAP hbm)',
'DATA XREF: .rdata:004071E4\x19o',
'BOOL __stdcall DeleteObject(HGDIOBJ ho)',
'CODE XREF: start+5FB\x18p',
'DATA XREF: start+5FB\x18r',
'HDC __stdcallCreateCompatibleDC(HDC hdc)',
'HPEN __stdcall CreatePen(int iStyle, int cWidth, COLORREF color)',
'HFONT__stdcall CreateFontIndirectW(const LOGFONTW *lplf)',
'HPALETTE __stdcall CreatePalette(const LOGPALETTE *plpal)',
'CODE XREF: sub_4038B8+25\x18p',
'DATA XREF: sub_4038B8+25\x18r',
'HBRUSH __stdcall CreateSolidBrush(COLORREF color)',
'CODE XREF: sub_4038B8+8\x18p',
'sub_40414C+F\x18p ...',
'HGDIOBJ __stdcall GetStockObject(int i)',
'CODE XREF: sub_4043B9+1B\x18p',
'start+190\x18p',
'DATA XREF: ...',
'HDC __stdcallCreateMetaFileW(LPCWSTRpszFile)',
'HENHMETAFILE __stdcall GetEnhMetaFileA(LPCSTRlpName)',
'CODE XREF: sub_40397C+1E\x18p',
'DATA XREF: sub_40397C+18\x18r',
'HENHMETAFILE __stdcall SetWinMetaFileBits(UINT nSize,const BYTE *lpMeta16Data, HDC hdcRef, const METAFILEPICT *lpMFP)',
'int __stdcallAddFontResourceA(LPCSTR)',
'CODE XREF: start+174\x18p',
'DATA XREF: start+174\x18r',
'DWORD__stdcall GdiGetBatchLimit()',
'CODE XREF: sub_403B30+15\x18p',
'DATA XREF: sub_403B30+F\x18r',
'BOOL __stdcall UpdateICMRegKeyA(DWORDreserved, LPSTRlpszCMID, LPSTRlpszFileName, UINT command)',
'CODE XREF: sub_403F54+1C\x18p',
'DATA XREF: sub_403F54+16\x18r',
'BOOL __stdcall RemoveFontResourceA(LPCSTR lpFileName)',
'CODE XREF: sub_403BB4+F\x18p',
'DATA XREF: sub_403BB4+F\x18r',
'Imports from ADVAPI32.DLL',
'LSTATUS __stdcall RegOpenKeyExW(HKEY hKey, LPCWSTR lpSubKey, DWORD ulOptions,REGSAM samDesired, PHKEY phkResult)',
'CODE XREF: sub_4039E0+3E\x18p',
'.icode:00403DB5\x18p ...',
'LSTATUS __stdcall RegCloseKey(HKEY hKey)',
'LSTATUS __stdcall RegQueryValueExW(HKEY hKey,LPCWSTRlpValueName, LPDWORD lpReserved, LPDWORD lpType, LPBYTElpData,LPDWORDlpcbData)',
'Imports from COMCTL32.DLL',
'void __stdcall InitCommonControls()',
'DATA XREF: .rdata:0040720C\x19o',
'Imports from URLMON.DLL',
'HRESULT __stdcall IsValidURL(LPBC pBC, LPCWSTR szURL,DWORD dwReserved)',
'DATA XREF: .rdata:00407220\x19o',
'HRESULT __stdcall URLDownloadToFileW(LPUNKNOWN, LPCWSTR, LPCWSTR, DWORD, LPBINDSTATUSCALLBACK)',
'Imports from WINIPSEC.DLL',
'DATA XREF: .rdata:00407234\x19o',
'Imports from avifil32.dll',
'DATA XREF: .rdata:00407248\x19o',
'Segment type:Pure data',
'Segment permissions: Read',
'org 4071ACh',
'DATA XREF: HEADER:00400100\x18o',
'Import Name Table',
'Time stamp',
'Forwarder Chain',
'DLL Name',
'Import Address Table',
'Import Name Table',
'Time stamp',
'Forwarder Chain',
'DLL Name',
'Import Address Table',
'Import Name Table',
'Time stamp',
'Forwarder Chain',
'DLL Name',
'Import Address Table',
'ImportName Table',
'Time stamp',
'Forwarder Chain',
'DLL Name',
'Import Address Table',
'Import Name Table',
'Time stamp',
'Forwarder Chain',
'DLL Name',
'Import Address Table',
'Import Name Table',
'Time stamp',
'Forwarder Chain',
'DLL Name',
'Import Address Table',
'ImportName Table',
'Time stamp',
'Forwarder Chain',
'DLL Name',
'Import Address Table',
'ImportName Table',
'Time stamp',
'Forwarder Chain',
'DLL Name',
'Import Address Table',
'Import names for KERNEL32.dll',
'DATA XREF: .rdata:__IMPORT_DESCRIPTOR_KERNEL32\x18o',
'Import names for USER32.DLL',
'DATA XREF: .rdata:__IMPORT_DESCRIPTOR_USER32\x18o',
'Import names for GDI32.DLL',
'DATA XREF: .rdata:__IMPORT_DESCRIPTOR_GDI32\x18o',
'Import names for ADVAPI32.DLL',
'DATA XREF: .rdata:__IMPORT_DESCRIPTOR_ADVAPI32\x18o',
'Import names for COMCTL32.DLL',
'DATA XREF: .rdata:__IMPORT_DESCRIPTOR_COMCTL32\x18o',
'Import names for URLMON.DLL',
'DATA XREF: .rdata:__IMPORT_DESCRIPTOR_URLMON\x18o',
'Import names for WINIPSEC.DLL',
'DATA XREF: .rdata:__IMPORT_DESCRIPTOR_WINIPSEC\x18o',
'Import names for avifil32.dll',
'DATA XREF: .rdata:__IMPORT_DESCRIPTOR_avifil32\x18o',
'DATA XREF: .rdata:off_407260\x18o',
'DATA XREF: .rdata:00407264\x18o',
'DATA XREF: .rdata:00407268\x18o',
'DATA XREF: .rdata:0040726C\x18o',
'DATA XREF: .rdata:00407270\x18o',
'DATA XREF: .rdata:00407274\x18o',
'DATA XREF: .rdata:00407278\x18o',
'DATA XREF: .rdata:0040727C\x18o',
'DATA XREF: .rdata:00407280\x18o',
'DATA XREF: .rdata:00407284\x18o',
'DATA XREF: .rdata:00407288\x18o',
'DATA XREF: .rdata:0040728C\x18o',
'DATA XREF: .rdata:00407290\x18o',
'DATA XREF: .rdata:00407294\x18o',
'DATA XREF: .rdata:00407298\x18o',
'DATA XREF: .rdata:0040729C\x18o',
'DATA XREF: .rdata:004072A0\x18o',
'DATA XREF: .rdata:004072A4\x18o',
'DATA XREF: .rdata:004072A8\x18o',
'DATA XREF: .rdata:004072AC\x18o',
'DATA XREF: .rdata:004072B0\x18o',
'DATA XREF: .rdata:004072B4\x18o',
'DATA XREF: .rdata:004072B8\x18o',
'DATA XREF: .rdata:004072BC\x18o',
'DATA XREF: .rdata:004072C0\x18o',
'DATA XREF: .rdata:004071B8\x18o',
'DATA XREF: .rdata:off_4072C8\x18o',
'DATA XREF: .rdata:004072CC\x18o',
'DATA XREF: .rdata:004072D0\x18o',
'DATA XREF: .rdata:004072D4\x18o',
'DATA XREF: .rdata:004072D8\x18o',
'DATA XREF: .rdata:004072DC\x18o',
'DATA XREF: .rdata:004072E0\x18o',
'DATA XREF: .rdata:004072E4\x18o',
'DATA XREF: .rdata:004072E8\x18o',
'DATA XREF: .rdata:004072EC\x18o',
'DATA XREF: .rdata:004072F0\x18o',
'DATA XREF: .rdata:004072F4\x18o',
'DATA XREF: .rdata:004072F8\x18o',
'DATA XREF: .rdata:004072FC\x18o',
'DATA XREF: .rdata:00407300\x18o',
'DATA XREF: .rdata:00407304\x18o',
'DATA XREF: .rdata:00407308\x18o',
'DATA XREF: .rdata:0040730C\x18o',
'DATA XREF: .rdata:00407310\x18o',
'DATA XREF: .rdata:00407314\x18o',
'DATA XREF: .rdata:00407318\x18o',
'DATA XREF: .rdata:0040731C\x18o',
'DATA XREF: .rdata:00407320\x18o',
'DATA XREF: .rdata:00407324\x18o',
'DATA XREF: .rdata:00407328\x18o',
'DATA XREF: .rdata:0040732C\x18o',
'DATA XREF: .rdata:00407330\x18o',
'DATA XREF: .rdata:00407334\x18o',
'DATA XREF: .rdata:00407338\x18o',
'DATA XREF: .rdata:0040733C\x18o',
'DATA XREF: .rdata:00407340\x18o',
'DATA XREF: .rdata:00407344\x18o',
'DATA XREF: .rdata:00407348\x18o',
'DATA XREF: .rdata:0040734C\x18o',
'DATA XREF: .rdata:00407350\x18o',
'DATA XREF: .rdata:00407354\x18o',
'DATA XREF: .rdata:00407358\x18o',
'DATA XREF: .rdata:0040735C\x18o',
'DATA XREF: .rdata:00407360\x18o',
'DATA XREF: .rdata:004071CC\x18o',
'DATA XREF: .rdata:off_407368\x18o',
'DATA XREF: .rdata:0040736C\x18o',
'DATA XREF: .rdata:00407370\x18o',
'DATA XREF: .rdata:00407374\x18o',
'DATA XREF: .rdata:00407378\x18o',
'DATA XREF: .rdata:0040737C\x18o',
'DATA XREF: .rdata:00407380\x18o',
'DATA XREF: .rdata:00407384\x18o',
'DATA XREF: .rdata:00407388\x18o',
'DATA XREF: .rdata:0040738C\x18o',
'DATA XREF: .rdata:00407390\x18o',
'DATA XREF: .rdata:00407394\x18o',
'DATA XREF: .rdata:00407398\x18o',
'DATA XREF: .rdata:0040739C\x18o',
'DATA XREF: .rdata:004073A0\x18o',
'DATA XREF: .rdata:004071E0\x18o',
'DATA XREF: .rdata:off_4073A8\x18o',
'DATA XREF: .rdata:004073AC\x18o',
'DATA XREF: .rdata:004073B0\x18o',
'DATA XREF: .rdata:004071F4\x18o',
'DATA XREF: .rdata:00407208\x18o',
'DATA XREF: .rdata:off_4073C0\x18o',
'DATA XREF: .rdata:004073C4\x18o',
'DATA XREF: .rdata:0040721C\x18o',
'DATA XREF: .rdata:off_4073CC\x18o',
'DATA XREF: .rdata:004073D0\x18o',
'DATA XREF: .rdata:00407230\x18o',
'DATA XREF: .rdata:off_4073D8\x18o',
'DATA XREF: .rdata:004073DC\x18o',
'DATA XREF: .rdata:004073E0\x18o',
'DATA XREF: .rdata:004073E4\x18o',
'DATA XREF: .rdata:004073E8\x18o',
'DATA XREF: .rdata:004073EC\x18o',
'DATA XREF: .rdata:004073F0\x18o',
'DATA XREF: .rdata:004073F4\x18o',
'DATA XREF: .rdata:004073F8\x18o',
'DATA XREF: .rdata:004073FC\x18o',
'DATA XREF: .rdata:00407400\x18o',
'DATA XREF: .rdata:00407404\x18o',
'DATA XREF: .rdata:00407244\x18o',
'Section 4. (virtual address 0000C000)',
'Virtual size : 00025517 ( 152855.)',
'Section size in file : 0001AC00 ( 109568.)',
'Offset toraw data for section: 00005E00',
'Flags 40000040: Data Readable',
'Alignment : default',
'Segment type: Pure data',
'Segment permissions: Read',
'org 40C000h',
'DATA XREF: HEADER:004001FC\x18o',
'Section 5. (virtual address 00032000)',
'Virtual size : 00052D37 ( 339255.)',
'Section size in file : 00001C00 ( 7168.)',
'Offsetto raw data forsection: 00020A00',
'Flags C0000040: Data Readable Writable',
'Alignment : default',
'Segment type: Pure data',
'Segment permissions: Read/Write',
'org 432000h',
'DATA XREF: .icode:00404AD9\x18w',
'DATA XREF: start+163\x18w',
'start+16D\x18r',
'DATA XREF: .icode:00404A39\x18w',
'start+29C\x18w ...',
'DATA XREF: .icode:00404D6C\x18w',
'sub_403CC8+74\x18w',
'DATA XREF: sub_40414C+45\x18w',
'DATA XREF: start+983\x18o',
'DATA XREF: sub_4036C4+6D\x18w',
'sub_403BB4+1A\x18w',
'DATA XREF: sub_403778+39\x18w',
'DATA XREF: sub_403EA4+49\x18w',
'.icode:00404DA2\x18w',
'DATA XREF: .icode:00404BE5\x18w',
'DATA XREF: sub_403778+4C\x18w',
'DATA XREF: .icode:loc_404B58\x18w',
'DATA XREF: .icode:00404CE7\x18w',
'start+82C\x18o',
'DATA XREF: .icode:004049AC\x18r',
'sub_4036C4+78\x18w',
'DATA XREF: start+4FE\x18w',
'DATA XREF: start-A9D\x18w',
'DATA XREF: .icode:00403AD7\x18w',
'DATA XREF: start-A91\x18w',
'DATA XREF: sub_4036C4+A8\x18w',
'.icode:004047FA\x18w',
'DATA XREF: sub_403BB4+8A\x18w',
'DATA XREF: .icode:004049F9\x18w',
'sub_40397C+23\x18w ...',
'DATA XREF: start:loc_405293\x18w',
'DATA XREF: .icode:00403AF2\x18w',
'DATA XREF: start+A19\x18o',
'DATA XREF: .icode:00403ABC\x18w',
'start+9F0\x18o',
'DATA XREF: start+713\x18o',
'DATA XREF: start+77F\x18o',
'start+8BC\x18o',
'DATA XREF: start+991\x18o',
'DATA XREF: start+69C\x18r',
'DATA XREF: sub_4038B8+2B\x18w',
'DATA XREF: start+A5D\x18w',
'start+2EA\x18r ...',
'DATA XREF: .icode:00404058\x18w',
'start+650\x18o ...',
'DATA XREF: start+44\x18w',
'sub_4037DC+21\x18w ...',
'DATA XREF: sub_4035A8+3D\x18w',
'sub_403BB4+31\x18w ...',
'DATA XREF: .icode:00404A75\x18r',
'start+92E\x18o',
'DATA XREF: .icode:004049CA\x18w',
'start+878\x18w ...',
'DATA XREF: .icode:00404BF2\x18r',
'DATA XREF: sub_4039E0+40\x18w',
'DATA XREF: start+4CC\x18o',
'DATA XREF: .icode:004044D9\x18w',
'.icode:0040404C\x18w',
'DATA XREF: start+23E\x18o',
'start+681\x18o',
'DATA XREF: start+6F0\x18r',
'DATA XREF: sub_40362C+87\x18w',
'DATA XREF: sub_4038B8+E\x18w',
'DATA XREF: .icode:004045D2\x18w',
'sub_403778+1B\x18w',
'DATA XREF: .icode:00404862\x18w',
'DATA XREF: sub_403DFC:loc_403E7A\x18w',
'sub_403EA4+90\x18w',
'DATA XREF: sub_4038B8+3E\x18r',
'.icode:00404ABE\x18r ...',
'DATA XREF: start+519\x18r',
'DATA XREF: sub_4043B9+26\x18w',
'DATA XREF: sub_403778+55\x18w',
'start+1DF\x18w ...',
'DATA XREF: start+101\x18w',
'start+10B\x18r ...',
'DATA XREF: sub_4035A8+20\x18w',
'DATA XREF: sub_404204+E\x18w',
'DATA XREF: sub_4043B9+32\x18w',
'sub_4043B9+3C\x18r ...',
'DATA XREF: .icode:00404BF8\x18w',
'DATA XREF: start+760\x18w',
'sub_403C54+48\x18w',
'DATA XREF: sub_403C54+4E\x18w',
'sub_4043B9+21\x18w ...',
'DATA XREF: sub_4038B8+52\x18w',
'DATA XREF: start+464\x18o',
'DATA XREF: sub_404270+7C\x18w',
'.icode:00404572\x18w ...',
'DATA XREF: sub_4043B9+6E\x18w',
'DATA XREF: start+286\x18w',
'start+290\x18r ...',
'DATA XREF: sub_40414C+11\x18w',
'sub_403B30+35\x18w',
'DATA XREF: start+4F3\x18w',
'sub_4037DC+AE\x18w ...',
'DATA XREF: sub_403BB4+29\x18r',
'.icode:00404B4B\x18w ...',
'DATA XREF: .icode:00404C7E\x18w',
'DATA XREF: start+3DD\x18r',
'DATA XREF: sub_403B30+41\x18w',
'DATA XREF: sub_40414C:loc_4041E2\x18w',
'.icode:004049DC\x18w ...',
'DATA XREF: .icode:00404B52\x18w',
'DATA XREF: sub_403EA4+5A\x18w',
'start+58F\x18o',
'DATA XREF: sub_40414C:loc_4041B4\x18w',
'DATA XREF: sub_4040F4+F\x18w',
'.icode:0040403F\x18r',
'DATA XREF: start+1A9\x18r',
'start+64A\x18o',
'DATA XREF: .icode:00404B83\x18w',
'.icode:00403B06\x18r',
'DATA XREF: .icode:00404DBB\x18w',
'DATA XREF: start+2E5\x18w',
'start+38E\x18o ...',
'DATA XREF: sub_4040F4+14\x18w',
'.icode:004044FD\x18w ...',
'DATA XREF: sub_40414C+81\x18r',
'sub_40414C+50\x18w',
'DATA XREF: sub_403CC8+2D\x18w',
'DATA XREF: .icode:00404982\x18w',
'DATA XREF: sub_4035A8+60\x18w',
'sub_40362C+34\x18w ...',
'DATA XREF: start-9B9\x18w',
'start+140\x18r ...',
'DATA XREF: start+735\x18w',
'sub_403B30+1A\x18w',
'DATA XREF: sub_4037DC+99\x18r',
'DATA XREF: sub_403CC8+36\x18r',
'DATA XREF: .icode:00404833\x18r',
'DATA XREF: .icode:0040451E\x18w',
'.icode:004047BD\x18w',
'DATA XREF: sub_403F54+3D\x18w',
'DATA XREF: sub_403BB4+70\x18w',
'DATA XREF: .icode:00404C11\x18w',
'DATA XREF: sub_403B30+50\x18r',
'DATA XREF: start:loc_40557A\x18w',
'DATA XREF: .icode:00404039\x18r',
'sub_4039E0+9F\x18w ...',
'DATA XREF: start+A47\x18r',
'DATA XREF: .icode:loc_4048C2\x18w',
'sub_4036C4+66\x18w',
'DATA XREF: sub_40362C+5A\x18w',
'DATA XREF: sub_403DFC+6D\x18w',
'start+6E9\x18o',
'DATA XREF: sub_403EA4+73\x18w',
'sub_404070+28\x18r',
'DATA XREF: sub_404270+75\x18r',
'DATA XREF: .icode:00404968\x18w',
'start+3E3\x18r',
'DATA XREF: .icode:004049B2\x18w',
'start+48C\x18o ...',
'DATA XREF: sub_403BB4+48\x18w',
'DATA XREF: sub_40397C+43\x18r',
'DATA XREF: sub_4039E0+7B\x18w',
'start-9BE\x18w ...',
'DATA XREF: .icode:00404B0B\x18w',
'start+479\x18w ...',
'DATA XREF: .icode:00404893\x18w',
'start+3B8\x18r',
'DATA XREF: start+245\x18r',
'DATA XREF: sub_404270+35\x18w',
'DATA XREF: start+510\x18w',
'DATA XREF: sub_403F54+23\x18w',
'DATA XREF: sub_4035A8:loc_4035EC\x18w',
'.icode:00404AED\x18w',
'DATA XREF: sub_4038B8+30\x18w',
'DATA XREF: sub_4036C4+25\x18r',
'DATA XREF: .icode:004045BF\x18w',
'DATA XREF: .icode:00404BCA\x18w',
'DATA XREF: sub_40414C+1E\x18r',
'DATA XREF: .icode:00404A8E\x18w',
'DATA XREF: start+207\x18w',
'sub_404070+14\x18w',
'DATA XREF: start+2C8\x18o',
'DATA XREF: .icode:004048B9\x18w',
'start+DC\x18w ...',
'DATA XREF: sub_403B30+5D\x18w',
'DATA XREF: sub_4037DC+66\x18r',
'DATA XREF: start+341\x18w',
'start+34B\x18r',
'DATA XREF: .icode:00404D06\x18w',
'.icode:00404D10\x18r',
'DATA XREF: sub_403C54+33\x18w',
'.icode:00404CBE\x18w',
'DATA XREF: sub_404070+5E\x18w',
'sub_4036C4:loc_40370A\x18w',
'DATA XREF: .icode:00403D7E\x18w',
'.icode:00403D88\x18r ...',
'DATA XREF: sub_4038B8:loc_403910\x18w',
'start+933\x18o',
'DATA XREF: sub_40414C+30\x18w',
'sub_4039E0+4\x18w',
'DATA XREF: sub_40414C+71\x18r',
'sub_40414C+24\x18r',
'DATA XREF: .icode:00404870\x18w',
'DATA XREF: sub_403CC8:loc_403D5F\x18w',
'sub_4038B8+B6\x18w',
'DATA XREF: start+750\x18w',
'start+84C\x18o',
'DATA XREF: sub_4037DC+A1\x18w',
'.icode:00404D00\x18w',
'DATA XREF: .icode:004045AE\x18w',
'DATA XREF: .icode:00404C1C\x18r',
'.icode:00404D59\x18w ...',
'DATA XREF: sub_404270+46\x18w',
'DATA XREF: sub_404204+13\x18w',
'DATA XREF: start+1C4\x18w',
'sub_40362C+45\x18r',
'DATA XREF: sub_403C54:loc_403CB8\x18w',
'sub_403DFC+8\x18r...',
'DATA XREF: .icode:004045E5\x18w',
'start+670\x18r ...',
'DATA XREF: sub_4040F4+4B\x18w',
'DATA XREF: start+121\x18w',
'DATA XREF: sub_4040F4+24\x18w',
'DATA XREF: sub_403F54+6D\x18w',
'.icode:00404B45\x18w ...',
'DATA XREF: .icode:00404A54\x18w',
'sub_4038B8+AF\x18w',
'DATA XREF: .icode:00404934\x18w',
'DATA XREF: sub_4039E0+54\x18w',
'start+546\x18r',
'DATA XREF: .icode:00404D26\x18w',
'DATA XREF: .icode:00404886\x18w',
'sub_403EA4+2C\x18w',
'DATA XREF: start+6A3\x18r',
'DATA XREF: sub_4036C4+39\x18w',
'start+D5\x18r',
'DATA XREF: .icode:00404953\x18r',
'DATA XREF: sub_40362C+4D\x18w',
'DATA XREF: start:loc_4054D3\x18w',
'DATA XREF: sub_40414C+16\x18w',
'DATA XREF: .icode:004047C7\x18w',
'.icode:00404878\x18r',
'DATA XREF: start+19D\x18w',
'DATA XREF: start+6D4\x18o',
'DATA XREF: sub_404270+40\x18r',
'DATA XREF: start+7C6\x18o',
'DATA XREF: .icode:00404C6C\x18w',
'DATA XREF: .icode:004049BE\x18r',
'DATA XREF: sub_4038B8+4C\x18w',
'sub_40397C+52\x18w ...',
'DATA XREF: start+F7\x18w',
'DATA XREF: .icode:00404C4B\x18r',
'sub_40414C+90\x18w',
'DATA XREF: start+972\x18w',
'DATA XREF: sub_403F54+1E\x18w',
'DATA XREF: start+8\x18w',
'start+580\x18w ...',
'DATA XREF: start+1A3\x18r',
'DATA XREF: .icode:00404843\x18w',
'sub_40414C+62\x18w ...',
'DATA XREF: .icode:0040457F\x18r',
'DATA XREF: sub_403CC8+6E\x18r',
'.icode:0040452D\x18r',
'DATA XREF: start+7DC\x18r',
'sub_403DFC+8A\x18w ...',
'DATA XREF: sub_40414C+89\x18w',
'.icode:00404550\x18w ...',
'DATA XREF: start+63D\x18w',
'start+6A9\x18w',
'HANDLEhHandle',
'DATA XREF: start+5CE\x18w',
'start+5D8\x18r ...',
'DATA XREF: .icode:00404AA8\x18w',
'DATA XREF: start+5C1\x18w',
'sub_4040F4+33\x18w ...',
'DATA XREF: start+A2B\x18o',
'DATA XREF: sub_403DFC+78\x18w',
'start+14A\x18w ...',
'DATA XREF: .icode:00404A06\x18w',
'start+588\x18o',
'DATA XREF: .icode:00404CA5\x18w',
'DATA XREF: .icode:00403AF8\x18w',
'DATA XREF: start+7AA\x18o',
'DATA XREF: sub_4039E0+70\x18w',
'sub_403C54+E\x18w',
'DATA XREF: start:loc_4051C5\x18w',
'start+87D\x18r ...',
'DATA XREF: start+560\x18w',
'sub_4039E0+45\x18w',
'DATA XREF: .icode:00403AEC\x18w',
'DATA XREF: sub_40397C+32\x18w',
'DATA XREF: sub_4036C4+8E\x18w',
'start+51F\x18o',
'DATA XREF: sub_404070+19\x18w',
'DATA XREF: sub_4035A8+37\x18w',
'DATA XREF: .icode:00403DBB\x18w',
'DATA XREF: sub_4037DC+43\x18w',
'.icode:00404A11\x18w',
'DATA XREF: sub_4037DC+83\x18r',
'.icode:00404978\x18w',
'DATA XREF: sub_4038B8+97\x18w',
'DATA XREF: sub_4036C4+1F\x18r',
'DATA XREF: .icode:0040489E\x18r',
'start+A34\x18r',
'DATA XREF: .icode:00404585\x18w',
'sub_403F54+5F\x18r',
'DATA XREF: sub_40362C:loc_40368D\x18w',
'sub_403F54+82\x18w',
'DATA XREF: start+A10\x18o',
'DATA XREF: start+9CF\x18w',
'DATA XREF: .icode:00403AA0\x18w',
'start+554\x18w ...',
'DATA XREF: .icode:00404B7C\x18w',
'start+8C8\x18r ...',
'DATA XREF: sub_4036C4+F\x18w',
'DATA XREF: sub_403BB4+15\x18w',
'sub_40414C+77\x18w',
'DATA XREF: sub_4039E0+88\x18w',
'sub_4036C4+4F\x18r',
'DATA XREF: .icode:00404512\x18w',
'DATA XREF: .icode:00404D3C\x18w',
'DATA XREF: start+2F1\x18r',
'sub_403BB4+65\x18w',
'DATA XREF: start+919\x18w',
'DATA XREF: sub_403BB4+50\x18r',
'.icode:00403AE4\x18r',
'DATA XREF: .icode:00404C84\x18w',
'.icode:00404C8E\x18r ...',
'DATA XREF: .icode:00404A7B\x18w',
'DATA XREF: .icode:004049F3\x18w',
'sub_4037DC+73\x18w',
'DATA XREF: start+49E\x18w',
'.icode:00404A4C\x18r',
'DATA XREF: sub_4035A8+6B\x18w',
'DATA XREF: start+959\x18w',
'DATA XREF: .icode:00404030\x18w',
'DATA XREF: start:loc_4056DD\x18w',
'DATA XREF: start+9DA\x18o',
'DATA XREF: sub_404270+30\x18w',
'.icode:loc_404BD0\x18w ...',
'DATA XREF: sub_4036C4+14\x18w',
'sub_404070+6F\x18w',
'DATA XREF: start+5B0\x18r',
'DATA XREF: start+2DA\x18r',
'DATA XREF: sub_403EA4+3E\x18w',
'sub_403B30+A\x18w',
'DATA XREF: .icode:00404813\x18o',
'DATA XREF: start+6E1\x18r',
'DATA XREF: start+765\x18r',
'DATA XREF: start+78D\x18r',
'DATA XREF: .icode:004048E4\x18r',
'DATA XREF: start+302\x18r',
'DATA XREF: .icode:004046D3\x18r',
'Section 6. (virtual address 00085000)',
'Virtual size : 00029A35 ( 170549.)',
'Section sizein file : 0001C200 ( 115200.)',
'Offset to raw data for section: 00022600',
'Flags 40000040: DataReadable',
'Alignment : default',
'Segment type: Pure data',
'Segment permissions:Read',
'org 485000h',
'[00002000 BYTES: COLLAPSED SEGMENT _rsrc. PRESS KEYPADCTRL-"+" TO EXPAND]']
In [132]:
# lists and stuff
# Scratch lists for the list/loop examples that follow.
chris = list(range(1, 6))
noor = [6, 6, 7, 8]
In [141]:
# Squares of 1..5; rebinds `chris`, replacing the list defined above.
chris = [n * n for n in range(1, 6)]
In [140]:
# Same list as range(1, 6), built and printed.
tmp = list(range(1, 6))
print(tmp)
[1, 2, 3, 4, 5]
In [142]:
# Display the squares list.
chris
Out[142]:
[1, 4, 9, 16, 25]
In [143]:
# One square per line.
for square in chris:
    print(square)
1
4
9
16
25
In [144]:
# Index and value, space separated.
for idx, square in enumerate(chris):
    print('%d %s' % (idx, square))
0 1
1 4
2 9
3 16
4 25
In [150]:
# Pairwise sums; zip stops at the shorter list (noor), so only four values.
for left, right in zip(chris, noor):
    total = left + right
    print(total)
7
10
16
24
In [ ]: