python unicorn引擎模拟执行部分代码

import unicorn
import pefile
import capstone

# 要分析的样本路径
sample_file_path = 'C:\\Users\\asdf\\Desktop\\a9542676ee9a25c64a9fec1466664511f6059b51d8192025f95855b02ffe9620\\' \
              'a9542676ee9a25c64a9fec1466664511f6059b51d8192025f95855b02ffe9620.malware'

# 初始化unicorn
uc = unicorn.Uc(unicorn.UC_ARCH_X86, unicorn.UC_MODE_32)
# 初始化pe
pe = pefile.PE(sample_file_path)

address = 0x400000                # 32位PE文件起始地址
stack = 0x2000                    # 初始rsp或者esp可以设置为0x10000
analyse_address = 0x422154        # 要分析的起始地址
analyse_address_end = 0x42219E    # 尾地址

assert(pe.OPTIONAL_HEADER.ImageBase == address)

uc.mem_map(address, 1024*1024*10)  # 10MB
uc.mem_map(stack,1024*1024)        # 1M栈

buffer = pe.get_memory_mapped_image();

# 将样本映射
uc.mem_write(address,buffer)

uc.reg_write(unicorn.x86_const.UC_X86_REG_ESP,0x10000)
uc.emu_start(analyse_address,analyse_address_end)

esp = uc.reg_read(unicorn.x86_const.UC_X86_REG_ESP)
data = uc.mem_read(esp,0xf)

print('{}'.format(data))