蓝队的反制(2)
还有几天,某大型全国性交友活动就要开始了,特此为蓝队的朋友们献上一篇简单的反制文章。
该方法操作简单,一个wireshark即可操作,但准确性没有之前的准确。众所周知,在Cs或Msf的stage上线时,一般会去请求一个4位的随机网址来下发后续的payload来获取一个beacon。而我们今天就是用到了这个特性,来进行操作。
http.request.uri.matches "^/....$"
用该方法来提取特定url,然后将其保存下来。
然后使用工具获取详细信息:
工具下载地址:http://didierstevens.com/files/software/1768_v0_0_4.zip
网速不好的可以直接复制下面的代码:
#!/usr/bin/env python
from __future__ import print_function
__description__ = 'Analyze Cobalt Strike beacons'
__author__ = 'Didier Stevens'
__version__ = '0.0.4'
__date__ = '2020/11/29'
"""
Source code put in the public domain by Didier Stevens, no Copyright
https://DidierStevens.com
Use at your own risk
History:
2019/05/15: start
2019/05/18: continue
2019/05/25: continue
2019/12/06: continue
2019/12/07: continue
2019/12/17: continue
2020/02/03: 0.0.2 some changes for CS4: xor key is '.' in stead of 'i'
2020/10/11: 0.0.3 Python 3 fixes
2020/10/17: improve parsing
2020/10/18: updated some config identifiers: found https://github.com/JPCERTCC/aa-tools https://github.com/sysopfb/malware_decoders/tree/master/cs_beacon https://github.com/Sentinel-One/CobaltStrikeParser
2020/10/21: Python 3 fix in cBinaryFile
2020/10/28: refactoring
2020/10/29: man
2020/11/04: added xor chain decoding
2020/11/07: 0.0.4 updated shellcode analysis
2020/11/12: updated shellcode analysis
2020/11/16: added option -l
2020/11/17: continue
2020/11/29: added rule_shellcode_00_end
Todo:
add JSON output
"""
import optparse
import sys
import os
import zipfile
import binascii
import random
import gzip
import collections
import glob
import textwrap
import re
import struct
import string
import math
import fnmatch
import json
import time
if sys.version_info[0] >= 3:
from io import BytesIO as DataIO
else:
from cStringIO import StringIO as DataIO
if sys.version_info[0] >= 3:
from io import StringIO
else:
from cStringIO import StringIO
try:
import pefile
import peutils
except ImportError:
print('Missing pefile and/or peutils Python module, please check if it is installed.')
sys.exit()
def PrintManual():
manual = r'''
Manual:
1768 Kelvin is the melting point of the metal cobalt.
This tool decrypts and dumps the configuration of Cobalt Strike Windows beacons (PE files), shellcode and memory dumps.
Option -s (--select) can be used to select a particular configuration item (by decimal of hexadecimal number) for more information. For the moment, this option displays the complete item's data (hexadecimal in cleartext, encoded with 'i' (0x69) and encoded with '.' (0x2e). These hexadecimal values can be used to create detection rules, like YARA rules.
Option -l (--licenseid) is used to generate YARA rules to detect a beacon or shellcode with the given license ID. The id can be provided as an integer or an hexadecimal value (prefixed by 0x).
More than one license id can be provided: separate them by commas (,).
Each license id can be previded by a name for the license is (use : as a separator).
Example : 1768.py -l ATP_1:12345678,pentester_2:87654321
It reads one or more files or stdin. This tool is very versatile when it comes to handling files, later full details will be provided.
This Python script was first developed with Python 2.7 and tested with Python 2.7 and 3.7, now it is developed with Python 3.8 and tested with Python 3.8 and 2.7.
As stated at the beginning of this manual, this tool is very versatile when it comes to handling files. This will be explained now.
This tool reads files in binary mode. It can read files from disk, from standard input (stdin) and from "generated" files via the command line.
It can also partially read files (this is done with the cut operator).
If no file arguments are provided to this tool, it will read data from standard input (stdin). This way, this tool can be used in a piped chain of commands, like this:
oledump.py -s 4 -d sample.doc.vir | tool.py
When one or more file arguments are provided to this tool, it will read the files and process the content.
How the files are read, depends on the type of file arguments that are provided. File arguments that start with character @ or # have special meaning, and will be explained later.
If a file argument does not start with @ or #, it is considered to be a file on disk and the content will be read from disk.
If the file is not a compressed file, the binary content of the file is read from disk for processing.
Compressed files are solely recognized based on their extension: .zip and .gz.
If a file argument with extension .gz is provided, the tool will decompress the gzip file in memory and process the decompressed content. No checks are made to ensure that the file with extension .gz is an actual gzip compressed file.
If a file argument with extension .zip is provided and it contains a single file, the tool will extract the file from the ZIP file in memory and process the decompressed content. No checks are made to ensure that the file with extension .zip is an actual ZIP compressed file.
Password protected ZIP files can be processed too. The tool uses password 'infected' (without quotes) as default password. A different password can be provided using option --password.
Example:
tool.py sample.zip
To prevent the tool from decompressing .zip or .gz files, but to process the compressed file itself, use option --noextraction.
File arguments that start with character @ ("here files"), are read as text files that contain file arguments (one per line) to be processed.
For example, we take a text file with filename list.txt and following content:
sample-1.bin
sample-5.bin
sample-7.bin
When using this file (list.txt) in the following command:
tool.py @list.txt
the tool will process the following files: sample-1.bin, sample-5.bin and sample-7.bin.
A single @ character as filename is a here file read from stdin.
Wildcards are supported too. The classic *, ? and [] wildcard characters are supported. For example, use the following command to process all .exe and .dll files in the Windows directory:
tool.py C:\Windows\*.exe C:\Windows\*.dll
To prevent the tool from processing file arguments with wildcard characters or special initial characters (@ and #) differently, but to process them as normal files, use option --literalfilenames.
The content of folders can be processed too: use option --recursedir and provide folder names as argument. Wildcards and here files (for folder names) can be used too.
File arguments that start with character # have special meaning. These are not processed as actual files on disk (except when option --literalfilenames is used), but as file arguments that specify how to "generate" the file content.
File arguments that start with #, #h#, #b# or #e# are used to "generate" the file content.
Arguments that start with #c# are not file arguments, but cut operators (explained later).
Arguments that start with #f# are not file arguments, but flags (explained later).
Generating the file content with a # file argument means that the file content is not read from disk, but generated in memory based on the characteristics provided via the file argument.
When a file argument starts with # (and not with #h#, #b#, #e# or #c#), all characters that follow the # character specify the content of the generated file.
For example, file argument #ABCDE specifies a file containing exactly 5 bytes: ASCII characters A, B, C, D and E.
Thus the following command:
tool.py #ABCDE
will make the tool process data with binary content ABCDE. #ABCDE is not an actual file written on disk, but it is a notational convention to provide data via the command line.
Since this notation can not be used to specify all possible byte values, hexadecimal encoding (#h#) and BASE64 encoding (#b#) notation is supported too.
For example, #h#4142434445 is an hexadecimal notation that generates data ABCDE. Hexadecimal notation allows the generation of non-printable characters for example, like NULL bytes: #h#00
File argument #b#QUJDREU= is another example, this time BASE64 notation, that generates data ABCDE.
File arguments that start with #e# are a notational convention to use expressions to generate data. An expression is a single function/string or the concatenation of several functions/strings (using character + as concatenation operator).
Strings can be characters enclosed by single quotes ('example') or hexadecimal strings prefixed by 0x (0xBEEF).
4 functions are available: random, loremipsum, repeat and chr.
Function random takes exactly one argument: an integer (with value 1 or more). Integers can be specified using decimal notation or hexadecimal notation (prefix 0x).
The random function generates a sequence of bytes with a random value (between 0 and 255), the argument specifies how many bytes need to be generated. Remark that the random number generator that is used is just the Python random number generator, not a cryptographic random number generator.
Example:
tool.py #e#random(100)
will make the tool process data consisting of a sequence of 100 random bytes.
Function loremipsum takes exactly one argument: an integer (with value 1 or more).
The loremipsum function generates "lorem ipsum" text (fake latin), the argument specifies the number of sentences to generate.
Example: #e#loremipsum(2) generates this text:
Ipsum commodo proin pulvinar hac vel nunc dignissim neque eget odio erat magna lorem urna cursus fusce facilisis porttitor congue eleifend taciti. Turpis duis suscipit facilisi tristique dictum praesent natoque sem mi egestas venenatis per dui sit sodales est condimentum habitasse ipsum phasellus non bibendum hendrerit.
Function chr takes one argument or two arguments.
chr with one argument takes an integer between 0 and 255, and generates a single byte with the value specified by the integer.
chr with two arguments takes two integers between 0 and 255, and generates a byte sequence with the values specified by the integers.
For example #e#chr(0x41,0x45) generates data ABCDE.
Function repeat takes two arguments: an integer (with value 1 or more) and a byte sequence. This byte sequence can be a quoted string of characters (single quotes), like 'ABCDE' or an hexadecimal string prefixed with 0x, like 0x4142434445.
The repeat function will create a sequence of bytes consisting of the provided byte sequence (the second argument) repeated as many times as specified by the first argument.
For example, #e#repeat(3, 'AB') generates byte sequence ABABAB.
When more than one function needs to be used, the byte sequences generated by the functions can be concatenated with the + operator.
For example, #e#repeat(10,0xFF)+random(100) will generate a byte sequence of 10 FF bytes followed by 100 random bytes.
The cut argument (or cut operator) allows for the partial selection of the content of a file. This argument starts with #c# followed by a "cut-expression". Use this expression to "cut out" part of the content.
The cut-argument must be put in front of a file argument, like in this example:
tool.py #c#0:100l data.bin
With these arguments, tool.py will only process the first 100 bytes (0:100l) of file data.bin.
A cut argument is applied to all file arguments that follow it. Example:
tool.py #c#0:100l data-1.bin data-2.bin
With these arguments, tool.py will only process the first 100 bytes (0:100l) of file data-1.bin and the first 100 bytes file data-2.bin.
More than one cut argument can be used, like in this example:
tool.py #c#0:100l data-1.bin #c#0:200l data-2.bin
With these arguments, tool.py will only process the first 100 bytes (0:100l) of file data-1.bin and the first 200 bytes (0:200l) of file data-2.bin.
A cut-expression is composed of 2 terms separated by a colon (:), like this:
termA:termB
termA and termB can be:
- nothing (an empty string)
- a positive decimal number; example: 10
- an hexadecimal number (to be preceded by 0x); example: 0x10
- a case sensitive ASCII string to search for (surrounded by square brackets and single quotes); example: ['MZ']
- a case sensitive UNICODE string to search for (surrounded by square brackets and single quotes prefixed with u); example: [u'User']
- an hexadecimal string to search for (surrounded by square brackets); example: [d0cf11e0]
If termA is nothing, then the cut section of bytes starts with the byte at position 0.
If termA is a number, then the cut section of bytes starts with the byte at the position given by the number (first byte has index 0).
If termA is a string to search for, then the cut section of bytes starts with the byte at the position where the string is first found. If the string is not found, the cut is empty (0 bytes).
If termB is nothing, then the cut section of bytes ends with the last byte.
If termB is a number, then the cut section of bytes ends with the byte at the position given by the number (first byte has index 0).
When termB is a number, it can have suffix letter l. This indicates that the number is a length (number of bytes), and not a position.
termB can also be a negative number (decimal or hexademical): in that case the position is counted from the end of the file. For example, :-5 selects the complete file except the last 5 bytes.
If termB is a string to search for, then the cut section of bytes ends with the last byte at the position where the string is first found. If the string is not found, the cut is empty (0 bytes).
No checks are made to assure that the position specified by termA is lower than the position specified by termB. This is left up to the user.
Search string expressions (ASCII, UNICODE and hexadecimal) can be followed by an instance (a number equal to 1 or greater) to indicate which instance needs to be taken. For example, ['ABC']2 will search for the second instance of string 'ABC'. If this instance is not found, then nothing is selected.
Search string expressions (ASCII, UNICODE and hexadecimal) can be followed by an offset (+ or - a number) to add (or substract) an offset to the found instance. This number can be a decimal or hexadecimal (prefix 0x) value. For example, ['ABC']+3 will search for the first instance of string 'ABC' and then select the bytes after ABC (+ 3).
Finally, search string expressions (ASCII, UNICODE and hexadecimal) can be followed by an instance and an offset.
Examples:
This cut-expression can be used to dump the first 256 bytes of a PE file located inside the file content: ['MZ']:0x100l
This cut-expression can be used to dump the OLE file located inside the file content: [d0cf11e0]:
A flag argument starts with #f# and is passed on for all files that are provided after the flag argument. It can be used to change the behavior of the tool for certain files.
Example:
tool.py data-1.bin #f#-l data-2.bin
data-2.bin will be processed differently (using flag option -l) than file data-1.bin.
With option --jsoninput, the tool will parse the output produced by another tool using option --jsonoutput.
Example:
zipdump.py --jsonoutput Book1.xlsm | file-magic.py --jsoninput
[Content_Types].xml XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
_rels/.rels XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
xl/_rels/workbook.xml.rels XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
xl/workbook.xml XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
xl/drawings/drawing1.xml XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
xl/worksheets/_rels/sheet1.xml.rels XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
xl/theme/theme1.xml XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
xl/styles.xml XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
xl/worksheets/sheet1.xml XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
xl/vbaProject.bin Composite Document File V2 Document, Cannot read section info
xl/drawings/vmlDrawing1.vml ASCII text, with CRLF line terminators
docProps/app.xml XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
xl/ctrlProps/ctrlProp1.xml XML 1.0 document, ASCII text, with CRLF line terminators
docProps/core.xml XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
In this example, zipdump is used to produce JSON data with the content of each file contained inside file Book1.xlsm (a ZIP container), which is then consumed by file-magic.py to identify (libmagic) the type of each file.
With option --ignoreprocessingerrors, the tool will continue processing the next file when an error occurs while processing the current file. Files that can not be opened will always be skipped to move to the next file.
Option --logfile direct the tool to create a logfile, and option --logcomment can be used to add a comment to the log file. The log file will contain metadata and a list of processed files, it does not contain processing results.
It is best to use this option when option --ignoreprocessingerrors is used, to have a record of file processing errors.
The lines are written to standard output, except when option -o is used. When option -o is used, the lines are written to the filename specified by option -o.
Filenames used with option -o starting with # have special meaning.
#c#example.txt will write output both to the console (stdout) and file example.txt.
#g# will write output to a file with a filename generated by the tool like this: toolname-date-time.txt.
#g#KEYWORD will write output to a file with a filename generated by the tool like this: toolname-KEYWORD-date-time.txt.
Use #p#filename to display execution progress.
To process several files while creating seperate output files for each input file, use -o #s#%f%.result *.
This will create output files with the name of the inputfile and extension .result.
There are several variables available when creating separate output files:
%f% is the full filename (with directory if present)
%b% is the base name: the filename without directory
%d% is the directory
%r% is the root: the filename without extension
%ru% is the root made unique by appending a counter (if necessary)
%e% is the extension
#h# is like the head command: only the first 10 lines will be outputed.
#t# is like the tail command: only the last 10 lines will be outputed.
Most options can be combined, like #ps# for example.
#l# is used for literal filenames: if the output filename has to start with # (#example.txt for example), use filename #l##example.txt for example.
'''
for line in manual.split('\n'):
print(textwrap.fill(line, 79))
DEFAULT_SEPARATOR = ','
QUOTE = '"'
def PrintError(*args, **kwargs):
print(*args, file=sys.stderr, **kwargs)
#Convert 2 Bytes If Python 3
def C2BIP3(string):
if sys.version_info[0] > 2:
return bytes([ord(x) for x in string])
else:
return string
#Convert 2 String If Python 3
def C2SIP3(bytes):
if sys.version_info[0] > 2:
return ''.join([chr(byte) for byte in bytes])
else:
return bytes
#Convert 2 Integer If Python 2
def C2IIP2(data):
if sys.version_info[0] > 2:
return data
else:
return ord(data)
# CIC: Call If Callable
def CIC(expression):
if callable(expression):
return expression()
else:
return expression
# IFF: IF Function
def IFF(expression, valueTrue, valueFalse):
if expression:
return CIC(valueTrue)
else:
return CIC(valueFalse)
#-BEGINCODE cBinaryFile------------------------------------------------------------------------------
#import random
#import binascii
#import zipfile
#import gzip
#import sys
#if sys.version_info[0] >= 3:
# from io import BytesIO as DataIO
#else:
# from cStringIO import StringIO as DataIO
def LoremIpsumSentence(minimum, maximum):
words = ['lorem', 'ipsum', 'dolor', 'sit', 'amet', 'consectetur', 'adipiscing', 'elit', 'etiam', 'tortor', 'metus', 'cursus', 'sed', 'sollicitudin', 'ac', 'sagittis', 'eget', 'massa', 'praesent', 'sem', 'fermentum', 'dignissim', 'in', 'vel', 'augue', 'scelerisque', 'auctor', 'libero', 'nam', 'a', 'gravida', 'odio', 'duis', 'vestibulum', 'vulputate', 'quam', 'nec', 'cras', 'nibh', 'feugiat', 'ut', 'vitae', 'ornare', 'justo', 'orci', 'varius', 'natoque', 'penatibus', 'et', 'magnis', 'dis', 'parturient', 'montes', 'nascetur', 'ridiculus', 'mus', 'curabitur', 'nisl', 'egestas', 'urna', 'iaculis', 'lectus', 'maecenas', 'ultrices', 'velit', 'eu', 'porta', 'hac', 'habitasse', 'platea', 'dictumst', 'integer', 'id', 'commodo', 'mauris', 'interdum', 'malesuada', 'fames', 'ante', 'primis', 'faucibus', 'accumsan', 'pharetra', 'aliquam', 'nunc', 'at', 'est', 'non', 'leo', 'nulla', 'sodales', 'porttitor', 'facilisis', 'aenean', 'condimentum', 'rutrum', 'facilisi', 'tincidunt', 'laoreet', 'ultricies', 'neque', 'diam', 'euismod', 'consequat', 'tempor', 'elementum', 'lobortis', 'erat', 'ligula', 'risus', 'donec', 'phasellus', 'quisque', 'vivamus', 'pellentesque', 'tristique', 'venenatis', 'purus', 'mi', 'dictum', 'posuere', 'fringilla', 'quis', 'magna', 'pretium', 'felis', 'pulvinar', 'lacinia', 'proin', 'viverra', 'lacus', 'suscipit', 'aliquet', 'dui', 'molestie', 'dapibus', 'mollis', 'suspendisse', 'sapien', 'blandit', 'morbi', 'tellus', 'enim', 'maximus', 'semper', 'arcu', 'bibendum', 'convallis', 'hendrerit', 'imperdiet', 'finibus', 'fusce', 'congue', 'ullamcorper', 'placerat', 'nullam', 'eros', 'habitant', 'senectus', 'netus', 'turpis', 'luctus', 'volutpat', 'rhoncus', 'mattis', 'nisi', 'ex', 'tempus', 'eleifend', 'vehicula', 'class', 'aptent', 'taciti', 'sociosqu', 'ad', 'litora', 'torquent', 'per', 'conubia', 'nostra', 'inceptos', 'himenaeos']
sample = random.sample(words, random.randint(minimum, maximum))
sample[0] = sample[0].capitalize()
return ' '.join(sample) + '.'
def LoremIpsum(sentences):
return ' '.join([LoremIpsumSentence(15, 30) for i in range(sentences)])
STATE_START = 0
STATE_IDENTIFIER = 1
STATE_STRING = 2
STATE_SPECIAL_CHAR = 3
STATE_ERROR = 4
FUNCTIONNAME_REPEAT = 'repeat'
FUNCTIONNAME_RANDOM = 'random'
FUNCTIONNAME_CHR = 'chr'
FUNCTIONNAME_LOREMIPSUM = 'loremipsum'
def Tokenize(expression):
result = []
token = ''
state = STATE_START
while expression != '':
char = expression[0]
expression = expression[1:]
if char == "'":
if state == STATE_START:
state = STATE_STRING
elif state == STATE_IDENTIFIER:
result.append([STATE_IDENTIFIER, token])
state = STATE_STRING
token = ''
elif state == STATE_STRING:
result.append([STATE_STRING, token])
state = STATE_START
token = ''
elif char >= '0' and char <= '9' or char.lower() >= 'a' and char.lower() <= 'z':
if state == STATE_START:
token = char
state = STATE_IDENTIFIER
else:
token += char
elif char == ' ':
if state == STATE_IDENTIFIER:
result.append([STATE_IDENTIFIER, token])
token = ''
state = STATE_START
elif state == STATE_STRING:
token += char
else:
if state == STATE_IDENTIFIER:
result.append([STATE_IDENTIFIER, token])
token = ''
state = STATE_START
result.append([STATE_SPECIAL_CHAR, char])
elif state == STATE_STRING:
token += char
else:
result.append([STATE_SPECIAL_CHAR, char])
token = ''
if state == STATE_IDENTIFIER:
result.append([state, token])
elif state == STATE_STRING:
result = [[STATE_ERROR, 'Error: string not closed', token]]
return result
def ParseFunction(tokens):
if len(tokens) == 0:
print('Parsing error')
return None, tokens
if tokens[0][0] == STATE_STRING or tokens[0][0] == STATE_IDENTIFIER and tokens[0][1].startswith('0x'):
return [[FUNCTIONNAME_REPEAT, [[STATE_IDENTIFIER, '1'], tokens[0]]], tokens[1:]]
if tokens[0][0] != STATE_IDENTIFIER:
print('Parsing error')
return None, tokens
function = tokens[0][1]
tokens = tokens[1:]
if len(tokens) == 0:
print('Parsing error')
return None, tokens
if tokens[0][0] != STATE_SPECIAL_CHAR or tokens[0][1] != '(':
print('Parsing error')
return None, tokens
tokens = tokens[1:]
if len(tokens) == 0:
print('Parsing error')
return None, tokens
arguments = []
while True:
if tokens[0][0] != STATE_IDENTIFIER and tokens[0][0] != STATE_STRING:
print('Parsing error')
return None, tokens
arguments.append(tokens[0])
tokens = tokens[1:]
if len(tokens) == 0:
print('Parsing error')
return None, tokens
if tokens[0][0] != STATE_SPECIAL_CHAR or (tokens[0][1] != ',' and tokens[0][1] != ')'):
print('Parsing error')
return None, tokens
if tokens[0][0] == STATE_SPECIAL_CHAR and tokens[0][1] == ')':
tokens = tokens[1:]
break
tokens = tokens[1:]
if len(tokens) == 0:
print('Parsing error')
return None, tokens
return [[function, arguments], tokens]
def Parse(expression):
tokens = Tokenize(expression)
if len(tokens) == 0:
print('Parsing error')
return None
if tokens[0][0] == STATE_ERROR:
print(tokens[0][1])
print(tokens[0][2])
print(expression)
return None
functioncalls = []
while True:
functioncall, tokens = ParseFunction(tokens)
if functioncall == None:
return None
functioncalls.append(functioncall)
if len(tokens) == 0:
return functioncalls
if tokens[0][0] != STATE_SPECIAL_CHAR or tokens[0][1] != '+':
print('Parsing error')
return None
tokens = tokens[1:]
def InterpretInteger(token):
if token[0] != STATE_IDENTIFIER:
return None
try:
return int(token[1])
except:
return None
def Hex2Bytes(hexadecimal):
if len(hexadecimal) % 2 == 1:
hexadecimal = '0' + hexadecimal
try:
return binascii.a2b_hex(hexadecimal)
except:
return None
def InterpretHexInteger(token):
if token[0] != STATE_IDENTIFIER:
return None
if not token[1].startswith('0x'):
return None
bytes = Hex2Bytes(token[1][2:])
if bytes == None:
return None
integer = 0
for byte in bytes:
integer = integer * 0x100 + C2IIP2(byte)
return integer
def InterpretNumber(token):
number = InterpretInteger(token)
if number == None:
return InterpretHexInteger(token)
else:
return number
def InterpretBytes(token):
if token[0] == STATE_STRING:
return token[1]
if token[0] != STATE_IDENTIFIER:
return None
if not token[1].startswith('0x'):
return None
return Hex2Bytes(token[1][2:])
def CheckFunction(functionname, arguments, countarguments, maxcountarguments=None):
if maxcountarguments == None:
if countarguments == 0 and len(arguments) != 0:
print('Error: function %s takes no arguments, %d are given' % (functionname, len(arguments)))
return True
if countarguments == 1 and len(arguments) != 1:
print('Error: function %s takes 1 argument, %d are given' % (functionname, len(arguments)))
return True
if countarguments != len(arguments):
print('Error: function %s takes %d arguments, %d are given' % (functionname, countarguments, len(arguments)))
return True
else:
if len(arguments) < countarguments or len(arguments) > maxcountarguments:
print('Error: function %s takes between %d and %d arguments, %d are given' % (functionname, countarguments, maxcountarguments, len(arguments)))
return True
return False
def CheckNumber(argument, minimum=None, maximum=None):
number = InterpretNumber(argument)
if number == None:
print('Error: argument should be a number: %s' % argument[1])
return None
if minimum != None and number < minimum:
print('Error: argument should be minimum %d: %d' % (minimum, number))
return None
if maximum != None and number > maximum:
print('Error: argument should be maximum %d: %d' % (maximum, number))
return None
return number
def Interpret(expression):
functioncalls = Parse(expression)
if functioncalls == None:
return None
decoded = ''
for functioncall in functioncalls:
functionname, arguments = functioncall
if functionname == FUNCTIONNAME_REPEAT:
if CheckFunction(functionname, arguments, 2):
return None
number = CheckNumber(arguments[0], minimum=1)
if number == None:
return None
bytes = InterpretBytes(arguments[1])
if bytes == None:
print('Error: argument should be a byte sequence: %s' % arguments[1][1])
return None
decoded += number * bytes
elif functionname == FUNCTIONNAME_RANDOM:
if CheckFunction(functionname, arguments, 1):
return None
number = CheckNumber(arguments[0], minimum=1)
if number == None:
return None
decoded += ''.join([chr(random.randint(0, 255)) for x in range(number)])
elif functionname == FUNCTIONNAME_LOREMIPSUM:
if CheckFunction(functionname, arguments, 1):
return None
number = CheckNumber(arguments[0], minimum=1)
if number == None:
return None
decoded += LoremIpsum(number)
elif functionname == FUNCTIONNAME_CHR:
if CheckFunction(functionname, arguments, 1, 2):
return None
number = CheckNumber(arguments[0], minimum=1, maximum=255)
if number == None:
return None
if len(arguments) == 1:
decoded += chr(number)
else:
number2 = CheckNumber(arguments[1], minimum=1, maximum=255)
if number2 == None:
return None
if number < number2:
decoded += ''.join([chr(n) for n in range(number, number2 + 1)])
else:
decoded += ''.join([chr(n) for n in range(number, number2 - 1, -1)])
else:
print('Error: unknown function: %s' % functionname)
return None
return decoded
FCH_FILENAME = 0
FCH_DATA = 1
FCH_ERROR = 2
def FilenameCheckHash(filename, literalfilename):
if literalfilename:
return FCH_FILENAME, filename
elif filename.startswith('#h#'):
result = Hex2Bytes(filename[3:])
if result == None:
return FCH_ERROR, 'hexadecimal'
else:
return FCH_DATA, result
elif filename.startswith('#b#'):
try:
return FCH_DATA, binascii.a2b_base64(filename[3:])
except:
return FCH_ERROR, 'base64'
elif filename.startswith('#e#'):
result = Interpret(filename[3:])
if result == None:
return FCH_ERROR, 'expression'
else:
return FCH_DATA, result
elif filename.startswith('#'):
return FCH_DATA, C2BIP3(filename[1:])
else:
return FCH_FILENAME, filename
def AnalyzeFileError(filename):
PrintError('Error opening file %s' % filename)
PrintError(sys.exc_info()[1])
try:
if not os.path.exists(filename):
PrintError('The file does not exist')
elif os.path.isdir(filename):
PrintError('The file is a directory')
elif not os.path.isfile(filename):
PrintError('The file is not a regular file')
except:
pass
class cBinaryFile:
def __init__(self, filename, zippassword='infected', noextraction=False, literalfilename=False):
self.filename = filename
self.zippassword = zippassword
self.noextraction = noextraction
self.literalfilename = literalfilename
self.oZipfile = None
self.extracted = False
self.fIn = None
fch, data = FilenameCheckHash(self.filename, self.literalfilename)
if fch == FCH_ERROR:
line = 'Error %s parsing filename: %s' % (data, self.filename)
raise Exception(line)
try:
if self.filename == '':
if sys.platform == 'win32':
import msvcrt
msvcrt.setmode(sys.stdin.fileno(), os.O_BINARY)
self.fIn = sys.stdin
elif fch == FCH_DATA:
self.fIn = DataIO(data)
elif not self.noextraction and self.filename.lower().endswith('.zip'):
self.oZipfile = zipfile.ZipFile(self.filename, 'r')
if len(self.oZipfile.infolist()) == 1:
self.fIn = self.oZipfile.open(self.oZipfile.infolist()[0], 'r', self.zippassword)
self.extracted = True
else:
self.oZipfile.close()
self.oZipfile = None
self.fIn = open(self.filename, 'rb')
elif not self.noextraction and self.filename.lower().endswith('.gz'):
self.fIn = gzip.GzipFile(self.filename, 'rb')
self.extracted = True
else:
self.fIn = open(self.filename, 'rb')
except:
AnalyzeFileError(self.filename)
raise
def close(self):
if self.fIn != sys.stdin and self.fIn != None:
self.fIn.close()
if self.oZipfile != None:
self.oZipfile.close()
def read(self, size=None):
try:
fRead = self.fIn.buffer
except:
fRead = self.fIn
if size == None:
return fRead.read()
else:
return fRead.read(size)
def Data(self):
data = self.read()
self.close()
return data
#-ENDCODE cBinaryFile--------------------------------------------------------------------------------
def File2Strings(filename):
try:
if filename == '':
f = sys.stdin
else:
f = open(filename, 'r')
except:
return None
try:
return map(lambda line:line.rstrip('\n'), f.readlines())
except:
return None
finally:
if f != sys.stdin:
f.close()
def File2String(filename):
try:
f = open(filename, 'rb')
except:
return None
try:
return f.read()
except:
return None
finally:
f.close()
def ProcessAt(argument):
if argument.startswith('@'):
strings = File2Strings(argument[1:])
if strings == None:
raise Exception('Error reading %s' % argument)
else:
return strings
else:
return [argument]
def Glob(filename):
filenames = glob.glob(filename)
if len(filenames) == 0:
return [filename]
else:
return filenames
class cExpandFilenameArguments():
def __init__(self, filenames, literalfilenames=False, recursedir=False, checkfilenames=False, expressionprefix=None, flagprefix=None):
self.containsUnixShellStyleWildcards = False
self.warning = False
self.message = ''
self.filenameexpressionsflags = []
self.expressionprefix = expressionprefix
self.flagprefix = flagprefix
self.literalfilenames = literalfilenames
expression = ''
flag = ''
if len(filenames) == 0:
self.filenameexpressionsflags = [['', '', '']]
elif literalfilenames:
self.filenameexpressionsflags = [[filename, '', ''] for filename in filenames]
elif recursedir:
for dirwildcard in filenames:
if expressionprefix != None and dirwildcard.startswith(expressionprefix):
expression = dirwildcard[len(expressionprefix):]
elif flagprefix != None and dirwildcard.startswith(flagprefix):
flag = dirwildcard[len(flagprefix):]
else:
if dirwildcard.startswith('@'):
for filename in ProcessAt(dirwildcard):
self.filenameexpressionsflags.append([filename, expression, flag])
elif os.path.isfile(dirwildcard):
self.filenameexpressionsflags.append([dirwildcard, expression, flag])
else:
if os.path.isdir(dirwildcard):
dirname = dirwildcard
basename = '*'
else:
dirname, basename = os.path.split(dirwildcard)
if dirname == '':
dirname = '.'
for path, dirs, files in os.walk(dirname):
for filename in fnmatch.filter(files, basename):
self.filenameexpressionsflags.append([os.path.join(path, filename), expression, flag])
else:
for filename in list(collections.OrderedDict.fromkeys(sum(map(self.Glob, sum(map(ProcessAt, filenames), [])), []))):
if expressionprefix != None and filename.startswith(expressionprefix):
expression = filename[len(expressionprefix):]
elif flagprefix != None and filename.startswith(flagprefix):
flag = filename[len(flagprefix):]
else:
self.filenameexpressionsflags.append([filename, expression, flag])
self.warning = self.containsUnixShellStyleWildcards and len(self.filenameexpressionsflags) == 0
if self.warning:
self.message = "Your filename argument(s) contain Unix shell-style wildcards, but no files were matched.\nCheck your wildcard patterns or use option literalfilenames if you don't want wildcard pattern matching."
return
if self.filenameexpressionsflags == [] and (expression != '' or flag != ''):
self.filenameexpressionsflags = [['', expression, flag]]
if checkfilenames:
self.CheckIfFilesAreValid()
def Glob(self, filename):
if not ('?' in filename or '*' in filename or ('[' in filename and ']' in filename)):
return [filename]
self.containsUnixShellStyleWildcards = True
return glob.glob(filename)
def CheckIfFilesAreValid(self):
valid = []
doesnotexist = []
isnotafile = []
for filename, expression, flag in self.filenameexpressionsflags:
hashfile = False
try:
hashfile = FilenameCheckHash(filename, self.literalfilenames)[0] == FCH_DATA
except:
pass
if filename == '' or hashfile:
valid.append([filename, expression, flag])
elif not os.path.exists(filename):
doesnotexist.append(filename)
elif not os.path.isfile(filename):
isnotafile.append(filename)
else:
valid.append([filename, expression, flag])
self.filenameexpressionsflags = valid
if len(doesnotexist) > 0:
self.warning = True
self.message += 'The following files do not exist and will be skipped: ' + ' '.join(doesnotexist) + '\n'
if len(isnotafile) > 0:
self.warning = True
self.message += 'The following files are not regular files and will be skipped: ' + ' '.join(isnotafile) + '\n'
def Filenames(self):
if self.expressionprefix == None:
return [filename for filename, expression, flag in self.filenameexpressionsflags]
else:
return self.filenameexpressionsflags
def CheckJSON(stringJSON):
try:
object = json.loads(stringJSON)
except:
print('Error parsing JSON')
print(sys.exc_info()[1])
return None
if not isinstance(object, dict):
print('Error JSON is not a dictionary')
return None
if not 'version' in object:
print('Error JSON dictionary has no version')
return None
if object['version'] != 2:
print('Error JSON dictionary has wrong version')
return None
if not 'id' in object:
print('Error JSON dictionary has no id')
return None
if object['id'] != 'didierstevens.com':
print('Error JSON dictionary has wrong id')
return None
if not 'type' in object:
print('Error JSON dictionary has no type')
return None
if object['type'] != 'content':
print('Error JSON dictionary has wrong type')
return None
if not 'fields' in object:
print('Error JSON dictionary has no fields')
return None
if not 'name' in object['fields']:
print('Error JSON dictionary has no name field')
return None
if not 'content' in object['fields']:
print('Error JSON dictionary has no content field')
return None
if not 'items' in object:
print('Error JSON dictionary has no items')
return None
for item in object['items']:
item['content'] = binascii.a2b_base64(item['content'])
return object['items']
CUTTERM_NOTHING = 0
CUTTERM_POSITION = 1
CUTTERM_FIND = 2
CUTTERM_LENGTH = 3
def Replace(string, dReplacements):
if string in dReplacements:
return dReplacements[string]
else:
return string
def ParseInteger(argument):
sign = 1
if argument.startswith('+'):
argument = argument[1:]
elif argument.startswith('-'):
argument = argument[1:]
sign = -1
if argument.startswith('0x'):
return sign * int(argument[2:], 16)
else:
return sign * int(argument)
def ParseCutTerm(argument):
if argument == '':
return CUTTERM_NOTHING, None, ''
oMatch = re.match(r'\-?0x([0-9a-f]+)', argument, re.I)
if oMatch == None:
oMatch = re.match(r'\-?(\d+)', argument)
else:
value = int(oMatch.group(1), 16)
if argument.startswith('-'):
value = -value
return CUTTERM_POSITION, value, argument[len(oMatch.group(0)):]
if oMatch == None:
oMatch = re.match(r'\[([0-9a-f]+)\](\d+)?([+-](?:0x[0-9a-f]+|\d+))?', argument, re.I)
else:
value = int(oMatch.group(1))
if argument.startswith('-'):
value = -value
return CUTTERM_POSITION, value, argument[len(oMatch.group(0)):]
if oMatch == None:
oMatch = re.match(r"\[u?\'(.+?)\'\](\d+)?([+-](?:0x[0-9a-f]+|\d+))?", argument)
else:
if len(oMatch.group(1)) % 2 == 1:
raise Exception("Uneven length hexadecimal string")
else:
return CUTTERM_FIND, (binascii.a2b_hex(oMatch.group(1)), int(Replace(oMatch.group(2), {None: '1'})), ParseInteger(Replace(oMatch.group(3), {None: '0'}))), argument[len(oMatch.group(0)):]
if oMatch == None:
return None, None, argument
else:
if argument.startswith("[u'"):
# convert ascii to unicode 16 byte sequence
searchtext = oMatch.group(1).decode('unicode_escape').encode('utf16')[2:]
else:
searchtext = oMatch.group(1)
return CUTTERM_FIND, (searchtext, int(Replace(oMatch.group(2), {None: '1'})), ParseInteger(Replace(oMatch.group(3), {None: '0'}))), argument[len(oMatch.group(0)):]
def ParseCutArgument(argument):
type, value, remainder = ParseCutTerm(argument.strip())
if type == CUTTERM_NOTHING:
return CUTTERM_NOTHING, None, CUTTERM_NOTHING, None
elif type == None:
if remainder.startswith(':'):
typeLeft = CUTTERM_NOTHING
valueLeft = None
remainder = remainder[1:]
else:
return None, None, None, None
else:
typeLeft = type
valueLeft = value
if typeLeft == CUTTERM_POSITION and valueLeft < 0:
return None, None, None, None
if typeLeft == CUTTERM_FIND and valueLeft[1] == 0:
return None, None, None, None
if remainder.startswith(':'):
remainder = remainder[1:]
else:
return None, None, None, None
type, value, remainder = ParseCutTerm(remainder)
if type == CUTTERM_POSITION and remainder == 'l':
return typeLeft, valueLeft, CUTTERM_LENGTH, value
elif type == None or remainder != '':
return None, None, None, None
elif type == CUTTERM_FIND and value[1] == 0:
return None, None, None, None
else:
return typeLeft, valueLeft, type, value
def Find(data, value, nth, startposition=-1):
position = startposition
while nth > 0:
position = data.find(value, position + 1)
if position == -1:
return -1
nth -= 1
return position
def CutData(stream, cutArgument):
if cutArgument == '':
return [stream, None, None]
typeLeft, valueLeft, typeRight, valueRight = ParseCutArgument(cutArgument)
if typeLeft == None:
return [stream, None, None]
if typeLeft == CUTTERM_NOTHING:
positionBegin = 0
elif typeLeft == CUTTERM_POSITION:
positionBegin = valueLeft
elif typeLeft == CUTTERM_FIND:
positionBegin = Find(stream, valueLeft[0], valueLeft[1])
if positionBegin == -1:
return ['', None, None]
positionBegin += valueLeft[2]
else:
raise Exception("Unknown value typeLeft")
if typeRight == CUTTERM_NOTHING:
positionEnd = len(stream)
elif typeRight == CUTTERM_POSITION and valueRight < 0:
positionEnd = len(stream) + valueRight
elif typeRight == CUTTERM_POSITION:
positionEnd = valueRight + 1
elif typeRight == CUTTERM_LENGTH:
positionEnd = positionBegin + valueRight
elif typeRight == CUTTERM_FIND:
positionEnd = Find(stream, valueRight[0], valueRight[1], positionBegin)
if positionEnd == -1:
return ['', None, None]
else:
positionEnd += len(valueRight[0])
positionEnd += valueRight[2]
else:
raise Exception("Unknown value typeRight")
return [stream[positionBegin:positionEnd], positionBegin, positionEnd]
#-BEGINCODE cDump------------------------------------------------------------------------------------
#import binascii
#import sys
#if sys.version_info[0] >= 3:
# from io import StringIO
#else:
# from cStringIO import StringIO
class cDump():
def __init__(self, data, prefix='', offset=0, dumplinelength=16):
self.data = data
self.prefix = prefix
self.offset = offset
self.dumplinelength = dumplinelength
def HexDump(self):
oDumpStream = self.cDumpStream(self.prefix)
hexDump = ''
for i, b in enumerate(self.data):
if i % self.dumplinelength == 0 and hexDump != '':
oDumpStream.Addline(hexDump)
hexDump = ''
hexDump += IFF(hexDump == '', '', ' ') + '%02X' % self.C2IIP2(b)
oDumpStream.Addline(hexDump)
return oDumpStream.Content()
def CombineHexAscii(self, hexDump, asciiDump):
if hexDump == '':
return ''
countSpaces = 3 * (self.dumplinelength - len(asciiDump))
if len(asciiDump) <= self.dumplinelength / 2:
countSpaces += 1
return hexDump + ' ' + (' ' * countSpaces) + asciiDump
def HexAsciiDump(self, rle=False):
oDumpStream = self.cDumpStream(self.prefix)
position = ''
hexDump = ''
asciiDump = ''
previousLine = None
countRLE = 0
for i, b in enumerate(self.data):
b = self.C2IIP2(b)
if i % self.dumplinelength == 0:
if hexDump != '':
line = self.CombineHexAscii(hexDump, asciiDump)
if not rle or line != previousLine:
if countRLE > 0:
oDumpStream.Addline('* %d 0x%02x' % (countRLE, countRLE * self.dumplinelength))
oDumpStream.Addline(position + line)
countRLE = 0
else:
countRLE += 1
previousLine = line
position = '%08X:' % (i + self.offset)
hexDump = ''
asciiDump = ''
if i % self.dumplinelength == self.dumplinelength / 2:
hexDump += ' '
hexDump += ' %02X' % b
asciiDump += IFF(b >= 32 and b < 128, chr(b), '.')
if countRLE > 0:
oDumpStream.Addline('* %d 0x%02x' % (countRLE, countRLE * self.dumplinelength))
oDumpStream.Addline(self.CombineHexAscii(position + hexDump, asciiDump))
return oDumpStream.Content()
def Base64Dump(self, nowhitespace=False):
encoded = binascii.b2a_base64(self.data)
if nowhitespace:
return encoded
encoded = encoded.strip()
oDumpStream = self.cDumpStream(self.prefix)
length = 64
for i in range(0, len(encoded), length):
oDumpStream.Addline(encoded[0+i:length+i])
return oDumpStream.Content()
class cDumpStream():
def __init__(self, prefix=''):
self.oStringIO = StringIO()
self.prefix = prefix
def Addline(self, line):
if line != '':
self.oStringIO.write(self.prefix + line + '\n')
def Content(self):
return self.oStringIO.getvalue()
@staticmethod
def C2IIP2(data):
if sys.version_info[0] > 2:
return data
else:
return ord(data)
#-ENDCODE cDump--------------------------------------------------------------------------------------
def IfWIN32SetBinary(io):
if sys.platform == 'win32':
import msvcrt
msvcrt.setmode(io.fileno(), os.O_BINARY)
#Fix for http://bugs.python.org/issue11395
def StdoutWriteChunked(data):
if sys.version_info[0] > 2:
sys.stdout.buffer.write(data)
else:
while data != '':
sys.stdout.write(data[0:10000])
try:
sys.stdout.flush()
except IOError:
return
data = data[10000:]
class cVariables():
def __init__(self, variablesstring='', separator=DEFAULT_SEPARATOR):
self.dVariables = {}
if variablesstring == '':
return
for variable in variablesstring.split(separator):
name, value = VariableNameValue(variable)
self.dVariables[name] = value
def SetVariable(self, name, value):
self.dVariables[name] = value
def Instantiate(self, astring):
for key, value in self.dVariables.items():
astring = astring.replace('%' + key + '%', value)
return astring
class cOutput():
def __init__(self, filenameOption=None):
self.starttime = time.time()
self.filenameOption = filenameOption
self.separateFiles = False
self.progress = False
self.console = False
self.head = False
self.headCounter = 0
self.tail = False
self.tailQueue = []
self.fOut = None
self.rootFilenames = {}
if self.filenameOption:
if self.ParseHash(self.filenameOption):
if not self.separateFiles and self.filename != '':
self.fOut = open(self.filename, 'w')
elif self.filenameOption != '':
self.fOut = open(self.filenameOption, 'w')
def ParseHash(self, option):
if option.startswith('#'):
position = self.filenameOption.find('#', 1)
if position > 1:
switches = self.filenameOption[1:position]
self.filename = self.filenameOption[position + 1:]
for switch in switches:
if switch == 's':
self.separateFiles = True
elif switch == 'p':
self.progress = True
elif switch == 'c':
self.console = True
elif switch == 'l':
pass
elif switch == 'g':
if self.filename != '':
extra = self.filename + '-'
else:
extra = ''
self.filename = '%s-%s%s.txt' % (os.path.splitext(os.path.basename(sys.argv[0]))[0], extra, self.FormatTime())
elif switch == 'h':
self.head = True
elif switch == 't':
self.tail = True
else:
return False
return True
return False
@staticmethod
def FormatTime(epoch=None):
if epoch == None:
epoch = time.time()
return '%04d%02d%02d-%02d%02d%02d' % time.localtime(epoch)[0:6]
def RootUnique(self, root):
if not root in self.rootFilenames:
self.rootFilenames[root] = None
return root
iter = 1
while True:
newroot = '%s_%04d' % (root, iter)
if not newroot in self.rootFilenames:
self.rootFilenames[newroot] = None
return newroot
iter += 1
def LineSub(self, line, eol):
if self.fOut == None or self.console:
try:
print(line, end=eol)
except UnicodeEncodeError:
encoding = sys.stdout.encoding
print(line.encode(encoding, errors='backslashreplace').decode(encoding), end=eol)
# sys.stdout.flush()
if self.fOut != None:
self.fOut.write(line + '\n')
self.fOut.flush()
def Line(self, line, eol='\n'):
if self.head:
if self.headCounter < 10:
self.LineSub(line, eol)
elif self.tail:
self.tailQueue = self.tailQueue[-9:] + [[line, eol]]
self.headCounter += 1
elif self.tail:
self.tailQueue = self.tailQueue[-9:] + [[line, eol]]
else:
self.LineSub(line, eol)
def LineTimestamped(self, line):
self.Line('%s: %s' % (self.FormatTime(), line))
def Filename(self, filename, index, total):
self.separateFilename = filename
if self.progress:
if index == 0:
eta = ''
else:
seconds = int(float((time.time() - self.starttime) / float(index)) * float(total - index))
eta = 'estimation %d seconds left, finished %s ' % (seconds, self.FormatTime(time.time() + seconds))
PrintError('%d/%d %s%s' % (index + 1, total, eta, self.separateFilename))
if self.separateFiles and self.filename != '':
oFilenameVariables = cVariables()
oFilenameVariables.SetVariable('f', self.separateFilename)
basename = os.path.basename(self.separateFilename)
oFilenameVariables.SetVariable('b', basename)
oFilenameVariables.SetVariable('d', os.path.dirname(self.separateFilename))
root, extension = os.path.splitext(basename)
oFilenameVariables.SetVariable('r', root)
oFilenameVariables.SetVariable('ru', self.RootUnique(root))
oFilenameVariables.SetVariable('e', extension)
self.Close()
self.fOut = open(oFilenameVariables.Instantiate(self.filename), 'w')
def Close(self):
if self.head and self.tail and len(self.tailQueue) > 0:
self.LineSub('...', '\n')
for line, eol in self.tailQueue:
self.LineSub(line, eol)
self.headCounter = 0
self.tailQueue = []
if self.fOut != None:
self.fOut.close()
self.fOut = None
def ToString(value):
if isinstance(value, str):
return value
else:
return str(value)
def Quote(value, separator, quote):
value = ToString(value)
if len(value) > 1 and value[0] == quote and value[-1] == quote:
return value
if separator in value or value == '':
return quote + value + quote
else:
return value
def MakeCSVLine(row, separator, quote):
return separator.join([Quote(value, separator, quote) for value in row])
class cLogfile():
def __init__(self, keyword, comment):
self.starttime = time.time()
self.errors = 0
if keyword == '':
self.oOutput = None
else:
self.oOutput = cOutput('%s-%s-%s.log' % (os.path.splitext(os.path.basename(sys.argv[0]))[0], keyword, self.FormatTime()))
self.Line('Start')
self.Line('UTC', '%04d%02d%02d-%02d%02d%02d' % time.gmtime(time.time())[0:6])
self.Line('Comment', comment)
self.Line('Args', repr(sys.argv))
self.Line('Version', __version__)
self.Line('Python', repr(sys.version_info))
self.Line('Platform', sys.platform)
self.Line('CWD', repr(os.getcwd()))
@staticmethod
def FormatTime(epoch=None):
if epoch == None:
epoch = time.time()
return '%04d%02d%02d-%02d%02d%02d' % time.localtime(epoch)[0:6]
def Line(self, *line):
if self.oOutput != None:
self.oOutput.Line(MakeCSVLine((self.FormatTime(), ) + line, DEFAULT_SEPARATOR, QUOTE))
def LineError(self, *line):
self.Line('Error', *line)
self.errors += 1
def Close(self):
if self.oOutput != None:
self.Line('Finish', '%d error(s)' % self.errors, '%d second(s)' % (time.time() - self.starttime))
self.oOutput.Close()
def CalculateByteStatistics(dPrevalence=None, data=None):
averageConsecutiveByteDifference = None
if dPrevalence == None:
dPrevalence = {iter: 0 for iter in range(0x100)}
sumDifferences = 0.0
previous = None
if len(data) > 1:
for byte in data:
byte = C2IIP2(byte)
dPrevalence[byte] += 1
if previous != None:
sumDifferences += abs(byte - previous)
previous = byte
averageConsecutiveByteDifference = sumDifferences /float(len(data)-1)
sumValues = sum(dPrevalence.values())
countNullByte = dPrevalence[0]
countControlBytes = 0
countWhitespaceBytes = 0
countUniqueBytes = 0
for iter in range(1, 0x21):
if chr(iter) in string.whitespace:
countWhitespaceBytes += dPrevalence[iter]
else:
countControlBytes += dPrevalence[iter]
countControlBytes += dPrevalence[0x7F]
countPrintableBytes = 0
for iter in range(0x21, 0x7F):
countPrintableBytes += dPrevalence[iter]
countHighBytes = 0
for iter in range(0x80, 0x100):
countHighBytes += dPrevalence[iter]
countHexadecimalBytes = 0
countBASE64Bytes = 0
for iter in range(0x30, 0x3A):
countHexadecimalBytes += dPrevalence[iter]
countBASE64Bytes += dPrevalence[iter]
for iter in range(0x41, 0x47):
countHexadecimalBytes += dPrevalence[iter]
for iter in range(0x61, 0x67):
countHexadecimalBytes += dPrevalence[iter]
for iter in range(0x41, 0x5B):
countBASE64Bytes += dPrevalence[iter]
for iter in range(0x61, 0x7B):
countBASE64Bytes += dPrevalence[iter]
countBASE64Bytes += dPrevalence[ord('+')] + dPrevalence[ord('/')] + dPrevalence[ord('=')]
entropy = 0.0
for iter in range(0x100):
if dPrevalence[iter] > 0:
prevalence = float(dPrevalence[iter]) / float(sumValues)
entropy += - prevalence * math.log(prevalence, 2)
countUniqueBytes += 1
return sumValues, entropy, countUniqueBytes, countNullByte, countControlBytes, countWhitespaceBytes, countPrintableBytes, countHighBytes, countHexadecimalBytes, countBASE64Bytes, averageConsecutiveByteDifference
def GetChunk(position, data):
return [data[:position], data[position:]]
def InstantiateCOutput(options):
filenameOption = None
if options.output != '':
filenameOption = options.output
return cOutput(filenameOption)
def Unpack(format, data):
size = struct.calcsize(format)
result = list(struct.unpack(format, data[:size]))
result.append(data[size:])
return result
def Represent(data):
if sum([ord(c) for c in data]) == 0:
return '(NULL ...)'
else:
return repr(data.rstrip('\x00'))
def PrefixIfNeeded(string, prefix=' '):
if string == '':
return string
else:
return prefix + string
def Xor(data, key):
data = C2SIP3(data)
key = C2SIP3(key)
return C2BIP3(''.join(chr(ord(data[i]) ^ ord(key[i % len(key)])) for i in range(len(data))))
def FindAll(data, sub):
result = []
start = 0
while True:
position = data.find(sub, start)
if position == -1:
return result
result.append(position)
start = position + 1
def FindAllList(data, searches):
result = []
for element in searches:
result.extend(FindAll(data, element))
return sorted(list(set(result)))
def DecodeSectionnameIfNeeded(name):
if name.startswith('.'):
return name
xorkey = ord(name[0]) ^ ord('.')
newname = ''.join([chr(ord(c) ^ xorkey) for c in name]).rstrip('\x00')
return newname
def GetDataSection(data):
sectionnames = []
try:
oPE = pefile.PE(data=data)
except Exception as e:
return e.value, None
for section in oPE.sections:
if sys.version_info[0] >= 3:
sectionname = ''.join(filter(lambda c:c != '\0', str(section.Name.decode('unicode_escape'))))
else:
sectionname = ''.join(filter(lambda c:c != '\0', section.Name))
sectionnames.append(repr(sectionname))
if DecodeSectionnameIfNeeded(sectionname) == '.data':
return None, section.get_data()
return '.data section not found: ' + ' '.join(sectionnames), None
def StatisticalSearch(payloadsectiondata, key):
start = None
end = None
position = 0
while len(payloadsectiondata) > 8:
block, payloadsectiondata = GetChunk(8, payloadsectiondata)
if sum([IFF(c == key, 1, 0) for c in block]) > 2:
if start == None:
start = position
end = position + 7
else:
end = position + 7
position += 8
return start, end
def AnalyzeShellcode(shellcode, oOutput):
dInstructions = {b'\x68': 'push', b'\xB8': 'mov eax'}
dJSONData = GetJSONData()
dLookupValues = dJSONData.get('dLookupValues', {})
position = shellcode.rfind(b'\xFF\xFF')
if position != -1:
parameters = shellcode[position+2:]
position00 = parameters.find(b'\x00')
remainder = b''
if position00 != -1:
remainder = parameters[position00 + 1:]
parameters = parameters[:position00]
oOutput.Line('Parameter: %d %s' % (position, repr(parameters)))
if len(remainder) == 4:
licenseid = struct.unpack('>I',remainder)[0]
info = 'license-id: %d %d' % (position + position00 + 1, licenseid)
info += LookupValue("37", '%d' % licenseid, dLookupValues)
oOutput.Line(info)
for pushPosition in FindAllList(shellcode, dInstructions.keys()):
if pushPosition + 5 <= len(shellcode):
if position == -1:
oOutput.Line('%s: %d %d %d.%d.%d.%d %s' % (dInstructions[shellcode[pushPosition:pushPosition+1]], pushPosition, struct.unpack('<I', shellcode[pushPosition + 1:pushPosition + 5])[0], ord(shellcode[pushPosition + 1]), ord(shellcode[pushPosition + 2]), ord(shellcode[pushPosition + 3]), ord(shellcode[pushPosition + 4]), repr(shellcode[pushPosition:pushPosition + 5])))
elif shellcode[pushPosition + 3:pushPosition + 5] == b'\x00\x00':
oOutput.Line('%s: %d %d %s' % (dInstructions[shellcode[pushPosition:pushPosition+1]], pushPosition, struct.unpack('<H', shellcode[pushPosition + 1:pushPosition + 3])[0], repr(shellcode[pushPosition:pushPosition + 5])))
for str in ExtractStringsASCII(shellcode):
if len(str) == 5 and str.startswith(b'/') or str.startswith(b'User-Agent: ') or str.startswith(b'Mozilla/'):
positions = FindAll(shellcode, str)
oOutput.Line('String: %s %s' % (','.join(['%d' % position for position in positions]),str))
REGEX_STANDARD = b'[\x09\x20-\x7E]'
def ExtractStringsASCII(data):
regex = REGEX_STANDARD + b'{%d,}'
return re.findall(regex % 1, data)
def LookupConfigValue(id, value):
dConfigValues = {
0x0001: {
0: 'windows-beacon_http-reverse_http',
1: 'windows-beacon_dns-reverse_http',
2: 'windows-beacon_smb-bind_pipz',
8: 'windows-beacon_https-reverse_https',
16: 'windows-beacon_tcp-bind_tcp',
},
0x0023: {
1: 'no proxy',
2: 'IE settings',
4: 'hardcoded proxy',
},
0x002b: {
0x01: 'PAGE_NOACCESS',
0x02: 'PAGE_READONLY',
0x04: 'PAGE_READWRITE',
0x08: 'PAGE_WRITECOPY',
0x10: 'PAGE_EXECUTE',
0x20: 'PAGE_EXECUTE_READ',
0x40: 'PAGE_EXECUTE_READWRITE',
0x80: 'PAGE_EXECUTE_WRITECOPY',
},
}
return PrefixIfNeeded(dConfigValues[id].get(value, ''))
def ConvertIntToIPv4(value):
return ' %d.%d.%d.%d' % (C2IIP2(value[0]), C2IIP2(value[1]), C2IIP2(value[2]), C2IIP2(value[3]))
def ToHexadecimal(value):
return binascii.b2a_hex(value).decode()
def LookupValue(number, value, dInfo):
lookup = ''
if number in dInfo:
lookup = dInfo[number].get(value, '')
return PrefixIfNeeded(lookup)
def InterpretValue(info, number, value, dConfigValueInterpreter):
interpreted = ''
if number in dConfigValueInterpreter:
interpreted = dConfigValueInterpreter[number](value)
return info + interpreted
def GetScriptPath():
if getattr(sys, 'frozen', False):
return os.path.dirname(sys.executable)
else:
return os.path.dirname(sys.argv[0])
def GetJSONData():
filename = os.path.join(GetScriptPath(), '1768.json')
if not os.path.isfile(filename):
return {}
return json.load(open(filename, 'r'))
def AnalyzeEmbeddedPEFile(payloadsectiondata, oOutput, options):
xorKey = b'i'
config, startconfig, endconfig = CutData(Xor(payloadsectiondata, xorKey), '[000100010002]:')
if len(config) == 0:
xorKey = b'.'
config, startconfig, endconfig = CutData(Xor(payloadsectiondata, xorKey), '[000100010002]:')
if len(config) == 0:
xorKey = b'i'
startconfig, endconfig = StatisticalSearch(payloadsectiondata, xorKey)
if startconfig == None:
xorKey = b'.'
startconfig, endconfig = StatisticalSearch(payloadsectiondata, xorKey)
if startconfig == None:
oOutput.Line('Error: config not found')
return
else:
oOutput.Line('Config found (statistical): xorkey %s 0x%08x 0x%08x' % (xorKey, startconfig, endconfig))
oOutput.Line(cDump(Xor(payloadsectiondata[startconfig:endconfig + 1], xorKey)).HexAsciiDump(rle=True))
return
# oOutput.Line('Config found: 0x%08x 0x%08x %s' % (startconfig, endconfig, ' '.join(['0x%08x' % position for position in FindAll(payloadsectiondata, '\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF')])))
# oOutput.Line('Config found: 0x%08x 0x%08x %s' % (startconfig, endconfig, ' '.join(['0x%08x' % position for position in FindAll(payloadsectiondata, '\x90\x01\x00\x00')])))
oOutput.Line('Config found: xorkey %s 0x%08x 0x%08x' % (xorKey, startconfig, endconfig))
data = config
dConfigIdentifiers = {
0x0001: 'payload type',
0x0002: 'port',
0x0003: 'sleeptime',
0x0004: 'maxgetsize', #
0x0005: 'jitter',
0x0006: 'maxdns',
0x0007: 'publickey',
0x0008: 'server,get-uri',
0x0009: 'useragent',
0x000a: 'post-uri',
0x000b: 'Malleable_C2_Instructions', #
0x000c: 'http_get_header',
0x000d: 'http_post_header',
0x000e: 'SpawnTo', #
0x000f: 'pipename',
0x0010: 'killdate_year', #
0x0011: 'killdate_month', #
0x0012: 'killdate_day', #
0x0013: 'DNS_Idle', #
0x0014: 'DNS_Sleep', #
0x0015: 'SSH_', #
0x0016: 'SSH_', #
0x0017: 'SSH_', #
0x0018: 'SSH_', #
0x0019: 'SSH_', #
0x001a: 'get-verb',
0x001b: 'post-verb',
0x001c: 'HttpPostChunk', #
0x001d: 'spawnto_x86',
0x001e: 'spawnto_x64',
0x001f: 'CryptoScheme', #
0x0020: 'proxy',
0x0021: 'proxy_username',
0x0022: 'proxy_password',
0x0023: 'proxy_type',
0x0024: 'deprecated', #
0x0025: 'license-id',
0x0026: 'bStageCleanup', #
0x0027: 'bCFGCaution', #
0x0028: 'killdate',
0x0029: 'textSectionEnd', #
0x002a: 'ObfuscateSectionsInfo', #
0x002b: 'process-inject-start-rwx',
0x002c: 'process-inject-use-rwx',
0x002d: 'process-inject-min_alloc',
0x002e: 'process-inject-transform-x86',
0x002f: 'process-inject-transform-x64',
0x0032: 'UsesCookies',
0x0033: 'process-inject-execute',
0x0034: 'process-inject-allocation-method',
0x0035: 'process-inject-stub',
0x0036: 'HostHeader',
}
dConfigValueInterpreter = {
0x0001: lambda value: LookupConfigValue(0x0001, value),
0x0007: ToHexadecimal,
0x0013: ConvertIntToIPv4,
0x0023: lambda value: LookupConfigValue(0x0023, value),
0x002b: lambda value: LookupConfigValue(0x002b, value),
0x002c: lambda value: LookupConfigValue(0x002b, value),
}
dJSONData = GetJSONData()
dLookupValues = dJSONData.get('dLookupValues', {})
while len(data) >= 2:
formatNumber = '>H'
formatTypeLength = '>HH'
ntlBytes = data[0:struct.calcsize(formatNumber) + struct.calcsize(formatTypeLength)]
number, data = Unpack(formatNumber, data)
if number == 0:
oOutput.Line('0x%04x' % number)
break
type, length, data = Unpack(formatTypeLength, data)
parameter, data = GetChunk(length, data)
info = ''
if type == 1 and length == 2:
identifier = struct.unpack('>H', parameter)[0]
info = InterpretValue('%d' % identifier, number, identifier, dConfigValueInterpreter)
elif type == 2 and length == 4:
value = '%d' % struct.unpack('>I', parameter)[0]
info = InterpretValue(value, number, parameter[0:4], dConfigValueInterpreter)
info += LookupValue(str(number), value, dLookupValues)
elif type == 3 and not number in [0x0c, 0x0d]:
info = InterpretValue('', number, parameter, dConfigValueInterpreter)
if info == '':
info = Represent(C2SIP3(parameter))
oOutput.Line(('0x%04x %-' + str(max([len(value) for value in dConfigIdentifiers.values()])) + 's 0x%04x 0x%04x%s') % (number, dConfigIdentifiers.get(number, ''), type, length, PrefixIfNeeded(info)))
if type == 3 and number in [0x0c, 0x0d]:
# parameters = parameter
# while len(parameters) >= 8 and sum([C2IIP2(c) for c in parameters]) != 0:
# type, parameters = Unpack('>I', parameters)
# if type != 3:
# length, parameters = Unpack('>I', parameters)
# parameter, parameters = GetChunk(length, parameters)
# else:
# length = None
# if type == 3:
# oOutput.Line(' 0x%04x' % (type))
# else:
# oOutput.Line(' 0x%04x 0x%04x%s' % (type, length, PrefixIfNeeded(Represent(C2SIP3(parameter)))))
for string in ExtractStringsASCII(parameter):
oOutput.Line(' %s' % (string))
if options.select != '':
select = ParseInteger(options.select)
if number == select:
oOutput.Line(' Decoded: %s' % ToHexadecimal(ntlBytes + parameter))
oOutput.Line(" 'i'-encoded: %s" % ToHexadecimal(Xor(ntlBytes + parameter, b'i')))
oOutput.Line(" '.'-encoded: %s" % ToHexadecimal(Xor(ntlBytes + parameter, b'.')))
def DetectPEFile(data):
if len(data) < 40:
return False
if data[0:2] != b'MZ':
return False
offsetbytes = data[0x3C:0x3C + 4]
if len(offsetbytes) != 4:
return False
offset = struct.unpack('<I', offsetbytes)[0]
if data[offset:offset + 2] != b'PE':
return False
return True
def StripLeadingNOPs(data):
return data.lstrip(b'\x90')
def XORChain(iKey, encodedData):
decodedData = b''
xorkey = iKey
while len(encodedData) >= 4:
encoded = struct.unpack('<I', encodedData[0:4])[0]
decodedData += struct.pack('<I', encoded ^ xorkey)
xorkey = encoded
encodedData = encodedData[4:]
return decodedData
def TryXORChainDecoding(data):
if len(data) < 0x100:
return data, []
formatstring = '<III'
formatlength = struct.calcsize(formatstring)
for iIter in range(1, 0x100):
bytesValues = data[iIter:iIter + formatlength]
if len(bytesValues) != formatlength:
return data, []
xorKey, xorEncodedLength, xorEncodedMZ = struct.unpack(formatstring, bytesValues)
decodedMZ = xorKey ^ xorEncodedMZ
if struct.pack('<I', decodedMZ)[0:2] != b'MZ':
continue
decodedLength = xorKey ^ xorEncodedLength
decodedData = XORChain(xorKey, data[iIter + formatlength - 4:iIter + formatlength - 4 + decodedLength])
if DetectPEFile(decodedData):
return decodedData, ['xorkey(chain): 0x%08x' % xorKey, 'length: 0x%08x' % decodedLength]
return data, []
def ExtractPEFile(data):
if DetectPEFile(data):
return data, []
extracted = StripLeadingNOPs(data)
if DetectPEFile(extracted):
return extracted, ['leading NOPs: 0x%04x' % (len(data) - len(extracted))]
extracted, messages = TryXORChainDecoding(data)
if DetectPEFile(extracted):
return extracted, messages
return data, []
def TestShellcodeHeuristic(data):
return b'hwini' in data[:0x1000] or b'hws2_' in data[:0x1000] or (data[0:1] == b'\xFC' and len(data) < 0x1000)
def ProcessBinaryFile(filename, content, cutexpression, flag, oOutput, oLogfile, options, oParserFlag):
if content == None:
try:
oBinaryFile = cBinaryFile(filename, C2BIP3(options.password), options.noextraction, options.literalfilenames)
except:
oLogfile.LineError('Opening file %s %s' % (filename, repr(sys.exc_info()[1])))
return
oLogfile.Line('Success', 'Opening file %s' % filename)
try:
data = oBinaryFile.read()
except:
oLogfile.LineError('Reading file %s %s' % (filename, repr(sys.exc_info()[1])))
return
data = CutData(data, cutexpression)[0]
oBinaryFile.close()
else:
data = content
(flagoptions, flagargs) = oParserFlag.parse_args(flag.split(' '))
try:
# ----- Put your data processing code here -----
oOutput.Line('File: %s%s' % (filename, IFF(oBinaryFile.extracted, ' (extracted)', '')))
data, messages = ExtractPEFile(data)
for message in messages:
oOutput.Line(message)
if data[0:2] == b'MZ' and not options.raw:
error, sectiondata = GetDataSection(data)
if error != None:
oOutput.Line('Error: PE file error: %s' % error)
elif len(sectiondata) < 16:
oOutput.Line('Error: section .data too small: %d' % len(sectiondata))
else:
payloadType, payloadSize, intxorkey, id2, sectiondata = Unpack('<IIII', sectiondata)
xorkey = struct.pack('<I', intxorkey)
oOutput.Line('payloadType: 0x%08x' % payloadType)
oOutput.Line('payloadSize: 0x%08x' % payloadSize)
oOutput.Line('intxorkey: 0x%08x' % intxorkey)
oOutput.Line('id2: 0x%08x' % id2)
if payloadSize > len(sectiondata):
oOutput.Line('Error: payload size too large: 0x%08x' % payloadSize)
oOutput.Line('.data section size: 0x%08x' % len(sectiondata))
return
# if payloadSize <= 0:
# oOutput.Line('Error: payload size too small: 0x%08x' % payloadSize)
# return
payload = Xor(sectiondata[:payloadSize], xorkey)
error, payloadsectiondata = GetDataSection(payload)
if error != None:
positionMZ = payload.find(b'MZ')
if positionMZ != 0:
if b'ihihik' in sectiondata or b'././.,' in sectiondata:
AnalyzeEmbeddedPEFile(data, oOutput, options)
elif TestShellcodeHeuristic(payload):
oOutput.Line('Probably found shellcode:')
AnalyzeShellcode(payload, oOutput)
oOutput.Line(cDump(payload).HexAsciiDump(rle=False))
elif positionMZ >= 0 and positionMZ < 0x20:
oOutput.Line('MZ header found position %d' % positionMZ)
AnalyzeEmbeddedPEFile(payload[positionMZ:], oOutput, options)
else:
oOutput.Line('MZ header not found, truncated dump:')
oOutput.Line(cDump(payload[:0x1000]).HexAsciiDump(rle=True))
else:
oOutput.Line('Error: embedded PE file error: %s' % error)
else:
AnalyzeEmbeddedPEFile(payloadsectiondata, oOutput, options)
elif TestShellcodeHeuristic(data):
oOutput.Line('Probably found shellcode:')
AnalyzeShellcode(data, oOutput)
oOutput.Line(cDump(data).HexAsciiDump(rle=False))
else:
for position in FindAll(data, b'ihihik') + FindAll(data, b'././.,'):
AnalyzeEmbeddedPEFile(data[position:position+0x10000], oOutput, options)
# oOutput.Line(cDump(data[0:0x100]).HexAsciiDump())
# ----------------------------------------------
except:
oLogfile.LineError('Processing file %s %s' % (filename, repr(sys.exc_info()[1])))
if not options.ignoreprocessingerrors:
raise
# data = CutData(cBinaryFile(filename, C2BIP3(options.password), options.noextraction, options.literalfilenames).Data(), cutexpression)[0]
def FormatTime(epoch=None):
if epoch == None:
epoch = time.time()
return '%04d%02d%02d-%02d%02d%02d' % time.localtime(epoch)[0:6]
def SpaceEvery2Characters(string):
result = []
while string != '':
result.append(string[0:2])
string = string[2:]
return ' '.join(result)
def ProcessLicenseIDs(oOutput, oLogfile, options):
rule_config = '''rule cs_%s_licenseid {
meta:
license_name = "%s"
license_id = "%d"
info = "rule generated by 1768.py on %s"
strings:
$a = { %s }
condition:
$a
}
'''
rule_config_i = '''rule cs_%s_licenseid_i {
meta:
license_name = "%s"
license_id = "%d"
info = "rule generated by 1768.py on %s"
strings:
$a = { %s }
condition:
$a
}
'''
rule_config_dot = '''rule cs_%s_licenseid_dot {
meta:
license_name = "%s"
license_id = "%d"
info = "rule generated by 1768.py on %s"
strings:
$a = { %s }
condition:
$a
}
'''
rule_shellcode = '''rule cs_%s_licenseid_shellcode {
meta:
license_name = "%s"
license_id = "%d"
info = "rule generated by 1768.py on %s"
strings:
$a = { %s }
condition:
$a and filesize < 10000
}
'''
rule_shellcode_00 = '''rule cs_%s_licenseid_shellcode_00 {
meta:
license_name = "%s"
license_id = "%d"
info = "rule generated by 1768.py on %s"
strings:
$a = { %s }
condition:
$a and filesize < 10000
}
'''
rule_shellcode_00_end = '''rule cs_%s_licenseid_shellcode_00_end {
meta:
license_name = "%s"
license_id = "%d"
info = "rule generated by 1768.py on %s"
strings:
$a = { %s }
condition:
$a and filesize < 10000 and $a at (filesize - 5)
}
'''
for licenseid in options.licenseids.split(','):
result = licenseid.split(':', 1)
if len(result) == 1:
idInteger = ParseInteger(licenseid)
bytes = struct.pack('>I', idInteger)
idName = binascii.b2a_hex(bytes).decode()
else:
idInteger = ParseInteger(result[1])
bytes = struct.pack('>I', idInteger)
idName = result[0]
prefix = b'\x00\x25\x00\x02\x00\x04'
oOutput.Line(rule_config % (idName, idName, idInteger, FormatTime(), SpaceEvery2Characters(binascii.b2a_hex(prefix + bytes).decode())))
oOutput.Line(rule_config_i % (idName, idName, idInteger, FormatTime(), SpaceEvery2Characters(binascii.b2a_hex(Xor(prefix + bytes, b'i')).decode())))
oOutput.Line(rule_config_dot % (idName, idName, idInteger, FormatTime(), SpaceEvery2Characters(binascii.b2a_hex(Xor(prefix + bytes, b'.')).decode())))
oOutput.Line(rule_shellcode % (idName, idName, idInteger, FormatTime(), SpaceEvery2Characters(binascii.b2a_hex(bytes).decode())))
oOutput.Line(rule_shellcode_00 % (idName, idName, idInteger, FormatTime(), SpaceEvery2Characters(binascii.b2a_hex(b'\x00' + bytes).decode())))
oOutput.Line(rule_shellcode_00_end % (idName, idName, idInteger, FormatTime(), SpaceEvery2Characters(binascii.b2a_hex(b'\x00' + bytes).decode())))
def ProcessBinaryFiles(filenames, oLogfile, options, oParserFlag):
oOutput = InstantiateCOutput(options)
index = 0
if options.jsoninput:
items = CheckJSON(sys.stdin.read())
if items == None:
return
for item in items:
oOutput.Filename(item['name'], index, len(items))
index += 1
ProcessBinaryFile(item['name'], item['content'], '', '', oOutput, oLogfile, options, oParserFlag)
elif options.licenseids != '':
ProcessLicenseIDs(oOutput, oLogfile, options)
else:
for filename, cutexpression, flag in filenames:
oOutput.Filename(filename, index, len(filenames))
index += 1
ProcessBinaryFile(filename, None, cutexpression, flag, oOutput, oLogfile, options, oParserFlag)
def Main():
moredesc = '''
Source code put in the public domain by Didier Stevens, no Copyright
Use at your own risk
https://DidierStevens.com'''
oParserFlag = optparse.OptionParser(usage='\nFlag arguments start with #f#:')
oParserFlag.add_option('-l', '--length', action='store_true', default=False, help='Print length of files')
oParser = optparse.OptionParser(usage='usage: %prog [options] [[@]file|cut-expression|flag-expression ...]\n' + __description__ + moredesc, version='%prog ' + __version__, epilog='This tool also accepts flag arguments (#f#), read the man page (-m) for more info.')
oParser.add_option('-m', '--man', action='store_true', default=False, help='Print manual')
oParser.add_option('-r', '--raw', action='store_true', default=False, help='Search through the file as a binary file, do not parse as a PE file')
oParser.add_option('-s', '--select', default='', help='Field to select')
oParser.add_option('-o', '--output', type=str, default='', help='Output to file (# supported)')
oParser.add_option('-l', '--licenseids', default='', help='License ID(s)/Watermark(s) to generate YARA rules for')
oParser.add_option('-p', '--password', default='infected', help='The ZIP password to be used (default infected)')
oParser.add_option('-n', '--noextraction', action='store_true', default=False, help='Do not extract from archive file')
oParser.add_option('--literalfilenames', action='store_true', default=False, help='Do not interpret filenames')
oParser.add_option('--recursedir', action='store_true', default=False, help='Recurse directories (wildcards and here files (@...) allowed)')
oParser.add_option('--checkfilenames', action='store_true', default=False, help='Perform check if files exist prior to file processing')
oParser.add_option('-j', '--jsoninput', action='store_true', default=False, help='Consume JSON from stdin')
oParser.add_option('--logfile', type=str, default='', help='Create logfile with given keyword')
oParser.add_option('--logcomment', type=str, default='', help='A string with comments to be included in the log file')
oParser.add_option('--ignoreprocessingerrors', action='store_true', default=False, help='Ignore errors during file processing')
(options, args) = oParser.parse_args()
if options.man:
oParser.print_help()
oParserFlag.print_help()
PrintManual()
return
if len(args) != 0 and options.jsoninput:
print('Error: option -j can not be used with files')
return
oLogfile = cLogfile(options.logfile, options.logcomment)
oExpandFilenameArguments = cExpandFilenameArguments(args, options.literalfilenames, options.recursedir, options.checkfilenames, '#c#', '#f#')
oLogfile.Line('FilesCount', str(len(oExpandFilenameArguments.Filenames())))
oLogfile.Line('Files', repr(oExpandFilenameArguments.Filenames()))
if oExpandFilenameArguments.warning:
PrintError('\nWarning:')
PrintError(oExpandFilenameArguments.message)
oLogfile.Line('Warning', repr(oExpandFilenameArguments.message))
ProcessBinaryFiles(oExpandFilenameArguments.Filenames(), oLogfile, options, oParserFlag)
if oLogfile.errors > 0:
PrintError('Number of errors: %d' % oLogfile.errors)
oLogfile.Close()
if __name__ == '__main__':
Main()
参考文章:https://isc.sans.edu/diary/27176
本文参与 腾讯云自媒体分享计划,分享自微信公众号。
原始发表:2021-03-09,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读