def scan(file_path):
# print "I am scanning VBA on file:", file_path
vba_malicious_script = None
ot = Output_Item()
url_count = 0
iom = 0
report = ""
path = os.path.dirname(__file__) + "\malicious_vba_list.txt"
with open(path, 'r') as f:
vba_malicious_script = f.readlines()
f.close()
# print vba_malicious_script
f = open(file_path, 'r')
data = f.read()
# print data
f.close()
for pattern in vba_malicious_script:
pattern = pattern.strip('\n')
regex = re.compile(pattern, re.I)
match = regex.findall(data)
# pdb.set_trace()
# print "\nPattern: "+pattern+", Match: "+str(len(match))+"\n"
report = report + "\nPattern: " + pattern + ", Match: " + str(
len(match)) + "\n"
iom += len(match) * 10
ot.set_item(iom, report)
return ot
def scan(file_path):
# print "I am scanning VBA on file:", file_path
vba_malicious_script=None
ot=Output_Item()
url_count=0
iom=0
report=""
path=os.path.dirname(__file__)+"\malicious_vba_list.txt"
with open(path, 'r') as f:
vba_malicious_script=f.readlines()
f.close()
# print vba_malicious_script
f = open(file_path, 'r')
data=f.read()
# print data
f.close()
for pattern in vba_malicious_script:
pattern=pattern.strip('\n')
regex=re.compile(pattern,re.I)
match=regex.findall(data)
# pdb.set_trace()
# print "\nPattern: "+pattern+", Match: "+str(len(match))+"\n"
report=report+"\nPattern: "+pattern+", Match: "+str(len(match))+"\n"
iom+=len(match)*10
ot.set_item(iom,report)
return ot
def scan(file_path):
print "I am scanning AS on file:", file_path
ot = Output_Item()
url_count = 0
iom = 0
report = ""
ot.set_item(iom, report)
return ot
def scan(file_path): print "I am scanning AS on file:", file_path ot=Output_Item() url_count=0 iom=0 report="" ot.set_item(iom,report) return ot
def scan(file_path):
ot=Output_Item()
url_count=0
iom=0
report=""
url_white_list=[
"openxmlformats",
"microsoft",
"purl",
"w3",
"dublincore" #vba
]
url_not_white_list=list()
# report=report+"\n\nScanning URL on file:"+file_path
f = open(file_path, 'rb')
data = f.read()
f.close()
url=r"http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+"
# url2=r"(?:http://(?:(?:(?:(?:(?:[a-zA-Z\d](?:(?:[a-zA-Z\d]|-)*[a-zA-Z\d])?)\. )*(?:[a-zA-Z](?:(?:[a-zA-Z\d]|-)*[a-zA-Z\d])?))|(?:(?:\d+)(?:\.(?:\d+) ){3}))(?::(?:\d+))?)(?:/(?:(?:(?:(?:[a-zA-Z\d$\-_.+!*'(),]|(?:%[a-fA-F \d]{2}))|[;:@&=])*)(?:/(?:(?:(?:[a-zA-Z\d$\-_.+!*'(),]|(?:%[a-fA-F\d]{2}))|[;:@&=])*))*)(?:\?(?:(?:(?:[a-zA-Z\d$\-_.+!*'(),]|(?:%[a-fA-F\d]{2}))|[;:@&=])*))?)?)|(?:ftp://(?:(?:(?:(?:(?:[a-zA-Z\d$\-_.+!*'(),]|(? :%[a-fA-F\d]{2}))|[;?&=])*)(?::(?:(?:(?:[a-zA-Z\d$\-_.+!*'(),]|(?:%[a- fA-F\d]{2}))|[;?&=])*))?@)?(?:(?:(?:(?:(?:[a-zA-Z\d](?:(?:[a-zA-Z\d]|- )*[a-zA-Z\d])?)\.)*(?:[a-zA-Z](?:(?:[a-zA-Z\d]|-)*[a-zA-Z\d])?))|(?:(? :\d+)(?:\.(?:\d+)){3}))(?::(?:\d+))?))(?:/(?:(?:(?:(?:[a-zA-Z\d$\-_.+! *'(),]|(?:%[a-fA-F\d]{2}))|[?:@&=])*)(?:/(?:(?:(?:[a-zA-Z\d$\-_.+!*'() ,]|(?:%[a-fA-F\d]{2}))|[?:@&=])*))*)(?:;type=[AIDaid])?)?)|(?:news:(?: (?:(?:(?:[a-zA-Z\d$\-_.+!*'(),]|(?:%[a-fA-F\d]{2}))|[;/?:&=])+@(?:(?:(?:(?:[a-zA-Z\d](?:(?:[a-zA-Z\d]|-)*[a-zA-Z\d])?)\.)*(?:[a-zA-Z](?:(?:[a-zA-Z\d]|-)*[a-zA-Z\d])?))|(?:(?:\d+)(?:\.(?:\d+)){3})))|(?:[a-zA-Z](?:[a-zA-Z\d]|[_.+-])*)|\*))|(?:nntp://(?:(?:(?:(?:(?:[a-zA-Z\d](?:(?:[a-zA-Z\d]|-)*[a-zA-Z\d])?)\.)*(?:[a-zA-Z](?:(?:[a-zA-Z\d]|-)*[a-zA-Z\d ])?))|(?:(?:\d+)(?:\.(?:\d+)){3}))(?::(?:\d+))?)/(?:[a-zA-Z](?:[a-zA-Z \d]|[_.+-])*)(?:/(?:\d+))?)|(?:telnet://(?:(?:(?:(?:(?:[a-zA-Z\d$\-_.+ !*'(),]|(?:%[a-fA-F\d]{2}))|[;?&=])*)(?::(?:(?:(?:[a-zA-Z\d$\-_.+!*'() ,]|(?:%[a-fA-F\d]{2}))|[;?&=])*))?@)?(?:(?:(?:(?:(?:[a-zA-Z\d](?:(?:[a -zA-Z\d]|-)*[a-zA-Z\d])?)\.)*(?:[a-zA-Z](?:(?:[a-zA-Z\d]|-)*[a-zA-Z\d] )?))|(?:(?:\d+)(?:\.(?:\d+)){3}))(?::(?:\d+))?))/?)|(?:gopher://(?:(?: (?:(?:(?:[a-zA-Z\d](?:(?:[a-zA-Z\d]|-)*[a-zA-Z\d])?)\.)*(?:[a-zA-Z](?: (?:[a-zA-Z\d]|-)*[a-zA-Z\d])?))|(?:(?:\d+)(?:\.(?:\d+)){3}))(?::(?:\d+ ))?)(?:/(?:[a-zA-Z\d$\-_.+!*'(),;/?:@&=]|(?:%[a-fA-F\d]{2}))(?:(?:(?:[a-zA-Z\d$\-_.+!*'(),;/?:@&=]|(?:%[a-fA-F\d]{2}))*)(?:%09(?:(?:(?:[a-zA -Z\d$\-_.+!*'(),]|(?:%[a-fA-F\d]{2}))|[;:@&=])*)(?:%09(?:(?:[a-zA-Z\d$ \-_.+!*'(),;/?:@&=]|(?:%[a-fA-F\d]{2}))*))?)?)?)?)|(?:wais://(?:(?:(?: (?:(?:[a-zA-Z\d](?:(?:[a-zA-Z\d]|-)*[a-zA-Z\d])?)\.)*(?:[a-zA-Z](?:(?: [a-zA-Z\d]|-)*[a-zA-Z\d])?))|(?:(?:\d+)(?:\.(?:\d+)){3}))(?::(?:\d+))? )/(?:(?:[a-zA-Z\d$\-_.+!*'(),]|(?:%[a-fA-F\d]{2}))*)(?:(?:/(?:(?:[a-zA -Z\d$\-_.+!*'(),]|(?:%[a-fA-F\d]{2}))*)/(?:(?:[a-zA-Z\d$\-_.+!*'(),]|(?:%[a-fA-F\d]{2}))*))|\?(?:(?:(?:[a-zA-Z\d$\-_.+!*'(),]|(?:%[a-fA-F\d] {2}))|[;:@&=])*))?)|(?:mailto:(?:(?:[a-zA-Z\d$\-_.+!*'(),;/?:@&=]|(?:% [a-fA-F\d]{2}))+))|(?:file://(?:(?:(?:(?:(?:[a-zA-Z\d](?:(?:[a-zA-Z\d] |-)*[a-zA-Z\d])?)\.)*(?:[a-zA-Z](?:(?:[a-zA-Z\d]|-)*[a-zA-Z\d])?))|(?: (?:\d+)(?:\.(?:\d+)){3}))|localhost)?/(?:(?:(?:(?:[a-zA-Z\d$\-_.+!*'() ,]|(?:%[a-fA-F\d]{2}))|[?:@&=])*)(?:/(?:(?:(?:[a-zA-Z\d$\-_.+!*'(),]|(?:%[a-fA-F\d]{2}))|[?:@&=])*))*))|(?:prospero://(?:(?:(?:(?:(?:[a-zA-Z \d](?:(?:[a-zA-Z\d]|-)*[a-zA-Z\d])?)\.)*(?:[a-zA-Z](?:(?:[a-zA-Z\d]|-) *[a-zA-Z\d])?))|(?:(?:\d+)(?:\.(?:\d+)){3}))(?::(?:\d+))?)/(?:(?:(?:(? :[a-zA-Z\d$\-_.+!*'(),]|(?:%[a-fA-F\d]{2}))|[?:@&=])*)(?:/(?:(?:(?:[a- zA-Z\d$\-_.+!*'(),]|(?:%[a-fA-F\d]{2}))|[?:@&=])*))*)(?:(?:;(?:(?:(?:[a-zA-Z\d$\-_.+!*'(),]|(?:%[a-fA-F\d]{2}))|[?:@&])*)=(?:(?:(?:[a-zA-Z\d $\-_.+!*'(),]|(?:%[a-fA-F\d]{2}))|[?:@&])*)))*)|(?:ldap://(?:(?:(?:(?: (?:(?:[a-zA-Z\d](?:(?:[a-zA-Z\d]|-)*[a-zA-Z\d])?)\.)*(?:[a-zA-Z](?:(?: [a-zA-Z\d]|-)*[a-zA-Z\d])?))|(?:(?:\d+)(?:\.(?:\d+)){3}))(?::(?:\d+))? ))?/(?:(?:(?:(?:(?:(?:(?:[a-zA-Z\d]|%(?:3\d|[46][a-fA-F\d]|[57][Aa\d]) )|(?:%20))+|(?:OID|oid)\.(?:(?:\d+)(?:\.(?:\d+))*))(?:(?:%0[Aa])?(?:%2 0)*)=(?:(?:%0[Aa])?(?:%20)*))?(?:(?:[a-zA-Z\d$\-_.+!*'(),]|(?:%[a-fA-F \d]{2}))*))(?:(?:(?:%0[Aa])?(?:%20)*)\+(?:(?:%0[Aa])?(?:%20)*)(?:(?:(? :(?:(?:[a-zA-Z\d]|%(?:3\d|[46][a-fA-F\d]|[57][Aa\d]))|(?:%20))+|(?:OID |oid)\.(?:(?:\d+)(?:\.(?:\d+))*))(?:(?:%0[Aa])?(?:%20)*)=(?:(?:%0[Aa]) ?(?:%20)*))?(?:(?:[a-zA-Z\d$\-_.+!*'(),]|(?:%[a-fA-F\d]{2}))*)))*)(?:(?:(?:(?:%0[Aa])?(?:%20)*)(?:[;,])(?:(?:%0[Aa])?(?:%20)*))(?:(?:(?:(?:(?:(?:[a-zA-Z\d]|%(?:3\d|[46][a-fA-F\d]|[57][Aa\d]))|(?:%20))+|(?:OID|o id)\.(?:(?:\d+)(?:\.(?:\d+))*))(?:(?:%0[Aa])?(?:%20)*)=(?:(?:%0[Aa])?(?:%20)*))?(?:(?:[a-zA-Z\d$\-_.+!*'(),]|(?:%[a-fA-F\d]{2}))*))(?:(?:(?: %0[Aa])?(?:%20)*)\+(?:(?:%0[Aa])?(?:%20)*)(?:(?:(?:(?:(?:[a-zA-Z\d]|%(?:3\d|[46][a-fA-F\d]|[57][Aa\d]))|(?:%20))+|(?:OID|oid)\.(?:(?:\d+)(?: \.(?:\d+))*))(?:(?:%0[Aa])?(?:%20)*)=(?:(?:%0[Aa])?(?:%20)*))?(?:(?:[a -zA-Z\d$\-_.+!*'(),]|(?:%[a-fA-F\d]{2}))*)))*))*(?:(?:(?:%0[Aa])?(?:%2 0)*)(?:[;,])(?:(?:%0[Aa])?(?:%20)*))?)(?:\?(?:(?:(?:(?:[a-zA-Z\d$\-_.+ !*'(),]|(?:%[a-fA-F\d]{2}))+)(?:,(?:(?:[a-zA-Z\d$\-_.+!*'(),]|(?:%[a-f A-F\d]{2}))+))*)?)(?:\?(?:base|one|sub)(?:\?(?:((?:[a-zA-Z\d$\-_.+!*'(),;/?:@&=]|(?:%[a-fA-F\d]{2}))+)))?)?)?)|(?:(?:z39\.50[rs])://(?:(?:(? :(?:(?:[a-zA-Z\d](?:(?:[a-zA-Z\d]|-)*[a-zA-Z\d])?)\.)*(?:[a-zA-Z](?:(? :[a-zA-Z\d]|-)*[a-zA-Z\d])?))|(?:(?:\d+)(?:\.(?:\d+)){3}))(?::(?:\d+)) ?)(?:/(?:(?:(?:[a-zA-Z\d$\-_.+!*'(),]|(?:%[a-fA-F\d]{2}))+)(?:\+(?:(?: [a-zA-Z\d$\-_.+!*'(),]|(?:%[a-fA-F\d]{2}))+))*(?:\?(?:(?:[a-zA-Z\d$\-_ .+!*'(),]|(?:%[a-fA-F\d]{2}))+))?)?(?:;esn=(?:(?:[a-zA-Z\d$\-_.+!*'(), ]|(?:%[a-fA-F\d]{2}))+))?(?:;rs=(?:(?:[a-zA-Z\d$\-_.+!*'(),]|(?:%[a-fA -F\d]{2}))+)(?:\+(?:(?:[a-zA-Z\d$\-_.+!*'(),]|(?:%[a-fA-F\d]{2}))+))*) ?))|(?:cid:(?:(?:(?:[a-zA-Z\d$\-_.+!*'(),]|(?:%[a-fA-F\d]{2}))|[;?:@&= ])*))|(?:mid:(?:(?:(?:[a-zA-Z\d$\-_.+!*'(),]|(?:%[a-fA-F\d]{2}))|[;?:@ &=])*)(?:/(?:(?:(?:[a-zA-Z\d$\-_.+!*'(),]|(?:%[a-fA-F\d]{2}))|[;?:@&=] )*))?)|(?:vemmi://(?:(?:(?:(?:(?:[a-zA-Z\d](?:(?:[a-zA-Z\d]|-)*[a-zA-Z \d])?)\.)*(?:[a-zA-Z](?:(?:[a-zA-Z\d]|-)*[a-zA-Z\d])?))|(?:(?:\d+)(?:\ .(?:\d+)){3}))(?::(?:\d+))?)(?:/(?:(?:(?:[a-zA-Z\d$\-_.+!*'(),]|(?:%[a -fA-F\d]{2}))|[/?:@&=])*)(?:(?:;(?:(?:(?:[a-zA-Z\d$\-_.+!*'(),]|(?:%[a -fA-F\d]{2}))|[/?:@&])*)=(?:(?:(?:[a-zA-Z\d$\-_.+!*'(),]|(?:%[a-fA-F\d ]{2}))|[/?:@&])*))*))?)|(?:imap://(?:(?:(?:(?:(?:(?:(?:[a-zA-Z\d$\-_.+ !*'(),]|(?:%[a-fA-F\d]{2}))|[&=~])+)(?:(?:;[Aa][Uu][Tt][Hh]=(?:\*|(?:(?:(?:[a-zA-Z\d$\-_.+!*'(),]|(?:%[a-fA-F\d]{2}))|[&=~])+))))?)|(?:(?:;[Aa][Uu][Tt][Hh]=(?:\*|(?:(?:(?:[a-zA-Z\d$\-_.+!*'(),]|(?:%[a-fA-F\d]{2 }))|[&=~])+)))(?:(?:(?:(?:[a-zA-Z\d$\-_.+!*'(),]|(?:%[a-fA-F\d]{2}))|[&=~])+))?))@)?(?:(?:(?:(?:(?:[a-zA-Z\d](?:(?:[a-zA-Z\d]|-)*[a-zA-Z\d]) ?)\.)*(?:[a-zA-Z](?:(?:[a-zA-Z\d]|-)*[a-zA-Z\d])?))|(?:(?:\d+)(?:\.(?: \d+)){3}))(?::(?:\d+))?))/(?:(?:(?:(?:(?:(?:[a-zA-Z\d$\-_.+!*'(),]|(?: %[a-fA-F\d]{2}))|[&=~:@/])+)?;[Tt][Yy][Pp][Ee]=(?:[Ll](?:[Ii][Ss][Tt]| [Ss][Uu][Bb])))|(?:(?:(?:(?:[a-zA-Z\d$\-_.+!*'(),]|(?:%[a-fA-F\d]{2})) |[&=~:@/])+)(?:\?(?:(?:(?:[a-zA-Z\d$\-_.+!*'(),]|(?:%[a-fA-F\d]{2}))|[&=~:@/])+))?(?:(?:;[Uu][Ii][Dd][Vv][Aa][Ll][Ii][Dd][Ii][Tt][Yy]=(?:[1- 9]\d*)))?)|(?:(?:(?:(?:[a-zA-Z\d$\-_.+!*'(),]|(?:%[a-fA-F\d]{2}))|[&=~ :@/])+)(?:(?:;[Uu][Ii][Dd][Vv][Aa][Ll][Ii][Dd][Ii][Tt][Yy]=(?:[1-9]\d* )))?(?:/;[Uu][Ii][Dd]=(?:[1-9]\d*))(?:(?:/;[Ss][Ee][Cc][Tt][Ii][Oo][Nn ]=(?:(?:(?:[a-zA-Z\d$\-_.+!*'(),]|(?:%[a-fA-F\d]{2}))|[&=~:@/])+)))?)) )?)|(?:nfs:(?:(?://(?:(?:(?:(?:(?:[a-zA-Z\d](?:(?:[a-zA-Z\d]|-)*[a-zA- Z\d])?)\.)*(?:[a-zA-Z](?:(?:[a-zA-Z\d]|-)*[a-zA-Z\d])?))|(?:(?:\d+)(?: \.(?:\d+)){3}))(?::(?:\d+))?)(?:(?:/(?:(?:(?:(?:(?:[a-zA-Z\d\$\-_.!~*'(),])|(?:%[a-fA-F\d]{2})|[:@&=+])*)(?:/(?:(?:(?:[a-zA-Z\d\$\-_.!~*'(), ])|(?:%[a-fA-F\d]{2})|[:@&=+])*))*)?)))?)|(?:/(?:(?:(?:(?:(?:[a-zA-Z\d \$\-_.!~*'(),])|(?:%[a-fA-F\d]{2})|[:@&=+])*)(?:/(?:(?:(?:[a-zA-Z\d\$\ -_.!~*'(),])|(?:%[a-fA-F\d]{2})|[:@&=+])*))*)?))|(?:(?:(?:(?:(?:[a-zA- Z\d\$\-_.!~*'(),])|(?:%[a-fA-F\d]{2})|[:@&=+])*)(?:/(?:(?:(?:[a-zA-Z\d \$\-_.!~*'(),])|(?:%[a-fA-F\d]{2})|[:@&=+])*))*)?)))"
pattern=re.compile(url)
rlt=pattern.findall(data)
for url in rlt:
# print url
url=url.replace("</w:t></w:r></w:hyperlink></w:p></w:footnote><w:footnote","")
url=url.replace("</w:t></w:r></w:hyperlink><w:r","")
url=url.replace("</w:t></w:r><w:r><w:rPr><w:rStyle","")
ext=tldextract.extract(url)
if not ext.domain in url_white_list:
url_not_white_list.append(url)
print url
report=report+"*"+url+"\n"
iom=len(url_not_white_list)
# for link in rlt:
# report = report +link+"\n"
ot.set_item(iom,report)
return ot
def scan(file_path):
ot = Output_Item()
iom = 0
report = ""
utils = Utils()
timestamp_3906 = "2013-03-21 16:49:05.943"
time = ""
try:
time = utils.get_ole_timestamp(file_path)
except Exception, e:
print "Error when getting OLE timestamp:" + str(e)
def omh_shellcode_scan(g_f_cnt, file_path):
global g_power
global g_f_name
mode_flg = 0 # <scan | info> mode
debug_flg = 0
brute_flg = 0
g_power = 0
libc = cdll.msvcrt
k32 = windll.kernel32
h = k32.GetStdHandle(0xFFFFFFF5) # STD_OUTPUT_HANDLE
g_f_size = len(g_f_cnt)
output = ""
print "[*] Scanning result...\n\n",
output = output + "\n[*] File:" + file_path + "\n"
output = output + "[*] Scanning result...\n"
for i in xrange(g_f_size):
if (
libc.memcmp(byref(g_FS30Sig1), g_f_cnt[i:], 5) == 0
or libc.memcmp(byref(g_FS30Sig2), g_f_cnt[i:], 5) == 0
or libc.memcmp(byref(g_FS30Sig3), g_f_cnt[i:], 5) == 0
or libc.memcmp(byref(g_FS30Sig4), g_f_cnt[i:], 5) == 0
or libc.memcmp(byref(g_FS30Sig5), g_f_cnt[i:], 5) == 0
or libc.memcmp(byref(g_FS30Sig6), g_f_cnt[i:], 5) == 0
):
print "FS:[30h] (Method 1) signature found at offset: 0x%x\n" % i,
output = output + "FS:[30h] (Method 1) signature found at offset: " + hex(i) + "\n"
if debug_flg == 1:
print_opcodz(g_f_cnt[i:])
g_power += RATING_CODE
if (
unpack("B", g_f_cnt[i])[0] == 0x6A
and unpack("B", g_f_cnt[i + 1])[0] == 0x30
and unpack("B", g_f_cnt[i + 3])[0] == 0x64
and unpack("B", g_f_cnt[i + 4])[0] == 0x8B
):
print "FS:[30] (Method 2) signature found at offset: 0x%x\n" % i,
output = output + "FS:[30] (Method 2) signature found at offset: " + hex(i) + "\n"
if debug_flg == 1:
print_opcodz(g_f_cnt[i:])
g_power += RATING_CODE
if (
unpack("B", g_f_cnt[i])[0] == 0x33
and unpack("B", g_f_cnt[i + 3])[0] == 0xB3
and unpack("B", g_f_cnt[i + 4])[0] == 0x64
and unpack("B", g_f_cnt[i + 5])[0] == 0x8B
):
print "FS:[30] (Method 3) signature found at offset: 0x%x\n" % i,
output = output + "FS:[30] (Method 3) signature found at offset: " + hex(i) + "\n"
if debug_flg == 1:
print_opcodz(g_f_cnt[i:])
g_power += RATING_CODE
if (
unpack("B", g_f_cnt[i])[0] == 0x74
and unpack("B", g_f_cnt[i + 2])[0] == 0xC1
and unpack("B", g_f_cnt[i + 4])[0] == 0x0D
and unpack("B", g_f_cnt[i + 5])[0] == 0x03
):
print "API-Hashing signature found at offset: 0x%x\n" % i,
output = output + "API-Hashing signature found at offset: " + hex(i) + "\n"
if debug_flg == 1:
print_opcodz(g_f_cnt[i:])
g_power += RATING_CODE
if (
unpack("B", g_f_cnt[i])[0] == 0x55
and unpack("B", g_f_cnt[i + 1])[0] == 0x8B
and unpack("B", g_f_cnt[i + 2])[0] == 0xEC
and unpack("B", g_f_cnt[i + 3])[0] == 0x83
and unpack("B", g_f_cnt[i + 4])[0] == 0xC4
):
print "Function prolog signature found at offset: 0x%x\n" % i,
output = output + "Function prolog signature found at offset: " + hex(i) + "\n"
if debug_flg == 1:
print_opcodz(g_f_cnt[i:])
g_power += RATING_CODE
if (
unpack("B", g_f_cnt[i])[0] == 0x55
and unpack("B", g_f_cnt[i + 1])[0] == 0x8B
and unpack("B", g_f_cnt[i + 2])[0] == 0xEC
and unpack("B", g_f_cnt[i + 3])[0] == 0x81
and unpack("B", g_f_cnt[i + 4])[0] == 0xEC
):
print "Function prolog signature found at offset: 0x%x\n" % i,
output = output + "Function prolog signature found at offset: " + hex(i) + "\n"
if debug_flg == 1:
print_opcodz(g_f_cnt[i:])
g_power += RATING_CODE
if (
unpack("B", g_f_cnt[i])[0] == 0xFF
and unpack("B", g_f_cnt[i + 1])[0] == 0x75
and unpack("B", g_f_cnt[i + 3])[0] == 0xFF
and unpack("B", g_f_cnt[i + 4])[0] == 0x55
):
print "PUSH DWORD[]/CALL[] signature found at offset: 0x%x\n" % i,
output = output + "PUSH DWORD[]/CALL[] signature found at offset: " + hex(i) + "\n"
if debug_flg == 1:
print_opcodz(g_f_cnt[i:])
g_power += RATING_CODE
if (
unpack("B", g_f_cnt[i])[0] == 0xAC
and unpack("B", g_f_cnt[i + 1])[0] == 0x34
and unpack("B", g_f_cnt[i + 3])[0] == 0xAA
):
print "LODSB/STOSB XOR decryption signature found at offset: 0x%x\n" % i,
output = output + "LODSB/STOSB XOR decryption signature found at offset: " + hex(i) + "\n"
if debug_flg == 1:
print_opcodz(g_f_cnt[i:])
g_power += RATING_CODE
if (
unpack("B", g_f_cnt[i])[0] == 0xAC
and unpack("B", g_f_cnt[i + 1])[0] == 0x04
and unpack("B", g_f_cnt[i + 3])[0] == 0xAA
):
print "LODSB/STOSB ADD decryption signature found at offset: 0x%x\n" % i,
output = output + "LODSB/STOSB XOR decryption signature found at offset: " + hex(i) + "\n"
if debug_flg == 1:
print_opcodz(g_f_cnt[i:])
g_power += RATING_CODE
if (
unpack("B", g_f_cnt[i])[0] == 0xAC
and unpack("B", g_f_cnt[i + 1])[0] == 0x2C
and unpack("B", g_f_cnt[i + 3])[0] == 0xAA
):
print "LODSB/STOSB SUB decryption signature found at offset: 0x%x\n" % i,
output = output + "LODSB/STOSB SUB decryption signature found at offset: " + hex(i) + "\n"
if debug_flg == 1:
print_opcodz(g_f_cnt[i:])
if debug_flg == 1:
print_opcodz(g_f_cnt[i:])
g_power += RATING_CODE
if (
unpack("B", g_f_cnt[i])[0] == 0xAC
and unpack("B", g_f_cnt[i + 1])[0] == 0xD0
and unpack("B", g_f_cnt[i + 2])[0] == 0xC0
and unpack("B", g_f_cnt[i + 3])[0] == 0xAA
):
print "LODSB/STOSB ROL decryption signature found at offset: 0x%x\n" % i,
output = output + "LODSB/STOSB ROL decryption signature found at offset: " + hex(i) + "\n"
if debug_flg == 1:
print_opcodz(g_f_cnt[i:])
g_power += RATING_CODE
if (
unpack("B", g_f_cnt[i])[0] == 0xAC
and unpack("B", g_f_cnt[i + 1])[0] == 0xD0
and unpack("B", g_f_cnt[i + 2])[0] == 0xC8
and unpack("B", g_f_cnt[i + 3])[0] == 0xAA
):
print "LODSB/STOSB ROR decryption signature found at offset: 0x%x\n" % i,
output = output + "LODSB/STOSB ROR decryption signature found at offset: " + hex(i) + "\n"
if debug_flg == 1:
print_opcodz(g_f_cnt[i:])
g_power += RATING_CODE
if (
unpack("B", g_f_cnt[i])[0] == 0xAC
and unpack("B", g_f_cnt[i + 1])[0] == 0xC0
and unpack("B", g_f_cnt[i + 2])[0] == 0xC0
and unpack("B", g_f_cnt[i + 4])[0] == 0xAA
):
print "LODSB/STOSB ROL decryption signature found at offset: 0x%x\n" % i,
output = output + "LODSB/STOSB ROL decryption signature found at offset: " + hex(i) + "\n"
if debug_flg == 1:
print_opcodz(g_f_cnt[i:])
g_power += RATING_CODE
if (
unpack("B", g_f_cnt[i])[0] == 0xAC
and unpack("B", g_f_cnt[i + 1])[0] == 0xC0
and unpack("B", g_f_cnt[i + 2])[0] == 0xC8
and unpack("B", g_f_cnt[i + 4])[0] == 0xAA
):
print "LODSB/STOSB ROR decryption signature found at offset: 0x%x\n" % i,
output = output + "LODSB/STOSB ROR decryption signature found at offset: " + hex(i) + "\n"
if debug_flg == 1:
print_opcodz(g_f_cnt[i:])
g_power += RATING_CODE
if (
unpack("B", g_f_cnt[i])[0] == 0x66
and unpack("B", g_f_cnt[i + 1])[0] == 0xAD
and unpack("B", g_f_cnt[i + 2])[0] == 0x66
and unpack("B", g_f_cnt[i + 3])[0] == 0x35
and unpack("B", g_f_cnt[i + 6])[0] == 0x66
and unpack("B", g_f_cnt[i + 7])[0] == 0xAB
):
print "LODSW/STOSW XOR decryption signature found at offset: 0x%x\n" % i,
output = output + "LODSW/STOSW XOR decryption signature found at offset: " + hex(i) + "\n"
if debug_flg == 1:
print_opcodz(g_f_cnt[i:])
g_power += RATING_CODE
if (
unpack("B", g_f_cnt[i])[0] == 0x66
and unpack("B", g_f_cnt[i + 1])[0] == 0xAD
and unpack("B", g_f_cnt[i + 2])[0] == 0x66
and unpack("B", g_f_cnt[i + 3])[0] == 0x05
and unpack("B", g_f_cnt[i + 6])[0] == 0x66
and unpack("B", g_f_cnt[i + 7])[0] == 0xAB
):
print "LODSW/STOSW ADD decryption signature found at offset: 0x%x\n" % i,
output = output + "LODSW/STOSW ADD decryption signature found at offset: " + hex(i) + "\n"
if debug_flg == 1:
print_opcodz(g_f_cnt[i:])
g_power += RATING_CODE
if (
unpack("B", g_f_cnt[i])[0] == 0x66
and unpack("B", g_f_cnt[i + 1])[0] == 0xAD
and unpack("B", g_f_cnt[i + 2])[0] == 0x66
and unpack("B", g_f_cnt[i + 3])[0] == 0x2D
and unpack("B", g_f_cnt[i + 6])[0] == 0x66
and unpack("B", g_f_cnt[i + 7])[0] == 0xAB
):
print "LODSW/STOSW SUB decryption signature found at offset: 0x%x\n" % i,
output = output + "LODSW/STOSW SUB decryption signature found at offset: " + hex(i) + "\n"
if debug_flg == 1:
print_opcodz(g_f_cnt[i:])
g_power += RATING_CODE
if (
unpack("B", g_f_cnt[i])[0] == 0xAD
and unpack("B", g_f_cnt[i + 1])[0] == 0x35
and unpack("B", g_f_cnt[i + 6])[0] == 0xAB
):
print "LODSD/STOSD XOR decryption signature found at offset: 0x%x\n" % i,
output = output + "LODSD/STOSD XOR decryption signature found at offset: " + hex(i) + "\n"
if debug_flg == 1:
print_opcodz(g_f_cnt[i:])
g_power += RATING_CODE
if (
unpack("B", g_f_cnt[i])[0] == 0xAD
and unpack("B", g_f_cnt[i + 1])[0] == 0x05
and unpack("B", g_f_cnt[i + 6])[0] == 0xAB
):
print "LODSD/STOSD ADD decryption signature found at offset: 0x%x\n" % i,
output = output + "LODSD/STOSD ADD decryption signature found at offset: " + hex(i) + "\n"
if debug_flg == 1:
print_opcodz(g_f_cnt[i:])
g_power += RATING_CODE
if (
unpack("B", g_f_cnt[i])[0] == 0xAD
and unpack("B", g_f_cnt[i + 1])[0] == 0x2D
and unpack("B", g_f_cnt[i + 6])[0] == 0xAB
):
print "LODSD/STOSD SUB decryption signature found at offset: 0x%x\n" % i,
output = output + "LODSD/STOSD SUB decryption signature found at offset: " + hex(i) + "\n"
if debug_flg == 1:
print_opcodz(g_f_cnt[i:])
g_power += RATING_CODE
if libc.memcmp(byref(g_FldzSig), g_f_cnt[i:], 6) == 0:
print "FLDZ/FSTENV [esp-12] signature found at offset: 0x%x\n" % i,
output = output + "FLDZ/FSTENV [esp-12] signature found at offset: " + hex(i) + "\n"
if debug_flg == 1:
print_opcodz(g_f_cnt[i:])
g_power += RATING_CODE
if (
libc.memcmp(byref(g_CallPopSig1), g_f_cnt[i:], 6) == 0
or libc.memcmp(byref(g_CallPopSig2), g_f_cnt[i:], 6) == 0
or libc.memcmp(byref(g_CallPopSig3), g_f_cnt[i:], 6) == 0
or libc.memcmp(byref(g_CallPopSig4), g_f_cnt[i:], 6) == 0
or libc.memcmp(byref(g_CallPopSig5), g_f_cnt[i:], 6) == 0
or libc.memcmp(byref(g_CallPopSig6), g_f_cnt[i:], 6) == 0
or libc.memcmp(byref(g_CallPopSig7), g_f_cnt[i:], 6) == 0
):
print "CALL next/POP signature found at offset: 0x%x\n" % i,
output = output + "CALL next/POP signature found at offset: " + hex(i) + "\n"
if debug_flg == 1:
print_opcodz(g_f_cnt[i:])
g_power += RATING_CODE
if unpack("B", g_f_cnt[i])[0] == 0xEB:
# print binascii.hexlify(g_f_cnt[i+1])
# print i, g_f_size
if i <= g_f_size - 2:
if i + unpack("B", g_f_cnt[i + 1])[0] + 2 < g_f_size:
# unpack( 'B', g_f_cnt[i+unpack('B',g_f_cnt[i+1])[0]+2] )[0] == 0xE8 ):
jmp_off = i + unpack("B", g_f_cnt[i + 1])[0] + 2
# call_va = unpack( '<L', g_f_cnt[jmp_off+1:jmp_off+5] )[0] # python is much simple
call_va = unpack("B", g_f_cnt[jmp_off + 1])[0]
call_va += unpack("B", g_f_cnt[jmp_off + 2])[0] << 8
call_va += unpack("B", g_f_cnt[jmp_off + 3])[0] << 16
call_va += unpack("B", g_f_cnt[jmp_off + 4])[0] << 24
if jmp_off + call_va + 5 < g_f_size:
if (
unpack("B", g_f_cnt[jmp_off + call_va + 5])[0] == 0x58
or unpack("B", g_f_cnt[jmp_off + call_va + 5])[0] == 0x59
or unpack("B", g_f_cnt[jmp_off + call_va + 5])[0] == 0x5A
or unpack("B", g_f_cnt[jmp_off + call_va + 5])[0] == 0x5B
or unpack("B", g_f_cnt[jmp_off + call_va + 5])[0] == 0x5E
or unpack("B", g_f_cnt[jmp_off + call_va + 5])[0] == 0x5F
):
print "JMP [0xEB]/CALL/POP signature found at offset: 0x%x\n" % i,
output = output + "JMP [0xEB]/CALL/POP signature found at offset: " + hex(i) + "\n"
if debug_flg == 1:
print_opcodz(g_f_cnt[i:])
g_power += RATING_CODE
if unpack("B", g_f_cnt[i])[0] == 0xE9:
# print binascii.hexlify(g_f_cnt[i+1])
# print i, g_f_size
if i <= g_f_size - 2:
if i + unpack("B", g_f_cnt[i + 1])[0] + 5 < g_f_size:
# unpack( 'B', g_f_cnt[i+unpack('B',g_f_cnt[i+1])[0]+2] )[0] == 0xE8 ):
jmp_off = i + unpack("B", g_f_cnt[i + 1])[0] + 5
# call_va = unpack( '<L', g_f_cnt[jmp_off+1:jmp_off+5] )[0] # python is much simple
call_va = unpack("B", g_f_cnt[jmp_off + 1])[0]
call_va += unpack("B", g_f_cnt[jmp_off + 2])[0] << 8
call_va += unpack("B", g_f_cnt[jmp_off + 3])[0] << 16
call_va += unpack("B", g_f_cnt[jmp_off + 4])[0] << 24
if jmp_off + call_va + 5 < g_f_size:
if (
unpack("B", g_f_cnt[jmp_off + call_va + 5])[0] == 0x58
or unpack("B", g_f_cnt[jmp_off + call_va + 5])[0] == 0x59
or unpack("B", g_f_cnt[jmp_off + call_va + 5])[0] == 0x5A
or unpack("B", g_f_cnt[jmp_off + call_va + 5])[0] == 0x5B
or unpack("B", g_f_cnt[jmp_off + call_va + 5])[0] == 0x5E
or unpack("B", g_f_cnt[jmp_off + call_va + 5])[0] == 0x5F
):
print "JMP [0xE9]/CALL/POP signature found at offset: 0x%x\n" % i,
output = output + "JMP [0xE9]/CALL/POP signature found at offset: " + hex(i) + "\n"
if debug_flg == 1:
print_opcodz(g_f_cnt[i:])
g_power += RATING_CODE
if libc.memcmp(c_char_p("MZ"), g_f_cnt[i:], 2) == 0:
pe_off = unpack("B", g_f_cnt[i + 0x3C])[0]
pe_off += unpack("B", g_f_cnt[i + 0x3D])[0] << 8
pe_off += unpack("B", g_f_cnt[i + 0x3E])[0] << 16
pe_off += unpack("B", g_f_cnt[i + 0x3F])[0] << 24
if libc.memcmp(c_char_p("PE"), g_f_cnt[i + pe_off :], 2) == 0:
print "unencrypted MZ/PE signature found at offset: 0x%x\n" % i,
output = output + "unencrypted MZ/PE signature found at offset: " + hex(i) + "\n"
if debug_flg == 1:
dump_data("PE-File", g_f_cnt[i:], 0x100)
g_power += RATING_EXEC
i = 0
while i < g_f_size:
if libc.memcmp(byref(g_NopSig), g_f_cnt[i:], 3) == 0:
print "NOP slides signature found at offset: 0x%x\n" % i,
output = output + "NOP slides signature found at offset: " + hex(i) + "\n"
if debug_flg == 1:
print_opcodz(g_f_cnt[i:])
while unpack("B", g_f_cnt[i])[0] == 0x90:
i += 1
g_power += RATING_OLENOP
i += 1
# for api in APIZ:
# for i in xrange(g_f_size):
# if libc.memcmp( c_char_p(api), g_f_cnt[i:], len(api) ) == 0:
# print "API-Name %s string found at offset: 0x%x\n" % (api, i),
# if debug_flg == 1: dump_data( "PE-File", g_f_cnt[i:], 0x100 )
# g_power += RATING_STRS
# for i in xrange(8, g_f_size):
# if libc.memcmp( byref(g_aOfficeSig), g_f_cnt[i:], 8 ) == 0:
# print "Embedded OLE signature found at offset: 0x%x\n" % i,
# if debug_flg == 1: dump_data( "PE-File", g_f_cnt[i:], 0x100 )
# g_power += RATING_OLENOP
print "\n\nAnalysis finished!\n\n",
# output=output+"\n\nAnalysis finished!\n\n"
if g_power:
# k32.SetConsoleTextAttribute( h, 0x0E ) # FOREGROUND_GREEN or FOREGROUND_RED or FOREGROUND_INTENSITY
libc.printf("---------------------------------------------")
output = output + "---------------------------------------------"
i = 0
while i < len(g_f_name):
libc.printf("-")
i += 1
libc.printf("\n%s seems to be malicious! Malicious Index = %02d\n", g_f_name, g_power)
libc.printf("---------------------------------------------")
output = output + "\n" + g_f_name + " seems to be malicious! Malicious Index = " + str(g_power) + "\n"
output = output + "---------------------------------------------"
i = 0
while i < len(g_f_name):
libc.printf("-")
output = output + "-"
i += 1
# k32.SetConsoleTextAttribute( h, 0x0F ) # FOREGROUND_BLUE or FOREGROUND_GREEN or FOREGROUND_RED or FOREGROUND_INTENSITY
else:
# k32.SetConsoleTextAttribute( h, 0x07 ) # FOREGROUND_BLUE or FOREGROUND_GREEN or FOREGROUND_RED
print "---------------------------------------------------------------------\n",
print " No malicious traces found in this file!\n",
print 'Assure that this file is being scanned with the "info" parameter too.\n',
print "---------------------------------------------------------------------\n",
output = output + "---------------------------------------------------------------------\n"
output = output + " No malicious traces found in this file!\n"
output = output + 'Assure that this file is being scanned with the "info" parameter too.\n'
output = output + "---------------------------------------------------------------------\n"
# k32.SetConsoleTextAttribute( h, 0x0F ) # FOREGROUND_BLUE or FOREGROUND_GREEN or FOREGROUND_RED or FOREGROUND_INTENSITY
oi = Output_Item()
oi.set_item(g_power, output)
return oi
def omh_shellcode_scan(g_f_cnt):
global g_power
global g_f_name
mode_flg = 0 # <scan | info> mode
debug_flg = 0
brute_flg = 0
libc = cdll.msvcrt
k32 = windll.kernel32
h = k32.GetStdHandle( 0xFFFFFFF5 ) # STD_OUTPUT_HANDLE
g_f_size = len(g_f_cnt)
ot=Output_Item()
iom=0
report=""
report=report+ "[*] Scanning now...\n\n"
for i in xrange(g_f_size):
if ( libc.memcmp( byref(g_FS30Sig1), g_f_cnt[i:], 5 ) == 0 or
libc.memcmp( byref(g_FS30Sig2), g_f_cnt[i:], 5 ) == 0 or
libc.memcmp( byref(g_FS30Sig3), g_f_cnt[i:], 5 ) == 0 or
libc.memcmp( byref(g_FS30Sig4), g_f_cnt[i:], 5 ) == 0 or
libc.memcmp( byref(g_FS30Sig5), g_f_cnt[i:], 5 ) == 0 or
libc.memcmp( byref(g_FS30Sig6), g_f_cnt[i:], 5 ) == 0 ):
print "FS:[30h] (Method 1) signature found at offset: 0x%x\n" % i,
if debug_flg == 1: print_opcodz( g_f_cnt[i:] )
g_power += RATING_CODE
for i in xrange(g_f_size):
if ( unpack( 'B', g_f_cnt[i] )[0] == 0x6A and
unpack( 'B', g_f_cnt[i+1] )[0] == 0x30 and
unpack( 'B', g_f_cnt[i+3] )[0] == 0x64 and
unpack( 'B', g_f_cnt[i+4] )[0] == 0x8B ):
print "FS:[30] (Method 2) signature found at offset: 0x%x\n" % i,
if debug_flg == 1: print_opcodz( g_f_cnt[i:] )
g_power += RATING_CODE
for i in xrange(g_f_size):
if ( unpack( 'B', g_f_cnt[i] )[0] == 0x33 and
unpack( 'B', g_f_cnt[i+3] )[0] == 0xB3 and
unpack( 'B', g_f_cnt[i+4] )[0] == 0x64 and
unpack( 'B', g_f_cnt[i+5] )[0] == 0x8B ):
print "FS:[30] (Method 3) signature found at offset: 0x%x\n" % i,
if debug_flg == 1: print_opcodz( g_f_cnt[i:] )
g_power += RATING_CODE
for i in xrange(g_f_size):
if ( unpack( 'B', g_f_cnt[i] )[0] == 0x74 and
unpack( 'B', g_f_cnt[i+2] )[0] == 0xC1 and
unpack( 'B', g_f_cnt[i+4] )[0] == 0x0D and
unpack( 'B', g_f_cnt[i+5] )[0] == 0x03 ):
print "API-Hashing signature found at offset: 0x%x\n" % i,
if debug_flg == 1: print_opcodz( g_f_cnt[i:] )
g_power += RATING_CODE
i = 0
while ( i < g_f_size ):
if ( libc.memcmp( byref(g_NopSig), g_f_cnt[i:], 3 ) == 0 ):
print "NOP slides signature found at offset: 0x%x\n" % i,
if debug_flg == 1: print_opcodz( g_f_cnt[i:] )
while unpack('B', g_f_cnt[i])[0] == 0x90: i += 1
g_power += RATING_OLENOP
i += 1
for api in APIZ:
for i in xrange(g_f_size):
if libc.memcmp( c_char_p(api), g_f_cnt[i:], len(api) ) == 0:
print "API-Name %s string found at offset: 0x%x\n" % (api, i),
if debug_flg == 1: dump_data( "PE-File", g_f_cnt[i:], 0x100 )
g_power += RATING_STRS
for i in xrange(8, g_f_size):
if libc.memcmp( byref(g_aOfficeSig), g_f_cnt[i:], 8 ) == 0:
print "Embedded OLE signature found at offset: 0x%x\n" % i,
if debug_flg == 1: dump_data( "PE-File", g_f_cnt[i:], 0x100 )
g_power += RATING_OLENOP
for i in xrange(g_f_size):
if ( unpack( 'B', g_f_cnt[i] )[0] == 0x55 and
unpack( 'B', g_f_cnt[i+1] )[0] == 0x8B and
unpack( 'B', g_f_cnt[i+2] )[0] == 0xEC and
unpack( 'B', g_f_cnt[i+3] )[0] == 0x83 and
unpack( 'B', g_f_cnt[i+4] )[0] == 0xC4 ):
print "Function prolog signature found at offset: 0x%x\n" % i,
if debug_flg == 1: print_opcodz( g_f_cnt[i:] )
g_power += RATING_CODE
for i in xrange(g_f_size):
if ( unpack( 'B', g_f_cnt[i] )[0] == 0x55 and
unpack( 'B', g_f_cnt[i+1] )[0] == 0x8B and
unpack( 'B', g_f_cnt[i+2] )[0] == 0xEC and
unpack( 'B', g_f_cnt[i+3] )[0] == 0x81 and
unpack( 'B', g_f_cnt[i+4] )[0] == 0xEC ):
print "Function prolog signature found at offset: 0x%x\n" % i,
if debug_flg == 1: print_opcodz( g_f_cnt[i:] )
g_power += RATING_CODE
for i in xrange(g_f_size):
if ( unpack( 'B', g_f_cnt[i] )[0] == 0xFF and
unpack( 'B', g_f_cnt[i+1] )[0] == 0x75 and
unpack( 'B', g_f_cnt[i+3] )[0] == 0xFF and
unpack( 'B', g_f_cnt[i+4] )[0] == 0x55 ):
print "PUSH DWORD[]/CALL[] signature found at offset: 0x%x\n" % i,
if debug_flg == 1: print_opcodz( g_f_cnt[i:] )
g_power += RATING_CODE
for i in xrange(g_f_size):
if ( unpack( 'B', g_f_cnt[i] )[0] == 0xAC and
unpack( 'B', g_f_cnt[i+1] )[0] == 0x34 and
unpack( 'B', g_f_cnt[i+3] )[0] == 0xAA ):
print "LODSB/STOSB XOR decryption signature found at offset: 0x%x\n" % i,
if debug_flg == 1: print_opcodz( g_f_cnt[i:] )
g_power += RATING_CODE
for i in xrange(g_f_size):
if ( unpack( 'B', g_f_cnt[i] )[0] == 0xAC and
unpack( 'B', g_f_cnt[i+1] )[0] == 0x04 and
unpack( 'B', g_f_cnt[i+3] )[0] == 0xAA ):
print "LODSB/STOSB ADD decryption signature found at offset: 0x%x\n" % i,
if debug_flg == 1: print_opcodz( g_f_cnt[i:] )
g_power += RATING_CODE
for i in xrange(g_f_size):
if ( unpack( 'B', g_f_cnt[i] )[0] == 0xAC and
unpack( 'B', g_f_cnt[i+1] )[0] == 0x2C and
unpack( 'B', g_f_cnt[i+3] )[0] == 0xAA ):
print "LODSB/STOSB SUB decryption signature found at offset: 0x%x\n" % i,
if debug_flg == 1: print_opcodz( g_f_cnt[i:] )
g_power += RATING_CODE
for i in xrange(g_f_size):
if ( unpack( 'B', g_f_cnt[i] )[0] == 0xAC and
unpack( 'B', g_f_cnt[i+1] )[0] == 0xD0 and
unpack( 'B', g_f_cnt[i+2] )[0] == 0xC0 and
unpack( 'B', g_f_cnt[i+3] )[0] == 0xAA ):
print "LODSB/STOSB ROL decryption signature found at offset: 0x%x\n" % i,
if debug_flg == 1: print_opcodz( g_f_cnt[i:] )
g_power += RATING_CODE
for i in xrange(g_f_size):
if ( unpack( 'B', g_f_cnt[i] )[0] == 0xAC and
unpack( 'B', g_f_cnt[i+1] )[0] == 0xD0 and
unpack( 'B', g_f_cnt[i+2] )[0] == 0xC8 and
unpack( 'B', g_f_cnt[i+3] )[0] == 0xAA ):
print "LODSB/STOSB ROR decryption signature found at offset: 0x%x\n" % i,
if debug_flg == 1: print_opcodz( g_f_cnt[i:] )
g_power += RATING_CODE
for i in xrange(g_f_size):
if ( unpack( 'B', g_f_cnt[i] )[0] == 0xAC and
unpack( 'B', g_f_cnt[i+1] )[0] == 0xC0 and
unpack( 'B', g_f_cnt[i+2] )[0] == 0xC0 and
unpack( 'B', g_f_cnt[i+4] )[0] == 0xAA ):
print "LODSB/STOSB ROL decryption signature found at offset: 0x%x\n" % i,
if debug_flg == 1: print_opcodz( g_f_cnt[i:] )
g_power += RATING_CODE
for i in xrange(g_f_size):
if ( unpack( 'B', g_f_cnt[i] )[0] == 0xAC and
unpack( 'B', g_f_cnt[i+1] )[0] == 0xC0 and
unpack( 'B', g_f_cnt[i+2] )[0] == 0xC8 and
unpack( 'B', g_f_cnt[i+4] )[0] == 0xAA ):
print "LODSB/STOSB ROR decryption signature found at offset: 0x%x\n" % i,
if debug_flg == 1: print_opcodz( g_f_cnt[i:] )
g_power += RATING_CODE
for i in xrange(g_f_size):
if ( unpack( 'B', g_f_cnt[i] )[0] == 0x66 and
unpack( 'B', g_f_cnt[i+1] )[0] == 0xAD and
unpack( 'B', g_f_cnt[i+2] )[0] == 0x66 and
unpack( 'B', g_f_cnt[i+3] )[0] == 0x35 and
unpack( 'B', g_f_cnt[i+6] )[0] == 0x66 and
unpack( 'B', g_f_cnt[i+7] )[0] == 0xAB ):
print "LODSW/STOSW XOR decryption signature found at offset: 0x%x\n" % i,
if debug_flg == 1: print_opcodz( g_f_cnt[i:] )
g_power += RATING_CODE
for i in xrange(g_f_size):
if ( unpack( 'B', g_f_cnt[i] )[0] == 0x66 and
unpack( 'B', g_f_cnt[i+1] )[0] == 0xAD and
unpack( 'B', g_f_cnt[i+2] )[0] == 0x66 and
unpack( 'B', g_f_cnt[i+3] )[0] == 0x05 and
unpack( 'B', g_f_cnt[i+6] )[0] == 0x66 and
unpack( 'B', g_f_cnt[i+7] )[0] == 0xAB ):
print "LODSW/STOSW ADD decryption signature found at offset: 0x%x\n" % i,
if debug_flg == 1: print_opcodz( g_f_cnt[i:] )
g_power += RATING_CODE
for i in xrange(g_f_size):
if ( unpack( 'B', g_f_cnt[i] )[0] == 0x66 and
unpack( 'B', g_f_cnt[i+1] )[0] == 0xAD and
unpack( 'B', g_f_cnt[i+2] )[0] == 0x66 and
unpack( 'B', g_f_cnt[i+3] )[0] == 0x2D and
unpack( 'B', g_f_cnt[i+6] )[0] == 0x66 and
unpack( 'B', g_f_cnt[i+7] )[0] == 0xAB ):
print "LODSW/STOSW SUB decryption signature found at offset: 0x%x\n" % i,
if debug_flg == 1: print_opcodz( g_f_cnt[i:] )
g_power += RATING_CODE
for i in xrange(g_f_size):
if ( unpack( 'B', g_f_cnt[i] )[0] == 0xAD and
unpack( 'B', g_f_cnt[i+1] )[0] == 0x35 and
unpack( 'B', g_f_cnt[i+6] )[0] == 0xAB ):
print "LODSD/STOSD XOR decryption signature found at offset: 0x%x\n" % i,
if debug_flg == 1: print_opcodz( g_f_cnt[i:] )
g_power += RATING_CODE
for i in xrange(g_f_size):
if ( unpack( 'B', g_f_cnt[i] )[0] == 0xAD and
unpack( 'B', g_f_cnt[i+1] )[0] == 0x05 and
unpack( 'B', g_f_cnt[i+6] )[0] == 0xAB ):
print "LODSD/STOSD ADD decryption signature found at offset: 0x%x\n" % i,
if debug_flg == 1: print_opcodz( g_f_cnt[i:] )
g_power += RATING_CODE
for i in xrange(g_f_size):
if ( unpack( 'B', g_f_cnt[i] )[0] == 0xAD and
unpack( 'B', g_f_cnt[i+1] )[0] == 0x2D and
unpack( 'B', g_f_cnt[i+6] )[0] == 0xAB ):
print "LODSD/STOSD SUB decryption signature found at offset: 0x%x\n" % i,
if debug_flg == 1: print_opcodz( g_f_cnt[i:] )
g_power += RATING_CODE
for i in xrange(g_f_size):
if libc.memcmp( byref(g_FldzSig), g_f_cnt[i:], 6 ) == 0:
print "FLDZ/FSTENV [esp-12] signature found at offset: 0x%x\n" % i,
if debug_flg == 1: print_opcodz( g_f_cnt[i:] )
g_power += RATING_CODE
for i in xrange(g_f_size):
if ( libc.memcmp( byref(g_CallPopSig1), g_f_cnt[i:], 6 ) == 0 or
libc.memcmp( byref(g_CallPopSig2), g_f_cnt[i:], 6 ) == 0 or
libc.memcmp( byref(g_CallPopSig3), g_f_cnt[i:], 6 ) == 0 or
libc.memcmp( byref(g_CallPopSig4), g_f_cnt[i:], 6 ) == 0 or
libc.memcmp( byref(g_CallPopSig5), g_f_cnt[i:], 6 ) == 0 or
libc.memcmp( byref(g_CallPopSig6), g_f_cnt[i:], 6 ) == 0 or
libc.memcmp( byref(g_CallPopSig7), g_f_cnt[i:], 6 ) == 0 ):
print "CALL next/POP signature found at offset: 0x%x\n" % i,
if debug_flg == 1: print_opcodz( g_f_cnt[i:] )
g_power += RATING_CODE
for i in xrange(g_f_size):
# print "%08X" % i
import binascii
if ( unpack( 'B', g_f_cnt[i] )[0] == 0xEB ):
# print binascii.hexlify(g_f_cnt[i+1])
# print i, g_f_size
if(i<=g_f_size-2):
if(i+unpack('B',g_f_cnt[i+1])[0]+2<g_f_size) :
# unpack( 'B', g_f_cnt[i+unpack('B',g_f_cnt[i+1])[0]+2] )[0] == 0xE8 ):
jmp_off = i + unpack('B',g_f_cnt[i+1])[0] + 2
# call_va = unpack( '<L', g_f_cnt[jmp_off+1:jmp_off+5] )[0] # python is much simple
call_va = unpack( 'B', g_f_cnt[jmp_off + 1] )[0]
call_va += unpack( 'B', g_f_cnt[jmp_off + 2] )[0] << 8
call_va += unpack( 'B', g_f_cnt[jmp_off + 3] )[0] << 16
call_va += unpack( 'B', g_f_cnt[jmp_off + 4] )[0] << 24
if ( jmp_off + call_va + 5 < g_f_size):
if( unpack( 'B', g_f_cnt[jmp_off+call_va+5] )[0] == 0x58 or
unpack( 'B', g_f_cnt[jmp_off+call_va+5] )[0] == 0x59 or
unpack( 'B', g_f_cnt[jmp_off+call_va+5] )[0] == 0x5A or
unpack( 'B', g_f_cnt[jmp_off+call_va+5] )[0] == 0x5B or
unpack( 'B', g_f_cnt[jmp_off+call_va+5] )[0] == 0x5E or
unpack( 'B', g_f_cnt[jmp_off+call_va+5] )[0] == 0x5F ):
print "JMP [0xEB]/CALL/POP signature found at offset: 0x%x\n" % i,
if debug_flg == 1: print_opcodz( g_f_cnt[i:] )
g_power += RATING_CODE
for i in xrange(g_f_size):
# print "%08X" % i
import binascii
if ( unpack( 'B', g_f_cnt[i] )[0] == 0xE9 ):
# print binascii.hexlify(g_f_cnt[i+1])
# print i, g_f_size
if(i<=g_f_size-2):
if(i+unpack('B',g_f_cnt[i+1])[0]+5<g_f_size) :
# unpack( 'B', g_f_cnt[i+unpack('B',g_f_cnt[i+1])[0]+2] )[0] == 0xE8 ):
jmp_off = i + unpack('B',g_f_cnt[i+1])[0] + 5
# call_va = unpack( '<L', g_f_cnt[jmp_off+1:jmp_off+5] )[0] # python is much simple
call_va = unpack( 'B', g_f_cnt[jmp_off + 1] )[0]
call_va += unpack( 'B', g_f_cnt[jmp_off + 2] )[0] << 8
call_va += unpack( 'B', g_f_cnt[jmp_off + 3] )[0] << 16
call_va += unpack( 'B', g_f_cnt[jmp_off + 4] )[0] << 24
if ( jmp_off + call_va + 5 < g_f_size):
if( unpack( 'B', g_f_cnt[jmp_off+call_va+5] )[0] == 0x58 or
unpack( 'B', g_f_cnt[jmp_off+call_va+5] )[0] == 0x59 or
unpack( 'B', g_f_cnt[jmp_off+call_va+5] )[0] == 0x5A or
unpack( 'B', g_f_cnt[jmp_off+call_va+5] )[0] == 0x5B or
unpack( 'B', g_f_cnt[jmp_off+call_va+5] )[0] == 0x5E or
unpack( 'B', g_f_cnt[jmp_off+call_va+5] )[0] == 0x5F ):
print "JMP [0xE9]/CALL/POP signature found at offset: 0x%x\n" % i,
if debug_flg == 1: print_opcodz( g_f_cnt[i:] )
g_power += RATING_CODE
for i in xrange(g_f_size):
if ( libc.memcmp( c_char_p("MZ"), g_f_cnt[i:], 2 ) == 0 ):
pe_off = unpack( 'B', g_f_cnt[i+0x3C] )[0]
pe_off += unpack( 'B', g_f_cnt[i+0x3D] )[0] << 8
pe_off += unpack( 'B', g_f_cnt[i+0x3E] )[0] << 16
pe_off += unpack( 'B', g_f_cnt[i+0x3F] )[0] << 24
if ( libc.memcmp( c_char_p("PE"), g_f_cnt[i+pe_off:], 2 ) == 0):
print "unencrypted MZ/PE signature found at offset: 0x%x\n" % i,
if debug_flg == 1: dump_data( "PE-File", g_f_cnt[i:], 0x100 )
g_power += RATING_EXEC
print "\n\nAnalysis finished!\n\n",
if g_power:
k32.SetConsoleTextAttribute( h, 0x0E ) # FOREGROUND_GREEN or FOREGROUND_RED or FOREGROUND_INTENSITY
libc.printf( "---------------------------------------------" )
i = 0
while i < len(g_f_name):
libc.printf("-")
i += 1
libc.printf( "\n%s seems to be malicious! Malicious Index = %02d\n", g_f_name, g_power )
libc.printf( "---------------------------------------------" )
i = 0
while i < len(g_f_name):
libc.printf("-")
i += 1
k32.SetConsoleTextAttribute( h, 0x0F ) # FOREGROUND_BLUE or FOREGROUND_GREEN or FOREGROUND_RED or FOREGROUND_INTENSITY
else:
k32.SetConsoleTextAttribute( h, 0x07 ) # FOREGROUND_BLUE or FOREGROUND_GREEN or FOREGROUND_RED
print "---------------------------------------------------------------------\n",
print " No malicious traces found in this file!\n",
print "Assure that this file is being scanned with the \"info\" parameter too.\n",
print "---------------------------------------------------------------------\n",
k32.SetConsoleTextAttribute( h, 0x0F ) # FOREGROUND_BLUE or FOREGROUND_GREEN or FOREGROUND_RED or FOREGROUND_INTENSITY
def omh_shellcode_scan(g_f_cnt):
global g_power
global g_f_name
mode_flg = 0 # <scan | info> mode
debug_flg = 0
brute_flg = 0
libc = cdll.msvcrt
k32 = windll.kernel32
h = k32.GetStdHandle( 0xFFFFFFF5 ) # STD_OUTPUT_HANDLE
g_f_size = len(g_f_cnt)
ot=Output_Item()
iom=0
report=""
report=report+ "\r\n[*] Scanning now...\r\n\r\n"
for i in xrange(g_f_size):
if ( libc.memcmp( byref(g_FS30Sig1), g_f_cnt[i:], 5 ) == 0 or
libc.memcmp( byref(g_FS30Sig2), g_f_cnt[i:], 5 ) == 0 or
libc.memcmp( byref(g_FS30Sig3), g_f_cnt[i:], 5 ) == 0 or
libc.memcmp( byref(g_FS30Sig4), g_f_cnt[i:], 5 ) == 0 or
libc.memcmp( byref(g_FS30Sig5), g_f_cnt[i:], 5 ) == 0 or
libc.memcmp( byref(g_FS30Sig6), g_f_cnt[i:], 5 ) == 0 ):
output= "FS:[30h] (Method 1) signature found at offset: 0x%x\r\n" % i
report=report+str(output)
if debug_flg == 1: print_opcodz( g_f_cnt[i:] )
g_power += RATING_CODE
for i in xrange(g_f_size):
if ( unpack( 'B', g_f_cnt[i] )[0] == 0x6A and
unpack( 'B', g_f_cnt[i+1] )[0] == 0x30 and
unpack( 'B', g_f_cnt[i+3] )[0] == 0x64 and
unpack( 'B', g_f_cnt[i+4] )[0] == 0x8B ):
output= "FS:[30] (Method 2) signature found at offset: 0x%x\r\n" % i
report=report+str(output)
if debug_flg == 1: print_opcodz( g_f_cnt[i:] )
g_power += RATING_CODE
for i in xrange(g_f_size):
if ( unpack( 'B', g_f_cnt[i] )[0] == 0x33 and
unpack( 'B', g_f_cnt[i+3] )[0] == 0xB3 and
unpack( 'B', g_f_cnt[i+4] )[0] == 0x64 and
unpack( 'B', g_f_cnt[i+5] )[0] == 0x8B ):
output= "FS:[30] (Method 3) signature found at offset: 0x%x\r\n" % i
report=report+str(output)
if debug_flg == 1: print_opcodz( g_f_cnt[i:] )
g_power += RATING_CODE
for i in xrange(g_f_size):
if ( unpack( 'B', g_f_cnt[i] )[0] == 0x74 and
unpack( 'B', g_f_cnt[i+2] )[0] == 0xC1 and
unpack( 'B', g_f_cnt[i+4] )[0] == 0x0D and
unpack( 'B', g_f_cnt[i+5] )[0] == 0x03 ):
output= "API-Hashing signature found at offset: 0x%x\r\n" % i
report=report+str(output)
if debug_flg == 1: print_opcodz( g_f_cnt[i:] )
g_power += RATING_CODE
i = 0
while ( i < g_f_size ):
if ( libc.memcmp( byref(g_NopSig), g_f_cnt[i:], 3 ) == 0 ):
output= "NOP slides signature found at offset: 0x%x\r\n" % i
report=report+str(output)
if debug_flg == 1: print_opcodz( g_f_cnt[i:] )
while unpack('B', g_f_cnt[i])[0] == 0x90: i += 1
g_power += RATING_OLENOP
i += 1
for api in APIZ:
for i in xrange(g_f_size):
if libc.memcmp( c_char_p(api), g_f_cnt[i:], len(api) ) == 0:
output= "API-Name %s string found at offset: 0x%x\r\n" % (api, i)
report=report+str(output)
if debug_flg == 1: dump_data( "PE-File", g_f_cnt[i:], 0x100 )
g_power += RATING_STRS
for i in xrange(8, g_f_size):
if libc.memcmp( byref(g_aOfficeSig), g_f_cnt[i:], 8 ) == 0:
output="Embedded OLE signature found at offset: 0x%x\r\n" % i
report=report+str(output)
if debug_flg == 1: dump_data( "PE-File", g_f_cnt[i:], 0x100 )
g_power += RATING_OLENOP
for i in xrange(g_f_size):
if ( unpack( 'B', g_f_cnt[i] )[0] == 0x55 and
unpack( 'B', g_f_cnt[i+1] )[0] == 0x8B and
unpack( 'B', g_f_cnt[i+2] )[0] == 0xEC and
unpack( 'B', g_f_cnt[i+3] )[0] == 0x83 and
unpack( 'B', g_f_cnt[i+4] )[0] == 0xC4 ):
output= "Function prolog signature found at offset: 0x%x\r\n" % i
report=report+str(output)
if debug_flg == 1: print_opcodz( g_f_cnt[i:] )
g_power += RATING_CODE
for i in xrange(g_f_size):
if ( unpack( 'B', g_f_cnt[i] )[0] == 0x55 and
unpack( 'B', g_f_cnt[i+1] )[0] == 0x8B and
unpack( 'B', g_f_cnt[i+2] )[0] == 0xEC and
unpack( 'B', g_f_cnt[i+3] )[0] == 0x81 and
unpack( 'B', g_f_cnt[i+4] )[0] == 0xEC ):
output= "Function prolog signature found at offset: 0x%x\r\n" % i
report=report+str(output)
if debug_flg == 1: print_opcodz( g_f_cnt[i:] )
g_power += RATING_CODE
for i in xrange(g_f_size):
if ( unpack( 'B', g_f_cnt[i] )[0] == 0xFF and
unpack( 'B', g_f_cnt[i+1] )[0] == 0x75 and
unpack( 'B', g_f_cnt[i+3] )[0] == 0xFF and
unpack( 'B', g_f_cnt[i+4] )[0] == 0x55 ):
output= "PUSH DWORD[]/CALL[] signature found at offset: 0x%x\r\n" % i
report=report+str(output)
if debug_flg == 1: print_opcodz( g_f_cnt[i:] )
g_power += RATING_CODE
for i in xrange(g_f_size):
if ( unpack( 'B', g_f_cnt[i] )[0] == 0xAC and
unpack( 'B', g_f_cnt[i+1] )[0] == 0x34 and
unpack( 'B', g_f_cnt[i+3] )[0] == 0xAA ):
report=report+ "LODSB/STOSB XOR decryption signature found at offset: 0x%x\r\n" % i,
if debug_flg == 1: print_opcodz( g_f_cnt[i:] )
g_power += RATING_CODE
for i in xrange(g_f_size):
if ( unpack( 'B', g_f_cnt[i] )[0] == 0xAC and
unpack( 'B', g_f_cnt[i+1] )[0] == 0x04 and
unpack( 'B', g_f_cnt[i+3] )[0] == 0xAA ):
report=report+ "LODSB/STOSB ADD decryption signature found at offset: 0x%x\r\n" % i,
if debug_flg == 1: print_opcodz( g_f_cnt[i:] )
g_power += RATING_CODE
for i in xrange(g_f_size):
if ( unpack( 'B', g_f_cnt[i] )[0] == 0xAC and
unpack( 'B', g_f_cnt[i+1] )[0] == 0x2C and
unpack( 'B', g_f_cnt[i+3] )[0] == 0xAA ):
report=report+ "LODSB/STOSB SUB decryption signature found at offset: 0x%x\r\n" % i,
if debug_flg == 1: print_opcodz( g_f_cnt[i:] )
g_power += RATING_CODE
for i in xrange(g_f_size):
if ( unpack( 'B', g_f_cnt[i] )[0] == 0xAC and
unpack( 'B', g_f_cnt[i+1] )[0] == 0xD0 and
unpack( 'B', g_f_cnt[i+2] )[0] == 0xC0 and
unpack( 'B', g_f_cnt[i+3] )[0] == 0xAA ):
report=report+ "LODSB/STOSB ROL decryption signature found at offset: 0x%x\r\n" % i,
if debug_flg == 1: print_opcodz( g_f_cnt[i:] )
g_power += RATING_CODE
for i in xrange(g_f_size):
if ( unpack( 'B', g_f_cnt[i] )[0] == 0xAC and
unpack( 'B', g_f_cnt[i+1] )[0] == 0xD0 and
unpack( 'B', g_f_cnt[i+2] )[0] == 0xC8 and
unpack( 'B', g_f_cnt[i+3] )[0] == 0xAA ):
report=report+ "LODSB/STOSB ROR decryption signature found at offset: 0x%x\r\n" % i,
if debug_flg == 1: print_opcodz( g_f_cnt[i:] )
g_power += RATING_CODE
for i in xrange(g_f_size):
if ( unpack( 'B', g_f_cnt[i] )[0] == 0xAC and
unpack( 'B', g_f_cnt[i+1] )[0] == 0xC0 and
unpack( 'B', g_f_cnt[i+2] )[0] == 0xC0 and
unpack( 'B', g_f_cnt[i+4] )[0] == 0xAA ):
report=report+ "LODSB/STOSB ROL decryption signature found at offset: 0x%x\r\n" % i,
if debug_flg == 1: print_opcodz( g_f_cnt[i:] )
g_power += RATING_CODE
for i in xrange(g_f_size):
if ( unpack( 'B', g_f_cnt[i] )[0] == 0xAC and
unpack( 'B', g_f_cnt[i+1] )[0] == 0xC0 and
unpack( 'B', g_f_cnt[i+2] )[0] == 0xC8 and
unpack( 'B', g_f_cnt[i+4] )[0] == 0xAA ):
report=report+ "LODSB/STOSB ROR decryption signature found at offset: 0x%x\r\n" % i,
if debug_flg == 1: print_opcodz( g_f_cnt[i:] )
g_power += RATING_CODE
for i in xrange(g_f_size):
if ( unpack( 'B', g_f_cnt[i] )[0] == 0x66 and
unpack( 'B', g_f_cnt[i+1] )[0] == 0xAD and
unpack( 'B', g_f_cnt[i+2] )[0] == 0x66 and
unpack( 'B', g_f_cnt[i+3] )[0] == 0x35 and
unpack( 'B', g_f_cnt[i+6] )[0] == 0x66 and
unpack( 'B', g_f_cnt[i+7] )[0] == 0xAB ):
report=report+ "LODSW/STOSW XOR decryption signature found at offset: 0x%x\r\n" % i,
if debug_flg == 1: print_opcodz( g_f_cnt[i:] )
g_power += RATING_CODE
for i in xrange(g_f_size):
if ( unpack( 'B', g_f_cnt[i] )[0] == 0x66 and
unpack( 'B', g_f_cnt[i+1] )[0] == 0xAD and
unpack( 'B', g_f_cnt[i+2] )[0] == 0x66 and
unpack( 'B', g_f_cnt[i+3] )[0] == 0x05 and
unpack( 'B', g_f_cnt[i+6] )[0] == 0x66 and
unpack( 'B', g_f_cnt[i+7] )[0] == 0xAB ):
report=report+ "LODSW/STOSW ADD decryption signature found at offset: 0x%x\r\n" % i,
if debug_flg == 1: print_opcodz( g_f_cnt[i:] )
g_power += RATING_CODE
for i in xrange(g_f_size):
if ( unpack( 'B', g_f_cnt[i] )[0] == 0x66 and
unpack( 'B', g_f_cnt[i+1] )[0] == 0xAD and
unpack( 'B', g_f_cnt[i+2] )[0] == 0x66 and
unpack( 'B', g_f_cnt[i+3] )[0] == 0x2D and
unpack( 'B', g_f_cnt[i+6] )[0] == 0x66 and
unpack( 'B', g_f_cnt[i+7] )[0] == 0xAB ):
report=report+ "LODSW/STOSW SUB decryption signature found at offset: 0x%x\r\n" % i,
if debug_flg == 1: print_opcodz( g_f_cnt[i:] )
g_power += RATING_CODE
for i in xrange(g_f_size):
if ( unpack( 'B', g_f_cnt[i] )[0] == 0xAD and
unpack( 'B', g_f_cnt[i+1] )[0] == 0x35 and
unpack( 'B', g_f_cnt[i+6] )[0] == 0xAB ):
report=report+ "LODSD/STOSD XOR decryption signature found at offset: 0x%x\r\n" % i,
if debug_flg == 1: print_opcodz( g_f_cnt[i:] )
g_power += RATING_CODE
for i in xrange(g_f_size):
if ( unpack( 'B', g_f_cnt[i] )[0] == 0xAD and
unpack( 'B', g_f_cnt[i+1] )[0] == 0x05 and
unpack( 'B', g_f_cnt[i+6] )[0] == 0xAB ):
report=report+ "LODSD/STOSD ADD decryption signature found at offset: 0x%x\r\n" % i,
if debug_flg == 1: print_opcodz( g_f_cnt[i:] )
g_power += RATING_CODE
for i in xrange(g_f_size):
if ( unpack( 'B', g_f_cnt[i] )[0] == 0xAD and
unpack( 'B', g_f_cnt[i+1] )[0] == 0x2D and
unpack( 'B', g_f_cnt[i+6] )[0] == 0xAB ):
report=report+ "LODSD/STOSD SUB decryption signature found at offset: 0x%x\r\n" % i,
if debug_flg == 1: print_opcodz( g_f_cnt[i:] )
g_power += RATING_CODE
for i in xrange(g_f_size):
if libc.memcmp( byref(g_FldzSig), g_f_cnt[i:], 6 ) == 0:
report=report+ "FLDZ/FSTENV [esp-12] signature found at offset: 0x%x\r\n" % i,
if debug_flg == 1: print_opcodz( g_f_cnt[i:] )
g_power += RATING_CODE
for i in xrange(g_f_size):
if ( libc.memcmp( byref(g_CallPopSig1), g_f_cnt[i:], 6 ) == 0 or
libc.memcmp( byref(g_CallPopSig2), g_f_cnt[i:], 6 ) == 0 or
libc.memcmp( byref(g_CallPopSig3), g_f_cnt[i:], 6 ) == 0 or
libc.memcmp( byref(g_CallPopSig4), g_f_cnt[i:], 6 ) == 0 or
libc.memcmp( byref(g_CallPopSig5), g_f_cnt[i:], 6 ) == 0 or
libc.memcmp( byref(g_CallPopSig6), g_f_cnt[i:], 6 ) == 0 or
libc.memcmp( byref(g_CallPopSig7), g_f_cnt[i:], 6 ) == 0 ):
output= "CALL next/POP signature found at offset: 0x%x\r\n" % i,
report=report+str(output)
if debug_flg == 1: print_opcodz( g_f_cnt[i:] )
g_power += RATING_CODE
for i in xrange(g_f_size):
# print "%08X" % i
import binascii
if ( unpack( 'B', g_f_cnt[i] )[0] == 0xEB ):
# print binascii.hexlify(g_f_cnt[i+1])
# print i, g_f_size
if(i<=g_f_size-2):
if(i+unpack('B',g_f_cnt[i+1])[0]+2<g_f_size) :
# unpack( 'B', g_f_cnt[i+unpack('B',g_f_cnt[i+1])[0]+2] )[0] == 0xE8 ):
jmp_off = i + unpack('B',g_f_cnt[i+1])[0] + 2
# call_va = unpack( '<L', g_f_cnt[jmp_off+1:jmp_off+5] )[0] # python is much simple
call_va = unpack( 'B', g_f_cnt[jmp_off + 1] )[0]
call_va += unpack( 'B', g_f_cnt[jmp_off + 2] )[0] << 8
call_va += unpack( 'B', g_f_cnt[jmp_off + 3] )[0] << 16
call_va += unpack( 'B', g_f_cnt[jmp_off + 4] )[0] << 24
if ( jmp_off + call_va + 5 < g_f_size):
if( unpack( 'B', g_f_cnt[jmp_off+call_va+5] )[0] == 0x58 or
unpack( 'B', g_f_cnt[jmp_off+call_va+5] )[0] == 0x59 or
unpack( 'B', g_f_cnt[jmp_off+call_va+5] )[0] == 0x5A or
unpack( 'B', g_f_cnt[jmp_off+call_va+5] )[0] == 0x5B or
unpack( 'B', g_f_cnt[jmp_off+call_va+5] )[0] == 0x5E or
unpack( 'B', g_f_cnt[jmp_off+call_va+5] )[0] == 0x5F ):
report=report+ "JMP [0xEB]/CALL/POP signature found at offset: 0x%x\r\n" % i,
if debug_flg == 1: print_opcodz( g_f_cnt[i:] )
g_power += RATING_CODE
for i in xrange(g_f_size):
# print "%08X" % i
import binascii
if ( unpack( 'B', g_f_cnt[i] )[0] == 0xE9 ):
# print binascii.hexlify(g_f_cnt[i+1])
# print i, g_f_size
if(i<=g_f_size-2):
if(i+unpack('B',g_f_cnt[i+1])[0]+5<g_f_size) :
# unpack( 'B', g_f_cnt[i+unpack('B',g_f_cnt[i+1])[0]+2] )[0] == 0xE8 ):
jmp_off = i + unpack('B',g_f_cnt[i+1])[0] + 5
# call_va = unpack( '<L', g_f_cnt[jmp_off+1:jmp_off+5] )[0] # python is much simple
call_va = unpack( 'B', g_f_cnt[jmp_off + 1] )[0]
call_va += unpack( 'B', g_f_cnt[jmp_off + 2] )[0] << 8
call_va += unpack( 'B', g_f_cnt[jmp_off + 3] )[0] << 16
call_va += unpack( 'B', g_f_cnt[jmp_off + 4] )[0] << 24
if ( jmp_off + call_va + 5 < g_f_size):
if( unpack( 'B', g_f_cnt[jmp_off+call_va+5] )[0] == 0x58 or
unpack( 'B', g_f_cnt[jmp_off+call_va+5] )[0] == 0x59 or
unpack( 'B', g_f_cnt[jmp_off+call_va+5] )[0] == 0x5A or
unpack( 'B', g_f_cnt[jmp_off+call_va+5] )[0] == 0x5B or
unpack( 'B', g_f_cnt[jmp_off+call_va+5] )[0] == 0x5E or
unpack( 'B', g_f_cnt[jmp_off+call_va+5] )[0] == 0x5F ):
report=report+ "JMP [0xE9]/CALL/POP signature found at offset: 0x%x\r\n" % i,
if debug_flg == 1: print_opcodz( g_f_cnt[i:] )
g_power += RATING_CODE
for i in xrange(g_f_size):
if ( libc.memcmp( c_char_p("MZ"), g_f_cnt[i:], 2 ) == 0 ):
pe_off = unpack( 'B', g_f_cnt[i+0x3C] )[0]
pe_off += unpack( 'B', g_f_cnt[i+0x3D] )[0] << 8
pe_off += unpack( 'B', g_f_cnt[i+0x3E] )[0] << 16
pe_off += unpack( 'B', g_f_cnt[i+0x3F] )[0] << 24
if ( libc.memcmp( c_char_p("PE"), g_f_cnt[i+pe_off:], 2 ) == 0):
output= "unencrypted MZ/PE signature found at offset: 0x%x\r\n" % i
report=report+str(output)
if debug_flg == 1: dump_data( "PE-File", g_f_cnt[i:], 0x100 )
g_power += RATING_EXEC
report=report+ "\r\n\r\nAnalysis finished!\r\n\r\n",
if g_power:
k32.SetConsoleTextAttribute( h, 0x0E ) # FOREGROUND_GREEN or FOREGROUND_RED or FOREGROUND_INTENSITY
report= str(report)+ "---------------------------------------------"
i = 0
while i < len(g_f_name):
libc.printf("-")
i += 1
output= "\r\n%s seems to be malicious! Malicious Index = %02d\r\n" % ( g_f_name, g_power )
report=report+str(output)
report=report+ "---------------------------------------------"
iom=g_power
i = 0
while i < len(g_f_name):
libc.printf("-")
i += 1
k32.SetConsoleTextAttribute( h, 0x0F ) # FOREGROUND_BLUE or FOREGROUND_GREEN or FOREGROUND_RED or FOREGROUND_INTENSITY
else:
k32.SetConsoleTextAttribute( h, 0x07 ) # FOREGROUND_BLUE or FOREGROUND_GREEN or FOREGROUND_RED
report=report+ "---------------------------------------------------------------------\r\n",
report=report+ " No malicious traces found in this file!\r\n",
report=report+ "Assure that this file is being scanned with the \"info\" parameter too.\r\n",
report=report+ "---------------------------------------------------------------------\r\n",
k32.SetConsoleTextAttribute( h, 0x0F ) # FOREGROUND_BLUE or FOREGROUND_GREEN or FOREGROUND_RED or FOREGROUND_INTENSITY
ot.set_item(iom,report)
return ot