def rat_module(self):
import struct
rat_data = get_section_data('.data1', self.filepath)
rat_data = fix_dword(rat_data[rat_data.index('MZ') -
3:].rstrip('\x00'))
try:
return lznt1.decompress(rat_data, length_check=False)
except struct.error:
return lznt1.decompress(rat_data + '\x00', length_check=False)
def handle(self):
print("Connection established")
done = False
try:
# Get IV (16 bytes) and init decryptor
self.data = self.request.recv(16)
print(f"IV is {self.data}")
iv = self.data
cbc = pyaes.AESModeOfOperationCBC(key, iv)
decrypter = pyaes.Decrypter(cbc)
decrypted = b''
# Start with 4 bytes to get the DWORD representing the exfil size
self.data = self.request.recv(4)
exfil_length = int.from_bytes(self.data, 'little')
print(f"exfil length: {exfil_length}",)
# Then receive all the data
self.data = self.request.recv(exfil_length)
print(f"Received data: {self.data}")
decrypted += decrypter.feed(self.data)
decrypted += decrypter.feed()
data = lznt1.decompress(decrypted).decode('utf-16')
with open("exfil.txt", "w") as outfile:
outfile.write(data)
print("Exfil complete! Check exfil.txt")
except ConnectionAbortedError or ConnectionResetError:
print("Connection force closed by client")
def main():
with open(args.FILE, 'rb') as fp:
data = fp.read()
#data = "Hello world!" * 800
print('[*] input size = {} bytes, sha1 hash = {}'.format(len(data), sha1(data).hexdigest()))
compressed1 = lznt1.compress(data)
decompressed11 = lznt1.decompress(compressed1)
buf_decompressed = ctypes.create_string_buffer(len(data)*2)
final_size = ctypes.c_ulong(0)
ctypes.windll.ntdll.RtlDecompressBuffer(2, buf_decompressed, ctypes.sizeof(buf_decompressed), ctypes.c_char_p(compressed1), len(compressed1), ctypes.byref(final_size))
decompressed12 = buf_decompressed.raw[:final_size.value]
buf_compressed = ctypes.create_string_buffer(len(data)*2)
work_size = ctypes.c_ulong(0)
work_frag_size = ctypes.c_ulong(0)
ctypes.windll.ntdll.RtlGetCompressionWorkSpaceSize(2, ctypes.byref(work_size), ctypes.byref(work_frag_size))
workspace = ctypes.create_string_buffer(work_size.value)
final_size = ctypes.c_ulong(0)
ctypes.windll.ntdll.RtlCompressBuffer(2, ctypes.c_char_p(data), len(data), buf_compressed, ctypes.sizeof(buf_compressed), 4096, ctypes.byref(final_size), workspace)
compressed2 = buf_compressed.raw[:final_size.value]
decompressed21 = lznt1.decompress(compressed2)
buf_decompressed = ctypes.create_string_buffer(len(data)*2)
final_size = ctypes.c_ulong(0)
ctypes.windll.ntdll.RtlDecompressBuffer(2, buf_decompressed, ctypes.sizeof(buf_decompressed), buf_compressed, ctypes.sizeof(buf_compressed), ctypes.byref(final_size))
decompressed22 = buf_decompressed.raw[:final_size.value]
print('[*] size of compressed1: {}'.format(len(compressed1)))
print('[*] size of compressed2: {}'.format(len(compressed2)))
print('[*] sha1 hash of compressed1: {}'.format(sha1(compressed1).hexdigest()))
print('[*] sha1 hash of compressed2: {}'.format(sha1(compressed2).hexdigest()))
print('[*] sha1 hash of decompressed11: {}'.format(sha1(decompressed11).hexdigest()))
print('[*] sha1 hash of decompressed12: {}'.format(sha1(decompressed12).hexdigest()))
print('[*] sha1 hash of decompressed21: {}'.format(sha1(decompressed21).hexdigest()))
print('[*] sha1 hash of decompressed22: {}'.format(sha1(decompressed22).hexdigest()))
def decompress(filename):
with open(filename, "rb") as toDecode:
data = toDecode.read()
return (lznt1.decompress(data))
import struct
import lznt1
from scapy.all import rdpcap, TCP
from pyrc4 import rc4decrypt
pcap = rdpcap('help.pcapng')
sessions = pcap.sessions()
for session_no, (k, s) in enumerate(sessions.items()):
payload = b''.join(bytes(p[TCP].payload) for p in s if TCP in p)
for i in range(len(payload[:-4])):
maybelen, = struct.unpack_from('<I', payload, i)
if maybelen == len(payload) - i:
try:
with open('mass{}.bin'.format(session_no), 'wb') as f:
f.write(
lznt1.decompress(
rc4decrypt(b'FLARE ON 2019\x00', payload[i + 4:])))
except Exception as e:
print('Error processing {}: {}'.format(session_no, e))