Ejemplo n.º 1
0
def test_calc_dmp():
    with cuckoomem.from_file("tests/files/calc.dmp") as p:
        ppe = procmempe.from_memory(p, 0xd0000)
        assert p.regions == ppe.regions
        assert p.findmz(0x129abc) == 0xd0000
        # Old/regular method with PE header.
        assert pe(p.readv(p.imgbase, 0x1000)).dos_header.e_lfanew == 0xd8
        assert p.readv(p.imgbase + 0xd8, 4) == b"PE\x00\x00"

        assert pe(p).is32bit is True
        d = pe(p).optional_header.DATA_DIRECTORY[2]
        assert d.VirtualAddress == 0x59000 and d.Size == 0x62798
        data = pe(p).resource(b"WEVT_TEMPLATE")
        assert data.startswith(b"CRIM")
        assert len(data) == 4750
        assert len(ppe.pe.section(".text").get_data()) == 0x52e00
Ejemplo n.º 2
0
def decrypt_ransom_note(file):
    with open(file, 'rb') as f:
        try:
            pe = malduck.pe(f.read())
        except:
            print("\t==> Error reading PE file!\n")
            return

    for res in resdb:
        crypted_buffer = pe.resource(res)
        if crypted_buffer != None:
            break

    if crypted_buffer != None:
        for key in keydb:
            decrypted_buffer = b''
            for current_byte in range(0, len(crypted_buffer)):
                decrypted_buffer += bytes(
                    [crypted_buffer[current_byte] ^ key[current_byte % 0x21]])
            if b'DEAR' in decrypted_buffer:
                print(decrypted_buffer)
                break
    else:
        print("\t==> Expected resources not found!")
        return
Ejemplo n.º 3
0
def test_pe_header():
    img = pe(
        base64(b"""
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v
ZGUuDQ0KJAAAAAAAAACCixJ5xup8KsbqfCrG6nwqz5LpKsfqfCrhLBEqxOp8KuEsByrU6nwqxup9
KnjqfCoF5SEqxep8KgXlIyrH6nwqBeVzKsXqfCrPkvUq2ep8Kti46CrH6nwqz5LtKsfqfCpSaWNo
xup8KgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFBFAABMAQUAE5z9WAAAAAAAAAAA4AADAQsBCQAA
bgAAACoAAAAAAADnEAAAABAAAACAAAAAAEAAABAAAAACAAAFAAAAAAAAAAUAAAAAAAAAAJAEAAAE
AAAAAAAAAgAAgAAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAARIQAAMgAAAAAwAAAEAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAACAAACYAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALnRleHQAAADQ
bAAAABAAAABuAAAABAAAAAAAAAAAAAAAAAAAIAAAYC5yZGF0YQAA/hIAAACAAAAAFAAAAHIAAAAA
AAAAAAAAAAAAAEAAAEAuZGF0YQAAAGQKAAAAoAAAAAgAAACGAAAAAAAAAAAAAAAAAABAAADALmJz
cwAAAAARBwAAALAAAAAIAAAAjgAAAAAAAAAAAAAAAAAAQAAAwC5yc3JjAAAAANADAADAAAAAzAMA
AJYAAAAAAAAAAAAAAAAAAEAAAEAK
""".strip()))
    assert img.dos_header.e_magic == 0x5a4d
    assert img.nt_headers.Signature == 0x4550
    assert img.file_header.NumberOfSections == len(img.sections)
    assert img.sections[0].Name.strip(b"\x00") == b".text"
    assert img.sections[-1].get_file_offset() == 0x298
    assert img.is32bit is True
    assert img.is64bit is False
    assert img.section(".text").VirtualAddress == 0x1000
Ejemplo n.º 4
0
def test_calc_exe():
    p = pe(open("tests/files/calc.exe", "rb").read(), fast_load=False)
    assert p.is32bit is True
    data = p.resource(b"WEVT_TEMPLATE")
    assert data.startswith(b"CRIM")
    assert len(data) == 4750

    icons = list(p.resources(b"RT_ICON"))
    assert len(icons) == 16
    assert len(icons[0]) == 2664
    assert len(icons[7]) == 2216
    assert len(icons[11]) == 16936

    bitmaps = list(p.resources(51209))
    assert len(bitmaps) == 1
    assert len(bitmaps[0]) == 22042
Ejemplo n.º 5
0
png_stego_xor = 0x61
url_xor = 0xC5
s = bytes('', 'latin1')
#Change the User-Agent to look less suspicius
headers = {
    'User-Agent': 'cruloader'
}

# RC4 key offset at 0xC
key_offset = 12

# RC4 key size
key_size = 15

# RC4 decrypt the first layer of CruLoader
p = pe(open(infile, "rb").read(), fast_load=False)
get_rsrc = p.resource('RT_RCDATA')
rc4_key = get_rsrc[key_offset:key_offset+key_size]
encrypted = get_rsrc[28:]
decrypted = rc4(rc4_key, encrypted)
print("[+] Second layer unpacked")

if decrypted[0:2].decode('latin1') != "MZ":
	print("[-] RC4 decryption failed")

# Seems malduck ROL needs data type int according to the documentation
else:
	convert_rol = (decrypted[0:])
	for index,value in enumerate(convert_rol):
		a = rol(value, 4, bits=8)
		#convert back to bytes for malduck.xor
Ejemplo n.º 6
0
#!/usr/bin/env python3

#Todo Figure out how to ROL 4 with Python to then be able to XOR 0xC5 and find the Pastebin URL with regexp in Python

import malduck
import sys

infile = sys.argv[1]
outfile = infile + "_decrypted"

# RC4 key offset at 0xC
key_offset = 12

# RC4 key size
key_size = 15

# RC4 decrypt the first layer of CruLoader
p = malduck.pe(open(infile, "rb").read(), fast_load=False)
get_rsrc = p.resource('RT_RCDATA')
rc4_key = get_rsrc[key_offset:key_offset+key_size]
encrypted = get_rsrc[28:]
decrypted = malduck.rc4(rc4_key, encrypted)

if decrypted[0:2].decode('latin1') != "MZ":
	print("RC4 decryption failed")	
else:
	with open (outfile, 'wb') as o:
		o.write(decrypted)
Ejemplo n.º 7
0
Emotet layer1 unpacker
Packer uses RC4 crypto with a modulo of 0x12296
Key seems to be located in either the .rdata or .data section

"""

import malduck
import sys

infile = sys.argv[1]
mod = 0x12296

with open(infile, 'rb') as f:
    a = f.read()
    p = malduck.pe(data=a)


# Custom RC4 taken from https://gist.github.com/sysopfb/19aa8e0bdecde60662b7adecdc72b11f
def decode_data(data, key, sz):
    S = list(range(sz))
    S = [x & 0xff for x in S]
    j = 0
    out = []
    for i in range(sz):
        j = (j + S[i] + ord(key[i % len(key)])) % sz
        S[i], S[j] = S[j], S[i]
    i = j = 0
    for char in data:
        i = (i + 1) % sz
        j = (j + S[i]) % sz
Ejemplo n.º 8
0
def test_ollydbg_exe():
    p = pe(open("tests/files/ollydbg.exe", "rb").read(), fast_load=False)
    assert p.is32bit is True
    data = p.resource("DVCLAL")
    assert data.startswith(b"\xA2\x8C\xDF\x98")
    assert len(data) == 16