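def scan(file_path):
    """Score a file against the regex rules in malicious_vba_list.txt.

    Every non-empty line of the list (kept next to this module) is compiled
    as a case-insensitive regular expression; each match found in the sample
    adds 10 to the index of maliciousness (iom).

    Args:
        file_path: path of the sample to scan.
    Returns:
        Output_Item holding (iom, report), where report carries one
        "Pattern: <regex>, Match: <count>" line per rule (or an "Error:"
        line for a rule that does not compile).
    """
    # Resolve the rule list from the module's absolute directory: with a bare
    # relative __file__, os.path.dirname() is "" and the old
    # "\\malicious_vba_list.txt" concatenation pointed at the drive root
    # (and only ever worked on Windows).
    here = os.path.dirname(os.path.abspath(__file__))
    list_path = os.path.join(here, "malicious_vba_list.txt")
    with open(list_path, "r") as f:
        # Strip CR as well as LF so a CRLF list does not leave a trailing "\r"
        # inside every regex. Blank lines are dropped: an empty pattern matches
        # at every position and would add 10 * (len(data) + 1) to the score.
        patterns = [line.rstrip("\r\n") for line in f]
    patterns = [p for p in patterns if p]

    # Read the sample as raw bytes. In text mode (Python 2 on Windows) the C
    # runtime treats 0x1A as end-of-file and rewrites CRLF, so anything after
    # a stray Ctrl-Z byte would be hidden from the scan. latin-1 keeps a 1:1
    # byte-to-character mapping for the ASCII rules.
    with open(file_path, "rb") as f:
        data = f.read().decode("latin-1")

    iom = 0
    lines = []
    for pattern in patterns:
        try:
            regex = re.compile(pattern, re.I)
        except re.error as exc:
            # One bad rule must not abort the whole scan (that would fail open
            # for the file); report it and keep going.
            lines.append("\nPattern: " + pattern + ", Error: " + str(exc) + "\n")
            continue
        count = len(regex.findall(data))
        lines.append("\nPattern: " + pattern + ", Match: " + str(count) + "\n")
        iom += count * 10

    ot = Output_Item()
    ot.set_item(iom, "".join(lines))
    return ot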
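def scan(file_path):
    """Count hits of the malicious_vba_list.txt regexes in a file.

    The rule list lives next to this module; each of its non-empty lines is a
    case-insensitive regex and every hit adds 10 to the index of
    maliciousness (iom).

    Args:
        file_path: path of the sample to scan.
    Returns:
        Output_Item holding (iom, report); report has one
        "Pattern: <regex>, Match: <count>" line per rule, or an "Error:"
        line when the rule is not a valid regex.
    """
    rules = _load_vba_rules()
    # Raw bytes, not text mode: on Python 2/Windows text mode stops reading at
    # the first 0x1A byte, which would let a sample hide its macro body.
    with open(file_path, "rb") as f:
        data = f.read().decode("latin-1")  # 1:1 byte-to-char for ASCII rules

    iom = 0
    report = ""
    for rule in rules:
        hits = _count_rule_hits(rule, data)
        if hits is None:
            # Invalid rule: report it instead of aborting the scan.
            report += "\nPattern: " + rule + ", Error: invalid regex\n"
            continue
        report += "\nPattern: " + rule + ", Match: " + str(hits) + "\n"
        iom += hits * 10

    ot = Output_Item()
    ot.set_item(iom, report)
    return ot


def _load_vba_rules():
    """Return the non-blank lines of malicious_vba_list.txt next to this module."""
    # abspath: a relative __file__ would make dirname() empty and the old
    # "\\malicious_vba_list.txt" string pointed at the drive root.
    here = os.path.dirname(os.path.abspath(__file__))
    with open(os.path.join(here, "malicious_vba_list.txt"), "r") as f:
        # rstrip both CR and LF (CRLF lists); a blank rule would match at every
        # offset and inflate the score by 10 * (len(data) + 1).
        return [line.rstrip("\r\n") for line in f if line.strip()]


def _count_rule_hits(rule, data):
    """Return the number of case-insensitive matches of *rule* in *data*, or None if *rule* does not compile."""
    try:
        regex = re.compile(rule, re.I)
    except re.error:
        return None
    return len(regex.findall(data))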
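def scan(file_path):
    """Placeholder for the AS scanner (presumably ActionScript -- confirm).

    Not implemented: it only announces the file on stdout and returns an
    Output_Item with an index of maliciousness of 0 and an empty report, so
    this module never contributes to the verdict.

    Args:
        file_path: path of the sample; only echoed.
    Returns:
        Output_Item holding (0, "").
    """
    # Formatted as one string so the same statement prints identically on
    # Python 2 and 3.
    print("I am scanning AS on file: %s" % file_path)
    ot = Output_Item()
    ot.set_item(0, "")
    return ot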
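def scan(file_path):
    """Stub AS scanner (AS is presumably ActionScript -- confirm).

    There is no detection logic yet: the function logs the file name to
    stdout and reports an index of maliciousness of 0 with an empty report.

    Args:
        file_path: path of the sample; only echoed.
    Returns:
        Output_Item holding (0, "").
    """
    iom = 0
    report = ""
    # One pre-formatted string: prints the same on Python 2 and 3.
    print("I am scanning AS on file: %s" % file_path)
    ot = Output_Item()
    ot.set_item(iom, report)
    return ot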
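def scan(file_path):
    """Extract http(s) URLs from a file and flag those outside the allowlist.

    Every URL is split with tldextract; a URL whose second-level label
    (ext.domain) is not in url_white_list is printed, written to the report
    prefixed with "*", and counted. The count is the index of maliciousness.

    Args:
        file_path: path of the sample, read as raw bytes.
    Returns:
        Output_Item holding (iom, report).
    """
    ot = Output_Item()
    report = ""
    # NOTE(review): the check keys on the bare second-level label only, so
    # "microsoft.<any-tld>" or "w3.example" passes as well. Matching
    # ext.registered_domain against full names would close that gap, but the
    # list below would have to be rewritten with full domains first.
    url_white_list = [
        "openxmlformats",
        "microsoft",
        "purl",
        "w3",
        "dublincore",  # vba
    ]
    # NOTE(review): depending on the installed version, tldextract may try to
    # refresh the public-suffix list over the network on first use; on an
    # offline analysis box construct it with the suffix-list download disabled.
    url_not_white_list = []

    with open(file_path, "rb") as f:
        data = f.read().decode("latin-1")  # 1:1 byte-to-char; the regex is ASCII-only

    # Same character set as the old pattern, except that "<" and ">" are cut
    # out of the 0x24-0x5F range: inside OOXML parts a URL used to swallow the
    # closing tags ("</w:t></w:r></w:hyperlink>...") and three hard-coded
    # str.replace() calls tried to peel them off again. Stopping at "<" makes
    # that unnecessary for every tag, not just those three.
    url_pattern = re.compile(
        r"http[s]?://(?:[a-zA-Z]|[0-9]|[$-;=?-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+"
    )
    for url in url_pattern.findall(data):
        ext = tldextract.extract(url)
        if ext.domain not in url_white_list:
            url_not_white_list.append(url)
            print(url)
            report = report + "*" + url + "\n"

    iom = len(url_not_white_list)
    ot.set_item(iom, report)
    return ot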
def scan(file_path): ot = Output_Item() iom = 0 report = "" utils = Utils() timestamp_3906 = "2013-03-21 16:49:05.943" time = "" try: time = utils.get_ole_timestamp(file_path) except Exception, e: print "Error when getting OLE timestamp:" + str(e)
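def omh_shellcode_scan(g_f_cnt, file_path):
    """Scan a raw buffer for x86 shellcode traces and an embedded PE image.

    Every offset of ``g_f_cnt`` is tested against the fixed byte signatures
    below (PEB access through FS:[30h], API-hash loops, function prologs,
    LODS/STOS decoder loops, FLDZ/FSTENV and CALL/POP GetPC stubs,
    JMP-to-CALL/POP stubs, an unencrypted MZ/PE header) and, in a second
    pass, for NOP slides. Each hit is echoed to stdout, appended to the
    report and adds the matching RATING_* weight to the score.

    Args:
        g_f_cnt: the file content as a byte string (Python 2 str / bytes).
        file_path: path of the scanned file, only echoed in the report.
    Returns:
        Output_Item holding (score, report). The score is also left in the
        module global ``g_power``; ``g_f_name`` is read for the banner.
    """
    global g_power
    global g_f_name
    import ctypes
    import sys

    debug_flg = 0  # 1: dump the bytes behind every hit (print_opcodz / dump_data)
    g_power = 0

    # An int-indexed copy makes every read bounds-safe through slicing. The
    # old version handed the remaining buffer to msvcrt memcmp() (which read
    # past the end of short tails) and indexed i+1..i+7 unchecked, so a
    # sample ending in a signature prefix (e.g. a trailing 0x6A or 0x55)
    # raised IndexError and produced no verdict at all. It also removes the
    # Windows-only ctypes dependency from the hot loop.
    buf = bytearray(g_f_cnt)
    size = len(buf)

    def sig_bytes(sig, length):
        # Exactly the memory the previous memcmp(byref(sig), ..., length) compared.
        return bytearray(ctypes.string_at(ctypes.addressof(sig), length))

    fs30_sigs = [sig_bytes(s, 5) for s in (g_FS30Sig1, g_FS30Sig2, g_FS30Sig3,
                                           g_FS30Sig4, g_FS30Sig5, g_FS30Sig6)]
    callpop_sigs = [sig_bytes(s, 6) for s in (g_CallPopSig1, g_CallPopSig2,
                                              g_CallPopSig3, g_CallPopSig4,
                                              g_CallPopSig5, g_CallPopSig6,
                                              g_CallPopSig7)]
    fldz_sig = sig_bytes(g_FldzSig, 6)
    nop_sig = sig_bytes(g_NopSig, 3)

    # Masked byte patterns, None = wildcard. Same opcodes, order and labels as
    # before, except that the AC 04 ?? AA (ADD) decoder is now reported as ADD
    # in the report as well (it was labelled XOR there).
    masked = [
        ("FS:[30] (Method 2)", (0x6A, 0x30, None, 0x64, 0x8B)),
        ("FS:[30] (Method 3)", (0x33, None, None, 0xB3, 0x64, 0x8B)),
        ("API-Hashing", (0x74, None, 0xC1, None, 0x0D, 0x03)),
        ("Function prolog", (0x55, 0x8B, 0xEC, 0x83, 0xC4)),
        ("Function prolog", (0x55, 0x8B, 0xEC, 0x81, 0xEC)),
        ("PUSH DWORD[]/CALL[]", (0xFF, 0x75, None, 0xFF, 0x55)),
        ("LODSB/STOSB XOR decryption", (0xAC, 0x34, None, 0xAA)),
        ("LODSB/STOSB ADD decryption", (0xAC, 0x04, None, 0xAA)),
        ("LODSB/STOSB SUB decryption", (0xAC, 0x2C, None, 0xAA)),
        ("LODSB/STOSB ROL decryption", (0xAC, 0xD0, 0xC0, 0xAA)),
        ("LODSB/STOSB ROR decryption", (0xAC, 0xD0, 0xC8, 0xAA)),
        ("LODSB/STOSB ROL decryption", (0xAC, 0xC0, 0xC0, None, 0xAA)),
        ("LODSB/STOSB ROR decryption", (0xAC, 0xC0, 0xC8, None, 0xAA)),
        ("LODSW/STOSW XOR decryption", (0x66, 0xAD, 0x66, 0x35, None, None, 0x66, 0xAB)),
        ("LODSW/STOSW ADD decryption", (0x66, 0xAD, 0x66, 0x05, None, None, 0x66, 0xAB)),
        ("LODSW/STOSW SUB decryption", (0x66, 0xAD, 0x66, 0x2D, None, None, 0x66, 0xAB)),
        ("LODSD/STOSD XOR decryption", (0xAD, 0x35, None, None, None, None, 0xAB)),
        ("LODSD/STOSD ADD decryption", (0xAD, 0x05, None, None, None, None, 0xAB)),
        ("LODSD/STOSD SUB decryption", (0xAD, 0x2D, None, None, None, None, 0xAB)),
    ]
    # Dispatch on the first byte so each offset only tries the patterns that
    # can match there; list order (and therefore report order) is preserved.
    by_first_byte = {}
    for label, pat in masked:
        by_first_byte.setdefault(pat[0], []).append((label, pat))

    pop_reg = (0x58, 0x59, 0x5A, 0x5B, 0x5E, 0x5F)  # pop eax/ecx/edx/ebx/esi/edi

    report = ["\n[*] File:" + file_path + "\n", "[*] Scanning result...\n"]
    sys.stdout.write("[*] Scanning result...\n\n")

    def hit(label, off, weight, pe=False):
        # Echo, record and return the weight the caller adds to the score.
        line = label + " signature found at offset: " + hex(off) + "\n"
        sys.stdout.write(line)
        report.append(line)
        if debug_flg == 1:
            if pe:
                dump_data("PE-File", g_f_cnt[off:], 0x100)
            else:
                print_opcodz(g_f_cnt[off:])
        return weight

    def matches(off, pat):
        if off + len(pat) > size:
            return False
        for k, want in enumerate(pat):
            if want is not None and buf[off + k] != want:
                return False
        return True

    def le32(off):
        # Caller guarantees off + 4 <= size.
        return buf[off] | (buf[off + 1] << 8) | (buf[off + 2] << 16) | (buf[off + 3] << 24)

    def jmp_to_call_pop(off, insn_len):
        # Kept from the original heuristic: only the byte after the opcode is
        # used as the displacement (also for the rel32 E9 form) and the CALL
        # displacement at the landing site is read unsigned.
        # NOTE(review): confirm that is intended.
        if off + 1 >= size:
            return False
        jmp_off = off + buf[off + 1] + insn_len
        if jmp_off + 5 > size:  # opcode at jmp_off plus four displacement bytes
            return False
        target = jmp_off + le32(jmp_off + 1) + 5
        return target < size and buf[target] in pop_reg

    score = 0
    for i, first in enumerate(buf):
        if buf[i:i + 5] in fs30_sigs:
            score += hit("FS:[30h] (Method 1)", i, RATING_CODE)
        for label, pat in by_first_byte.get(first, ()):
            if matches(i, pat):
                score += hit(label, i, RATING_CODE)
        if buf[i:i + 6] == fldz_sig:
            score += hit("FLDZ/FSTENV [esp-12]", i, RATING_CODE)
        if buf[i:i + 6] in callpop_sigs:
            score += hit("CALL next/POP", i, RATING_CODE)
        if first == 0xEB and jmp_to_call_pop(i, 2):
            score += hit("JMP [0xEB]/CALL/POP", i, RATING_CODE)
        if first == 0xE9 and jmp_to_call_pop(i, 5):
            score += hit("JMP [0xE9]/CALL/POP", i, RATING_CODE)
        if first == 0x4D and buf[i:i + 2] == b"MZ" and i + 0x40 <= size:
            # e_lfanew at +0x3C; a bogus value just yields an empty slice
            # instead of the out-of-bounds read the old memcmp() did.
            pe_off = le32(i + 0x3C)
            if buf[i + pe_off:i + pe_off + 2] == b"PE":
                score += hit("unencrypted MZ/PE", i, RATING_EXEC, pe=True)

    # Second pass: NOP slides, skipping each run so it is counted once.
    i = 0
    while i < size:
        if buf[i:i + 3] == nop_sig:
            score += hit("NOP slides", i, RATING_OLENOP)
            # Bounded: the old loop walked off the end when the NOPs ran to EOF.
            while i < size and buf[i] == 0x90:
                i += 1
        i += 1

    sys.stdout.write("\n\nAnalysis finished!\n\n")
    g_power = score
    if score:
        # Rule lines padded by the file name length on both console and report
        # (the report's first rule used to lack the padding).
        rule = "---------------------------------------------" + "-" * len(g_f_name)
        verdict = "\n" + g_f_name + " seems to be malicious! Malicious Index = " + str(score) + "\n"
        banner = rule + verdict + rule
    else:
        banner = (
            "---------------------------------------------------------------------\n"
            " No malicious traces found in this file!\n"
            'Assure that this file is being scanned with the "info" parameter too.\n'
            "---------------------------------------------------------------------\n"
        )
    sys.stdout.write(banner)
    report.append(banner)

    oi = Output_Item()
    oi.set_item(score, "".join(report))
    return oi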
def omh_shellcode_scan(g_f_cnt): global g_power global g_f_name mode_flg = 0 # <scan | info> mode debug_flg = 0 brute_flg = 0 libc = cdll.msvcrt k32 = windll.kernel32 h = k32.GetStdHandle( 0xFFFFFFF5 ) # STD_OUTPUT_HANDLE g_f_size = len(g_f_cnt) ot=Output_Item() iom=0 report="" report=report+ "[*] Scanning now...\n\n" for i in xrange(g_f_size): if ( libc.memcmp( byref(g_FS30Sig1), g_f_cnt[i:], 5 ) == 0 or libc.memcmp( byref(g_FS30Sig2), g_f_cnt[i:], 5 ) == 0 or libc.memcmp( byref(g_FS30Sig3), g_f_cnt[i:], 5 ) == 0 or libc.memcmp( byref(g_FS30Sig4), g_f_cnt[i:], 5 ) == 0 or libc.memcmp( byref(g_FS30Sig5), g_f_cnt[i:], 5 ) == 0 or libc.memcmp( byref(g_FS30Sig6), g_f_cnt[i:], 5 ) == 0 ): print "FS:[30h] (Method 1) signature found at offset: 0x%x\n" % i, if debug_flg == 1: print_opcodz( g_f_cnt[i:] ) g_power += RATING_CODE for i in xrange(g_f_size): if ( unpack( 'B', g_f_cnt[i] )[0] == 0x6A and unpack( 'B', g_f_cnt[i+1] )[0] == 0x30 and unpack( 'B', g_f_cnt[i+3] )[0] == 0x64 and unpack( 'B', g_f_cnt[i+4] )[0] == 0x8B ): print "FS:[30] (Method 2) signature found at offset: 0x%x\n" % i, if debug_flg == 1: print_opcodz( g_f_cnt[i:] ) g_power += RATING_CODE for i in xrange(g_f_size): if ( unpack( 'B', g_f_cnt[i] )[0] == 0x33 and unpack( 'B', g_f_cnt[i+3] )[0] == 0xB3 and unpack( 'B', g_f_cnt[i+4] )[0] == 0x64 and unpack( 'B', g_f_cnt[i+5] )[0] == 0x8B ): print "FS:[30] (Method 3) signature found at offset: 0x%x\n" % i, if debug_flg == 1: print_opcodz( g_f_cnt[i:] ) g_power += RATING_CODE for i in xrange(g_f_size): if ( unpack( 'B', g_f_cnt[i] )[0] == 0x74 and unpack( 'B', g_f_cnt[i+2] )[0] == 0xC1 and unpack( 'B', g_f_cnt[i+4] )[0] == 0x0D and unpack( 'B', g_f_cnt[i+5] )[0] == 0x03 ): print "API-Hashing signature found at offset: 0x%x\n" % i, if debug_flg == 1: print_opcodz( g_f_cnt[i:] ) g_power += RATING_CODE i = 0 while ( i < g_f_size ): if ( libc.memcmp( byref(g_NopSig), g_f_cnt[i:], 3 ) == 0 ): print "NOP slides signature found at offset: 0x%x\n" % i, if debug_flg == 
1: print_opcodz( g_f_cnt[i:] ) while unpack('B', g_f_cnt[i])[0] == 0x90: i += 1 g_power += RATING_OLENOP i += 1 for api in APIZ: for i in xrange(g_f_size): if libc.memcmp( c_char_p(api), g_f_cnt[i:], len(api) ) == 0: print "API-Name %s string found at offset: 0x%x\n" % (api, i), if debug_flg == 1: dump_data( "PE-File", g_f_cnt[i:], 0x100 ) g_power += RATING_STRS for i in xrange(8, g_f_size): if libc.memcmp( byref(g_aOfficeSig), g_f_cnt[i:], 8 ) == 0: print "Embedded OLE signature found at offset: 0x%x\n" % i, if debug_flg == 1: dump_data( "PE-File", g_f_cnt[i:], 0x100 ) g_power += RATING_OLENOP for i in xrange(g_f_size): if ( unpack( 'B', g_f_cnt[i] )[0] == 0x55 and unpack( 'B', g_f_cnt[i+1] )[0] == 0x8B and unpack( 'B', g_f_cnt[i+2] )[0] == 0xEC and unpack( 'B', g_f_cnt[i+3] )[0] == 0x83 and unpack( 'B', g_f_cnt[i+4] )[0] == 0xC4 ): print "Function prolog signature found at offset: 0x%x\n" % i, if debug_flg == 1: print_opcodz( g_f_cnt[i:] ) g_power += RATING_CODE for i in xrange(g_f_size): if ( unpack( 'B', g_f_cnt[i] )[0] == 0x55 and unpack( 'B', g_f_cnt[i+1] )[0] == 0x8B and unpack( 'B', g_f_cnt[i+2] )[0] == 0xEC and unpack( 'B', g_f_cnt[i+3] )[0] == 0x81 and unpack( 'B', g_f_cnt[i+4] )[0] == 0xEC ): print "Function prolog signature found at offset: 0x%x\n" % i, if debug_flg == 1: print_opcodz( g_f_cnt[i:] ) g_power += RATING_CODE for i in xrange(g_f_size): if ( unpack( 'B', g_f_cnt[i] )[0] == 0xFF and unpack( 'B', g_f_cnt[i+1] )[0] == 0x75 and unpack( 'B', g_f_cnt[i+3] )[0] == 0xFF and unpack( 'B', g_f_cnt[i+4] )[0] == 0x55 ): print "PUSH DWORD[]/CALL[] signature found at offset: 0x%x\n" % i, if debug_flg == 1: print_opcodz( g_f_cnt[i:] ) g_power += RATING_CODE for i in xrange(g_f_size): if ( unpack( 'B', g_f_cnt[i] )[0] == 0xAC and unpack( 'B', g_f_cnt[i+1] )[0] == 0x34 and unpack( 'B', g_f_cnt[i+3] )[0] == 0xAA ): print "LODSB/STOSB XOR decryption signature found at offset: 0x%x\n" % i, if debug_flg == 1: print_opcodz( g_f_cnt[i:] ) g_power += RATING_CODE for 
i in xrange(g_f_size): if ( unpack( 'B', g_f_cnt[i] )[0] == 0xAC and unpack( 'B', g_f_cnt[i+1] )[0] == 0x04 and unpack( 'B', g_f_cnt[i+3] )[0] == 0xAA ): print "LODSB/STOSB ADD decryption signature found at offset: 0x%x\n" % i, if debug_flg == 1: print_opcodz( g_f_cnt[i:] ) g_power += RATING_CODE for i in xrange(g_f_size): if ( unpack( 'B', g_f_cnt[i] )[0] == 0xAC and unpack( 'B', g_f_cnt[i+1] )[0] == 0x2C and unpack( 'B', g_f_cnt[i+3] )[0] == 0xAA ): print "LODSB/STOSB SUB decryption signature found at offset: 0x%x\n" % i, if debug_flg == 1: print_opcodz( g_f_cnt[i:] ) g_power += RATING_CODE for i in xrange(g_f_size): if ( unpack( 'B', g_f_cnt[i] )[0] == 0xAC and unpack( 'B', g_f_cnt[i+1] )[0] == 0xD0 and unpack( 'B', g_f_cnt[i+2] )[0] == 0xC0 and unpack( 'B', g_f_cnt[i+3] )[0] == 0xAA ): print "LODSB/STOSB ROL decryption signature found at offset: 0x%x\n" % i, if debug_flg == 1: print_opcodz( g_f_cnt[i:] ) g_power += RATING_CODE for i in xrange(g_f_size): if ( unpack( 'B', g_f_cnt[i] )[0] == 0xAC and unpack( 'B', g_f_cnt[i+1] )[0] == 0xD0 and unpack( 'B', g_f_cnt[i+2] )[0] == 0xC8 and unpack( 'B', g_f_cnt[i+3] )[0] == 0xAA ): print "LODSB/STOSB ROR decryption signature found at offset: 0x%x\n" % i, if debug_flg == 1: print_opcodz( g_f_cnt[i:] ) g_power += RATING_CODE for i in xrange(g_f_size): if ( unpack( 'B', g_f_cnt[i] )[0] == 0xAC and unpack( 'B', g_f_cnt[i+1] )[0] == 0xC0 and unpack( 'B', g_f_cnt[i+2] )[0] == 0xC0 and unpack( 'B', g_f_cnt[i+4] )[0] == 0xAA ): print "LODSB/STOSB ROL decryption signature found at offset: 0x%x\n" % i, if debug_flg == 1: print_opcodz( g_f_cnt[i:] ) g_power += RATING_CODE for i in xrange(g_f_size): if ( unpack( 'B', g_f_cnt[i] )[0] == 0xAC and unpack( 'B', g_f_cnt[i+1] )[0] == 0xC0 and unpack( 'B', g_f_cnt[i+2] )[0] == 0xC8 and unpack( 'B', g_f_cnt[i+4] )[0] == 0xAA ): print "LODSB/STOSB ROR decryption signature found at offset: 0x%x\n" % i, if debug_flg == 1: print_opcodz( g_f_cnt[i:] ) g_power += RATING_CODE for i in 
xrange(g_f_size): if ( unpack( 'B', g_f_cnt[i] )[0] == 0x66 and unpack( 'B', g_f_cnt[i+1] )[0] == 0xAD and unpack( 'B', g_f_cnt[i+2] )[0] == 0x66 and unpack( 'B', g_f_cnt[i+3] )[0] == 0x35 and unpack( 'B', g_f_cnt[i+6] )[0] == 0x66 and unpack( 'B', g_f_cnt[i+7] )[0] == 0xAB ): print "LODSW/STOSW XOR decryption signature found at offset: 0x%x\n" % i, if debug_flg == 1: print_opcodz( g_f_cnt[i:] ) g_power += RATING_CODE for i in xrange(g_f_size): if ( unpack( 'B', g_f_cnt[i] )[0] == 0x66 and unpack( 'B', g_f_cnt[i+1] )[0] == 0xAD and unpack( 'B', g_f_cnt[i+2] )[0] == 0x66 and unpack( 'B', g_f_cnt[i+3] )[0] == 0x05 and unpack( 'B', g_f_cnt[i+6] )[0] == 0x66 and unpack( 'B', g_f_cnt[i+7] )[0] == 0xAB ): print "LODSW/STOSW ADD decryption signature found at offset: 0x%x\n" % i, if debug_flg == 1: print_opcodz( g_f_cnt[i:] ) g_power += RATING_CODE for i in xrange(g_f_size): if ( unpack( 'B', g_f_cnt[i] )[0] == 0x66 and unpack( 'B', g_f_cnt[i+1] )[0] == 0xAD and unpack( 'B', g_f_cnt[i+2] )[0] == 0x66 and unpack( 'B', g_f_cnt[i+3] )[0] == 0x2D and unpack( 'B', g_f_cnt[i+6] )[0] == 0x66 and unpack( 'B', g_f_cnt[i+7] )[0] == 0xAB ): print "LODSW/STOSW SUB decryption signature found at offset: 0x%x\n" % i, if debug_flg == 1: print_opcodz( g_f_cnt[i:] ) g_power += RATING_CODE for i in xrange(g_f_size): if ( unpack( 'B', g_f_cnt[i] )[0] == 0xAD and unpack( 'B', g_f_cnt[i+1] )[0] == 0x35 and unpack( 'B', g_f_cnt[i+6] )[0] == 0xAB ): print "LODSD/STOSD XOR decryption signature found at offset: 0x%x\n" % i, if debug_flg == 1: print_opcodz( g_f_cnt[i:] ) g_power += RATING_CODE for i in xrange(g_f_size): if ( unpack( 'B', g_f_cnt[i] )[0] == 0xAD and unpack( 'B', g_f_cnt[i+1] )[0] == 0x05 and unpack( 'B', g_f_cnt[i+6] )[0] == 0xAB ): print "LODSD/STOSD ADD decryption signature found at offset: 0x%x\n" % i, if debug_flg == 1: print_opcodz( g_f_cnt[i:] ) g_power += RATING_CODE for i in xrange(g_f_size): if ( unpack( 'B', g_f_cnt[i] )[0] == 0xAD and unpack( 'B', g_f_cnt[i+1] )[0] == 0x2D 
and unpack( 'B', g_f_cnt[i+6] )[0] == 0xAB ): print "LODSD/STOSD SUB decryption signature found at offset: 0x%x\n" % i, if debug_flg == 1: print_opcodz( g_f_cnt[i:] ) g_power += RATING_CODE for i in xrange(g_f_size): if libc.memcmp( byref(g_FldzSig), g_f_cnt[i:], 6 ) == 0: print "FLDZ/FSTENV [esp-12] signature found at offset: 0x%x\n" % i, if debug_flg == 1: print_opcodz( g_f_cnt[i:] ) g_power += RATING_CODE for i in xrange(g_f_size): if ( libc.memcmp( byref(g_CallPopSig1), g_f_cnt[i:], 6 ) == 0 or libc.memcmp( byref(g_CallPopSig2), g_f_cnt[i:], 6 ) == 0 or libc.memcmp( byref(g_CallPopSig3), g_f_cnt[i:], 6 ) == 0 or libc.memcmp( byref(g_CallPopSig4), g_f_cnt[i:], 6 ) == 0 or libc.memcmp( byref(g_CallPopSig5), g_f_cnt[i:], 6 ) == 0 or libc.memcmp( byref(g_CallPopSig6), g_f_cnt[i:], 6 ) == 0 or libc.memcmp( byref(g_CallPopSig7), g_f_cnt[i:], 6 ) == 0 ): print "CALL next/POP signature found at offset: 0x%x\n" % i, if debug_flg == 1: print_opcodz( g_f_cnt[i:] ) g_power += RATING_CODE for i in xrange(g_f_size): # print "%08X" % i import binascii if ( unpack( 'B', g_f_cnt[i] )[0] == 0xEB ): # print binascii.hexlify(g_f_cnt[i+1]) # print i, g_f_size if(i<=g_f_size-2): if(i+unpack('B',g_f_cnt[i+1])[0]+2<g_f_size) : # unpack( 'B', g_f_cnt[i+unpack('B',g_f_cnt[i+1])[0]+2] )[0] == 0xE8 ): jmp_off = i + unpack('B',g_f_cnt[i+1])[0] + 2 # call_va = unpack( '<L', g_f_cnt[jmp_off+1:jmp_off+5] )[0] # python is much simple call_va = unpack( 'B', g_f_cnt[jmp_off + 1] )[0] call_va += unpack( 'B', g_f_cnt[jmp_off + 2] )[0] << 8 call_va += unpack( 'B', g_f_cnt[jmp_off + 3] )[0] << 16 call_va += unpack( 'B', g_f_cnt[jmp_off + 4] )[0] << 24 if ( jmp_off + call_va + 5 < g_f_size): if( unpack( 'B', g_f_cnt[jmp_off+call_va+5] )[0] == 0x58 or unpack( 'B', g_f_cnt[jmp_off+call_va+5] )[0] == 0x59 or unpack( 'B', g_f_cnt[jmp_off+call_va+5] )[0] == 0x5A or unpack( 'B', g_f_cnt[jmp_off+call_va+5] )[0] == 0x5B or unpack( 'B', g_f_cnt[jmp_off+call_va+5] )[0] == 0x5E or unpack( 'B', 
g_f_cnt[jmp_off+call_va+5] )[0] == 0x5F ): print "JMP [0xEB]/CALL/POP signature found at offset: 0x%x\n" % i, if debug_flg == 1: print_opcodz( g_f_cnt[i:] ) g_power += RATING_CODE for i in xrange(g_f_size): # print "%08X" % i import binascii if ( unpack( 'B', g_f_cnt[i] )[0] == 0xE9 ): # print binascii.hexlify(g_f_cnt[i+1]) # print i, g_f_size if(i<=g_f_size-2): if(i+unpack('B',g_f_cnt[i+1])[0]+5<g_f_size) : # unpack( 'B', g_f_cnt[i+unpack('B',g_f_cnt[i+1])[0]+2] )[0] == 0xE8 ): jmp_off = i + unpack('B',g_f_cnt[i+1])[0] + 5 # call_va = unpack( '<L', g_f_cnt[jmp_off+1:jmp_off+5] )[0] # python is much simple call_va = unpack( 'B', g_f_cnt[jmp_off + 1] )[0] call_va += unpack( 'B', g_f_cnt[jmp_off + 2] )[0] << 8 call_va += unpack( 'B', g_f_cnt[jmp_off + 3] )[0] << 16 call_va += unpack( 'B', g_f_cnt[jmp_off + 4] )[0] << 24 if ( jmp_off + call_va + 5 < g_f_size): if( unpack( 'B', g_f_cnt[jmp_off+call_va+5] )[0] == 0x58 or unpack( 'B', g_f_cnt[jmp_off+call_va+5] )[0] == 0x59 or unpack( 'B', g_f_cnt[jmp_off+call_va+5] )[0] == 0x5A or unpack( 'B', g_f_cnt[jmp_off+call_va+5] )[0] == 0x5B or unpack( 'B', g_f_cnt[jmp_off+call_va+5] )[0] == 0x5E or unpack( 'B', g_f_cnt[jmp_off+call_va+5] )[0] == 0x5F ): print "JMP [0xE9]/CALL/POP signature found at offset: 0x%x\n" % i, if debug_flg == 1: print_opcodz( g_f_cnt[i:] ) g_power += RATING_CODE for i in xrange(g_f_size): if ( libc.memcmp( c_char_p("MZ"), g_f_cnt[i:], 2 ) == 0 ): pe_off = unpack( 'B', g_f_cnt[i+0x3C] )[0] pe_off += unpack( 'B', g_f_cnt[i+0x3D] )[0] << 8 pe_off += unpack( 'B', g_f_cnt[i+0x3E] )[0] << 16 pe_off += unpack( 'B', g_f_cnt[i+0x3F] )[0] << 24 if ( libc.memcmp( c_char_p("PE"), g_f_cnt[i+pe_off:], 2 ) == 0): print "unencrypted MZ/PE signature found at offset: 0x%x\n" % i, if debug_flg == 1: dump_data( "PE-File", g_f_cnt[i:], 0x100 ) g_power += RATING_EXEC print "\n\nAnalysis finished!\n\n", if g_power: k32.SetConsoleTextAttribute( h, 0x0E ) # FOREGROUND_GREEN or FOREGROUND_RED or FOREGROUND_INTENSITY 
libc.printf( "---------------------------------------------" ) i = 0 while i < len(g_f_name): libc.printf("-") i += 1 libc.printf( "\n%s seems to be malicious! Malicious Index = %02d\n", g_f_name, g_power ) libc.printf( "---------------------------------------------" ) i = 0 while i < len(g_f_name): libc.printf("-") i += 1 k32.SetConsoleTextAttribute( h, 0x0F ) # FOREGROUND_BLUE or FOREGROUND_GREEN or FOREGROUND_RED or FOREGROUND_INTENSITY else: k32.SetConsoleTextAttribute( h, 0x07 ) # FOREGROUND_BLUE or FOREGROUND_GREEN or FOREGROUND_RED print "---------------------------------------------------------------------\n", print " No malicious traces found in this file!\n", print "Assure that this file is being scanned with the \"info\" parameter too.\n", print "---------------------------------------------------------------------\n", k32.SetConsoleTextAttribute( h, 0x0F ) # FOREGROUND_BLUE or FOREGROUND_GREEN or FOREGROUND_RED or FOREGROUND_INTENSITY
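try:  # Python 2 keeps the lazy integer range under a different name
    _range = xrange
except NameError:  # Python 3
    _range = range


# pop eax / ecx / edx / ebx / esi / edi -- what the CALL-next/POP idiom lands on
_POP_REG_OPCODES = (0x58, 0x59, 0x5A, 0x5B, 0x5E, 0x5F)

# (description, ((relative offset, byte value), ...)); scanned in this order
# right after the ctypes FS:[30h] signatures and before the NOP-slide walk.
_PEB_AND_HASH_SIGS = (
    ("FS:[30] (Method 2) signature", ((0, 0x6A), (1, 0x30), (3, 0x64), (4, 0x8B))),
    ("FS:[30] (Method 3) signature", ((0, 0x33), (3, 0xB3), (4, 0x64), (5, 0x8B))),
    ("API-Hashing signature", ((0, 0x74), (2, 0xC1), (4, 0x0D), (5, 0x03))),
)

# Scanned after the embedded-OLE check: function prologs, PUSH/CALL through
# memory and the LODS/STOS decoder stubs.  Order matters only for the report.
_DECODER_SIGS = (
    ("Function prolog signature", ((0, 0x55), (1, 0x8B), (2, 0xEC), (3, 0x83), (4, 0xC4))),
    ("Function prolog signature", ((0, 0x55), (1, 0x8B), (2, 0xEC), (3, 0x81), (4, 0xEC))),
    ("PUSH DWORD[]/CALL[] signature", ((0, 0xFF), (1, 0x75), (3, 0xFF), (4, 0x55))),
    ("LODSB/STOSB XOR decryption signature", ((0, 0xAC), (1, 0x34), (3, 0xAA))),
    ("LODSB/STOSB ADD decryption signature", ((0, 0xAC), (1, 0x04), (3, 0xAA))),
    ("LODSB/STOSB SUB decryption signature", ((0, 0xAC), (1, 0x2C), (3, 0xAA))),
    ("LODSB/STOSB ROL decryption signature", ((0, 0xAC), (1, 0xD0), (2, 0xC0), (3, 0xAA))),
    ("LODSB/STOSB ROR decryption signature", ((0, 0xAC), (1, 0xD0), (2, 0xC8), (3, 0xAA))),
    ("LODSB/STOSB ROL decryption signature", ((0, 0xAC), (1, 0xC0), (2, 0xC0), (4, 0xAA))),
    ("LODSB/STOSB ROR decryption signature", ((0, 0xAC), (1, 0xC0), (2, 0xC8), (4, 0xAA))),
    ("LODSW/STOSW XOR decryption signature", ((0, 0x66), (1, 0xAD), (2, 0x66), (3, 0x35), (6, 0x66), (7, 0xAB))),
    ("LODSW/STOSW ADD decryption signature", ((0, 0x66), (1, 0xAD), (2, 0x66), (3, 0x05), (6, 0x66), (7, 0xAB))),
    ("LODSW/STOSW SUB decryption signature", ((0, 0x66), (1, 0xAD), (2, 0x66), (3, 0x2D), (6, 0x66), (7, 0xAB))),
    ("LODSD/STOSD XOR decryption signature", ((0, 0xAD), (1, 0x35), (6, 0xAB))),
    ("LODSD/STOSD ADD decryption signature", ((0, 0xAD), (1, 0x05), (6, 0xAB))),
    ("LODSD/STOSD SUB decryption signature", ((0, 0xAD), (1, 0x2D), (6, 0xAB))),
)


def _pattern_offsets(buf, pattern):
    """Yield each offset in *buf* where every (offset, byte) pair of *pattern* matches.

    *buf* is a bytearray, *pattern* a sequence of (relative_offset, value)
    pairs.  The scan range is shortened by the pattern's span so that a
    partial match at the tail of the file can never index past the end.
    """
    span = max(off for off, _ in pattern) + 1
    for i in _range(len(buf) - span + 1):
        if all(buf[i + off] == val for off, val in pattern):
            yield i


def _memcmp_offsets(libc, cbuf, size, sigs, length, start=0):
    """Yield each offset where one of the ctypes signatures *sigs* equals the next *length* bytes.

    *cbuf* is a ctypes string buffer holding the scanned data and *size* its
    length.  ``byref(cbuf, i)`` points memcmp at position *i* directly, so the
    remainder of the file is not copied on every iteration, and the range is
    bounded so memcmp never reads past the buffer.
    """
    for i in _range(start, size - length + 1):
        for sig in sigs:
            if libc.memcmp(byref(sig), byref(cbuf, i), length) == 0:
                yield i
                break


def _substring_offsets(data, needle):
    """Yield every (possibly overlapping) offset of *needle* in *data*."""
    if not needle:
        return
    pos = data.find(needle)
    while pos != -1:
        yield pos
        pos = data.find(needle, pos + 1)


def _u32_le(buf, off):
    """Return the little-endian unsigned 32-bit value stored at buf[off:off + 4]."""
    return buf[off] | buf[off + 1] << 8 | buf[off + 2] << 16 | buf[off + 3] << 24


def _jmp_call_pop_offsets(buf, jmp_opcode, jmp_len):
    """Yield offsets of a JMP whose target holds a CALL that lands on a POP reg.

    *jmp_opcode* is 0xEB (jmp rel8, *jmp_len* 2) or 0xE9 (jmp rel32,
    *jmp_len* 5).  As in the original heuristic only the first displacement
    byte is used to locate the target, and the CALL opcode itself is not
    verified -- only that a POP reg sits at the call's destination.
    Every read is bounds-checked.
    """
    size = len(buf)
    for i in _range(size - 1):
        if buf[i] != jmp_opcode:
            continue
        jmp_off = i + buf[i + 1] + jmp_len
        if jmp_off + 5 > size:  # need the rel32 at jmp_off+1 .. jmp_off+4
            continue
        target = jmp_off + _u32_le(buf, jmp_off + 1) + 5
        if target < size and buf[target] in _POP_REG_OPCODES:
            yield i


def _mz_pe_offsets(buf):
    """Yield offsets of an 'MZ' header whose e_lfanew points at a 'PE' signature inside *buf*.

    A crafted e_lfanew that points outside the file is treated as no match
    rather than raising IndexError.
    """
    size = len(buf)
    for i in _range(size - 1):
        if buf[i] != 0x4D or buf[i + 1] != 0x5A:  # 'M', 'Z'
            continue
        if i + 0x40 > size:  # e_lfanew lives at +0x3C .. +0x3F
            continue
        pe = i + _u32_le(buf, i + 0x3C)
        if pe + 2 <= size and buf[pe] == 0x50 and buf[pe + 1] == 0x45:  # 'P', 'E'
            yield i


def omh_shellcode_scan(g_f_cnt, debug_flg=0):
    """Scan a raw file image for shellcode-style byte signatures and return an Output_Item.

    Args:
        g_f_cnt: the file contents as a byte string.
        debug_flg: when 1, also dump the bytes at every hit through
            print_opcodz / dump_data (was a hard-coded local before).

    Returns:
        An Output_Item filled via set_item(iom, report): iom is the global
        malicious index when anything matched (0 otherwise) and report lists
        every signature hit with its offset, followed by a summary.

    Side effects:
        Adds the ratings earned to the module global g_power and reads
        g_f_name for the summary line; changes the console colour and prints
        separator dashes through kernel32 / msvcrt (Windows only).

    NOTE(review): g_power is never reset here, so a second call in the same
    process reports the accumulated index of every file scanned so far --
    confirm that is intended by the caller.
    """
    global g_power
    global g_f_name
    # Local import: the file-level ctypes import block is outside this unit.
    from ctypes import create_string_buffer

    libc = cdll.msvcrt
    k32 = windll.kernel32
    h = k32.GetStdHandle(0xFFFFFFF5)  # STD_OUTPUT_HANDLE

    g_f_size = len(g_f_cnt)
    buf = bytearray(g_f_cnt)  # integer view; replaces struct.unpack per byte
    cbuf = create_string_buffer(g_f_cnt)  # for memcmp against the ctypes signature globals
    ot = Output_Item()
    iom = 0
    score = 0
    lines = ["\r\n[*] Scanning now...\r\n\r\n"]

    def dump_opcodes(i):
        print_opcodz(g_f_cnt[i:])

    def dump_bytes(i):
        dump_data("PE-File", g_f_cnt[i:], 0x100)

    def record(offsets, desc, rating, dumper):
        """Append one report line per offset and return the rating earned."""
        earned = 0
        for i in offsets:
            lines.append("%s found at offset: 0x%x\r\n" % (desc, i))
            if debug_flg == 1:
                dumper(i)
            earned += rating
        return earned

    fs30_sigs = (g_FS30Sig1, g_FS30Sig2, g_FS30Sig3, g_FS30Sig4, g_FS30Sig5, g_FS30Sig6)
    score += record(_memcmp_offsets(libc, cbuf, g_f_size, fs30_sigs, 5),
                    "FS:[30h] (Method 1) signature", RATING_CODE, dump_opcodes)
    for desc, pattern in _PEB_AND_HASH_SIGS:
        score += record(_pattern_offsets(buf, pattern), desc, RATING_CODE, dump_opcodes)

    # NOP slide: report the start of each run, then skip the rest of the run.
    i = 0
    while i < g_f_size - 2:  # g_NopSig is compared over 3 bytes
        if libc.memcmp(byref(g_NopSig), byref(cbuf, i), 3) == 0:
            score += record((i,), "NOP slides signature", RATING_OLENOP, dump_opcodes)
            while i < g_f_size and buf[i] == 0x90:  # bounded: a slide may run to EOF
                i += 1
        i += 1

    for api in APIZ:
        score += record(_substring_offsets(g_f_cnt, api), "API-Name %s string" % api,
                        RATING_STRS, dump_bytes)
    score += record(_memcmp_offsets(libc, cbuf, g_f_size, (g_aOfficeSig,), 8, start=8),
                    "Embedded OLE signature", RATING_OLENOP, dump_bytes)

    for desc, pattern in _DECODER_SIGS:
        score += record(_pattern_offsets(buf, pattern), desc, RATING_CODE, dump_opcodes)

    score += record(_memcmp_offsets(libc, cbuf, g_f_size, (g_FldzSig,), 6),
                    "FLDZ/FSTENV [esp-12] signature", RATING_CODE, dump_opcodes)
    callpop_sigs = (g_CallPopSig1, g_CallPopSig2, g_CallPopSig3, g_CallPopSig4,
                    g_CallPopSig5, g_CallPopSig6, g_CallPopSig7)
    score += record(_memcmp_offsets(libc, cbuf, g_f_size, callpop_sigs, 6),
                    "CALL next/POP signature", RATING_CODE, dump_opcodes)
    score += record(_jmp_call_pop_offsets(buf, 0xEB, 2),
                    "JMP [0xEB]/CALL/POP signature", RATING_CODE, dump_opcodes)
    score += record(_jmp_call_pop_offsets(buf, 0xE9, 5),
                    "JMP [0xE9]/CALL/POP signature", RATING_CODE, dump_opcodes)
    score += record(_mz_pe_offsets(buf), "unencrypted MZ/PE signature", RATING_EXEC, dump_bytes)

    lines.append("\r\n\r\nAnalysis finished!\r\n\r\n")
    g_power += score
    if g_power:
        k32.SetConsoleTextAttribute(h, 0x0E)  # FOREGROUND_GREEN | FOREGROUND_RED | FOREGROUND_INTENSITY
        lines.append("---------------------------------------------")
        libc.printf("%s", "-" * len(g_f_name))
        lines.append("\r\n%s seems to be malicious! Malicious Index = %02d\r\n" % (g_f_name, g_power))
        lines.append("---------------------------------------------")
        iom = g_power
        libc.printf("%s", "-" * len(g_f_name))
        k32.SetConsoleTextAttribute(h, 0x0F)  # FOREGROUND_BLUE | FOREGROUND_GREEN | FOREGROUND_RED | FOREGROUND_INTENSITY
    else:
        k32.SetConsoleTextAttribute(h, 0x07)  # FOREGROUND_BLUE | FOREGROUND_GREEN | FOREGROUND_RED
        lines.append("---------------------------------------------------------------------\r\n")
        lines.append(" No malicious traces found in this file!\r\n")
        lines.append("Assure that this file is being scanned with the \"info\" parameter too.\r\n")
        lines.append("---------------------------------------------------------------------\r\n")
        k32.SetConsoleTextAttribute(h, 0x0F)  # FOREGROUND_BLUE | FOREGROUND_GREEN | FOREGROUND_RED | FOREGROUND_INTENSITY

    # Plain string join: the trailing-comma statements of the old version
    # turned the report into a tuple, which then failed or was stringified
    # as a tuple literal in the output.
    ot.set_item(iom, "".join(lines))
    return ot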