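def test_sanity_cbc_mode(self):
    """Round-trip a 32-character message through CBC mode.

    Encrypts with one cipher object, decrypts with a second one built from
    the same key, IV and block size, and expects the original text back.

    NOTE(review): this only shows that decrypt inverts encrypt. It does not
    compare the ciphertext with a known-answer vector, so an implementation
    that is wrong in both directions would still pass.
    """
    plaintext = 'thisisateststringwhichis32bytesl'

    encryptor = new(self.key, MODE_CBC, self.iv, blocksize=self.blocksize)
    ciphertext = encryptor.encrypt(plaintext)

    # A fresh cipher object is built for decryption instead of reusing the
    # encryptor.
    decryptor = new(self.key, MODE_CBC, self.iv, blocksize=self.blocksize)
    recovered = decryptor.decrypt(ciphertext)

    # assertEquals is a deprecated alias that Python 3.12 removed.
    self.assertEqual(plaintext, recovered)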
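def test_ctr(self):
    """Round-trip a 32-character message through the counter-based cipher setup.

    NOTE(review): the second positional argument to ``new`` is ``self.iv``
    and the third is ``util.Counter('16')``; whether that selects a counter
    mode depends on ``new``'s signature, which is not visible here. Confirm
    that this test exercises the mode its name promises.

    NOTE(review): like any round-trip test, this shows only that decrypt
    inverts encrypt; the ciphertext is not checked against a reference value.
    """
    # The hex-looking text is passed as-is, as a 32-character string.
    plaintext = 'f34481ec3cc627bacd5dc3fb08f273e6'

    encryptor = new(self.key, self.iv, util.Counter('16'),
                    blocksize=self.blocksize)
    ciphertext = encryptor.encrypt(plaintext)

    # The decrypting side gets its own cipher object and its own counter.
    decryptor = new(self.key, self.iv, util.Counter('16'),
                    blocksize=self.blocksize)
    recovered = decryptor.decrypt(ciphertext)

    # assertEquals is a deprecated alias that Python 3.12 removed.
    self.assertEqual(plaintext, recovered)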
def encrypt(self, text, input_key, input_iv):
    """Encrypt *text* in CBC mode and return the ciphertext base64-encoded.

    Text whose length is already a multiple of 16 is encrypted unpadded by
    the Rijndael implementation (``new``); any other length is first passed
    through ``self.encoder.encode`` and encrypted with ``AES``.

    NOTE(review): block-aligned input gets no padding at all, so the
    ciphertext itself does not say whether the decrypting side must strip
    padding. Confirm that the matching decrypt path handles both cases.
    NOTE(review): CBC is used without any integrity check, so nothing
    produced here lets a receiver detect a modified ciphertext.
    """
    needs_padding = len(text) % 16 != 0

    if needs_padding:
        cipher = AES.new(input_key, AES.MODE_CBC, input_iv)
        padded = self.encoder.encode(text)
        return base64.b64encode(cipher.encrypt(padded))

    # Already a whole number of 16-byte blocks: encrypt the text unchanged.
    cipher = new(input_key, MODE_CBC, input_iv, blocksize=16)
    return base64.b64encode(cipher.encrypt(text))
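def main():
    """Extract, decrypt and print the configuration of a NanoCore sample.

    The encrypted config comes either from the PE resources of
    ``args.sample`` or from a raw resource dump named by ``args.config_rsrc``.
    The sample GUID (``args.guid``) is passed to ``derive_pbkdf2`` to obtain
    the key and IV that unwrap the config key held in bytes 4..19 of the
    resource. That key then decrypts the config itself. Each parsed
    parameter is printed and the decrypted blob is written to
    ``config_out.bin`` in the current directory.

    Exits with status 1 when no input is given, when the GUID is missing,
    or when the resource is too short to contain the wrapped key.
    """
    raw_config_data = None

    # Truthiness instead of ``is not ""``: identity comparison against a
    # string literal is implementation-dependent and also let None through.
    if args.sample:
        # The sample is parsed, not executed. It is still untrusted input,
        # so malformed resource tables can raise from pefile.
        nanocore_sample = pefile.PE(args.sample)
        resources = getattr(nanocore_sample, 'DIRECTORY_ENTRY_RESOURCE', None)
        if resources is None:
            print("[!] the sample has no PE resource directory")
            raise SystemExit(1)

        offset = size = None
        for rsrc in resources.entries:
            for entry in rsrc.directory.entries:
                if entry.id:
                    # The last resource entry with a non-zero id wins.
                    data_struct = entry.directory.entries[0].data.struct
                    offset = data_struct.OffsetToData
                    size = data_struct.Size

        if offset is None:
            print("[!] no config resource was found in the sample")
            raise SystemExit(1)

        image = nanocore_sample.get_memory_mapped_image()
        raw_config_data = image[offset:offset + size]
        print("[+] extracted encrypted config from PE resource")
    elif args.config_rsrc:
        # The original read ``parser.guid``; the GUID is an ``args`` attribute.
        if not args.guid:
            print(
                "[!] if a raw resource is being passed the PE guid must be passed as well"
            )
        # Context manager so the handle is closed even if read() raises.
        with open(args.config_rsrc, 'rb') as rsrc_file:
            raw_config_data = rsrc_file.read()

    if raw_config_data is None:
        print("[!] no sample or raw config resource was supplied")
        raise SystemExit(1)

    if not args.guid:
        print("[!] a GUID is required for the nanocore sample")
        # ``os.Exit`` does not exist; SystemExit needs no extra import.
        raise SystemExit(1)

    if len(raw_config_data) < 20:
        # Bytes 4..19 must exist, or the key slice below is silently short.
        print("[!] config resource is too short to hold the encrypted key")
        raise SystemExit(1)

    guid = uuid.UUID(args.guid).bytes_le

    # AES encrypted key
    encrypted_key = raw_config_data[4:20]

    # rfc2898 derive IV and key. The GUID fills both leading arguments
    # (presumably password and salt; confirm against derive_pbkdf2).
    div, dkey = derive_pbkdf2(guid, guid, 16, 16, 8)

    # init new rijndael cipher; the block size is the wrapped key's length
    rjn = new(dkey, MODE_CBC, div, blocksize=len(encrypted_key))

    # decrypt the config encryption key
    final_key = rjn.decrypt(encrypted_key)

    # decrypt the config
    decrypted_conf = decrypt_config(raw_config_data, final_key)
    config_dict = parse_config(decrypted_conf)
    for name, value in config_dict.items():
        print("[+] Config param {}: {}".format(name, value))

    with open('config_out.bin', 'wb') as out:
        out.write(decrypted_conf)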
def decrypt(self, text, input_key, input_iv):
    """Base64-decode *text*, CBC-decrypt it and drop NUL characters.

    NOTE(review): ``replace('\\x00', '')`` removes every NUL in the result,
    not only trailing ones. A plaintext that legitimately contains NUL
    characters will not round-trip through this method.
    NOTE(review): the ciphertext is decrypted without any integrity check,
    so modified input is not detected here.
    """
    cipher = new(input_key, MODE_CBC, input_iv, blocksize=16)
    ciphertext = base64.b64decode(text)
    plaintext = cipher.decrypt(ciphertext)
    return plaintext.replace('\x00', '')
def decrypt(self, text, input_key, input_iv='\x00' * 16):
    """Base64-decode *text*, CBC-decrypt it and run ``self.encoder.decode``.

    ``self.encoder.decode`` is applied to the decrypted data (presumably
    padding removal; confirm against the encoder).

    NOTE(review): when ``input_iv`` is omitted, the IV is sixteen NUL
    characters. With a fixed IV, messages encrypted under the same key that
    start with the same blocks produce the same leading ciphertext blocks.
    Callers should pass the per-message IV that was used for encryption.
    """
    cipher = new(input_key, MODE_CBC, input_iv, blocksize=16)
    ciphertext = base64.b64decode(text)
    decrypted = cipher.decrypt(ciphertext)
    return self.encoder.decode(decrypted)
def encrypt(self, text, input_key, input_iv='\x00' * 16):
    """Encode *text* with ``self.encoder``, CBC-encrypt it and base64-encode.

    NOTE(review): when ``input_iv`` is omitted, the IV is sixteen NUL
    characters. Reusing one fixed IV under the same key makes equal leading
    plaintext blocks encrypt to equal ciphertext blocks. Callers should
    supply a fresh, unpredictable IV for each message.
    NOTE(review): the output carries no integrity protection.
    """
    padded = self.encoder.encode(text)
    cipher = new(input_key, MODE_CBC, input_iv, blocksize=16)
    ciphertext = cipher.encrypt(padded)
    return base64.b64encode(ciphertext)