def test_go_to_next_call_Create2times(self): """ Test de l'initialisation du moteur disass 32 """ from test.minjat.f1 import data disass = Disass32(data=b64decode(data)) disass2 = Disass32(data=b64decode(data)) disass.go_to_next_call('CreateThread') if not disass2.go_to_next_call('CreateThread'): assert False assert True
def reverse(path, verbose): disass = Disass32(path=path, verbose=verbose) disass.make_xref() for p in disass.xref['InternetConnectA']: disass.set_position(p) disass.update_stack_and_register() try: addr = disass.get_arguments(2) print " CC\t: %s" % disass.get_string(addr) except: continue if not disass.go_to_next_call('HttpOpenRequestA'): continue try: lpszVerb = disass.get_string(disass.get_arguments(2)) lpszObjectName = disass.get_string(disass.get_arguments(3)) lpszVersion = disass.get_string(disass.get_arguments(4)) print " Request\t: %s %s %s" % (lpszVerb, lpszObjectName, lpszVersion) except Exception as e: print str(e) continue
def test_where_am_i(self, value): """ Test de l'initialisation du moteur disass 32 """ from test.minjat.f1 import data try: disass = Disass32(data=b64decode(data)) except: assert False return disass.rename_function('Entrypoint', "hopla") try: addr = disass.map_call_by_name["hopla"] name = disass.map_call[addr] except: assert False if name == "hopla": assert True return assert False
def test_where_am_i(self, value): """ Test de l'initialisation du moteur disass 32 """ from test.minjat.f1 import data try: disass = Disass32(data=b64decode(data)) except: assert False return disass.register.eip = value[0] disass.map_call[100] = "100" disass.map_call[0] = "0" disass.map_call[10] = "10" disass.map_call[30] = "30" disass.map_call[40] = "40" disass.map_call[20] = "20" if disass.where_am_i() == value[1]: assert True return assert False
def reverse(path, verbose): disass = Disass32(path=path, verbose=verbose) if disass.is_dll(): disass.make_xref() valuable_information = list() for address in disass.xref['InternetOpenA']: disass.set_position(address) function = disass.where_am_i() disass.set_position(disass.map_call_by_name[function]) while disass.go_to_instruction('REP'): disass.update_stack_and_register() try: r = disass.get_string(disass.register.esi) if r not in valuable_information: valuable_information.append(r) except: continue # If I change function it's finish if disass.where_am_i() != function: break print_result(valuable_information, 'Host') print_result(valuable_information, 'Content-Type') print_result(valuable_information, 'Accept-Encoding') print_result(valuable_information, 'Referer') print_result(valuable_information, 'Accept-Language') print_result(valuable_information, 'User-Agent') print_result(valuable_information, 'Request')
def reverse(path, verbose): disass = Disass32(path=path, verbose=verbose) if disass.is_dll(): addrhMainThread = disass.symbols_exported_by_name['hMainThread'] disass.set_position(addrhMainThread) elif disass.is_exe(): if not disass.go_to_next_call('CreateThread'): print >> sys.stderr, "CreateThread not found in %s" % path return # CreateThread( ..., ... , ... ) startAddress = disass.get_arguments(3) # We set our position in this Thread disass.set_virtual_position(startAddress) else: return # We are searching when C&C are copy if not disass.go_to_next_call('lstrcpyW'): print >> sys.stderr, "lstrcpyW not found in %s" % path sys.exit(0) address_cc1 = disass.get_arguments(2) print disass.get_string(address_cc1) # We are searching when C&C are copy if not disass.go_to_next_call('lstrcpyW'): print >> sys.stderr, "CALL lstrcpyW not found in %s" % path sys.exit(0) address_cc2 = disass.get_arguments(2) print disass.get_string(address_cc2)
def test_next(self): """ Test de l'initialisation du moteur disass 32 """ from test.minjat.f1 import data try: disass = Disass32(data=b64decode(data)) except: assert False return s1 = disass.decode[0] s2 = disass.decode[1] s3 = disass.decode[2] s4 = disass.decode[3] if disass.register.eip != s1[0]: assert False disass.next() if disass.register.eip != s2[0]: assert False disass.next() if disass.register.eip != s3[0]: assert False disass.next() if disass.register.eip != s4[0]: assert False assert True return
def reverse(path, verbose): disass = Disass32(path=path, verbose=verbose) if disass.go_to_next_call('CreateMutex'): address_mutex = disass.get_arguments(3) mutex = disass.get_string(address_mutex) print " Mutex\t\t:", mutex version = mutex.split('v')[1] print " Version\t:", version if version[0] == '1': # Version 1 reverse_v1(disass) return elif version[0] == '2': #Version 2 reverse_v2(disass) return try: reverse_v1(disass) except: print "Not supported" return
def reverse(path, verbose): disass = Disass32(path=path, verbose=verbose) if disass.is_dll(): addr_servicemain = disass.symbols_exported_by_name['ServiceMain'] disass.set_position(addr_servicemain) if not disass.go_to_next_call('_beginthreadex'): return addr_startthread = disass.get_arguments(3) disass.set_virtual_position(addr_startthread) list_cc = list() while identify_cc_function(disass): cc = disass.get_string(disass.get_arguments(1)) if cc not in list_cc: list_cc.append(cc) else: break print path for c in list_cc: print " CC\t:", c
def test_position_value(self): """ Test de l'initialisation du moteur disass 32 """ from test.minjat.f1 import data try: disass = Disass32(data=b64decode(data)) except: assert False try: disass.set_position(0x0) except: assert False try: disass.set_position(0x100) except: assert False try: disass.set_position(0x200) except: assert False assert True return
def reverse(path, verbose): disass = Disass32(path=path, verbose=verbose) disass.go_to_next_call('strncmp') try: addr = disass.get_arguments(1) print " CC\t: %s" % disass.get_string(addr) except: pass
def test_load_data_agentuuw(self): """ Test de l'initialisation du moteur disass 32 """ from test.agentuuw.f1 import data try: disass = Disass32(data=b64decode(data)) except: assert False return
def test_load_data_minjat(self): """ Test de l'initialisation du moteur disass 32 """ from test.minjat.f1 import data try: disass = Disass32(data=b64decode(data)) except: assert False assert True return
def test_next_call(self, value): """ Test de l'initialisation du moteur disass 32 """ from test.agentuuw.f1 import data try: disass = Disass32(data=b64decode(data)) except: assert False assert True
def reverse(path, verbose): disass = Disass32(path=path, verbose=verbose) if disass.go_to_next_call('CreateMutex'): address_mutex = disass.get_arguments(3) print " Mutex\t:", disass.get_string(address_mutex) if disass.go_to_next_call('InternetOpenA'): ua = disass.get_string(disass.get_arguments(1)) disass.up() disass.up() last_position = disass.register.eip host = disass.get_string(disass.get_arguments(1)) disass.go_to_next_call('InternetConnectA') try: port = disass.get_arguments(2) print " Host\t\t:", host print " Port\t\t:", port print " UserAgent\t:", ua except: pass print "" disass.set_position(last_position) if disass.go_to_next_call('InternetOpenA'): ua = disass.get_string(disass.get_arguments(1)) disass.up() disass.up() last_position = disass.register.eip host = disass.get_string(disass.get_arguments(1)) disass.go_to_next_call('InternetConnectA') try: port = disass.get_arguments(3) print " Host\t\t:", host print " Port\t\t:", port print " UserAgent\t:", ua except: pass request = '' if disass.go_to_next_call('HttpOpenRequestA'): s = disass.get_stack() request = '%s%s%s%s' % (disass.get_string( s[10]), "????????", disass.get_string(s[13]), '????????') request = '%s %s %s' % (disass.get_string( s[1]), request, disass.get_string(s[3])) print " Request\t:", request return True
def test_xref(self): """ Test de l'initialisation du moteur disass 32 """ from test.kimjong.f1 import data try: disass = Disass32(data=b64decode(data)) except: assert False disass.make_xref() assert True
def test_load_data_not_valid_win32(self): """ Test de l'initialisation du moteur disass 32 """ from disass.exceptions import DataNotWin32ApplicationError from test.minjat.f1 import data try: disass = Disass32(data=data) except DataNotWin32ApplicationError: return except: assert False assert False return
def test_get_unicode_value(self): from test.minjat.f1 import data try: disass = Disass32(data=b64decode(data)) except: assert False domain = disass.get_string(0x41bad8) if domain != 'timesofindia.8866.org': print domain assert False assert True
def test_is_not_register(self, value): """ Test de l'initialisation du moteur disass 32 """ from test.minjat.f1 import data from disass.exceptions import InvalidValueEIP try: disass = Disass32(data=b64decode(data)) except: assert False if disass.is_register(value): assert False assert True
def test_symbols_imported_by_name(self): """ Test de l'initialisation du moteur disass 32 """ from test.minjat.f1 import data try: disass = Disass32(data=b64decode(data)) except: assert False if "InternetReadFile" in disass.symbols_imported_by_name: assert True else: assert False return
def test_next_call_from_import(self, value): """ Test de l'initialisation du moteur disass 32 """ from test.minjat.f1 import data try: disass = Disass32(data=b64decode(data)) except: assert False res = disass.go_to_next_call(value) if not res: assert False assert True
def reverse(path, verbose): disass = Disass32(path=path, verbose=verbose) disass.go_to_next_call('GetCommandLineA') disass.go_to_instruction('CALL') disass.go_to_instruction('CALL') disass.go_to_instruction('CALL') disass.go_to_instruction('CALL') if disass.go_to_next_call('memcpy'): address_mutex = disass.get_arguments(2) mutex = disass.get_string(address_mutex) print " C&C\t\t:", mutex
def test_get_arguments(self, value): """ Test de l'initialisation du moteur disass 32 """ from test.minjat.f1 import data try: disass = Disass32(data=b64decode(data)) except: assert False res = disass.go_to_next_call(value) if int(disass.get_arguments(3)) == 0x403b16: return assert False
def reverse(path, verbose): print path disass = Disass32(path=path, verbose=verbose) if disass.go_to_next_call('CreateMutex'): address_mutex = disass.get_arguments(3) print " Mutex\t:", disass.get_string(address_mutex) found = False if disass.go_to_next_call('__jmp__WS2_32.dll@52'): print " CC1\t:", disass.get_string(disass.get_arguments(1)) found = True if disass.go_to_next_call('__jmp__WS2_32.dll@52'): print " CC2\t:", disass.get_string(disass.get_arguments(1)) if not found: # # Check in thread if there is connection with C&C # if disass.go_to_next_call('CreateThread'): startAddress = disass.get_stack()[2] disass.symbols_imported_by_name["startAdress"] = startAddress disass.symbols_imported[startAddress] = "startAdress" disass.set_virtual_position(startAddress) if disass.go_to_next_call('__jmp__WS2_32.dll@52'): print " CC1\t:", disass.get_string(disass.get_arguments(1)) found = True if disass.go_to_next_call('__jmp__WS2_32.dll@52'): print " CC2\t:", disass.get_string(disass.get_arguments(1)) if not found: # # Check if connection with HttpSendRequestA function # if disass.go_to_next_call('HttpSendRequestA'): disass.up() f2 = disass.where_am_i() disass.up() print " CC1\t:", disass.get_string(disass.get_arguments(1)) found = True if disass.go_to_next_call(f2): print " CC2\t:", disass.get_string(disass.get_arguments(1)) return
def test_position_negative_value(self): """ Test de l'initialisation du moteur disass 32 """ from test.minjat.f1 import data from disass.exceptions import InvalidValueEIP try: disass = Disass32(data=b64decode(data)) except: assert False try: disass.set_position(-0x20) except InvalidValueEIP as e: assert True return assert False
def test_go_to_next_call(self, value): """ Test de l'initialisation du moteur disass 32 """ from test.minjat.f1 import data try: disass = Disass32(data=b64decode(data)) except: assert False return if disass.go_to_next_call(value): assert True return assert False return
def test_get_arguments_bad_value(self, value): """ Test de l'initialisation du moteur disass 32 """ from test.minjat.f1 import data try: disass = Disass32(data=b64decode(data)) except: assert False res = disass.go_to_next_call(value) try: a = disass.get_arguments(0) except ValueError as e: return assert False
def test_entrypoint(self): """ Test de l'initialisation du moteur disass 32 """ from test.minjat.f1 import data try: disass = Disass32(data=b64decode(data)) except: assert False ep = disass.get_entry_point() if ep == None: assert False if ep != disass.register.eip: assert False assert True return
def test_replace_in_function(self, value): """ Test de l'initialisation du moteur disass 32 """ from test.minjat.f1 import data try: disass = Disass32(data=b64decode(data)) except: assert False return addr = disass.replace_function(value[0]) print addr, value[1] if addr == value[1]: assert True return assert False return
def reverse(path, verbose): disass = Disass32(path=path, verbose=verbose) if not disass.go_to_next_call('InternetConnectA'): print >> sys.stderr, "InternetConnectA not found in %s" % path return fn = disass.where_am_i() address_cc = disass.get_arguments(2) print " CC\t:", disass.get_string(address_cc) disass.set_position(disass.map_call_by_name[fn]) if not disass.go_to_next_call('strcpy'): print >> sys.stderr, "strcat not found in %s" % path return address_url = disass.get_arguments(2) print " URL\t:", disass.get_string(address_url)