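def get_bot_information(self, file_data):
    """Extract C2 URIs from a sample, decrypting an RC4-wrapped blob if present.

    Two layouts are handled:
      * no ``"DmG\\x00"`` marker in the file: every section is scanned for
        ``http://`` strings as-is;
      * marker present: the RC4 key is the last 7+ char string of the fourth
        section, the bytes after the marker are decrypted with it, and the
        decrypted blob is scanned instead.

    Args:
        file_data: raw sample as a ``str`` (the body runs ``ord()`` over it
            and searches a ``str`` pattern, so a ``bytes`` object would not
            match — TODO confirm what the caller passes).

    Returns:
        ``{"c2s": [{"c2_uri": "http://..."}, ...]}`` when any URI was found,
        otherwise an empty dict.

    Raises:
        Whatever ``PE(data=...)`` raises on a malformed image; the input is
        untrusted, so callers should expect parse failures.
    """
    uri_charset = ascii_uppercase + ascii_lowercase + digits + punctuation
    results = {}

    def collect_c2s(blob):
        # A bare "http://" with nothing after it is noise, not a C2.
        for s in data_strings(blob, 8, charset=uri_charset):
            if s.startswith("http://") and s != "http://":
                results.setdefault("c2s", []).append({"c2_uri": s})

    marker = file_data.rfind("\x44\x6d\x47\x00")
    pe = PE(data=file_data)
    if marker == -1:
        for section in pe.sections:
            collect_c2s(pe.get_data(section.VirtualAddress))
        return results

    # The original indexed pe.sections[3] unconditionally and raised
    # IndexError on images with fewer than four sections; treat that as
    # "no key found" instead of crashing the extractor.
    if len(pe.sections) < 4:
        return results

    # Keep the last string found: that is where this family stores the key.
    encryption_key = None
    for s in data_strings(pe.get_data(pe.sections[3].VirtualAddress), 7):
        encryption_key = s
    if encryption_key is None:
        return results

    rc4 = RC4(encryption_key)
    payload = file_data[marker + 4:]  # skip the 4-byte marker itself
    decrypted = "".join(chr(next(rc4) ^ ord(c)) for c in payload)
    collect_c2s(decrypted)
    return results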
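def read(self):
    """Load the ``.enigma1`` section of ``self.name`` into ``self.data``.

    Returns:
        True when the file parses as a PE, is an EXE and carries an
        ``.enigma1`` section (``self.data`` then holds that section's raw
        bytes); False otherwise, after printing a one-line reason.

    Notes:
        The file is untrusted input. A parse failure is reported and turned
        into ``False`` rather than propagated, and the PE handle is closed on
        every exit path, including an exception while reading the section.
    """
    try:
        pe = PE(self.name, fast_load=True)
    except Exception:
        # Was a bare `except:`, which also swallowed KeyboardInterrupt/SystemExit.
        print('File %s invalid' % self.name)
        return False
    try:
        if not pe.is_exe():
            print('This file is not exe')
            return False
        # NOTE(review): recent pefile versions expose Name as null-padded bytes;
        # confirm this str comparison still matches with the pinned version.
        section = next((s for s in pe.sections if s.Name == '.enigma1'), None)
        if section is None:
            print('This file is not Enigma Virtual Box container')
            return False
        self.data = pe.get_data(section.VirtualAddress, section.SizeOfRawData)
        return True
    finally:
        pe.close()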
def get_ep_bytes(self, pe: pefile.PE) -> str:
    """Return the first 16 bytes at the entry point as a lowercase hex string.

    @param pe: parsed image.
    @return: 32 hex characters, or None when the entry point cannot be read
        (for example an AddressOfEntryPoint that points outside the image on
        a malformed sample). Despite the ``str`` annotation, callers must be
        prepared for None.
    """
    try:
        entry_rva = pe.OPTIONAL_HEADER.AddressOfEntryPoint
        raw = pe.get_data(entry_rva, 0x10)
        return raw.hex()
    except Exception:
        return None
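def get_bot_information(self, file_data):
    """Extract C2 URIs from a sample, decrypting an RC4-wrapped blob if present.

    Two layouts are handled:
      * no ``"DmG\\x00"`` marker in the file: every section is scanned for
        ``http://`` strings as-is;
      * marker present: the RC4 key is the last 7+ char string of the fourth
        section, the bytes after the marker are decrypted with it, and the
        decrypted blob is scanned instead.

    Args:
        file_data: raw sample as a Python 2 ``str`` (the body runs ``ord()``
            over it and searches a ``str`` pattern).

    Returns:
        ``{"c2s": [{"c2_uri": "http://..."}, ...]}`` when any URI was found,
        otherwise an empty dict.

    Raises:
        Whatever ``PE(data=...)`` raises on a malformed image; the input is
        untrusted, so callers should expect parse failures.
    """
    uri_charset = ascii_uppercase + ascii_lowercase + digits + punctuation
    results = {}

    def collect_c2s(blob):
        # A bare "http://" with nothing after it is noise, not a C2.
        for s in data_strings(blob, 8, charset=uri_charset):
            if s.startswith("http://") and s != "http://":
                results.setdefault("c2s", []).append({"c2_uri": s})

    marker = file_data.rfind("\x44\x6d\x47\x00")
    pe = PE(data=file_data)
    if marker == -1:
        for x in xrange(len(pe.sections)):
            collect_c2s(pe.get_data(pe.sections[x].VirtualAddress))
        return results

    # The original indexed pe.sections[3] unconditionally and raised
    # IndexError on images with fewer than four sections; treat that as
    # "no key found" instead of crashing the extractor.
    if len(pe.sections) < 4:
        return results

    # Keep the last string found: that is where this family stores the key.
    encryption_key = None
    for s in data_strings(pe.get_data(pe.sections[3].VirtualAddress), 7):
        encryption_key = s
    if encryption_key is None:
        return results

    rc4 = RC4(encryption_key)
    payload = file_data[marker + 4:]  # skip the 4-byte marker itself
    decrypted = "".join(chr(rc4.next() ^ ord(c)) for c in payload)
    collect_c2s(decrypted)
    return results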
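def get_resources(self, pe: pefile.PE) -> List[Dict[str, str]]:
    """Walk the resource directory and describe every resource data entry.

    @param pe: parsed image, or a falsy value.
    @return: list of per-resource dicts (name, offset, size, filetype,
        language, sublanguage, entropy); an empty list when the image has no
        resource directory; None when ``pe`` is falsy (kept as-is because
        callers may test for None).

    A failure inside one resource type is logged and only that type is
    skipped, so one corrupt entry does not hide the rest.
    """
    if not pe:
        return None
    resources = []
    if not hasattr(pe, "DIRECTORY_ENTRY_RESOURCE"):
        return resources
    for resource_type in pe.DIRECTORY_ENTRY_RESOURCE.entries:
        try:
            if resource_type.name is not None:
                name = str(resource_type.name)
            else:
                name = str(pefile.RESOURCE_TYPE.get(resource_type.struct.Id))
            if not hasattr(resource_type, "directory"):
                continue
            for resource_id in resource_type.directory.entries:
                if not hasattr(resource_id, "directory"):
                    continue
                for resource_lang in resource_id.directory.entries:
                    entry = resource_lang.data
                    # OffsetToData/Size come straight from the untrusted image;
                    # an out-of-image pair is expected to make get_data raise
                    # PEFormatError, handled below for this resource type.
                    data = pe.get_data(entry.struct.OffsetToData, entry.struct.Size)
                    resources.append({
                        "name": name,
                        "offset": f"0x{entry.struct.OffsetToData:08x}",
                        "size": f"0x{entry.struct.Size:08x}",
                        "filetype": self._get_filetype(data),
                        "language": pefile.LANG.get(entry.lang),
                        "sublanguage": pefile.get_sublang_name_for_lang(entry.lang, entry.sublang),
                        "entropy": f"{float(self.get_entropy(data)):.02f}",
                    })
        except pefile.PEFormatError as e:
            log.error("get_resources error: %s", str(e))
        except Exception as e:
            # The trailing `continue` the original had here was dead code:
            # the loop continues anyway after the handler.
            log.error(e, exc_info=True)
    return resources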
def get_bot_information(self, file_data):
    """Recover C2 URIs by pairing every host-like string with every ``.php`` gate path.

    Every string of every section is classified: a string containing ``.php``
    becomes a gate path (prefixed with ``/`` if it lacks one), and a string
    accepted by ``is_ip_or_domain()`` becomes a server. The cross product of
    the two sets is reported; nothing is reported unless at least one of each
    was found. Note that a gate string is normalised before the server test,
    matching the original order of checks.

    Args:
        file_data: raw sample handed to ``PE(data=...)`` (untrusted input;
            parse errors propagate).

    Returns:
        ``{"c2s": [{"c2_uri": "<server><path>"}, ...]}`` or an empty dict.
    """
    pe = PE(data=file_data)
    gates = set()
    servers = set()
    for section in pe.sections:
        for s in data_strings(pe.get_data(section.VirtualAddress)):
            if ".php" in s:
                if not s.startswith("/"):
                    s = "/" + s
                gates.add(s)
            if is_ip_or_domain(s):
                servers.add(s)

    results = {}
    if servers and gates:
        results["c2s"] = [
            {"c2_uri": host + path} for host in servers for path in gates
        ]
    return results
def get_bot_information(self, file_data):
    """Recover C2 URIs by pairing every host-like string with every ``.php`` gate path.

    Strings from all sections are split into gate paths (any string containing
    ``.php``, normalised to start with ``/``) and servers (strings accepted by
    ``is_ip_or_domain()``); a gate string is normalised before the server test,
    as in the original. The result is the cross product of the two sets, or an
    empty dict when either set is empty.

    Args:
        file_data: raw sample handed to ``PE(data=...)`` (untrusted input;
            parse errors propagate).

    Returns:
        ``{"c2s": [{"c2_uri": "<server><path>"}, ...]}`` or an empty dict.
    """
    def as_gate_path(value):
        # Gate paths are always reported with a leading slash.
        if value[0] == "/":
            return value
        return "/" + value

    pe = PE(data=file_data)
    gate_paths = set()
    hosts = set()
    for section in pe.sections:
        for candidate in data_strings(pe.get_data(section.VirtualAddress)):
            if ".php" in candidate:
                candidate = as_gate_path(candidate)
                gate_paths.add(candidate)
            if is_ip_or_domain(candidate):
                hosts.add(candidate)

    results = {}
    if not hosts or not gate_paths:
        return results
    results["c2s"] = []
    for host in hosts:
        for path in gate_paths:
            results["c2s"].append({"c2_uri": "%s%s" % (host, path)})
    return results
def read_struct(pe: pefile.PE, struct: pefile.Structure) -> bytes:
    """Return the raw bytes that a data-directory style structure points at.

    @param pe: parsed image.
    @param struct: any pefile structure exposing ``OffsetToData`` (an RVA)
        and ``Size``.
    @return: ``Size`` bytes read from RVA ``OffsetToData``. Both values come
        from the image itself, so on a malformed file pefile is expected to
        raise PEFormatError rather than return out-of-image data.
    """
    rva = struct.OffsetToData
    length = struct.Size
    return pe.get_data(rva, length)
if tbl.ServiceTable in sym.name: value = omap.remap(off + virt_base) addr.ServiceTable = value #print tbl.ServiceTable,hex(omap.remap(off+virt_base)) elif tbl.ServiceLimit in sym.name: value = omap.remap(off + virt_base) addr.ServiceLimit = value #print tbl.ServiceLimit,hex(value) elif tbl.ArgumentTable in sym.name: value = omap.remap(off + virt_base) addr.ArgumentTable = value #print tbl.ArgumentTable,hex(value) for addr, val in zip(addrs, values): if not addr.ServiceTable: continue limit = unpack("<L", pe.get_data(addr.ServiceLimit, 4))[0] functions = unpack("<%dL" % limit, pe.get_data(addr.ServiceTable, limit * 4)) functions = [f - pe.OPTIONAL_HEADER.ImageBase for f in functions] args = unpack("<%dB" % limit, pe.get_data(addr.ArgumentTable, limit)) #for i,f,a in zip(range(limit), functions, args): # print i, hex(f), hex(a) val.ServiceTable = functions val.ServiceLimit = limit val.ArgumentTable = args function_names = {} for i, val in enumerate(values): if not val.ServiceTable: continue remapped = [omap_rev.remap(f) for f in val.ServiceTable]
if tbl.ServiceTable in sym.name: value = omap.remap(off + virt_base) addr.ServiceTable = value #print tbl.ServiceTable,hex(omap.remap(off+virt_base)) elif tbl.ServiceLimit in sym.name: value = omap.remap(off + virt_base) addr.ServiceLimit = value #print tbl.ServiceLimit,hex(value) elif tbl.ArgumentTable in sym.name: value = omap.remap(off + virt_base) addr.ArgumentTable = value #print tbl.ArgumentTable,hex(value) for addr, val in zip(addrs, values): if not addr.ServiceTable: continue limit = unpack("<L", pe.get_data(addr.ServiceLimit, 4))[0] functions = unpack("<%dL" % limit, pe.get_data(addr.ServiceTable, limit * 4)) functions = [f - pe.OPTIONAL_HEADER.ImageBase for f in functions] args = unpack("<%dB" % limit, pe.get_data(addr.ArgumentTable, limit)) #for i,f,a in zip(range(limit), functions, args): # print i, hex(f), hex(a) val.ServiceTable = functions val.ServiceLimit = limit val.ArgumentTable = args function_names = {} for i, val in enumerate(values): if not val.ServiceTable: continue remapped = [omap_rev.remap(f) for f in val.ServiceTable] for sym in gsyms.globals: