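    def get_bot_information(self, file_data):
        """Extract C2 URIs from a bot sample, decrypting its RC4 blob when present.

        The sample is searched backwards for the marker ``"DmG\\x00"``.  Without the
        marker, every PE section is scanned for printable ``http://`` strings.  With
        it, the last string of at least 7 printable characters in section index 3 is
        used as the RC4 key, everything after the marker is decrypted, and the
        plaintext is scanned the same way.

        Args:
            file_data: raw sample contents, in whatever form ``PE(data=...)``,
                ``data_strings`` and ``RC4`` expect.  The marker is searched with a
                ``str`` literal and bytes are combined via ``ord``, so a ``str`` is
                assumed -- TODO confirm for the Python 3 port (a ``bytes`` input
                would raise TypeError on ``rfind``).

        Returns:
            ``{"c2s": [{"c2_uri": ...}, ...]}`` when at least one URI was found,
            otherwise ``{}``.  A sample carrying the marker but fewer than four
            sections also yields ``{}`` instead of an IndexError.  The URIs are
            attacker-controlled strings lifted from malware; treat them as untrusted
            data and never dereference them automatically.

        Raises:
            Whatever ``PE`` raises for data it cannot parse (not caught here).
        """
        marker = "\x44\x6d\x47\x00"  # "DmG\0"
        charset = ascii_uppercase + ascii_lowercase + digits + punctuation
        results = {}

        def collect(blob):
            """Append every printable ``http://...`` string in *blob* to results."""
            for s in data_strings(blob, 8, charset=charset):
                if s.startswith("http://") and s != "http://":
                    results.setdefault("c2s", []).append({"c2_uri": s})

        marker_at = file_data.rfind(marker)
        pe = PE(data=file_data)

        if marker_at == -1:
            # Plaintext sample: the URIs sit directly in the sections.
            for section in pe.sections:
                collect(pe.get_data(section.VirtualAddress))
            return results

        # Encrypted sample: the key is expected in the fourth section.  Guard the
        # hard-coded index so an unexpected layout reports "nothing found" rather
        # than crashing the extractor.
        if len(pe.sections) < 4:
            return results

        encryption_key = None
        for s in data_strings(pe.get_data(pe.sections[3].VirtualAddress), 7):
            encryption_key = s  # only the last string is kept

        if encryption_key is not None:
            rc4 = RC4(encryption_key)
            ciphertext = file_data[marker_at + 4:]  # skip the 4-byte marker itself
            decrypted = "".join(chr(next(rc4) ^ ord(c)) for c in ciphertext)
            collect(decrypted)

        return results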
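    def read(self):
        """Load the ``.enigma1`` section of ``self.name`` into ``self.data``.

        Returns:
            True when the file parsed as a PE executable containing an
            ``.enigma1`` section (its raw bytes are then in ``self.data``);
            False otherwise, after printing a diagnostic.  ``self.data`` is
            left untouched on failure.
        """
        try:
            pe = PE(self.name, fast_load=True)
        except Exception:
            # A bare ``except:`` also swallowed KeyboardInterrupt/SystemExit;
            # only a parse failure should be reported as an invalid file.
            print('File %s invalid' % self.name)
            return False

        try:
            if not pe.is_exe():
                print('This file is not exe')
                return False

            # pefile NUL-pads Name to 8 bytes and hands back ``bytes`` on
            # Python 3; normalise before comparing so the check works on both.
            section = next(
                (s for s in pe.sections if s.Name.rstrip(b'\x00') == b'.enigma1'),
                None)
            if section is None:
                print('This file is not Enigma Virtual Box container')
                return False

            # SizeOfRawData is the on-disk size of the section; if the container
            # ever relies on VirtualSize being larger, Misc.VirtualSize would be
            # needed instead -- TODO confirm against the format.
            self.data = pe.get_data(section.VirtualAddress, section.SizeOfRawData)
            return True
        finally:
            # Every exit after a successful parse releases the mapped file.
            pe.close()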
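    def read(self):
        """Read the ``.enigma1`` section of the file named by ``self.name``.

        On success ``self.data`` holds the section's raw bytes and True is
        returned.  On any failure (unparseable file, not an executable, no
        ``.enigma1`` section) a diagnostic is printed and False is returned
        without touching ``self.data``.
        """
        try:
            pe = PE(self.name, fast_load=True)
        except Exception:  # was a bare except: it also trapped KeyboardInterrupt
            print('File %s invalid' % self.name)
            return False

        def fail(message):
            # Every failure after parsing must release the mapped file.
            print(message)
            pe.close()
            return False

        if not pe.is_exe():
            return fail('This file is not exe')

        target = b'.enigma1'
        section = None
        for s in pe.sections:
            # Name is NUL-padded to 8 bytes and is ``bytes`` on Python 3, so a
            # plain ``== '.enigma1'`` never matches there.
            if s.Name.rstrip(b'\x00') == target:
                section = s
                break

        if section is None:
            return fail('This file is not Enigma Virtual Box container')

        self.data = pe.get_data(section.VirtualAddress, section.SizeOfRawData)
        pe.close()
        return True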
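 def get_ep_bytes(self, pe: pefile.PE) -> str:
     """Return the first 16 bytes at the PE entry point as lowercase hex.

     @param pe: parsed pefile.PE object (a falsy value is tolerated).
     @return: 32-character hex string (16 bytes), or None when there is no PE
         object or the entry-point RVA cannot be read.
     """
     if not pe:
         return None

     try:
         # AddressOfEntryPoint is an RVA; pefile maps it onto the file data and
         # raises when it falls outside anything it can serve.
         ep_bytes = pe.get_data(pe.OPTIONAL_HEADER.AddressOfEntryPoint, 0x10)
     except Exception:
         # Best effort: a malformed header simply yields no entry-point bytes.
         return None
     return binascii.b2a_hex(ep_bytes).decode()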
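    def get_bot_information(self, file_data):
        """Extract C2 URIs from a bot sample (Python 2 variant).

        Looks for the marker "DmG\\x00" from the end of the sample.  Without it,
        every PE section is scanned for printable "http://" strings.  With it, the
        last printable string (7+ chars) of section index 3 is taken as the RC4
        key, the bytes after the marker are decrypted and the plaintext is
        scanned instead.

        Args:
            file_data: raw sample contents as the str that PE(data=...),
                data_strings and RC4 expect.

        Returns:
            {"c2s": [{"c2_uri": ...}, ...]} when at least one URI was found,
            otherwise {}.  A marked sample with fewer than four sections also
            yields {} instead of raising IndexError.  The URIs are
            attacker-controlled data; do not fetch them automatically.

        Raises:
            Whatever PE raises for data it cannot parse.
        """
        results = {}
        charset = ascii_uppercase + ascii_lowercase + digits + punctuation
        pe = PE(data=file_data)

        marker_at = file_data.rfind("\x44\x6d\x47\x00")  # "DmG\0"
        if marker_at == -1:
            # Plaintext sample: scan the sections as they are.
            blobs = (pe.get_data(pe.sections[x].VirtualAddress)
                     for x in xrange(len(pe.sections)))
        elif len(pe.sections) < 4:
            # The key is expected in the fourth section; without it there is
            # nothing to decrypt, so report nothing rather than crash.
            blobs = ()
        else:
            key = None
            for s in data_strings(pe.get_data(pe.sections[3].VirtualAddress), 7):
                key = s  # only the last string is kept
            blobs = []
            if key is not None:
                rc4 = RC4(key)
                # Skip the 4-byte marker itself, then RC4 the remainder.
                blobs.append("".join([chr(rc4.next() ^ ord(c))
                                      for c in file_data[marker_at + 4:]]))

        for blob in blobs:
            for s in data_strings(blob, 8, charset=charset):
                if s.startswith("http://") and s != "http://":
                    results.setdefault("c2s", []).append({"c2_uri": s})

        return results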
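    def get_resources(self, pe: pefile.PE) -> List[Dict[str, str]]:
        """Describe every data entry in the PE resource directory.

        @param pe: parsed pefile.PE object, or a falsy value.
        @return: list of dicts with keys name, offset, size, filetype,
            language, sublanguage and entropy; empty when the image has no
            resource directory.  None only when ``pe`` itself is falsy.
        """
        if not pe:
            return None

        resources = []
        if not hasattr(pe, "DIRECTORY_ENTRY_RESOURCE"):
            return resources

        def describe(name, entry):
            """Build the report dict for one language-level resource entry."""
            struct = entry.data.struct
            # OffsetToData is an RVA and Size comes straight from the (possibly
            # hostile) file; this relies on pe.get_data bounding the read and
            # raising PEFormatError for an unmappable RVA -- verify that
            # assumption if pefile is upgraded.
            data = pe.get_data(struct.OffsetToData, struct.Size)
            return {
                "name": name,
                "offset": f"0x{struct.OffsetToData:08x}",
                "size": f"0x{struct.Size:08x}",
                "filetype": self._get_filetype(data),
                "language": pefile.LANG.get(entry.data.lang),
                "sublanguage": pefile.get_sublang_name_for_lang(
                    entry.data.lang, entry.data.sublang),
                "entropy": f"{float(self.get_entropy(data)):.02f}",
            }

        for resource_type in pe.DIRECTORY_ENTRY_RESOURCE.entries:
            try:
                if resource_type.name is not None:
                    name = str(resource_type.name)
                else:
                    # NOTE: an id pefile does not know becomes the literal
                    # string "None"; kept as-is for report compatibility.
                    name = str(pefile.RESOURCE_TYPE.get(resource_type.struct.Id))

                # Walk type -> id -> language; a truncated directory may stop
                # at any level, so each one is checked before descending.
                if not hasattr(resource_type, "directory"):
                    continue
                for resource_id in resource_type.directory.entries:
                    if not hasattr(resource_id, "directory"):
                        continue
                    for resource_lang in resource_id.directory.entries:
                        resources.append(describe(name, resource_lang))
            except pefile.PEFormatError as e:
                # Entries collected before the failure are kept.
                log.error("get_resources error: %s", str(e))
            except Exception as e:
                log.error(e, exc_info=True)
                continue

        return resources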
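 def get_bot_information(self, file_data):
     """Reconstruct C2 URIs from the plaintext strings of a bot sample.

     Every string found in every PE section is classified: strings containing
     ``.php`` are gate paths (normalised to start with ``/``), strings accepted
     by ``is_ip_or_domain`` are servers.  The result is the cartesian product
     of the two sets, because the sample does not say which server pairs with
     which gate.

     Args:
         file_data: raw sample contents, in whatever form ``PE(data=...)`` and
             ``data_strings`` expect.

     Returns:
         ``{"c2s": [{"c2_uri": "<server><gate>"}, ...]}`` when at least one
         server and one gate were found, otherwise ``{}``.  Pairs are emitted in
         sorted order so repeated runs on the same sample produce an identical
         report (set iteration order changes per process under Python 3 hash
         randomisation).  Values are attacker-supplied; treat them as untrusted.

     Raises:
         Whatever ``PE`` raises for data it cannot parse.
     """
     gates = set()
     servers = set()
     pe = PE(data=file_data)

     for section in pe.sections:
         for s in data_strings(pe.get_data(section.VirtualAddress)):
             if ".php" in s:
                 if not s.startswith("/"):
                     s = "/" + s
                 gates.add(s)
             # Deliberately tests the possibly "/"-prefixed form, as the
             # original extractor did, so gate strings are not re-classified
             # as servers.
             if is_ip_or_domain(s):
                 servers.add(s)

     if not gates or not servers:
         return {}

     return {
         "c2s": [
             {"c2_uri": "%s%s" % (server, gate)}
             for server in sorted(servers)
             for gate in sorted(gates)
         ]
     }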
 def get_bot_information(self, file_data):
     """Pair every server string with every gate path found in the sample.

     Strings from all PE sections are classified: those containing ".php"
     become gate paths (prefixed with "/" if needed), those accepted by
     is_ip_or_domain become servers.  Note that the server test sees the
     possibly "/"-prefixed string for gate candidates.

     Args:
         file_data: raw sample contents as PE(data=...) and data_strings expect.

     Returns:
         {"c2s": [{"c2_uri": "<server><gate>"}, ...]} when both a server and a
         gate were found, otherwise {}.  Pair order follows set iteration.
     """
     results = {}
     gate = None
     server = None
     pe = PE(data=file_data)

     for section in pe.sections:
         for s in data_strings(pe.get_data(section.VirtualAddress)):
             if ".php" in s:
                 if not s.startswith("/"):
                     s = "/" + s
                 if gate is None:
                     gate = set()
                 gate.add(s)
             if is_ip_or_domain(s):
                 if server is None:
                     server = set()
                 server.add(s)

     if server is None or gate is None:
         return results

     results["c2s"] = [{"c2_uri": "%s%s" % (ip, p)} for ip in server for p in gate]
     return results
def read_struct(pe:pefile.PE, struct:pefile.Structure) -> bytes:
    """Return the raw bytes a data-entry structure points at.

    ``struct`` must expose ``OffsetToData`` (an RVA) and ``Size``; the read is
    delegated to ``pe.get_data`` and is not bounds-checked here.
    """
    rva = struct.OffsetToData
    length = struct.Size
    return pe.get_data(rva, length)
        if tbl.ServiceTable in sym.name:
            value = omap.remap(off + virt_base)
            addr.ServiceTable = value
            #print tbl.ServiceTable,hex(omap.remap(off+virt_base))
        elif tbl.ServiceLimit in sym.name:
            value = omap.remap(off + virt_base)
            addr.ServiceLimit = value
            #print tbl.ServiceLimit,hex(value)
        elif tbl.ArgumentTable in sym.name:
            value = omap.remap(off + virt_base)
            addr.ArgumentTable = value
            #print tbl.ArgumentTable,hex(value)

# Resolve each service descriptor table: read its entry count, then the
# service pointers and the per-service argument sizes.
for addr, val in zip(addrs, values):
    # Tables whose symbols were never located are left untouched.
    if not addr.ServiceTable:
        continue
    (limit,) = unpack("<L", pe.get_data(addr.ServiceLimit, 4))
    # 4-byte entries rebased by ImageBase -- this matches the 32-bit table
    # layout; TODO confirm before pointing it at an x64 kernel image.
    image_base = pe.OPTIONAL_HEADER.ImageBase
    raw_table = unpack("<%dL" % limit, pe.get_data(addr.ServiceTable, limit * 4))
    rebased = [entry - image_base for entry in raw_table]
    # One argument-size byte per service.
    arg_sizes = unpack("<%dB" % limit, pe.get_data(addr.ArgumentTable, limit))
    val.ServiceTable = rebased
    val.ServiceLimit = limit
    val.ArgumentTable = arg_sizes

function_names = {}

for i, val in enumerate(values):
    if not val.ServiceTable: continue
    remapped = [omap_rev.remap(f) for f in val.ServiceTable]
        if tbl.ServiceTable in sym.name:
            value = omap.remap(off + virt_base)
            addr.ServiceTable = value
            #print tbl.ServiceTable,hex(omap.remap(off+virt_base))
        elif tbl.ServiceLimit in sym.name:
            value = omap.remap(off + virt_base)
            addr.ServiceLimit = value
            #print tbl.ServiceLimit,hex(value)
        elif tbl.ArgumentTable in sym.name:
            value = omap.remap(off + virt_base)
            addr.ArgumentTable = value
            #print tbl.ArgumentTable,hex(value)

# Fill in each located service table: entry count, rebased service
# addresses and the argument-size byte per service.
for addr, val in zip(addrs, values):
    if not addr.ServiceTable:
        continue  # symbol lookup found nothing for this table
    image_base = pe.OPTIONAL_HEADER.ImageBase
    limit = unpack("<L", pe.get_data(addr.ServiceLimit, 4))[0]
    table_fmt, args_fmt = "<%dL" % limit, "<%dB" % limit
    # Entries are 4 bytes and rebased by ImageBase; assumes the 32-bit table
    # layout -- TODO confirm for x64 images.
    service_table = [
        entry - image_base
        for entry in unpack(table_fmt, pe.get_data(addr.ServiceTable, limit * 4))
    ]
    argument_table = unpack(args_fmt, pe.get_data(addr.ArgumentTable, limit))
    val.ServiceTable = service_table
    val.ServiceLimit = limit
    val.ArgumentTable = argument_table

function_names = {}

for i, val in enumerate(values):
    if not val.ServiceTable: continue
    remapped = [omap_rev.remap(f) for f in val.ServiceTable]
    for sym in gsyms.globals: