def wildcard_search( pid, pattern ):
    """Hex-dump every occurrence of a hex *pattern* in the memory of process *pid*.

    ``pattern`` is a string of hex byte values.  Spaces between bytes are
    optional and the case of hex digits does not matter, so
    ``"68 65 6c 6c 6f 20 77 6f 72 6c 64"`` and ``"68656C6C6F20776F726C64"``
    are equivalent (both are ``"hello world"``).  Any hex digit may be replaced
    by ``?`` as a wildcard, e.g. ``"5? 5? c3"`` (pop reg / pop reg / ret) or
    ``"b8 ?? ?? ?? ??"`` (mov eax, imm32).

    Each hit is printed as a hex block labelled with its address; nothing is
    returned.  Opening another process's memory needs sufficient rights on the
    target (on Windows presumably a debug privilege -- not checked here).
    """
    target = Process( pid )
    hits = target.search_hexa( pattern )
    for hit_address, hit_bytes in hits:
        print(HexDump.hexblock(hit_bytes, address = hit_address))
def wildcard_search(pid, pattern):
    """Print a hex dump of every match of *pattern* inside process *pid*.

    The pattern is given as hex bytes, e.g. ``"68 65 6c 6c 6f 20 77 6f 72 6c 64"``
    ("hello world"); whitespace between bytes is optional and upper/lower-case
    hex digits are interchangeable, so ``"68656C6C6F20776F726C64"`` means the
    same thing.  A ``?`` stands for any single hex digit: ``"5? 5? c3"`` matches
    pop reg / pop reg / ret, ``"b8 ?? ?? ?? ??"`` matches mov eax, imm32.

    Matches are written to stdout one hex block at a time; the function has no
    return value.  The caller must already have the rights needed to read the
    target process's memory.
    """
    def _matches():
        # Lazily hand out (address, data) pairs as the scan finds them.
        for found in Process(pid).search_hexa(pattern):
            yield found

    for found_at, found_bytes in _matches():
        dump = HexDump.hexblock(found_bytes, address=found_at)
        print(dump)
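# Usage: <script> <pid>
#
# Locate and decrypt the RC4-encrypted configuration block of a running
# process by scanning its memory for a header signature.  The target is
# presumably a live (unpacked) malware sample, so run this only inside an
# isolated analysis VM and treat the decrypted fields as untrusted data.
system.scan_processes()

if len(sys.argv) < 2:
    print("Usage: %s <pid>" % sys.argv[0])
    sys.exit(1)
pid = int(sys.argv[1])
process = Process(pid)

# Header signature: 16 NUL bytes, an 8-byte partially fixed word
# (?0 ?4 ?? 00 ?? 00 00 00), then 8 arbitrary bytes.  CONFIG_OFFSET (0x18 = 24)
# places the config at those trailing 8 wildcard bytes.
pattern = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?0 ?4 ?? 00 ?? 00 00 00 ?? ?? ?? ?? ?? ?? ?? ??"
CONFIG_OFFSET = 0x18
# Layout this extractor assumes: 0x2EF bytes of ciphertext immediately
# followed by a NUL-padded RC4 key of at most 0x39 bytes.  These offsets are
# specific to the build this was written against -- TODO confirm before
# reusing on another sample.
CONFIG_SIZE = 0x2EF
KEY_SIZE = 0x39


def _find_encrypted_config(proc, signature):
    """Return the address of the encrypted config, or None if nothing matches.

    Only regions mapped PAGE_EXECUTE_READWRITE are scanned (RWX memory is
    where an unpacked payload typically lives).  Every RWX region is searched
    in map order and the first hit wins; a match in a later region is ignored.
    """
    for region in proc.get_memory_map():
        if region.Protect != win32.PAGE_EXECUTE_READWRITE:
            continue
        start = region.baseAddress
        end = start + region.RegionSize
        # search_hexa yields (address, data) pairs.  next() with a default
        # replaces the former bare `except:`, which reported *any* error
        # (including KeyboardInterrupt) as "Not found".
        hit = next(iter(proc.search_hexa(signature, start, end)), None)
        if hit is not None:
            return hit[0] + CONFIG_OFFSET
    return None


enc_con_addr = _find_encrypted_config(process, pattern)
if enc_con_addr is None:
    print("Not found")
    sys.exit(1)
print("[*] Encrypted config address: 0x%s" % HexDump.address(enc_con_addr, 32))

enc_con = process.read(enc_con_addr, CONFIG_SIZE)
# The key sits right after the ciphertext, padded with NULs.
RC4_key = process.read(enc_con_addr + CONFIG_SIZE, KEY_SIZE).rstrip('\x00')
print("[*] RC4 key: %s" % RC4_key)

dec_con = RC4_dec(RC4_key, enc_con)
# Config fields are NUL-separated strings; runs of NULs are collapsed.
conf = re.split("\x00+", dec_con)
print("[*] Config: ")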