If you have an area in memory that is XOR obfuscated debug007:0018FB06 db 9Ch ; œ debug007:0018FB07 db 1Ah and you have assembly code that decodes it with a bitwise NOT like this .text:00401671 movzx edx, byte ptr [eax+3] .text:00401675 not cl .text:00401677 xor dl, 75h you can decode it to read it with IDA Python scripting by going to File -> Script command and entering code like this, where 'd' is filled with the encoded hex values and the print statements are filled with the individual NOT/XOR operations taken from the code: from textwrap import wrap d = "9c1a" bytes = wrap(d, 2) for i in range(len(bytes)): bytes[i] = int(bytes[i],16) print(chr((~bytes[0]) & 0x000000FF)) print(chr(bytes[1] ^ 0x75)) Thus in this example d = "9c1a" prints out 'co'. The & 0x000000FF mask is needed because Python's ~ on an unbounded integer gives a negative number; keeping only the low byte matches the 8-bit not cl.
Friday, November 9, 2018
IDA Python bitwise NOT Decode malware strings
IDA Python Xor Decode malware strings
If you have an area in memory that is xor obfuscated debug007:0018FB04 db 0CEh ; Î debug007:0018FB05 db 27h ; ' debug007:0018FB06 db 9Ch ; œ debug007:0018FB07 db 1Ah debug007:0018FB08 db 95h ; • debug007:0018FB09 db 2Eh ; . debug007:0018FB0A db 22h ; " debug007:0018FB0B db 57h ; W debug007:0018FB0C db 91h ; ‘ debug007:0018FB0D db 21h ; ! debug007:0018FB0E db 57h ; W debug007:0018FB0F db 3Ah ; : and you have assembly code that decodes or xors it to get it back to readable value .text:00401654 mov eax, [esp+28h+arg_0] .text:00401658 movzx ecx, byte ptr [eax] .text:0040165B movzx edx, byte ptr [eax+1] .text:0040165F xor cl, 0A3h .text:00401662 xor dl, 54h .text:00401665 mov [esp+28h+memcpySource], cl .text:00401669 movzx ecx, byte ptr [eax+2] .text:0040166D mov [esp+28h+var_23], dl .text:00401671 movzx edx, byte ptr [eax+3] .text:00401675 not cl .text:00401677 xor dl, 75h .text:0040167A mov [esp+28h+var_22], cl .text:0040167E movzx ecx, byte ptr [eax+4] .text:00401682 mov [esp+28h+var_21], dl .text:00401686 movzx edx, byte ptr [eax+5] .text:0040168A xor cl, 0E7h .text:0040168D xor dl, 44h .text:00401690 mov [esp+28h+var_20], cl .text:00401694 movzx ecx, byte ptr [eax+6] .text:00401698 mov [esp+28h+var_1F], dl .text:0040169C movzx edx, byte ptr [eax+7] .text:004016A0 xor cl, 4Bh .text:004016A3 xor dl, 23h .text:004016A6 mov [esp+28h+var_1E], cl .text:004016AA movzx ecx, byte ptr [eax+8] .text:004016AE mov [esp+28h+var_1D], dl .text:004016B2 movzx edx, byte ptr [eax+9] .text:004016B6 xor cl, 0BFh .text:004016B9 xor dl, 45h .text:004016BC mov [esp+28h+var_1C], cl .text:004016C0 movzx ecx, byte ptr [eax+0Ah] .text:004016C4 mov [esp+28h+var_1B], dl .text:004016C8 movzx edx, byte ptr [eax+0Bh] .text:004016CC xor cl, 3Bh .text:004016CF xor dl, 56h You can decode or xor it to read it in IDA Python scripting by going to file -> script command and entering code like this where 'd' is filled with the encoded hex values and the print statements are filled with the individual xor 
values from the code from textwrap import wrap d = "ce279c1a952e22579121573a" bytes = wrap(d, 2) for i in range(len(bytes)): bytes[i] = int(bytes[i],16) print(chr(bytes[0] ^ 0xa3)) print(chr(bytes[1] ^ 0x54)) print(chr((~bytes[2]) & 0x000000FF)) print(chr(bytes[3] ^ 0x75)) print(chr(bytes[4] ^ 0xe7)) print(chr(bytes[5] ^ 0x44)) print(chr(bytes[6] ^ 0x4b)) print(chr(bytes[7] ^ 0x23)) print(chr(bytes[8] ^ 0xbf)) print(chr(bytes[9] ^ 0x45)) print(chr(bytes[10] ^ 0x3b)) print(chr(bytes[11] ^ 0x56)) thus in this example d = "ce279c1a952e22579121573a" prints out mscorjit.dll which is a library the malware is going to load
Thursday, January 11, 2018
Python script search open directories for Phishing Kits and Malware
original version from 1/11/2018
https://pastebin.com/raw/Ed2fmmNj
new version from 11/1/2018
https://pastebin.com/raw/Xj5VK0Mb
old version 11/29/2018
https://pastebin.com/raw/dhJusnX4
new version 11/30/2018
https://pastebin.com/raw/T4aA5UhU
from urllib.request import urlopen
from urllib.request import urlretrieve
import re
import sys
import os
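from html import unescape

filepath = 'urls.txt'

# Link and title patterns, compiled once. They are the original script's
# patterns, so the same hrefs are picked up from a directory listing.
TITLE_RE = re.compile(r'(?i)<title>(.*?)</title>')
ZIP_RE = re.compile(r'(?i)href\=\"[^\"]+\.zip\"\>')
EXE_RE = re.compile(r'(?i)href\=\"[^\"]+\.exe\"\>')
PANEL_RE = re.compile(r'(?i)href\=\"(panel|webpanel|fre\.php)\"\>')
# Removes the last path component ("/x" at the end) to step up one folder.
PARENT_RE = re.compile(r'\/[^\/]*$')


def normalize_url(line):
    """Turn one input line into a scheme-qualified URL without a trailing slash.

    Lines lacking a scheme get https:// when they mention port 443, else http://.
    A single trailing '/' or '\\' is dropped so the walk-up logic sees a folder.
    """
    theurl = line.strip()
    if not theurl.startswith('http'):
        theurl = ('https://' if ':443' in theurl else 'http://') + theurl
    if theurl.endswith('/') or theurl.endswith('\\'):
        theurl = theurl[:-1]
    return theurl


def clean_href(raw):
    """Reduce a matched href="..."> fragment to the bare link target.

    Directory listings encode '&' in names as '&amp;'; unescaping makes the
    request URL match what the server actually serves.
    """
    target = raw.replace('"', '').replace('href=', '').replace('>', '')
    return unescape(target)


def safe_filename(name):
    """Return a bare file name for a server-supplied link target.

    Hrefs come from an untrusted page, so a target such as '../../x.exe' must
    not be written outside the working directory: only the last path component
    is kept, after treating backslashes as separators too.
    """
    return os.path.basename(name.replace('\\', '/'))


def join_url(theurl, name):
    """Append *name* to *theurl*, inserting a '/' only when one is missing."""
    if theurl.endswith('/'):
        return theurl + name
    return theurl + "/" + name


def download(url, filename, label):
    """Save *url* to *filename* in the working directory and log the outcome.

    Output keeps the original "<label>,<url>" / "failed<label>,<url>(error)"
    shape so existing post-processing of the output still works.
    """
    try:
        # NOTE: urlretrieve takes no timeout argument, unlike the urlopen calls.
        urlretrieve(url, filename)
        print(label + "," + url)
    except Exception as e:
        print("failed" + label + "," + url + "(" + str(e) + ")")


def fetch_text(theurl):
    """GET *theurl* (3 s timeout) and return the body as text.

    Decoding (instead of str() on the bytes object) lets the regexes see the
    real markup rather than the repr of a bytes literal; undecodable bytes are
    replaced rather than raising.
    """
    with urlopen(theurl, timeout=3) as resp:
        return resp.read().decode('utf-8', errors='replace')


def try_folder_zip(theurl, domain):
    """Probe for '<current folder>.zip' beside the folder, a common kit left-over.

    Skipped when the URL already names a .zip or has no path component.
    """
    parts = theurl.split("//")[-1].split("/")
    if theurl.endswith(".zip") or len(parts) <= 1:
        return
    currentfolder = parts[-1]
    download(theurl + ".zip",
             domain + "___" + safe_filename(currentfolder) + ".zip",
             "phishkit")


def scan_listing(theurl, domain, page):
    """Pull zip archives, executables and panel links out of an open directory page.

    Archives are saved as '<domain>___<name>', executables under their own
    (sanitised) name; panel links are only reported.
    """
    for raw in ZIP_RE.findall(page):
        name = clean_href(raw)
        download(join_url(theurl, name), domain + "___" + safe_filename(name), "phishkit")
    for raw in EXE_RE.findall(page):
        name = clean_href(raw)
        download(join_url(theurl, name), safe_filename(name), "malware")
    # PANEL_RE has a capture group, so findall yields the bare names.
    for panel in PANEL_RE.findall(page):
        print("panel," + join_url(theurl, unescape(panel)))


def walk_up(theurl):
    """Inspect *theurl*, then each parent folder, until the host root is passed.

    Each level prints "opendir,"/"webpage," with the page title and, for
    listings, whatever scan_listing finds; a failed fetch prints "failedurl,"
    and the walk continues one level up. The walk ends at the scheme prefix,
    on a 'no host given' error, or when the URL can no longer be shortened.
    """
    while True:
        try:
            domain = theurl.split("//")[-1].split("/")[0]
            try_folder_zip(theurl, domain)
            page = fetch_text(theurl)
            titles = TITLE_RE.findall(page)
            if titles:
                if titles[0].startswith('Index of'):
                    print("opendir," + theurl + "(" + titles[0] + ")")
                    scan_listing(theurl, domain, page)
                else:
                    print("webpage," + theurl + "(" + titles[0] + ")")
        except Exception as e:
            if "no host given" in str(e):
                return
            print("failedurl," + theurl + "(" + str(e) + ")")
        parent = PARENT_RE.sub('', theurl)
        # A URL with no '/' left cannot be shortened; stop instead of looping
        # forever on it. Reaching the bare scheme means the root was visited.
        if parent == theurl or parent.endswith('http:/') or parent.endswith('https:/'):
            return
        theurl = parent


def main():
    """Read urls.txt (one URL per line) and walk each URL up to its host root."""
    with open(filepath) as fp:
        for line in fp:
            if not line.strip():
                continue
            walk_up(normalize_url(line))


if __name__ == "__main__":
    main()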
https://pastebin.com/raw/Ed2fmmNj
new version from 11/1/2018
https://pastebin.com/raw/Xj5VK0Mb
old version 11/29/2018
https://pastebin.com/raw/dhJusnX4
new version 11/30/2018
https://pastebin.com/raw/T4aA5UhU
from urllib.request import urlopen
from urllib.request import urlretrieve
import re
import sys
import os
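from html import unescape

filepath = 'urls.txt'

# Link and title patterns, compiled once. They are the original script's
# patterns, so the same hrefs are picked up from a directory listing.
TITLE_RE = re.compile(r'(?i)<title>(.*?)</title>')
ZIP_RE = re.compile(r'(?i)href\=\"[^\"]+\.zip\"\>')
EXE_RE = re.compile(r'(?i)href\=\"[^\"]+\.exe\"\>')
PANEL_RE = re.compile(r'(?i)href\=\"(panel|webpanel|fre\.php)\"\>')
# Removes the last path component ("/x" at the end) to step up one folder.
PARENT_RE = re.compile(r'\/[^\/]*$')


def normalize_url(line):
    """Turn one input line into a scheme-qualified URL without a trailing slash.

    Lines lacking a scheme get https:// when they mention port 443, else http://.
    A single trailing '/' or '\\' is dropped so the walk-up logic sees a folder.
    """
    theurl = line.strip()
    if not theurl.startswith('http'):
        theurl = ('https://' if ':443' in theurl else 'http://') + theurl
    if theurl.endswith('/') or theurl.endswith('\\'):
        theurl = theurl[:-1]
    return theurl


def clean_href(raw):
    """Reduce a matched href="..."> fragment to the bare link target.

    Directory listings encode '&' in names as '&amp;'; unescaping makes the
    request URL match what the server actually serves.
    """
    target = raw.replace('"', '').replace('href=', '').replace('>', '')
    return unescape(target)


def safe_filename(name):
    """Return a bare file name for a server-supplied link target.

    Hrefs come from an untrusted page, so a target such as '../../x.exe' must
    not be written outside the working directory: only the last path component
    is kept, after treating backslashes as separators too.
    """
    return os.path.basename(name.replace('\\', '/'))


def join_url(theurl, name):
    """Append *name* to *theurl*, inserting a '/' only when one is missing."""
    if theurl.endswith('/'):
        return theurl + name
    return theurl + "/" + name


def download(url, filename, label):
    """Save *url* to *filename* in the working directory and log the outcome.

    Output keeps the original "<label>,<url>" / "failed<label>,<url>(error)"
    shape so existing post-processing of the output still works.
    """
    try:
        # NOTE: urlretrieve takes no timeout argument, unlike the urlopen calls.
        urlretrieve(url, filename)
        print(label + "," + url)
    except Exception as e:
        print("failed" + label + "," + url + "(" + str(e) + ")")


def fetch_text(theurl):
    """GET *theurl* (3 s timeout) and return the body as text.

    Decoding (instead of str() on the bytes object) lets the regexes see the
    real markup rather than the repr of a bytes literal; undecodable bytes are
    replaced rather than raising.
    """
    with urlopen(theurl, timeout=3) as resp:
        return resp.read().decode('utf-8', errors='replace')


def try_folder_zip(theurl, domain):
    """Probe for '<current folder>.zip' beside the folder, a common kit left-over.

    Skipped when the URL already names a .zip or has no path component.
    """
    parts = theurl.split("//")[-1].split("/")
    if theurl.endswith(".zip") or len(parts) <= 1:
        return
    currentfolder = parts[-1]
    download(theurl + ".zip",
             domain + "___" + safe_filename(currentfolder) + ".zip",
             "phishkit")


def scan_listing(theurl, domain, page):
    """Pull zip archives, executables and panel links out of an open directory page.

    Archives are saved as '<domain>___<name>', executables under their own
    (sanitised) name; panel links are only reported.
    """
    for raw in ZIP_RE.findall(page):
        name = clean_href(raw)
        download(join_url(theurl, name), domain + "___" + safe_filename(name), "phishkit")
    for raw in EXE_RE.findall(page):
        name = clean_href(raw)
        download(join_url(theurl, name), safe_filename(name), "malware")
    # PANEL_RE has a capture group, so findall yields the bare names.
    for panel in PANEL_RE.findall(page):
        print("panel," + join_url(theurl, unescape(panel)))


def walk_up(theurl):
    """Inspect *theurl*, then each parent folder, until the host root is passed.

    Each level prints "opendir,"/"webpage," with the page title and, for
    listings, whatever scan_listing finds; a failed fetch prints "failedurl,"
    and the walk continues one level up. The walk ends at the scheme prefix,
    on a 'no host given' error, or when the URL can no longer be shortened.
    """
    while True:
        try:
            domain = theurl.split("//")[-1].split("/")[0]
            try_folder_zip(theurl, domain)
            page = fetch_text(theurl)
            titles = TITLE_RE.findall(page)
            if titles:
                if titles[0].startswith('Index of'):
                    print("opendir," + theurl + "(" + titles[0] + ")")
                    scan_listing(theurl, domain, page)
                else:
                    print("webpage," + theurl + "(" + titles[0] + ")")
        except Exception as e:
            if "no host given" in str(e):
                return
            print("failedurl," + theurl + "(" + str(e) + ")")
        parent = PARENT_RE.sub('', theurl)
        # A URL with no '/' left cannot be shortened; stop instead of looping
        # forever on it. Reaching the bare scheme means the root was visited.
        if parent == theurl or parent.endswith('http:/') or parent.endswith('https:/'):
            return
        theurl = parent


def main():
    """Read urls.txt (one URL per line) and walk each URL up to its host root."""
    with open(filepath) as fp:
        for line in fp:
            if not line.strip():
                continue
            walk_up(normalize_url(line))


if __name__ == "__main__":
    main()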
Tuesday, January 9, 2018
Python script to Download Url Page Titles
from urllib.request import urlopen
import re
import sys
import os
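filepath = 'urls.txt'

# Case-sensitive, as in the original: only a lower-case <title> tag is matched.
TITLE_RE = re.compile(r'<title>(.*?)</title>')


def normalize_url(line):
    """Return the input line stripped of whitespace and given a scheme.

    Lines without one get https:// if they mention port 443, otherwise http://.
    Stripping matters: the raw line still carries its newline, which would
    otherwise end up inside the request URL and the printed output.
    """
    theurl = line.strip()
    if not theurl.startswith('http'):
        theurl = ('https://' if ':443' in theurl else 'http://') + theurl
    return theurl


def page_title(theurl):
    """Fetch *theurl* (3 s timeout) and return its first <title> text, or None.

    The body is decoded (undecodable bytes replaced) so the regex runs on the
    markup itself rather than on the repr of a bytes object.
    """
    with urlopen(theurl, timeout=3) as resp:
        page = resp.read().decode('utf-8', errors='replace')
    titles = TITLE_RE.findall(page)
    return titles[0] if titles else None


def main():
    """Print "<title>,<url>" for every URL in urls.txt, or "ERROR,<url>" on failure."""
    with open(filepath) as fp:
        for line in fp:
            if not line.strip():
                continue
            theurl = normalize_url(line)
            try:
                title = page_title(theurl)
            except Exception:
                # Narrowed from a bare except so Ctrl-C still stops the run.
                print("ERROR," + theurl)
                continue
            if title is not None:
                print(title + "," + theurl)


if __name__ == "__main__":
    main()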
----
Input is a text file with one URL per line.
----
sample results
import re
import sys
import os
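# urlopen is used below but is missing from this listing's imports.
from urllib.request import urlopen

filepath = 'urls.txt'

# Case-sensitive, as in the original: only a lower-case <title> tag is matched.
TITLE_RE = re.compile(r'<title>(.*?)</title>')


def normalize_url(line):
    """Return the input line stripped of whitespace and given a scheme.

    Lines without one get https:// if they mention port 443, otherwise http://.
    Stripping matters: the raw line still carries its newline, which would
    otherwise end up inside the request URL and the printed output.
    """
    theurl = line.strip()
    if not theurl.startswith('http'):
        theurl = ('https://' if ':443' in theurl else 'http://') + theurl
    return theurl


def page_title(theurl):
    """Fetch *theurl* (3 s timeout) and return its first <title> text, or None.

    The body is decoded (undecodable bytes replaced) so the regex runs on the
    markup itself rather than on the repr of a bytes object.
    """
    with urlopen(theurl, timeout=3) as resp:
        page = resp.read().decode('utf-8', errors='replace')
    titles = TITLE_RE.findall(page)
    return titles[0] if titles else None


def main():
    """Print "<title>,<url>" for every URL in urls.txt, or "ERROR,<url>" on failure."""
    with open(filepath) as fp:
        for line in fp:
            if not line.strip():
                continue
            theurl = normalize_url(line)
            try:
                title = page_title(theurl)
            except Exception:
                # Narrowed from a bare except so Ctrl-C still stops the run.
                print("ERROR," + theurl)
                continue
            if title is not None:
                print(title + "," + theurl)


if __name__ == "__main__":
    main()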
----
Input is a text file with one URL per line.
----
sample results