# Author: Jason Jones
########################################################################
# Copyright 2014
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
########################################################################
import argparse
import os
import string
import pefile
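def decrypt_str(encrypted_str, key_str):
    """Decrypt one DarkDDoser config field with the sample's rolling key schedule.

    Args:
        encrypted_str: the field text after the outer XOR unmasking done by
            extract(); it is walked one character at a time with ord().
        key_str: the config key (``--key``, default ``darkddoser``).

    Returns:
        A str of the same length as *encrypted_str*.

    The running state ``d`` is only ever updated from key characters, so the
    keystream depends on the key and the character position, not on the
    ciphertext; it is deliberately never reset between characters.  ``% 256``
    keeps the value inside chr() range because ``d`` grows without bound.
    """
    d = 0
    out = []
    for e in encrypted_str:
        # Fold the whole key into the state once per ciphertext character
        # (the original schedule: O(len(encrypted_str) * len(key_str))).
        for c in key_str:
            d = (ord(c) + d) ^ 9
        out.append(chr(((d >> 3) ^ ord(e)) % 256))
    # Join once instead of building the result with quadratic str +=.
    return ''.join(out)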
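def load_rsrc(pe):
    """Collect the RT_RCDATA resources of *pe*, keyed by resource name.

    Args:
        pe: a ``pefile.PE`` instance.

    Returns:
        dict mapping ``str(entry.name)`` to the raw data of that entry's first
        language sub-entry, sliced out of the memory-mapped image.  Empty when
        the file has no resource directory or no RT_RCDATA type; an entry whose
        ``.name`` is None would land under the key ``'None'``.
    """
    strs = {}
    # A PE without a resource section has no DIRECTORY_ENTRY_RESOURCE
    # attribute at all; report "nothing found" rather than raising
    # AttributeError up to the caller.
    res_dir = getattr(pe, 'DIRECTORY_ENTRY_RESOURCE', None)
    if res_dir is None:
        return strs
    rcd = pefile.RESOURCE_TYPE['RT_RCDATA']
    for entry in res_dir.entries:
        if entry.id != rcd:
            continue
        # Map the image once per type directory instead of once per entry.
        image = pe.get_memory_mapped_image()
        for e in entry.directory.entries:
            data_struct = e.directory.entries[0].data.struct
            data_rva = data_struct.OffsetToData
            strs[str(e.name)] = image[data_rva:data_rva + data_struct.Size]
        # Only the first RT_RCDATA type directory is consulted.
        break
    return strs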
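def extract(filename, rsrc_name, key):
    """Print the decrypted DarkDDoser configuration embedded in *filename*.

    Args:
        filename: path of the PE sample to inspect.
        rsrc_name: name of the RT_RCDATA resource that holds the config.
        key: decryption key handed to decrypt_str().

    The resource is unmasked with a single-byte XOR (0xBC), split on the
    ``[{#}]`` field separator and each field is passed through decrypt_str().
    Results are printed, never returned.  Any failure while parsing the file
    (malformed PE, missing resource directory, ...) is reported on stdout and
    then treated as "config not found" so a batch run keeps going.

    NOTE(review): the processing is str-based and relies on Python 2 semantics
    (the original used print statements); with bytes input the .find()/ord()
    calls would need a decode step - confirm before porting.
    """
    decrypted = []
    try:
        pe = pefile.PE(filename)
        crypted_config = load_rsrc(pe).get(rsrc_name, '')
        if crypted_config and crypted_config.find('[{#}]') != -1:
            for crypt_str in crypted_config.split('[{#}]'):
                # Strip the outer mask before applying the real key schedule.
                unmasked = ''.join([chr(ord(c) ^ 0xbc) for c in crypt_str])
                decrypted.append(decrypt_str(unmasked, key))
    except Exception as e:
        # Print the concrete exception class; the original formatted the
        # bare 'Exception' type for every failure, hiding what went wrong.
        print('[+] %s: %s' % (type(e).__name__, e))

    if not decrypted:
        print('[+] Could not locate encrypted config')
        return

    # Validate every field we are about to print *before* printing anything,
    # so a wrong key or a short config cannot leave half a report behind.
    # Field layout as used by this extractor: 0 host, 1 port, 2 server,
    # 4 mutex, 6 service name, 7 install, 8 version.
    try:
        port_str = decrypted[1]
        int(port_str)  # a non-numeric port means the decrypt did not succeed
        host, server = decrypted[0], decrypted[2]
        mutex, service = decrypted[4], decrypted[6]
        install, version = decrypted[7], decrypted[8]
    except (IndexError, ValueError):
        # Too few fields or a non-numeric port: wrong key/resource or a
        # different family.  Narrowed from a bare except that also ate
        # KeyboardInterrupt.
        print('[+] Filename: %s' % filename)
        print('[+] Did not successfully decrypt config')
        return

    print('[+] Filename: %s' % filename)
    print('[+] CnC: %s:%s' % (host, port_str))
    print('[+] Server: %s' % server)
    print('[+] Version: %s' % version)
    print('[+] Mutex: %s' % mutex)
    print('[+] Install: %s' % install)
    print('[+] Service Name: %s' % service)
    print('')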
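def main():
    """Command-line entry point: decode every sample named on the command line.

    Options:
        filenames   one or more executables to inspect (required).
        --resource  name of the RT_RCDATA resource holding the config
                    (default ``BUBZ``).
        --key       decryption key for the config (default ``darkddoser``).
    """
    parser = argparse.ArgumentParser(description='Extract configuration data from DarkDDoser')
    parser.add_argument('filenames', nargs='+', help='Executables to extract configuration from')
    parser.add_argument('--resource', default='BUBZ', help='Custom resource string name where encrypted config is kept')
    parser.add_argument('--key', default='darkddoser', help='Custom encryption key for encrypted config')
    args = parser.parse_args()
    if args.filenames:
        for filename in args.filenames:
            extract(filename, args.resource, args.key)
    else:
        # nargs='+' makes argparse reject an empty list before we get here,
        # so this branch is defensive only.  It used to call args.usage(),
        # which does not exist on a Namespace and would have raised.
        parser.print_usage()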
if __name__ == "__main__":
    # Run the CLI only when executed as a script, not when imported
    # (e.g. to reuse decrypt_str/load_rsrc from another decoder).
    main()