Binary XOR decoder
May 1, 2012
Handy if you have a few binaries to reverse and need a quick and dirty way to XOR them with a given key.
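"""Quick XOR decoder for binaries obfuscated with a short repeating key.

Usage: ``./xor_decode.py <FILE_PATH> <key>`` where the key is a comma
separated list of byte values such as ``0xAA,0x00,0xAB``.  The decoded
bytes are written next to the input as ``<FILE_PATH>.decoded``.

Written to run under both Python 2 and Python 3: every print call takes a
single argument and all byte handling goes through bytearray.
"""
import sys


def _banner():
    """Print the usage banner (kept out of import time so the module can be reused)."""
    print("[+] XOR binary decoder by Y")
    print("[+] Will perform an XOR decode on files given spcified key")
    print("[+] contact : If you know me then give me a shout")
    print("[+] usage: ./xor_decode.py <FILE_PATH> <key>")
    print("[+] example: ./xor_decode.py binary.bin 0xAA,0x00,0xAB")
    print("\n")


def parse_key(key):
    """Turn the key argument into a list of byte values (0..255).

    Accepts the command-line form ``"0xAA,0x00,0xAB"`` (each token is read
    with ``int(tok, 0)``, so hex and decimal both work), a single int, or
    any iterable of ints.

    Raises ValueError when the key is empty or a value is outside 0..255.
    The original script wrapped the raw argv string in a one-element list,
    which made ``ord(byte) ^ key`` a TypeError on the first byte.
    """
    if isinstance(key, int):
        values = [key]
    elif isinstance(key, (str, bytes)):
        values = [int(tok.strip(), 0) for tok in key.split(",") if tok.strip()]
    else:
        values = [int(v) for v in key]
    if not values:
        raise ValueError("key must contain at least one byte")
    bad = [v for v in values if not 0 <= v <= 255]
    if bad:
        raise ValueError("key bytes must be in 0..255, got %r" % (bad,))
    return values


def decode(xored_file, key, offset=0):
    """XOR every byte of *xored_file* from *offset* onward with the repeating *key*.

    The result is written to ``<xored_file>.decoded`` and that path is
    returned (the original returned None).  *key* is anything parse_key()
    accepts.  The first *offset* bytes are skipped and not copied; the key
    index restarts at zero at *offset*.  The original hard-coded 11 here,
    which the usage text never mentions, so the default is 0 (decode the
    whole file).

    Raises ValueError for a bad key or negative offset, and IOError/OSError
    if the input cannot be read or the output cannot be written.
    """
    if offset < 0:
        raise ValueError("offset must be >= 0")
    key_bytes = parse_key(key)
    key_len = len(key_bytes)
    with open(xored_file, "rb") as fh:
        data = bytearray(fh.read())
    # bytearray yields ints on both interpreters, so no ord()/chr() dance and
    # no quadratic str concatenation.  An empty or fully skipped file simply
    # produces an empty output.
    decoded = bytearray(
        b ^ key_bytes[i % key_len] for i, b in enumerate(data[offset:])
    )
    out_name = xored_file + ".decoded"
    with open(out_name, "wb") as out:
        out.write(decoded)
    return out_name


def main(argv=None):
    """Command-line entry point; returns a process exit code."""
    argv = sys.argv[1:] if argv is None else argv
    _banner()
    if len(argv) != 2:
        print("[-] expected exactly two arguments: <FILE_PATH> <key>")
        return 2
    out_name = decode(argv[0], argv[1])
    print("[+] Decoded output written to: %s" % out_name)
    return 0


if __name__ == "__main__":
    sys.exit(main())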
Alternate Data Streams File Hider In Python
February 13, 2012
Alternate Data Streams (ADS) are a nice little feature of the NTFS file system that in practice allow hiding files in one of the ‘streams’ NTFS must support. In practice, there are not many anti-viruses that check such streams, so it may sometimes be handy to launch a new process from an ADS that won’t be picked up by the ‘on-access’ scan engine. The code below uses the Windows API (kernel32.dll again) to find static drives and write a file to an ADS.
Steps to follow:
1) Enumerate all the partitions
2) Check for static drive
3) Get the list of the first 1000 files
4) Select 1 of the files from the list
5) Use it to write to ADS
NOTE: ADS does not survive compression or many other file operations, so once in place it can only be copied to other locations.
# Python 2 script: copies a file into an NTFS alternate data stream attached
# to a randomly chosen file on a randomly chosen fixed drive.
#
# Defender notes: the stream is created through cmd.exe ("type src > file:stream",
# see write()), so the cmd.exe process and the stream creation itself are the
# observable events -- Sysmon Event ID 15 (FileCreateStreamHash) records new
# streams, and "dir /r" or PowerShell "Get-Item -Stream *" list the streams
# already on a file.  Copying or compressing the host file drops the stream.
print "[+] Advance Data Stream Hider by Y"
print "[+] Will hide selected file in random ADS on the writable drive"
print "[+] contact : If you know me then give me a shout"
print "[+] usage: ./ads_hide.py <FILE_PATH>"
print "\n"
# define imports
import ctypes
import os
import random
import stat
import string
import sys.argv
#define kernel32 dll
kernel32 = ctypes.windll.kernel32

def getDrives():
    # Build a list of drive roots ("B:\" .. "Z:\") from the GetLogicalDrives()
    # bitmask; bit N stands for drive letter 'A' + N.  Bit 0 (A:) is never
    # tested because the loop starts at 1.
    print "[+] Enumerating the list of current partitions"
    drivebits=kernel32.GetLogicalDrives()
    partition_list = list()
    for drives in range(1,26):
        mask=1 << drives
        if drivebits & mask:
            drive_letter='%c:\\' % chr(ord('A')+drives)
            partition_list.append(drive_letter)
            print "\t[+]Found drive: %s" % drive_letter
    return partition_list

def getDriveInfo(drives):
    # Keep only drives whose GetDriveTypeA() result is 3 (DRIVE_FIXED per the
    # comment below); removable, remote and other types are dropped.
    clean_list = list()
    for dx in drives:
        t = kernel32.GetDriveTypeA(dx)
        if t == 3:
            print "\t[+] Found Fixed Drive : " , dx
            # if we have DRIVE_FIXED
            clean_list.append(dx)
        elif t == 4:
            # its DRIVE_REMOTE
            # <- this is good for viruses
            pass
        else:
            # dont append any other type of drive
            pass
    return clean_list

def genRandomPath(drive):
    # enumerate and return random path from the drive ( limit to 1000 possible variants for speed )
    # Walks the drive and returns the first 1000 file paths found.  If the
    # walk ends before 1000 files are seen the function falls off the end and
    # returns None, which selectRandomPath() then indexes -> TypeError.
    counter = 0
    list_dirs = list()
    for dirname, dirnames, filenames in os.walk(drive):
        for nm in filenames:
            list_dirs.append(os.path.join(dirname, nm))
            counter +=1
            if counter == 1000:
                return list_dirs
            else:
                continue

def getRandomDrive(list_writable_drives):
    # Pick one drive at random; randrange(0, 0) raises ValueError when no
    # fixed drive was found.  Note the local named "int" shadows the builtin.
    print "[+] Selecting Partition"
    size = len(list_writable_drives)
    int = random.randrange(0,size)
    return list_writable_drives[int]

def selectRandomPath(limit,list):
    # Pick an index below `limit` (always 1000 at the call sites) rather than
    # below len(list), so a shorter list can raise IndexError.  The parameter
    # named "list" shadows the builtin.
    print "[+] Choosing $PATH"
    int = random.randrange(0,limit)
    return list[int]

def isFileWritable(filepath):
    # Tests only the group-write bit of st_mode; NOTE(review): how that bit is
    # populated for NTFS ACLs on Windows is not established here -- confirm.
    print "[+] Checking File Write Permission"
    st = os.stat(filepath)
    return bool(st.st_mode & stat.S_IWGRP )

def write(file,path):
    # Copy `file` into a stream named "<random 4-19 chars>.<extension>" on the
    # host file `path` by shelling out to cmd.exe.  The unpack below requires
    # exactly one "." in the file name (ValueError otherwise), the command
    # string is built unquoted so paths containing spaces break, and the
    # os.popen() result is never read, so failures are silent.
    filename,extension = str(file).split(".")
    name = ''.join(random.choice(string.ascii_uppercase + string.digits + string.lowercase) for x in range(random.randrange(4,20)))
    const = str(name)+"."+str(extension)
    command = "type %s > %s:%s" % (file,path,const)
    os.popen(command)
    l = str(path)+":"+str(const)
    print "[+] File Hidden In: %s" % l

def ADS_HIDE(FILE_PATH):
    # Orchestrates the steps listed in the post: enumerate drives, keep fixed
    # ones, pick one, pick one of its first 1000 files and write the stream.
    drives = getDrives()
    print "[+] Checking Drive Type"
    list_to_write = getDriveInfo(drives)
    drive_to_search = getRandomDrive(list_to_write)
    print "[+] Constructing ADS"
    # first attempt to get files
    path = selectRandomPath(1000,genRandomPath(drive_to_search))
    # check permissions on the file
    if (isFileWritable(path) == True):
        print "[+] Writing to ADS"
        write(FILE_PATH,path)
    else:
        # select another path from the list
        # The second pick re-walks the drive and is written to without a
        # repeated writability check.
        path = selectRandomPath(1000,genRandomPath(drive_to_search))
        print "[+] Writing to ADS"
        write(FILE_PATH,path)

FILE = str(sys.argv[1])
ADS_HIDE(FILE)
Again, this code is here for educational purposes only.