喜歡 0
分支 0

最後活躍 6 months ago

go prog to extract EXE from GIF as Trojan-Ransom.Win32.Foreign did

GIF Malware

scusi 已修改 6 months ago. 還原成這個修訂版本

1 file changed, 2 insertions

gifExeExtract.go

@@ -1,3 +1,5 @@
1 + ## see also https://0x41414141.de/blog/2017-03-30-trojan-ransom.win32.foreign-hides-payload-exe-in-gif-file/
2 + #
1 3 package main
2 4
3 5 import (

scusi 已修改 6 months ago. 還原成這個修訂版本

沒有任何變更

Florian Walther 已修改 8 years ago. 還原成這個修訂版本

1 file changed, 105 insertions

gifExeExtract.go(檔案已創建)

@@ -0,0 +1,105 @@
1 + package main
2 +
3 + import (
4 + "bufio"
5 + "bytes"
6 + "container/ring"
7 + "encoding/hex"
8 + "flag"
9 + "fmt"
10 + "io/ioutil"
11 + "log"
12 + "os"
13 + )
14 +
15 + var inFile string
16 +
17 + func init() {
18 + flag.StringVar(&inFile, "in", "", "path to input file")
19 + }
20 +
21 + func check(err error) {
22 + if err != nil {
23 + log.Fatal(err)
24 + }
25 + }
26 +
27 + func main() {
28 + // parse flags
29 + flag.Parse()
30 + // check if inputFile is given
31 + if inFile == "" {
32 + err := fmt.Errorf("no input file given")
33 + check(err)
34 + }
35 + // determine fileSize of inputFile
36 + var fileSize int64
37 + file, err := os.Open(inFile)
38 + check(err)
39 + fi, err := file.Stat()
40 + check(err)
41 + fileSize = fi.Size()
42 +
43 + var offset int64
44 + var bytesRead int
45 +
46 + // extract XOR key
47 + keyBuf := make([]byte, 256)
48 + offset, err = file.Seek(10, 0)
49 + check(err)
50 + bytesRead, err = file.Read(keyBuf)
51 + check(err)
52 + log.Printf("read %d at offset %d into keyBuf\n", bytesRead, offset)
53 + log.Println("Key extracted is:")
54 + d := hex.Dumper(os.Stdout)
55 + defer d.Close()
56 + d.Write(keyBuf)
57 + err = ioutil.WriteFile("key", keyBuf, 0755)
58 + check(err)
59 + log.Printf("key was written to the file 'key'\n")
60 +
61 + // extract encrypted EXE from inFile
62 + encBlockSize := fileSize - 10 - 256 - 266
63 + encBlockBuf := make([]byte, encBlockSize)
64 + offset, err = file.Seek(266, 0)
65 + check(err)
66 + bytesRead, err = file.Read(encBlockBuf)
67 + check(err)
68 + log.Printf("read %d at offset %d into encBlockBuf\n", bytesRead, offset)
69 +
70 + // extract last block from inFile
71 + lastBlockBuf := make([]byte, 266)
72 + offset, err = file.Seek(-532, 2)
73 + check(err)
74 + bytesRead, err = file.Read(lastBlockBuf)
75 + check(err)
76 + log.Printf("read %d at offset %d into lastBlock\n", bytesRead, offset)
77 + // xor encBlockBuf with XOR key
78 + decBlock := XOR(encBlockBuf, keyBuf)
79 + // decBlock = append(decBlock, lastBlockBuf)
80 + var exeBuf bytes.Buffer
81 + w := bufio.NewWriter(&exeBuf)
82 + w.Write(decBlock)
83 + w.Write(lastBlockBuf)
84 + w.Flush()
85 + // write exe file out
86 + err = ioutil.WriteFile("exe", exeBuf.Bytes(), 0755)
87 + check(err)
88 + log.Printf("wrote output to file 'exe'\n")
89 + }
90 +
91 + // XOR implements a rolling xor where the key size is allowed not to be the same size as the data
92 + func XOR(data, key []byte) []byte {
93 + // setup ring buffer with key data
94 + r := ring.New(len(key))
95 + for i := 0; i < r.Len(); i++ {
96 + r.Value = key[i]
97 + r = r.Next()
98 + }
99 + // do the actual xor operation
100 + for i := 0; i < len(data); i++ { // foreach byte of data
101 + data[i] = r.Value.(byte) ^ data[i] // xor data byte with current ring element
102 + r = r.Next() // move ring forward
103 + }
104 + return data
105 + }
上一頁 下一頁

Opengist 提供支持 Load: 30ms

繁體中文