dns_xor.go
· 1.4 KiB · Go
Bruto
// domain data encoding/decoding algo for FrameworkPOS Malware DNS-Tunneling Variant,
// as described on:
// https://blog.gdata.de/artikel/neue-variante-von-frameworkpos-schoepft-daten-ueber-dns-anfragen-ab/
//
package main
import(
"fmt"
"os"
"encoding/hex"
"flag"
)
const A = 0xAA
const B = 0x9B
const C = 0xC3
var op string
var in string
func init(){
flag.StringVar(&op, "op", "decode", "operation to perform: 'encode' or 'decode', default is 'decode'")
flag.StringVar(&in, "in", "", "Inputstring to perform choosen operation on")
}
// decode - decodes single values from dns queries into cleartext
func decode(data []byte)(result []byte){
for _, v := range data {
a := v ^ A
b := a ^ B
result = append(result, b ^ C)
}
return result
}
// encode - encodes cleartext values to be used in dns queries
func encode(data []byte)(result []byte) {
for _, v := range data {
b := v ^ C
a := b ^ B
result = append(result, a ^ A)
}
return result
}
func main(){
flag.Parse()
input := []byte(in)
switch {
case op == "encode":
encoded := encode(input)
fmt.Printf("%s %x\n", input, string(encoded))
case op == "decode":
data, err := hex.DecodeString(string(input))
if err != nil {
panic(err)
}
decoded := decode(data)
fmt.Printf("%x %s\n", data, string(decoded))
default:
prog := os.Args[0]
fmt.Printf("For USAGE INFO call: '%s -h'\n", prog)
}
}
| 1 | // domain data encoding/decoding algo for FrameworkPOS Malware DNS-Tunneling Variant, |
| 2 | // as described on: |
| 3 | // https://blog.gdata.de/artikel/neue-variante-von-frameworkpos-schoepft-daten-ueber-dns-anfragen-ab/ |
| 4 | // |
| 5 | |
| 6 | package main |
| 7 | |
| 8 | import( |
| 9 | "fmt" |
| 10 | "os" |
| 11 | "encoding/hex" |
| 12 | "flag" |
| 13 | ) |
| 14 | |
| 15 | const A = 0xAA |
| 16 | const B = 0x9B |
| 17 | const C = 0xC3 |
| 18 | |
| 19 | var op string |
| 20 | var in string |
| 21 | |
| 22 | func init(){ |
| 23 | flag.StringVar(&op, "op", "decode", "operation to perform: 'encode' or 'decode', default is 'decode'") |
| 24 | flag.StringVar(&in, "in", "", "Inputstring to perform choosen operation on") |
| 25 | } |
| 26 | |
| 27 | // decode - decodes single values from dns queries into cleartext |
| 28 | func decode(data []byte)(result []byte){ |
| 29 | for _, v := range data { |
| 30 | a := v ^ A |
| 31 | b := a ^ B |
| 32 | result = append(result, b ^ C) |
| 33 | } |
| 34 | return result |
| 35 | } |
| 36 | |
| 37 | // encode - encodes cleartext values to be used in dns queries |
| 38 | func encode(data []byte)(result []byte) { |
| 39 | for _, v := range data { |
| 40 | b := v ^ C |
| 41 | a := b ^ B |
| 42 | result = append(result, a ^ A) |
| 43 | } |
| 44 | return result |
| 45 | } |
| 46 | |
| 47 | func main(){ |
| 48 | flag.Parse() |
| 49 | input := []byte(in) |
| 50 | |
| 51 | switch { |
| 52 | case op == "encode": |
| 53 | encoded := encode(input) |
| 54 | fmt.Printf("%s %x\n", input, string(encoded)) |
| 55 | case op == "decode": |
| 56 | data, err := hex.DecodeString(string(input)) |
| 57 | if err != nil { |
| 58 | panic(err) |
| 59 | } |
| 60 | decoded := decode(data) |
| 61 | fmt.Printf("%x %s\n", data, string(decoded)) |
| 62 | default: |
| 63 | prog := os.Args[0] |
| 64 | fmt.Printf("For USAGE INFO call: '%s -h'\n", prog) |
| 65 | } |
| 66 | } |