- #!/usr/bin/python
- # ZBot (Citadel/Ice IX) config extractor, written in python2
- # Written by aaSSfxxx
- # WARNING: this code is fragile: it locates the CALL opcodes by a naive byte search
- # and relies on fixed offsets, so it may crash or find nothing on other builds.
- # In that case, reverse the bot manually.
- import pefile
- import sys
- import struct
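def find_str(str):
    """Return the prefix of *str* up to, but not including, the first NUL.

    Accepts a text string, or bytes / bytearray (on Python 3 iterating those
    yields ints, which the original ``ord()`` call could not handle).  The
    result has the same type as the input; if there is no NUL the whole
    input is returned.  The parameter keeps its original name ``str`` so
    the call interface is unchanged; the builtin is shadowed only here.
    """
    for idx, ch in enumerate(str):
        code = ch if isinstance(ch, int) else ord(ch)
        if code == 0:
            # Slice instead of building the result with += (quadratic).
            return str[:idx]
    return str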
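def get_first_far_call_rel(str):
    """Return the target of the first ``CALL rel32`` (opcode E8) in *str*.

    The result is an offset relative to the start of *str* (the rel32 is
    relative to the end of the 5-byte instruction, hence ``+ 5``).  Despite
    the name, E8 is a near relative call.  *str* is bytes (a str on
    Python 2); this is a plain byte search, so an E8 inside an immediate
    or a displacement is matched too -- check the result against a
    disassembly when in doubt.

    Raises ValueError when no complete E8 instruction is in the buffer;
    the original silently unpacked garbage from offset -1 in that case.
    The rel32 is read as an explicit little-endian 32-bit value: the
    original native ``"l"`` format is 8 bytes on LP64 platforms and made
    struct.unpack fail there.
    """
    calloff = str.find(b"\xe8")
    if calloff < 0 or calloff + 5 > len(str):
        raise ValueError("no complete E8 call instruction found in buffer")
    rel32 = struct.unpack("<i", str[calloff + 1:calloff + 5])[0]
    return calloff + 5 + rel32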
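def find_real_ep(ep, image=None):
    """Follow ``JMP rel32`` (opcode E9) trampolines from *ep* and return the
    first offset that does not hold one.

    Citadel places a ``jmp start_0`` at the PE entry point, so the code
    that matters starts at the jump target; several chained jumps are
    followed.  *image* is the memory-mapped image (bytes, or a str on
    Python 2); when it is None the module-level ``mem`` set by the script
    body is used, as in the original.

    Raises ValueError if *ep* leaves the image, the jump is truncated, or
    the chain loops (the original recursed forever on ``jmp $``).  The
    rel32 is read as an explicit little-endian 32-bit value; the native
    ``"l"`` format of the original is 8 bytes on LP64 platforms.
    """
    buf = mem if image is None else image
    seen = set()
    while True:
        if ep < 0 or ep >= len(buf):
            raise ValueError("entry point 0x%x lies outside the mapped image" % ep)
        # Slice comparison works on both py2 str and py3 bytes/bytearray.
        if buf[ep:ep + 1] != b"\xe9":
            return ep
        if ep in seen or ep + 5 > len(buf):
            raise ValueError("jmp chain at 0x%x loops or is truncated" % ep)
        seen.add(ep)
        rel32 = struct.unpack("<i", buf[ep + 1:ep + 5])[0]
        # Target is relative to the end of the 5-byte instruction.
        ep = ep + 5 + rel32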
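# --- script body --------------------------------------------------------------
# Runs at import time like the original; `mem` stays a module-level global
# because find_real_ep() reads it.
if len(sys.argv) != 2:
    sys.stderr.write("usage: %s <zbot_sample>\n" % sys.argv[0])
    sys.exit(1)

# The sample is hostile input.  Nothing here executes it, but pefile can
# still choke on a deliberately malformed header -- report that instead of
# dumping a traceback, and run this inside an isolated analysis VM anyway.
try:
    malw = pefile.PE(sys.argv[1])
except pefile.PEFormatError as exc:
    sys.stderr.write("not a parseable PE file: %s\n" % exc)
    sys.exit(1)

if len(malw.sections) < 3:
    sys.stderr.write("expected at least 3 sections, found %d\n" % len(malw.sections))
    sys.exit(1)

# The XOR key ("botkey") is taken from the start of the third section.  That
# is a fixed convention of this tool, not something read from the sample --
# verify it against the binary if no URLs come out.
botkey = malw.sections[2].VirtualAddress
mem = malw.get_memory_mapped_image()
image_size = len(mem)

try:
    # Skip the "jmp start_0" trampoline Citadel puts at the entry point.
    ep = find_real_ep(malw.OPTIONAL_HEADER.AddressOfEntryPoint)
    # First CALL within 50 bytes of the EP -> bot init function.
    initfunc = get_first_far_call_rel(mem[ep:ep + 50]) + ep
    # First CALL in initfunc+0x2d0..+0x300 -> config grabber (Ice IX and
    # Citadel).  This fixed offset is the most likely thing to break on a
    # build the author did not look at.
    grabconffunc = get_first_far_call_rel(mem[initfunc + 0x2d0:initfunc + 0x300]) + initfunc + 0x2d0
except (ValueError, struct.error, IndexError) as exc:
    sys.stderr.write("could not locate the config grabber: %s\n" % exc)
    sys.exit(1)

if grabconffunc < 0 or grabconffunc + 12 > image_size:
    sys.stderr.write("config grabber at 0x%x lies outside the image\n" % grabconffunc)
    sys.exit(1)

# Two imm32 operands in the grabber prologue: config length at +2 and the
# virtual address of the encrypted config at +8.  Read them as explicit
# little-endian 32-bit values; the original native "L" format is 8 bytes on
# LP64 platforms and made struct.unpack fail there.  The VA is turned into
# an RVA by subtracting ImageBase (the image is mapped at RVA 0).
conf_len = struct.unpack("<I", mem[grabconffunc + 2:grabconffunc + 6])[0]
confaddr = struct.unpack("<I", mem[grabconffunc + 8:grabconffunc + 12])[0] - malw.OPTIONAL_HEADER.ImageBase

# Both the config and conf_len bytes of key must lie inside the image; the
# values come from the sample, so do not trust them.
if confaddr < 0 or confaddr + conf_len > image_size or botkey + conf_len > image_size:
    sys.stderr.write("config (rva 0x%x, %d bytes) or its key does not fit in the image\n"
                     % (confaddr, conf_len))
    sys.exit(1)

# Decrypt: byte-wise XOR of the config with the key.  bytearray makes the
# same code work on a Python 2 str image and a Python 3 bytes image.
config = bytearray(mem[confaddr:confaddr + conf_len])
key = bytearray(mem[botkey:botkey + conf_len])
safe = bytearray(c ^ k for c, k in zip(config, key)).decode("latin-1")

# Print every NUL-terminated string that starts with "http" (100 chars max).
offset = safe.find("http")
while offset != -1:
    print(find_str(safe[offset:offset + 100]))
    safe = safe[offset + 5:]
    offset = safe.find("http")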