  1. #!/usr/bin/python
  2. # [ pyexedump.py ]
  3. #
  4. # By Neil Archibald
  5. #
  6.  
import hashlib
import md5
import mmap
import sys

import pefile
import yara
  12.  
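class exedump(object):
    """Locate, carve and dump a PE file embedded inside another file.

    The carrier file is scanned with a YARA rule for the DOS-stub banner
    ("This program cannot be run in DOS mode"). The MZ header is assumed to
    sit MZSIZE bytes in front of that banner, which is where the stub most
    linkers emit places it; a non-standard stub gives a wrong offset.
    Typical call order: has_pe() -> find_pe() -> parse_pe() -> write_pe().
    """

    # YARA source shared by all instances; compiled per instance in __init__.
    __srch = """
rule exe_drop
{
strings:
$a = "This program cannot be run in DOS mode"
condition:
all of them
}
"""

    # Distance (0x4E) from the start of the MZ header to the banner string
    # in the standard DOS stub.
    MZSIZE = 78

    def __init__(self, search_file):
        """Compile the rule and scan *search_file* (a path) for the banner.

        Only the scan happens here; nothing is parsed or written until
        parse_pe() / write_pe() are called.
        """
        self.__offset = None     # file offset of the MZ header, set by find_pe()
        self.__pe = None         # pefile.PE object, set by parse_pe()
        self.__pe_size = None    # carved size in bytes, set by __set_pe_size()
        self.__map = None        # carved bytes, set by parse_pe()
        self.__rules = yara.compile(source=exedump.__srch)
        self.__search_file = search_file
        self.__matches = self.__rules.match(self.__search_file)

    def __set_pe_size(self):
        """Store in __pe_size the end of the last section's raw data.

        Data after the last section (an overlay) is not counted; a PE with
        no sections yields 0. Requires parse_pe() to have set __pe.
        """
        largest = 0
        for section in self.__pe.sections:
            end = section.PointerToRawData + section.SizeOfRawData
            largest = max(largest, end)
        self.__pe_size = largest

    def has_pe(self):
        """Return True when the YARA scan produced at least one match."""
        return bool(self.__matches)

    def find_pe(self):
        """Return the file offset of the embedded MZ header, or None.

        Uses the first string hit of the first match. Returns None when
        there is no match, or when the banner sits closer than MZSIZE bytes
        to the start of the file (no room for an MZ header in front of it).
        The offset is cached in __offset for parse_pe().
        """
        if not self.has_pe():
            return None
        hit = self.__matches[0].strings[0]
        try:
            # older yara-python: strings are (offset, identifier, data) tuples
            banner_offset = hit[0]
        except TypeError:
            # yara-python >= 4.3: StringMatch objects with .instances
            banner_offset = hit.instances[0].offset
        offset = banner_offset - exedump.MZSIZE
        if offset < 0:
            return None
        self.__offset = offset
        return self.__offset

    def parse_pe(self):
        """Parse the embedded PE and carve it out of the carrier file.

        Returns the carved size in bytes, or None when no PE was located.
        Raises pefile.PEFormatError when the data at the offset is not a PE;
        in that case __map is left untouched so write_pe() writes nothing.
        Afterwards __map holds the bytes from the MZ header through the end
        of the last section and __pe the parsed pefile.PE object.
        """
        if self.__offset is None and self.find_pe() is None:
            return None

        # Map read-only: the carrier is only read, and a sample under
        # analysis should not be mapped writable. The mapping is released
        # as soon as the tail has been copied out.
        with open(self.__search_file, 'rb') as fp:
            mapping = mmap.mmap(fp.fileno(), 0, access=mmap.ACCESS_READ)
            try:
                tail = mapping[self.__offset:]
            finally:
                mapping.close()

        self.__pe = pefile.PE(data=tail)
        self.__set_pe_size()
        self.__map = tail[:self.__pe_size]  # drop whatever follows the last section
        return self.__pe_size

    def write_pe(self, filename=None):
        """Write the carved bytes to *filename* and return the path used.

        Returns None when parse_pe() has not produced any data. Without a
        *filename*, gen_filename() is used, so the file lands in the current
        directory under its MD5 name.
        """
        if not self.__map:
            return None
        if not filename:
            filename = self.gen_filename()
        with open(filename, "wb") as fp:
            fp.write(self.__map)
        return filename

    def gen_filename(self):
        """Return "<md5 hex of the carved bytes>.exe"; needs parse_pe() first.

        hashlib.md5 yields the same digest as the legacy md5 module, so
        generated names are unchanged.
        """
        return hashlib.md5(self.__map).hexdigest() + ".exe"

    def get_filesize(self):
        """Return the carved size in bytes, or None before parse_pe().

        The size is computed lazily from the parsed PE when not cached.
        __set_pe_size() stores its result itself and returns None, so its
        return value must not be assigned to __pe_size.
        """
        if self.__pe_size is None:
            if self.__pe is None:
                return None
            self.__set_pe_size()
        return self.__pe_size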
  94.  
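def main(argv):
    """Command-line entry point: carve the first embedded PE out of argv[1].

    Exits with status 1 on bad usage, when no embedded executable is
    detected, or when the data at the located offset does not parse as a
    PE. The carved file is written to the current directory under its
    MD5-derived name.
    """
    if len(argv) != 2:
        print("usage: %s <input_file>\n" % argv[0])
        sys.exit(1)

    ed = exedump(argv[1])
    if not ed.has_pe():
        print("[!] error: no embedded executable file detected")
        sys.exit(1)

    print("[+] Searching for embedded EXE file in: %s" % argv[1])

    offset = ed.find_pe()
    if offset is None:
        print("[!] error: banner found but no room for an MZ header before it")
        sys.exit(1)
    print("[+] Found file embedded EXE at offset: 0x%x" % offset)

    # The bytes at the offset may not be a parseable PE (truncated or
    # corrupted sample); report that instead of dying with a traceback.
    try:
        file_size = ed.parse_pe()
    except pefile.PEFormatError as err:
        print("[!] error: data at offset 0x%x is not a valid PE: %s" % (offset, err))
        sys.exit(1)
    print("[+] Size of PE file: 0x%x bytes." % file_size)

    exefilename = ed.gen_filename()
    print("[+] Writing out exe file to: %s." % exefilename)
    ed.write_pe(exefilename)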
  122.  
if __name__ == "__main__":
    # Script entry: main() receives the full argv, program name included.
    main(sys.argv)