waliedassar

RunPE Embedded Executable Extractor

Apr 22nd, 2015
  1. # Script used to extract embedded executable inside a RunPE executable.
  2. # Blog Post: http://middleeastmalware.blogspot.com/2015/04/cyber-attack-7.html
  3. import sys,os,time
  4.  
def IsNonHexChar(CharX):
    """Tell whether CharX is anything other than one hexadecimal digit.

    Returns False only when CharX equals one of "0"-"9", "a"-"f" or "A"-"F".
    Every other value (the empty string, a multi-character string, a
    newline, ...) yields True.
    """
    # A tuple, not a string: `in` on a string is a substring test and would
    # treat "" or "12" as hex, which the element-wise comparison does not.
    HexDigitsX = tuple("0123456789AaBbCcDdEeFf")
    return CharX not in HexDigitsX
  9.  
  10.  
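def Hexify(StuffX):
    """Decode the hex digits found in StuffX into raw bytes.

    StuffX is scanned left to right. A character that is not a hex digit is
    dropped together with the character that follows it. The remaining
    digits are paired in order and each pair becomes one byte; a trailing
    unpaired digit is discarded.

    Returns the decoded byte string (empty when no complete pair was found),
    or None after printing a message when StuffX itself is empty.
    """
    # Function-scope import so this block does not depend on the file header.
    import binascii

    if len(StuffX) == 0:
        print("File is empty\r\n")
        return

    SkipNext = False
    HexDigits = []
    for X in StuffX:
        if SkipNext:
            # Second half of a junk pair: drop it and resume normal scanning.
            SkipNext = False
            continue
        if IsNonHexChar(X):
            SkipNext = True
            continue
        HexDigits.append(X)

    # An odd count leaves one digit that never formed a byte.
    if len(HexDigits) % 2:
        HexDigits.pop()

    # Decode with unhexlify rather than building a "\xNN" literal and passing
    # it to eval(): the text comes from a malware sample, and it should never
    # reach the interpreter even though the filter above only lets hex digits
    # through. unhexlify also returns bytes, which is what the binary output
    # file expects.
    return binascii.unhexlify("".join(HexDigits))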
  40.  
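def RevvAndThenHexify(InputFileX):
    """Reverse each line of InputFileX, hex-decode it and append it to result.txt.

    Prints a message and returns without writing anything when the input
    file is missing or empty. Otherwise every line is stripped of trailing
    CR/LF, reversed, passed to Hexify, and the decoded bytes are written in
    order to "result.txt" in the current working directory (an existing file
    of that name is overwritten).

    NOTE(review): per the header of this script the decoded output is the
    executable embedded in the sample, despite the .txt name; handle
    result.txt as a live sample and keep it in the analysis environment.
    """
    if not os.path.exists(InputFileX):
        print("File does not exist\r\n")
        return

    # Context managers close both files even if decoding raises part-way.
    with open(InputFileX, "r") as fIn:
        contentX = fIn.read()
        if len(contentX) == 0:
            print("File is empty\r\n")
            return
        print("Processing input of length " + str(len(contentX)))

        # Rewind and iterate the same handle instead of opening the file twice.
        fIn.seek(0)
        with open("result.txt", "wb") as fOut:
            for LinX in fIn:
                # rstrip("\r\n") removes any trailing run of CR and LF.
                ReversedX = LinX.rstrip("\r\n")[::-1]
                print(len(ReversedX))
                Hexified = Hexify(ReversedX)
                if Hexified is None:
                    # Hexify returns None for a blank line; len(None) used to
                    # abort the run here and leave a truncated result.txt.
                    continue
                print("Line of Length: " + str(len(Hexified)))
                fOut.write(Hexified)
    return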
  67.  
def main():
    """Command-line entry point: takes exactly one argument, the input text file.

    Exits with status 0 after processing, or prints the usage line and exits
    with status -1 when the argument count is wrong.
    """
    if len(sys.argv) == 2:
        RevvAndThenHexify(sys.argv[1])
        sys.exit(0)

    print("Usage: Hexify.py input.txt\r\n")
    sys.exit(-1)


if __name__ == "__main__":
    main()