waliedassar

RunPE Embedded Executable Extractor

Apr 22nd, 2015
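# Script used to extract the executable embedded inside a RunPE executable.
# Input: a text file whose lines hold the payload as reversed hex text.
# Output: the decoded bytes, written to result.txt in the current directory.
# Blog Post: http://middleeastmalware.blogspot.com/2015/04/cyber-attack-7.html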
import binascii
import os
import sys
import time
def IsNonHexChar(CharX):
    """Return True when CharX is not one hexadecimal digit character.

    Only 0-9, a-f and A-F are treated as hex digits. Anything else,
    including an empty string or a string longer than one character,
    is reported as non-hex.
    """
    # A tuple keeps the plain equality comparison the check relies on.
    HexDigitsX = tuple("0123456789AaBbCcDdEeFf")
    return CharX not in HexDigitsX
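def Hexify(StuffX):
    """Decode the hex digits found in StuffX into raw bytes.

    The input is scanned character by character. A character that is not
    a hex digit (0-9, a-f, A-F) is dropped together with the character
    that follows it. The remaining digits are paired in order, and a
    trailing unpaired digit is discarded.
    NOTE(review): skipping the character after a non-hex one presumably
    matches a two-character separator in the encoded sample -- confirm.

    The digits are decoded with binascii.unhexlify instead of building a
    string literal and passing it to eval(), so text taken from a sample
    is only ever decoded as data and never interpreted as Python source.
    This also yields a byte string on Python 3, which a file opened in
    "wb" mode requires.

    Args:
        StuffX: text holding hex digit pairs, possibly with separators.

    Returns:
        The decoded byte string, or None when StuffX is empty (after
        printing "File is empty").
    """
    if len(StuffX) == 0:
        print("File is empty\r\n")
        return None

    # Same digit set IsNonHexChar accepts, kept local so the decoder has
    # no dependency on evaluation order within the file.
    HexDigitsX = frozenset("0123456789abcdefABCDEF")
    DigitsX = []
    SkipNext = False
    for X in StuffX:
        if SkipNext:
            SkipNext = False
            continue
        if X not in HexDigitsX:
            # Drop this character and the one after it; a digit already
            # waiting for its partner stays pending across the gap.
            SkipNext = True
            continue
        DigitsX.append(X)

    # An odd digit left over at the end has no partner and is ignored.
    if len(DigitsX) % 2:
        DigitsX.pop()
    return binascii.unhexlify("".join(DigitsX))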
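def RevvAndThenHexify(InputFileX):
    """Reverse each line of InputFileX, hex-decode it and write result.txt.

    Every line has its trailing CR/LF characters removed, is reversed,
    and is passed to Hexify. The decoded bytes of all lines are written
    back to back into "result.txt" in the current working directory; an
    existing result.txt is overwritten without confirmation.

    Lines for which Hexify returns None (empty lines) are skipped rather
    than crashing on len(None). Both files are handled through context
    managers so they are closed even if decoding raises.

    Args:
        InputFileX: path of the text file holding the reversed hex dump.

    Returns:
        None. Progress and error messages are printed to stdout.
    """
    if not os.path.exists(InputFileX):
        print("File does not exist\r\n")
        return

    with open(InputFileX, "r") as fIn:
        contentX = fIn.read()
    if len(contentX) == 0:
        print("File is empty\r\n")
        return
    print("Processing input of length " + str(len(contentX)))

    with open("result.txt", "wb") as fOut:
        with open(InputFileX, "r") as fIn_:
            for LinX in fIn_:
                # rstrip("\r\n") removes any trailing run of CR and LF.
                ReversedX = LinX.rstrip("\r\n")[::-1]
                print(len(ReversedX))
                Hexified = Hexify(ReversedX)
                if Hexified is None:
                    # Blank line: nothing to decode, nothing to write.
                    continue
                print("Line of Length: " + str(len(Hexified)))
                fOut.write(Hexified)
    return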
def main():
    """Command-line entry point: expects exactly one input file argument.

    With one argument the file is processed and the process exits with
    status 0. Otherwise the usage line is printed and the process exits
    with status -1.
    """
    if len(sys.argv) == 2:
        RevvAndThenHexify(sys.argv[1])
        sys.exit(0)

    print("Usage: Hexify.py input.txt\r\n")
    sys.exit(-1)
# Run the extractor only when this file is executed as a script, so that
# importing it (for example to reuse Hexify) has no side effects.
if __name__ == "__main__":
    main()