#!/usr/bin/env python2 | |
# Simple config extractor for Bozok v1.4.3 | |
import sys | |
import pefile | |
import json | |
import re | |
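def extract_conf(filename):
    """Extract the embedded configuration from a Bozok v1.4.3 sample.

    The sample is treated as untrusted input: it is only read and parsed
    with pefile, never executed. The config lives in an RCDATA resource
    named "CFG", stored with interleaved NUL bytes and '|'-separated fields.

    Args:
        filename: path to the PE file to inspect.

    Returns:
        A dict mapping field names to the extracted values, or None when
        the sample has no "CFG" resource or the field count is unexpected.

    Exits:
        Calls sys.exit(1) when pefile cannot parse the file as a PE
        (pefile.PEFormatError), mirroring the original behaviour.
    """
    # Close the handle deterministically instead of relying on GC.
    with open(filename, 'rb') as fh:
        data = fh.read()
    # The version is hardcoded as a UTF-16-style string ("1.4.3" with NUL
    # padding); a bytes pattern keeps the check valid for a bytes buffer.
    if not re.search(br'1\x00.\x004\x00.\x003\x00\x00\x00', data):
        print('Warning: version string (1.4.3) not found in data.')
        print('This is probably not going to work...')
    try:
        pe = pefile.PE(data=data)
    except pefile.PEFormatError:
        # Narrow except: a bare `except:` would also swallow SystemExit
        # and KeyboardInterrupt.
        print('Input file ({}) is not a valid PE file.'.format(filename))
        sys.exit(1)
    # A PE with no resource directory has no DIRECTORY_ENTRY_RESOURCE
    # attribute at all; treat that as "config not found" rather than crash.
    resources = getattr(pe, 'DIRECTORY_ENTRY_RESOURCE', None)
    if resources is None:
        return None
    rcdata_type = pefile.RESOURCE_TYPE['RT_RCDATA']
    for resource in resources.entries:
        if resource.id != rcdata_type:
            continue
        for entry in resource.directory.entries:
            # Entries may be identified by an integer id rather than a
            # name; entry.name is None in that case, so guard before .string.
            if entry.name is None or entry.name.string != 'CFG':
                continue
            if not entry.directory.entries:
                continue
            # Found the correct resource (probably): locate and slice it out
            # of the memory-mapped image.
            data_struct = entry.directory.entries[0].data.struct
            offset = data_struct.OffsetToData
            size = data_struct.Size
            raw = pe.get_memory_mapped_image()[offset:offset + size]
            return _parse_cfg(raw)
    return None


def _parse_cfg(raw):
    """Split the raw "CFG" resource into the named v1.4.3 config fields.

    Args:
        raw: the resource bytes as sliced from the memory-mapped image.

    Returns:
        A dict of field name -> value, or None (after printing an error)
        when the field count is not the 15 expected for this version.
    """
    # The config is saved with "interloping" NUL bytes; drop them, then
    # split on the pipe that separates fields.
    fields = raw.replace(b'\x00', b'').split(b'|')
    if len(fields) != 15:
        print('Error extracting config: expected 15 values, found {}.'.format(len(fields)))
        return None
    # Domains are saved with a trailing asterisk; cut it off.
    fields[12] = fields[12][:-1]
    # Field names beyond the obvious ones are best-effort labels from the
    # original analysis ('unknown1', 'flag4'...), not confirmed semantics.
    return {
        'version': '1.4.3',
        'unknown1': fields[0],
        'mutex': fields[1],
        'exename': fields[2],
        'regname': fields[3],
        'extfile?': fields[4],
        'password': fields[5],
        'flag_exe': fields[6],
        'flag_reg': fields[7],
        'flag_thread': fields[8],
        'flag4': fields[9],
        'flag5': fields[10],
        'port': fields[11],
        'domain': fields[12],
        'flag6': fields[13],
    }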
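if __name__ == '__main__':
    # CLI entry point: usage is `python <script> FILENAME`; the sample is
    # only read and parsed, never executed.
    if len(sys.argv) < 2:
        print('Usage: python {} FILENAME'.format(sys.argv[0]))
        sys.exit()
    config = extract_conf(sys.argv[1])
    # Identity check: extract_conf signals failure with None.
    if config is None:
        print('Config extraction failed.')
    else:
        print(json.dumps(config, indent=2))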