[AWS Monitoring & Evasion article] Script that overwrites the platform calls in botocore's session.py
# Rewrites the installed botocore/session.py in place, replacing the source
# text of two platform calls with fixed string literals. Everything below runs
# at import time except the block guarded by __name__ == '__main__'.
import inspect
import sys

# Import botocore up front so a missing install yields a readable message
# rather than a traceback; exit status 1 means "botocore not importable".
try:
    from botocore import session
except ModuleNotFoundError:
    print("Unable to import session from botocore.")
    print("Are you sure that botocore is installed in this environment?")
    sys.exit(1)

# Calls which detect "PenTest machine"
# Literal source text searched for in session.py. The match is a plain
# substring test and str.replace() is unanchored, so every occurrence of each
# call in that file is rewritten, not just one.
STR1_TO_FIND = 'platform.system()'
STR2_TO_FIND = 'platform.release()'

# Replacements - you can edit these for any other thing you want
# Each value is a quoted Python string literal (the double quotes are part of
# the value) so the patched expression remains valid source.
STR1_REPLACEMENT = '"Linux"'
STR2_REPLACEMENT = '"4.16.0"'

if __name__ == '__main__':
    # Get filepath to the session file of botocore library
    # inspect.getfile() reports the file the imported module was loaded from,
    # so the edit lands on whichever botocore this interpreter resolves.
    try:
        path_to_session = inspect.getfile(session)
    except Exception as err:
        print("Something went wrong when trying to find path to botocore/session.")
        print(err)
        sys.exit(2)

    # Get session content
    # NOTE(review): no explicit encoding, so both the read here and the write
    # below use the locale default; a non-UTF-8 locale could mangle any
    # non-ASCII bytes in the file.
    with open(path_to_session, 'r') as f:
        content = f.read()

    if_continue = True
    # Verify existence of platform calls and replace them
    # if_continue records whether the first call was found; it is consulted
    # only when the second is also missing, i.e. there is nothing to rewrite.
    if STR1_TO_FIND not in content:
        print(f"{STR1_TO_FIND} not found in {path_to_session}")
        if_continue = False
    else:
        content = content.replace(STR1_TO_FIND, STR1_REPLACEMENT)
        print(f"Successfuly replaced {STR1_TO_FIND} with {STR1_REPLACEMENT}")

    if STR2_TO_FIND not in content:
        print(f"{STR2_TO_FIND} not found in {path_to_session}")
        if not if_continue:
            # Neither call present: exit status 3 without touching the file.
            print("None of two platform calls were found, exiting...")
            sys.exit(3)
    else:
        content = content.replace(STR2_TO_FIND, STR2_REPLACEMENT)
        print(f"Successfuly replaced {STR2_TO_FIND} with {STR2_REPLACEMENT}")

    # Overwrite session file
    # The library file is replaced in place with no backup and no dry-run. It
    # will no longer match the hashes recorded when the package was installed
    # (typically the dist-info RECORD), which is the signal a package-integrity
    # or file-integrity check on site-packages would use to detect this edit.
    with open(path_to_session, 'w') as f:
        f.write(content)