X-Junior/Wineloader_String_Decryptor.py

## Wineloader_String_Decryptor.py
from Crypto.Cipher import ARC4
from capstone import *
from capstone.x86 import *
import pefile , sys , os

'''
Author: Mohamed Ashraf (@X__Junior)
make sure you are passing wineloader and not the loader of wineloader, if you suspect it's the loader then use https://raw.githubusercontent.com/tccontre/KnowledgeBase/main/malware_re_tools/wineloader_dll_side_load/wineloader_extractor.py , to extract the shellcode
tested samples:
27c0935a22862475bb3fd516f93bd466f8021f77727e83f53d67d76978b439ee
1f123f8e82310161e2e0ebf0420d3b5f3dd932f26b93eedb2b01f5abe77450d7
f5cb3234eff0dbbd653d5cdce1d4b1026fa9574ebeaf16aaae3d4e921b6a7f9d
'''

def extract_strings(encrypted_strings_table):
    flag = 0
    counter = 0
    extracted_strings = []
    string_length = encrypted_strings_table[0]

    while counter < len(encrypted_strings_table):

        if encrypted_strings_table[counter] == 0:
            counter += 1

        elif encrypted_strings_table[counter] != 0 and flag == 0:
            string_length = encrypted_strings_table[counter]
            counter += 1
            flag = 1

        elif encrypted_strings_table[counter] != 0 and flag == 1:
            encrypted_string = encrypted_strings_table[counter : counter + string_length]
            extracted_strings.append(encrypted_string)
            flag = 0
            counter += string_length

    return extracted_strings


def decrypt_strings(encrypted_strings , rc4_key):
    for encrypted_string in encrypted_strings:
        try:
            cipher = ARC4.new(rc4_key)
            decrypted_string = cipher.decrypt(encrypted_string)
            print(decrypted_string.decode())
        except:
            continue

def extract_rc4_key (md ,text_addr ,pe ,file_data ,text):
	inst = list(md.disasm(text.get_data(), text_addr))
	for i  in range(len(inst)):
			try :
				if inst[i].mnemonic == "xor" and inst[i+1].mnemonic == "mov" and inst[i+2].mnemonic == "mov" and inst[i+3].mnemonic == "lea" and inst[i+4].mnemonic == "mov" and inst[i+5].mnemonic == "xor":
					last_4_bytes_inst = inst[i+3].operands[1].value.mem.disp
					instruction_size = inst[i+3].size
					instruction_addr = inst[i+3].address
					rc4_key_rva = instruction_addr + instruction_size + last_4_bytes_inst
					break
			except:
				continue
	for s in pe.sections:
			if b'.text' in s.Name:
				rc4_key_offset = rc4_key_rva - s.VirtualAddress + s.PointerToRawData - pe.OPTIONAL_HEADER.ImageBase
				rc4_key = file_data[rc4_key_offset : rc4_key_offset + 0x100]

	return rc4_key , rc4_key_offset

def main():
	# Check if the correct number of arguments are provided
	if len(sys.argv) != 2:
		# python3 WineLoader_String_Decryptor.py WineLoader.dll(WineLoader_Shellcode)
		print("Usage: python WineLoader_String_Decryptor.py [filename]")
		exit()

	# Check if the file exists
	if not os.path.isfile(sys.argv[1]):
		print(f"The file {sys.argv[1]} does not exist.")
		exit()

	else:
		file_data = open(sys.argv[1], "rb").read()

		try:
			pe = pefile.PE(sys.argv[1])
			md = Cs(CS_ARCH_X86, CS_MODE_64)
			md.skipdata = True
			md.detail = True
			text = pe.sections[0]
			text_addr = pe.OPTIONAL_HEADER.ImageBase + text.VirtualAddress
			rc4_key , rc4_key_offset = extract_rc4_key(md , text_addr , pe , file_data , text)
			encrypted_strings_table =  file_data[rc4_key_offset + 0x100: rc4_key_offset + 0x1100]
		except:
      # if only the shellcode is passed
			# Use splunk wineloader shellcode extractor : https://raw.githubusercontent.com/tccontre/KnowledgeBase/main/malware_re_tools/wineloader_dll_side_load/wineloader_extractor.py
			rc4_key = file_data[0x20:0x120]
			encrypted_strings_table =  file_data[0x120:0x1000]

		extracted_strings = extract_strings(encrypted_strings_table)
		decrypt_strings(extracted_strings , rc4_key)

if __name__ == "__main__":
	main()
	from Crypto.Cipher import ARC4
	from capstone import *
	from capstone.x86 import *
	import pefile , sys , os

	'''
	Author: Mohamed Ashraf (@X__Junior)
	make sure you are passing wineloader and not the loader of wineloader, if you suspect it's the loader then use https://raw.githubusercontent.com/tccontre/KnowledgeBase/main/malware_re_tools/wineloader_dll_side_load/wineloader_extractor.py , to extract the shellcode
	tested samples:
	27c0935a22862475bb3fd516f93bd466f8021f77727e83f53d67d76978b439ee
	1f123f8e82310161e2e0ebf0420d3b5f3dd932f26b93eedb2b01f5abe77450d7
	f5cb3234eff0dbbd653d5cdce1d4b1026fa9574ebeaf16aaae3d4e921b6a7f9d
	'''

	def extract_strings(encrypted_strings_table):
	flag = 0
	counter = 0
	extracted_strings = []
	string_length = encrypted_strings_table[0]

	while counter < len(encrypted_strings_table):

	if encrypted_strings_table[counter] == 0:
	counter += 1

	elif encrypted_strings_table[counter] != 0 and flag == 0:
	string_length = encrypted_strings_table[counter]
	counter += 1
	flag = 1

	elif encrypted_strings_table[counter] != 0 and flag == 1:
	encrypted_string = encrypted_strings_table[counter : counter + string_length]
	extracted_strings.append(encrypted_string)
	flag = 0
	counter += string_length

	return extracted_strings


	def decrypt_strings(encrypted_strings , rc4_key):
	for encrypted_string in encrypted_strings:
	try:
	cipher = ARC4.new(rc4_key)
	decrypted_string = cipher.decrypt(encrypted_string)
	print(decrypted_string.decode())
	except:
	continue

	def extract_rc4_key (md ,text_addr ,pe ,file_data ,text):
	inst = list(md.disasm(text.get_data(), text_addr))
	for i in range(len(inst)):
	try :
	if inst[i].mnemonic == "xor" and inst[i+1].mnemonic == "mov" and inst[i+2].mnemonic == "mov" and inst[i+3].mnemonic == "lea" and inst[i+4].mnemonic == "mov" and inst[i+5].mnemonic == "xor":
	last_4_bytes_inst = inst[i+3].operands[1].value.mem.disp
	instruction_size = inst[i+3].size
	instruction_addr = inst[i+3].address
	rc4_key_rva = instruction_addr + instruction_size + last_4_bytes_inst
	break
	except:
	continue
	for s in pe.sections:
	if b'.text' in s.Name:
	rc4_key_offset = rc4_key_rva - s.VirtualAddress + s.PointerToRawData - pe.OPTIONAL_HEADER.ImageBase
	rc4_key = file_data[rc4_key_offset : rc4_key_offset + 0x100]

	return rc4_key , rc4_key_offset

	def main():
	# Check if the correct number of arguments are provided
	if len(sys.argv) != 2:
	# python3 WineLoader_String_Decryptor.py WineLoader.dll(WineLoader_Shellcode)
	print("Usage: python WineLoader_String_Decryptor.py [filename]")
	exit()

	# Check if the file exists
	if not os.path.isfile(sys.argv[1]):
	print(f"The file {sys.argv[1]} does not exist.")
	exit()

	else:
	file_data = open(sys.argv[1], "rb").read()

	try:
	pe = pefile.PE(sys.argv[1])
	md = Cs(CS_ARCH_X86, CS_MODE_64)
	md.skipdata = True
	md.detail = True
	text = pe.sections[0]
	text_addr = pe.OPTIONAL_HEADER.ImageBase + text.VirtualAddress
	rc4_key , rc4_key_offset = extract_rc4_key(md , text_addr , pe , file_data , text)
	encrypted_strings_table = file_data[rc4_key_offset + 0x100: rc4_key_offset + 0x1100]
	except:
	# if only the shellcode is passed
	# Use splunk wineloader shellcode extractor : https://raw.githubusercontent.com/tccontre/KnowledgeBase/main/malware_re_tools/wineloader_dll_side_load/wineloader_extractor.py
	rc4_key = file_data[0x20:0x120]
	encrypted_strings_table = file_data[0x120:0x1000]

	extracted_strings = extract_strings(encrypted_strings_table)
	decrypt_strings(extracted_strings , rc4_key)

	if __name__ == "__main__":
	main()