Parse signatures from an extracted Windows Defender (WinDef) DB. This script won't extract a compressed DB (use WDExtract for that).
import streams | |
import bitops | |
import strutils | |
import std/enumutils | |
const
  db_name = "mpavbase.vdm.extracted" ## Input file opened by `read_db`;
                                     ## an already-extracted (uncompressed)
                                     ## VDM, per the gist description.
type
  SigHeader = object
    ## Record header as it appears in the stream: `read_db` reads
    ## `sizeof(SigHeader)` bytes straight into this object, so the field
    ## order is the on-disk byte order (three consecutive bytes).
    sig_type: uint8  ## Record type; numeric values listed in `SigTypes`.
    size_low: uint8  ## Low byte of the payload length.
    size_high: uint8 ## Combined by `read_db` as size_low | size_high << 8.
  EKeyboardInterrupt = object of CatchableError ## Raised by `handler` on
    ## Ctrl-C; being a CatchableError it is caught by `read_db`'s
    ## `except CatchableError` branch, which ends the walk.
  # Known values of `SigHeader.sig_type`.  Names and numbers follow the
  # commial windows-defender/VDM analysis referenced at the bottom of this
  # gist.  The enum has holes (e.g. 4..16 are undefined), so it cannot be
  # iterated with a plain range; `enum_field_name` uses the std/enumutils
  # `items` overload, which visits only the declared members.
  SigTypes = enum ## Signature record types, keyed by their `sig_type` byte.
    SIGNATURE_TYPE_RESERVED = 1,
    SIGNATURE_TYPE_VOLATILE_THREAT_INFO = 2,
    SIGNATURE_TYPE_VOLATILE_THREAT_ID = 3,
    SIGNATURE_TYPE_CKOLDREC = 17,
    SIGNATURE_TYPE_KVIR32 = 32,
    SIGNATURE_TYPE_POLYVIR32 = 33,
    SIGNATURE_TYPE_NSCRIPT_NORMAL = 39,
    SIGNATURE_TYPE_NSCRIPT_SP = 40,
    SIGNATURE_TYPE_NSCRIPT_BRUTE = 41,
    SIGNATURE_TYPE_NSCRIPT_CURE = 44,
    SIGNATURE_TYPE_TITANFLT = 48,
    SIGNATURE_TYPE_PEFILE_CURE = 61,
    SIGNATURE_TYPE_MAC_CURE = 62,
    SIGNATURE_TYPE_SIGTREE = 64,
    SIGNATURE_TYPE_SIGTREE_EXT = 65,
    SIGNATURE_TYPE_MACRO_PCODE = 66,
    SIGNATURE_TYPE_MACRO_SOURCE = 67,
    SIGNATURE_TYPE_BOOT = 68,
    SIGNATURE_TYPE_CLEANSCRIPT = 73,
    SIGNATURE_TYPE_TARGET_SCRIPT = 74,
    SIGNATURE_TYPE_CKSIMPLEREC = 80,
    SIGNATURE_TYPE_PATTMATCH = 81,
    SIGNATURE_TYPE_RPFROUTINE = 83,
    SIGNATURE_TYPE_NID = 85,
    SIGNATURE_TYPE_GENSFX = 86,
    SIGNATURE_TYPE_UNPLIB = 87,
    SIGNATURE_TYPE_DEFAULTS = 88,
    SIGNATURE_TYPE_DBVAR = 91,
    SIGNATURE_TYPE_THREAT_BEGIN = 92,
    SIGNATURE_TYPE_THREAT_END = 93,
    SIGNATURE_TYPE_FILENAME = 94,
    SIGNATURE_TYPE_FILEPATH = 95,
    SIGNATURE_TYPE_FOLDERNAME = 96,
    SIGNATURE_TYPE_PEHSTR = 97,
    SIGNATURE_TYPE_LOCALHASH = 98,
    SIGNATURE_TYPE_REGKEY = 99,
    SIGNATURE_TYPE_HOSTSENTRY = 100,
    SIGNATURE_TYPE_STATIC = 103,
    SIGNATURE_TYPE_LATENT_THREAT = 105,
    SIGNATURE_TYPE_REMOVAL_POLICY = 106,
    SIGNATURE_TYPE_WVT_EXCEPTION = 107,
    SIGNATURE_TYPE_REVOKED_CERTIFICATE = 108,
    SIGNATURE_TYPE_TRUSTED_PUBLISHER = 112,
    SIGNATURE_TYPE_ASEP_FILEPATH = 113,
    SIGNATURE_TYPE_DELTA_BLOB = 115,
    SIGNATURE_TYPE_DELTA_BLOB_RECINFO = 116,
    SIGNATURE_TYPE_ASEP_FOLDERNAME = 117,
    SIGNATURE_TYPE_PATTMATCH_V2 = 119,
    SIGNATURE_TYPE_PEHSTR_EXT = 120,
    SIGNATURE_TYPE_VDLL_X86 = 121,
    SIGNATURE_TYPE_VERSIONCHECK = 122,
    SIGNATURE_TYPE_SAMPLE_REQUEST = 123,
    SIGNATURE_TYPE_VDLL_X64 = 124,
    SIGNATURE_TYPE_SNID = 126,
    SIGNATURE_TYPE_FOP = 127,
    SIGNATURE_TYPE_KCRCE = 128,
    SIGNATURE_TYPE_VFILE = 131,
    SIGNATURE_TYPE_SIGFLAGS = 132,
    SIGNATURE_TYPE_PEHSTR_EXT2 = 133,
    SIGNATURE_TYPE_PEMAIN_LOCATOR = 134,
    SIGNATURE_TYPE_PESTATIC = 135,
    SIGNATURE_TYPE_UFSP_DISABLE = 136,
    SIGNATURE_TYPE_FOPEX = 137,
    SIGNATURE_TYPE_PEPCODE = 138,
    SIGNATURE_TYPE_IL_PATTERN = 139,
    SIGNATURE_TYPE_ELFHSTR_EXT = 140,
    SIGNATURE_TYPE_MACHOHSTR_EXT = 141,
    SIGNATURE_TYPE_DOSHSTR_EXT = 142,
    SIGNATURE_TYPE_MACROHSTR_EXT = 143,
    SIGNATURE_TYPE_TARGET_SCRIPT_PCODE = 144,
    SIGNATURE_TYPE_VDLL_IA64 = 145,
    SIGNATURE_TYPE_PEBMPAT = 149,
    SIGNATURE_TYPE_AAGGREGATOR = 150,
    SIGNATURE_TYPE_SAMPLE_REQUEST_BY_NAME = 151,
    SIGNATURE_TYPE_REMOVAL_POLICY_BY_NAME = 152,
    SIGNATURE_TYPE_TUNNEL_X86 = 153,
    SIGNATURE_TYPE_TUNNEL_X64 = 154,
    SIGNATURE_TYPE_TUNNEL_IA64 = 155,
    SIGNATURE_TYPE_VDLL_ARM = 156,
    SIGNATURE_TYPE_THREAD_X86 = 157,
    SIGNATURE_TYPE_THREAD_X64 = 158,
    SIGNATURE_TYPE_THREAD_IA64 = 159,
    SIGNATURE_TYPE_FRIENDLYFILE_SHA256 = 160,
    SIGNATURE_TYPE_FRIENDLYFILE_SHA512 = 161,
    SIGNATURE_TYPE_SHARED_THREAT = 162,
    SIGNATURE_TYPE_VDM_METADATA = 163,
    SIGNATURE_TYPE_VSTORE = 164,
    SIGNATURE_TYPE_VDLL_SYMINFO = 165,
    SIGNATURE_TYPE_IL2_PATTERN = 166,
    SIGNATURE_TYPE_BM_STATIC = 167,
    SIGNATURE_TYPE_BM_INFO = 168,
    SIGNATURE_TYPE_NDAT = 169,
    SIGNATURE_TYPE_FASTPATH_DATA = 170,
    SIGNATURE_TYPE_FASTPATH_SDN = 171,
    SIGNATURE_TYPE_DATABASE_CERT = 172,
    SIGNATURE_TYPE_SOURCE_INFO = 173,
    SIGNATURE_TYPE_HIDDEN_FILE = 174,
    SIGNATURE_TYPE_COMMON_CODE = 175,
    SIGNATURE_TYPE_VREG = 176,
    SIGNATURE_TYPE_NISBLOB = 177,
    SIGNATURE_TYPE_VFILEEX = 178,
    SIGNATURE_TYPE_SIGTREE_BM = 179,
    SIGNATURE_TYPE_VBFOP = 180,
    SIGNATURE_TYPE_VDLL_META = 181,
    SIGNATURE_TYPE_TUNNEL_ARM = 182,
    SIGNATURE_TYPE_THREAD_ARM = 183,
    SIGNATURE_TYPE_PCODEVALIDATOR = 184,
    SIGNATURE_TYPE_MSILFOP = 186,
    SIGNATURE_TYPE_KPAT = 187,
    SIGNATURE_TYPE_KPATEX = 188,
    SIGNATURE_TYPE_LUASTANDALONE = 189,
    SIGNATURE_TYPE_DEXHSTR_EXT = 190,
    SIGNATURE_TYPE_JAVAHSTR_EXT = 191,
    SIGNATURE_TYPE_MAGICCODE = 192,
    SIGNATURE_TYPE_CLEANSTORE_RULE = 193,
    SIGNATURE_TYPE_VDLL_CHECKSUM = 194,
    SIGNATURE_TYPE_THREAT_UPDATE_STATUS = 195,
    SIGNATURE_TYPE_VDLL_MSIL = 196,
    SIGNATURE_TYPE_ARHSTR_EXT = 197,
    SIGNATURE_TYPE_MSILFOPEX = 198,
    SIGNATURE_TYPE_VBFOPEX = 199,
    SIGNATURE_TYPE_FOP64 = 200,
    SIGNATURE_TYPE_FOPEX64 = 201,
    SIGNATURE_TYPE_JSINIT = 202,
    SIGNATURE_TYPE_PESTATICEX = 203,
    SIGNATURE_TYPE_KCRCEX = 204,
    SIGNATURE_TYPE_FTRIE_POS = 205,
    SIGNATURE_TYPE_NID64 = 206,
    SIGNATURE_TYPE_MACRO_PCODE64 = 207,
    SIGNATURE_TYPE_BRUTE = 208,
    SIGNATURE_TYPE_SWFHSTR_EXT = 209,
    SIGNATURE_TYPE_REWSIGS = 210,
    SIGNATURE_TYPE_AUTOITHSTR_EXT = 211,
    SIGNATURE_TYPE_INNOHSTR_EXT = 212,
    SIGNATURE_TYPE_ROOTCERTSTORE = 213,
    SIGNATURE_TYPE_EXPLICITRESOURCE = 214,
    SIGNATURE_TYPE_CMDHSTR_EXT = 215,
    SIGNATURE_TYPE_FASTPATH_TDN = 216,
    SIGNATURE_TYPE_EXPLICITRESOURCEHASH = 217,
    SIGNATURE_TYPE_FASTPATH_SDN_EX = 218,
    SIGNATURE_TYPE_BLOOM_FILTER = 219,
    SIGNATURE_TYPE_RESEARCH_TAG = 220,
    SIGNATURE_TYPE_ENVELOPE = 222,
    SIGNATURE_TYPE_REMOVAL_POLICY64 = 223,
    SIGNATURE_TYPE_REMOVAL_POLICY64_BY_NAME = 224,
    SIGNATURE_TYPE_VDLL_META_X64 = 225,
    SIGNATURE_TYPE_VDLL_META_ARM = 226,
    SIGNATURE_TYPE_VDLL_META_MSIL = 227,
    SIGNATURE_TYPE_MDBHSTR_EXT = 228,
    SIGNATURE_TYPE_SNIDEX = 229,
    SIGNATURE_TYPE_SNIDEX2 = 230,
    SIGNATURE_TYPE_AAGGREGATOREX = 231,
    SIGNATURE_TYPE_PUA_APPMAP = 232,
    SIGNATURE_TYPE_PROPERTY_BAG = 233,
    SIGNATURE_TYPE_DMGHSTR_EXT = 234,
    SIGNATURE_TYPE_DATABASE_CATALOG = 235,
proc handler() {.noconv.} =
  ## Ctrl-C hook installed by `read_db` through `setControlCHook`.
  ## Converts the interrupt into an `EKeyboardInterrupt`, a
  ## `CatchableError`, so the walk in `read_db` can end through its
  ## normal exception path instead of the process being killed.
  raise EKeyboardInterrupt.newException("Keyboard Interrupt")
func is_readable(input: char): bool =
  ## True for printable 7-bit ASCII: space (0x20) through tilde (0x7E).
  ## Control characters, DEL (0x7F) and every byte >= 0x80 are not
  ## readable and are escaped by `str_escape`.
  input in {' ' .. '~'}
proc enum_field_name(value: uint8): string =
  ## Name of the `SigTypes` member whose ordinal equals `value`, or
  ## `"ERR_UNKNOWN_TYPE_<value>"` when no member carries that number.
  ## `SigTypes` has gaps, so the std/enumutils `items` overload is used:
  ## it yields only declared members, never the undefined ordinals.
  for kind in items(SigTypes):
    if ord(kind) == int(value):
      return $kind
  return "ERR_UNKNOWN_TYPE_" & $value
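proc str_escape(input: string): seq[string] =
  ## Splits `input` into fragments for display: every run of printable
  ## ASCII characters (as judged by `is_readable`) becomes one element,
  ## and every other byte becomes its own `\xHH` element (two uppercase
  ## hex digits).  An empty `input` yields `@[""]`, as before.
  ##
  ## Whether the last element is still a growable readable run is tracked
  ## with a flag instead of testing `startsWith("\\")` on its text.  The
  ## old test misfired on a literal backslash, which `is_readable` accepts
  ## (0x5C is printable): a run beginning with `\` was mistaken for an
  ## escape and the following readable characters started a new element.
  ##
  ## NOTE(review): a literal backslash is still emitted unescaped, so an
  ## element like `\x41` may be literal input rather than an escape; a
  ## consumer needing an unambiguous encoding must escape `\` as well.
  var last_is_run = false   # true while result[^1] is a readable run
  for input_char in input:
    if is_readable(input_char):
      if last_is_run:
        result[^1].add(input_char)
      else:
        # Previous element was an escape (or this is the first char):
        # open a new readable run.
        result.add($input_char)
      last_is_run = true
    else:
      # Non-printable byte: always its own element, never concatenated.
      result.add("\\x" & toHex(ord(input_char), 2))
      last_is_run = false
  # Preserve the original contract for empty input.
  if result.len == 0:
    result.add("")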
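proc read_db(path: string = db_name) =
  ## Walks the extracted signature database at `path` and prints one
  ## block per record: the type name, the raw size bytes, the decoded
  ## length and the escaped payload.  `THREAT_BEGIN` / `THREAT_END`
  ## records also print a banner so threat groups stand out.
  ## `path` defaults to `db_name`, so the existing `read_db()` call is
  ## unchanged.
  ##
  ## An unopenable file or a read error is reported on stderr instead of
  ## dereferencing a nil stream; Ctrl-C (`EKeyboardInterrupt`, raised by
  ## `handler`) ends the walk quietly.  The stream is always closed.
  setControlCHook(handler)
  let fsig = newFileStream(path, fmRead)
  if fsig.isNil:
    # newFileStream returns nil when the file cannot be opened; the old
    # code went on to call atEnd/close on it.
    stderr.writeLine("read_db: cannot open ", path)
    return
  var header: SigHeader
  try:
    while not atEnd(fsig):
      # A record header is exactly sizeof(SigHeader) bytes.  A shorter
      # read means a truncated file; stop instead of parsing a header that
      # is partly stale from the previous iteration.
      if fsig.readData(addr(header), sizeof(header)) != sizeof(header):
        stderr.writeLine("read_db: truncated header at offset ",
                         fsig.getPosition())
        break
      # Payload length is size_low | size_high << 8.  Widen to uint before
      # shifting so the 8-bit fields cannot overflow (the bug the last
      # revision fixed); a plain shift replaces the earlier rotate, which
      # only worked because the rotated-out bits were zero.
      let sig_len = uint(header.size_low) or (uint(header.size_high) shl 8)
      let sig_type_name = enum_field_name(header.sig_type)
      if header.sig_type == uint8(SIGNATURE_TYPE_THREAT_BEGIN):
        echo "===================Threat BEGIN==================="
      echo "SigType: ", sig_type_name
      echo "s_low: ", header.size_low, " s_high: ", header.size_high, " len: ", sig_len
      # Header and size decoded; one byte between header and payload is
      # skipped, as the original layout assumption requires.
      # NOTE(review): presumably the high byte of a wider size field; if
      # it is ever non-zero, sig_len is too small and the walk
      # desynchronises from the record boundaries — confirm against the
      # format analysis referenced at the end of this gist.
      fsig.setPosition(fsig.getPosition() + 1)
      # sig_len is at most 0xFFFF, so this allocation is bounded even for
      # a malformed file; a short read just yields a shorter payload.
      let sig_value = fsig.readStr(int(sig_len))
      echo "Value: ", sig_value.str_escape()
      if header.sig_type == uint8(SIGNATURE_TYPE_THREAT_END):
        echo "-------------------Threat END---------------------\n"
      else:
        echo ""
  except EKeyboardInterrupt:
    # User abort: nothing to report; the finally clause closes the stream.
    discard
  except CatchableError as e:
    # Previously swallowed silently, which hid real I/O errors.
    stderr.writeLine("read_db: ", e.msg)
  finally:
    fsig.close()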
# Script entry point: walk the default database (db_name) and print
# every record to stdout.
read_db()
Fixed the variable type used in the bitwise operation, which was causing the computed length (len) to overflow.
Based on the analysis published at https://github.com/commial/experiments/tree/master/windows-defender/VDM