@ksose
Created January 2, 2012 23:21
Extract the injects configuration from a Shylock-infected machine
# k`sOSe
# extract the webinjects configuration from a Shylock-infected machine; tested on Shylock 1.2.1.3160
# to decode it: https://gist.github.com/1552594
import sys
import time
from ctypes import *
# Each botnet uses its own pipe name; replace the hex component with the one
# belonging to the sample under analysis. Raw string: backslashes are literal.
PIPE_NAME = r"\\.\pipe\D13A4A2693461B273701BEFB4E640D35"
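def open_pipe(pipe_name=None):
    """Open a client handle to the bot's named pipe in message-read mode.

    Args:
        pipe_name: Full pipe path (``\\\\.\\pipe\\<name>``). Defaults to the
            module-level PIPE_NAME, which is botnet-specific; resolved at call
            time so reassigning PIPE_NAME before calling still takes effect.

    Returns:
        The kernel32 HANDLE (as a Python int) for use with wr()/rd()/close_pipe().

    Exits the process with status 1 when the pipe cannot be opened, which is
    the original script's fail-fast behaviour.
    """
    if pipe_name is None:
        pipe_name = PIPE_NAME
    kernel32 = windll.kernel32
    pipe_handle = kernel32.CreateFileA(
        pipe_name,
        0xC0000000,  # GENERIC_READ | GENERIC_WRITE
        3,           # FILE_SHARE_READ | FILE_SHARE_WRITE
        0,           # no security attributes
        3,           # OPEN_EXISTING: never create the pipe ourselves
        0x80,        # FILE_ATTRIBUTE_NORMAL
        0)           # no template file
    # CreateFile reports INVALID_HANDLE_VALUE, which the default int return
    # type shows as -1; 0 is treated as invalid as well, as in the original.
    if pipe_handle in (0, -1):
        print("[!!] Error opening pipe: 0x%08x\n" % (kernel32.GetLastError()))
        sys.exit(1)
    print("[*] Got pipe handle: 0x%08x\n" % (pipe_handle))
    # Switch the handle to PIPE_READMODE_MESSAGE; the original did this too,
    # presumably because the bot replies with one message per request.
    pipe_mode = c_ulong(0x2)  # PIPE_READMODE_MESSAGE
    if not kernel32.SetNamedPipeHandleState(pipe_handle, byref(pipe_mode), 0, 0):
        # Not fatal for the workflow, but a handle left in byte mode may
        # return a split or partial reply, so make the failure visible.
        print("[!!] SetNamedPipeHandleState failed: 0x%08x\n" % (kernel32.GetLastError()))
    return pipe_handle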
def close_pipe(p):
    """Release the pipe handle ``p`` obtained from open_pipe()."""
    kernel32 = windll.kernel32
    kernel32.CloseHandle(p)
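def wr(p, buf, buflen):
    """Write ``buflen`` bytes of ``buf`` to pipe handle ``p``.

    Args:
        p: Handle returned by open_pipe().
        buf: Byte string to send.
        buflen: Number of bytes of ``buf`` to write.

    Returns:
        The byte count the kernel reports as written. A failed WriteFile call
        or a short write is printed, not raised, so callers should compare the
        result with ``buflen`` if they need to know the request went out.
    """
    written = c_ulong(0)
    ok = windll.kernel32.WriteFile(p, buf, buflen, byref(written), 0)
    # WriteFile returns FALSE on error; the original only compared the byte
    # count, which can miss a failed call, so check both.
    if not ok or written.value != buflen:
        print("[!!] wr:%x, got:%x => %x" % (written.value, buflen, windll.kernel32.GetLastError()))
    return written.value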
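def rd(p, buflen):
    """Read one message from pipe handle ``p`` using ``buflen``-byte chunks.

    In PIPE_READMODE_MESSAGE a reply larger than the buffer makes ReadFile
    fill the buffer and fail with ERROR_MORE_DATA; the original single read
    silently dropped the remainder. This version keeps reading until the
    message is complete, so the whole reply is returned.

    Args:
        p: Handle returned by open_pipe().
        buflen: Size of the per-call read buffer in bytes.

    Returns:
        The bytes received (possibly empty). Errors are printed, not raised.
    """
    error_more_data = 234  # winerror.h ERROR_MORE_DATA
    kernel32 = windll.kernel32
    buf = create_string_buffer(buflen)
    read = c_ulong(0)
    chunks = []
    while True:
        ok = kernel32.ReadFile(p, buf, buflen, byref(read), 0)
        chunks.append(buf.raw[:read.value])
        if ok:
            break
        err = kernel32.GetLastError()
        if err != error_more_data:
            # Genuine failure (or the bot closed the pipe): keep what arrived.
            print("[!!] r:%x, got:%x => %x" % (read.value, buflen, err))
            break
    # b"".join works for both the py2 str and py3 bytes that .raw returns.
    data = b"".join(chunks)
    if ok and not data:
        # Successful read of zero bytes: mirror the original's warning.
        print("[!!] r:%x, got:%x => %x" % (0, buflen, kernel32.GetLastError()))
    return data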
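def main():
    """Dump the bot's injects configuration to ``injects.conf``.

    Flow: wait briefly (the original author found the pipe needs a moment),
    open the pipe, send the 4-byte request code and write everything after
    the first 8 bytes of the reply to disk. The 8-byte prefix is skipped as
    in the original; its meaning is not documented here. The pipe handle is
    closed on every path and the output file is closed deterministically
    instead of being left to the garbage collector.
    """
    print("need to wait a couple of second..")
    time.sleep(2)
    p = open_pipe()
    try:
        # Request code 7 as a little-endian DWORD, taken from the original
        # script; presumably "send injects config", protocol otherwise unknown.
        wr(p, b"\x07\x00\x00\x00", 4)
        buf = rd(p, 0x20000)
    finally:
        close_pipe(p)
    if len(buf) <= 8:
        # Nothing beyond the header: the file would be empty, say so.
        print("[!!] short reply (%d bytes), nothing to write after the header" % len(buf))
    with open("injects.conf", "wb") as out:
        out.write(buf[8:])


if __name__ == "__main__":
    main()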