#!/usr/bin/env python
"""
############################################
# #
# Copyright 2017 Cyberus Technology GmbH #
# All rights reserved #
# #
############################################
"""
import time
import sys
import pprint
from pyTycho import tycho
from pyTycho.syscall_interpreter import interpret_execute_syscall
from pyTycho.syscall_interpreter import pointer_tracking_enabled_by_type
from pyTycho.syscall_interpreter import type_specific_handlers
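# type specific handler function
list_of_files = []  # names collected from every observed UNICODE_STRING argument


def extract_string(process, object_representation):
    """Collect the text of a UNICODE_STRING argument into ``list_of_files``.

    Registered in ``type_specific_handlers`` for the ``'UNICODE_STRING'`` type.
    The interpreter passes each decoded argument as ``(type_name, value)``;
    only a UNICODE_STRING whose ``value`` carries both a ``Length`` and a
    ``Buffer`` field (each itself a ``(type, value)`` pair) is handled,
    anything else is ignored.

    Args:
        process: handle exposing ``read_linear(address, length)``, which
            returns ``length`` bytes of the traced process' memory at
            ``address``.
        object_representation: ``(type_name, value)`` pair produced by the
            syscall interpreter.
    """
    typ, value = object_representation
    if typ != 'UNICODE_STRING':
        return
    # `in` on the mapping checks keys on both Python 2 and 3 (`iterkeys` is 2-only).
    if 'Buffer' not in value or 'Length' not in value:
        return
    _, length = value['Length']
    _, address = value['Buffer']
    raw = process.read_linear(address, length)
    # UNICODE_STRING.Length is a byte count and its buffer is UTF-16LE without
    # a BOM, so decode explicitly little-endian instead of host-order "utf-16".
    # The bytes originate in the process under analysis; malformed data must
    # not abort the trace, so substitute U+FFFD instead of raising.
    list_of_files.append(raw.decode("utf-16-le", "replace"))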
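def extract_filenames(file_name):
    """Trace ``file_name`` under Tycho and print every name it passes to NtCreateFile.

    The process is opened with break-on-start, the syscall breakpoint is
    whitelisted to NtCreateFile and NtTerminateProcess, and the trace loop
    runs until NtTerminateProcess is observed.  The names themselves are
    accumulated in the module-level ``list_of_files`` by ``extract_string``
    (installed as the handler for UNICODE_STRING arguments, with pointer
    tracking enabled for POBJECT_ATTRIBUTES) and pretty-printed at the end.

    Args:
        file_name: process name as understood by ``tycho.open_process``.
    """
    service = tycho()
    process_handle = None
    syscall_bp = None
    try:
        # get process handle
        process_handle = service.open_process(file_name)
        # enable breakpoints on process startup
        process_handle.set_break_on_start(True)
        while not process_handle.is_running():
            time.sleep(1)
            print("{} is currently not running".format(file_name))
        # `breakpoint` would shadow the Python 3.7+ builtin, hence the name.
        syscall_bp = process_handle.get_syscall_breakpoint()
        syscall_bp.add_syscall_whitelist(tycho.syscalls.NtCreateFile)
        syscall_bp.add_syscall_whitelist(tycho.syscalls.NtTerminateProcess)
        syscall_bp.enable()
        # These are module-level lists shared by every call; register only
        # once so a second invocation does not install the handler twice.
        if 'POBJECT_ATTRIBUTES' not in pointer_tracking_enabled_by_type:
            pointer_tracking_enabled_by_type.append('POBJECT_ATTRIBUTES')
        handler = ('UNICODE_STRING', extract_string)
        if handler not in type_specific_handlers:
            type_specific_handlers.append(handler)
        while True:
            process_handle.resume()
            thread_handle = process_handle.wait_for_breakpoint()
            syscall = interpret_execute_syscall(process_handle, thread_handle)
            if syscall['num'] == tycho.syscalls.NtTerminateProcess:
                break
        pprint.pprint(list_of_files)
    finally:
        # Release the breakpoint and both handles even if the trace loop
        # raises, so a failed run does not leave the target stopped.
        if syscall_bp is not None:
            syscall_bp.disable()
        if process_handle is not None:
            process_handle.close()
        service.close()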
if __name__ == '__main__':
    # Trace the process named on the command line, defaulting to pafish.exe.
    target = sys.argv[1] if len(sys.argv) >= 2 else "pafish.exe"
    extract_filenames(target)