Artifact Finder
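"""Artifact Finder: bucket lines of ``strings`` output into triage categories.

Ported from the original Python 2 script: ``print`` statements became
function calls, the input file is closed deterministically, every regex is a
raw string (the ``\.``/``\W`` escapes were a SyntaxWarning in Python 3), and
the matching is factored into :func:`classify_lines` so it can be tested
without touching ``sys.argv``. Output format and rule precedence are
unchanged.
"""
from __future__ import annotations

import re
import sys
from collections.abc import Iterable

# Raw string: the art contains backslashes (e.g. "\_") that are not valid
# escape sequences and would otherwise be reported by newer interpreters.
banner = r'''
___ __ _ ____ __ _______ __
/ | _____/ /_(_/ ______ ______/ /_ / ____(_____ ____/ ___ _____
/ /| | / ___/ __/ / /_/ __ `/ ___/ ________/ /_ / / __ \/ __ / _ \/ ___/
/ ___ |/ / / /_/ / __/ /_/ / /__/ /_/_____/ __/ / / / / / /_/ / __/ /
/_/ |_/_/ \__/_/_/ \__,_/\___/\__/ /_/ /_/_/ /_/\__,_/\___/_/
ver 0.2 by @neutrinoguy
'''

_IP_RE = re.compile(r"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b")
# "$-_" is an ASCII character *range* ('$'..'_'), so this class also admits
# '/', ':', digits and upper-case letters; kept verbatim so matching is
# identical to the original pattern.
_URL_RE = re.compile(
    r"http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+"
)
_DLL_RE = re.compile(r"[a-zA-Z0-9-_]*\.dll")
# Capitalised mixed-case identifier (CamelCase API/syscall names); used with
# match(), so the identifier must start the line.
_CAMEL_RE = re.compile(
    r"[A-Z]([A-Z0-9]*[a-z][a-z0-9]*[A-Z]|[a-z0-9]*[A-Z][A-Z0-9]*[a-z])[A-Za-z0-9]*"
)
_EXE_RE = re.compile(r"[a-zA-Z0-9-_]*\.exe")
# Used with match(): the keyword must open the line after optional
# punctuation, so "apicall" hits but "callapi" does not. The three original
# branches appended to the same list, so one alternation is equivalent.
_KEYWORD_RE = re.compile(r"\W*(upload|download|api)\W*", re.IGNORECASE)
_SUSPICIOUS_EXT_RE = re.compile(r"[a-zA-Z0-9-_]*\.(virus|rar|bat)")

# (bucket name, report header, predicate). Rules are tried in this order and
# the FIRST hit wins, exactly like the original if/elif chain: a URL whose
# host is a dotted quad is reported as an IP address, and a CamelCase line
# such as "UploadData" lands in syscalls rather than interesting.
_RULES = (
    ("ip_address", "[+] IP addresses found.", _IP_RE.search),
    ("urls", "[+] Urls found", _URL_RE.search),
    ("dll", "[+] DLL's found", _DLL_RE.search),
    ("syscalls", "[+] Syscalls found.", _CAMEL_RE.match),
    ("exe", "[+] EXE's found.", _EXE_RE.search),
    ("interesting", "[+] Interesting Strings found.", _KEYWORD_RE.match),
    ("interesting_files", "[+] Interesting Files found.", _SUSPICIOUS_EXT_RE.search),
)


def classify_lines(lines: Iterable[str]) -> dict[str, list[str]]:
    """Bucket each line of ``strings`` output under the first rule it matches.

    Args:
        lines: iterable of text lines (a file object works); a trailing
            newline is stripped from each line before it is stored.

    Returns:
        dict keyed by bucket name, in report order, each holding the matching
        lines in input order. Lines matching no rule are dropped.
    """
    found: dict[str, list[str]] = {key: [] for key, _, _ in _RULES}
    for raw in lines:
        line = raw.strip("\n")
        for key, _, matches in _RULES:
            if matches(line):
                found[key].append(line)
                break
    return found


def report(found: dict[str, list[str]]) -> None:
    """Print each non-empty bucket as a header line followed by the list.

    The list is printed via its repr rather than line by line, which keeps
    any control characters pulled out of the sample escaped instead of
    letting the terminal interpret them.
    """
    for key, header, _ in _RULES:
        if found[key]:
            print(header)
            print(found[key])
    # NOTE(review): in the original the ``else`` belonged to the last ``if``,
    # so "Done :)" appears only when no interesting files were found; kept
    # as-is to preserve the output format.
    if not found["interesting_files"]:
        print("Done :)")


def main(argv: list[str] | None = None) -> int:
    """Command-line entry point: ``artifact_finder.py <strings-output-file>``.

    Args:
        argv: argument vector; defaults to ``sys.argv``.

    Returns:
        process exit status (2 on usage error, otherwise 0).
    """
    args = sys.argv if argv is None else argv
    print(banner)
    if len(args) != 2:
        prog = args[0] if args else "artifact_finder.py"
        print("usage: %s <strings-output-file>" % prog, file=sys.stderr)
        return 2
    # errors="replace": strings(1) output can contain bytes that are not valid
    # UTF-8; substitute them rather than abort the whole triage run.
    with open(args[1], "r", encoding="utf-8", errors="replace") as handle:
        found = classify_lines(handle)
    report(found)
    return 0


if __name__ == "__main__":
    sys.exit(main())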
### Simple regex script to find interesting things in the output of the `strings` command.
Sample Output
[+] IP addresses found. ['1.1.1.1', '192.168.0.1'] [+] Urls found ['http://c2c.com', 'http://abc.site'] [+] DLL's found ['kernel32.dll'] [+] Syscalls found. ['SDs', 'GetProcessId', 'UploadData'] [+] EXE's found. ['Upl0ad3r.exe'] [+] interesting Strings found. ['apicall']
Purely based on regexes, nothing fancy.