Windows executable disinfector for the "Synaptics" worm
#
# This Python 3 script disinfects Windows executables modified by the
# Chinese "Synaptics" worm. It was developed with only one sample of
# the worm as a basis, but it should work on any sample, as long as
# that sample did not change the stub marker this script searches for
# or the layout it relies on to extract the original EXE.
#
# $ python desynaptics.py file_or_directory_path
#
# If you're running this script under Windows, I highly recommend
# disabling Windows Defender and other antivirus software, as well as
# restoring/allowing any detections they may have made, otherwise the
# infected files won't be readable by the script.
#
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
import os, sys
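def disinfect(file_path):
    """Strip the "Synaptics" worm stub from one Windows executable, in place.

    The worm wraps the original EXE inside its own stub. This function looks
    for the stub's ``Drive Watcher Stop`` marker string; when it is present,
    the embedded EXE is taken to be the span from the first ``MZ`` after the
    marker up to the last ``MZ`` in the file minus a 4-byte trailer, and
    ``file_path`` is overwritten with that span. Files without the marker
    are left untouched.

    Args:
        file_path: path of the file to examine and, if infected, rewrite.

    Returns:
        None. Progress and failures are reported on stdout. Unreadable or
        unwritable files are reported rather than raised, so a directory
        scan continues past them.

    Notes:
        The file is rewritten in place and no backup is kept. The ``MZ``
        search is a heuristic derived from a single sample: the last ``MZ``
        in the file is assumed to belong to the worm's trailer, so a sample
        with a different layout may yield a wrong result; the length check
        below only guards against producing an empty file.
    """
    marker = b'\x00Drive Watcher Stop -> \x00'
    try:
        f = open(file_path, 'rb')
    except OSError:
        print('Open failed (antivirus triggered?):', file_path)
        return
    with f:
        # The marker sits in the stub near the start of the file, so only
        # the head is read to decide infection; the rest is read on demand.
        data = f.read(655360)
        magic = data.find(marker)
        if magic == -1:
            return
        data += f.read()
    print('Disinfecting:', file_path)
    mz_start = data.find(b'MZ', magic)
    mz_end = data.rfind(b'MZ')
    # Require a non-empty span: with mz_end - 4 <= mz_start the slice would
    # be empty and the file would be truncated to nothing.
    if not (mz_start > magic and mz_end - 4 > mz_start):
        print('MZ detection failed, offsets:', magic, mz_start, mz_end)
        return
    try:
        with open(file_path, 'wb') as out:
            out.write(data[mz_start:mz_end - 4])
    except OSError:
        print('Write failed (read-only or antivirus triggered?):', file_path)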
# Entry point: take the path given on the command line (default: the current
# directory) and run disinfect() on it, or on every file below it if it is a
# directory. Anything that is neither a file nor a directory is ignored.
scan = sys.argv[1] if len(sys.argv) > 1 else '.'
if os.path.isfile(scan):
    disinfect(scan)
elif os.path.isdir(scan):
    for dir_path, _subdirs, file_names in os.walk(scan):
        for file_name in file_names:
            disinfect(os.path.join(dir_path, file_name))