idapython脚本,用来自动提取 binary 文件中嵌入的 exe可执行文件
import pefile
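def find_string_occurrences(string):
    """Return every IDB address at which *string* occurs as raw bytes.

    The search runs downward from the image base plus 1024 bytes (which
    skips the host image's own DOS header/stub for the usual layout --
    TODO confirm that offset is enough for every loader) and resumes one
    byte past each hit, so overlapping matches are not lost.

    Args:
        string: ASCII text to look for. It is handed to FindBinary as a
            quoted pattern, i.e. a literal, case-sensitive (SEARCH_CASE)
            byte string.

    Returns:
        list[int]: matching addresses in ascending order; empty when the
        text does not occur.
    """
    results = []
    # Double quotes make FindBinary treat the pattern as a literal string
    # rather than a hex-byte sequence.
    pattern = '"%s"' % string
    cursor = idaapi.get_imagebase() + 1024
    while True:
        ea = FindBinary(cursor, SEARCH_NEXT | SEARCH_DOWN | SEARCH_CASE, pattern)
        # BADADDR is the "not found" sentinel for the running IDA build.
        # The original compared against a hard-coded 0xFFFFFFFF, which is
        # only correct in 32-bit IDA; in 64-bit IDA the sentinel is
        # 0xFFFFFFFFFFFFFFFF, the comparison never matched and the loop
        # never terminated.
        if ea == idaapi.BADADDR:
            break
        results.append(ea)
        cursor = ea + 1
    return results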
def find_embedded_exes():
    """Locate PE images embedded in the loaded binary via their DOS-stub text.

    Each occurrence of the stub message is checked for an "MZ" signature
    77 bytes earlier. That distance matches the standard Microsoft stub:
    the message starts at file offset 0x4E and the 0x21 byte of the
    preceding "int 21h" (offset 0x4D) doubles as the leading "!". Images
    built with a different stub are not detected.

    Returns:
        list[int]: addresses of the "MZ" signatures found, in search order.
        Nothing is reported unless the text occurs more than once
        (``len(hits) > 1``). NOTE(review): the search already starts 1024
        bytes past the image base, so a lone embedded image would be
        skipped by that condition -- confirm whether this is intended.
    """
    STUB_TEXT = "!This program cannot be run in DOS mode."
    MZ_OFFSET = 77  # bytes from the stub text back to the "MZ" signature
    found = []
    hits = find_string_occurrences(STUB_TEXT)
    if len(hits) > 1:
        for hit in hits:
            mz_start = hit - MZ_OFFSET
            signature = (Byte(mz_start), Byte(mz_start + 1))
            if signature == (ord("M"), ord("Z")):
                print("[*] Identified embedded executable at the following offset: 0x%x" % mz_start)
                found.append(mz_start)
    return found
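def calculate_exe_size(begin, header_bytes=1024):
    """Compute the on-disk size of the PE image whose "MZ" header is at *begin*.

    Only the first *header_bytes* bytes are read from the IDB and parsed
    with pefile; that covers the DOS/NT headers and section table of
    typical images. If the headers are truncated or malformed, pefile's
    PEFormatError propagates to the caller.

    The size is the end of the section whose raw data reaches furthest
    (max PointerToRawData + SizeOfRawData). Unlike summing SizeOfRawData
    onto SizeOfHeaders, this stays correct when sections are padded,
    out of order or separated by gaps. With no sections it falls back to
    SizeOfHeaders. Data appended after the last section (an overlay) is
    not counted, as before.

    Args:
        begin: IDB address of the "MZ" signature.
        header_bytes: number of bytes to read for header parsing
            (default 1024, the value the original hard-coded).

    Returns:
        int: byte count from *begin* to the end of the last section.
    """
    # bytearray avoids the quadratic str += loop; bytes() yields the type
    # pefile expects on both Python 2 and 3.
    header = bytearray(Byte(begin + offset) for offset in range(header_bytes))
    pe = pefile.PE(data=bytes(header))
    total_size = pe.OPTIONAL_HEADER.SizeOfHeaders
    for section in pe.sections:
        section_end = section.PointerToRawData + section.SizeOfRawData
        total_size = max(total_size, section_end)
    return total_size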
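def extract_exe(name, begin, size):
    """Dump *size* bytes starting at IDB address *begin* into the file *name*.

    The bytes are copied verbatim, one Byte() read per offset, and written
    in binary mode relative to IDA's current working directory. The file
    is closed even if the write raises.

    Args:
        name: output path.
        begin: address of the first byte to copy (the "MZ" signature).
        size: number of bytes to copy, e.g. from calculate_exe_size().
    """
    print("Begin to extract exe to file %s.Start address: %s. Exe size: %d" % (name, hex(begin), size))
    # bytearray instead of the quadratic str += loop.
    image = bytearray(Byte(begin + offset) for offset in range(size))
    # with-block closes the handle on error; the original leaked it.
    with open(name, 'wb') as out:
        out.write(bytes(image))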
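# --- script body: runs when the file is loaded into IDA ------------------
# Pause with raw_input() on Python 2: the original called input(), which on
# Python 2 evaluates the typed text as a Python expression, so pressing
# anything but a valid expression raises and the extraction step is never
# reached. On Python 3, input() already returns the raw line.
try:
    _pause = raw_input
except NameError:
    _pause = input

exes_start_addr = find_embedded_exes()
# "MZ" address -> on-disk size of that image.
exes_sizes = {}
for exe_addr in exes_start_addr:
    exes_sizes[exe_addr] = calculate_exe_size(exe_addr)
print(exes_sizes)
_pause("wait")
# Each image is written to the current working directory, named by its
# IDB address.
for exe_addr, size in exes_sizes.items():
    extract_exe("embedded_exe-%s" % hex(exe_addr), exe_addr, size)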