forked from lasq88/deobfuscate
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathdeobfuscate.py
105 lines (94 loc) · 3.7 KB
/
deobfuscate.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
#!/usr/bin/python
import re,sys,zlib,base64,argparse
obfuscation_methods = [
('replace','Replace String','replace\s?\('),
('decompress','Compress string','::decompress'),
('split','ASCII table with split','-split'),
('ascii','ASCII table','\((?:\s?[0-9]{2,3}\s?,?){5,}\)')
]
def FindString(str,regx):
match = re.compile(regx,flags=re.I)
search = re.findall(match,str)
return search
def StrChar(matchobj):
return "'"+chr(int(matchobj.group(1)))+"'"
def FindReplaces(text,replacements):
match = re.compile("replace\s*(\(|\(\(|)\\\\?'([a-zA-Z0-9]{2,4})\\\\?'(\)|),\\\\?'(.{1})\\\\?'(\)|)",flags=re.I)
search = re.findall(match,text)
if (search == []):
return 0
else:
for i in search:
replacements.add((i[1],i[3]))
return replacements
def DeobfReplace(text):
replacements = set()
while True:
text = re.sub("'\+'|''\+|\+''","",text)
text = re.sub('\[char\]([0-9]{2,3})',StrChar,text,flags=re.I)
text = re.sub("'\+'|''\+|\+''","",text)
text = re.sub('\[string\]','',text,flags=re.I)
if(FindReplaces(text, replacements) == 0):
return text
else:
replacements = FindReplaces(text, replacements)
for i in replacements:
text = re.sub("'\+'|''\+|\+''","",text)
text = text.replace(i[0],i[1])
def Detect(text):
for (_, method, regx) in obfuscation_methods:
match = re.compile(regx,flags=re.I)
search = re.findall(match,text)
if (search != []):
return method
if (search == []):
return -1
def Deobfuscate(text,method):
try:
if (method == "Replace String"):
return DeobfReplace(text)
elif (method == "Compress string"):
compressed = FindString(text,"frombase64string\(\s?'(\S*)'")[0]
return zlib.decompress(base64.b64decode(compressed),-zlib.MAX_WBITS)
elif (method == "ASCII table with split"):
split_by = '|'.join(FindString(text,"split\s?'(\S)'"))
ascii_table = re.split(split_by,FindString(text,"\('(\S*)'")[0])
return ''.join(chr(int(i)) for i in ascii_table)
elif (method == "ASCII table"):
ascii_table = re.split(',',FindString(text,'\(((?:\s?[0-9]{2,3}\s?,?){5,})\)')[0])
return ''.join(chr(int(i)) for i in ascii_table)
except:
print "Unfortunately deobfuscation failed. Maybe you provided wrong method or there is no method to deobfuscate this code."
return -1
def main():
parser = argparse.ArgumentParser(description='Deobfuscates Emotet\'s powershell payload')
parser.add_argument("file", type=argparse.FileType('r'), help="file with obfuscated code")
parser.add_argument("-m", "--method",type=str, choices=['replace', 'decompress', 'split', 'ascii'], help="Specify obfuscation method")
args = parser.parse_args()
text = args.file.readlines()
for line in text:
if (args.method != None):
for i in obfuscation_methods:
if (i[0] == args.method):
detected = i[1]
print "Provided obfuscation method: " + detected
deobfuscated_text = Deobfuscate(line,detected)
else:
detected = Detect(line)
if (detected != -1):
print "Detected obfuscation method: " + detected
deobfuscated_text = Deobfuscate(line,detected)
else:
print "Obfuscation method could not be detected automatically. Try to specify deobfuscation method by using --method"
return -1
if (deobfuscated_text != -1):
urls = FindString(deobfuscated_text,'https?://(?:[-\w.]|(?:%[\da-fA-F]{2}))+[/\-\w]+')
print ''
print 'Deobfuscated text: '
print deobfuscated_text
print ''
print 'IoC Found: '
for url in urls:
print url
if __name__ == "__main__":
main()