-
Notifications
You must be signed in to change notification settings - Fork 5
/
SigLocator.py
151 lines (142 loc) · 5.51 KB
/
SigLocator.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
import os
import shutil
import string
import random
import threading
import subprocess
sigList = []
workPath = os.path.join(os.environ['userprofile'], 'Desktop', "".join(random.choices(string.ascii_letters, k=10)))
testWD = True
testMem = False
# 测试机器码是否存在特征码
def TestCode(code):
print(f'Testing length: {len(code)}')
killed = False
if testMem:
# 保存至桌面 BIN 文件
'''
开头添加该函数 ShellCode, 让杀毒软件有充足的扫描时间
void Wait(PVOID pSleep) {
((int(*)(...))pSleep)(60000);
}
'''
codePath = f'{workPath}\\{"".join(random.choices(string.ascii_letters, k=10))}.bin'
with open(codePath, 'wb') as f:
f.write(b'\x48\x89\x4C\x24\x08\x48\x83\xEC\x28\xB9\x60\xEA\x00\x00\xFF\x54\x24\x30\x90\x48\x83\xC4\x28\xC3' + code)
# 创建 Loader 程序
testMemPath = f'{workPath}\\{"".join(random.choices(string.ascii_letters, k=10))}.exe'
shutil.copyfile('TestMem.exe', testMemPath)
# 内存加载查杀
print(f'Testing Bin: {codePath}')
print(f'Testing EXE: {testMemPath}')
try:
threading.Thread(target=lambda: subprocess.Popen([testMemPath, codePath])).start()
except:
pass
killed = input('是否被查杀(任意字符Yes/回车No): ')
try:
os.remove(codePath)
except:
pass
try:
os.remove(testMemPath)
except:
pass
else:
# 保存至桌面 EXE 文件
samplePath = f'{workPath}\\{"".join(random.choices(string.ascii_letters, k=10))}.exe'
with open(samplePath, 'wb') as f:
f.write(code)
# 运行查杀
try:
print(f'Testing EXE: {samplePath}')
os.startfile(samplePath)
except Exception as e:
if testWD and 'WinError 225' in str(e):
killed = True
if not testWD:
killed = input('是否被查杀(任意字符Yes/回车No): ')
try:
os.remove(samplePath)
except:
pass
return killed
def FindSigHead(start, end, code):
while True:
point = (start + end) // 2
snippet = code[point:]
# print('FindSigHead', start, point, end)
if point == start:
break
if TestCode(snippet): # point <= 特征码起始位置
start = point
else: # point > 特征码起始位置
end = point
return start
def FindSigTail(start, end, code):
while True:
point = (start + end) // 2
snippet = code[:point]
# print('FindSigTail', start, point, end)
if point == start:
break
if TestCode(snippet): # point >= 特征码结束位置
end = point
else: # point < 特征码结束位置
start = point
return end
def BinarySearch(code):
segSize = len(code) // 2
snippet1 = code[:segSize]
snippet2 = code[segSize:]
# 定位两片段中的特征码
killed = False
if TestCode(snippet1):
killed = True
BinarySearch(snippet1)
if TestCode(snippet2):
killed = True
BinarySearch(snippet2)
# 两片段均存活, 说明机器码中仅有一个特征码且被截断
if not killed:
# 查找特征码起始位置 (一定位于 0 ~ segSize 之间)
head = FindSigHead(0, segSize, code)
# 查找特征码结束位置 (一定位于 segSize ~ 结尾 之间)
tail = FindSigTail(segSize, len(code), code)
# 输出特征码
signature = code[head:tail]
if len(signature) > 0:
global sigList
sigList += [signature]
print('\033[92m' + f'[+] Signature: {signature}' + '\033[0m')
sigName = f'{"".join(random.choices(string.ascii_letters, k=10))}.bin'
with open(sigName, 'wb') as f:
f.write(signature)
print('\033[92m' + f'[+] Save to {sigName}' + '\033[0m')
if __name__ == '__main__':
print(r''' __| _) | |
\__ \ | _` | | _ \ _| _` | _| _ \ _|
____/ _| \__, | ____| \___/ \__| \__,_| \__| \___/ _|
____/
https://github.com/HackerCalico/SigLocator''')
print('\033[31m' + f'[!] 当前项目务必添加至所有杀毒软件的白名单.' + '\033[0m')
print('\033[31m' + f'[!] 定位前务必关闭所有杀毒软件的样本提交功能.' + '\033[0m')
print('\033[31m' + f'[!] 请在确保样本在本机运行时不会产生危害的情况下进行测试.' + '\033[0m')
print('\033[31m' + f'[!] 为了测试准确请确保只有一个杀毒软件起作用, 建议阅读 README.' + '\033[0m')
codePath = input('\033[94m' + 'CodePath: ' + '\033[0m')
with open(codePath, 'rb') as f:
code = f.read()
testMem = input('\033[94m' + '是否测试内存查杀 (任意字符Yes/回车No): ' + '\033[0m')
if not testMem:
testWD = input('\033[94m' + '测试杀软是否为 Windows Defender (任意字符Yes/回车No): ' + '\033[0m')
os.makedirs(workPath)
_1st = True
while _1st or TestCode(code):
_1st = False
# 定位特征码
BinarySearch(code)
# 清除已知特征码
if len(sigList) == 0: # 样本不存在特征码
break
for sig in sigList:
code = code.replace(sig, b'')