oops
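#!/usr/bin/python3
"""
IMPORTANT - READ BEFORE CONTINUING:
1. This tool is only intended to repair machines that have been infected and never turned back on again. i.e. NO ENCRYPTION HAS HAPPENED YET
2. You should make a full disk backup before continuing. I am not responsible if this makes things worse.
3. This tool does not repair part of NTLDR which is corrupted by the malware (The second sector of the NTFS partition), you will need a secondary tool to do this.

The script opens the given disk (or image) read/write and overwrites sector 0
with the copy of the original MBR that the malware stashed at offset 0x4400
(stored XORed with 0x07). Two sanity checks guard the write: the current MBR
must hash to the one known infected sample, and the recovered backup must end
with the 0x55AA boot signature. Run it against a disk image first if you can.
"""
import hashlib
import os
import sys

SECTOR_SIZE = 0x200
BACKUP_OFFSET = 0x4400  # where the malware keeps the (obfuscated) original MBR
XOR_KEY = 0x07  # single-byte XOR applied to the backup
BOOT_SIGNATURE = b"\x55\xAA"
# SHA-256 of the infected MBR this tool was written against. Other builds of
# the malware may write a different bootloader and will be refused on purpose.
KNOWN_INFECTED_MBR_SHA256 = "bc0d4c2d90178464c9e495eb63765b938a69696a9e04ee6214f6374af49b297a"


def deobfuscate(data: bytes) -> bytes:
    """Undo the malware's XOR-with-0x07 obfuscation (the operation is its own inverse)."""
    return bytes(b ^ XOR_KEY for b in data)


def restore_mbr(disk, expected_hash: str = KNOWN_INFECTED_MBR_SHA256) -> bytes:
    """Restore sector 0 of ``disk`` from the malware's backup copy.

    Args:
        disk: a seekable binary file object opened read/write (a raw device,
            a disk image, or an in-memory buffer).
        expected_hash: hex SHA-256 the current MBR must match before anything
            is written. Defaults to the one known infected sample; override
            only if you have verified the layout matches.

    Returns:
        The 512-byte boot sector that was written to offset 0.

    Raises:
        ValueError: the MBR is short, does not match ``expected_hash``, the
            backup is short or lacks the boot signature, or the sector does
            not read back as written. Nothing is written in the first three
            cases.
    """
    disk.seek(0)
    infected_mbr = disk.read(SECTOR_SIZE)
    if len(infected_mbr) != SECTOR_SIZE:
        raise ValueError("Could not read a full 512-byte MBR from the disk")
    if hashlib.sha256(infected_mbr).hexdigest() != expected_hash:  # sanity check
        raise ValueError("MBR hash does not match known sample. Patch out this sanity check at your own risk")

    disk.seek(BACKUP_OFFSET)
    old_mbr = deobfuscate(disk.read(SECTOR_SIZE))
    # A short read would make the [0x1FE:] slice miss the signature position
    # entirely, so require a full sector before checking the last two bytes.
    if len(old_mbr) != SECTOR_SIZE or old_mbr[0x1FE:] != BOOT_SIGNATURE:  # sanity check
        raise ValueError("Boot sector missing from backup!")

    print("Restoring MBR...")
    disk.seek(0)
    disk.write(old_mbr)
    disk.flush()

    # Read the sector back so a silently short or failed write on a raw
    # device is reported instead of being announced as a success.
    disk.seek(0)
    if disk.read(SECTOR_SIZE) != old_mbr:
        raise ValueError("MBR did not read back as written; check the disk before rebooting")
    return old_mbr


def main(argv=None) -> int:
    """Command-line entry point.

    Args:
        argv: argument vector to use instead of ``sys.argv`` (for callers
            embedding this script); ``argv[1]`` is the disk path.

    Returns:
        Process exit status: 0 on success, 1 on a refused or failed restore,
        2 on bad usage.
    """
    args = sys.argv if argv is None else argv
    if len(args) != 2:
        print("USAGE: {} infected_disk".format(args[0]))
        return 2

    try:
        with open(args[1], "rb+") as disk:
            restore_mbr(disk)
            # Push the new sector through the OS cache to the device before
            # telling the user it is safe to move on.
            os.fsync(disk.fileno())
    except ValueError as exc:
        print("ERROR: {}".format(exc))
        return 1
    except OSError as exc:
        # Typically a missing device path or running without the privileges
        # needed to open the raw disk read/write.
        print("ERROR: could not access {}: {}".format(args[1], exc))
        return 1

    print("Restoration complete!")
    print("You will still need to restore NTLDR before you are able to boot up your machine again.")
    return 0


if __name__ == "__main__":
    sys.exit(main())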