Created February 25, 2022 18:55
Algo that resolves the driver name used by #HermeticWiper. Should likely be converted to idapython or something.
# Lowercase a-z (26 entries) followed by a NUL, mirroring the wide-character
# "abcdefghijklmnopqrstuvwxyz" table the decompiled code indexes into.
alpha_list = [chr(x) for x in range(0x61, 0x7b)]
alpha_list.append("\x00")  # index 26: the string terminator


def generate_driver_name(current_pid):
    """
    Generates the driver name HermeticWiper derives from its own PID.
    :param current_pid: The current Process ID of HermeticWiper.exe
    :return: a string with the driver name, e.g. "xydr.sys"
    """
    # First character. The decompilation adds (... % 0x1a) * 2 to the address of
    # the a-z table; the * 2 is the two-byte stride of a wchar_t array, so the
    # list index here is the value before that scaling. (current_pid + 1) is
    # grouped as in the terms below rather than left to operator precedence.
    idx_1 = ((current_pid + 1) * 0x10000 + (current_pid + 1)) % 0x1a
    # uVar10 keeps the decompiler's name so it can be matched against the listing.
    uVar10 = ((current_pid + 1) + current_pid) % 0xfff1
    # Second character, same table and same stride removed. The original adds the
    # unreduced uVar10 to the table address; it is folded into the index modulo
    # the table size here so the lookup stays within the 26 letters.
    idx_2 = (uVar10 + ((((current_pid + 1) + uVar10) % 0xfff1) * 10000) % 0x1a) % 0x1a
    return alpha_list[idx_1] + alpha_list[idx_2] + "dr.sys"
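The name shape the function above returns, two lowercase letters followed by dr.sys, is enough to hunt for the dropped driver without knowing the wiper's PID. The following is an added example, not part of the gist, that runs that check over constructed Sysmon-style FileCreate records (field names Image, ProcessId and TargetFilename as in Sysmon event ID 11; the records themselves are made up). The drivers directory used to rank a match as higher confidence is an assumption of the example, not something the gist states.

```python
import re

# Two lowercase letters followed by "dr.sys": the shape of every name
# generate_driver_name() can return (26 * 26 = 676 candidates).
DRIVER_NAME_RE = re.compile(r"^[a-z]{2}dr\.sys$")

# Assumption, not from the gist: the wiper writes its driver into the system
# drivers directory, so a match there is ranked higher than one elsewhere.
DRIVERS_DIR = r"c:\windows\system32\drivers"


def is_candidate_driver_name(path):
    """True if the file name component of a Windows path is ??dr.sys.

    NTFS is case-insensitive, so the comparison is done in lower case even
    though the wiper itself generates lowercase letters.
    """
    name = path.rsplit("\\", 1)[-1].lower()
    return DRIVER_NAME_RE.match(name) is not None


def hunt_driver_drops(events):
    """Flag FileCreate records whose target matches the ??dr.sys pattern.

    events: iterable of dicts with Image, ProcessId and TargetFilename.
    Returns a list of findings with confidence "high" when the file was
    created in DRIVERS_DIR and "medium" otherwise.
    """
    findings = []
    for ev in events:
        target = ev["TargetFilename"]
        if not is_candidate_driver_name(target):
            continue
        directory = target.rsplit("\\", 1)[0].lower()
        findings.append({
            "pid": ev["ProcessId"],
            "image": ev["Image"],
            "path": target,
            "confidence": "high" if directory == DRIVERS_DIR else "medium",
        })
    return findings


# Constructed sample records (not real telemetry); the process names are
# placeholders chosen for the example.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "ProcessId": 1204,
     "TargetFilename": r"C:\Windows\System32\drivers\ndis.sys"},
    {"Image": r"C:\Users\user\Downloads\dropper.exe", "ProcessId": 6220,
     "TargetFilename": r"C:\Windows\System32\drivers\xydr.sys"},
    {"Image": r"C:\Users\user\Downloads\dropper.exe", "ProcessId": 6220,
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\ABDR.SYS"},
    {"Image": r"C:\Windows\explorer.exe", "ProcessId": 4480,
     "TargetFilename": r"C:\Users\user\Documents\adr.sys"},  # one letter: no match
]

if __name__ == "__main__":
    for finding in hunt_driver_drops(SAMPLE_EVENTS):
        print(finding["confidence"], finding["pid"], finding["path"])
```

Once the PID of the creating process is known from the record, the gist's generate_driver_name(ProcessId) can be compared against the created file name to confirm that the observed drop follows the derivation above rather than merely matching the pattern.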