@ksose
Created June 25, 2011 13:59
Dump Torpig targets list from an infected machine
import re
import sys
from ctypes import *
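# Reads the target list that a Torpig-infected host serves over its local
# named pipe and prints it, one entry per line.  Windows-only (kernel32 via
# ctypes) and Python 2 (print statements, str-typed buffers).  The request
# bytes below are reproduced from the original script; their per-message
# meaning is not documented here -- TODO confirm against the analysis notes.
PIPE_NAME = "\\\\.\\pipe\\!mscom$"


def _check(ok, what):
    """Exit with the Win32 error code when a kernel32 call reports failure.

    ok: the BOOL returned by a kernel32 call (nonzero on success).
    what: short label for the failing call, used in the error message.
    """
    if not ok:
        print "[!!] %s failed: 0x%08x" % (what, windll.kernel32.GetLastError())
        sys.exit(1)


pipe_handle = windll.kernel32.CreateFileA(
    PIPE_NAME,
    0xc0000000,  # GENERIC_READ|GENERIC_WRITE
    3,           # FILE_SHARE_READ|FILE_SHARE_WRITE
    0,           # no security attributes
    3,           # OPEN_EXISTING
    0x80,        # FILE_ATTRIBUTE_NORMAL
    0)
# 0 and INVALID_HANDLE_VALUE (-1 when read back as a signed int) both mean
# the open failed; GetLastError() tells why (e.g. the pipe does not exist).
if pipe_handle in [0, -1]:
    print "[!!] Error opening pipe: 0x%08x\n" % (windll.kernel32.GetLastError())
    sys.exit(1)
print "[*] Got pipe handle: 0x%08x" % (pipe_handle)

try:
    pipe_mode = c_ulong(0x2)  # PIPE_READMODE_MESSAGE
    _check(windll.kernel32.SetNamedPipeHandleState(
               pipe_handle, byref(pipe_mode), 0, 0),
           "SetNamedPipeHandleState")

    b_written = c_ulong(0)
    # Request sequence, sent as four separate messages (message mode above
    # keeps their boundaries).  Each WriteFile is checked so that a broken
    # pipe is reported instead of silently reading garbage afterwards.
    for chunk in ("\x01", "\x02", "\x06\x00\x00\x00",
                  "\x00\x00\x00\x00\x19\x00"):
        _check(windll.kernel32.WriteFile(
                   pipe_handle, c_char_p(chunk), len(chunk),
                   byref(b_written), 0),
               "WriteFile")

    b_read = c_ulong(0)
    # The reply starts with a single byte (role unknown here -- presumably a
    # status/opcode; TODO confirm) followed by a 4-byte payload length.  The
    # original script read both into msg_len, so the 1-byte read was simply
    # overwritten; reading it into its own variable keeps the same result.
    hdr_byte = c_ubyte(0)
    _check(windll.kernel32.ReadFile(
               pipe_handle, byref(hdr_byte), 1, byref(b_read), 0),
           "ReadFile(header)")
    msg_len = c_ulong(0)
    _check(windll.kernel32.ReadFile(
               pipe_handle, byref(msg_len), 4, byref(b_read), 0),
           "ReadFile(length)")

    # NOTE(review): msg_len comes from the peer (the malware) and is used
    # verbatim to size the buffer, as in the original; the peer controls the
    # allocation size.
    msg = create_string_buffer(msg_len.value)
    _check(windll.kernel32.ReadFile(
               pipe_handle, byref(msg), msg_len.value, byref(b_read), 0),
           "ReadFile(payload)")

    # The first 8 bytes of the payload are skipped (header of unknown layout
    # -- TODO confirm); the rest is a whitespace/NUL separated list.  Empty
    # fragments from runs of separators are dropped before counting so the
    # reported count matches the number of lines printed.
    targets = [t for t in re.split(r"\s+|\x00+", msg.raw[8:]) if t]
    print "[*] Got %d targets:" % (len(targets))
    for target in targets:
        print " %s" % (target)
finally:
    # Always release the pipe handle, including on the sys.exit() paths above.
    windll.kernel32.CloseHandle(pipe_handle)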