extract injects configuration from a Shylock infected machine

pipe.py

# k`sOSe
# extract webinjects configuration from a Shylock infected machine, tested on Shylock 1.2.1.3160
# to decode it: https://gist.github.com/1552594
import sys
import time
from ctypes import *

# each botnet has its own pipe name, change it.
PIPE_NAME = "\\\\.\\pipe\\D13A4A2693461B273701BEFB4E640D35"

def open_pipe():
 pipe_handle = windll.kernel32.CreateFileA(PIPE_NAME,
     0xc0000000,    #GENERIC_READ|GENERIC_WRITE
     3,  #FILE_SHARE_READ|FILE_SHARE_WRITE
     0,
     3,  #OPEN_EXISTING
     0x80,      #FILE_ATTRIBUTE_NORMAL
     0)

 if pipe_handle in [0, -1]:
    print "[!!] Error opening pipe: 0x%08x\n" % (windll.kernel32.GetLastError())
    sys.exit(1)
 else:
    print "[*] Got pipe handle: 0x%08x\n" % (pipe_handle)

 pipe_mode = c_ulong(0x2)  # PIPE_READMODE_MESSAGE
 windll.kernel32.SetNamedPipeHandleState(pipe_handle, byref(pipe_mode), 0, 0)

 return pipe_handle

def close_pipe(p):
 windll.kernel32.CloseHandle(p)

def wr(p, buf, buflen):
 written = c_ulong(0)
 windll.kernel32.WriteFile(p, buf, buflen, byref(written), 0)
 if written.value != buflen:
    print "[!!] wr:%x, got:%x => %x" %(written.value, buflen, windll.kernel32.GetLastError())
 return written.value

def rd(p, buflen):
 read = c_ulong(0)
 buf = create_string_buffer(buflen)
 windll.kernel32.ReadFile(p, byref(buf), buflen, byref(read), 0)
 if read.value == 0:
    print "[!!] r:%x, got:%x => %x" %(read.value, buflen, windll.kernel32.GetLastError())
 return buf.raw[:read.value]


print "need to wait a couple of second.."
time.sleep(2)

p = open_pipe()
wr(p, "\x07\x00\x00\x00", 4)
buf = rd(p, 0x20000)

open("injects.conf", 'wb').write(buf[8:])