richardg867 · November 1, 2022 04:02
diff --git a/desynaptics.py b/desynaptics.py
 #
 # This Python 3 script disinfects Windows executables modified by the
 # Chinese "Synaptics" worm. It was developed with only one sample of
 # the worm as a basis, but it should work on any sample, as long as
 # it didn't mess with the way I detect the stub and extract the EXE.
 #
 #   $ python desynaptics.py file_or_directory_path
 #
 # If you're running this script under Windows, I highly recommend
 # disabling Windows Defender and other antivirus software, as well as
 # restoring/allowing any detections they may have made, otherwise the
 # infected files won't be readable by the script.
 #
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 # 
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #

 import os, sys

 def disinfect(file_path):
 	try:
 		f = open(file_path, 'rb')
 	except:
 		print('Open failed (antivirus triggered?):', file_path)
 		return
 	data = f.read(655360)

 	magic = data.find(b'\x00Drive Watcher Stop -> \x00')
 	if magic > -1:
 		print('Disinfecting:', file_path)
 		data += f.read()

 		mz_start = data.find(b'MZ', magic)
 		mz_end = data.rfind(b'MZ')
 		if mz_start > magic and mz_end > mz_start:
 			f.close()
 			f = open(file_path, 'wb')
 			f.write(data[mz_start:mz_end - 4])
 		else:
 			print('MZ detection failed, offsets:', magic, mz_start, mz_end)

 	f.close()

 scan = sys.argv[1] if len(sys.argv) > 1 else '.'
 if os.path.isdir(scan):
 	for scan_dir_path, scan_dir_names, scan_file_names in os.walk(scan):
 		for scan_file_name in scan_file_names:
 			disinfect(os.path.join(scan_dir_path, scan_file_name))
 elif os.path.isfile(scan):
 	disinfect(scan)
	#
	# This Python 3 script disinfects Windows executables modified by the
	# Chinese "Synaptics" worm. It was developed with only one sample of
	# the worm as a basis, but it should work on any sample, as long as
	# it didn't mess with the way I detect the stub and extract the EXE.
	#
	# $ python desynaptics.py file_or_directory_path
	#
	# If you're running this script under Windows, I highly recommend
	# disabling Windows Defender and other antivirus software, as well as
	# restoring/allowing any detections they may have made, otherwise the
	# infected files won't be readable by the script.
	#
	#
	# This program is free software: you can redistribute it and/or modify
	# it under the terms of the GNU General Public License as published by
	# the Free Software Foundation, either version 3 of the License, or
	# (at your option) any later version.
	#
	# This program is distributed in the hope that it will be useful,
	# but WITHOUT ANY WARRANTY; without even the implied warranty of
	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	# GNU General Public License for more details.
	#

	import os, sys

	def disinfect(file_path):
	try:
	f = open(file_path, 'rb')
	except:
	print('Open failed (antivirus triggered?):', file_path)
	return
	data = f.read(655360)

	magic = data.find(b'\x00Drive Watcher Stop -> \x00')
	if magic > -1:
	print('Disinfecting:', file_path)
	data += f.read()

	mz_start = data.find(b'MZ', magic)
	mz_end = data.rfind(b'MZ')
	if mz_start > magic and mz_end > mz_start:
	f.close()
	f = open(file_path, 'wb')
	f.write(data[mz_start:mz_end - 4])
	else:
	print('MZ detection failed, offsets:', magic, mz_start, mz_end)

	f.close()

	scan = sys.argv[1] if len(sys.argv) > 1 else '.'
	if os.path.isdir(scan):
	for scan_dir_path, scan_dir_names, scan_file_names in os.walk(scan):
	for scan_file_name in scan_file_names:
	disinfect(os.path.join(scan_dir_path, scan_file_name))
	elif os.path.isfile(scan):
	disinfect(scan)