Skip to content

Instantly share code, notes, and snippets.

@netscylla

netscylla/diasass.sh

Created February 28, 2019 16:34
Show Gist options
  • Save netscylla/9c14da340706d553920edc18bc7c308a to your computer and use it in GitHub Desktop.
Save netscylla/9c14da340706d553920edc18bc7c308a to your computer and use it in GitHub Desktop.
Download ZIP
An old script that is still useful - semi-automated script to disassemble shell code and fingerprint its functionality
Raw
diasass.sh
#!/bin/bash
##########################################
#
# Disass.sh (c) 2014
# Leveraging other OS disassembly and AV tools to fingerprint potential malware
#
# License :
# http://www.gnu.org/licenses/agpl-3.0.txt
#
# Author: Andy @ Netscylla
#
###########################################
echo -en "Testing for dependancies\n==============\n"
if [ ! -f "/usr/bin/md5" ]; then
export MD5_PROG="openssl dgst -md5"
echo -en "Using OpenSSL for MD5\n"
else
export MD5_PROG="/usr/bin/md5"
echo -en "Found md5\n"
fi
export SHA_PROG="openssl dgst -sha1"
echo -en "Using OpenSSL for SHA1\n"
if [ "$1" != "" ]; then
echo -en "\nFile Info\n==============\n"
echo "Filename: $1"
echo "Date: `date`"
md5=`$MD5_PROG $1`
echo "$md5"
sha=`$SHA_PROG $1`
echo "$sha"
magic=`file $1`
echo "magic: $magic"
if [ "$magic" == "$1: ASCII text, with very long lines" ]; then
echo "FOUND ASCII FILE.... ANALYSING..."
base64 -D -i $1 -o $1.data
magic=`file $1.data`
echo "magic: $magic"
fi
if [ ! -f $1.data ]; then
echo "creating data file $1.data"
cp $1 $1.data
magic=`file $1.data`
echo "magic: $magic"
fi
if [ "$magic" == "$1.data: data" ]; then
if [ ! -f $1.data ]; then
cp $1 $1.data
fi
echo -en "\n.text extracted\n==============\n"
md5=`$MD5_PROG $1.data`
echo "$md5"
sha=`$SHA_PROG $1.data`
echo "$sha"
header=`xxd $1.data |head -n 1|cut -b 10-48`
if [ "$header" == "fcbb 07f3 38b3 eb0c 5e56 311e ad01 c385" ]; then
echo "FOUND JMP_ADDITIVE XOR"
fi
cat $1.data |xxd -pr|awk '{printf "%s", $0}'|xargs rasm2 -a x86 -D |sed -e 's/push 0xe553a458/push 0xe553a458 ; hash("kernel32.dll","VirtualAlloc")/g'| sed -e 's/push 0x5fc8d902/push 0x5fc8d902 ; hash("ws2_32.dll","recv")/g'|sed -e 's/push 0x300f2f0b /push 0x300f2f0b ; hash("kernel32.dll","VirtualFree")/g'| sed -e 's/push 0x56a2b5f0/push 0x56a2b5f0 ; hash("kernel32.dll","ExitProcess")/g'|sed -e 's/push 0x614d6e75/push 0x614d6e75 ; hash("ws2_32.dll","closesocket")/g'|sed -e 's/mov ebx, 0x56a2b5f0/mov ebx, 0x56a2b5f0 ; hash("kernel32.dll","ExitProcess")/g'|sed -e 's/push 0x6174a599/push 0x6174a599 ; hash("ws2_32.dll","connect")/g'|sed -e 's/push 0xe0df0fea/push 0xe0df0fea ; hash("ws2_32.dll","WSASocketA")/g'|sed -e 's/push 0x5f327377/push 0x5f327377 ; push 'ws2_32',0,0/g'|sed -e 's/push 0x726774c/push 0x726774c ; hash("kernel32.dll","LoadLibraryA")/g'|sed -e 's/push 0x300f2f0b/push 0x300f2f0b ; hash("kernel32.dll","VirtualFree")/g'|sed -e 's/push 0x6b8029/push 0x6b8029 ; hash("ws2_32.dll", "WSAStartupA")/g'|sed -e 's/mov ebx, 0x6f721347/mov ebx, 0x6f721347 ; hash("ntdll.dll","RtlExitUserThread")/g'|sed -e s'/push 0x9dbd95a6/push 0x9dbd95a6 ; hash("kernel32.dll","GetVersion")/g'|sed -e 's/push 0x863fcc79/push 0x863fcc79 ; hash("kernel32.dll","CreateProcessA")/g'|sed -e 's/push 0x601d8708/push 0x601d8708 ; hash("kernel32.dll","WaitForSingleObject")/g'|sed -e 's/push 0xe13bec74/push 0xe13bec74 ; hash("ws2_32.dll","accept")/g'|sed -e 's/push 0xff38e9b7/push 0xff38e9b7 ; hash("ws2_32.dll","listen")/g'|sed -e 's/push 0x6737dbc2/push 0x6737dbc2 ; hash("ws2_32.dll","bind")/g'|sed -e 's/add byte \[ebx + 0x56a2b5f0\], bh/add byte \[ebx + 0x56a2b5f0\], bh ; hash("kernel32.dll","ExitProcess")/g'|sed -e 's/push 0xe2899612/push 0xe2899612 ; hash("wininet.dll","InternetReadFile")/g'|sed -e 's/push 0x7b18062d/push 0x7b18062d ; hash("wininet.dll","HttpSendRequestA")/g'|sed -e 's/push 0x696e6977/push 0x696e6977 ; 'wininet',0/g'|sed -e 's/push 0xa779563a/push 0xa779563a ; hash("wininet.dll","InternetOpenA")/g'|sed -e 's/push 0x3b2e55eb/push 0x3b2e55eb ; hash("wininet.dll","HttpOpenRequestA")/g' |sed -e 's/push 0xe7bdd8c5/push 0xe7bdd8c5 ; hash("kernel32.dll","WriteProcessMemory”)/g' |sed -e 's/push 0xe035f044/push 0xe035f044 ; hash("kernel32.dll","Sleep”)/g'|sed -e 's/push 0x799aacc6/push 0x799aacc6 ; hash("kernel32.dll","CreateRemoteThread”)/g'|sed -e 's/push 0x3f9287ae/push 0x3f9287ae ; hash("kernel32.dll","VirtualAllocEx”)/g'|sed -e 's/push 0xb16b4ab1/push 0xb16b4ab1 ; hash("kernel32.dll","GetStartupInfoA”)/g'|sed -e 's/push 0x863fcc79/push 0x863fcc79 ; hash("kernel32.dll","CreateProcessA”)/g'|sed -e 's/push 0x869e4675/push 0x869e4675 ; hash("wininet.dll", "InternetSetOptionA”)/g' |sed -e 's/push 0x84e03200/push 0x84e03200 ; hash("wininet.dll", "HttpOpenRequestA”)/g' |sed -e 's/push 0x709d8805/push 0x709d8805 ; hash("winhttp.dll","WinHttpReceiveResponse")/g' |sed -e 's/push 0x91bb5895/push 0x91bb5895 ; hash("winhttp.dll","WinHttpSendRequest")/g'|sed -e 's/push 0xce9d58d3/push 0xce9d58d3 ; hash("winhttp.dll","WinHttpSetOption")/g' |sed -e 's/push 0xc69f8957/push 0xc69f8957 ; hash("wininet.dll","InternetConnectA")/g' |sed -e 's/push 0x61736e64/push 0x61736e64 ; hash("dnsapi.dll","DNSAPI")/g' |sed -e 's/push 0xc99cc96a/push 0xc99cc96a ; hash("dnsapi.dll","DnsQuery_A")/g' | sed -e 's/push 0x90020/push 0x90020 ; Shellcode of Death!/g' | sed -e 's/push 0xbb5f9ead/push 0xbb5f9ead ; hash("kernel32.dll","ReadFile")/g'| sed -e 's/push 0xc0000000/push 0xc0000000 ; hash("dwDesiredAccess","GENERIC_READ | GENERIC_WRITE")/g'> $1.asm
cat $1.asm
echo -en "\nPossible Sockets?\n==============\n"
octets=($(cat $1.asm |grep -B 11 "; hash(\"ws2_32.dll\",\"WSASocketA\")"|head -n 1 |awk '$4 == "push" {print $3}'|sed 's/../0x& /g' | tr ' ' '\n' ))
ip=`printf "%d.%d.%d.%d" ${octets[1]} ${octets[2]} ${octets[3]} ${octets[4]} | sed 's/\.$//'`
port=($(cat $1.asm |grep -B 10 "; hash(\"ws2_32.dll\",\"WSASocketA\")"|head -n 1|awk '$4 == "push" {print $3}'|cut -b 5- |sed 's/../0x& /g' | tr ' ' '\n'))
port2=`printf "%x" ${port[1]} ${port[2]}`
port=`printf "%d\n" 0x${port2}`
echo "Connection string: $ip:$port"
#another possibility for ip & port
octets=($(cat $1.asm |grep -B 6 "; hash(\"ws2_32.dll\",\"connect\")"|head -n 1 |awk '$4 == "push" {print $3}'|sed 's/../0x& /g' | tr ' ' '\n' ))
ip=`printf "%d.%d.%d.%d" ${octets[1]} ${octets[2]} ${octets[3]} ${octets[4]} | sed 's/\.$//'`
port=($(cat $1.asm |grep -B 5 "; hash(\"ws2_32.dll\",\"connect\")"|head -n 1|awk '$4 == "push" {print $3}'|cut -b 5- |sed 's/../0x& /g' | tr ' ' '\n'))
port2=`printf "%x" ${port[1]} ${port[2]}`
port=`printf "%d\n" 0x${port2}`
echo "Connection string: $ip:$port"
#pull connection string from #windows/meterpreter/reverse_ord_tcp
conn=$(cat $1.asm |sed -n '/68.*push/p'|awk '{print $3 }' |awk '!(NR%2){print$0p}{p=$0}')
port2=$(echo $conn|cut -b 7-10)
port=`printf "%d\n" 0x${port2}`
octets=($(echo $conn|cut -b 13-22| sed 's/../0x& /g' | tr ' ' '\n'))
ip=`printf "%d.%d.%d.%d" ${octets[0]} ${octets[1]} ${octets[2]} ${octets[3]}`
echo "Connection string: $ip:$port"
echo -en "\nStrings\n==============\n"
my_strings=`strings $1.data`
echo "$my_strings"
echo -en "\nClamav\n==============\n"
my_avscan=`clamscan $1.data|head -n 2`
echo "$my_avscan"
echo -en "\nMSF/Sample Fingerprint\n=====================\n"
cat $1.asm|grep ";"|cut -f 2 -d";" > $1.msff
msfmd5=`$MD5_PROG $1.msff`
echo "$msfmd5"
msfsha=`$SHA_PROG $1.msff`
echo "$msfsha"
sqlite3 msf.db "select payload from payload where hash = '`echo $msfmd5|awk {'print $2}'`'"
echo -en "\n"
echo "Cleaning up temporary files..."
#rm $1.b64 $1.data $1.asm
fi
else
echo "Missing data file parameter"
fi
#stagers
#windows/meterpreter/reverse_tcp
#MD5 (rev_tcp.msff) = 92f42265acf057eab58a7ae8b35ededa
#SHA (rev_tcp.msff) = fdbccfbd1fd4af350c2f12b15f3c814062c86189
#windows/meterpreter/reverse_winhttp
#MD5 (rev_winhttp.msff) = 0788013f645e9babbda67f6f8c22a864
#SHA (rev_winhttp.msff) = c2e1fdd60e29fdacfdbe72d7256680486f09b30b
#windows/meterpreter/reverse_http
#MD5 (rev_http.msff) = 032d23c74678327d7394714b85535381
#SHA (rev_http.msff) = 84116e59095e45e0b2a116b68fa840c81e8308d7
#windows/meterpreter/reverse_https
#MD5 (rev_https.msff) = 5177617c7a83619da2528e99bdd89fe2
#SHA (rev_https.msff) = e5b3222b9607531bd69e416a96094e5eb63b1cda
#windows/meterpreter/reverse_tcp_dns
#MD5 (rev_dns.msff) = 582d3ca7ae0b1c5bd8f85f934e1d6dba
#SHA (rev_dns.msff) = a0f6ed463dc3a0359c6497687d77701eab395bf3
#windows/meterpreter/reverse_tcp_rc4
#MD5 (rev_rc4.msff) = 582d3ca7ae0b1c5bd8f85f934e1d6dba
#SHA (rev_rc4.msff) = a0f6ed463dc3a0359c6497687d77701eab395bf3
#windows/meterpreter/reverse_tcp_allports
#MD5 (rev_tcp_all.msff) = a7dbe5bdc9acbf0a8bd49dd19e8f7650
#SHA (rev_tcp_all.msff) = e875f1296e18e81df7f5e51e4bd4f7788b860fcd
#windows/meterpreter/reverse_ord_tcp (blanksig)
#MD5 (rev_ord_tcp.msff) = d41d8cd98f00b204e9800998ecf8427e
#SHA (rev_ord_tcp.msff) = da39a3ee5e6b4b0d3255bfef95601890afd80709
#windows/meterpreter/reverse_nonx_tcp (almost blanksig)
#MD5 (rev_nonx_tcp.msff) = ea7696e4c98fd30c29f03e99980b4621
#SHA (rev_nonx_tcp.msff) = a373b9bd6be632f7843102e425278a7793e9fbdf
#windows/meterpreter/reverse_tcp_rc4_dns
#MD5 (rev_rc4_dns.msff) = 582d3ca7ae0b1c5bd8f85f934e1d6dba
#SHA (rev_rc4_dns.msff) = a0f6ed463dc3a0359c6497687d77701eab395bf3
#windows/meterpreter/reverse_tcp_uuid
#MD5 (rev_uuid.msff) = 92f42265acf057eab58a7ae8b35ededa
#SHA (rev_uuid.msff) = fdbccfbd1fd4af350c2f12b15f3c814062c86189
#windows/meterpreter/reverse_hop_http
#MD5 (rev_hop.msff) = 4e14d3183a3714e231e7f66568740245
#SHA (rev_hop.msff) = 4ae9f1b5ad15b684d5e325bdc978de8efdd6fe3f
#windows/meterpreter/reverse_http_proxy_pstore
#MD5 (rev_hop.msff) = 52196da700efa0b93dbd4a19f34d2375
#SHA (rev_hop.msff) = 919b5684739a45adaf33714cfb2352e3a0d54901
#windows/shell_reverse_tcp
#MD5 (data2.msff) = 8e1a942139b139258adb2be8aca054dd
#SHA (data2.msff) = eac9209b102cca4c6119a12b287818c72e71ea4e
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment