more stuff

Author: Te-k

README.md

@@ -9,6 +9,7 @@ Feel free to open [issues](https://github.com/Te-k/analyst-scripts/issues) if yo
 * `clamav_to_yara.py` : Convert ClamAV signature to Yara (from the [Malware Analyst's Cookbook](https://www.wiley.com/en-us/Malware+Analyst%27s+Cookbook+and+DVD%3A+Tools+and+Techniques+for+Fighting+Malicious+Code-p-9780470613030))
 * `cloudcidrs.py` : check if an IP is part of a Cloud provider range (for now, only Google Cloud and Amazon AWS, inspired from [cloudcidrs](https://cloudyr.github.io/cloudcidrs/))
 * `disassemble.py` : disassemble a binary file using [Capstone](http://www.capstone-engine.org/) (mostly for shellcode)
+* `csv_extract.py` : extract a column from a csv file
 * `hostnametoips.py` : resolve a list of hostnames in a text files and return list of uniq IPs
 * `infect.sh` : classic script to create an encrypted zip of a file with password infected (password used to share malware)
 * `mqtt-get.py` : basic script to do get requests to an [MQTT](https://fr.wikipedia.org/wiki/MQTT) service
@@ -41,6 +42,7 @@ Feel free to open [issues](https://github.com/Te-k/analyst-scripts/issues) if yo
     * `api.py` : API and CLI tool to query Google URL shortener goo.gl (soon deprecated by Google)
 * [harpoon-extra](harpoon-extra/) : some scripts expanding [Harpoon](https://github.com/Te-k/harpoon) features
 * [web](web/) : Web stuff (mostly outdated)
+* [macos](macos/) : Mac OSX related scripts
 * [misp](misp/) : some scripts helping using [MISP servers](https://www.misp-project.org/)
 * [network](network/) : network related scripts
 * [ooni](ooni/) : [OONI](https://ooni.torproject.org/) API scripts
@@ -53,3 +55,4 @@ Feel free to open [issues](https://github.com/Te-k/analyst-scripts/issues) if yo
 * [twilio](twilio/) : scripts related to [Twilio](https://www.twilio.com/)
 * [twitter](twitter/) : Twitter stuff
 * [visualization](visualization/) : nice graphs everywhere
+* [vt](vt/) : scripts related to Virus Total

csv_extract.py

@@ -0,0 +1,19 @@
+import csv
+import argparse
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(description='Process some integers.')
+    parser.add_argument('COLUMN', type=int, default=0,
+            help='Column of the file')
+    parser.add_argument('FILE', help='CSV file')
+    parser.add_argument('--delimiter', '-d', default=',', help='Delimiter')
+    parser.add_argument('--quotechar', '-q', default='"', help='Quote char')
+    args = parser.parse_args()
+
+    with open(args.FILE) as csvfile:
+        reader = csv.reader(csvfile, delimiter=args.delimiter, quotechar=args.quotechar)
+
+        for row in reader:
+            print(row[args.COLUMN])
+
+

forensic/README.md

@@ -5,4 +5,6 @@ Two scripts here to help creating timeline on Linux live systems :
 * `mactime.py` : convert this list of files into a csv timeline
 
 Misc :
+* `extract_chrome_history.py`: extract history from a Chrome History SQlite file
 * `ios_unpack.py` : unpack iOS backup folder from iTunes or [libimobiledevice](https://www.libimobiledevice.org/)
+

forensic/extract_chrome_history.py

@@ -0,0 +1,47 @@
+import argparse
+import sqlite3
+import csv
+from datetime import datetime
+
+"""
+Schema
+CREATE TABLE urls(id INTEGER PRIMARY KEY AUTOINCREMENT,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL);
+CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL,incremented_omnibox_typed_score BOOLEAN DEFAULT FALSE NOT NULL);
+"""
+
+def convert_timestamp(tmstp):
+    return datetime.fromtimestamp(int(tmstp)/ 1000000 - 11644473600)
+
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(description='Process some integers.')
+    parser.add_argument('FILE', help='History file')
+    parser.add_argument('--filter', '-f', help='Filter on the url')
+    args = parser.parse_args()
+
+
+    query = "SELECT urls.id, urls.url, urls.title, urls.visit_count, urls.typed_count, urls.last_visit_time, urls.hidden, visits.visit_time, visits.from_visit, visits.visit_duration, visits.transition, visit_source.source FROM urls JOIN visits ON urls.id = visits.url LEFT JOIN visit_source ON visits.id = visit_source.id"
+    if args.filter:
+        query += ' WHERE urls.url like "%{}%"'.format(args.filter)
+    query += " ORDER BY visits.visit_time;"
+
+    conn = sqlite3.connect(args.FILE)
+    c = conn.cursor()
+
+
+    print("url_id,url,title,#visits,typed_count,last_visit_time,hidden,visit_time,from_visit,visit_duration,transition,source")
+    for row in c.execute(query):
+        print("{},{},\"{}\",{},{},{},{},{},{},{},{},{}".format(
+            row[0],
+            row[1],
+            row[2],
+            row[3],
+            row[4],
+            convert_timestamp(row[5]).strftime("%Y-%m-%d %H:%M:%S:%f"),
+            row[6],
+            convert_timestamp(row[7]).strftime("%Y-%m-%d %H:%M:%S:%f"),
+            row[8],
+            row[9],
+            row[10],
+            row[11]
+        ))

ghidra_scripts/yara-crypto.yar

@@ -243,7 +243,7 @@ rule BLOWFISH_Constants {
 		version = "0.1"
 	strings:
 		$c0 = { D1310BA6 }
-		$c1 = { A60B31D1 }	
+		$c1 = { A60B31D1 }
 		$c2 = { 98DFB5AC }
 		$c3 = { ACB5DF98 }
 		$c4 = { 2FFD72DB }
@@ -421,7 +421,7 @@ rule DarkEYEv3_Cryptor {
 		hash8 = "f3d5b71b7aeeb6cc917d5bb67e2165cf8a2fbe61"
 		score = 55
 	strings:
-		$s0 = "\\DarkEYEV3-" 
+		$s0 = "\\DarkEYEV3-"
 	condition:
 		uint16(0) == 0x5a4d and $s0
 }
@@ -833,7 +833,7 @@ rule OpenSSL_DSA
 	meta:
 		author="_pusher_"
 		date="2016-08"
-	strings:	
+	strings:
 		$a0 = "bignum_data" wide ascii nocase
 		$a1 = "DSA_METHOD" wide ascii nocase
 		$a2 = "PDSA" wide ascii nocase
@@ -1048,16 +1048,28 @@ rule RijnDael_AES_CHAR_inv
 	condition:
 		$c0
 }
+rule RijnDael_AES_CHAR_inv2 {
+    meta:
+        author = "Etienne Maynier"
+        description = "Rijndael AES S-inv"
+        ref = "https://en.wikipedia.org/wiki/Rijndael_S-box"
 
-rule RijnDael_AES_LONG
-{	meta:
-		author = "_pusher_"
-		description = "RijnDael AES"
-		date = "2016-06"
-	strings:
-		$c0 = { 63 7C 77 7B F2 6B 6F C5 30 01 67 2B FE D7 AB 76 CA 82 C9 7D FA 59 47 F0 AD D4 A2 AF 9C A4 72 C0 }
-	condition:
-		$c0
+    strings:
+        $c0 = { 52 09 6a d5 30 36 a5 38 bf 40 a3 9e 81 f3 d7 fb 7c e3 39 82 9b 2f ff 87 34 8e 43 44 c4 de e9 cb }
+    condition:
+        $c0
+}
+
+rule RijnDael_AES_Key_Schedule {
+    meta:
+        author = "Etienne Maynier"
+        ref = "https://en.wikipedia.org/wiki/AES_key_schedule"
+
+    strings:
+         $c0 = { 01	02	04	08	10	20	40	80	1B	36 }
+
+    condition:
+        $c0
 }
 
 rule RsaRef2_NN_modExp
@@ -1189,15 +1201,15 @@ rule x509_public_key_infrastructure_cert
 		ext = "crt"
 	strings:
 		$c0 = { 30 82 ?? ?? 30 82 ?? ?? }
-	condition: 
+	condition:
 		$c0
 }
 
 rule pkcs8_private_key_information_syntax_standard
 {	meta:
 		desc = "Found PKCS #8: Private-Key"
 		ext = "key"
-	strings: 
+	strings:
 		$c0 = { 30 82 ?? ?? 02 01 00 }
 	condition:
 		$c0

iocs/extract_hashes.py

@@ -0,0 +1,22 @@
+import os
+import re
+import argparse
+
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(description='Process some integers.')
+    parser.add_argument('FILE', help="File to search for hashes")
+    args = parser.parse_args()
+
+    with open(args.FILE) as f:
+        data = f.read().split("\n")
+
+    hashes = set()
+
+    for d in data:
+        r = re.search("[0-9a-fA-F]{64}", d)
+        if r:
+            hashes.add(r.group())
+
+    for h in hashes:
+        print(h)

macos/README.md

@@ -0,0 +1,5 @@
+# Mac OS stuff
+
+* `macho_print_lief.py` : print raw data from LIEF
+* `macho_print.py` : print information on a Mach-O file
+* `macho_rename_section.py` : rename a Macho section

macos/check_kext_kk.py

@@ -0,0 +1,21 @@
+import json
+import argparse
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(description='Analyse kext and KnockKnock files')
+    parser.add_argument('JSONFILE', help='JSON File saved by kext or knock knock')
+    args = parser.parse_args()
+
+    with open(args.JSONFILE) as f:
+        data = json.loads(f.read())
+
+    for k in data.keys():
+        print("Checking {}".format(k))
+        for l in data[k]:
+            if "VT detection" in l:
+                if not l["VT detection"].startswith("0/"):
+                    print("Suspicious detection in VT:")
+                    print(json.dumps(l, indent=4))
+            else:
+                print("Suspicious detection in VT:")
+                print(json.dumps(l, indent=4))

macos/extract_kext_kk.py

@@ -0,0 +1,20 @@
+import json
+import argparse
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(description='Extract SHA1 kext and KnockKnock files')
+    parser.add_argument('JSONFILE', help='JSON File saved by kext or knock knock')
+    args = parser.parse_args()
+
+    with open(args.JSONFILE) as f:
+        data = json.loads(f.read())
+
+    hashes = set()
+    for k in data.keys():
+        for l in data[k]:
+            if "hashes" in l.keys():
+                if 'sha1' in l['hashes']:
+                    hashes.add(l['hashes']['sha1'])
+
+    for l in hashes:
+        print(l)

macos/macho_print.py

@@ -0,0 +1,87 @@
+import lief
+import argparse
+import hashlib
+
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(description='Print Mach-O information')
+    parser.add_argument('MACHO', help='Mach-o file')
+    args = parser.parse_args()
+
+
+    binary = lief.parse(args.MACHO)
+
+    with open(args.MACHO, 'rb') as f:
+        data = f.read()
+
+    # General information -> CPU Type
+    # Hash, CPU Type, Size
+    print("General Information")
+    print("=" * 80)
+    for algo in ["md5", "sha1", "sha256"]:
+        m = getattr(hashlib, algo)()
+        m.update(data)
+        print("{:15} {}".format(algo.upper()+":", m.hexdigest()))
+    print("{:15} {} bytes".format("Size:", len(data)))
+    print("{:15} {}".format("Type:", binary.header.cpu_type.name))
+    print("Entry point:\t0x%x" % binary.entrypoint)
+    print("")
+
+    # Commands
+    print("Commands")
+    print("=" * 80)
+    for c in binary.commands:
+        if c.command.name == "SEGMENT_64":
+            print("{:20} {:10} {:5} {:14} {}".format(
+                c.command.name,
+                c.name if hasattr(c, 'name') else '',
+                c.size,
+                hex(c.virtual_address) if hasattr(c, 'virtual_address') else "",
+                hex(c.file_offset) if hasattr(c, 'file_offset') else "",
+                ))
+        elif c.command.name in ["LOAD_DYLIB", "LOAD_WEAK_DYLIB"]:
+            print("{:20} {} (version {})".format(
+                c.command.name,
+                c.name,
+                ".".join([str(a) for a in c.current_version])
+            ))
+        elif c.command.name == "UUID":
+            print("{:20} {}".format(
+                c.command.name,
+                ''.join('{:02x}'.format(x) for x in c.uuid)
+            ))
+        else:
+            print("{:20} {:20}".format(
+                c.command.name,
+                c.name if hasattr(c, 'name') else ''
+            ))
+    print("")
+
+    # Sections
+    print("Sections")
+    print("=" * 80)
+    print("%-16s %-9s %-12s %-9s %-9s %-25s %s" % ( "Name", "Segname", "VirtAddr", "RawAddr", "Size", "type", "Md5"))
+    for s in binary.sections:
+        m = hashlib.md5()
+        m.update(bytearray(s.content))
+        print("%-16s %-9s %-12s %-9s %-9s %-25s %s" % (
+            s.name,
+            s.segment.name,
+            hex(s.virtual_address),
+            hex(s.offset),
+            s.size,
+            str(s.type).replace("SECTION_TYPES.", ""),
+            m.hexdigest()
+            ))
+    print("")
+
+    # Imports (binding infos)
+    print("Imports")
+    print("=" * 80)
+    for f in binary.imported_symbols:
+        try:
+            print("{:35s} {}".format(f.name, f.binding_info.library.name))
+        except lief.not_found:
+            print(f.name)
+
+

macos/macho_print_lief.py

@@ -0,0 +1,13 @@
+import lief
+import argparse
+import hashlib
+
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(description='Print Mach-O information')
+    parser.add_argument('MACHO', help='Mach-o file')
+    args = parser.parse_args()
+
+
+    binary = lief.parse(args.MACHO)
+    print(binary)

macos/macho_rename_section.py

@@ -0,0 +1,26 @@
+import lief
+import argparse
+import os
+
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(description='Rename the __cfstring section in __text')
+    parser.add_argument('MACHO', help='Mach-O binary')
+    parser.add_argument('NAME', help='Name of the section')
+    parser.add_argument('NEWNAME', help='Name of the section')
+    args = parser.parse_args()
+
+    binary = lief.parse(args.MACHO)
+    found = False
+    for s in binary.sections:
+        if s.name == args.NAME:
+            s.name = args.NEWNAME
+            print("Section found")
+            found = True
+            break
+
+    if not found:
+        print("This section was not found in this binary")
+    else:
+        binary.write(args.MACHO + "_renamed")
+

vt/README.md

@@ -0,0 +1,3 @@
+# Virus Total
+
+* `check_hashes.py` : check for a list of hashes on VT