nazywam / AutoIt-Ripper

Licence: MIT License
Extract AutoIt scripts embedded in PE binaries

AutoIt-Ripper

What is this

This is a short Python script that extracts "compiled" AutoIt scripts from PE executables.

References

This script is heavily based on three resources; check them out if you want to dig deeper into AutoIt internals:

Supported AutoIt versions

Ready:

  • EA05 AutoIt3.00
  • EA06 AutoIt3.26

Unknown:

  • JB01 AutoHotKey
  • JB01 AutoIT2

Installation

python3 -m pip install autoit-ripper

or, if you'd like to install the version from sources:

git clone https://github.com/nazywam/AutoIt-Ripper.git
cd AutoIt-Ripper
pip install .

Running

From a python script:

from autoit_ripper import extract, AutoItVersion

with open("sample.exe", "rb") as f:
    file_content = f.read()

# EA05 for v3.00+, EA06 for v3.26+
# Omitting `version` or passing None will try both versions
content_list = extract(data=file_content, version=AutoItVersion.EA06)

From the commandline:

autoit-ripper sample.exe out_directory

Help message:

autoit-ripper --help
usage: autoit-ripper [-h] [--verbose] [--ea {EA05,EA06,guess}] file output_dir

positional arguments:
  file                  input binary
  output_dir            output directory

optional arguments:
  -h, --help            show this help message and exit
  --verbose, -v
  --ea {EA05,EA06,guess}
                        extract a specific version of AutoIt script (default: guess)

Format documentation

(In progress)

AU3 header

| Field            | Length                 | Encryption (EA05)     | Encryption (EA06)       | Notes                                                        |
|------------------|------------------------|-----------------------|-------------------------|--------------------------------------------------------------|
| "FILE"           | 4                      | MT(0x16FA)            | LAME(0x18EE)            | static string                                                |
| flag             | 4                      | xor(0x29BC)           | xor(0xADBC)             | length of auto_str, in characters                            |
| auto_str         | flag (* 2 on EA06)     | MT(0xA25E + flag)     | LAME(0xB33F + flag)     | UTF-8 on EA05, UTF-16 on EA06 (hence the doubled length)     |
| path_len         | 4                      | xor(0x29AC)           | xor(0xF820)             | length of path, in characters                                |
| path             | path_len (* 2 on EA06) | MT(0xF25E + path_len) | LAME(0xF479 + path_len) | path of the compiled script                                  |
| compressed       | 1                      | None                  | None                    | is the script compressed                                     |
| data_size        | 4                      | xor(0x45AA)           | xor(0x87BC)             | compressed data size                                         |
| code_size        | 4                      | xor(0x45AA)           | xor(0x87BC)             | uncompressed data size                                       |
| crc              | 4                      | xor(0xC3D2)           | xor(0xA685)             | CRC checksum of the compressed data                          |
| creation date    | 4                      | None                  | None                    | file creation date (high dword)                              |
| creation date    | 4                      | None                  | None                    | file creation date (low dword)                               |
| last update date | 4                      | None                  | None                    | last edit date (high dword)                                  |
| last update date | 4                      | None                  | None                    | last edit date (low dword)                                   |
| data             | data_size              | MT(checksum + 0x22af) | LAME(0x2477)            | script data; the EA05 key is dynamic, the EA06 key is static |

Differences between v3.00 and v3.26+

|                     | v3.00                | v3.26+                                  |
|---------------------|----------------------|-----------------------------------------|
| Code storage        | grepped by magic     | "SCRIPT" resource (or grepped by magic?) |
| String encoding     | UTF-8                | UTF-16                                  |
| Encryption          | xor / custom MT19937 | xor / LAME crypt                        |
| Code encryption key | dynamic              | static                                  |
| Compression         | yes                  | yes                                     |
| Code "compilation"  | no                   | yes                                     |
| Magic               | EA05                 | EA06                                    |
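To make the AU3 header layout and the EA05/EA06 differences above concrete, here is an added Python example that is not part of AutoIt-Ripper's own code. It walks the header in table order, applies the per-version xor keys to the integer fields, doubles string lengths for EA06's UTF-16, and derives the dynamic (EA05) versus static (EA06) data key. Assumptions not stated on the page: the 4-byte integers are little-endian; the two date pairs are Windows FILETIME high/low dwords; and the MT19937 and LAME ciphers, which the table only names, are not implemented, so the cipher-protected fields go through a caller-supplied symmetric `(blob, key) -> blob` callable, with a single-byte xor stand-in included purely to exercise the layout on a constructed header. `Au3Header`, `parse_au3_header`, `build_au3_header`, `data_key` and `xor_stand_in` are this example's own names.

```python
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Callable, Tuple

Cipher = Callable[[bytes, int], bytes]  # symmetric (blob, key) -> blob

class AutoItVersion(Enum):
    EA05 = "EA05"
    EA06 = "EA06"

# Constants copied from the AU3 header table; every other name here is the example's own.
XOR_KEYS = {  # keys for the xor-protected 4-byte integer fields
    AutoItVersion.EA05: dict(flag=0x29BC, path_len=0x29AC, data_size=0x45AA, code_size=0x45AA, crc=0xC3D2),
    AutoItVersion.EA06: dict(flag=0xADBC, path_len=0xF820, data_size=0x87BC, code_size=0x87BC, crc=0xA685),
}
CIPHER_KEYS = {  # keys / key bases for the MT19937 (EA05) or LAME (EA06) protected fields
    AutoItVersion.EA05: dict(file=0x16FA, auto_str=0xA25E, path=0xF25E, data=0x22AF),
    AutoItVersion.EA06: dict(file=0x18EE, auto_str=0xB33F, path=0xF479, data=0x2477),
}
# EA05 strings are UTF-8 (1 byte per length unit), EA06 strings are UTF-16 (2 bytes per unit).
ENCODING = {AutoItVersion.EA05: ("utf-8", 1), AutoItVersion.EA06: ("utf-16-le", 2)}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def xor_stand_in(blob: bytes, key: int) -> bytes:
    """Stand-in for the MT19937/LAME ciphers, which the table does not specify:
    single-byte xor with the low byte of the key. Exercises the layout only."""
    return bytes(b ^ (key & 0xFF) for b in blob)

def filetime_to_datetime(high: int, low: int) -> datetime:
    """Join the high/low dwords of a Windows FILETIME (100 ns ticks since 1601-01-01); assumption."""
    return FILETIME_EPOCH + timedelta(microseconds=((high << 32) | low) // 10)

def datetime_to_filetime(dt: datetime) -> Tuple[int, int]:
    td = dt - FILETIME_EPOCH
    ticks = (td.days * 86_400_000_000 + td.seconds * 1_000_000 + td.microseconds) * 10
    return ticks >> 32, ticks & 0xFFFFFFFF

def data_key(version: AutoItVersion, checksum: int = 0) -> int:
    """EA05's script-data key is dynamic (checksum + 0x22AF); EA06's is the static 0x2477."""
    base = CIPHER_KEYS[version]["data"]
    return base + checksum if version is AutoItVersion.EA05 else base

@dataclass
class Au3Header:
    auto_str: str
    path: str
    compressed: bool
    data_size: int
    code_size: int
    crc: int
    created: datetime
    updated: datetime
    data: bytes

def parse_au3_header(blob: bytes, version: AutoItVersion, decrypt: Cipher, checksum: int = 0) -> Au3Header:
    """Walk the header in table order. Little-endian integers are an assumption."""
    xk, ck, (enc, width) = XOR_KEYS[version], CIPHER_KEYS[version], ENCODING[version]
    pos = 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(blob):
            raise ValueError(f"truncated header: need {n} bytes at offset {pos}")
        pos += n
        return blob[pos - n:pos]

    def u32(key: int = 0) -> int:
        return struct.unpack("<I", take(4))[0] ^ key

    tag = decrypt(take(4), ck["file"])
    if tag != b"FILE":  # the wrong key set (EA05 vs EA06) is caught here, before any length is trusted
        raise ValueError(f"bad FILE tag {tag!r}: not a {version.value} header")
    flag = u32(xk["flag"])
    auto_str = decrypt(take(flag * width), ck["auto_str"] + flag).decode(enc)
    path_len = u32(xk["path_len"])
    path = decrypt(take(path_len * width), ck["path"] + path_len).decode(enc)
    compressed = take(1) != b"\x00"
    data_size, code_size, crc = u32(xk["data_size"]), u32(xk["code_size"]), u32(xk["crc"])
    created = filetime_to_datetime(u32(), u32())
    updated = filetime_to_datetime(u32(), u32())
    data = decrypt(take(data_size), data_key(version, checksum))
    return Au3Header(auto_str, path, compressed, data_size, code_size, crc, created, updated, data)

def build_au3_header(h: Au3Header, version: AutoItVersion, encrypt: Cipher, checksum: int = 0) -> bytes:
    """Inverse of parse_au3_header; builds constructed test input, since no real sample is embedded."""
    xk, ck, (enc, width) = XOR_KEYS[version], CIPHER_KEYS[version], ENCODING[version]

    def u32(value: int, key: int = 0) -> bytes:
        return struct.pack("<I", (value ^ key) & 0xFFFFFFFF)

    s_auto, s_path = h.auto_str.encode(enc), h.path.encode(enc)
    flag, path_len = len(s_auto) // width, len(s_path) // width
    return b"".join([
        encrypt(b"FILE", ck["file"]),
        u32(flag, xk["flag"]), encrypt(s_auto, ck["auto_str"] + flag),
        u32(path_len, xk["path_len"]), encrypt(s_path, ck["path"] + path_len),
        bytes([int(h.compressed)]),
        u32(len(h.data), xk["data_size"]), u32(h.code_size, xk["code_size"]), u32(h.crc, xk["crc"]),
        *(u32(v) for v in datetime_to_filetime(h.created)),
        *(u32(v) for v in datetime_to_filetime(h.updated)),
        encrypt(h.data, data_key(version, checksum)),
    ])
```

A real unpacker plugs MT19937 and LAME implementations in for the `decrypt` callable and verifies `crc` against the compressed data before inflating it; the "FILE" tag check is also the cheapest way to tell which key set a sample uses, which is what the `--ea guess` mode has to decide.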