AutoIt-Ripper

What is this

This is a short Python script that extracts "compiled" AutoIt scripts from PE executables.

References

This script is heavily based on three resources; definitely check them out if you want to dig a bit deeper into AutoIt internals:

Supported AutoIt versions

Ready:

  • EA05 AutoIt3.00
  • EA06 AutoIt3.26

Unknown:

  • JB01 AutoHotKey
  • JB01 AutoIT2

Installation

python3 -m pip install autoit-ripper

or, if you'd like to install the version from source:

git clone https://github.com/nazywam/AutoIt-Ripper.git
cd AutoIt-Ripper
pip install .

Running

From a Python script:

from autoit_ripper import extract, AutoItVersion

with open("sample.exe", "rb") as f:
    file_content = f.read()

# EA05 for v3.00+, EA06 for v3.26+
# Omitting `version` or passing None will try both versions
content_list = extract(data=file_content, version=AutoItVersion.EA06)

From the command line:

autoit-ripper sample.exe out_directory

Help message:

autoit-ripper --help
usage: autoit-ripper [-h] [--verbose] [--ea {EA05,EA06,guess}] file output_dir

positional arguments:
  file                  input binary
  output_dir            output directory

optional arguments:
  -h, --help            show this help message and exit
  --verbose, -v
  --ea {EA05,EA06,guess}
                        extract a specific version of AutoIt script (default: guess)

Format documentation

(In progress)

AU3 header

| Field | Length | Encryption (EA05) | Encryption (EA06) | Notes |
|---|---|---|---|---|
| "FILE" | 4 | MT(0x16FA) | LAME(0x18EE) | static string |
| flag | 4 | xor(0x29BC) | xor(0xADBC) | |
| auto_str | flag (* 2) | MT(0xA25E + flag) | LAME(0xB33F + flag) | UTF-8/UTF-16 |
| path_len | 4 | xor(0x29AC) | xor(0xF820) | |
| path | path_len (* 2) | MT(0xF25E + path_len) | LAME(0xF479 + path_len) | path of the compiled script |
| compressed | 1 | None | None | is the script compressed |
| data_size | 4 | xor(0x45AA) | xor(0x87BC) | compressed data size |
| code_size | 4 | xor(0x45AA) | xor(0x87BC) | uncompressed data size |
| crc | 4 | xor(0xC3D2) | xor(0xA685) | compressed data CRC checksum |
| creation date (high) | 4 | None | None | file creation date, high dword |
| creation date (low) | 4 | None | None | file creation date, low dword |
| last update date (high) | 4 | None | None | last edit date, high dword |
| last update date (low) | 4 | None | None | last edit date, low dword |
| data | data_size | MT(checksum + 0x22af) | LAME(0x2477) | script data |
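The table is enough to walk the fixed layout of one header: the integer fields are 32-bit values xor'd with the listed constants, and the string and data fields are MT- or LAME-encrypted blobs whose keys are the listed base plus the decoded length. The Python below is an added example, not code from AutoIt-Ripper: it parses that layout for either version, hands back the encrypted blobs untouched together with the key the table prescribes for each (the MT and LAME ciphers themselves are not implemented here), and refuses an uncompressed size above a cap before anything is allocated, which is the condition the ripper reports as "Uncompressed script size is larger than allowed" in one of the issues further down this page. Assumptions not stated by the table: the integers are little-endian, "(* 2)" means two bytes per character for EA06's UTF-16 strings and one for EA05's UTF-8, the high dword of each date precedes the low one as the rows are ordered, and the MAX_CODE_SIZE value. build_au3_header only constructs test input; in a real sample the blobs it takes verbatim would be encrypted.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# xor keys for the 32-bit integer fields, copied from the header table
XOR_KEYS = {
    "EA05": {"flag": 0x29BC, "path_len": 0x29AC, "data_size": 0x45AA, "code_size": 0x45AA, "crc": 0xC3D2},
    "EA06": {"flag": 0xADBC, "path_len": 0xF820, "data_size": 0x87BC, "code_size": 0x87BC, "crc": 0xA685},
}
# base keys of the string/data ciphers (MT for EA05, LAME for EA06), also from the table;
# the auto_str/path keys are completed by adding the decoded length
CIPHER_KEYS = {
    # EA05 data key is checksum + 0x22af, and the checksum is not defined by the table
    "EA05": {"magic": 0x16FA, "auto_str": 0xA25E, "path": 0xF25E, "data": None},
    "EA06": {"magic": 0x18EE, "auto_str": 0xB33F, "path": 0xF479, "data": 0x2477},
}
CHAR_WIDTH = {"EA05": 1, "EA06": 2}  # assumption: bytes per character behind the "(* 2)" lengths
MAX_CODE_SIZE = 64 * 1024 * 1024     # assumed sanity cap on the uncompressed size


@dataclass
class Au3Header:
    version: str
    magic: bytes            # still MT/LAME-encrypted
    flag: int
    auto_str: bytes         # still encrypted
    path: bytes             # still encrypted
    compressed: bool
    data_size: int
    code_size: int
    crc: int
    creation_date: int      # (high dword << 32) | low dword, as stored
    last_update_date: int
    data: bytes             # still encrypted, and compressed if `compressed`
    keys: Dict[str, Optional[int]]  # cipher key to use for each opaque blob


class Reader:
    """Bounds-checked cursor over the header bytes."""

    def __init__(self, buf: bytes) -> None:
        self.buf, self.pos = buf, 0

    def take(self, n: int) -> bytes:
        if n < 0 or self.pos + n > len(self.buf):
            raise ValueError(f"truncated header: need {n} bytes at offset {self.pos}")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u32(self) -> int:
        return struct.unpack("<I", self.take(4))[0]


def parse_au3_header(buf: bytes, version: str, max_code_size: int = MAX_CODE_SIZE) -> Tuple[Au3Header, int]:
    """Walk one AU3 header, undoing the xor layer on the integer fields.
    Returns the parsed header and the number of bytes consumed."""
    k, c, w = XOR_KEYS[version], CIPHER_KEYS[version], CHAR_WIDTH[version]
    r = Reader(buf)
    magic = r.take(4)
    flag = r.u32() ^ k["flag"]
    auto_str = r.take(flag * w)
    path_len = r.u32() ^ k["path_len"]
    path = r.take(path_len * w)
    compressed = r.take(1) != b"\x00"
    data_size = r.u32() ^ k["data_size"]
    code_size = r.u32() ^ k["code_size"]
    crc = r.u32() ^ k["crc"]
    creation = (r.u32() << 32) | r.u32()
    last_update = (r.u32() << 32) | r.u32()
    # refuse absurd sizes before allocating or decompressing anything
    if code_size > max_code_size:
        raise ValueError(f"uncompressed script size {code_size} exceeds cap {max_code_size}")
    data = r.take(data_size)
    keys = {"magic": c["magic"], "auto_str": c["auto_str"] + flag,
            "path": c["path"] + path_len, "data": c["data"]}
    header = Au3Header(version, magic, flag, auto_str, path, compressed, data_size,
                       code_size, crc, creation, last_update, data, keys)
    return header, r.pos


def build_au3_header(version: str, *, auto_str: bytes, path: bytes, data: bytes, compressed: bool,
                     code_size: int, crc: int, created: int = 0, updated: int = 0) -> bytes:
    """Constructed test sample: packs the layout with the xor layer applied. The
    MT/LAME-encrypted fields are taken as opaque bytes; no cipher is applied."""
    k, w = XOR_KEYS[version], CHAR_WIDTH[version]
    if len(auto_str) % w or len(path) % w:
        raise ValueError("string fields must be whole characters")
    out = bytearray(b"FILE")  # opaque stand-in for the encrypted magic
    out += struct.pack("<I", (len(auto_str) // w) ^ k["flag"]) + auto_str
    out += struct.pack("<I", (len(path) // w) ^ k["path_len"]) + path
    out += b"\x01" if compressed else b"\x00"
    out += struct.pack("<III", len(data) ^ k["data_size"], code_size ^ k["code_size"], crc ^ k["crc"])
    out += struct.pack("<IIII", created >> 32, created & 0xFFFFFFFF, updated >> 32, updated & 0xFFFFFFFF)
    out += data
    return bytes(out)
```

Because every length is read through the bounds-checked Reader and the xor is undone before a length is used, a corrupted or hostile header fails with a ValueError at the offending offset instead of an oversized allocation; the caller still has to run the returned blobs through the MT or LAME routine with the key recorded in `keys`.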

Differences between v3.00 and v3.26+

| | v3.00 | v3.26 |
|---|---|---|
| Code storage | grepped by magic | "SCRIPT" resource (/grepped by magic?) |
| String encoding | UTF-8 | UTF-16 |
| Encryption | xor/custom MT19937 | xor/LAME crypt |
| Code encryption key | dynamic | static |
| Compression | yes | yes |
| Code "compilation" | no | yes |
| Magic | EA05 | EA06 |

autoit-ripper's People

Contributors

fabaff, msm-code, nazywam


autoit-ripper's Issues

Check for decoding errors

"error": [
    "Traceback (most recent call last):\n",
    "  File \"/usr/local/lib/python3.9/site-packages/karton/core/karton.py\", line 181, in internal_process\n    self.process(self.current_task)\n",
    "  File \"/usr/local/lib/python3.9/site-packages/karton/autoit_ripper/autoit_ripper_karton.py\", line 85, in process\n    drop = extract_binary(res_data.decode())\n",
    "UnicodeDecodeError: 'utf-8' codec can't decode byte 0xc2 in position 166: invalid continuation byte\n"
],

a3x extraction?

It seems usage of a3x files isn't supported yet; would you mind adding it?

AutoIT EXE Files without SCRIPT resource.

Hi,

I recently encountered the following AutoIT3 file which this project is not able to extract a source AU3 file from:

6606d759667fbdfaa46241db7ffb4839d2c47b88a20120446f41e916cad77d0b

Tools that try to dynamically extract the tool using an interpreter succeed, but I'm not sure if the same principles can be applied to this project. Notably, the file above does not have the characteristic PE resources that you would expect to find in a compiled AutoIT binary. If I had to guess, I'd guess that the script is stored in the overlay in this file, but that's purely based on its size.

If it can't be resolved, it's no big deal; I just thought I'd highlight it.

Cheers,
Tom

Possible broken x64 samples

sha2:

873aebfc8144b270b1f525f79080485429dc9ea9164ca46c39937bc33031f7b7
145078c3c1f0b7fbc5f760a9afad611f383b7b1ca34a7741357ce47814df9b2a

  File "/usr/local/lib/python3.9/site-packages/autoit_ripper/autoit_unpack.py", line 206, in extract
    return unpack_ea06(data)
  File "/usr/local/lib/python3.9/site-packages/autoit_ripper/autoit_unpack.py", line 190, in unpack_ea06
    parsed_data = parse_all(stream, AutoItVersion.EA06)
  File "/usr/local/lib/python3.9/site-packages/autoit_ripper/autoit_unpack.py", line 142, in parse_all
    return list(
  File "/usr/local/lib/python3.9/site-packages/autoit_ripper/autoit_unpack.py", line 123, in parse_au3_header
    yield ("script.au3", deassemble_script(dec_data).encode())
  File "/usr/local/lib/python3.9/site-packages/autoit_ripper/opcodes.py", line 141, in deassemble_script
    line_items.append(OPCODES[opcode](stream))
  File "/usr/local/lib/python3.9/site-packages/autoit_ripper/opcodes.py", line 92, in <lambda>
    0x32: lambda x: "@" + MACROS_INVERT_CASE[x.get_xored_string()],
KeyError: 'AUTOITX6484'

Make autoit-ripper a module

It would be great to be able to use it like this:

$ pip install autoit-ripper
...
$ autoit-ripper file.exe

As well as

>>> from autoit_ripper import Ripper
>>> ripped_file = Ripper("file.exe", ...)

Consider adjusting requirements to be less strict

Hey,

I think the setup procedure could be less strict to allow working alongside other applications which work on either older versions of python or more modern versions of pefile.

  • setup.py specifies a required python version >=3.7 but it seems like it works on 3.6.8 fine without issue.
  • requirements.txt specifies a specific version of pefile, but in fact it works with the latest version of pefile.

Cheers,
Tom

Update for autoit_ripper - [not really an issue]

Well, I did some work on the sources.
However, I didn't manage to issue a pull request for that, so I just add the files here:
autoit_ripper_Dec2020.zip
If someone can push these into that repo, it would be nice.

Some of the changes:

  • added support for newer opcode 0x00 and 0x01 tokens
  • restore case for keywords
  • speed up decryption

Check for proper PEs

sha256: fc17d887bb75a0d8eded67ca8b11aa662c7ea4071aa962b645054d4c3f627f67 / ddbb11b3fdf418eec1c07e8e993f951feb55e2ec3fbe7575d210061a549ed323

"error": [
    "Traceback (most recent call last):\n",
    "  File \"/usr/local/lib/python3.9/site-packages/karton/core/karton.py\", line 181, in internal_process\n    self.process(self.current_task)\n",
    "  File \"/usr/local/lib/python3.9/site-packages/karton/autoit_ripper/autoit_ripper_karton.py\", line 50, in process\n    resources = extract(data=sample.content, version=AutoItVersion.EA06)\n",
    "  File \"/usr/local/lib/python3.9/site-packages/autoit_ripper/autoit_unpack.py\", line 206, in extract\n    return unpack_ea06(data)\n",
    "  File \"/usr/local/lib/python3.9/site-packages/autoit_ripper/autoit_unpack.py\", line 176, in unpack_ea06\n    if not pe.DIRECTORY_ENTRY_RESOURCE:\n",
    "AttributeError: 'PE' object has no attribute 'DIRECTORY_ENTRY_RESOURCE'\n"
],
"error": [
    "Traceback (most recent call last):\n",
    "  File \"/usr/local/lib/python3.9/site-packages/karton/core/karton.py\", line 181, in internal_process\n    self.process(self.current_task)\n",
    "  File \"/usr/local/lib/python3.9/site-packages/karton/autoit_ripper/autoit_ripper_karton.py\", line 50, in process\n    resources = extract(data=sample.content, version=AutoItVersion.EA06)\n",
    "  File \"/usr/local/lib/python3.9/site-packages/autoit_ripper/autoit_unpack.py\", line 206, in extract\n    return unpack_ea06(data)\n",
    "  File \"/usr/local/lib/python3.9/site-packages/autoit_ripper/autoit_unpack.py\", line 170, in unpack_ea06\n    pe = pefile.PE(data=binary_data, fast_load=True)\n",
    "  File \"/usr/local/lib/python3.9/site-packages/pefile.py\", line 2895, in __init__\n    self.__parse__(name, data, fast_load)\n",
    "  File \"/usr/local/lib/python3.9/site-packages/pefile.py\", line 3031, in __parse__\n    raise PEFormatError(\"DOS Header magic not found.\")\n",
    "pefile.PEFormatError: 'DOS Header magic not found.'\n"
],
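Both tracebacks fail before any AutoIt-specific work starts: pefile raises PEFormatError when the DOS magic is missing, and DIRECTORY_ENTRY_RESOURCE is an attribute pefile only sets once it has parsed a resource directory, so it is absent both when the binary has none and when the directories were never parsed. The Python below is an added example, not code from AutoIt-Ripper or the karton wrapper: a standard-library pre-check that a triage pipeline can run before calling extract(), which reads the DOS, COFF and optional headers directly and reports whether the input is a PE at all and whether it carries a non-empty resource directory. build_minimal_pe constructs a header-only (non-loadable) PE purely to exercise the check; the data directory offsets (92/96 for PE32, 108/112 for PE32+) are the standard optional-header layout.

```python
import struct
from dataclasses import dataclass

IMAGE_DIRECTORY_ENTRY_RESOURCE = 2  # index of the resource table among the data directories


@dataclass
class PeCheck:
    is_pe: bool          # DOS magic and PE signature found
    has_resources: bool  # resource data directory present and non-empty
    reason: str


def check_pe(data: bytes) -> PeCheck:
    """Pure-Python sanity check to run before handing a sample to extract()."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return PeCheck(False, False, "DOS header magic not found")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # need the 4-byte signature plus the 20-byte COFF header to be in range
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return PeCheck(False, False, "PE signature not found")
    coff = e_lfanew + 4
    (size_of_optional_header,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    if size_of_optional_header < 2 or opt + size_of_optional_header > len(data):
        return PeCheck(True, False, "optional header truncated")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:      # PE32
        nrva_off, dirs_off = 92, 96
    elif magic == 0x20B:    # PE32+
        nrva_off, dirs_off = 108, 112
    else:
        return PeCheck(True, False, "unknown optional header magic 0x%x" % magic)
    if nrva_off + 4 > size_of_optional_header:
        return PeCheck(True, False, "optional header has no data directories")
    (num_dirs,) = struct.unpack_from("<I", data, opt + nrva_off)
    entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_RESOURCE
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_RESOURCE or entry + 8 > opt + size_of_optional_header:
        return PeCheck(True, False, "no resource directory entry")
    rva, size = struct.unpack_from("<II", data, entry)
    if rva == 0 or size == 0:
        return PeCheck(True, False, "resource directory is empty")
    return PeCheck(True, True, "ok")


def build_minimal_pe(resource_rva: int, resource_size: int, pe32plus: bool = False) -> bytes:
    """Constructed header-only PE (not loadable) used to exercise check_pe()."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    magic, nrva_off = (0x20B, 108) if pe32plus else (0x10B, 92)
    num_dirs = 16
    opt = bytearray(nrva_off + 4 + 8 * num_dirs)   # 224 bytes for PE32, 240 for PE32+
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, nrva_off, num_dirs)
    struct.pack_into("<II", opt, nrva_off + 4 + 8 * IMAGE_DIRECTORY_ENTRY_RESOURCE,
                     resource_rva, resource_size)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), 0x102)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for label, blob in (("with resources", build_minimal_pe(0x3000, 0x200)),
                        ("without resources", build_minimal_pe(0, 0)),
                        ("not a PE", b"#!/bin/sh\necho hi\n")):
        print(label, "->", check_pe(blob))
```

A pipeline that gates extract() on `check_pe(data).has_resources` turns both crashes into an ordinary "skip" decision with a recorded reason; samples that are valid PEs without resources (as in the "AutoIT EXE Files without SCRIPT resource" issue above) are then routed elsewhere rather than raising inside the worker.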

error: The 'lief' distribution was not found

I got a problem when installing:

C:\AutoIt-Ripper>setup.py develop
running develop
running egg_info
creating autoit_ripper.egg-info
writing autoit_ripper.egg-info\PKG-INFO
writing dependency_links to autoit_ripper.egg-info\dependency_links.txt
writing requirements to autoit_ripper.egg-info\requires.txt
writing top-level names to autoit_ripper.egg-info\top_level.txt
writing manifest file 'autoit_ripper.egg-info\SOURCES.txt'
reading manifest file 'autoit_ripper.egg-info\SOURCES.txt'
writing manifest file 'autoit_ripper.egg-info\SOURCES.txt'
running build_ext
Creating c:\python39\lib\site-packages\autoit-ripper.egg-link (link to .)
Removing autoit-ripper 1.0.0 from easy-install.pth file
Adding autoit-ripper 1.0.0 to easy-install.pth file

Installed c:\autoit-ripper
Processing dependencies for autoit-ripper==1.0.0
Searching for lief==0.10.1
Reading https://pypi.org/simple/lief/
Downloading https://files.pythonhosted.org/packages/ee/b1/57241e2f5f7aac93d8d8d3ad46bf3f104a4f4ef171ca2eef38803f3868aa/lief-0.10.1.tar.gz#sha256=a487fe7234c04bccd58223dbb79214421176e2629814c7a4a887764cceb5be7c
Best match: lief 0.10.1
Processing lief-0.10.1.tar.gz
Writing C:\Users\user\AppData\Local\Temp\easy_install-uakpf7ye\lief-0.10.1\setup.cfg
Running lief-0.10.1\setup.py -q bdist_egg --dist-dir C:\Users\user\AppData\Local\Temp\easy_install-uakpf7ye\lief-0.10.1\egg-dist-tmp-zvea0ss1
error: The 'lief' distribution was not found and is required by the application

Hmm, a little pity that Running lief-0.10.1\setup.py -q bdist_egg uses -q, which hides possible errors.
I also downloaded and unpacked this files.pythonhosted.org/packages/.../lief-0.10.1.tar and ran
setup.py build there. Well, first it complained that cmake was missing, so I did pip install cmake.
With cmake there, now there was this issue:

CMake Error at CMakeLists.txt:541 (add_subdirectory):
  add_subdirectory given source
  "C:/AutoIt-Ripper/2/dist/lief-0.10.1/package" which is not
  an existing directory.

So I edited CMakeLists.txt and removed line 541 (the last line):

# Package
add_subdirectory("${CMAKE_CURRENT_SOURCE_DIR}/package")

Now it is compiling; however, errors like this arose:

-- Selecting Windows SDK version  to target Windows 10.0.18363.
<snip>
Microsoft (R) Build Engine version 14.0.25420.1
<snip>
  ...lief-0.10.1\build\temp.win-amd64-3.9\Release\lief_frozen-prefix\src\lief_froze
  n\include\frozen/bits/basic_types.h(123): note: see declaration of 'frozen::bits::carray<std::pair<Key,Value>,5>::beg
  in'
          with
          [
              Key=LIEF::Function::FLAGS,
              Value=const char *
          ]
...lief-0.10.1\src\Abstract\EnumToString.cpp(105): 
error C2127: 'enumStrings': illegal initialization of 'constexpr' entity with a non-constant expression [...lief-0.
10.1\build\temp.win-amd64-3.9\Release\LIB_LIEF.vcxproj]

Oh dear, I'm not gonna fix this. Maybe I'll have more luck using another compiler like MinGW or something. However, I gave up on this path.

Check for incorrect macros

sha256: a88f3328e72764b960d6705b8d1a1d8de8558b7b63ae90d64585afde37160208

"error": [
    "Traceback (most recent call last):\n",
    "  File \"/usr/local/lib/python3.9/site-packages/karton/core/karton.py\", line 181, in internal_process\n    self.process(self.current_task)\n",
    "  File \"/usr/local/lib/python3.9/site-packages/karton/autoit_ripper/autoit_ripper_karton.py\", line 50, in process\n    resources = extract(data=sample.content, version=AutoItVersion.EA06)\n",
    "  File \"/usr/local/lib/python3.9/site-packages/autoit_ripper/autoit_unpack.py\", line 206, in extract\n    return unpack_ea06(data)\n",
    "  File \"/usr/local/lib/python3.9/site-packages/autoit_ripper/autoit_unpack.py\", line 190, in unpack_ea06\n    parsed_data = parse_all(stream, AutoItVersion.EA06)\n",
    "  File \"/usr/local/lib/python3.9/site-packages/autoit_ripper/autoit_unpack.py\", line 142, in parse_all\n    return list(\n",
    "  File \"/usr/local/lib/python3.9/site-packages/autoit_ripper/autoit_unpack.py\", line 123, in parse_au3_header\n    yield (\"script.au3\", deassemble_script(dec_data).encode())\n",
    "  File \"/usr/local/lib/python3.9/site-packages/autoit_ripper/opcodes.py\", line 141, in deassemble_script\n    line_items.append(OPCODES[opcode](stream))\n",
    "  File \"/usr/local/lib/python3.9/site-packages/autoit_ripper/opcodes.py\", line 92, in <lambda>\n    0x32: lambda x: \"@\" + MACROS_INVERT_CASE[x.get_xored_string()],\n",
    "KeyError: 'GUI_DRAGFILE'\n"
],

decompress: Uncompressed script size is larger than allowed

ERROR:autoit_ripper.autoit_unpack:EA05 magic mismatch
ERROR:autoit_ripper.decompress:Uncompressed script size is larger than allowed
ERROR:autoit_ripper.autoit_unpack:Error while trying to decompress data
ERROR:autoit_ripper.autoit_unpack:Couldn't decode the autoit script

MACROS are not supported?

A very simple code example: Drag File and Drop Example.au3.
I'm trying to use AutoIt-Ripper like this:

from autoit_ripper import extract, AutoItVersion

import os 
dir = os.path.dirname(__file__)
fullname = os.path.join(dir, 'sample.exe')

with open(fullname, "rb") as f:
    file_content = f.read()

# EA05 for v3.00+, EA06 for v3.26+
# Omitting `version` or passing None will try both versions

# content_list = extract(data=file_content, version=AutoItVersion.EA05)
# content_list = extract(data=file_content, version=AutoItVersion.EA06)
content_list = extract(data=file_content)

But an error occurs:

C:\Users\1\Python>python ..\test.py
EA05 magic mismatch
Traceback (most recent call last):
  File "..\test.py", line 15, in <module>
    content_list = extract(data=file_content)
  File "C:\Users\1\pkgs\autoit_ripper\autoit_unpack.py", line 202, in extract
    return unpack_ea05(data) or unpack_ea06(data)
  File "C:\Users\1\pkgs\autoit_ripper\autoit_unpack.py", line 190, in unpack_ea06
    parsed_data = parse_all(stream, AutoItVersion.EA06)
  File "C:\Users\1\pkgs\autoit_ripper\autoit_unpack.py", line 142, in parse_all
    return list(
  File "C:\Users\1\pkgs\autoit_ripper\autoit_unpack.py", line 123, in parse_au3_header
    yield ("script.au3", deassemble_script(dec_data).encode())
  File "C:\Users\1\pkgs\autoit_ripper\opcodes.py", line 141, in deassemble_script
    line_items.append(OPCODES[opcode](stream))
  File "C:\Users\1\pkgs\autoit_ripper\opcodes.py", line 92, in <lambda>
    0x32: lambda x: "@" + MACROS_INVERT_CASE[x.get_xored_string()],
KeyError: 'GUI_DRAGID'

C:\Users\1\Python>

I suspect that the same errors will occur with other macros.
Will you ever be able to fix it? Thank you very much!
