
A few issues when running in 2.7.3

Open sketchymoose opened this issue 12 years ago • 5 comments

First off--- thanks for writing this code, I am hoping to use this in my research!

I had a few errors with the python and fixed them (return False outside a function, missing ')', etc). However I am not sure I got it working, I gave it the encrypted dll.hlp file but what I get back does not look correct, see output

[image: output] https://f.cloud.github.com/assets/3982994/307205/26d7c3a8-96b6-11e2-92c4-74038fe44b3a.jpg

Any ideas? I double checked my Python version to make sure it matched.. Again, much thanks for writing this, amazing idea!

I am new to GitHub so once I figure out the pull I can send you the code which I got to work.

sketchymoose, Mar 27 '13 08:03

Can you give me the full error outputs as well?

kcreyts, Mar 27 '13 13:03

Besides the output, this was at the top of the output. There were 3 files associated with this:

  1. benign exe
  2. dll which calls the malicious dll
  3. malicious dll <-- I ran the tool against this file

[image: output]

sketchymoose, Mar 27 '13 14:03

Fixed the first two issues to which you referred... slight oversight, I might have pushed an incomplete development version on accident.

kcreyts, Mar 27 '13 15:03

Oh cool-- the other error was at line 130, if ip.p = 6: changed it to == and it worked fine then, well, still the weird output!

sketchymoose, Mar 27 '13 15:03

And how did you invoke it? ./plugxdecoder.py -f <the_encrypted_artifact> -o <your_name_for_the_extracted_content> ?

I would be interested in seeing your sample (all 3 files, or the original rarsfx). You should be able to find my email pretty easily, and my pgp key lives on major keyservers.

kcreyts, Mar 27 '13 16:03