Adding files

Author: W4nn4Die

ch04/code/domain_suffixes.txt

@@ -0,0 +1,3 @@
+sudo apt install python-pygraphviz
+sudo apt install icoutils
+sudo pip install -r requirements.txt

ch04/code/install-requirements.sh

@@ -0,0 +1,19 @@
+#!/usr/bin/python
+import networkx
+
+# Instantiate a network with no nodes and no edges.
+network = networkx.Graph()
+
+nodes = ["hello","world",1,2,3]
+for node in nodes:
+    network.add_node(node)
+network.add_edge("hello","world")
+network.add_edge(1,2)
+network.add_edge(1,3)
+network.add_node(1,myattribute="foo")
+network.node[1]["myattribute"] = "foo"
+print network.node[1]["myattribute"] # prints "foo"
+network.add_edge("node1","node2",myattribute="attribute of an edge")
+network.get_edge_data("node1","node2")["myattribute"] = "attribute of an edge"
+network.get_edge_data("node1","node2")["myattribute"] = 321
+print network.get_edge_data("node1","node2")["myattribute"] # prints 321

ch04/code/listing-4-1.py

@@ -0,0 +1,91 @@
+#!/usr/bin/python
+
+import pefile
+import sys
+import argparse
+import os
+import pprint
+import logging
+import networkx
+import collections
+import tempfile
+from networkx.drawing.nx_agraph import write_dot
+from networkx.algorithms import bipartite
+
+# Use argparse to parse any command line arguments
+
+args = argparse.ArgumentParser("Visualize shared image relationships between a directory of malware samples")
+args.add_argument("target_path",help="directory with malware samples")
+args.add_argument("output_file",help="file to write DOT file to")
+args.add_argument("malware_projection",help="file to write DOT file to")
+args.add_argument("resource_projection",help="file to write DOT file to")
+args = args.parse_args()
+network = networkx.Graph()
+
+class ExtractImages():
+    def __init__(self,target_binary):
+        self.target_binary = target_binary
+        self.image_basedir = None
+        self.images = []
+
+    def work(self):
+        self.image_basedir = tempfile.mkdtemp()
+        icondir = os.path.join(self.image_basedir,"icons")
+        bitmapdir = os.path.join(self.image_basedir,"bitmaps")
+        raw_resources = os.path.join(self.image_basedir,"raw")
+        for directory in [icondir,bitmapdir,raw_resources]:
+            os.mkdir(directory)
+        rawcmd = "wrestool -x {0} -o {1} 2> /dev/null".format(self.target_binary,raw_resources)
+        bmpcmd = "mv {0}/*.bmp {1} 2> /dev/null".format(raw_resources,bitmapdir)
+        icocmd = "icotool -x {0}/*.ico -o {1} 2> /dev/null".format(raw_resources,icondir)
+        for cmd in [rawcmd,bmpcmd,icocmd]:
+            try:
+                os.system(cmd)
+            except Exception,msg:
+                pass
+        for dirname in [icondir,bitmapdir]:
+            for path in os.listdir(dirname):
+                logging.info(path)
+                path = os.path.join(dirname,path)
+                imagehash = hash(open(path).read())
+                if path.endswith(".png"):
+                    self.images.append((path,imagehash))
+                if path.endswith(".bmp"):
+                    self.images.append((path,imagehash))
+
+    def cleanup(self):
+        os.system("rm -rf {0}".format(self.image_basedir))
+
+# search the target directory for PE files to extract images from
+image_objects = []
+for root,dirs,files in os.walk(args.target_path):
+    for path in files:
+        # try to parse the path to see if it's a valid PE file
+
+        try:
+            pe = pefile.PE(os.path.join(root,path))
+        except pefile.PEFormatError:
+            continue
+        fullpath = os.path.join(root,path)
+        images = ExtractImages(fullpath)
+        images.work()
+        image_objects.append(images)
+
+        # create the network by linking malware samples to their images
+        for path, image_hash in images.images:
+            # set the image attribute on the image nodes to tell GraphViz to render images within these nodes
+            if not image_hash in network:
+                network.add_node(image_hash,image=path,label='',type='image')
+            node_name = path.split("/")[-1]
+            network.add_node(node_name,type="malware")
+            network.add_edge(node_name,image_hash)
+
+# write the bipartite network, then do the two projections and write them
+write_dot(network, args.output_file)
+malware = set(n for n,d in network.nodes(data=True) if d['type']=='malware')
+resource = set(network) - malware
+malware_network = bipartite.projected_graph(network, malware)
+resource_network = bipartite.projected_graph(network, resource)
+
+write_dot(malware_network,args.malware_projection)
+write_dot(resource_network,args.resource_projection)

ch04/code/listing-4-12.py

@@ -0,0 +1,12 @@
+#!/usr/bin/python
+import networkx
+from networkx.drawing.nx_agraph import write_dot
+
+# instantiate a network, add some nodes, and connect them
+nodes = ["hello","world",1,2,3]
+network = networkx.Graph()
+for node in nodes:
+    network.add_node(node)
+network.add_edge("hello","world")
+write_dot(network, "network.dot")
+

ch04/code/listing-4-3.py

@@ -0,0 +1,13 @@
+#!/usr/bin/python
+
+import networkx
+from networkx.drawing.nx_agraph import write_dot
+
+g = networkx.Graph()
+g.add_node(1)
+g.add_node(2)
+g.add_edge(1,2,penwidth=10) # make the edge extra wide
+write_dot(g,'network.dot')
+
+
+

ch04/code/listing-4-4.py

@@ -0,0 +1,13 @@
+#!/usr/bin/python
+
+import networkx
+from networkx.drawing.nx_agraph import write_dot
+
+g = networkx.Graph()
+g.add_node(1,color="blue") # make the node outline blue
+g.add_node(2,color="pink") # make the node outline pink
+g.add_edge(1,2,color="red") # make the edge  red
+write_dot(g,'network.dot')
+
+
+

ch04/code/listing-4-5.py

@@ -0,0 +1,13 @@
+#!/usr/bin/python
+
+import networkx
+from networkx.drawing.nx_agraph import write_dot
+
+g = networkx.Graph()
+g.add_node(1,shape='diamond')
+g.add_node(2,shape='egg')
+g.add_edge(1,2)
+
+write_dot(g,'network.dot')
+
+

ch04/code/listing-4-6.py

@@ -0,0 +1,13 @@
+#!/usr/bin/python
+
+import networkx
+from networkx.drawing.nx_agraph import write_dot
+
+g = networkx.Graph()
+g.add_node(1,label="first node")
+g.add_node(2,label="second node")
+g.add_edge(1,2,label="link between first and second node")
+
+write_dot(g,'network.dot')
+
+

ch04/code/listing-4-7.py

@@ -0,0 +1,68 @@
+#!/usr/bin/python
+
+import pefile
+import sys
+import argparse
+import os
+import pprint
+import networkx
+import re
+from networkx.drawing.nx_agraph import write_dot
+import collections
+from networkx.algorithms import bipartite
+
+args = argparse.ArgumentParser("Visualize shared hostnames between a directory of malware samples")
+args.add_argument("target_path",help="directory with malware samples")
+args.add_argument("output_file",help="file to write DOT file to")
+args.add_argument("malware_projection",help="file to write DOT file to")
+args.add_argument("hostname_projection",help="file to write DOT file to")
+args = args.parse_args()
+network = networkx.Graph()
+
+valid_hostname_suffixes = map(lambda string: string.strip(), open("domain_suffixes.txt"))
+valid_hostname_suffixes = set(valid_hostname_suffixes)
+def find_hostnames(string):
+    possible_hostnames = re.findall(r'(?:[a-zA-Z0-9](?:[a-zA-Z0-9\-]{,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,6}', string)
+    valid_hostnames = filter(
+            lambda hostname: hostname.split(".")[-1].lower() in valid_hostname_suffixes,
+            possible_hostnames
+    )
+    return valid_hostnames
+
+# search the target directory for valid Windows PE executable files
+for root,dirs,files in os.walk(args.target_path):
+    for path in files:
+        # try opening the file with pefile to see if it's really a PE file
+        try:
+            pe = pefile.PE(os.path.join(root,path))
+        except pefile.PEFormatError:
+            continue
+        fullpath = os.path.join(root,path)
+        # extract printable strings from the target sample
+        strings = os.popen("strings '{0}'".format(fullpath)).read()
+
+        # use the search_doc function in the included reg module to find hostnames
+        hostnames = find_hostnames(strings)
+        if len(hostnames):
+            # add the nodes and edges for the bipartite network
+            network.add_node(path,label=path[:32],color='black',penwidth=5,bipartite=0)
+        for hostname in hostnames:
+            network.add_node(hostname,label=hostname,color='blue',
+               penwidth=10,bipartite=1)
+            network.add_edge(hostname,path,penwidth=2)
+        if hostnames:
+            print "Extracted hostnames from:",path
+            pprint.pprint(hostnames)
+# write the dot file to disk
+write_dot(network, args.output_file)
+malware = set(n for n,d in network.nodes(data=True) if d['bipartite']==0)
+hostname = set(network)-malware
+
+# use NetworkX's bipartite network projection function to produce the malware
+# and hostname projections
+malware_network = bipartite.projected_graph(network, malware)
+hostname_network = bipartite.projected_graph(network, hostname)
+
+# write the projected networks to disk as specified by the user
+write_dot(malware_network,args.malware_projection)
+write_dot(hostname_network,args.hostname_projection)

ch04/code/listing-4-8.py

@@ -0,0 +1,6 @@
+strict graph  {
+	world -- hello;
+	2;
+	3;
+	1;
+}

ch04/code/network.dot

@@ -0,0 +1,8 @@
+# Requirements automatically generated by pigar.
+# https://github.com/Damnever/pigar
+
+networkx == 2.0
+pydot == 1.2.4
+Murmur == 0.1.3
+pefile == 2017.11.5
+matplotlib == 2.0.0

ch04/code/requirements.txt

@@ -0,0 +1 @@
+python listing-4-12.py ../data full_network.dot malware_network.dot image_network.dot

ch04/code/run-listing-4-12.sh

@@ -0,0 +1 @@
+python listing-4-8.py ../data/APT1_MALWARE_FAMILIES/ network.dot malware.dot hostname.dot

ch04/code/run-listing-4-8.sh

@@ -0,0 +1 @@
+The AURIGA malware family shares a large amount of functionality with the BANGAT backdoor.  The malware family contains functionality for keystroke logging, creating and killing processes, performing file system and registry modifications, spawning interactive command shells, performing process injection, logging off the current user or shutting down the local machine.  The AURIGA malware contains a driver component which is used to inject the malware DLL into other processes.  This driver can also perform process and IP connection hiding.  The malware family will create a copy of cmd.exe to perform its C2 activity, and replace the "Microsoft corp" strings in the cmd.exe binary with different values.  The malware family typically maintains persistence through installing itself as a service