malnetlib

Release 1.0.8

MalNetLib is a Python library for parsing PE files made with .NET

Homepage PyPI Python

Keywords
dotnet, parser, malware, malware-analysis
Install
pip install malnetlib==1.0.8

Documentation

MalNetLib

MalNetLib is a Python library for parsing PE files made with .NET (based on dnlib).

Installation

Install the library (available on pypi.org):

$ python3 -m pip install malnetlib

Compile dnlib.dll (required for the project) :

# Debian
$ sudo apt install -y dotnet-sdk-6.0
# Arch
$ sudo pacman -S dotnet-sdk-6.0

$ git clone --depth=1 https://github.com/0xd4d/dnlib
$ cd dnlib
$ dotnet build
$ cd ..
$ cp ./dnlib/Examples/bin/Debug/net6.0/dnlib.dll .
$ rm -rf dnlib

Examples

NjRAT

NjRAT is a remote access trojan (RAT).

You can use malnetlib to extract the configuration of NjRAT which is stored inside .NET class attributes. Here is an example with the a sample of NjRAT and the script njrat_extractor.py :

pe = DotNetPE(args.sample)
ok_class = pe.get_object("OK")
njrat_conf = {
	"host": ok_class.get_attribute("HH").get_value(),
	"port": ok_class.get_attribute("P").get_value(),
	"install_directory": "%" + ok_class.get_attribute("DR").get_value() + "%",
	"install_name": ok_class.get_attribute("EXE").get_value(),
	"startup": ok_class.get_attribute("sf").get_value(),
	"campain_id": b64decode(ok_class.get_attribute("VN").get_value()).decode("UTF-8"),
	"version": ok_class.get_attribute("VR").get_value(),
	"network_separator": ok_class.get_attribute("Y").get_value(),
	"mutex": ok_class.get_attribute("RG").get_value()
}
print(dumps(njrat_conf))
{
  "host": "2.tcp.eu.ngrok.io",
  "port": "10008",
  "install_directory": "%TEMP%",
  "install_name": "server.exe",
  "startup": "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
  "campain_id": "HacKed",
  "version": "im523",
  "network_separator": "|'|'|",
  "mutex": "25ffb1a66b4748fe7537df7005cc8e55"
}

vw0rm

VJW0rm (aka Vengeance Justice Worm) is a publicly available, modular JavaScript RAT. Other variants include a Visual Basic Script (VBS) based worm titled vw0rm (Vengeance Worm).

You can use malnetlib to list and extract .NET resources from a vw0rm dropper.

>>> from malnetlib.models import DotNetPE
>>> pe = DotNetPE("30d64daeb3e69ea6dde202a9d519f6ee17614af6e505dd2e5788017c3be4abd8")
>>> resources = pe.get_resources()
>>> resources
[<Resource Windows_Task_Manager.Resources.resources 0x0>, <Resource Windows_Task_Manager.proccesing.resources 0x4806>]
>>> resources[0].save("/tmp/output.bin")
>>> resources[0].read()
b'[...]On error resume next\r\n\r\nj = array("WScript.Shell","Scripting.FileSystemObject","Shell.Application","Microsoft.XMLHTTP")
\r\ng = array("HKCU","HKLM","HKCU\\vw0rm","\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\","HKLM\\SOFTWARE\\Classes\\","REG_SZ","\\defaulticon\\")\r\ny=
array("winmgmts:","win32_logicaldisk","Win32_OperatingSystem","winmgmts:\\\\localhost\\root\\securitycenter","AntiVirusProduct")\r\n\r\nfunction go(m)\r\n

Stats

Dependencies
0
Dependent packages
0
Dependent repositories
0
Total releases
9
Latest release
First release
Stars
0
Forks
0
Watchers
1
Contributors
1
Repository size
13.7 KB
SourceRank
7

Development practices

Source repo 2FA enabled
TEXT!
Package manager 2FA enabled
TEXT!
Is security responsive
TEXT!
Dependencies are managed
TEXT!
Issue-free release available
TEXT!
Succession plan available
TEXT!
Package manager 2FA enabled
TEXT!

The Tidelift Subscription provides access to a continuously curated stream of human-researched and maintainer-verified data on open source packages and their licenses, releases, vulnerabilities, and development practices.

Learn more

Releases

1.0.8
1.0.7
1.0.6
1.0.5
1.0.4
1.0.3
1.0.2
1.0.1
1.0.0

Contributors

xanhacks


See all contributors

Something wrong with this page? Make a suggestion

Export .ABOUT file for this package

Last synced: 2023-02-04 08:49:08 UTC

Login to resync this project