A cli script to deobfuscate obfuscated autorun.inf files as used by the Conficker / Downadup malware for example.
Project description
autorun.inf Deobfuscator
A cli script to deobfuscate obfuscated autorun.inf files as used by the Conficker / Downadup malware for example.
Such an autorun.inf file can be quite big since the malware authors can add junk to the configfile which will not be evaluated by Windows.
This scripts only shows the important parts of the config which will be evaluated by Windows.
More information about autorun.inf files you can find on Wikipedia.
Installation
Install the package with pip
pip install autorun-inf-deobfuscator
or
pip install git+https://github.com/wahlflo/AutorunInfDeobfuscator
Features
- It removes all non ASCII characters
- It removes empty lines
- It removes comments
- It adds missing brackets to section declarations
- It removes not junk sections which are meaningless in an autorun.inf file
Usage
Type deobfuscate-autorun-inf --help to view the help.
usage: deobfuscate-autorun-inf [OPTION]... -i FILE
A cli script to deobfuscate obfuscated autorun.inf files as used by the Conficker / Downadup malware for example.
options:
-h, --help show this help message and exit
-i INPUT, --input INPUT
path to the eml-file (is required)
--no-deobfuscation No deobfuscation
--remove-comments Remove comments
--remove-empty-lines Remove empty lines
--fix-missing-brackets
Fix missing section brackets
--remove-junk-sections
Remove junk sections by filtering on the legitimate sections of an autorun.inf file
--show-sections Prints out only the name of the sections contained in the file
-o OUTPUT, --output OUTPUT
Writes the obfuscated file to the given file
Example deobfuscation of an autorun.inf file
excerpt of an obfuscated autorun.inf file created by Conficker:
[AUTorUN
;
ÅA¯˜ölÜŠq¦…tÎKVWœý¸¤¬
AcTION
=Ordner öffnen, um Dateien anzuzeigen
icon =
%syStEmrOot%\sySTEM32\sHELL32.Dll ,4
;Pr×SoàDWWCfDnhTvVQyažã¾
;«GáÊ
;
qTJ¥·r€ÕoÍgwDqçÚJûKEí´û
shelLExECUte
=RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
;
zD¾pl¿›cà½ÂuDbËyF½žÚG
;f›yÊlÌÃèŠdGµBwAsUmF
;
»Ÿobz²q•GEìªiSøµväF˜Ø¤ò¼fîNŒDs±
useAuTopLAY
=
1
;
Fª†g•¿úoÖMÊc°¹tYcÈìkdQeæØnD§äâÙrˆe…C¿ùlÝ„ôC
[
oiw]
deobfuscation with the deobfuscate-autorun-inf script:
$deobfuscate-autorun-inf -i conficker_autorun_sample.ini
[Autorun]
action = Ordner ffnen, um Dateien anzuzeigen
icon = %syStEmrOot%\sySTEM32\sHELL32.Dll ,4
shellexecute = RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
useautoplay = 1
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file autorun-inf-deobfuscator-1.0.1.tar.gz.
File metadata
- Download URL: autorun-inf-deobfuscator-1.0.1.tar.gz
- Upload date:
- Size: 5.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.1 CPython/3.10.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | a2527dd7bb176cd538df38016ecb496c8c06753eae27a88b7e798803a298aba6 |
|
| MD5 | e421e86a73521c20bedf8890b63781ac |
|
| BLAKE2b-256 | ec77fb90169881b75a55b3c144d876b4bd1c25ed78a5e1ae9265aa4028db799a |
File details
Details for the file autorun_inf_deobfuscator-1.0.1-py3-none-any.whl.
File metadata
- Download URL: autorun_inf_deobfuscator-1.0.1-py3-none-any.whl
- Upload date:
- Size: 6.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.1 CPython/3.10.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | ba39fd2a472aad1193b81fe13c84667163483ab7b04c6889acc973ef6314747b |
|
| MD5 | 6fe24e3664610d02ed458efa3402f14e |
|
| BLAKE2b-256 | 05c6f46adf7076de2d956c1ec031f69b6a3f3e07cb1404877485d33470d6f254 |
