Skip to content
/ shellcode_extractor_for_maldoc Public

The code in this repository which function is to extract the shellcode from the maldoc.

License

GPL-3.0 license
10 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

g0mxxm/shellcode_extractor_for_maldoc

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
hook
hook
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
shellcode_extractor.py
shellcode_extractor.py
 
 

Repository files navigation

The code in this repository which function is to extract the shellcode from the maldoc

Introduction

In my daily analysis, I will face many maldoc. Most maldoc contain shellcode, so we have to face the problem of how to quickly extract shellcode from it and analyze its behavior. This tool solves this problem very well by combining existing analysis tools to form a tool chain. And if you want know more details of this tool, you can read this article I wrote

Install

Environment

  • python3 & javascript
  • REMnux or any enviroment that include these tools (zipdump & rtfdump & oledump & oleid & msoffcrypto-crack & xorsearch & scdbg & cut-bytes)
  • Windows + Office + frida (If you want to use the hook function to extract the OLE object from the RTF file)
  • The docker image(g0mx/remnux-shellcode_extractor) created by myself for extracting shellcode from maldoc based on REMnux

Code

You only need to clone this repository

Usage

Extract OLE from RTF by hook

Environment

Windows + Office + frida

Code

In the hook folder (you need modify the storage location of the OLE object which is dumped from RTF)

Bash

python3 "$(The path of hook.py)" -n "$(The path of WINWORD.exe) $(The path of RTF file)" "$(The path of hook_OLE.mjs)"

Shellcode extractor

Environment

REMnux or any enviroment that include these tools (zipdump & rtfdump & xorsearch & scdbg & cut-bytes) or The docker image(g0mx/remnux-shellcode_extractor) created by myself for extracting shellcode from maldoc based on REMnux

Code

shellcode_extractor.py (you need to make sure that the tool path in the python file matches the environment you are using. At the same time you can modify the storage location of the shellcode file which is dumped from maldoc)

Bash

If you use the docker images(g0mx/remnux-shellcode_extractor), you will find the shellcode_extractor.py in the "/home/remnux"

docker run --rm -it -u remnux -v "$(The path of folder)":/home/remnux/files remnux/remnux-shellcode_extractor /bin/bash  
cd /home/remnux  
python3 "$(The path of shellcode_extractor.py)"

Examples

Extract OLE from RTF by hook

2022-12-15-22-23-40

Shellcode extractor

2022-12-15-22-32-06

Reference

About

The code in this repository which function is to extract the shellcode from the maldoc.

Resources

Readme

License

GPL-3.0 license
Activity

Stars

10 stars

Watchers

2 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages