Adds working 64bit malware hunter

Author: Corb3nik

analysis_tools/opcache_disassembler.py

@@ -179,7 +179,7 @@ def create_ast(self, filename):
 
         # Main OP array
         for idx, opcode in enumerate(main_op_array['opcodes']):
-            opcode = OPcode(str(idx), opcode, main_op_array, opcache, is_64_bit)
+            opcode = OPcode(str(idx), opcode, main_op_array, opcache, self.is_64_bit)
             ast.paste("main_op_array", opcode)
 
         # Function Table
@@ -248,8 +248,8 @@ def print_syntax_tree(self, ast):
 
         ast.show(key=lambda a: "")
 
-    def disassemble(self, file, is_64_bit):
-        disassembler = OPcacheDisassembler(is_64_bit)
+    def disassemble(self, file):
+        disassembler = OPcacheDisassembler(self.is_64_bit)
         ast = disassembler.create_ast(file)
         final = ""
         final += disassembler.convert_branch_to_pseudo_code(ast, 'class_table', 0)

analysis_tools/opcache_malware_hunt.py

@@ -3,7 +3,9 @@
 # Copyright (c) 2016 GoSecure Inc.
 
 from opcache_disassembler import OPcacheDisassembler
-from opcache_parser import OPcacheParser
+import hashlib
+import opcache_parser
+import opcache_parser_64
 import sys
 import os
 import subprocess
@@ -232,7 +234,7 @@ def compare_parsed_files(file1, file2):
 
     return True
 
-def create_diff_report(file1, file2, report_name, from_desc, to_desc, is_64_bit):
+def create_diff_report(file1, file2, file_name, from_desc, to_desc, is_64_bit):
 
     """ Create a report showing the differences between two files
 
@@ -252,14 +254,16 @@ def create_diff_report(file1, file2, report_name, from_desc, to_desc, is_64_bit)
     html_differ = difflib.HtmlDiff()
 
     # Generate the report and write into a file
-    report_name = report_name.replace("/", "%2f") + '.html'
-    with open(hunt_report + "/" + report_name, "w") as f:
-        f.write(html_differ.make_file(disassembled_1, disassembled_2, from_desc, to_desc))
+    file_name = file_name.replace("/", "%2f") + '.html'
+    hash_name = hashlib.sha1(file_name).hexdigest()
+    with open(hunt_report + "/" + hash_name + ".html", "w") as f:
+	content = html_differ.make_file(disassembled_1, disassembled_2, from_desc, to_desc)
+        f.write(content)
 
     # Return the name of the report
-    return report_name
+    return (file_name, hash_name + ".html")
 
-def create_index(report_names):
+def create_index(file_names, report_names):
 
     """ Create an index file containing the list of all the reports generated by create_diff_report
 
@@ -279,9 +283,9 @@ def create_index(report_names):
 
     # The list of links towards each report
     body = "<ul>"
-    for report_name in report_names:
+    for index, report_name in enumerate(report_names):
         link = report_name.replace("%2f", "%252f")
-        link_name = report_name.replace("%2f", "/")[:-5]
+        link_name = file_names[index].replace("%2f", "/")[:-5]
         body += "<li><a href='{0}'>{1}</a></li>".format(link, link_name)
     body += "</ul>"
 
@@ -317,8 +321,10 @@ def show_help():
     is_64_bit = False
     if architecture == "-a64":
         is_64_bit = True
+	OPcacheParser = opcache_parser_64.OPcacheParser
     elif architecture == "-a32":
         is_64_bit = False
+	OPcacheParser = opcache_parser.OPcacheParser
 
 
     # Setup a new phpini for compilation
@@ -365,13 +371,15 @@ def show_help():
         print ""
         print "Potentially infected files : "
         reports = []
+	file_names = []
         for idx, file, new_cache_file in flagged_files:
             print " - " + file
 
-            report = create_diff_report(new_cache_file, file, opcache_files[idx], "Source Code", "Cache", is_64_bit)
+            (file_name, report) = create_diff_report(new_cache_file, file, opcache_files[idx], "Source Code", "Cache", is_64_bit)
             reports += [report]
+	    file_names += [file_name]
 
-        create_index(reports)
+        create_index(file_names, reports)
     else:
         print "No infected files found."
 

analysis_tools/opcache_parser.py

@@ -21,6 +21,12 @@ def Z_Val(name, callback = None, unserialize = True):
     if not callback:
         callback = Empty
 
+    callback_name = ""
+    if callback == unserialize_zend_function:
+	callback_name = "op_array"
+    elif callback == unserialize_class:
+        callback_name = "class"
+
     return name / Struct(Zend_Value("value"),
                   "u1" / Struct("type" / Byte,
                          "type_flags" / Byte,
@@ -29,13 +35,13 @@ def Z_Val(name, callback = None, unserialize = True):
                   ),
                   "u2" / Int32ul,
 
-                  If(lambda z: z.u1.type == 6 and unserialize,
+                  "string" / If(lambda z: z.u1.type == 6 and unserialize,
                      Pointer(lambda z: (z.value.w1 & ~1) +
                                       (meta['mem_size'] if meta['str_size'] != 0 else 0) +
                                       Meta.sizeof(),
                                       Zend_String("string")
                   )),
-                  If(lambda z: z.u1.type == 17 and unserialize,
+                  callback_name / If(lambda z: z.u1.type == 17 and unserialize,
                      Pointer(lambda z: z.value.w1 + Meta.sizeof(), callback()))
                   )
 

analysis_tools/opcache_parser_64.py

@@ -35,8 +35,8 @@ def Z_Val(name, callback = None, unserialize = True):
                   ),
                   "u2" / Int32ul,
 
-                  If(lambda z: z.u1.type == 6 and unserialize,
-                     "string" / Pointer(lambda z: (z.value.w1 & ~1) +
+                  "string" / If(lambda z: z.u1.type == 6 and unserialize,
+                     Pointer(lambda z: (z.value.w1 & ~1) +
                                       (meta['mem_size'] if meta['str_size'] != 0 else 0) +
                                       Meta.sizeof(),
                                       Zend_String("string")