Abstract:
I am analysing a pcap file, with live malware (for educational purposes), and using Wireshark - I managed to extract few objects from the HTTP stream and some executables.
During my Analysis, I found instances hinting Fiestka Exploit Kit used.
Having Googled a ton, I came across a GitHub Rep: https://github.com/0x3a/tools/blob/master/fiesta-payload-decrypter.py
What am I trying to achieve?
I am trying to run the python fiesta-payload-decrypter.py against the malicious executable (extracted from the pcap).
What have I done so far?
I've copied the code onto a plain text and saved it as malwaredecoder.py. - This script is saved in the same Folder (/Download/Investigation/) as the malware.exe that I want to run it against.
What's the Problem?
Traceback (most recent call last):
File "malwaredecoder.py", line 51, in <module>
sys.exit(DecryptFiestaPyload(sys.argv[1], sys.argv[2]))
File "malwaredecoder.py", line 27, in DecryptFiestaPyload
fdata = open(inputfile, "rb").read()
IOError: [Errno 2] No such file or directory: '-'
I am running this python script in Kali Linux, and any help would be much appreciated. Thank you.
The script expects two args... What are you passing it?
Looks like it expects the args to be files and it sees a -, (dash), as the input file.
https://github.com/0x3a/tools/blob/master/fiesta-payload-decrypter.py#L44 Here it looks like the first arg is the input file and second is the output file.
Try running it like this:
python malewaredecoder.py /Download/Investigation/fileImInvestigating.pcap /Download/Investigation/out.pcap
All that said, good luck, that script looks pretty old and was last modified in 2015.
Related
Here is my problem :
I got a python program that writes into a file, and a batch one that reads the file then. So I got my python code (simplified) :
import os
file = open("test.txt", "w")
file.write(Chooseentry.get()+"\n")
for i in hal:
file.write(i+"\n")
file.close()
os.startfile (r"C:/Hack/Project/Read.bat")
So I start my batch after having closed the file. It is supposed not to be used anymore by python, right ?
But then my batch file that reads it tells me :
The system cannot find the file test.txt
The process cannot access to the file because this file is already used by another process
Soooo... How can I close properly my file in python so that I can use it with my batch then ?
Thanks by advance for any help ! ^^
I am working on a project in Python in which I am parsing data from a zipped folder containing log files. The code works fine for most zips, but occasionally this exception is thrown:
[Errno 22] Invalid argument
As a result, the entire file is skipped, thus excluding the data in the desired log files from the results. When I try to extract the zipped file using the default Windows utility, I am met with this error:
Zip error
However, when I try to extract the file with 7zip, it does so successfully, save 2 errors:
1 <path> Unexpected End of Data
2 Data error: x.csv
x.csv is totally unrelated to the log I am trying to parse, and as such, I need to write code that is resilient to the point where if an unrelated file is corrupted, it will still be able to parse the other logs that are not.
At the moment, I am using the zipfile module to extract the files into memory. Is there a robust way to do this without the entire file being skipped?
Update 1: I believe the error I am running into is that the zipfile is missing a footer. I realized this when looking at it in a hex editor. I do not really have any idea how to safely edit the actual file using Python.
Here is the code that I am using to extract zips into memory:
for zip in os.listdir(directory):
try:
if zip.lower().endswith('.zip'):
if os.path.isfile(directory + "\\" + zip):
logs = zipfile.ZipFile(directory + "\\" + zip)
for log in logs.namelist():
if log.endswith('log.txt'):
data = logs.read(log)
Edit 2: Traceback for the error:
Traceback (most recent call last):
File "c:/Users/xxx/Desktop/Python Porjects/PE/logParse.py", line 28, in parse
logs = zipfile.ZipFile(directory + "\\" + zip)
File "C:\Users\xxx\AppData\Local\Programs\Python\Python37\lib\zipfile.py", line 1222, in __init__
self._RealGetContents()
File "C:\Users\xxx\AppData\Local\Programs\Python\Python37\lib\zipfile.py", line 1289, in _RealGetContents
raise BadZipFile("File is not a zip file")
zipfile.BadZipFile: File is not a zip file
The stacktrace seems to show that it's not your code which badly manage to read the file but the Python module managing zip that is raising an error.
It looks like that python zip manager is more strict than other program (see this bug where a user report a difference between python behaviour and other program as GNOME Archive Manager).
Maybe, there is a bug report to do.
I want to export some data to an app that is installed on my mobile phone. So I exported some dummy data in the app, in order to investigate how I can produce data to import.
First step: It's a gzipped file. No problem, that is what gunzip is for.
Second step:
$ file export
export: Smile binary data version 0: binary encoded, shared String values disabled, shared field names
I have never heard of a smile file (which is quite ugly to google because of the emoticons), but I found pySmile. Problem: I am not even a noob regarding python. To be more specific: I don't know anything about python.
But I tried it anyways.
import pysmile
import sys
f = open(sys.argv[1],'r')
a = f.read()
print repr(a)
o=pysmile.decode(a)
print o
This worked pretty well with a smile file I generated myself, but with the given export smile file I get the following error:
Traceback (most recent call last):
File "dec.py", line 7, in <module>
o=pysmile.decode(a)
File "/usr/local/lib/python2.7/dist-packages/pysmile/decode.py", line 224, in decode
state.copy_shared_value_string()
File "/usr/local/lib/python2.7/dist-packages/pysmile/decode.py", line 151, in copy_shared_value_string
raise SMILEDecodeError('Cannot lookup shared value, sharing disabled!')
pysmile.decode.SMILEDecodeError: Cannot lookup shared value, sharing disabled!
After that I tried to investigate where the difference between the two files is:
export: Smile binary data version 0: binary encoded, shared String values disabled, shared field names enabled
dummyf: Smile binary data version 0: binary encoded, shared String values enabled, shared field names enabled
This in addition to the Error Trace lead me to my question: How can I enable sharing in pysmile (decode and encode), and is there another python-free method to convert a smile file to a text file and (which is even more important) the other way around?
I'm newbie here and I wouldn't want to ask such a easy question as my first post but I don't know anything about Python even I'm a PHP/C programmer.
I have a python script in Figway tools which is called RegisterDevice.py to register my own sensor hardware to FIWARE Lab. But some code lines of that script doesn't work as I expected because of Python3.4. This may not be my problem but I don't have too much time to wait an official solution that's why I thought that I could resolve it as a person who is familiar to the programming.
I've searched on the web for solution but I couldn't find any exact solution for it yet. As far as I read bytes and unicode strings are two different types in Python3.x but I couldn't realize where I have to encode or maybe decode string to other type on the code. Maybe I have to do something else...
Here is the part of script which gave me error like above.
# Load the configuration file
with open(CONFIG_FILE,'r+') as f:
sample_config = f.read()
#config = ConfigParser.RawConfigParser(allow_no_value=True)
config = configparser.RawConfigParser(allow_no_value=True)
config.readfp(io.BytesIO(sample_config))
Error:
Traceback (most recent call last):
File "RegisterDevice.py", line 47, in <module>
config.readfp(io.BytesIO(sample_config))
TypeError: 'str' does not support the buffer interface
Firstly readfp() is deprecated in Python3 and you should use read_file().
The best way is probably using the read() function directly when you want to work with a file. You should set encoding as the second parameter if you expect non-ASCII characters inside the file.
The alternative is to read_string() and give it a string directly.
I have been doing work very similar to this, and I believe this script runs, but you will have to verify if it gives you the desired results:
import configparser
with open('.coveragerc','r+') as f:
#config = ConfigParser.RawConfigParser(allow_no_value=True)
config = configparser.RawConfigParser(allow_no_value=True)
config.readfp(f)
I'm using Python 2.7 on Windows XP.
My script relies on tempfile.mkstemp and tempfile.mkdtemp to create a lot of files and directories with the following pattern:
_,_tmp = mkstemp(prefix=section,dir=indir,text=True)
<do something with file>
os.close(_)
Running the script always incurs the following error (although the exact line number changes, etc.). The actual file that the script is attempting to open varies.
OSError: [Errno 24] Too many open files: 'path\\to\\most\\recent\\attempt\\to\\open\\file'
Any thoughts on how I might debug this? Also, let me know if you would like additional information. Thanks!
EDIT:
Here's an example of use:
out = os.fdopen(_,'w')
out.write("Something")
out.close()
with open(_) as p:
p.read()
You probably don't have the same value stored in _ at the time you call os.close(_) as at the time you created the temp file. Try assigning to a named variable instead of _.
If would help you and us if you could provide a very small code snippet that demonstrates the error.
why not use tempfile.NamedTemporaryFile with delete=False? This allows you to work with python file objects which is one bonus. Also, it can be used as a context manager (which should take care of all the details making sure the file is properly closed):
with tempfile.NamedTemporaryFile('w',prefix=section,dir=indir,delete=False) as f:
pass #Do something with the file here.