
Automatically decompiling virii

While looking for better and faster ways of analyzing virii so I can go after their CNCs sooner, I ended up finding some new tools out in the world these days. You guys keep me on my toes by constantly coming out with open source tech! There is a free .Net decompiler called JustDecompile, recently released by Telerik (one of my favorite companies). A couple of childishly simple lines of C# later, and I am automatically decompiling .Net based virii that were caught and uploaded by my distributed honeypot system.

Right now I am working on adding some recursion for encrypted binaries loaded as resources. I am definitely interested in anything you guys have to add regarding automagically attacking virus platforms. Soon to come will be my write-up regarding Reflexive DDoS Mitigation.

using System;
using System.IO;
using System.Threading;

using JustDecompile.Tools.MSBuildProjectBuilder;
using Telerik.JustDecompiler.Languages.CSharp;

namespace VirusThreatAnalysis
{
    class Program
    {
        private static string BaseDir = "";

        static void Main(string[] args)
        {
            // The only argument is the directory the honeypot drops captured samples into.
            if (args.Length < 1)
            {
                Console.WriteLine("usage: VirusThreatAnalysis <sample directory>");
                return;
            }
            BaseDir = args[0];
            if (!BaseDir.EndsWith(@"\")) { BaseDir += @"\"; }

            // Decompile every new file that shows up in the sample directory.
            FileSystemWatcher watcher = new FileSystemWatcher();
            watcher.Created += new FileSystemEventHandler(watcher_Created);
            watcher.Path = BaseDir;
            watcher.IncludeSubdirectories = false;
            watcher.EnableRaisingEvents = true;

            // Block the main thread forever; the watcher raises its events on its own thread.
            Thread.Sleep(Timeout.Infinite);
        }

        static void watcher_Created(object sender, FileSystemEventArgs e)
        {
            try
            {
                string assemblypath = e.FullPath;
                // Output goes into a folder named after the sample, minus its extension.
                string projectDir = BaseDir + Path.GetFileNameWithoutExtension(assemblypath) + @"\";
                Directory.CreateDirectory(projectDir);

                // Turn the assembly into a C# (v4 syntax) MSBuild project on disk.
                MSBuildProjectBuilder projectBuilder = new MSBuildProjectBuilder(assemblypath, projectDir, new CSharpV4());
                projectBuilder.BuildProject(new CancellationToken());
            }
            catch (Exception ex)
            {
                // Corrupt, packed or non-.Net samples make the decompiler throw; log it and keep watching.
                Console.WriteLine("Failed to decompile " + e.FullPath + ": " + ex.Message);
            }
        }
    }
}
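As an added example (not the author's code), one way to start on the resource recursion mentioned above: the hypothetical ResourceExtractor below uses System.Reflection.Metadata (assumed to be available via its NuGet package) to dump a sample's embedded manifest resources without loading or executing the sample, and reports which dumped files are themselves .Net assemblies so the watcher can feed them back into the decompiler. Encrypted resources are dumped as-is; nothing here decrypts them.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Reflection.Metadata;
using System.Reflection.PortableExecutable;

// Hypothetical helper: reads a sample's metadata without loading or executing it.
static class ResourceExtractor
{
    // True if the file is a PE image that carries a CLI (managed) metadata header.
    public static bool IsManagedAssembly(string path)
    {
        try
        {
            using (var pe = new PEReader(File.OpenRead(path))) return pe.HasMetadata;
        }
        catch (BadImageFormatException) { return false; } // not a PE file at all
    }

    // Dumps every embedded manifest resource of samplePath into outDir and returns the
    // dumped files that are themselves managed assemblies (next decompilation pass).
    public static List<string> ExtractManagedResources(string samplePath, string outDir)
    {
        var nested = new List<string>();
        Directory.CreateDirectory(outDir);
        using (var pe = new PEReader(File.OpenRead(samplePath)))
        {
            if (!pe.HasMetadata) return nested;
            MetadataReader md = pe.GetMetadataReader();
            int resourcesRva = pe.PEHeaders.CorHeader.ResourcesDirectory.RelativeVirtualAddress;
            foreach (ManifestResourceHandle h in md.ManifestResources)
            {
                ManifestResource res = md.GetManifestResource(h);
                if (!res.Implementation.IsNil) continue; // lives in another file, not embedded
                // An embedded resource is a 4-byte little-endian length followed by the bytes.
                BlobReader reader = pe.GetSectionData(resourcesRva + (int)res.Offset).GetReader();
                if (reader.RemainingBytes < 4) continue;
                int length = reader.ReadInt32();
                if (length < 0 || length > reader.RemainingBytes) continue; // malformed sample
                // Resource names are attacker-controlled: strip path separators and the like.
                string safeName = string.Join("_", md.GetString(res.Name).Split(Path.GetInvalidFileNameChars()));
                string outPath = Path.Combine(outDir, safeName);
                File.WriteAllBytes(outPath, reader.ReadBytes(length));
                if (IsManagedAssembly(outPath)) nested.Add(outPath);
            }
        }
        return nested;
    }
}
```

Calling ExtractManagedResources from the watcher's handler and looping over the returned paths gives one level of recursion; keep a set of already-processed file hashes so a sample that embeds a copy of itself cannot loop forever.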

About Pythorian

Exploration and Production oriented security consultant for securing IT infrastructures relating to natural resources.
