From dcadb41749c00f905238ea7cb0009b24e006f142 Mon Sep 17 00:00:00 2001 From: "Mariusz B. / mgeeky" Date: Fri, 22 Oct 2021 20:28:44 +0200 Subject: [PATCH] updated findSymbols.py --- windows/README.md | 7 ++----- windows/findSymbols.py | 24 ++++++++++++------------ 2 files changed, 14 insertions(+), 17 deletions(-) diff --git a/windows/README.md b/windows/README.md index 33140f9..c8c42e5 100644 --- a/windows/README.md +++ b/windows/README.md @@ -49,15 +49,12 @@ Output filtering: Example run: ``` -cmd> py findSymbols.py "c:\Program Files\Microsoft Office" -r -u -s exec -s launch -s run -s process -s eval +cmd> py findSymbols.py "c:\Program Files\Microsoft Office" -e -r -u -s exec -s launch -s run -s process -s eval -s dcom -s dde -s pipe ``` - Searches for imports and exports in MS Office PE executables matching any of `'exec','launch','run','process','eval'` regular expressions. + Searches for unique exports in MS Office PE executables matching any of `'exec','launch','run','process','eval','dcom','dde','pipe'` regular expressions in their names. ``` -| 562 | AppvIsvSubsystems64.dll | import | rpcrt4.dll | RpcServerUnregisterIf | 2004368 | c:\Program Files\Microsoft Office\root\Office16\AppvIsvSubsystems64.dll | -| 563 | DBGCORE.DLL | import | ntdll.dll | RtlRunOnceExecuteOnce | 175056 | c:\Program Files\Microsoft Office\root\Office16\DBGCORE.DLL | -| 564 | mscss7ge.dll | export | mscss7ge.dll | RunCssWordBreaker | 556488 | c:\Program Files\Microsoft Office\root\Office16\mscss7ge.dll | | 565 | PRIVATE_ODBC32.dll | export | PRIVATE_ODBC32.dll | SQLExecDirect | 734088 | c:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for | | | | | | | | Excel Integrated\bin\PRIVATE_ODBC32.dll | | 566 | PRIVATE_ODBC32.dll | export | PRIVATE_ODBC32.dll | SQLExecDirectA | 734088 | c:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for | diff --git a/windows/findSymbols.py b/windows/findSymbols.py index 04e8480..4655d37 100644 
--- a/windows/findSymbols.py +++ b/windows/findSymbols.py @@ -108,36 +108,36 @@ def verifyCriterias(args, regexes, infos, uniqueSymbols): regexesVerified = sum([len(v) for k, v in regexes.items()]) - for rex in regexes['not-name']: + for name, rex in regexes['not-name']: match = rex.search(infos['symbol']) if match: - verbose(args, f'(-) Skipping symbol {infos["module"]}.{infos["symbol"]} as it DID satisfy not-name regex.') + verbose(args, f'(-) Skipping symbol {infos["module"]}.{infos["symbol"]} as it DID satisfy not-name ({name}) regex.') return False - for rex in regexes['not-module']: + for name, rex in regexes['not-module']: match = rex.search(infos['module']) if match: - verbose(args, f'(-) Skipping symbol\'s module {infos["module"]}.{infos["symbol"]} as it DID satisfy not-module regex.') + verbose(args, f'(-) Skipping symbol\'s module {infos["module"]}.{infos["symbol"]} as it DID satisfy not-module ({name}) regex.') return False satisifed = False carryOn = False if len(regexes['module']) > 0: - for rex in regexes['module']: + for name, rex in regexes['module']: match = rex.search(infos['module']) if match: - verbose(args, f'(+) Symbol\'s module {infos["module"]}.{infos["symbol"]} satisfied module regex.') + verbose(args, f'(+) Symbol\'s module {infos["module"]}.{infos["symbol"]} satisfied module ({name}) regex.') carryOn = True break else: carryOn = True if carryOn: - for rex in regexes['name']: + for name, rex in regexes['name']: match = rex.search(infos['symbol']) if match: - verbose(args, f'(+) Symbol {infos["module"]}.{infos["symbol"]} satisfied name regex.') + verbose(args, f'(+) Symbol {infos["module"]}.{infos["symbol"]} satisfied name ({name}) regex.') satisifed = True break 
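Review bot: The `for name, rex in regexes[...]` unpacking added in all four loops silently changes the shape of every `regexes` list from compiled patterns to `(raw_pattern, compiled)` tuples, and only the readers inside this hunk were updated — any other code that iterates `regexes['name']`/`regexes['module']` and calls `.search` directly would now fail with an AttributeError on the tuple, which I cannot confirm or rule out from here. The `regexesVerified = sum(len(v) ...)` line still counts entries correctly, but the contract deserves a one-line comment at the top of the first loop, e.g. `# each entry is (raw CLI pattern, compiled regex); the raw text is only used for verbose() output`. Note also that `{name}` in the new verbose messages is the CLI argument before `accomodate_rex()` rewrote it (the rewrite is not shown in this hunk); if that function changes the pattern materially, logging `rex.pattern` alongside would show what actually matched. `verifyCriterias` both starts before and continues after this hunk, so the final use of `satisifed` is not visible here.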
@@ -312,16 +312,16 @@ def opts(argv): } for name in args.name: - regexes['name'].append(re.compile(accomodate_rex(name), re.I)) + regexes['name'].append((name, re.compile(accomodate_rex(name), re.I))) for not_name in args.not_name: - regexes['not-name'].append(re.compile(accomodate_rex(not_name), re.I)) + regexes['not-name'].append((not_name, re.compile(accomodate_rex(not_name), re.I))) for module in args.module: - regexes['module'].append(re.compile(accomodate_rex(module), re.I)) + regexes['module'].append((module, re.compile(accomodate_rex(module), re.I))) for not_module in args.not_module: - regexes['not-module'].append(re.compile(accomodate_rex(not_module), re.I)) + regexes['not-module'].append((not_module, re.compile(accomodate_rex(not_module), re.I))) return args, regexes
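Review bot: The four loops in `opts()` are now identical except for the list name, and each carries the same `(pattern, re.compile(accomodate_rex(pattern), re.I))` tuple construction; a small helper keeps the tuple layout in one place so a future change to what is stored cannot diverge between the four lists. A malformed user pattern still reaches `re.compile` with no `try`/`except` visible in this hunk, so it surfaces as a `re.error` traceback rather than a usage message — worth catching at the call site if argparse is handling the rest of the option validation. The rewrite below assumes the four `regexes[...]` lists start empty at the `}` that opens the hunk, which is not visible here; `extend` preserves the original append semantics either way.
```python
def _compile_patterns(patterns):
    # Keep the raw CLI text next to the compiled form so verbose() can
    # name the rule that matched; accomodate_rex() rewrites the pattern
    # before compilation, so the raw text is for display only.
    return [(p, re.compile(accomodate_rex(p), re.I)) for p in patterns]

regexes['name'].extend(_compile_patterns(args.name))
regexes['not-name'].extend(_compile_patterns(args.not_name))
regexes['module'].extend(_compile_patterns(args.module))
regexes['not-module'].extend(_compile_patterns(args.not_module))

# … unchanged: return args, regexes …
```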