├── IcedDecrypt.py
├── PeGen.py
├── README.md
└── requirements.txt


/IcedDecrypt.py:
--------------------------------------------------------------------------------
  1 | import argparse
  2 | import base64
  3 | import binascii
  4 | import collections
  5 | import hashlib
  6 | import math
  7 | import os
  8 | import re
  9 | import struct
 10 | import time
 11 | 
 12 | import pefile
 13 | 
 14 | import PeGen
 15 | 
 16 | rol = lambda val, r_bits, max_bits: \
 17 |     (val << r_bits % max_bits) & (2 ** max_bits - 1) | \
 18 |     ((val & (2 ** max_bits - 1)) >> (max_bits - (r_bits % max_bits)))  # rol lambda func. python pls add
 19 | 
 20 | ror = lambda val, r_bits, max_bits: \
 21 |     ((val & (2 ** max_bits - 1)) >> r_bits % max_bits) | \
 22 |     (val << (max_bits - (r_bits % max_bits)) & (2 ** max_bits - 1))  # ror lambda func. python pls add
 23 | 
 24 | 
 25 | def entropy(data):
 26 |     e = 0
 27 |     counter = collections.Counter(data)
 28 |     data_len = len(data)
 29 |     for count in counter.values():
 30 |         p_x = count / data_len
 31 |         e += - p_x * math.log2(p_x)
 32 |     return e
 33 | 
 34 | 
 35 | class IcedDecrypt:
 36 |     def __init__(self, filename, output):
 37 |         self.filename = filename
 38 |         self.output = output
 39 | 
 40 |     def main(self):
 41 |         filein = open(self.filename, "rb")
 42 |         data = filein.read()
 43 |         filein.close()
 44 | 
 45 |         pe, isPe = self.detectPE(self.filename)  # Detect PE file using pefile
 46 |         if isPe:
 47 |             print("[+] Warning: Not Guaranteed to work")
 48 |             dll_data = open(self.filename, "rb").read()
 49 |             c2BuffDict = {"C2Buff": b"", "Size": 0}
 50 |             c2BuffDict = self.extractC2Buff(c2BuffDict, dll_data)
 51 | 
 52 |             decDict = self.decryptWrapper(c2BuffDict)
 53 |             print("[+] Finished Decrypting And Extracting Data")
 54 |             outDict = self.parseC2Buffer(decDict)
 55 |             filename1 = f"out_{hashlib.md5(dll_data).hexdigest()}_{int(time.time())}_output"
 56 |             try:
 57 |                 os.mkdir("Logs")
 58 |             except Exception as e:
 59 |                 print(e)
 60 | 
 61 |             outfile = open(f"Logs/{filename1}.txt", "w+")
 62 |             outfile.write(str(outDict))
 63 |             outfile.close()
 64 |         elif data[:2] == b"\x1F\x8B":  # If Detect gzip header
 65 |             print("[+] Identified GZIPLoader")
 66 |             parsedData, key = self.parseGZIPLoader(data)  # Parse Gzip File and extract data and key
 67 |             outdata = self.decrypt(parsedData, size=len(data) - 0x20, key=key)
 68 |             print("[+] Finished Decrypting Data")
 69 |             parsedDict = self.parseDec_GZIPLoader(outdata)
 70 |             self.genDropFiles(parsedDict)
 71 |             print("[+] Finished Extracting Drop Files")
 72 | 
 73 |             outDict = {"key": base64.b64encode(key).decode(), "size": len(data) - 20}
 74 | 
 75 |         else:  # .dat file decryption attempt
 76 |             key = data[-0x10:]  # license.dat key offset = last 16 bytes of data
 77 |             print("[+] decryption key for dat file: %s" % binascii.hexlify(key).decode("utf-8"))
 78 |             outdata = self.decrypt(data, size=len(data) - 20, key=key)
 79 |             print("[+] entropy check: %s" % entropy(outdata))
 80 |             print("[+] Finished Decrypting Data")
 81 |             try:
 82 |                 os.mkdir("Assembled_Payloads_Debug")
 83 |             except Exception as e:
 84 |                 print(e)
 85 | 
 86 |             try:
 87 |                 os.mkdir("Assembled_Payloads")
 88 |             except Exception as e:
 89 |                 print(e)
 90 | 
 91 |             filename = f"out_{hashlib.md5(outdata).hexdigest()}_{int(time.time())}"
 92 |             print("[+] output file for decrypted .dat file: %s" % filename)
 93 |             outfile = open(f"Assembled_Payloads_Debug/{filename}.file", "wb")
 94 |             outfile.write(outdata)
 95 |             outfile.close()
 96 |             outDict = {"key": base64.b64encode(key).decode(), "size": len(data) - 20}
 97 | 
 98 |             parsedData, parsedDict = self.ParseData(outdata)
 99 |             pe_gen = PeGen.PEGen(1, parsedData, parsedDict)  # Supply ParsedData and ParsedDict, arg1 = machType (0,1)
100 | 
101 |             fixed = pe_gen.genExecutable()
102 |             outfile = open(f"Assembled_Payloads/{filename}_fixed_dll.file", "w+b")
103 |             outfile.write(fixed)
104 |             outfile.close()
105 | 
106 |             try:
107 |                 os.mkdir("Logs")
108 |             except Exception as e:
109 |                 print(e)
110 | 
111 |             outfile = open(f"Logs/{filename}.txt", "w+")
112 |             outfile.write(str(parsedDict))
113 |             outfile.close()
114 | 
115 |     def parseC2Buffer(self, dataDict):  # read values from 0xA9 bytes large data block
116 |         data = base64.b64decode(dataDict["Decrypted_Data"])
117 |         buildID = int.from_bytes(data[:4], byteorder="little")
118 |         uriLen = int.from_bytes(data[4:8], byteorder="little")
119 |         uri = data[8:8 + uriLen]
120 |         counter = 8 + uriLen
121 | 
122 |         count2 = self.incNulls(data[counter:])
123 |         counter = counter + count2
124 |         strLen = data[counter]
125 |         c2_1 = data[counter:strLen + counter]
126 |         counter += strLen
127 |         strLen = data[counter]
128 |         c2_2 = data[counter:strLen + counter]
129 |         unkData = data[-0x14:]
130 |         outDict = {"BuildID": buildID, "uri": uri.decode(), "c2_1": c2_1[1:-1].decode(), "c2_2": c2_2[1:-1].decode(),
131 |                    "UnknownData": base64.b64encode(unkData).decode()}
132 |         return outDict
133 | 
134 |     def ParseData(self, data):
135 |         buffer = data[0x81:]
136 |         """Struct payload_segment_config {
137 |                 qword ImageBase;
138 |                 dword ImageVirtualSize;
139 |                 dword ImageEntryPoint;
140 |                 dword Import Table Offset;
141 |                 dword Import table Virtual Offset;
142 |                 dword Import Table Size;
143 |             }
144 | """
145 | 
146 |         dataSizeTemp = int.from_bytes(buffer[0x8:0xC], byteorder="little")
147 | 
148 |         outBuffer = b"\x00" * int(0x1000 * (round(dataSizeTemp / 0x1000)))
149 |         dataSegments = int.from_bytes(buffer[0x1c:0x20], byteorder="little")
150 |         imagBase = int.from_bytes(buffer[:0x8], byteorder="little")
151 | 
152 |         imagSize = int.from_bytes(buffer[0x8:0xC], byteorder="little")
153 |         imagEntry = int.from_bytes(buffer[0xC:0x10], byteorder="little")
154 |         impTableOff = int.from_bytes(buffer[0x10:0x14], byteorder="little")
155 |         impTableVirtOff = int.from_bytes(buffer[0x14:0x18], byteorder="little")
156 |         impTableSize = int.from_bytes(buffer[0x18:0x1C], byteorder="little")
157 | 
158 |         tempOut = b""
159 |         print(dataSegments)
160 |         segDict = {"SegmentIndex": 0, "SegmentSize": 0, "RawSegmentOffset": 0,
161 |                    "VirtualSegmentOffset": 0}  # Initialize dicts for unpacking values
162 |         bigDict = {"Segments": [], "ImageBase": imagBase, "ImageSize": imagSize, "ImageBaseEntry": imagEntry,
163 |                    "ImportTableOffset": impTableOff, "ImportTableSize": impTableSize}
164 | 
165 |         print(bigDict)
166 | 
167 |         totalSize = 0
168 |         for i in range(dataSegments):
169 |             """Source: malwarebytes analysis of iced
170 |                 struct section {
171 |                     dword VA;
172 |                     dword Virtual_Size
173 |                     dword raw_offset
174 |                     dword raw_size
175 |                     byte access
176 |                 }"""
177 | 
178 |             x = i * 0x11  # each buffer is 0x11 bytes large, with the first header being 0x20 bytes large
179 |             dataOff = int.from_bytes(buffer[0x28 + x:0x2c + x], byteorder="little")
180 |             dataSize = int.from_bytes(buffer[0x2C + x:0x30 + x], byteorder="little")
181 |             virtualOffset = int.from_bytes(buffer[0x20 + x:0x24 + x], byteorder="little")
182 | 
183 |             print(f"[+] Data Segment Size {hex(dataSize)}")
184 |             print(f"[+] Data Offset {hex(dataOff)}")
185 |             print(f"[+] Virtual Offset: {hex(virtualOffset)}")
186 |             segDict["SegmentIndex"] = i
187 |             segDict["SegmentSize"] = dataSize
188 |             segDict["RawSegmentOffset"] = dataOff
189 |             segDict["VirtualSegmentOffset"] = virtualOffset
190 |             bigDict["Segments"].append(segDict)
191 |             segDict = {"SegmentIndex": 0, "SegmentSize": 0, "RawSegmentOffset": 0,
192 |                        "VirtualSegmentOffset": 0}  # zero dict
193 |             totalSize = int(0x1000 * (round((totalSize + dataSize) / 0x1000)))
194 | 
195 |             tempOut = outBuffer[:virtualOffset] + buffer[dataOff:dataOff + dataSize] + outBuffer[
196 |                                                                                        virtualOffset + dataSize:]
197 |             outBuffer = tempOut
198 |         bigDict["SizeOfImage"] = totalSize + 0x1000
199 |         return outBuffer, bigDict
200 | 
201 |     def fixKey(self, key, x, y):
202 |         tempKey = b""
203 |         tempVal = key[y:y + 4]
204 |         tempVal = int.from_bytes(tempVal, byteorder="little")  # First grab from y
205 |         rotVal = (tempVal & 7) & 0xFF
206 |         tempVal = key[x:x + 4]  # then grab from x
207 |         tempVal = int.from_bytes(tempVal, byteorder="little")
208 |         tempVal = ror(tempVal, rotVal, 32)
209 |         tempVal += 1
210 |         tempValX = tempVal.to_bytes(4, byteorder="little")  # save to storage var
211 |         rotVal = (tempVal & 7) & 0xFF  # Gen rotVal
212 | 
213 |         tempVal = key[y:y + 4]  # then grab from y (again)
214 |         tempVal = int.from_bytes(tempVal, byteorder="little")
215 |         tempVal = ror(tempVal, rotVal, 32)
216 |         tempVal += 1
217 |         tempValY = tempVal.to_bytes(4, byteorder="little")
218 | 
219 |         # fix Key
220 |         tempKey = key[:x] + tempValX + key[x + 4:]
221 |         tempKey = tempKey[:y] + tempValY + tempKey[y + 4:]
222 | 
223 |         return tempKey
224 | 
225 |     def decrypt(self, data, size, key):
226 |         outList = []
227 |         if size > 400:
228 |             print(f"[+] Size of data: {len(data)}")
229 |             print(f"[+] Size: {size}")
230 |         for i in range(size):
231 |             x = (i & 3)
232 |             y = ((i + 1) & 3)
233 | 
234 |             c = key[y * 4] + key[x * 4]
235 |             c = (c ^ data[i]) & 0xFF
236 | 
237 |             outList.append(c.to_bytes(1, byteorder="little"))
238 | 
239 |             key = self.fixKey(key, x * 4, y * 4)
240 | 
241 |         return b''.join(outList)
242 | 
243 |     def extractC2Buff(self, outdict, data):
244 |         pe = pefile.PE(data=data)
245 | 
246 |         for section in pe.sections:
247 |             if b".data" in section.Name:
248 |                 RVA_Base = section.PointerToRawData
249 |                 if RVA_Base == 0x0:
250 |                     RVA_Base = section.VirtualAddress
251 | 
252 |                 break
253 |         C2BuffOffset = RVA_Base
254 |         C2BuffSize = rb"\x66\xC7.....\x48\xC7.....(....)[\xFF\xE8]"  # Use Regex to find C2 Buffer in exe
255 |         dataSizeMatch = re.search(C2BuffSize, data, re.DOTALL)
256 | 
257 |         if dataSizeMatch:
258 |             dataSize = struct.unpack("<L", dataSizeMatch.group(1))[0]
259 |         else:
260 |             print("[!] Encrypted Data Size Not Found")
261 | 
262 |             dataSize = 0x25C
263 |         outdict["Size"] = dataSize
264 |         outdict["C2Buff"] = data[C2BuffOffset:C2BuffOffset + dataSize]
265 |         return outdict
266 | 
267 |     def decryptWrapper(self, inDict):
268 |         outdict = {"Decrypted_Data": ""}  # decrypt C2 Buffer
269 |         data = inDict["C2Buff"]
270 |         size = inDict["Size"]
271 |         key = data[-0x10:]
272 | 
273 |         outdata = self.decrypt(data, size=size, key=key)
274 |         outb64 = base64.b64encode(outdata)
275 |         try:
276 |             outb64 = outb64.decode()
277 |         except Exception as e:
278 |             outb64 = outb64
279 |         outdict["Decrypted_Data"] = outb64
280 |         return outdict
281 | 
282 |     def detectPE(self, filename):
283 |         try:
284 |             pe = pefile.PE(filename)  # attempt pefile load pe file
285 |             return pe, 1
286 |         except Exception as e:
287 |             return None, 0
288 | 
289 |     def bruteforceKey(self, data, buffsize=0x100):
290 |         data_part = data[:buffsize]  # Grab part of the data so we don't need to bruteforce 5MB
291 |         tempData = data_part  # tempData holder
292 |         i = 0
293 | 
294 |         while tempData[0x20:0x24] != b"\x00\x00\x00\x00":
295 |             key = data[-0x20 + i:-0x10 + i]
296 | 
297 |             tempData = self.decrypt(data_part, size=len(data_part), key=key)
298 |             i += 1
299 |             if b"\x00\x00\x00\x00" in tempData:
300 |                 print(tempData)
301 | 
302 |         return key
303 | 
304 |     def parseGZIPLoader(self, data):
305 |         '''Gzip Data format
306 |         first 10 bytes: 1f8b0808000000000000;
307 |         CSTR Filename;
308 |         buffer DATA;
309 |         ...
310 |         buffer Key = data[(dataStart + 0x0A + len(FileName) + 1) + (dataSize -0x1E - (len(FileName) + 1))):(dataStart + 0x0A + len(FileName) + 1) + (dataSize -0x1E - (len(FileName) + 1))) + 0x10];'''
311 | 
312 |         dataHeader = data[:0x0A]
313 |         filename = b""
314 |         i = 0
315 |         while data[0x0A + i] != 0x00:
316 |             filename += data[0x0A + i].to_bytes(1, byteorder="little")
317 |             i += 1
318 | 
319 |         i += 1
320 |         filename += b"\x00"
321 |         dataSize = len(data)
322 |         print("[+] Found Data Start. Attempting Key Bruteforce...")
323 | 
324 |         key = self.bruteforceKey(
325 |             data[0xA + len(filename):])  # Using extracted data, bruteforce the key using a select batch of keys
326 |         print(f"[+] Identified Key: {key}")
327 |         return data[0xA + len(filename):], key
328 | 
329 |     def extractStrFromBuff(self, data):
330 |         string1 = b""
331 | 
332 |         for i in range(len(data)):
333 |             if data[i] == 0x00:
334 |                 break
335 |             string1 += data[i].to_bytes(1, byteorder="little")
336 |         return string1
337 | 
338 |     def incNulls(self, data):
339 |         i = 0
340 |         while data[i] == 0x00:
341 |             i += 1
342 |         return i
343 | 
344 |     def parseDec_GZIPLoader(self, data):  # Once gziploader is decrypted, parse the 0xA9 byte config
345 |         """
346 |         Struct gziploader_payload_config {
347 |                 Byte hardcoded2Val;
348 |                 Byte Flag;
349 |                 Dword sizeOfDatfile;
350 |                 Dword sizeOfDllFile;
351 |                 Cstr DatFileDir;
352 |                 Buffer[0x14] Reserved;
353 |                 Cstr DatFileName;
354 |                 Buffer[0x13] Reserved;
355 |                 Cstr DllFileName;
356 |                 Buffer[0x12] Reserved;
357 |             }
358 |         """
359 |         hardcoded_val = data[0:1]
360 |         flag = data[1:2]
361 |         datfile_size = int.from_bytes(data[2:6], byteorder="little")
362 |         print("[+] datfile size: ", datfile_size)
363 |         dllfile_size = int.from_bytes(data[6:10], byteorder="little")
364 |         print("[+] dllfile size: ", dllfile_size)
365 |         dirname = self.extractStrFromBuff(data[10:])
366 |         print("[+] Directory Name:", dirname)
367 | 
368 |         count = self.incNulls(data[10 + len(dirname):])
369 |         datname = self.extractStrFromBuff(data[count + 10 + len(dirname):])
370 |         print("[+] Dat Name :", datname)
371 | 
372 |         count = count + 10 + len(dirname) + len(datname)
373 |         datname = datname[1:]
374 |         count2 = self.incNulls(data[count:])
375 |         count = count + count2
376 |         dllname = self.extractStrFromBuff(data[count:])
377 |         print("[+] Dll Name: ", dllname)
378 |         count += len(dllname)
379 |         count2 = self.incNulls(data[count:])
380 |         count += count2
381 |         # datfile offset is now 710 bytes in
382 |         datfile_data = data[710:710 + datfile_size]
383 |         dllfile_start = 710 + datfile_size
384 |         dllfile_data = data[dllfile_start:dllfile_start + dllfile_size]
385 |         datfile_b64 = base64.b64encode(datfile_data).decode()
386 |         dllfile_b64 = base64.b64encode(dllfile_data).decode()
387 |         ParsedDict = {"Directory_Name": dirname.decode(),
388 |                       "DatFile_Name": datname.decode(),
389 |                       "DllFile_Name": dllname.decode(),
390 |                       "DatFile": datfile_b64,
391 |                       "DllFile": dllfile_b64}
392 | 
393 |         return ParsedDict
394 | 
395 |     def genDropFiles(self, data_dict):  # Generate files to write
396 |         try:
397 |             os.mkdir("Payloads")
398 |         except Exception as e:
399 |             print(e)
400 |         try:
401 |             os.mkdir(f"Payloads/{data_dict['Directory_Name']}")
402 |         except Exception as e:
403 |             print(e)
404 |         datFileOut = f"Payloads/{data_dict['Directory_Name']}/{data_dict['DatFile_Name']}"
405 |         dllFileOut = f"Payloads/{data_dict['Directory_Name']}/{data_dict['DllFile_Name']}"
406 |         print("[+] output of dll file location: %s" % dllFileOut)
407 |         # rundll string not included anymore
408 |         # rundllOut = f"Payloads/{data_dict['Directory_Name']}/Rundll32Execution.txt"
409 |         datFileData = base64.b64decode(data_dict["DatFile"])
410 |         dllFileData = base64.b64decode(data_dict["DllFile"])
411 |         datout = open(datFileOut, "w+b")
412 |         datout.write(datFileData)
413 |         datout.close()
414 |         dllout = open(dllFileOut, "w+b")
415 |         dllout.write(dllFileData)
416 |         dllout.close()
417 |         rundllstr = 'rundll32.exe "{}",update /i:"{}"'
418 |         rundllstr = rundllstr.format(f"%localappdata%/{dataDict['DllFile_Name']}",f"{dataDict['Directory_Name']}/{dataDict['DatFile_Name']}")
419 | 
420 |         print("Rundll32 String: ",rundllstr)
421 |         rundll  = open(rundllOut,"w+b")
422 |         rundll.write(f"copy {dataDict['DllFile_Name']} C:\\Users\\admin\\Appdata\\Local\\".encode() + b"\r\n")
423 |         rundll.write(f"md C:\\Users\\admin\\Appdata\\Roaming\\{dataDict['Directory_Name']}\\".encode() + b"\r\n")
424 |         rundll.write(f"copy {dataDict['DatFile_Name']} C:\\Users\\admin\\Appdata\\Roaming\\{dataDict['Directory_Name']}\\".encode() + b"\r\n")
425 |         rundll.write(rundllstr.encode() + b"\r\n")
426 |         rundll.close()
427 |         print(f"[+] Wrote {datFileOut}, {dllFileOut}, and {rundllOut}")
428 |         
429 |         try:
430 |             print("[+] Attempting C2 Buffer Decryption")
431 |             iced2 = IcedDecrypt(filename=dllFileOut, output=f"{dllFileOut}_output.file")
432 |             iced2.main()
433 |         except Exception as e:
434 |             print(e)
435 | 
436 |         return
437 | 
438 | 
439 | if __name__ == '__main__':
440 |     parser = argparse.ArgumentParser()
441 |     parser.add_argument('-f', '--filename', help="Input Filename", required=True)
442 |     parser.add_argument('-o', '--output', help="Output Filename", required=False, default="output")
443 |     args = parser.parse_args()
444 |     icedDec = IcedDecrypt(filename=args.filename, output=args.output)
445 |     icedDec.main()
446 | 


--------------------------------------------------------------------------------
/PeGen.py:
--------------------------------------------------------------------------------
  1 | import struct
  2 | import sys
  3 | import re
  4 | import base64
  5 | import pefile
  6 | 
  7 | import time
  8 | 
  9 | class PEGen:
 10 |     def __init__(self,machType,data,dataDict):
 11 |         self.Reserved = b"\x00\x00\x00\x00"
 12 |         self.PEMag = b"\x50\x45\x00\x00"
 13 |         if machType == 0:
 14 |             self.PEMach = b"\x4c\x01"
 15 |         elif machType == 1:
 16 |             self.PEMach = b"\x64\x86"
 17 |         self.data = data
 18 |         self.dataDict = dataDict
 19 | 
 20 |     def genMZ(self):
 21 |         self.MZHead = b"\x4d\x5a\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00\xb8\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd0\x00\x00\x00\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21\x54\x68\x69\x73\x20\x70\x72\x6f\x67\x72\x61\x6d\x20\x63\x61\x6e\x6e\x6f\x74\x20\x62\x65\x20\x72\x75\x6e\x20\x69\x6e\x20\x44\x4f\x53\x20\x6d\x6f\x64\x65\x2e\x0d\x0d\x0a\x24\x00\x00\x00\x00\x00\x00\x00\x59\x78\x8a\xea\x1d\x19\xe4\xb9\x1d\x19\xe4\xb9\x1d\x19\xe4\xb9\x3a\xdf\x9f\xb9\x1f\x19\xe4\xb9\x6e\x7b\xe5\xb8\x16\x19\xe4\xb9\x1d\x19\xe5\xb9\x07\x19\xe4\xb9\xfb\x7d\xe0\xb8\x18\x19\xe4\xb9\xfb\x7d\xe4\xb8\x1c\x19\xe4\xb9\xfb\x7d\xe6\xb8\x1c\x19\xe4\xb9\x52\x69\x63\x68\x1d\x19\xe4\xb9\x00\x00\x00\x00\x00\x00\x00\x00" #MZ header can be relatively static
 22 |         return 1
 23 | 
 24 |     def genPE(self):
 25 |         PESecCo = len(self.dataDict["Segments"]).to_bytes(2,byteorder = "little")
 26 |         PETime = int(time.time()).to_bytes(4,byteorder = "little")
 27 |         PERest = b"\x00\x00\x00\x00\x00\x00\x00\x00\xf0\x00\x22\x20"
 28 |         self.PEHead = self.PEMag + self.PEMach + PESecCo + PETime + PERest
 29 |         return 1
 30 | 
 31 |     def genOptional(self):
 32 |         OPMag = b"\x0B\x02"
 33 |         OPLinker = b"\x0E\x0C"
 34 |         for segm in self.dataDict["Segments"]: #identifies the 3 important segments needed for proper iced reassembly
 35 | 
 36 |             if segm["VirtualSegmentOffset"] == 0x1000:
 37 |                 self.OPCodeSize = segm["SegmentSize"].to_bytes(4,byteorder = "little")
 38 |                 self.textSegSize = segm["SegmentSize"]
 39 |                 self.OPAddress = segm["VirtualSegmentOffset"].to_bytes(4,byteorder = "little")
 40 | 
 41 |             elif segm["VirtualSegmentOffset"] == 0x20000:
 42 |                 self.relocSectionSize = segm["SegmentSize"].to_bytes(4,byteorder = "little")
 43 |                 self.relocAddress = segm["VirtualSegmentOffset"].to_bytes(4,byteorder = "little")
 44 |             elif segm["VirtualSegmentOffset"] == 0x27000:
 45 |                 self.dataAddress = segm["VirtualSegmentOffset"].to_bytes(4,byteorder = "little")
 46 |                 self.dataSectionSize = segm["SegmentSize"].to_bytes(4,byteorder = "little")
 47 | 
 48 | 
 49 | 
 50 | 
 51 | 
 52 |         OPOtherSizes = b"\x00\x08\x00\x00\x00\x0c\x00\x00\x00\x00\x00\x00"
 53 |         OPBase = self.OPAddress
 54 |         OPAddressPattern = rb"\x48\x83\xec\x28\xe8....\x85" #Dynamically find the entrypoint using regex
 55 |         m = re.search(OPAddressPattern, self.data,re.DOTALL)
 56 |         if m:
 57 |             self.OPAddress1 = m.start().to_bytes(4,byteorder="little")
 58 | 
 59 |         self.OPHead = OPMag + OPLinker + OPOtherSizes + self.OPAddress1 + OPBase
 60 |         return 1
 61 | 
 62 |     def genOpImageBase(self): #generate the imageBase
 63 |         ImagBase = self.dataDict["ImageBase"].to_bytes(8,byteorder="little")
 64 |         SectionAlignment = b"\x00\x10\x00\x00"
 65 |         FileAlignment = b"\x00\x02\x00\x00"
 66 |         ImagOS = b"\x06\x00\x00\x00"
 67 |         ImagVer = b"\x00\x00\x00\x00"
 68 |         ImagMajSubVer = b"\x06\x00\x00\x00"
 69 |         ImagRes = self.Reserved
 70 |         ImagSize = (self.dataDict["SizeOfImage"]).to_bytes(4,byteorder="little")
 71 |         ImagHeadSize = b"\x00\x10\x00\x00"
 72 |         CheckSum = b"\x3F\xA8\x2F\x00"
 73 |         ImagSubSys = b"\x02\x00"
 74 |         ImagDllCharacts = b"\x60\x00"
 75 |         ImagSHRes = 0x100000.to_bytes(8,byteorder="little")
 76 |         ImagSCommit = 0x1000.to_bytes(8,byteorder="little")
 77 |         ImagHeapRes = 0x100000.to_bytes(8,byteorder="little")
 78 |         ImagHeapCom = 0x1000.to_bytes(8,byteorder="little")
 79 |         ImagLFlags = self.Reserved
 80 |         ImagNoRVASize = 0x10.to_bytes(4,byteorder = "little")
 81 |         self.OPImagBase = ImagBase + SectionAlignment + FileAlignment + ImagOS + ImagVer + ImagMajSubVer + ImagRes + ImagSize + ImagHeadSize + CheckSum + ImagSubSys + ImagDllCharacts + ImagSHRes + ImagSCommit + ImagHeapRes + ImagHeapCom + ImagLFlags + ImagNoRVASize
 82 |         return 1
 83 | 
 84 |     def genOpImageFull(self):
 85 |         self.genOptional()
 86 |         self.genOpImageBase()
 87 |         self.FullOpHeader = self.OPHead + self.OPImagBase
 88 |         return 1
 89 | 
 90 |     def genTables(self):
 91 |         exportTable = self.Reserved #TODO: Find export table
 92 |         exportTableSize = self.Reserved
 93 | 
 94 |         ImportTable_1 = self.dataDict["ImportTableOffset"].to_bytes(4,byteorder="little")
 95 |         ImportTableSize_1 = self.dataDict["ImportTableSize"].to_bytes(4,byteorder="little")
 96 | 
 97 |         ExceptionDir = self.Reserved
 98 |         ExceptDirSize = self.Reserved
 99 |         ExceptDirSec = self.Reserved[:2]
100 | 
101 |         BaseReloc = self.Reserved
102 |         BaseRelocSize = self.Reserved
103 |         BaseRelocRest = b"\x00" * 48
104 | 
105 |         ImportAddr = self.Reserved
106 |         ImportAddrSize = self.Reserved
107 |         ImportAddrRest = b"\x00" * 24
108 | 
109 | 
110 | 
111 |         ImageSectionHeader = b".text\x00\x00\x00"
112 |         ImageSectionSize = self.textSegSize.to_bytes(4,byteorder="little")
113 |         ImageSectionAddr = self.OPAddress
114 |         ImageSectionRSize = self.OPCodeSize
115 |         ImageSectionPtr = self.OPAddress
116 |         ImageSectionRest = b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x20\x00\x00\x60"
117 | 
118 |         RelocSectionHeader = b".relocs\x00"
119 |         RelocSectionSize = self.relocSectionSize
120 |         RelocSectionAddr = self.relocAddress
121 |         RelocSectionRSize = self.relocSectionSize
122 |         RelocSectionPtr = self.relocAddress
123 |         RelocSectionRest = ImageSectionRest
124 | 
125 |         DataSectionHeader = b".data\x00"
126 |         DataSectionSize = self.dataSectionSize
127 |         DataSectionAddr = self.dataAddress
128 |         DataSectionRSize = self.dataSectionSize
129 |         DataSectionPtr = self.dataAddress
130 |         DataSectionRest = ImageSectionRest
131 | 
132 |         print(f"[+] Generated .text Section\n\tImage Section Address: {int.from_bytes(ImageSectionAddr,byteorder='little')}\n\tImage Size: {int.from_bytes(ImageSectionSize,byteorder='little')}")
133 |         print(f"[+] Generated .relocs Section\n\tImage Section Address: {int.from_bytes(RelocSectionAddr,byteorder='little')}\n\tImage Size: {int.from_bytes(RelocSectionSize,byteorder='little')}")
134 |         print(f"[+] Generated .data Section\n\tImage Section Address: {int.from_bytes(DataSectionAddr,byteorder='little')}\n\tImage Size: {int.from_bytes(DataSectionSize,byteorder='little')}")
135 |         segmList = [b".rdata",b".data"]
136 | 
137 |         i = 2
138 |         self.segmData = ImageSectionHeader + ImageSectionSize + ImageSectionAddr + ImageSectionRSize + ImageSectionPtr + ImageSectionRest
139 |         self.segmData += RelocSectionHeader + RelocSectionSize + RelocSectionAddr + RelocSectionRSize + RelocSectionPtr + RelocSectionRest
140 |         for segm in self.dataDict["Segments"]:
141 |             if i == 2:
142 |                 ImportTable = segm["VirtualSegmentOffset"].to_bytes(4,byteorder = "little")
143 |                 ImportTableSize = segm["SegmentSize"].to_bytes(4,byteorder="little")
144 |                 ImportTableSize += b"\x00" * 8
145 | 
146 | 
147 |             if segm["VirtualSegmentOffset"] == 0x1000 or segm["VirtualSegmentOffset"] == 0x20000:
148 |                 continue
149 |             segmNameIndex = segm["SegmentIndex"] % len(segmList)
150 |             segmNameCounter = int(segm["SegmentIndex"] / len(segmList))
151 |             if segmNameCounter != 0:
152 |                 segmName = segmList[segmNameIndex] + str(segmNameCounter).encode()
153 |             else:
154 |                 segmName = segmList[segmNameIndex]
155 |             segmName = segmName + ((8 - len(segmName)) * b"\x00")
156 |             segmVirtSize = segm["SegmentSize"].to_bytes(4,byteorder="little")
157 |             segmVirtAddr = segm["VirtualSegmentOffset"].to_bytes(4,byteorder = "little")
158 |             segmRawSize = segmVirtSize
159 |             segmPtr = segmVirtAddr
160 |             i += 1
161 |             segmRest = b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x20\x00\x00\x60"
162 |             self.segmData += segmName + segmVirtSize + segmVirtAddr + segmRawSize + segmPtr + segmRest
163 | 
164 |         TablesAll = b"\xFF\xFF\xFF\xFF\x61\x00\x00\x00\x48\x49\x02\x00\xec\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x70\x05\x00\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x48\x49\x02\x00\x50\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
165 |         self.genExportTable()
166 | 
167 |         TablesAll = TablesAll.replace(b"\x48\x49\x02\x00",ImportTable_1)
168 |         TablesAll = TablesAll.replace(b"\xEC\x00\x00\x00",ImportTableSize_1)
169 |         self.TablesAll = TablesAll.replace(b"\xFF\xFF\xFF\xFF",self.ExportOff)
170 | 
171 |         return 1
172 | 
173 |     def genExportTable(self): #generate export table
174 |         offset = int.from_bytes(self.dataAddress,byteorder="little") + 0x1100
175 |         self.offset = offset
176 |         Timestamp = int(time.time()).to_bytes(4,byteorder = "little")
177 |         MajVer = b"\x00\x00"
178 |         MinVer = b"\x00\x00"
179 |         ordBase = b"\x01\x00\x00\x00"
180 |         cAddrTable =  b"\x01\x00\x00\x00"
181 |         cNamePtr  = b"\x01\x00\x00\x00"
182 |         ExportAddressTbl = (offset + 40).to_bytes(4,byteorder = "little")
183 |         ExportOrdTbl = (offset + 48).to_bytes(4,byteorder = "little")
184 |         ExportNameTbl = (offset + 52).to_bytes(4,byteorder = "little")
185 |         ExportDllOff = (offset + 0x4A).to_bytes(4,byteorder = "little")
186 |         self.exportTable = self.Reserved+Timestamp+MajVer+MinVer+ExportDllOff + ordBase+cAddrTable+cNamePtr + ExportAddressTbl + ExportNameTbl + ExportOrdTbl
187 | 
188 | 
189 |         dllRva = self.OPAddress1
190 |         forwardRva = self.OPAddress1
191 | 
192 |         ordinal = b"\x01\x00\x00\x00"
193 |         self.exportTable = self.exportTable + dllRva + forwardRva + ordinal
194 | 
195 |         lpExportName = (offset + len(self.exportTable)+4).to_bytes(4,byteorder="little")
196 |         ExportName = b"DllRegisterServer\x00"
197 |         DllExportName = b"fixed_loader64.dll\x00"
198 |         ExportDllOff = (offset + 4 + len(self.exportTable) + len(ExportName)).to_bytes(4,byteorder="little")
199 |         self.exportTable = self.Reserved+Timestamp+MajVer+MinVer+lpExportName + ordBase+cAddrTable+cNamePtr + ExportAddressTbl + ExportNameTbl + ExportOrdTbl
200 |         self.exportTable = self.exportTable + dllRva + forwardRva + ordinal
201 |         self.exportTable = self.exportTable + ExportDllOff + ExportName + DllExportName
202 | 
203 |         self.ExportOff = offset.to_bytes(4,byteorder="little")
204 | 
205 | 
206 |     def genExecutable(self): #generate icedid exe
207 |         self.genMZ()
208 |         self.genPE()
209 |         self.genOpImageFull()
210 |         self.genTables()
211 | 
212 |         MZHeader_Part = self.MZHead + self.PEHead + self.FullOpHeader + self.TablesAll + self.segmData
213 |         necNulls = 0x1000 - len(MZHeader_Part)
214 | 
215 |         self.MZHeader_Full = MZHeader_Part + (b"\x00" * necNulls)
216 |         outdata = self.MZHeader_Full + self.data[0x1000:self.offset] + self.exportTable + self.data[self.offset + len(self.exportTable):]
217 |         return outdata
218 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # IcedDecrypt
 2 | IcedID Decryption Tool
 3 | 
 4 | 
 5 | IceDecrypt is a bulk IcedID decryption tool allowing for decryption/payload reassembly for the new license.dat payload drop, along with gziploader payload decryption, and bot config extraction for icedid downloaders (less likely to work due to method of extraction + iced's own defenses).
 6 | 
 7 | # Required Libs
 8 | pefile
 9 | 
10 | argparse
11 | 
12 | # Usage
13 | python3 IcedDecrypt.py -f [input file] -o [optional file output]
14 | 
15 | 
16 | 


--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
1 | future==0.18.2
2 | pefile==2019.4.18
3 | 


--------------------------------------------------------------------------------