├── .gitignore
├── LICENSE
├── metatwin.ps1
├── readme.md
└── src
    ├── SigThief-master
        ├── LICENSE
        ├── README.md
        ├── build
        │   └── sigthief
        │   │   ├── out00-Analysis.toc
        │   │   ├── out00-EXE.toc
        │   │   ├── out00-PKG.pkg
        │   │   ├── out00-PKG.toc
        │   │   ├── out00-PYZ.pyz
        │   │   ├── out00-PYZ.toc
        │   │   ├── sigthief.exe.manifest
        │   │   ├── warnsigthief.txt
        │   │   └── xref-sigthief.html
        ├── dist
        │   └── sigthief.exe
        ├── sigthief.py
        └── sigthief.spec
    └── resource_hacker
        └── .keep


/.gitignore:
--------------------------------------------------------------------------------
 1 | ### General ###
 2 | beacon.exe
 3 | revmet.exe
 4 | src/resource_hacker/*
 5 | 
 6 | ### OSX ###
 7 | *.DS_Store
 8 | .AppleDouble
 9 | .LSOverride
10 | 
11 | # Icon must end with two \r
12 | Icon
13 | 
14 | # Thumbnails
15 | ._*
16 | 
17 | # Files that might appear in the root of a volume
18 | .DocumentRevisions-V100
19 | .fseventsd
20 | .Spotlight-V100
21 | .TemporaryItems
22 | .Trashes
23 | .VolumeIcon.icns
24 | .com.apple.timemachine.donotpresent
25 | 
26 | # Directories potentially created on remote AFP share
27 | .AppleDB
28 | .AppleDesktop
29 | Network Trash Folder
30 | Temporary Items
31 | .apdisk
32 | 
33 | ### PowerShell ###
34 | # Exclude packaged modules
35 | *.zip
36 | 
37 | # Exclude .NET assemblies from source
38 | *.dll
39 | 
40 | ### Windows ###
41 | # Windows thumbnail cache files
42 | Thumbs.db
43 | ehthumbs.db
44 | ehthumbs_vista.db
45 | 
46 | # Folder config file
47 | Desktop.ini
48 | 
49 | # Recycle Bin used on file shares
50 | $RECYCLE.BIN/
51 | 
52 | # Windows Installer files
53 | *.cab
54 | *.msi
55 | *.msm
56 | *.msp
57 | 
58 | # Windows shortcuts
59 | *.lnk
60 | 
61 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2024 Threat Express
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/metatwin.ps1:
--------------------------------------------------------------------------------
  1 | Function Invoke-MetaTwin {
  2 |     
  3 | <#
  4 | .SYNOPSIS  
  5 |     
  6 |     Meta-Twin copies metadata and the AuthenticodeSignature from a source binary and into a target binary
  7 |     
  8 |     Function: Meta-Twin
  9 |     Author: Joe Vest (@joevest), PSv2 Compatibility by Andrew Chiles (@andrewchiles)
 10 |     License: BSD 3-Clause
 11 |     Required Dependencies: ResourceHacker.exe
 12 |     Optional Dependencies: None
 13 |     
 14 | .DESCRIPTION  
 15 |         Meta-Twin copies metadata and the AuthenticodeSignature from a source binary and into a target binary
 16 |         Note: SigThief and Resource Hacker may not detect valid metadata or digital signature.  This project may switch to a different tool set, but for now, be aware of potential limitations.
 17 |         
 18 | .LINK  
 19 |     https://www.github.com/minisllc/metatwin
 20 |     http://threatexpress.com/2017/10/metatwin-borrowing-microsoft-metadata-and-digital-signatures-to-hide-binaries/
 21 |     
 22 | .PARAMETER Source
 23 | 
 24 |         Path to source binary (where you want to copy the resources from)
 25 |         
 26 | .PARAMETER Target
 27 | 
 28 |         Path to target binary (where you want the resources copied to)
 29 |         
 30 | .PARAMETER Sign
 31 | 
 32 |         Switch to perform AuthenticodeSignature copying via SigThief
 33 |         
 34 | .EXAMPLE
 35 |     
 36 |         C:\PS> Invoke-MetaTwin -Source C:\windows\explorer.exe -Target c:\mypayload.exe -Sign
 37 |  
 38 |         Description
 39 |         -----------
 40 |         Copies binary resource metadata and AuthenticodeSignature from a source binary to a new copy of the target binary
 41 | #>
 42 | 
 43 |   Param     (
 44 |     [ValidateScript({Test-Path $_ })]
 45 |         [Parameter(Mandatory=$true,
 46 |         HelpMessage='Source binary')]
 47 |         $Source = '',
 48 |     
 49 |     [ValidateScript({Test-Path $_ })]
 50 |         [Parameter(Mandatory=$true,
 51 |         HelpMessage='Target binary')]
 52 |         $Target = '',
 53 | 
 54 |     [Parameter(Mandatory=$false,
 55 |         HelpMessage='Include digital signature')]
 56 |         [Switch]$Sign
 57 |         
 58 |   )
 59 | 
 60 |   #############################################################
 61 |   # Variables
 62 |   #############################################################
 63 | 
 64 | # Logo
 65 | 
 66 | $logo = @"
 67 | 
 68 | =================================================================
 69 |  ___ ___    ___ ______   ____      ______  __    __  ____  ____  
 70 | |   |   |  /  _]      | /    |    |      ||  |__|  ||    ||    \ 
 71 | | _   _ | /  [_|      ||  o  |    |      ||  |  |  | |  | |  _  |
 72 | |  \_/  ||    _]_|  |_||     | -- |_|  |_||  |  |  | |  | |  |  |
 73 | |   |   ||   [_  |  |  |  _  | --   |  |  |        | |  | |  |  |
 74 | |   |   ||     | |  |  |  |  |      |  |   \      /  |  | |  |  |
 75 | |___|___||_____| |__|  |__|__|      |__|    \_/\_/  |____||__|__|
 76 | =================================================================
 77 | Author: @joevest
 78 | =================================================================
 79 | 
 80 | "@
 81 | 
 82 | Set-StrictMode -Version 2
 83 | 
 84 | # Basic file timestomping, maybe redundant since it will also need to be performed on target
 85 | Function Invoke-TimeStomp ($source, $dest) {
 86 |     $source_attributes = Get-Item $source
 87 |     $dest_attributes = Get-Item $dest 
 88 |     $dest_attributes.CreationTime = $source_attributes.CreationTime
 89 |     $dest_attributes.LastAccessTime = $source_attributes.LastAccessTime
 90 |     $dest_attributes.LastWriteTime = $source_attributes.LastWriteTime
 91 | }
 92 | 
 93 | # Binaries
 94 | $resourceHackerBin = ".\src\resource_hacker\ResourceHacker.exe"
 95 | $sigthiefBin       = ".\src\SigThief-master\dist\sigthief.exe"
 96 | 
 97 | # Perform some quick dependency checking
 98 | If ((Test-Path $resourceHackerBin) -ne $True) 
 99 |     {
100 |         Write-Output "[!] Missing Dependency: $resourceHackerBin"
101 |         Write-Output "[!] Ensure you're running MetaTwin from its local directory. Exiting"
102 |         break
103 |     }
104 | 
105 | If ((Test-Path $sigthiefBin) -ne $True) 
106 |     {
107 |         Write-Output "[!] Missing Dependency: $sigthiefBin"
108 |         Write-Output "[!] Ensure you're running MetaTwin from its local directory. Exiting."
109 |         break
110 |     }
111 | 
112 | $timestamp = Get-Date -f yyyyMMdd_HHmmss
113 | $log_file_base = (".\" + $timestamp + "\" + $timestamp)
114 | $source_binary_filename = Split-Path $Source -Leaf -Resolve
115 | $source_binary_filepath = $Source
116 | $target_binary_filename = Split-Path $Target -Leaf -Resolve
117 | $target_binary_filepath = $Target
118 | $source_resource = (".\" + $timestamp + "\" + $timestamp + "_" + $source_binary_filename + ".res")
119 | $target_saveas = (".\" + $timestamp + "\" + $timestamp + "_" + $target_binary_filename)
120 | $target_saveas_signed = (".\" + $timestamp + "\" + $timestamp + "_signed_" + $target_binary_filename)
121 | 
122 | New-Item ".\$timestamp" -type directory | out-null
123 | Write-Output $logo
124 | Write-Output "Source:         $source_binary_filepath"
125 | Write-Output "Target:         $target_binary_filepath"
126 | Write-Output "Output:         $target_saveas"
127 | Write-Output "Signed Output:  $target_saveas_signed"
128 | Write-Output "---------------------------------------------- "
129 | 
130 | # Clean up existing ResourceHacker.exe that may be running
131 | 
132 | Stop-Process -Name ResourceHacker -ea "SilentlyContinue"
133 | 
134 | # Extract resources using Resource Hacker from source 
135 |  Write-Output "[*] Extracting resources from $source_binary_filename "
136 | 
137 | $log_file = ($log_file_base + "_extract.log")
138 | 
139 | $arg = "-open $source_binary_filepath -action extract -mask ,,, -save $source_resource -log $log_file"
140 | start-process -FilePath $resourceHackerBin -ArgumentList $arg -NoNewWindow -Wait
141 | 
142 | # Check if extract was successful
143 | if (Select-String -Encoding Unicode -path $log_file -pattern "Failed") {
144 |     Write-Output "[!] Failed to extract Metadata from $source_binary_filepath"
145 |     Write-Output "    Perhaps, try a differenct source file. Exiting..."
146 |     break   
147 | }
148 | 
149 | # Copy resources using Resource Hacker
150 | "[*] Copying resources from $source_binary_filename to $target_saveas"
151 | 
152 | $arg = "-open $target_binary_filepath -save $target_saveas -resource $source_resource -action addoverwrite"
153 | start-process -FilePath $resourceHackerBin -ArgumentList $arg -NoNewWindow -Wait
154 | 
155 | # Add Digital Signature using SigThief
156 | if ($Sign) {
157 | 
158 |     # Copy signature from source and add to target
159 |     "[*] Extracting and adding signature ..."
160 |     $arg = "-i $source_binary_filepath -t $target_saveas -o $target_saveas_signed"
161 |     $proc = start-process -FilePath $sigthiefBin -ArgumentList $arg -Wait -PassThru
162 |     #$proc | Select * |Format-List
163 |     #$proc.ExitCode
164 |     if ($proc.ExitCode -ne 0) {
165 |         Write-Output "[-] Cannot extract signature, skipping ..."     
166 |         $Sign = $False   
167 |     }
168 | }
169 | 
170 | # Display Results
171 | Start-Sleep .5
172 | Write-Output "`n[+] Results"
173 | Write-Output " -----------------------------------------------"
174 | 
175 | 
176 | if ($Sign) {
177 | 
178 |     Write-Output "[+] Metadata"
179 |     Get-Item $target_saveas_signed | Select VersionInfo | Format-List
180 | 
181 |     Write-Output "[+] Digital Signature"
182 |     Get-AuthenticodeSignature (gi $target_saveas_signed) | select SignatureType,SignerCertificate,Status | fl
183 |     Invoke-TimeStomp $source_binary_filepath $target_saveas_signed
184 | } 
185 | 
186 | else {
187 |     Write-Output "[+] Metadata"
188 |     Get-Item $target_saveas | Select VersionInfo | Format-List
189 |     Write-Output "[+] Digital Signature"
190 |     Write-Output "    Signature not added ... "
191 |     Invoke-TimeStomp $source_binary_filepath $target_saveas
192 | }
193 | 
194 | }
195 | 


--------------------------------------------------------------------------------
/readme.md:
--------------------------------------------------------------------------------
 1 | # META TWIN
 2 | 
 3 | ```
 4 | =================================================================
 5 |  ___ ___    ___ ______   ____      ______  __    __  ____  ____
 6 | |   |   |  /  _]      | /    |    |      ||  |__|  ||    ||    \
 7 | | _   _ | /  [_|      ||  o  |    |      ||  |  |  | |  | |  _  |
 8 | |  \_/  ||    _]_|  |_||     | -- |_|  |_||  |  |  | |  | |  |  |
 9 | |   |   ||   [_  |  |  |  _  | --   |  |  |        | |  | |  |  |
10 | |   |   ||     | |  |  |  |  |      |  |   \      /  |  | |  |  |
11 | |___|___||_____| |__|  |__|__|      |__|    \_/\_/  |____||__|__|
12 | =================================================================
13 | Author: @joevest
14 | =================================================================
15 | ```
16 | 
17 | The project is designed as a file resource cloner.  Metadata, including digital signature, is extracted from one file and injected into another.
18 | Note: Signatures are copied, but no longer valid.  
19 | 
20 | This project is based on a technique I've used for a few years.  This has been updated and modified to include copying digital signatures.
21 | 
22 | Thanks @subtee for the tweet that encouraged this project to be updated and published !!
23 | 
24 | A blog post on this topic can be found at [threatexpress.com](http://threatexpress.com/2017/10/metatwin-borrowing-microsoft-metadata-and-digital-signatures-to-hide-binaries/)
25 | 
26 | ## Resources
27 | 
28 |  - Casey Smith (@subtee) MS Signed binary in 3 Steps - https://twitter.com/subTee/status/912769644473098240
29 |  - Resource Hacker - http://www.angusj.com/resourcehacker/
30 |  - SigThief - https://github.com/secretsquirrel/SigThief  (Included as a pyinstaller compiled binary)
31 |  - 
32 | Note: SigThief and Resource Hacker may not detect valid metadata or digital signature.  This project may switch to a different tool set, but for now, be aware of potential limitations.
33 | 
34 | ## Install
35 |  
36 |  - Clone this project
37 |  - Download and unzip [Resource Hacker](http://www.angusj.com/resourcehacker/resource_hacker.zip) to .\src\resource_hacker\ResourceHacker.exe
38 |  - Enjoy...
39 | 
40 | ## Description
41 | 
42 | A version of this project has existed for several years to help a binary blend into a target environment by modifying it's metadata.  A binary's metadata can be replaced with the metadata of a source.  This includes values such as Product Name, Product Version, File Version, Copyright, etc.  In addition to standard metadata, sigthief is now used to copy a digital signature.  
43 | 
44 | ## Usage
45 | 
46 | ```
47 | SYNOPSIS
48 |     MetaTwin copies metadata and AuthentiCode signature from one file and injects into another.
49 | 
50 | SYNTAX
51 |     Invoke-MetaTwin [-Source] <Object> [-Target] <Object> [-Sign] 
52 | 
53 |     Source     Source binary containing metadata and signature
54 |     
55 |     Target     Target binary that will be updated
56 | 
57 |     Sign       Optional setting that will add the source's digital signature   
58 | 
59 | ```
60 | 
61 | ## Example
62 | 
63 | ```
64 | c:> powershell -ep bypass
65 | PS> Import-Module c:\tools\metatwin.ps1
66 | PS> cd c:\tools\metatwin\
67 | PS> Invoke-MetaTwin -Source c:\windows\system32\netcfgx.dll -Target .\beacon.exe -Sign
68 | ```
69 | 
70 | 


--------------------------------------------------------------------------------
/src/SigThief-master/LICENSE:
--------------------------------------------------------------------------------
 1 | BSD 3-Clause License
 2 | 
 3 | Copyright (c) 2017, Josh Pitts
 4 | All rights reserved.
 5 | 
 6 | Redistribution and use in source and binary forms, with or without
 7 | modification, are permitted provided that the following conditions are met:
 8 | 
 9 | * Redistributions of source code must retain the above copyright notice, this
10 |   list of conditions and the following disclaimer.
11 | 
12 | * Redistributions in binary form must reproduce the above copyright notice,
13 |   this list of conditions and the following disclaimer in the documentation
14 |   and/or other materials provided with the distribution.
15 | 
16 | * Neither the name of the copyright holder nor the names of its
17 |   contributors may be used to endorse or promote products derived from
18 |   this software without specific prior written permission.
19 | 
20 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
23 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
24 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
26 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
27 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
28 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
29 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30 | 


--------------------------------------------------------------------------------
/src/SigThief-master/README.md:
--------------------------------------------------------------------------------
 1 | # SigThief
 2 | Stealing Signatures and Making One Invalid Signature at a Time (Unless you read this:
 3 | https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf)
 4 | 
 5 | https://twitter.com/subTee/status/912769644473098240
 6 | ![alt text](https://i.imgur.com/T05kwwn.png "https://twitter.com/subTee/status/912769644473098240")
 7 | 
 8 | ## For security professionals only...
 9 | 
10 | ## What is this?
11 | 
12 | I've noticed during testing against Anti-Virus over the years that each is different and each prioritize PE signatures differently, whether the signature is valid or not. There are some Anti-Virus vendors that give priority to certain certificate authorities without checking that the signature is actually valid, and there are those that just check to see that the certTable is populated with some value. It's a mess.
13 | 
14 | So I'm releasing this tool to let you quickly do your testing and feel free to report it to vendors or not. 
15 | 
16 | In short it will rip a signature off a signed PE file and append it to another one, fixing up the certificate table to sign the file. 
17 | 
18 | Of course it's **not a valid signature** and that's the point!
19 | 
20 | I look forward to hearing about your results!
21 | 
22 | 
23 | ## How to use
24 | 
25 | ### Usage
26 | ```
27 | Usage: sigthief.py [options]
28 | 
29 | Options:
30 |   -h, --help            show this help message and exit
31 |   -i FILE, --file=FILE  file still signature from
32 |   -r, --rip             rip signature off inputfile
33 |   -a, --add             add signautre to targetfile
34 |   -o OUTPUTFILE, --output=OUTPUTFILE
35 |                         output file
36 |   -s SIGFILE, --sig=SIGFILE
37 |                         binary signature from disk
38 |   -t TARGETFILE, --target=TARGETFILE
39 |                         file to append signature too
40 |   -c, --checksig        file to check if signed; does not verify signature
41 |   -T, --truncate        truncate signature (i.e. remove sig)
42 | ```
43 | 
44 | ### Take a Signature from a binary and add it to another binary
45 | ```
46 | $ ./sigthief.py -i tcpview.exe -t x86_meterpreter_stager.exe -o /tmp/msftesting_tcpview.exe 
47 | Output file: /tmp/msftesting_tcpview.exe
48 | Signature appended. 
49 | FIN.
50 | ```
51 | 
52 | ### Save Signature to disk for use later
53 | ```
54 | $ ./sigthief.py -i tcpview.exe -r                                                        
55 | Ripping signature to file!
56 | Output file: tcpview.exe_sig
57 | Signature ripped. 
58 | FIN.
59 | 
60 | ```
61 | 
62 | ### Use the ripped signature
63 | ```
64 | $ ./sigthief.py -s tcpview.exe_sig -t x86_meterpreter_stager.exe                               
65 | Output file: x86_meterpreter_stager.exe_signed
66 | Signature appended. 
67 | FIN.
68 | 
69 | ```
70 | 
71 | ### Truncate (remove) signature
72 | This has really interesting results actually, can help you find AVs that value Signatures over functionality of code. Unsign putty.exe ;)
73 | 
74 | ```
75 | $ ./sigthief.py -i tcpview.exe -T    
76 | Inputfile is signed!
77 | Output file: tcpview.exe_nosig
78 | Overwriting certificate table pointer and truncating binary
79 | Signature removed. 
80 | FIN.
81 | ```
82 | 
83 | ### Check if there is a signature (does not check validity)
84 | ```
85 | $ ./sigthief.py -i tcpview.exe -c
86 | Inputfile is signed!
87 | ```
88 | 


--------------------------------------------------------------------------------
/src/SigThief-master/build/sigthief/out00-Analysis.toc:
--------------------------------------------------------------------------------
  1 | (['C:\\Users\\Sec504\\Desktop\\meta_twin\\src\\SigThief-master\\sigthief.py'],
  2 |  ['C:\\Users\\Sec504\\Desktop\\meta_twin\\src\\SigThief-master',
  3 |   'C:\\Users\\Sec504\\Desktop\\meta_twin\\src\\SigThief-master'],
  4 |  ['codecs'],
  5 |  [],
  6 |  [],
  7 |  [],
  8 |  False,
  9 |  False,
 10 |  '2.7.14 (v2.7.14:84471935ed, Sep 16 2017, 20:25:58) [MSC v.1500 64 bit (AMD64)]',
 11 |  [('sigthief',
 12 |    'C:\\Users\\Sec504\\Desktop\\meta_twin\\src\\SigThief-master\\sigthief.py',
 13 |    'PYSOURCE')],
 14 |  [('encodings.aliases',
 15 |    'c:\\python27\\lib\\encodings\\aliases.py',
 16 |    'PYMODULE'),
 17 |   ('encodings', 'c:\\python27\\lib\\encodings\\__init__.py', 'PYMODULE'),
 18 |   ('encodings.idna', 'c:\\python27\\lib\\encodings\\idna.py', 'PYMODULE'),
 19 |   ('re', 'c:\\python27\\lib\\re.py', 'PYMODULE'),
 20 |   ('sre_constants', 'c:\\python27\\lib\\sre_constants.py', 'PYMODULE'),
 21 |   ('sre', 'c:\\python27\\lib\\sre.py', 'PYMODULE'),
 22 |   ('warnings', 'c:\\python27\\lib\\warnings.py', 'PYMODULE'),
 23 |   ('types', 'c:\\python27\\lib\\types.py', 'PYMODULE'),
 24 |   ('linecache', 'c:\\python27\\lib\\linecache.py', 'PYMODULE'),
 25 |   ('os', 'c:\\python27\\lib\\os.py', 'PYMODULE'),
 26 |   ('subprocess', 'c:\\python27\\lib\\subprocess.py', 'PYMODULE'),
 27 |   ('pickle', 'c:\\python27\\lib\\pickle.py', 'PYMODULE'),
 28 |   ('doctest', 'c:\\python27\\lib\\doctest.py', 'PYMODULE'),
 29 |   ('collections', 'c:\\python27\\lib\\collections.py', 'PYMODULE'),
 30 |   ('dummy_thread', 'c:\\python27\\lib\\dummy_thread.py', 'PYMODULE'),
 31 |   ('heapq', 'c:\\python27\\lib\\heapq.py', 'PYMODULE'),
 32 |   ('keyword', 'c:\\python27\\lib\\keyword.py', 'PYMODULE'),
 33 |   ('_abcoll', 'c:\\python27\\lib\\_abcoll.py', 'PYMODULE'),
 34 |   ('abc', 'c:\\python27\\lib\\abc.py', 'PYMODULE'),
 35 |   ('_weakrefset', 'c:\\python27\\lib\\_weakrefset.py', 'PYMODULE'),
 36 |   ('tempfile', 'c:\\python27\\lib\\tempfile.py', 'PYMODULE'),
 37 |   ('random', 'c:\\python27\\lib\\random.py', 'PYMODULE'),
 38 |   ('_strptime', 'c:\\python27\\lib\\_strptime.py', 'PYMODULE'),
 39 |   ('calendar', 'c:\\python27\\lib\\calendar.py', 'PYMODULE'),
 40 |   ('locale', 'c:\\python27\\lib\\locale.py', 'PYMODULE'),
 41 |   ('functools', 'c:\\python27\\lib\\functools.py', 'PYMODULE'),
 42 |   ('hashlib', 'c:\\python27\\lib\\hashlib.py', 'PYMODULE'),
 43 |   ('logging', 'c:\\python27\\lib\\logging\\__init__.py', 'PYMODULE'),
 44 |   ('atexit', 'c:\\python27\\lib\\atexit.py', 'PYMODULE'),
 45 |   ('weakref', 'c:\\python27\\lib\\weakref.py', 'PYMODULE'),
 46 |   ('pdb', 'c:\\python27\\lib\\pdb.py', 'PYMODULE'),
 47 |   ('shlex', 'c:\\python27\\lib\\shlex.py', 'PYMODULE'),
 48 |   ('pprint', 'c:\\python27\\lib\\pprint.py', 'PYMODULE'),
 49 |   ('repr', 'c:\\python27\\lib\\repr.py', 'PYMODULE'),
 50 |   ('bdb', 'c:\\python27\\lib\\bdb.py', 'PYMODULE'),
 51 |   ('fnmatch', 'c:\\python27\\lib\\fnmatch.py', 'PYMODULE'),
 52 |   ('cmd', 'c:\\python27\\lib\\cmd.py', 'PYMODULE'),
 53 |   ('difflib', 'c:\\python27\\lib\\difflib.py', 'PYMODULE'),
 54 |   ('unittest', 'c:\\python27\\lib\\unittest\\__init__.py', 'PYMODULE'),
 55 |   ('unittest.signals', 'c:\\python27\\lib\\unittest\\signals.py', 'PYMODULE'),
 56 |   ('unittest.main', 'c:\\python27\\lib\\unittest\\main.py', 'PYMODULE'),
 57 |   ('getopt', 'c:\\python27\\lib\\getopt.py', 'PYMODULE'),
 58 |   ('unittest.runner', 'c:\\python27\\lib\\unittest\\runner.py', 'PYMODULE'),
 59 |   ('unittest.loader', 'c:\\python27\\lib\\unittest\\loader.py', 'PYMODULE'),
 60 |   ('unittest.suite', 'c:\\python27\\lib\\unittest\\suite.py', 'PYMODULE'),
 61 |   ('unittest.case', 'c:\\python27\\lib\\unittest\\case.py', 'PYMODULE'),
 62 |   ('unittest.result', 'c:\\python27\\lib\\unittest\\result.py', 'PYMODULE'),
 63 |   ('unittest.util', 'c:\\python27\\lib\\unittest\\util.py', 'PYMODULE'),
 64 |   ('inspect', 'c:\\python27\\lib\\inspect.py', 'PYMODULE'),
 65 |   ('tokenize', 'c:\\python27\\lib\\tokenize.py', 'PYMODULE'),
 66 |   ('token', 'c:\\python27\\lib\\token.py', 'PYMODULE'),
 67 |   ('dis', 'c:\\python27\\lib\\dis.py', 'PYMODULE'),
 68 |   ('opcode', 'c:\\python27\\lib\\opcode.py', 'PYMODULE'),
 69 |   ('__future__', 'c:\\python27\\lib\\__future__.py', 'PYMODULE'),
 70 |   ('StringIO', 'c:\\python27\\lib\\StringIO.py', 'PYMODULE'),
 71 |   ('threading', 'c:\\python27\\lib\\threading.py', 'PYMODULE'),
 72 |   ('_threading_local', 'c:\\python27\\lib\\_threading_local.py', 'PYMODULE'),
 73 |   ('traceback', 'c:\\python27\\lib\\traceback.py', 'PYMODULE'),
 74 |   ('UserDict', 'c:\\python27\\lib\\UserDict.py', 'PYMODULE'),
 75 |   ('os2emxpath', 'c:\\python27\\lib\\os2emxpath.py', 'PYMODULE'),
 76 |   ('genericpath', 'c:\\python27\\lib\\genericpath.py', 'PYMODULE'),
 77 |   ('stat', 'c:\\python27\\lib\\stat.py', 'PYMODULE'),
 78 |   ('ntpath', 'c:\\python27\\lib\\ntpath.py', 'PYMODULE'),
 79 |   ('posixpath', 'c:\\python27\\lib\\posixpath.py', 'PYMODULE'),
 80 |   ('string', 'c:\\python27\\lib\\string.py', 'PYMODULE'),
 81 |   ('copy', 'c:\\python27\\lib\\copy.py', 'PYMODULE'),
 82 |   ('copy_reg', 'c:\\python27\\lib\\copy_reg.py', 'PYMODULE'),
 83 |   ('sre_parse', 'c:\\python27\\lib\\sre_parse.py', 'PYMODULE'),
 84 |   ('sre_compile', 'c:\\python27\\lib\\sre_compile.py', 'PYMODULE'),
 85 |   ('stringprep', 'c:\\python27\\lib\\stringprep.py', 'PYMODULE'),
 86 |   ('encodings.mbcs', 'c:\\python27\\lib\\encodings\\mbcs.py', 'PYMODULE'),
 87 |   ('encodings.raw_unicode_escape',
 88 |    'c:\\python27\\lib\\encodings\\raw_unicode_escape.py',
 89 |    'PYMODULE'),
 90 |   ('encodings.gb18030',
 91 |    'c:\\python27\\lib\\encodings\\gb18030.py',
 92 |    'PYMODULE'),
 93 |   ('encodings.shift_jisx0213',
 94 |    'c:\\python27\\lib\\encodings\\shift_jisx0213.py',
 95 |    'PYMODULE'),
 96 |   ('encodings.ascii', 'c:\\python27\\lib\\encodings\\ascii.py', 'PYMODULE'),
 97 |   ('encodings.cp861', 'c:\\python27\\lib\\encodings\\cp861.py', 'PYMODULE'),
 98 |   ('encodings.cp860', 'c:\\python27\\lib\\encodings\\cp860.py', 'PYMODULE'),
 99 |   ('encodings.cp863', 'c:\\python27\\lib\\encodings\\cp863.py', 'PYMODULE'),
100 |   ('encodings.cp862', 'c:\\python27\\lib\\encodings\\cp862.py', 'PYMODULE'),
101 |   ('encodings.cp865', 'c:\\python27\\lib\\encodings\\cp865.py', 'PYMODULE'),
102 |   ('encodings.big5hkscs',
103 |    'c:\\python27\\lib\\encodings\\big5hkscs.py',
104 |    'PYMODULE'),
105 |   ('encodings.cp866', 'c:\\python27\\lib\\encodings\\cp866.py', 'PYMODULE'),
106 |   ('encodings.cp869', 'c:\\python27\\lib\\encodings\\cp869.py', 'PYMODULE'),
107 |   ('encodings.mac_latin2',
108 |    'c:\\python27\\lib\\encodings\\mac_latin2.py',
109 |    'PYMODULE'),
110 |   ('encodings.hex_codec',
111 |    'c:\\python27\\lib\\encodings\\hex_codec.py',
112 |    'PYMODULE'),
113 |   ('encodings.cp950', 'c:\\python27\\lib\\encodings\\cp950.py', 'PYMODULE'),
114 |   ('encodings.quopri_codec',
115 |    'c:\\python27\\lib\\encodings\\quopri_codec.py',
116 |    'PYMODULE'),
117 |   ('quopri', 'c:\\python27\\lib\\quopri.py', 'PYMODULE'),
118 |   ('encodings.utf_32_be',
119 |    'c:\\python27\\lib\\encodings\\utf_32_be.py',
120 |    'PYMODULE'),
121 |   ('encodings.string_escape',
122 |    'c:\\python27\\lib\\encodings\\string_escape.py',
123 |    'PYMODULE'),
124 |   ('encodings.cp1250', 'c:\\python27\\lib\\encodings\\cp1250.py', 'PYMODULE'),
125 |   ('encodings.cp1251', 'c:\\python27\\lib\\encodings\\cp1251.py', 'PYMODULE'),
126 |   ('encodings.cp1252', 'c:\\python27\\lib\\encodings\\cp1252.py', 'PYMODULE'),
127 |   ('encodings.cp1253', 'c:\\python27\\lib\\encodings\\cp1253.py', 'PYMODULE'),
128 |   ('encodings.cp1254', 'c:\\python27\\lib\\encodings\\cp1254.py', 'PYMODULE'),
129 |   ('encodings.cp1255', 'c:\\python27\\lib\\encodings\\cp1255.py', 'PYMODULE'),
130 |   ('encodings.cp1256', 'c:\\python27\\lib\\encodings\\cp1256.py', 'PYMODULE'),
131 |   ('encodings.cp1257', 'c:\\python27\\lib\\encodings\\cp1257.py', 'PYMODULE'),
132 |   ('encodings.cp1258', 'c:\\python27\\lib\\encodings\\cp1258.py', 'PYMODULE'),
133 |   ('encodings.euc_jp', 'c:\\python27\\lib\\encodings\\euc_jp.py', 'PYMODULE'),
134 |   ('encodings.hz', 'c:\\python27\\lib\\encodings\\hz.py', 'PYMODULE'),
135 |   ('encodings.mac_cyrillic',
136 |    'c:\\python27\\lib\\encodings\\mac_cyrillic.py',
137 |    'PYMODULE'),
138 |   ('encodings.iso2022_kr',
139 |    'c:\\python27\\lib\\encodings\\iso2022_kr.py',
140 |    'PYMODULE'),
141 |   ('encodings.unicode_internal',
142 |    'c:\\python27\\lib\\encodings\\unicode_internal.py',
143 |    'PYMODULE'),
144 |   ('encodings.cp500', 'c:\\python27\\lib\\encodings\\cp500.py', 'PYMODULE'),
145 |   ('encodings.iso8859_10',
146 |    'c:\\python27\\lib\\encodings\\iso8859_10.py',
147 |    'PYMODULE'),
148 |   ('encodings.iso8859_11',
149 |    'c:\\python27\\lib\\encodings\\iso8859_11.py',
150 |    'PYMODULE'),
151 |   ('encodings.iso8859_13',
152 |    'c:\\python27\\lib\\encodings\\iso8859_13.py',
153 |    'PYMODULE'),
154 |   ('encodings.iso8859_14',
155 |    'c:\\python27\\lib\\encodings\\iso8859_14.py',
156 |    'PYMODULE'),
157 |   ('encodings.cp424', 'c:\\python27\\lib\\encodings\\cp424.py', 'PYMODULE'),
158 |   ('encodings.iso8859_16',
159 |    'c:\\python27\\lib\\encodings\\iso8859_16.py',
160 |    'PYMODULE'),
161 |   ('encodings.cp1006', 'c:\\python27\\lib\\encodings\\cp1006.py', 'PYMODULE'),
162 |   ('encodings.hp_roman8',
163 |    'c:\\python27\\lib\\encodings\\hp_roman8.py',
164 |    'PYMODULE'),
165 |   ('encodings.charmap',
166 |    'c:\\python27\\lib\\encodings\\charmap.py',
167 |    'PYMODULE'),
168 |   ('encodings.utf_32', 'c:\\python27\\lib\\encodings\\utf_32.py', 'PYMODULE'),
169 |   ('encodings.latin_1',
170 |    'c:\\python27\\lib\\encodings\\latin_1.py',
171 |    'PYMODULE'),
172 |   ('encodings.utf_16_be',
173 |    'c:\\python27\\lib\\encodings\\utf_16_be.py',
174 |    'PYMODULE'),
175 |   ('encodings.cp737', 'c:\\python27\\lib\\encodings\\cp737.py', 'PYMODULE'),
176 |   ('encodings.utf_16', 'c:\\python27\\lib\\encodings\\utf_16.py', 'PYMODULE'),
177 |   ('encodings.cp437', 'c:\\python27\\lib\\encodings\\cp437.py', 'PYMODULE'),
178 |   ('encodings.mac_roman',
179 |    'c:\\python27\\lib\\encodings\\mac_roman.py',
180 |    'PYMODULE'),
181 |   ('encodings.mac_centeuro',
182 |    'c:\\python27\\lib\\encodings\\mac_centeuro.py',
183 |    'PYMODULE'),
184 |   ('encodings.mac_croatian',
185 |    'c:\\python27\\lib\\encodings\\mac_croatian.py',
186 |    'PYMODULE'),
187 |   ('encodings.punycode',
188 |    'c:\\python27\\lib\\encodings\\punycode.py',
189 |    'PYMODULE'),
190 |   ('encodings.unicode_escape',
191 |    'c:\\python27\\lib\\encodings\\unicode_escape.py',
192 |    'PYMODULE'),
193 |   ('encodings.bz2_codec',
194 |    'c:\\python27\\lib\\encodings\\bz2_codec.py',
195 |    'PYMODULE'),
196 |   ('encodings.rot_13', 'c:\\python27\\lib\\encodings\\rot_13.py', 'PYMODULE'),
197 |   ('encodings.cp874', 'c:\\python27\\lib\\encodings\\cp874.py', 'PYMODULE'),
198 |   ('encodings.cp875', 'c:\\python27\\lib\\encodings\\cp875.py', 'PYMODULE'),
199 |   ('encodings.cp720', 'c:\\python27\\lib\\encodings\\cp720.py', 'PYMODULE'),
200 |   ('encodings.tis_620',
201 |    'c:\\python27\\lib\\encodings\\tis_620.py',
202 |    'PYMODULE'),
203 |   ('encodings.zlib_codec',
204 |    'c:\\python27\\lib\\encodings\\zlib_codec.py',
205 |    'PYMODULE'),
206 |   ('encodings.iso2022_jp_2004',
207 |    'c:\\python27\\lib\\encodings\\iso2022_jp_2004.py',
208 |    'PYMODULE'),
209 |   ('encodings.euc_jisx0213',
210 |    'c:\\python27\\lib\\encodings\\euc_jisx0213.py',
211 |    'PYMODULE'),
212 |   ('encodings.ptcp154',
213 |    'c:\\python27\\lib\\encodings\\ptcp154.py',
214 |    'PYMODULE'),
215 |   ('encodings.uu_codec',
216 |    'c:\\python27\\lib\\encodings\\uu_codec.py',
217 |    'PYMODULE'),
218 |   ('encodings.utf_16_le',
219 |    'c:\\python27\\lib\\encodings\\utf_16_le.py',
220 |    'PYMODULE'),
221 |   ('encodings.iso2022_jp_2',
222 |    'c:\\python27\\lib\\encodings\\iso2022_jp_2.py',
223 |    'PYMODULE'),
224 |   ('encodings.iso2022_jp_3',
225 |    'c:\\python27\\lib\\encodings\\iso2022_jp_3.py',
226 |    'PYMODULE'),
227 |   ('encodings.iso2022_jp_1',
228 |    'c:\\python27\\lib\\encodings\\iso2022_jp_1.py',
229 |    'PYMODULE'),
230 |   ('encodings.mac_romanian',
231 |    'c:\\python27\\lib\\encodings\\mac_romanian.py',
232 |    'PYMODULE'),
233 |   ('encodings.cp1026', 'c:\\python27\\lib\\encodings\\cp1026.py', 'PYMODULE'),
234 |   ('encodings.mac_farsi',
235 |    'c:\\python27\\lib\\encodings\\mac_farsi.py',
236 |    'PYMODULE'),
237 |   ('encodings.undefined',
238 |    'c:\\python27\\lib\\encodings\\undefined.py',
239 |    'PYMODULE'),
240 |   ('encodings.mac_turkish',
241 |    'c:\\python27\\lib\\encodings\\mac_turkish.py',
242 |    'PYMODULE'),
243 |   ('encodings.koi8_u', 'c:\\python27\\lib\\encodings\\koi8_u.py', 'PYMODULE'),
244 |   ('encodings.koi8_r', 'c:\\python27\\lib\\encodings\\koi8_r.py', 'PYMODULE'),
245 |   ('encodings.utf_8_sig',
246 |    'c:\\python27\\lib\\encodings\\utf_8_sig.py',
247 |    'PYMODULE'),
248 |   ('encodings.iso2022_jp',
249 |    'c:\\python27\\lib\\encodings\\iso2022_jp.py',
250 |    'PYMODULE'),
251 |   ('encodings.palmos', 'c:\\python27\\lib\\encodings\\palmos.py', 'PYMODULE'),
252 |   ('encodings.mac_greek',
253 |    'c:\\python27\\lib\\encodings\\mac_greek.py',
254 |    'PYMODULE'),
255 |   ('encodings.shift_jis_2004',
256 |    'c:\\python27\\lib\\encodings\\shift_jis_2004.py',
257 |    'PYMODULE'),
258 |   ('encodings.gbk', 'c:\\python27\\lib\\encodings\\gbk.py', 'PYMODULE'),
259 |   ('encodings.mac_iceland',
260 |    'c:\\python27\\lib\\encodings\\mac_iceland.py',
261 |    'PYMODULE'),
262 |   ('encodings.cp858', 'c:\\python27\\lib\\encodings\\cp858.py', 'PYMODULE'),
263 |   ('encodings.cp850', 'c:\\python27\\lib\\encodings\\cp850.py', 'PYMODULE'),
264 |   ('encodings.cp852', 'c:\\python27\\lib\\encodings\\cp852.py', 'PYMODULE'),
265 |   ('encodings.cp855', 'c:\\python27\\lib\\encodings\\cp855.py', 'PYMODULE'),
266 |   ('encodings.cp856', 'c:\\python27\\lib\\encodings\\cp856.py', 'PYMODULE'),
267 |   ('encodings.cp857', 'c:\\python27\\lib\\encodings\\cp857.py', 'PYMODULE'),
268 |   ('encodings.iso8859_4',
269 |    'c:\\python27\\lib\\encodings\\iso8859_4.py',
270 |    'PYMODULE'),
271 |   ('encodings.iso8859_5',
272 |    'c:\\python27\\lib\\encodings\\iso8859_5.py',
273 |    'PYMODULE'),
274 |   ('encodings.iso8859_6',
275 |    'c:\\python27\\lib\\encodings\\iso8859_6.py',
276 |    'PYMODULE'),
277 |   ('encodings.iso8859_7',
278 |    'c:\\python27\\lib\\encodings\\iso8859_7.py',
279 |    'PYMODULE'),
280 |   ('encodings.iso8859_1',
281 |    'c:\\python27\\lib\\encodings\\iso8859_1.py',
282 |    'PYMODULE'),
283 |   ('encodings.iso8859_2',
284 |    'c:\\python27\\lib\\encodings\\iso8859_2.py',
285 |    'PYMODULE'),
286 |   ('encodings.iso8859_3',
287 |    'c:\\python27\\lib\\encodings\\iso8859_3.py',
288 |    'PYMODULE'),
289 |   ('encodings.gb2312', 'c:\\python27\\lib\\encodings\\gb2312.py', 'PYMODULE'),
290 |   ('encodings.iso8859_8',
291 |    'c:\\python27\\lib\\encodings\\iso8859_8.py',
292 |    'PYMODULE'),
293 |   ('encodings.iso8859_9',
294 |    'c:\\python27\\lib\\encodings\\iso8859_9.py',
295 |    'PYMODULE'),
296 |   ('encodings.cp949', 'c:\\python27\\lib\\encodings\\cp949.py', 'PYMODULE'),
297 |   ('encodings.cp864', 'c:\\python27\\lib\\encodings\\cp864.py', 'PYMODULE'),
298 |   ('encodings.base64_codec',
299 |    'c:\\python27\\lib\\encodings\\base64_codec.py',
300 |    'PYMODULE'),
301 |   ('base64', 'c:\\python27\\lib\\base64.py', 'PYMODULE'),
302 |   ('encodings.cp037', 'c:\\python27\\lib\\encodings\\cp037.py', 'PYMODULE'),
303 |   ('encodings.utf_8', 'c:\\python27\\lib\\encodings\\utf_8.py', 'PYMODULE'),
304 |   ('encodings.mac_arabic',
305 |    'c:\\python27\\lib\\encodings\\mac_arabic.py',
306 |    'PYMODULE'),
307 |   ('encodings.euc_kr', 'c:\\python27\\lib\\encodings\\euc_kr.py', 'PYMODULE'),
308 |   ('encodings.utf_7', 'c:\\python27\\lib\\encodings\\utf_7.py', 'PYMODULE'),
309 |   ('encodings.shift_jis',
310 |    'c:\\python27\\lib\\encodings\\shift_jis.py',
311 |    'PYMODULE'),
312 |   ('encodings.utf_32_le',
313 |    'c:\\python27\\lib\\encodings\\utf_32_le.py',
314 |    'PYMODULE'),
315 |   ('encodings.euc_jis_2004',
316 |    'c:\\python27\\lib\\encodings\\euc_jis_2004.py',
317 |    'PYMODULE'),
318 |   ('encodings.cp775', 'c:\\python27\\lib\\encodings\\cp775.py', 'PYMODULE'),
319 |   ('encodings.cp1140', 'c:\\python27\\lib\\encodings\\cp1140.py', 'PYMODULE'),
320 |   ('encodings.big5', 'c:\\python27\\lib\\encodings\\big5.py', 'PYMODULE'),
321 |   ('encodings.iso8859_15',
322 |    'c:\\python27\\lib\\encodings\\iso8859_15.py',
323 |    'PYMODULE'),
324 |   ('encodings.iso2022_jp_ext',
325 |    'c:\\python27\\lib\\encodings\\iso2022_jp_ext.py',
326 |    'PYMODULE'),
327 |   ('encodings.johab', 'c:\\python27\\lib\\encodings\\johab.py', 'PYMODULE'),
328 |   ('encodings.cp932', 'c:\\python27\\lib\\encodings\\cp932.py', 'PYMODULE'),
329 |   ('codecs', 'c:\\python27\\lib\\codecs.py', 'PYMODULE'),
330 |   ('optparse', 'c:\\python27\\lib\\optparse.py', 'PYMODULE'),
331 |   ('gettext', 'c:\\python27\\lib\\gettext.py', 'PYMODULE'),
332 |   ('textwrap', 'c:\\python27\\lib\\textwrap.py', 'PYMODULE'),
333 |   ('io', 'c:\\python27\\lib\\io.py', 'PYMODULE'),
334 |   ('shutil', 'c:\\python27\\lib\\shutil.py', 'PYMODULE'),
335 |   ('zipfile', 'c:\\python27\\lib\\zipfile.py', 'PYMODULE'),
336 |   ('py_compile', 'c:\\python27\\lib\\py_compile.py', 'PYMODULE'),
337 |   ('distutils.spawn', 'c:\\python27\\lib\\distutils\\spawn.py', 'PYMODULE'),
338 |   ('distutils.sysconfig',
339 |    'c:\\python27\\lib\\distutils\\sysconfig.py',
340 |    'PYMODULE'),
341 |   ('distutils.text_file',
342 |    'c:\\python27\\lib\\distutils\\text_file.py',
343 |    'PYMODULE'),
344 |   ('_osx_support', 'c:\\python27\\lib\\_osx_support.py', 'PYMODULE'),
345 |   ('contextlib', 'c:\\python27\\lib\\contextlib.py', 'PYMODULE'),
346 |   ('distutils.log', 'c:\\python27\\lib\\distutils\\log.py', 'PYMODULE'),
347 |   ('distutils', 'c:\\python27\\lib\\distutils\\__init__.py', 'PYMODULE'),
348 |   ('distutils.debug', 'c:\\python27\\lib\\distutils\\debug.py', 'PYMODULE'),
349 |   ('distutils.errors', 'c:\\python27\\lib\\distutils\\errors.py', 'PYMODULE'),
350 |   ('tarfile', 'c:\\python27\\lib\\tarfile.py', 'PYMODULE'),
351 |   ('gzip', 'c:\\python27\\lib\\gzip.py', 'PYMODULE'),
352 |   ('struct', 'c:\\python27\\lib\\struct.py', 'PYMODULE')],
353 |  [(u'Microsoft.VC90.CRT.manifest',
354 |    u'C:\\Windows\\WinSxS\\Manifests\\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9247_none_08e394a1a83e212f.manifest',
355 |    'BINARY'),
356 |   (u'msvcr90.dll',
357 |    u'C:\\Windows\\WinSxS\\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9247_none_08e394a1a83e212f\\msvcr90.dll',
358 |    'BINARY'),
359 |   (u'msvcp90.dll',
360 |    u'C:\\Windows\\WinSxS\\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9247_none_08e394a1a83e212f\\msvcp90.dll',
361 |    'BINARY'),
362 |   (u'msvcm90.dll',
363 |    u'C:\\Windows\\WinSxS\\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9247_none_08e394a1a83e212f\\msvcm90.dll',
364 |    'BINARY'),
365 |   ('python27.dll', 'C:\\Windows\\system32\\python27.dll', 'BINARY'),
366 |   ('unicodedata', 'c:\\python27\\DLLs\\unicodedata.pyd', 'EXTENSION'),
367 |   ('_hashlib', 'c:\\python27\\DLLs\\_hashlib.pyd', 'EXTENSION'),
368 |   ('select', 'c:\\python27\\DLLs\\select.pyd', 'EXTENSION'),
369 |   ('bz2', 'c:\\python27\\DLLs\\bz2.pyd', 'EXTENSION')],
370 |  [],
371 |  [],
372 |  [('Include\\pyconfig.h', 'c:\\python27\\Include\\pyconfig.h', 'DATA')],
373 |  [BindingRedirect(name=u'Microsoft.VC90.CRT', language=None, arch=u'amd64', oldVersion=(9, 0, 21022, 8), newVersion=(9, 0, 30729, 9247), publicKeyToken=u'1fc8b3b9a1e18e3b')])
374 | 


--------------------------------------------------------------------------------
/src/SigThief-master/build/sigthief/out00-EXE.toc:
--------------------------------------------------------------------------------
 1 | ('C:\\Users\\Sec504\\Desktop\\meta_twin\\src\\SigThief-master\\dist\\sigthief.exe',
 2 |  True,
 3 |  False,
 4 |  False,
 5 |  None,
 6 |  None,
 7 |  False,
 8 |  False,
 9 |  u'<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1"><assemblyIdentity name="sigthief" processorArchitecture="amd64" type="win32" version="1.0.0.0"/><dependency><dependentAssembly><assemblyIdentity name="Microsoft.VC90.CRT" processorArchitecture="amd64" publicKeyToken="1fc8b3b9a1e18e3b" type="win32" version="9.0.21022.8"/><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"/></dependentAssembly></dependency><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/></application></compatibility></assembly>',
10 |  True,
11 |  'sigthief.pkg',
12 |  [('out00-PYZ.pyz',
13 |    'C:\\Users\\Sec504\\Desktop\\meta_twin\\src\\SigThief-master\\build\\sigthief\\out00-PYZ.pyz',
14 |    'PYZ'),
15 |   ('struct', 'c:\\python27\\lib\\struct.pyc', 'PYMODULE'),
16 |   ('pyimod01_os_path',
17 |    'c:\\python27\\lib\\site-packages\\PyInstaller\\loader\\pyimod01_os_path.pyc',
18 |    'PYMODULE'),
19 |   ('pyimod02_archive',
20 |    'c:\\python27\\lib\\site-packages\\PyInstaller\\loader\\pyimod02_archive.pyc',
21 |    'PYMODULE'),
22 |   ('pyimod03_importers',
23 |    'c:\\python27\\lib\\site-packages\\PyInstaller\\loader\\pyimod03_importers.pyc',
24 |    'PYMODULE'),
25 |   ('pyiboot01_bootstrap',
26 |    'c:\\python27\\lib\\site-packages\\PyInstaller\\loader\\pyiboot01_bootstrap.py',
27 |    'PYSOURCE'),
28 |   ('sigthief',
29 |    'C:\\Users\\Sec504\\Desktop\\meta_twin\\src\\SigThief-master\\sigthief.py',
30 |    'PYSOURCE'),
31 |   (u'Microsoft.VC90.CRT.manifest',
32 |    u'C:\\Windows\\WinSxS\\Manifests\\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9247_none_08e394a1a83e212f.manifest',
33 |    'BINARY'),
34 |   (u'msvcr90.dll',
35 |    u'C:\\Windows\\WinSxS\\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9247_none_08e394a1a83e212f\\msvcr90.dll',
36 |    'BINARY'),
37 |   (u'msvcp90.dll',
38 |    u'C:\\Windows\\WinSxS\\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9247_none_08e394a1a83e212f\\msvcp90.dll',
39 |    'BINARY'),
40 |   (u'msvcm90.dll',
41 |    u'C:\\Windows\\WinSxS\\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9247_none_08e394a1a83e212f\\msvcm90.dll',
42 |    'BINARY'),
43 |   ('python27.dll', 'C:\\Windows\\system32\\python27.dll', 'BINARY'),
44 |   ('unicodedata', 'c:\\python27\\DLLs\\unicodedata.pyd', 'EXTENSION'),
45 |   ('_hashlib', 'c:\\python27\\DLLs\\_hashlib.pyd', 'EXTENSION'),
46 |   ('select', 'c:\\python27\\DLLs\\select.pyd', 'EXTENSION'),
47 |   ('bz2', 'c:\\python27\\DLLs\\bz2.pyd', 'EXTENSION'),
48 |   ('Include\\pyconfig.h', 'c:\\python27\\Include\\pyconfig.h', 'DATA'),
49 |   ('sigthief.exe.manifest',
50 |    'C:\\Users\\Sec504\\Desktop\\meta_twin\\src\\SigThief-master\\build\\sigthief\\sigthief.exe.manifest',
51 |    'BINARY'),
52 |   ('pyi-windows-manifest-filename sigthief.exe.manifest', '', 'OPTION')],
53 |  [],
54 |  False,
55 |  False,
56 |  1506704925L,
57 |  [('run.exe',
58 |    'c:\\python27\\lib\\site-packages\\PyInstaller\\bootloader\\Windows-64bit\\run.exe',
59 |    'EXECUTABLE')])
60 | 


--------------------------------------------------------------------------------
/src/SigThief-master/build/sigthief/out00-PKG.pkg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/threatexpress/metatwin/6d89f53b01aa3ba5814ff4460dec1c4725303a9b/src/SigThief-master/build/sigthief/out00-PKG.pkg


--------------------------------------------------------------------------------
/src/SigThief-master/build/sigthief/out00-PKG.toc:
--------------------------------------------------------------------------------
 1 | ('C:\\Users\\Sec504\\Desktop\\meta_twin\\src\\SigThief-master\\build\\sigthief\\out00-PKG.pkg',
 2 |  {'BINARY': 1,
 3 |   'DATA': 1,
 4 |   'EXECUTABLE': 1,
 5 |   'EXTENSION': 1,
 6 |   'PYMODULE': 1,
 7 |   'PYSOURCE': 1,
 8 |   'PYZ': 0},
 9 |  [('out00-PYZ.pyz',
10 |    'C:\\Users\\Sec504\\Desktop\\meta_twin\\src\\SigThief-master\\build\\sigthief\\out00-PYZ.pyz',
11 |    'PYZ'),
12 |   ('struct', 'c:\\python27\\lib\\struct.pyc', 'PYMODULE'),
13 |   ('pyimod01_os_path',
14 |    'c:\\python27\\lib\\site-packages\\PyInstaller\\loader\\pyimod01_os_path.pyc',
15 |    'PYMODULE'),
16 |   ('pyimod02_archive',
17 |    'c:\\python27\\lib\\site-packages\\PyInstaller\\loader\\pyimod02_archive.pyc',
18 |    'PYMODULE'),
19 |   ('pyimod03_importers',
20 |    'c:\\python27\\lib\\site-packages\\PyInstaller\\loader\\pyimod03_importers.pyc',
21 |    'PYMODULE'),
22 |   ('pyiboot01_bootstrap',
23 |    'c:\\python27\\lib\\site-packages\\PyInstaller\\loader\\pyiboot01_bootstrap.py',
24 |    'PYSOURCE'),
25 |   ('sigthief',
26 |    'C:\\Users\\Sec504\\Desktop\\meta_twin\\src\\SigThief-master\\sigthief.py',
27 |    'PYSOURCE'),
28 |   (u'Microsoft.VC90.CRT.manifest',
29 |    u'C:\\Windows\\WinSxS\\Manifests\\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9247_none_08e394a1a83e212f.manifest',
30 |    'BINARY'),
31 |   (u'msvcr90.dll',
32 |    u'C:\\Windows\\WinSxS\\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9247_none_08e394a1a83e212f\\msvcr90.dll',
33 |    'BINARY'),
34 |   (u'msvcp90.dll',
35 |    u'C:\\Windows\\WinSxS\\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9247_none_08e394a1a83e212f\\msvcp90.dll',
36 |    'BINARY'),
37 |   (u'msvcm90.dll',
38 |    u'C:\\Windows\\WinSxS\\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9247_none_08e394a1a83e212f\\msvcm90.dll',
39 |    'BINARY'),
40 |   ('python27.dll', 'C:\\Windows\\system32\\python27.dll', 'BINARY'),
41 |   ('unicodedata', 'c:\\python27\\DLLs\\unicodedata.pyd', 'EXTENSION'),
42 |   ('_hashlib', 'c:\\python27\\DLLs\\_hashlib.pyd', 'EXTENSION'),
43 |   ('select', 'c:\\python27\\DLLs\\select.pyd', 'EXTENSION'),
44 |   ('bz2', 'c:\\python27\\DLLs\\bz2.pyd', 'EXTENSION'),
45 |   ('Include\\pyconfig.h', 'c:\\python27\\Include\\pyconfig.h', 'DATA'),
46 |   ('sigthief.exe.manifest',
47 |    'C:\\Users\\Sec504\\Desktop\\meta_twin\\src\\SigThief-master\\build\\sigthief\\sigthief.exe.manifest',
48 |    'BINARY'),
49 |   ('pyi-windows-manifest-filename sigthief.exe.manifest', '', 'OPTION')],
50 |  False,
51 |  False,
52 |  False)
53 | 


--------------------------------------------------------------------------------
/src/SigThief-master/build/sigthief/out00-PYZ.pyz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/threatexpress/metatwin/6d89f53b01aa3ba5814ff4460dec1c4725303a9b/src/SigThief-master/build/sigthief/out00-PYZ.pyz


--------------------------------------------------------------------------------
/src/SigThief-master/build/sigthief/out00-PYZ.toc:
--------------------------------------------------------------------------------
  1 | ('C:\\Users\\Sec504\\Desktop\\meta_twin\\src\\SigThief-master\\build\\sigthief\\out00-PYZ.pyz',
  2 |  [('encodings.aliases',
  3 |    'c:\\python27\\lib\\encodings\\aliases.py',
  4 |    'PYMODULE'),
  5 |   ('encodings', 'c:\\python27\\lib\\encodings\\__init__.py', 'PYMODULE'),
  6 |   ('encodings.idna', 'c:\\python27\\lib\\encodings\\idna.py', 'PYMODULE'),
  7 |   ('re', 'c:\\python27\\lib\\re.py', 'PYMODULE'),
  8 |   ('sre_constants', 'c:\\python27\\lib\\sre_constants.py', 'PYMODULE'),
  9 |   ('sre', 'c:\\python27\\lib\\sre.py', 'PYMODULE'),
 10 |   ('warnings', 'c:\\python27\\lib\\warnings.py', 'PYMODULE'),
 11 |   ('types', 'c:\\python27\\lib\\types.py', 'PYMODULE'),
 12 |   ('linecache', 'c:\\python27\\lib\\linecache.py', 'PYMODULE'),
 13 |   ('os', 'c:\\python27\\lib\\os.py', 'PYMODULE'),
 14 |   ('subprocess', 'c:\\python27\\lib\\subprocess.py', 'PYMODULE'),
 15 |   ('pickle', 'c:\\python27\\lib\\pickle.py', 'PYMODULE'),
 16 |   ('doctest', 'c:\\python27\\lib\\doctest.py', 'PYMODULE'),
 17 |   ('collections', 'c:\\python27\\lib\\collections.py', 'PYMODULE'),
 18 |   ('dummy_thread', 'c:\\python27\\lib\\dummy_thread.py', 'PYMODULE'),
 19 |   ('heapq', 'c:\\python27\\lib\\heapq.py', 'PYMODULE'),
 20 |   ('keyword', 'c:\\python27\\lib\\keyword.py', 'PYMODULE'),
 21 |   ('_abcoll', 'c:\\python27\\lib\\_abcoll.py', 'PYMODULE'),
 22 |   ('abc', 'c:\\python27\\lib\\abc.py', 'PYMODULE'),
 23 |   ('_weakrefset', 'c:\\python27\\lib\\_weakrefset.py', 'PYMODULE'),
 24 |   ('tempfile', 'c:\\python27\\lib\\tempfile.py', 'PYMODULE'),
 25 |   ('random', 'c:\\python27\\lib\\random.py', 'PYMODULE'),
 26 |   ('_strptime', 'c:\\python27\\lib\\_strptime.py', 'PYMODULE'),
 27 |   ('calendar', 'c:\\python27\\lib\\calendar.py', 'PYMODULE'),
 28 |   ('locale', 'c:\\python27\\lib\\locale.py', 'PYMODULE'),
 29 |   ('functools', 'c:\\python27\\lib\\functools.py', 'PYMODULE'),
 30 |   ('hashlib', 'c:\\python27\\lib\\hashlib.py', 'PYMODULE'),
 31 |   ('logging', 'c:\\python27\\lib\\logging\\__init__.py', 'PYMODULE'),
 32 |   ('atexit', 'c:\\python27\\lib\\atexit.py', 'PYMODULE'),
 33 |   ('weakref', 'c:\\python27\\lib\\weakref.py', 'PYMODULE'),
 34 |   ('pdb', 'c:\\python27\\lib\\pdb.py', 'PYMODULE'),
 35 |   ('shlex', 'c:\\python27\\lib\\shlex.py', 'PYMODULE'),
 36 |   ('pprint', 'c:\\python27\\lib\\pprint.py', 'PYMODULE'),
 37 |   ('repr', 'c:\\python27\\lib\\repr.py', 'PYMODULE'),
 38 |   ('bdb', 'c:\\python27\\lib\\bdb.py', 'PYMODULE'),
 39 |   ('fnmatch', 'c:\\python27\\lib\\fnmatch.py', 'PYMODULE'),
 40 |   ('cmd', 'c:\\python27\\lib\\cmd.py', 'PYMODULE'),
 41 |   ('difflib', 'c:\\python27\\lib\\difflib.py', 'PYMODULE'),
 42 |   ('unittest', 'c:\\python27\\lib\\unittest\\__init__.py', 'PYMODULE'),
 43 |   ('unittest.signals', 'c:\\python27\\lib\\unittest\\signals.py', 'PYMODULE'),
 44 |   ('unittest.main', 'c:\\python27\\lib\\unittest\\main.py', 'PYMODULE'),
 45 |   ('getopt', 'c:\\python27\\lib\\getopt.py', 'PYMODULE'),
 46 |   ('unittest.runner', 'c:\\python27\\lib\\unittest\\runner.py', 'PYMODULE'),
 47 |   ('unittest.loader', 'c:\\python27\\lib\\unittest\\loader.py', 'PYMODULE'),
 48 |   ('unittest.suite', 'c:\\python27\\lib\\unittest\\suite.py', 'PYMODULE'),
 49 |   ('unittest.case', 'c:\\python27\\lib\\unittest\\case.py', 'PYMODULE'),
 50 |   ('unittest.result', 'c:\\python27\\lib\\unittest\\result.py', 'PYMODULE'),
 51 |   ('unittest.util', 'c:\\python27\\lib\\unittest\\util.py', 'PYMODULE'),
 52 |   ('inspect', 'c:\\python27\\lib\\inspect.py', 'PYMODULE'),
 53 |   ('tokenize', 'c:\\python27\\lib\\tokenize.py', 'PYMODULE'),
 54 |   ('token', 'c:\\python27\\lib\\token.py', 'PYMODULE'),
 55 |   ('dis', 'c:\\python27\\lib\\dis.py', 'PYMODULE'),
 56 |   ('opcode', 'c:\\python27\\lib\\opcode.py', 'PYMODULE'),
 57 |   ('__future__', 'c:\\python27\\lib\\__future__.py', 'PYMODULE'),
 58 |   ('StringIO', 'c:\\python27\\lib\\StringIO.py', 'PYMODULE'),
 59 |   ('threading', 'c:\\python27\\lib\\threading.py', 'PYMODULE'),
 60 |   ('_threading_local', 'c:\\python27\\lib\\_threading_local.py', 'PYMODULE'),
 61 |   ('traceback', 'c:\\python27\\lib\\traceback.py', 'PYMODULE'),
 62 |   ('UserDict', 'c:\\python27\\lib\\UserDict.py', 'PYMODULE'),
 63 |   ('os2emxpath', 'c:\\python27\\lib\\os2emxpath.py', 'PYMODULE'),
 64 |   ('genericpath', 'c:\\python27\\lib\\genericpath.py', 'PYMODULE'),
 65 |   ('stat', 'c:\\python27\\lib\\stat.py', 'PYMODULE'),
 66 |   ('ntpath', 'c:\\python27\\lib\\ntpath.py', 'PYMODULE'),
 67 |   ('posixpath', 'c:\\python27\\lib\\posixpath.py', 'PYMODULE'),
 68 |   ('string', 'c:\\python27\\lib\\string.py', 'PYMODULE'),
 69 |   ('copy', 'c:\\python27\\lib\\copy.py', 'PYMODULE'),
 70 |   ('copy_reg', 'c:\\python27\\lib\\copy_reg.py', 'PYMODULE'),
 71 |   ('sre_parse', 'c:\\python27\\lib\\sre_parse.py', 'PYMODULE'),
 72 |   ('sre_compile', 'c:\\python27\\lib\\sre_compile.py', 'PYMODULE'),
 73 |   ('stringprep', 'c:\\python27\\lib\\stringprep.py', 'PYMODULE'),
 74 |   ('encodings.mbcs', 'c:\\python27\\lib\\encodings\\mbcs.py', 'PYMODULE'),
 75 |   ('encodings.raw_unicode_escape',
 76 |    'c:\\python27\\lib\\encodings\\raw_unicode_escape.py',
 77 |    'PYMODULE'),
 78 |   ('encodings.gb18030',
 79 |    'c:\\python27\\lib\\encodings\\gb18030.py',
 80 |    'PYMODULE'),
 81 |   ('encodings.shift_jisx0213',
 82 |    'c:\\python27\\lib\\encodings\\shift_jisx0213.py',
 83 |    'PYMODULE'),
 84 |   ('encodings.ascii', 'c:\\python27\\lib\\encodings\\ascii.py', 'PYMODULE'),
 85 |   ('encodings.cp861', 'c:\\python27\\lib\\encodings\\cp861.py', 'PYMODULE'),
 86 |   ('encodings.cp860', 'c:\\python27\\lib\\encodings\\cp860.py', 'PYMODULE'),
 87 |   ('encodings.cp863', 'c:\\python27\\lib\\encodings\\cp863.py', 'PYMODULE'),
 88 |   ('encodings.cp862', 'c:\\python27\\lib\\encodings\\cp862.py', 'PYMODULE'),
 89 |   ('encodings.cp865', 'c:\\python27\\lib\\encodings\\cp865.py', 'PYMODULE'),
 90 |   ('encodings.big5hkscs',
 91 |    'c:\\python27\\lib\\encodings\\big5hkscs.py',
 92 |    'PYMODULE'),
 93 |   ('encodings.cp866', 'c:\\python27\\lib\\encodings\\cp866.py', 'PYMODULE'),
 94 |   ('encodings.cp869', 'c:\\python27\\lib\\encodings\\cp869.py', 'PYMODULE'),
 95 |   ('encodings.mac_latin2',
 96 |    'c:\\python27\\lib\\encodings\\mac_latin2.py',
 97 |    'PYMODULE'),
 98 |   ('encodings.hex_codec',
 99 |    'c:\\python27\\lib\\encodings\\hex_codec.py',
100 |    'PYMODULE'),
101 |   ('encodings.cp950', 'c:\\python27\\lib\\encodings\\cp950.py', 'PYMODULE'),
102 |   ('encodings.quopri_codec',
103 |    'c:\\python27\\lib\\encodings\\quopri_codec.py',
104 |    'PYMODULE'),
105 |   ('quopri', 'c:\\python27\\lib\\quopri.py', 'PYMODULE'),
106 |   ('encodings.utf_32_be',
107 |    'c:\\python27\\lib\\encodings\\utf_32_be.py',
108 |    'PYMODULE'),
109 |   ('encodings.string_escape',
110 |    'c:\\python27\\lib\\encodings\\string_escape.py',
111 |    'PYMODULE'),
112 |   ('encodings.cp1250', 'c:\\python27\\lib\\encodings\\cp1250.py', 'PYMODULE'),
113 |   ('encodings.cp1251', 'c:\\python27\\lib\\encodings\\cp1251.py', 'PYMODULE'),
114 |   ('encodings.cp1252', 'c:\\python27\\lib\\encodings\\cp1252.py', 'PYMODULE'),
115 |   ('encodings.cp1253', 'c:\\python27\\lib\\encodings\\cp1253.py', 'PYMODULE'),
116 |   ('encodings.cp1254', 'c:\\python27\\lib\\encodings\\cp1254.py', 'PYMODULE'),
117 |   ('encodings.cp1255', 'c:\\python27\\lib\\encodings\\cp1255.py', 'PYMODULE'),
118 |   ('encodings.cp1256', 'c:\\python27\\lib\\encodings\\cp1256.py', 'PYMODULE'),
119 |   ('encodings.cp1257', 'c:\\python27\\lib\\encodings\\cp1257.py', 'PYMODULE'),
120 |   ('encodings.cp1258', 'c:\\python27\\lib\\encodings\\cp1258.py', 'PYMODULE'),
121 |   ('encodings.euc_jp', 'c:\\python27\\lib\\encodings\\euc_jp.py', 'PYMODULE'),
122 |   ('encodings.hz', 'c:\\python27\\lib\\encodings\\hz.py', 'PYMODULE'),
123 |   ('encodings.mac_cyrillic',
124 |    'c:\\python27\\lib\\encodings\\mac_cyrillic.py',
125 |    'PYMODULE'),
126 |   ('encodings.iso2022_kr',
127 |    'c:\\python27\\lib\\encodings\\iso2022_kr.py',
128 |    'PYMODULE'),
129 |   ('encodings.unicode_internal',
130 |    'c:\\python27\\lib\\encodings\\unicode_internal.py',
131 |    'PYMODULE'),
132 |   ('encodings.cp500', 'c:\\python27\\lib\\encodings\\cp500.py', 'PYMODULE'),
133 |   ('encodings.iso8859_10',
134 |    'c:\\python27\\lib\\encodings\\iso8859_10.py',
135 |    'PYMODULE'),
136 |   ('encodings.iso8859_11',
137 |    'c:\\python27\\lib\\encodings\\iso8859_11.py',
138 |    'PYMODULE'),
139 |   ('encodings.iso8859_13',
140 |    'c:\\python27\\lib\\encodings\\iso8859_13.py',
141 |    'PYMODULE'),
142 |   ('encodings.iso8859_14',
143 |    'c:\\python27\\lib\\encodings\\iso8859_14.py',
144 |    'PYMODULE'),
145 |   ('encodings.cp424', 'c:\\python27\\lib\\encodings\\cp424.py', 'PYMODULE'),
146 |   ('encodings.iso8859_16',
147 |    'c:\\python27\\lib\\encodings\\iso8859_16.py',
148 |    'PYMODULE'),
149 |   ('encodings.cp1006', 'c:\\python27\\lib\\encodings\\cp1006.py', 'PYMODULE'),
150 |   ('encodings.hp_roman8',
151 |    'c:\\python27\\lib\\encodings\\hp_roman8.py',
152 |    'PYMODULE'),
153 |   ('encodings.charmap',
154 |    'c:\\python27\\lib\\encodings\\charmap.py',
155 |    'PYMODULE'),
156 |   ('encodings.utf_32', 'c:\\python27\\lib\\encodings\\utf_32.py', 'PYMODULE'),
157 |   ('encodings.latin_1',
158 |    'c:\\python27\\lib\\encodings\\latin_1.py',
159 |    'PYMODULE'),
160 |   ('encodings.utf_16_be',
161 |    'c:\\python27\\lib\\encodings\\utf_16_be.py',
162 |    'PYMODULE'),
163 |   ('encodings.cp737', 'c:\\python27\\lib\\encodings\\cp737.py', 'PYMODULE'),
164 |   ('encodings.utf_16', 'c:\\python27\\lib\\encodings\\utf_16.py', 'PYMODULE'),
165 |   ('encodings.cp437', 'c:\\python27\\lib\\encodings\\cp437.py', 'PYMODULE'),
166 |   ('encodings.mac_roman',
167 |    'c:\\python27\\lib\\encodings\\mac_roman.py',
168 |    'PYMODULE'),
169 |   ('encodings.mac_centeuro',
170 |    'c:\\python27\\lib\\encodings\\mac_centeuro.py',
171 |    'PYMODULE'),
172 |   ('encodings.mac_croatian',
173 |    'c:\\python27\\lib\\encodings\\mac_croatian.py',
174 |    'PYMODULE'),
175 |   ('encodings.punycode',
176 |    'c:\\python27\\lib\\encodings\\punycode.py',
177 |    'PYMODULE'),
178 |   ('encodings.unicode_escape',
179 |    'c:\\python27\\lib\\encodings\\unicode_escape.py',
180 |    'PYMODULE'),
181 |   ('encodings.bz2_codec',
182 |    'c:\\python27\\lib\\encodings\\bz2_codec.py',
183 |    'PYMODULE'),
184 |   ('encodings.rot_13', 'c:\\python27\\lib\\encodings\\rot_13.py', 'PYMODULE'),
185 |   ('encodings.cp874', 'c:\\python27\\lib\\encodings\\cp874.py', 'PYMODULE'),
186 |   ('encodings.cp875', 'c:\\python27\\lib\\encodings\\cp875.py', 'PYMODULE'),
187 |   ('encodings.cp720', 'c:\\python27\\lib\\encodings\\cp720.py', 'PYMODULE'),
188 |   ('encodings.tis_620',
189 |    'c:\\python27\\lib\\encodings\\tis_620.py',
190 |    'PYMODULE'),
191 |   ('encodings.zlib_codec',
192 |    'c:\\python27\\lib\\encodings\\zlib_codec.py',
193 |    'PYMODULE'),
194 |   ('encodings.iso2022_jp_2004',
195 |    'c:\\python27\\lib\\encodings\\iso2022_jp_2004.py',
196 |    'PYMODULE'),
197 |   ('encodings.euc_jisx0213',
198 |    'c:\\python27\\lib\\encodings\\euc_jisx0213.py',
199 |    'PYMODULE'),
200 |   ('encodings.ptcp154',
201 |    'c:\\python27\\lib\\encodings\\ptcp154.py',
202 |    'PYMODULE'),
203 |   ('encodings.uu_codec',
204 |    'c:\\python27\\lib\\encodings\\uu_codec.py',
205 |    'PYMODULE'),
206 |   ('encodings.utf_16_le',
207 |    'c:\\python27\\lib\\encodings\\utf_16_le.py',
208 |    'PYMODULE'),
209 |   ('encodings.iso2022_jp_2',
210 |    'c:\\python27\\lib\\encodings\\iso2022_jp_2.py',
211 |    'PYMODULE'),
212 |   ('encodings.iso2022_jp_3',
213 |    'c:\\python27\\lib\\encodings\\iso2022_jp_3.py',
214 |    'PYMODULE'),
215 |   ('encodings.iso2022_jp_1',
216 |    'c:\\python27\\lib\\encodings\\iso2022_jp_1.py',
217 |    'PYMODULE'),
218 |   ('encodings.mac_romanian',
219 |    'c:\\python27\\lib\\encodings\\mac_romanian.py',
220 |    'PYMODULE'),
221 |   ('encodings.cp1026', 'c:\\python27\\lib\\encodings\\cp1026.py', 'PYMODULE'),
222 |   ('encodings.mac_farsi',
223 |    'c:\\python27\\lib\\encodings\\mac_farsi.py',
224 |    'PYMODULE'),
225 |   ('encodings.undefined',
226 |    'c:\\python27\\lib\\encodings\\undefined.py',
227 |    'PYMODULE'),
228 |   ('encodings.mac_turkish',
229 |    'c:\\python27\\lib\\encodings\\mac_turkish.py',
230 |    'PYMODULE'),
231 |   ('encodings.koi8_u', 'c:\\python27\\lib\\encodings\\koi8_u.py', 'PYMODULE'),
232 |   ('encodings.koi8_r', 'c:\\python27\\lib\\encodings\\koi8_r.py', 'PYMODULE'),
233 |   ('encodings.utf_8_sig',
234 |    'c:\\python27\\lib\\encodings\\utf_8_sig.py',
235 |    'PYMODULE'),
236 |   ('encodings.iso2022_jp',
237 |    'c:\\python27\\lib\\encodings\\iso2022_jp.py',
238 |    'PYMODULE'),
239 |   ('encodings.palmos', 'c:\\python27\\lib\\encodings\\palmos.py', 'PYMODULE'),
240 |   ('encodings.mac_greek',
241 |    'c:\\python27\\lib\\encodings\\mac_greek.py',
242 |    'PYMODULE'),
243 |   ('encodings.shift_jis_2004',
244 |    'c:\\python27\\lib\\encodings\\shift_jis_2004.py',
245 |    'PYMODULE'),
246 |   ('encodings.gbk', 'c:\\python27\\lib\\encodings\\gbk.py', 'PYMODULE'),
247 |   ('encodings.mac_iceland',
248 |    'c:\\python27\\lib\\encodings\\mac_iceland.py',
249 |    'PYMODULE'),
250 |   ('encodings.cp858', 'c:\\python27\\lib\\encodings\\cp858.py', 'PYMODULE'),
251 |   ('encodings.cp850', 'c:\\python27\\lib\\encodings\\cp850.py', 'PYMODULE'),
252 |   ('encodings.cp852', 'c:\\python27\\lib\\encodings\\cp852.py', 'PYMODULE'),
253 |   ('encodings.cp855', 'c:\\python27\\lib\\encodings\\cp855.py', 'PYMODULE'),
254 |   ('encodings.cp856', 'c:\\python27\\lib\\encodings\\cp856.py', 'PYMODULE'),
255 |   ('encodings.cp857', 'c:\\python27\\lib\\encodings\\cp857.py', 'PYMODULE'),
256 |   ('encodings.iso8859_4',
257 |    'c:\\python27\\lib\\encodings\\iso8859_4.py',
258 |    'PYMODULE'),
259 |   ('encodings.iso8859_5',
260 |    'c:\\python27\\lib\\encodings\\iso8859_5.py',
261 |    'PYMODULE'),
262 |   ('encodings.iso8859_6',
263 |    'c:\\python27\\lib\\encodings\\iso8859_6.py',
264 |    'PYMODULE'),
265 |   ('encodings.iso8859_7',
266 |    'c:\\python27\\lib\\encodings\\iso8859_7.py',
267 |    'PYMODULE'),
268 |   ('encodings.iso8859_1',
269 |    'c:\\python27\\lib\\encodings\\iso8859_1.py',
270 |    'PYMODULE'),
271 |   ('encodings.iso8859_2',
272 |    'c:\\python27\\lib\\encodings\\iso8859_2.py',
273 |    'PYMODULE'),
274 |   ('encodings.iso8859_3',
275 |    'c:\\python27\\lib\\encodings\\iso8859_3.py',
276 |    'PYMODULE'),
277 |   ('encodings.gb2312', 'c:\\python27\\lib\\encodings\\gb2312.py', 'PYMODULE'),
278 |   ('encodings.iso8859_8',
279 |    'c:\\python27\\lib\\encodings\\iso8859_8.py',
280 |    'PYMODULE'),
281 |   ('encodings.iso8859_9',
282 |    'c:\\python27\\lib\\encodings\\iso8859_9.py',
283 |    'PYMODULE'),
284 |   ('encodings.cp949', 'c:\\python27\\lib\\encodings\\cp949.py', 'PYMODULE'),
285 |   ('encodings.cp864', 'c:\\python27\\lib\\encodings\\cp864.py', 'PYMODULE'),
286 |   ('encodings.base64_codec',
287 |    'c:\\python27\\lib\\encodings\\base64_codec.py',
288 |    'PYMODULE'),
289 |   ('base64', 'c:\\python27\\lib\\base64.py', 'PYMODULE'),
290 |   ('encodings.cp037', 'c:\\python27\\lib\\encodings\\cp037.py', 'PYMODULE'),
291 |   ('encodings.utf_8', 'c:\\python27\\lib\\encodings\\utf_8.py', 'PYMODULE'),
292 |   ('encodings.mac_arabic',
293 |    'c:\\python27\\lib\\encodings\\mac_arabic.py',
294 |    'PYMODULE'),
295 |   ('encodings.euc_kr', 'c:\\python27\\lib\\encodings\\euc_kr.py', 'PYMODULE'),
296 |   ('encodings.utf_7', 'c:\\python27\\lib\\encodings\\utf_7.py', 'PYMODULE'),
297 |   ('encodings.shift_jis',
298 |    'c:\\python27\\lib\\encodings\\shift_jis.py',
299 |    'PYMODULE'),
300 |   ('encodings.utf_32_le',
301 |    'c:\\python27\\lib\\encodings\\utf_32_le.py',
302 |    'PYMODULE'),
303 |   ('encodings.euc_jis_2004',
304 |    'c:\\python27\\lib\\encodings\\euc_jis_2004.py',
305 |    'PYMODULE'),
306 |   ('encodings.cp775', 'c:\\python27\\lib\\encodings\\cp775.py', 'PYMODULE'),
307 |   ('encodings.cp1140', 'c:\\python27\\lib\\encodings\\cp1140.py', 'PYMODULE'),
308 |   ('encodings.big5', 'c:\\python27\\lib\\encodings\\big5.py', 'PYMODULE'),
309 |   ('encodings.iso8859_15',
310 |    'c:\\python27\\lib\\encodings\\iso8859_15.py',
311 |    'PYMODULE'),
312 |   ('encodings.iso2022_jp_ext',
313 |    'c:\\python27\\lib\\encodings\\iso2022_jp_ext.py',
314 |    'PYMODULE'),
315 |   ('encodings.johab', 'c:\\python27\\lib\\encodings\\johab.py', 'PYMODULE'),
316 |   ('encodings.cp932', 'c:\\python27\\lib\\encodings\\cp932.py', 'PYMODULE'),
317 |   ('codecs', 'c:\\python27\\lib\\codecs.py', 'PYMODULE'),
318 |   ('optparse', 'c:\\python27\\lib\\optparse.py', 'PYMODULE'),
319 |   ('gettext', 'c:\\python27\\lib\\gettext.py', 'PYMODULE'),
320 |   ('textwrap', 'c:\\python27\\lib\\textwrap.py', 'PYMODULE'),
321 |   ('io', 'c:\\python27\\lib\\io.py', 'PYMODULE'),
322 |   ('shutil', 'c:\\python27\\lib\\shutil.py', 'PYMODULE'),
323 |   ('zipfile', 'c:\\python27\\lib\\zipfile.py', 'PYMODULE'),
324 |   ('py_compile', 'c:\\python27\\lib\\py_compile.py', 'PYMODULE'),
325 |   ('distutils.spawn', 'c:\\python27\\lib\\distutils\\spawn.py', 'PYMODULE'),
326 |   ('distutils.sysconfig',
327 |    'c:\\python27\\lib\\distutils\\sysconfig.py',
328 |    'PYMODULE'),
329 |   ('distutils.text_file',
330 |    'c:\\python27\\lib\\distutils\\text_file.py',
331 |    'PYMODULE'),
332 |   ('_osx_support', 'c:\\python27\\lib\\_osx_support.py', 'PYMODULE'),
333 |   ('contextlib', 'c:\\python27\\lib\\contextlib.py', 'PYMODULE'),
334 |   ('distutils.log', 'c:\\python27\\lib\\distutils\\log.py', 'PYMODULE'),
335 |   ('distutils', 'c:\\python27\\lib\\distutils\\__init__.py', 'PYMODULE'),
336 |   ('distutils.debug', 'c:\\python27\\lib\\distutils\\debug.py', 'PYMODULE'),
337 |   ('distutils.errors', 'c:\\python27\\lib\\distutils\\errors.py', 'PYMODULE'),
338 |   ('tarfile', 'c:\\python27\\lib\\tarfile.py', 'PYMODULE'),
339 |   ('gzip', 'c:\\python27\\lib\\gzip.py', 'PYMODULE'),
340 |   ('struct', 'c:\\python27\\lib\\struct.py', 'PYMODULE')])
341 | 


--------------------------------------------------------------------------------
/src/SigThief-master/build/sigthief/sigthief.exe.manifest:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
 2 | <assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1">
 3 |   <assemblyIdentity name="sigthief" processorArchitecture="amd64" type="win32" version="1.0.0.0"/>
 4 |   <dependency>
 5 |     <dependentAssembly>
 6 |       <assemblyIdentity name="Microsoft.VC90.CRT" processorArchitecture="amd64" publicKeyToken="1fc8b3b9a1e18e3b" type="win32" version="9.0.21022.8"/>
 7 |       <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"/>
 8 |     </dependentAssembly>
 9 |   </dependency>
10 |   <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
11 |     <application>
12 |       <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
13 |       <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
14 |       <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
15 |       <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
16 |       <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
17 |     </application>
18 |   </compatibility>
19 | </assembly>


--------------------------------------------------------------------------------
/src/SigThief-master/build/sigthief/warnsigthief.txt:
--------------------------------------------------------------------------------
 1 | missing module named readline - imported by cmd, pdb
 2 | missing module named 'org.python' - imported by pickle
 3 | missing module named fcntl - imported by tempfile, subprocess
 4 | missing module named riscosenviron - imported by os
 5 | missing module named riscospath - imported by os
 6 | missing module named riscos - imported by os
 7 | missing module named ce - imported by os
 8 | missing module named _emx_link - imported by os
 9 | missing module named os2 - imported by os
10 | missing module named pwd - imported by posixpath, shutil, tarfile
11 | missing module named posix - imported by os
12 | missing module named resource - imported by posix
13 | missing module named org - imported by copy
14 | missing module named _sysconfigdata - imported by distutils.sysconfig
15 | missing module named grp - imported by shutil, tarfile
16 | 


--------------------------------------------------------------------------------
/src/SigThief-master/dist/sigthief.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/threatexpress/metatwin/6d89f53b01aa3ba5814ff4460dec1c4725303a9b/src/SigThief-master/dist/sigthief.exe


--------------------------------------------------------------------------------
/src/SigThief-master/sigthief.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python3
  2 | # LICENSE: BSD-3
  3 | # Copyright: Josh Pitts @midnite_runr
  4 | 
  5 | import sys
  6 | import struct
  7 | import shutil
  8 | import io
  9 | from optparse import OptionParser
 10 | 
 11 | 
 12 | def gather_file_info_win(binary):
 13 |         """
 14 |         Borrowed from BDF...
 15 |         I could just skip to certLOC... *shrug*
 16 |         """
 17 |         flItms = {}
 18 |         binary = open(binary, 'rb')
 19 |         binary.seek(int('3C', 16))
 20 |         flItms['buffer'] = 0
 21 |         flItms['JMPtoCodeAddress'] = 0
 22 |         flItms['dis_frm_pehdrs_sectble'] = 248
 23 |         flItms['pe_header_location'] = struct.unpack('<i', binary.read(4))[0]
 24 |         # Start of COFF
 25 |         flItms['COFF_Start'] = flItms['pe_header_location'] + 4
 26 |         binary.seek(flItms['COFF_Start'])
 27 |         flItms['MachineType'] = struct.unpack('<H', binary.read(2))[0]
 28 |         binary.seek(flItms['COFF_Start'] + 2, 0)
 29 |         flItms['NumberOfSections'] = struct.unpack('<H', binary.read(2))[0]
 30 |         flItms['TimeDateStamp'] = struct.unpack('<I', binary.read(4))[0]
 31 |         binary.seek(flItms['COFF_Start'] + 16, 0)
 32 |         flItms['SizeOfOptionalHeader'] = struct.unpack('<H', binary.read(2))[0]
 33 |         flItms['Characteristics'] = struct.unpack('<H', binary.read(2))[0]
 34 |         #End of COFF
 35 |         flItms['OptionalHeader_start'] = flItms['COFF_Start'] + 20
 36 | 
 37 |         #if flItms['SizeOfOptionalHeader']:
 38 |             #Begin Standard Fields section of Optional Header
 39 |         binary.seek(flItms['OptionalHeader_start'])
 40 |         flItms['Magic'] = struct.unpack('<H', binary.read(2))[0]
 41 |         flItms['MajorLinkerVersion'] = struct.unpack("!B", binary.read(1))[0]
 42 |         flItms['MinorLinkerVersion'] = struct.unpack("!B", binary.read(1))[0]
 43 |         flItms['SizeOfCode'] = struct.unpack("<I", binary.read(4))[0]
 44 |         flItms['SizeOfInitializedData'] = struct.unpack("<I", binary.read(4))[0]
 45 |         flItms['SizeOfUninitializedData'] = struct.unpack("<I",
 46 |                                                                binary.read(4))[0]
 47 |         flItms['AddressOfEntryPoint'] = struct.unpack('<I', binary.read(4))[0]
 48 |         flItms['PatchLocation'] = flItms['AddressOfEntryPoint']
 49 |         flItms['BaseOfCode'] = struct.unpack('<I', binary.read(4))[0]
 50 |         if flItms['Magic'] != 0x20B:
 51 |             flItms['BaseOfData'] = struct.unpack('<I', binary.read(4))[0]
 52 |         # End Standard Fields section of Optional Header
 53 |         # Begin Windows-Specific Fields of Optional Header
 54 |         if flItms['Magic'] == 0x20B:
 55 |             flItms['ImageBase'] = struct.unpack('<Q', binary.read(8))[0]
 56 |         else:
 57 |             flItms['ImageBase'] = struct.unpack('<I', binary.read(4))[0]
 58 |         flItms['SectionAlignment'] = struct.unpack('<I', binary.read(4))[0]
 59 |         flItms['FileAlignment'] = struct.unpack('<I', binary.read(4))[0]
 60 |         flItms['MajorOperatingSystemVersion'] = struct.unpack('<H',
 61 |                                                                    binary.read(2))[0]
 62 |         flItms['MinorOperatingSystemVersion'] = struct.unpack('<H',
 63 |                                                                    binary.read(2))[0]
 64 |         flItms['MajorImageVersion'] = struct.unpack('<H', binary.read(2))[0]
 65 |         flItms['MinorImageVersion'] = struct.unpack('<H', binary.read(2))[0]
 66 |         flItms['MajorSubsystemVersion'] = struct.unpack('<H', binary.read(2))[0]
 67 |         flItms['MinorSubsystemVersion'] = struct.unpack('<H', binary.read(2))[0]
 68 |         flItms['Win32VersionValue'] = struct.unpack('<I', binary.read(4))[0]
 69 |         flItms['SizeOfImageLoc'] = binary.tell()
 70 |         flItms['SizeOfImage'] = struct.unpack('<I', binary.read(4))[0]
 71 |         flItms['SizeOfHeaders'] = struct.unpack('<I', binary.read(4))[0]
 72 |         flItms['CheckSum'] = struct.unpack('<I', binary.read(4))[0]
 73 |         flItms['Subsystem'] = struct.unpack('<H', binary.read(2))[0]
 74 |         flItms['DllCharacteristics'] = struct.unpack('<H', binary.read(2))[0]
 75 |         if flItms['Magic'] == 0x20B:
 76 |             flItms['SizeOfStackReserve'] = struct.unpack('<Q', binary.read(8))[0]
 77 |             flItms['SizeOfStackCommit'] = struct.unpack('<Q', binary.read(8))[0]
 78 |             flItms['SizeOfHeapReserve'] = struct.unpack('<Q', binary.read(8))[0]
 79 |             flItms['SizeOfHeapCommit'] = struct.unpack('<Q', binary.read(8))[0]
 80 | 
 81 |         else:
 82 |             flItms['SizeOfStackReserve'] = struct.unpack('<I', binary.read(4))[0]
 83 |             flItms['SizeOfStackCommit'] = struct.unpack('<I', binary.read(4))[0]
 84 |             flItms['SizeOfHeapReserve'] = struct.unpack('<I', binary.read(4))[0]
 85 |             flItms['SizeOfHeapCommit'] = struct.unpack('<I', binary.read(4))[0]
 86 |         flItms['LoaderFlags'] = struct.unpack('<I', binary.read(4))[0]  # zero
 87 |         flItms['NumberofRvaAndSizes'] = struct.unpack('<I', binary.read(4))[0]
 88 |         # End Windows-Specific Fields of Optional Header
 89 |         # Begin Data Directories of Optional Header
 90 |         flItms['ExportTableRVA'] = struct.unpack('<I', binary.read(4))[0]
 91 |         flItms['ExportTableSize'] = struct.unpack('<I', binary.read(4))[0]
 92 |         flItms['ImportTableLOCInPEOptHdrs'] = binary.tell()
 93 |         #ImportTable SIZE|LOC
 94 |         flItms['ImportTableRVA'] = struct.unpack('<I', binary.read(4))[0]
 95 |         flItms['ImportTableSize'] = struct.unpack('<I', binary.read(4))[0]
 96 |         flItms['ResourceTable'] = struct.unpack('<Q', binary.read(8))[0]
 97 |         flItms['ExceptionTable'] = struct.unpack('<Q', binary.read(8))[0]
 98 |         flItms['CertTableLOC'] = binary.tell()
 99 |         flItms['CertLOC'] = struct.unpack("<I", binary.read(4))[0]
100 |         flItms['CertSize'] = struct.unpack("<I", binary.read(4))[0]
101 |         binary.close()
102 |         return flItms
103 | 
104 | 
105 | def copyCert(exe):
106 |     flItms = gather_file_info_win(exe)
107 | 
108 |     if flItms['CertLOC'] == 0 or flItms['CertSize'] == 0:
109 |         # not signed
110 |         print("Input file Not signed!")
111 |         sys.exit(-1)
112 | 
113 |     with open(exe, 'rb') as f:
114 |         f.seek(flItms['CertLOC'], 0)
115 |         cert = f.read(flItms['CertSize'])
116 |     return cert
117 | 
118 | 
119 | def writeCert(cert, exe, output):
120 |     flItms = gather_file_info_win(exe)
121 |     
122 |     if not output: 
123 |         output = output = str(exe) + "_signed"
124 | 
125 |     shutil.copy2(exe, output)
126 |     
127 |     print("Output file: {0}".format(output))
128 | 
129 |     with open(exe, 'rb') as g:
130 |         with open(output, 'wb') as f:
131 |             f.write(g.read())
132 |             f.seek(0)
133 |             f.seek(flItms['CertTableLOC'], 0)
134 |             f.write(struct.pack("<I", len(open(exe, 'rb').read())))
135 |             f.write(struct.pack("<I", len(cert)))
136 |             f.seek(0, io.SEEK_END)
137 |             f.write(cert)
138 | 
139 |     print("Signature appended. \nFIN.")
140 | 
141 | 
142 | def outputCert(exe, output):
143 |     cert = copyCert(exe)
144 |     if not output:
145 |         output = str(exe) + "_sig"
146 | 
147 |     print("Output file: {0}".format(output))
148 | 
149 |     open(output, 'wb').write(cert)
150 | 
151 |     print("Signature ripped. \nFIN.")
152 | 
153 | 
154 | def check_sig(exe):
155 |     flItms = gather_file_info_win(exe)
156 |  
157 |     if flItms['CertLOC'] == 0 or flItms['CertSize'] == 0:
158 |         # not signed
159 |         print("Inputfile Not signed!")
160 |     else:
161 |         print("Inputfile is signed!")
162 | 
163 | 
164 | def truncate(exe, output):
165 |     flItms = gather_file_info_win(exe)
166 |  
167 |     if flItms['CertLOC'] == 0 or flItms['CertSize'] == 0:
168 |         # not signed
169 |         print("Inputfile Not signed!")
170 |         sys.exit(-1)
171 |     else:
172 |         print( "Inputfile is signed!")
173 | 
174 |     if not output:
175 |         output = str(exe) + "_nosig"
176 | 
177 |     print("Output file: {0}".format(output))
178 | 
179 |     shutil.copy2(exe, output)
180 | 
181 |     with open(output, "r+b") as binary:
182 |         print('Overwriting certificate table pointer and truncating binary')
183 |         binary.seek(-flItms['CertSize'], io.SEEK_END)
184 |         binary.truncate()
185 |         binary.seek(flItms['CertTableLOC'], 0)
186 |         binary.write(b"\x00\x00\x00\x00\x00\x00\x00\x00")
187 | 
188 |     print("Signature removed. \nFIN.")
189 | 
190 | 
191 | def signfile(exe, sigfile, output):
192 |     flItms = gather_file_info_win(exe)
193 |     
194 |     cert = open(sigfile, 'rb').read()
195 | 
196 |     if not output: 
197 |         output = output = str(exe) + "_signed"
198 | 
199 |     shutil.copy2(exe, output)
200 |     
201 |     print("Output file: {0}".format(output))
202 |     
203 |     with open(exe, 'rb') as g:
204 |         with open(output, 'wb') as f:
205 |             f.write(g.read())
206 |             f.seek(0)
207 |             f.seek(flItms['CertTableLOC'], 0)
208 |             f.write(struct.pack("<I", len(open(exe, 'rb').read())))
209 |             f.write(struct.pack("<I", len(cert)))
210 |             f.seek(0, io.SEEK_END)
211 |             f.write(cert)
212 |     print("Signature appended. \nFIN.")
213 | 
214 | 
215 | if __name__ == "__main__":
216 |     usage = 'usage: %prog [options]'
217 |     parser = OptionParser()
218 |     parser.add_option("-i", "--file", dest="inputfile", 
219 |                   help="file still signature from", metavar="FILE")
220 |     parser.add_option('-r', '--rip', dest='ripsig', action='store_true',
221 |                   help='rip signature off inputfile')
222 |     parser.add_option('-a', '--add', dest='addsig', action='store_true',
223 |                   help='add signautre to targetfile')
224 |     parser.add_option('-o', '--output', dest='outputfile',
225 |                   help='output file')
226 |     parser.add_option('-s', '--sig', dest='sigfile',
227 |                   help='binary signature from disk')
228 |     parser.add_option('-t', '--target', dest='targetfile',
229 |                   help='file to append signature too')
230 |     parser.add_option('-c', '--checksig', dest='checksig', action='store_true',
231 |                   help='file to check if signed; does not verify signature')
232 |     parser.add_option('-T', '--truncate', dest="truncate", action='store_true',
233 |                   help='truncate signature (i.e. remove sig)')
234 |     (options, args) = parser.parse_args()
235 |     
236 |     # rip signature
237 |     # inputfile and rip to outputfile
238 |     if options.inputfile and options.ripsig:
239 |         print("Ripping signature to file!")
240 |         outputCert(options.inputfile, options.outputfile)
241 |         sys.exit()    
242 | 
243 |     # copy from one to another
244 |     # inputfile and rip to targetfile to outputfile    
245 |     if options.inputfile and options.targetfile:
246 |         cert = copyCert(options.inputfile)
247 |         writeCert(cert, options.targetfile, options.outputfile)
248 |         sys.exit()
249 | 
250 |     # check signature
251 |     # inputfile 
252 |     if options.inputfile and options.checksig:
253 |         check_sig(options.inputfile) 
254 |         sys.exit()
255 | 
256 |     # add sig to target file
257 |     if options.targetfile and options.sigfile:
258 |         signfile(options.targetfile, options.sigfile, options.outputfile)
259 |         sys.exit()
260 |         
261 |     # truncate
262 |     if options.inputfile and options.truncate:
263 |         truncate(options.inputfile, options.outputfile)
264 |         sys.exit()
265 | 
266 |     parser.print_help()
267 |     parser.error("You must do something!")
268 | 
269 | 


--------------------------------------------------------------------------------
/src/SigThief-master/sigthief.spec:
--------------------------------------------------------------------------------
 1 | # -*- mode: python -*-
 2 | 
 3 | block_cipher = None
 4 | 
 5 | 
 6 | a = Analysis(['sigthief.py'],
 7 |              pathex=['C:\\Users\\Sec504\\Desktop\\meta_twin\\src\\SigThief-master'],
 8 |              binaries=[],
 9 |              datas=[],
10 |              hiddenimports=[],
11 |              hookspath=[],
12 |              runtime_hooks=[],
13 |              excludes=[],
14 |              win_no_prefer_redirects=False,
15 |              win_private_assemblies=False,
16 |              cipher=block_cipher)
17 | pyz = PYZ(a.pure, a.zipped_data,
18 |              cipher=block_cipher)
19 | exe = EXE(pyz,
20 |           a.scripts,
21 |           a.binaries,
22 |           a.zipfiles,
23 |           a.datas,
24 |           name='sigthief',
25 |           debug=False,
26 |           strip=False,
27 |           upx=True,
28 |           runtime_tmpdir=None,
29 |           console=True )
30 | 


--------------------------------------------------------------------------------
/src/resource_hacker/.keep:
--------------------------------------------------------------------------------
1 | keep
2 | 


--------------------------------------------------------------------------------