Hey all,
Got a client here with an infection which corrupts file headers for particular file types in an effort to "encrypt" them.
However, as it turns out, it's merely the file headers which are corrupt. They can be restored through the use of a Hex Editor and the replacement of the first part of the file with that of an unencrypted file of the same type.
My question is: can XYplorer be used to perform such edits on matching file types in batch? If so, I will post a blog entry about it as well once this is solved to help generate some more traffic for the program!
Thanks!
Script help... rewrite file headers for all files of a type?
othersteve
- Posts: 11
- Joined: 25 Jun 2010 14:25
Marco
- Posts: 2354
- Joined: 27 Jun 2011 15:20
Re: Script help... rewrite file headers for all files of a t
Yes, it's possible thanks to the readfile() and writefile() functions.
Readfile(): you read the whole infected file except the header into a variable
Then you attach to such variable the correct header
Writefile(): you overwrite the infected file with the variable+header
Tag Backup - SimpleUpdater - XYplorer Messenger - The Unofficial XYplorer Archive - Everything in XYplorer
Don sees all [cit. from viewtopic.php?p=124094#p124094]
highend
- Posts: 14942
- Joined: 06 Feb 2011 00:33
- Location: Win Server 2022 @100%
Re: Script help... rewrite file headers for all files of a t
This should work, as long as you know how many bytes you need to read from the reference file.
E.g.
Takes one reference file (this must NOT be in the directory where the files to be modified are!) and changes
all files in the current directory with the same extension...
Code:
// ask for the header length, then pick the clean reference file
$bytesToRead = input("How many bytes for the header:", , , , , 250, 150);
$refFile = inputfile("<curpath>");
$refFileExt = getpathcomponent($refFile, "ext");
// read only the first $bytesToRead bytes of the reference file (binary mode)
$refHeader = readfile($refFile, "b", $bytesToRead);
// every file in the current folder with the same extension
$files = listfolder("<curpath>", "*$refFileExt*", 1, "|");
foreach($file, $files, "|") {
$baseName = getpathcomponent($file, "base");
$basePath = getpathcomponent($file, "path");
// write the clean header to a new "-Mod" copy, then append the damaged file from byte $bytesToRead + 1 on
writefile("$basePath\$baseName-Mod.$refFileExt", $refHeader, "o", "b");
writefile("$basePath\$baseName-Mod.$refFileExt", readfile($file, "b", , , $bytesToRead + 1), "a", "b");
};
One of my scripts helped you out? Please donate via Paypal
othersteve
- Posts: 11
- Joined: 25 Jun 2010 14:25
Re: Script help... rewrite file headers for all files of a t
Awesome. Will work through this on experimentation and report back with my results as soon as I get a moment to try it. Thanks again.
othersteve
- Posts: 11
- Joined: 25 Jun 2010 14:25
Re: Script help... rewrite file headers for all files of a t
Well, believe it or not, there were two problems at hand here:
- Contrary to internet reports, the malware did indeed encrypt slightly more than merely the file header. It was actually the first several lines (in a hex editor).
- We actually found most of the client's critical data in a backup archive that had been untouched, negating the need for this approach anyway.
So long story short, I never even got to use this script you took the time to put together for me. However I really appreciate the help regardless!
I did take samples of encrypted and unencrypted files for analysis... so if I get a chance to pore over this more closely maybe it'll see some use yet. Thanks again :-)
XYplorer Beta Club
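The same repair approach as highend's script, written here in Python as an added example (not from the thread and not XYplorer's own code), with one addition that addresses othersteve's finding that more than just the header was overwritten: damaged_prefix_length() compares a clean file with its own damaged copy to measure how many leading bytes the repair must actually take from the reference. It assumes the overwritten span has the same length in every file and uses constructed PNG-like samples; repaired files are written as "-Mod" copies so nothing original is touched.

```python
import tempfile
from pathlib import Path

# Constructed samples (not from the thread): a PNG-like prefix as the clean
# reference, and a copy whose first 12 bytes were overwritten by the "malware".
CLEAN_SAMPLE = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + bytes(range(48))
DAMAGED_SAMPLE = bytes([0xAA] * 12) + CLEAN_SAMPLE[12:]


def damaged_prefix_length(clean: bytes, damaged: bytes) -> int:
    """Count the leading bytes that differ between a clean file and its damaged
    copy: that is the header length the batch repair must take from the reference."""
    if len(clean) != len(damaged):
        raise ValueError("compare a clean file with its own damaged copy")
    diffs = [i for i, (a, b) in enumerate(zip(clean, damaged)) if a != b]
    return diffs[-1] + 1 if diffs else 0


def splice_header(reference: bytes, damaged: bytes, header_len: int) -> bytes:
    """Replace the first header_len bytes of `damaged` with the reference's."""
    if min(len(reference), len(damaged)) < header_len:
        raise ValueError("file shorter than the requested header length")
    return reference[:header_len] + damaged[header_len:]


def repair_folder(folder: Path, reference: Path, header_len: int) -> list:
    """Write a '<name>-Mod<ext>' copy of every file in `folder` sharing the
    reference's extension; originals are untouched and the reference is skipped."""
    ref_header = reference.read_bytes()[:header_len]
    if len(ref_header) < header_len:
        raise ValueError("reference file is shorter than header_len")
    written = []
    for path in sorted(folder.iterdir()):
        if (path.suffix.lower() != reference.suffix.lower()
                or path.stem.endswith("-Mod") or path.resolve() == reference.resolve()):
            continue
        out = path.with_name(f"{path.stem}-Mod{path.suffix}")
        out.write_bytes(splice_header(ref_header, path.read_bytes(), header_len))
        written.append(out)
    return written


def demo() -> bool:
    """Measure the damage on the sample pair, repair a folder, verify the copy."""
    with tempfile.TemporaryDirectory() as d:
        ref, bad = Path(d) / "clean.png", Path(d) / "photo.png"
        ref.write_bytes(CLEAN_SAMPLE)
        bad.write_bytes(DAMAGED_SAMPLE)
        out = repair_folder(Path(d), ref, damaged_prefix_length(CLEAN_SAMPLE, DAMAGED_SAMPLE))
        return out == [Path(d) / "photo-Mod.png"] and out[0].read_bytes() == CLEAN_SAMPLE
```

Run damaged_prefix_length() on a few clean/damaged pairs first; if the result varies between files, the malware did not overwrite a fixed-size header and a header splice alone will not recover the data.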