Script help... rewrite file headers for all files of a type?

Posted: 02 Feb 2014 18:05
by othersteve
Hey all,

Got a client here with an infection which corrupts file headers for particular file types in an effort to "encrypt" them.

However, as it turns out, it's merely the file headers which are corrupt. They can be restored through the use of a Hex Editor and the replacement of the first part of the file with that of an unencrypted file of the same type.

My question is: can XYplorer be used to perform such edits on matching file types in batch? If so, I will post a blog entry about it as well once this is solved to help generate some more traffic for the program!

Thanks!

Re: Script help... rewrite file headers for all files of a t

Posted: 02 Feb 2014 18:30
by Marco
Yes, it's possible thanks to the readfile() and writefile() functions.
Readfile(): you read the whole infected file except the header into a variable
Then you attach to such variable the correct header
Writefile(): you overwrite the infected file with the variable+header

Re: Script help... rewrite file headers for all files of a t

Posted: 02 Feb 2014 19:24
by highend
This should work, as long as you know how many bytes you need to read from the reference file.

E.g.

Code:

    $bytesToRead = input("How many bytes for the header:", , , , , 250, 150);
    $refFile = inputfile("<curpath>");
    $refFileExt = getpathcomponent($refFile, "ext");
    $refHeader = readfile($refFile, "b", $bytesToRead);

    $files = listfolder("<curpath>", "*$refFileExt*", 1, "|");
    foreach($file, $files, "|") {
        $baseName = getpathcomponent($file, "base");
        $basePath = getpathcomponent($file, "path");
        writefile("$basePath\$baseName-Mod.$refFileExt", $refHeader, "o", "b");
        writefile("$basePath\$baseName-Mod.$refFileExt", readfile($file, "b", , , $bytesToRead + 1), "a", "b");
    };
Takes one reference file (this must NOT be in the directory where the files to be modified are!) and changes
all files in the current directory with the same extension...

Re: Script help... rewrite file headers for all files of a t

Posted: 02 Feb 2014 21:00
by othersteve
Awesome. Will work through this on experimentation and report back with my results as soon as I get a moment to try it. Thanks again.

Re: Script help... rewrite file headers for all files of a t

Posted: 04 Feb 2014 03:21
by othersteve
Well, believe it or not, there were two problems at hand here:
- Contrary to internet reports, the malware did indeed encrypt slightly more than merely the file header. It was actually the first several lines (in a hex editor).
- We actually found most of the client's critical data in a backup archive that had been untouched, negating the need for this approach anyway.
So long story short, I never even got to use this script you took the time to put together for me. However I really appreciate the help regardless!

I did take samples of encrypted and unencrypted files for analysis... so if I get a chance to pore over this more closely maybe it'll see some use yet. Thanks again :-)
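The two ideas in this thread, highend's batch header transplant and othersteve's observation that the damage reached past the header, can be checked together. The following is an added example written for this page; it is not the XYplorer script above and not part of the thread. It is plain Python, works on "-Mod" copies so the damaged originals are untouched (as highend's script does), refuses a reference file that lives in the target directory, and adds one step the thread only hints at: given a clean and a damaged copy of the same file, it measures how many leading bytes were actually altered, so the header length is derived from evidence instead of guessed. The "DEMOFMT" format, the `.dmo` extension, the file names and every byte of sample data are constructed for the demo.

```python
"""Restore the leading bytes of damaged files from a known-good reference file,
and measure how long the damaged prefix really is from a clean/damaged sample pair.

Added example for this thread, not the forum's XYplorer script.
"""
import tempfile
from pathlib import Path
from typing import Dict, List

# Constructed sample data: a fake "DEMOFMT" file with a 16-byte header and a body.
HEADER_LEN = 16
HEADER = b"DEMOFMT" + bytes(range(9))            # 7 + 9 = 16 bytes of fake magic/header
BODY = bytes((i * 7) % 256 for i in range(500))
CLEAN = HEADER + BODY
# Simulated damage: the first 24 bytes are XORed, i.e. 8 bytes PAST the header
# are hit too, mirroring what othersteve found on the client's files.
DAMAGED = bytes(b ^ 0x5A for b in CLEAN[:24]) + CLEAN[24:]


def damaged_prefix_length(clean: bytes, damaged: bytes) -> int:
    """Smallest n such that clean[n:] == damaged[n:], i.e. how many leading bytes
    were altered. Requires a clean and a damaged copy of the SAME file."""
    if len(clean) != len(damaged):
        raise ValueError("samples differ in length; damage is not prefix-only")
    n = len(clean)
    # Walk backwards from the end while the two copies still agree.
    while n > 0 and clean[n - 1] == damaged[n - 1]:
        n -= 1
    return n


def restore_header(reference: Path, target_dir: Path, header_len: int) -> List[Path]:
    """For every file in target_dir sharing the reference's extension, write
    <name>-Mod<ext> = reference[:header_len] + target[header_len:].
    Originals are never modified."""
    if reference.resolve().parent == target_dir.resolve():
        raise ValueError("reference file must not live in the target directory")
    ref_header = reference.read_bytes()[:header_len]
    if len(ref_header) < header_len:
        raise ValueError("reference file is shorter than the requested header length")
    written: List[Path] = []
    for f in sorted(target_dir.iterdir()):
        if not f.is_file() or f.suffix.lower() != reference.suffix.lower():
            continue  # other file types are left alone
        if f.stem.endswith("-Mod"):
            continue  # do not reprocess our own output
        data = f.read_bytes()
        out = f.with_name(f"{f.stem}-Mod{f.suffix}")
        out.write_bytes(ref_header + data[header_len:])
        written.append(out)
    return written


def demo() -> Dict[str, object]:
    """Build a constructed reference/infected layout in a temp dir, then compare a
    header-only restore against one sized from the measured damaged prefix."""
    with tempfile.TemporaryDirectory() as tmp_name:
        tmp = Path(tmp_name)
        ref_dir, target = tmp / "reference", tmp / "infected"
        ref_dir.mkdir()
        target.mkdir()
        reference = ref_dir / "reference.dmo"
        reference.write_bytes(CLEAN)
        damaged_file = target / "invoice.dmo"
        damaged_file.write_bytes(DAMAGED)
        (target / "notes.txt").write_bytes(b"different type, must be left alone")

        prefix_len = damaged_prefix_length(CLEAN, DAMAGED)

        # Guessing "just the header" (16 bytes) leaves 8 damaged bytes in place.
        written = restore_header(reference, target, HEADER_LEN)
        header_only_ok = written[0].read_bytes() == CLEAN

        # Using the measured prefix length (24 bytes) yields a byte-exact restore.
        written = restore_header(reference, target, prefix_len)
        measured_ok = written[0].read_bytes() == CLEAN

        return {
            "prefix_len": prefix_len,
            "header_only_ok": header_only_ok,
            "measured_ok": measured_ok,
            "files_written": len(written),
        }


if __name__ == "__main__":
    print(demo())
```

The prefix measurement only works on a pair of copies of one and the same file (the backup copy of a file next to its damaged twin, for instance); on different files it reports nonsense. The measured length should be confirmed on a second pair before running the batch restore, since a sample-based restore can only ever recover bytes that are identical across all files of that type.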