1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372

# Volatility
#
# Authors:
# Michael Hale Ligh <michael.ligh@mnin.org>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or (at
# your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details. 
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
#

import os, sys
import volatility.obj as obj
import volatility.debug as debug
import volatility.utils as utils
import volatility.win32.tasks as tasks
import volatility.addrspace as addrspace
import volatility.plugins.malware as malware
import yara
import struct

zeus_types = {
    '_ZEUS_MAGIC' : [ 0x1E6, {
    'struct_size' :   [ 0x0, ['unsigned int']], \
    'guid' :   [ 0x4, ['array', 0x30, ['unsigned short']]], \
    'guid2' : [ 0x7C, ['array', 0x10, ['unsigned char']]], \
    'rc4key' : [ 0x8C, ['array', 0x100, ['unsigned char']]], \
    'exefile' : [ 0x18E, ['array', 0x14, ['unsigned char']]], \
    'datfile' : [ 0x1A2, ['array', 0x14, ['unsigned char']]], \
    'keyname' : [ 0x1B6, ['array', 0xA, ['unsigned char']]], \
    'value1' : [ 0x1C0, ['array', 0xA, ['unsigned char']]], \
    'value2' : [ 0x1CA, ['array', 0xA, ['unsigned char']]], \
    'value3' : [ 0x1D4, ['array', 0xA, ['unsigned char']]], \
    'guid_xor_key' : [ 0x1DE, ['unsigned int']], \
    'xorkey' : [ 0x1E2, ['unsigned int']], \
    }]}

"""
These YARA rules use locate assembly instructions that reference 
the configuration data in the unpacked Zeus binary. 

The z1 rule looks for this:

    PUSH ESI
    MOV  EDX, ????0000   ; config size (immediate)
    PUSH EDX
    PUSH OFFSET ???????? ; config_data
    PUSH EAX
    CALL ????????        ; custom_memcpy
    MOV  ESI, ????????   ; last_section_rva
    MOV  ECX, ????????   ; imagebase

The z2 rule looks for this:

    PUSH EBP
    MOV  EBP, ESP
    PUSH ECX
    MOV  EAX, ????????   ; imagebase
    MOV  ECX, ????????   ; last_section_rva
    PUSH ESI
    LEA  ESI, [ECX+EAX]
    MOV  EAX, ????????
    MOV  ECX, ????????   ; config_data

The z5 rule looks for this:

    PUSH ESI
    MOV  EDX, ????0000   ; config size (immediate)
    PUSH EDX 
    PUSH OFFSET ???????? ; config_data
    PUSH EAX
    CALL ????????        ; custom_memcpy
    MOV ECX, ????????    ; last_section_rva
    ADD ECX, ????????    ; imagebase

These YARA rules use locate assembly instructions that reference 
the RC4 key data in the unpacked Zeus binary. 

The z3 rules looks for this:

    PUSH 102h
    LEA  EAX, [ESP+????????]
    PUSH EAX
    LEA  EAX, [ESP+??]
    PUSH EAX
    CALL ????????        ; custom_memcpy
    MOV  EAX, 1E6h
    PUSH EAX
    PUSH OFFSET ???????? ; encoded_magic

The z4 rules looks for this:

    PUSH 102h
    LEA  EAX, [EBP-????????]
    PUSH EAX
    LEA  EAX, [EBP-????????]
    PUSH EAX
    CALL ????????        ; custom_memcpy
    MOV  EAX, 1E6h
    PUSH EAX
    PUSH OFFSET ???????? ; encoded_magic
"""

zeus_key_sigs = {
    'namespace1':'rule z1 {strings: $a = {56 BA ?? ?? 00 00 52 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 8B 0D ?? ?? ?? ??} condition: $a}',
    'namespace5':'rule z5 {strings: $a = {56 BA ?? ?? 00 00 52 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 03 0D ?? ?? ?? ??} condition: $a}',
    'namespace2':'rule z2 {strings: $a = {55 8B EC 51 A1 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 56 8D 34 01 A1 ?? ?? ?? ?? 8B 0D ?? ?? ?? ??} condition: $a}',
    'namespace3':'rule z3 {strings: $a = {68 02 01 00 00 8D 84 24 ?? ?? ?? ?? 50 8D 44 24 ?? 50 E8 ?? ?? ?? ?? B8 E6 01 00 00 50 68 ?? ?? ?? ??} condition: $a}',
    'namespace4':'rule z4 {strings: $a = {68 02 01 00 00 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? B8 E6 01 00 00 50 68 ?? ?? ?? ??} condition: $a}'
}

class ZeusScan2(malware.ApiHooks):
    "Scan for and dump Zeus RC4 keys"

    def __init__(self, config, *args):
        malware.ApiHooks.__init__(self, config, *args)
        config.remove_option("KERNEL")
        config.add_option('DUMP-DIR', short_option = 'D', default = None,
                          help = 'Directory in which to dump the files')

    def rc4(self, key, encoded):
        """ Perform a basic RC4 operation """
        # Turn the buffers into lists so the elements are mutable
        key_copy = [ord(c) for c in key]
        enc_copy = [ord(c) for c in encoded]
        # Start with the last two bytes in the key
        var1 = key_copy[0x100]
        var2 = key_copy[0x101]
        # Do the RC4 algorithm
        for i in range(0, len(enc_copy)):
            var1 += 1
            a = var1 & 0xFF
            b = key_copy[a]
            var2 += b
            var2 &= 0xFF
            key_copy[a]  = key_copy[var2]
            key_copy[var2] = b
            enc_copy[i] ^= key_copy[(key_copy[a] + b) & 0xFF]
        # Return the decoded bytes as a string
        decoded = [chr(c) for c in enc_copy]
        return ''.join(decoded)

    def rc4_init(self, data):
        """ Initialize the RC4 keystate """
        # The key starts off as a mutable list
        key = list()
        for i in range(0, 256):
            key.append(i)
        # Add the trailing two bytes
        key.append(0)
        key.append(0)
        # Make a copy of the data so its mutable also
        data_copy = [ord(c) for c in data]
        var1 = 0
        var2 = 0
        for i in range(0, 256):
            a = key[i]
            var2 += (data_copy[var1] + a)
            var2 &= 0xFF
            var1 += 1
            key[i] = key[var2]
            key[var2] = a
        # Return a copy of the key as a string
        return ''.join([chr(c) for c in key])

    def decode_config(self, encoded_config, last_sec_data):
        """ Decode the config buffer with the bytes at the start of the last PE section """
        decoded_config = ''
        for i in range(0, len(encoded_config)):
            decoded_config += chr(ord(last_sec_data[i]) ^ ord(encoded_config[i]))
        return decoded_config

    def parse_string(self, buf):
        s = ''.join([chr(c) for c in buf])
        if s.find('\x00'):
            s = s[0:s.find('\x00')]
        return s

    def get_hex(self, buf):
        # for Volatility 2.0 use the following
        return malware.hd(buf)
        # for Volatility >= 2.1 use the following
        #return "\n".join(["{0:#010x}  {1:<48}  {2}".format(o, h, ''.join(c)) for o, h, c in utils.Hexdump(buf)])

    def calculate(self):
        addr_space = malware.get_malware_space(self._config)
        addr_space.profile.add_types(zeus_types)

        RC4_KEYSIZE = 0x102

        # cycle the processes
        for p in self.filter_tasks(tasks.pslist(addr_space)):

            # get the process address space
            ps_ad = p.get_process_address_space()
            if ps_ad == None:
                continue

            rules  = yara.compile(sources = zeus_key_sigs)

            # traverse the VAD
            for vad in p.VadRoot.traverse():

                if vad == None:
                    continue

                # find the start and end range
                
                ## for Volatility 2.0 use the following
                start = vad.StartingVpn << 12
                end   = ((vad.EndingVpn + 1) << 12) - 1
                data  = malware.get_vad_data(ps_ad, start, end) 
                ## For Volatility >= 2.1 use the following
                #start = vad.get_start()
                #end   = vad.get_end()
                #data  = vad.get_data()

                # last check for PE headers at the base 
                if data[0:2] != 'MZ':
                    continue

                # check for the signature with YARA, both hits must be present
                matches = rules.match(data=data)

                if len(matches) != 2:
                    continue

                # get the NT header
                dos_header = obj.Object("_IMAGE_DOS_HEADER", start, ps_ad)
                nt_header = dos_header.get_nt_header()

                # there must be more than 2 sections 
                if nt_header.FileHeader.NumberOfSections < 2:
                    continue

                # get the last PE section's data 
                sections = list(nt_header.get_sections(unsafe=False))
                
                last_sec = sections[-1]
                last_sec_data = ps_ad.read((last_sec.VirtualAddress + start), last_sec.Misc.VirtualSize)

                # contains C2 URL, RC4 key for decoding local.ds and the magic buffer
                decoded_config = ''
                # contains hw lock info, the user.ds RC4 key, and XOR key
                encoded_magic  = ''

                for match in matches:
                    sigaddr = (match.strings[0][0] + start)
                    debug.debug('Found {0} at {1:#x}'.format(match.rule, sigaddr))
                    if match.rule == 'z1':
                        encoded_config = ps_ad.read(
                            obj.Object('unsigned long', offset = sigaddr + 8, vm = ps_ad),
                            obj.Object('unsigned long', offset = sigaddr + 2, vm = ps_ad))
                        decoded_config = self.decode_config(encoded_config, last_sec_data)
                    elif match.rule == 'z2':
                        config_ptr = obj.Object('unsigned long', offset = sigaddr + 26, vm = ps_ad)
                        config_ptr = obj.Object('unsigned long', offset = config_ptr, vm = ps_ad)
                        encoded_config = ps_ad.read(config_ptr, 0x3c8)
                        decoded_config = self.rc4(self.rc4_init(encoded_config), last_sec_data[2:])
                    elif match.rule == 'z5':
                        encoded_config = ps_ad.read(
                            obj.Object('unsigned long', offset = sigaddr + 8, vm = ps_ad),
                            obj.Object('unsigned long', offset = sigaddr + 2, vm = ps_ad))
                        decoded_config = self.decode_config(encoded_config, last_sec_data)
                    elif match.rule == 'z3':
                        encoded_magic = ps_ad.read(
                            obj.Object('unsigned long', offset = sigaddr + 30, vm = ps_ad),
                            addr_space.profile.get_obj_size('_ZEUS_MAGIC'))
                    elif match.rule == 'z4':
                        encoded_magic = ps_ad.read(
                            obj.Object('unsigned long', offset = sigaddr + 31, vm = ps_ad),
                            addr_space.profile.get_obj_size('_ZEUS_MAGIC'))

                if not decoded_config or not encoded_magic:
                    continue

                debug.debug("encoded_config:\n{0}\n".format(self.get_hex(encoded_config)))
                debug.debug("decoded_config:\n{0}\n".format(self.get_hex(decoded_config)))
                debug.debug("encoded_magic:\n{0}\n".format(self.get_hex(encoded_magic)))

                offset = 0 

                decoded_magic = ''
                config_key = ''

                found = False

                while offset < len(decoded_config) - RC4_KEYSIZE:

                    config_key = decoded_config[offset:offset+RC4_KEYSIZE]
                    decoded_magic = self.rc4(config_key, encoded_magic)

                    # when the first four bytes of the decoded magic buffer equal the size
                    # of the magic buffer, then we've found a winning RC4 key
                    (struct_size,) = struct.unpack("=I", decoded_magic[0:4])

                    if struct_size == addr_space.profile.get_obj_size('_ZEUS_MAGIC'):
                        found = True
                        break

                    offset += 1

                if not found:
                    debug.debug('Error, cannot decode magic')
                    continue

                debug.debug("decoded_magic:\n{0}\n".format(self.get_hex(decoded_magic)))
                debug.debug("config_key:\n{0}\n".format(self.get_hex(config_key)))

                # grab the URL from the decoded buffer
                url = decoded_config[decoded_config.find("http"):]
                url = url[:url.find('\x00')]

                # report what we've found
                rc4_offset = addr_space.profile.get_obj_offset('_ZEUS_MAGIC', 'rc4key')
                creds_key  = decoded_magic[rc4_offset:rc4_offset + RC4_KEYSIZE]
                yield p, start, url, config_key, creds_key, decoded_config, decoded_magic

    def render_text(self, outfd, data):

        for p, start, url, config_key, creds_key, decoded_config, decoded_magic in data:

            # get a magic object from the buffer
            buffer_space = addrspace.BufferAddressSpace(config=self._config, data=decoded_magic)
            buffer_space.profile.add_types(zeus_types)
            magic_obj = obj.Object('_ZEUS_MAGIC', offset = 0, vm = buffer_space)

            # This simulates how Zeus uses PathRenameExtensionW
            datfile = self.parse_string(magic_obj.datfile)[0:-4] + ".dat"

            syntax = "-" * 50 + '\n' + \
                     "Process:     {0}\n".format(p.ImageFileName) + \
                     "Pid:         {0}\n".format(p.UniqueProcessId) + \
                     "Address:     0x{0:X}\n".format(start) + \
                     "URL:         {0}\n".format(url) + \
                     "Identifier:  {0}\n".format(''.join([chr(c) for c in magic_obj.guid if c != 0])) + \
                     "Mutant key:  0x{0:X}\n".format(magic_obj.guid_xor_key) + \
                     "XOR key:     0x{0:X}\n".format(magic_obj.xorkey) + \
                     "Registry:    HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\{0}\n".format(self.parse_string(magic_obj.keyname)) + \
                     "  Value 1:   {0}\n".format(self.parse_string(magic_obj.value1)) + \
                     "  Value 2:   {0}\n".format(self.parse_string(magic_obj.value2)) + \
                     "  Value 3:   {0}\n".format(self.parse_string(magic_obj.value3)) + \
                     "Executable:  {0}\n".format(self.parse_string(magic_obj.exefile)) + \
                     "Data file:   {0}\n".format(datfile) + "\n" + \
                     "Config RC4 Key:\n{0}\n".format(self.get_hex(config_key)) + \
                     "Credential RC4 Key:\n{0}\n".format(self.get_hex(creds_key)) 

            if self._config.DUMP_DIR:

                fname_conf = "{0}.{1:#x}.conf.key".format(p.UniqueProcessId, start)
                fname_cred = "{0}.{1:#x}.cred.key".format(p.UniqueProcessId, start)

                f = open(os.path.join(self._config.DUMP_DIR, fname_conf), "wb")
                if f:
                    f.write(config_key)
                    f.close()
                
                f = open(os.path.join(self._config.DUMP_DIR, fname_cred), "wb")
                if f:
                    f.write(creds_key)
                    f.close()

            outfd.write(syntax)