A robust, multiprocessing-capable, multi-family RAT config parser/config extractor for AsyncRAT, DcRAT, VenomRAT, QuasarRAT, XWorm, Xeno RAT, and cloned/derivative RAT families.
MIT License
32 stars, 4 forks
Explore brute-forcing configuration when VerifyHash() is not present #3
Since the initial commit, a handful of samples have been discovered that share a similar configuration structure, but lack the VerifyHash() function used as a marker in the parser today.
It may be possible to bypass using that function marker altogether by examining all static constructors in the file, checking if they meet the known structure of the config, and parsing that way when the VerifyHash() check fails (or, if this turns out to be more reliable, just drop the marker altogether).
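One way to prototype the fallback proposed in this issue, as an added example that is not the project's own parser code: try the VerifyHash() marker first, and when no type declares it, decode every static constructor and keep only those that look like a settings initialiser (straight-line `value; stsfld` pairs ending in `ret`, at least N fields, mostly base64 string literals). The example assumes method bodies and the user-string table have already been pulled out of the .NET metadata (a real extractor would get them from the MethodDef table and #US heap through a library such as dnfile); the method names, tokens and strings below are constructed for the demonstration and do not come from any real sample.

```python
"""Marker-then-scan config locator. Example code for this issue, not the
project's parser. Method bodies and the user-string table are constructed
inline; a real extractor resolves them from the .NET metadata."""
import base64
import binascii
import struct
from dataclasses import dataclass

# One-byte CIL opcodes a settings initialiser uses, with inline operand sizes.
# Anything else (branches, newobj, ...) aborts decoding: a config .cctor is
# straight-line code, so an unsupported opcode is itself a negative signal.
OPCODES = {
    0x00: ("nop", 0), 0x14: ("ldnull", 0), 0x16: ("ldc.i4.0", 0),
    0x17: ("ldc.i4.1", 0), 0x1F: ("ldc.i4.s", 1), 0x20: ("ldc.i4", 4),
    0x28: ("call", 4), 0x2A: ("ret", 0), 0x72: ("ldstr", 4),
    0x7E: ("ldsfld", 4), 0x80: ("stsfld", 4),
}
VALUE_PRODUCERS = {"ldstr", "ldc.i4", "ldc.i4.s", "ldc.i4.0", "ldc.i4.1",
                   "ldnull", "call", "ldsfld"}


@dataclass
class Method:
    type_name: str
    name: str
    body: bytes          # raw CIL, method header already stripped


@dataclass
class Candidate:
    type_name: str
    field_count: int     # static fields the .cctor stores into
    strings: list        # string literals stored into fields, in order
    b64_ratio: float     # share of those strings that are valid base64
    matches: bool


def decode_cil(body):
    """Decode CIL into (mnemonic, operand) pairs; ValueError on unsupported opcode."""
    instrs, i = [], 0
    while i < len(body):
        op = body[i]
        if op not in OPCODES:
            raise ValueError(f"unsupported opcode 0x{op:02x} at offset {i}")
        name, size = OPCODES[op]
        i += 1
        operand = None
        if size == 1:
            operand = struct.unpack_from("<b", body, i)[0]
        elif size == 4:  # ldc.i4 is a signed immediate, everything else a token
            operand = struct.unpack_from("<i" if name == "ldc.i4" else "<I", body, i)[0]
        i += size
        instrs.append((name, operand))
    return instrs


def is_base64(s):
    if len(s) < 8 or len(s) % 4:
        return False
    try:
        base64.b64decode(s, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def analyse_cctor(method, user_strings, min_fields=6):
    """Structural check: every stsfld fed by a value producer, body ends in ret,
    enough fields, and at least half of the stored strings are base64."""
    try:
        instrs = decode_cil(method.body)
    except ValueError:
        return Candidate(method.type_name, 0, [], 0.0, False)
    strings, stores = [], 0
    well_formed = bool(instrs) and instrs[-1][0] == "ret"
    for idx, (name, _) in enumerate(instrs):
        if name != "stsfld":
            continue
        stores += 1
        prev = instrs[idx - 1] if idx else ("", None)
        if prev[0] not in VALUE_PRODUCERS:
            well_formed = False
        if prev[0] == "ldstr":
            strings.append(user_strings.get(prev[1], ""))
    ratio = sum(map(is_base64, strings)) / len(strings) if strings else 0.0
    return Candidate(method.type_name, stores, strings, ratio,
                     well_formed and stores >= min_fields and ratio >= 0.5)


def find_config(methods, user_strings, min_fields=6):
    """Marker first: the .cctor of a type declaring VerifyHash. Otherwise scan
    all .cctors and return the best-scoring structural match, or None."""
    marked = {m.type_name for m in methods if m.name == "VerifyHash"}
    cctors = [m for m in methods if m.name == ".cctor"]
    for m in cctors:
        if m.type_name in marked:
            cand = analyse_cctor(m, user_strings, min_fields)
            if cand.matches:
                return cand
    matching = [c for c in (analyse_cctor(m, user_strings, min_fields) for m in cctors) if c.matches]
    return max(matching, key=lambda c: (c.field_count, c.b64_ratio), default=None)


# --- constructed sample: hypothetical tokens, strings and type names ---
def _ldstr(tok): return b"\x72" + struct.pack("<I", tok)
def _stsfld(tok): return b"\x80" + struct.pack("<I", tok)

USER_STRINGS = {
    0x70000001: "NDQ0NA==", 0x70000002: "MTI3LjAuMC4x", 0x70000003: "bm90IGEgcmVhbCBjb25maWc=",
    0x70000004: "dHJ1ZQ==", 0x70000005: "%AppData%", 0x70000006: "ZmFsc2U=", 0x70000007: "RGVmYXVsdA==",
}
SETTINGS_BODY = b"".join(_ldstr(0x70000000 + i) + _stsfld(0x04000000 + i) for i in range(1, 8)) + b"\x2a"
DECOY_BODY = b"\x16" + _stsfld(0x04000010) + b"\x14" + _stsfld(0x04000011) + b"\x2a"  # only two fields
BRANCHY_BODY = b"\x16\x2c\x02" + _ldstr(0x70000001) + _stsfld(0x04000012) + b"\x2a"   # brfalse.s: rejected

SAMPLE_NO_MARKER = [Method("Program", ".cctor", DECOY_BODY),
                    Method("Helper", ".cctor", BRANCHY_BODY),
                    Method("Settings", ".cctor", SETTINGS_BODY)]
SAMPLE_WITH_MARKER = SAMPLE_NO_MARKER + [Method("Settings", "VerifyHash", b"\x2a")]

if __name__ == "__main__":
    for sample in (SAMPLE_NO_MARKER, SAMPLE_WITH_MARKER):
        c = find_config(sample, USER_STRINGS)
        print(c.type_name, c.field_count, f"{c.b64_ratio:.2f}", c.strings)
```

The scan deliberately treats any opcode outside the small straight-line set as disqualifying rather than skipping it, so a constructor with control flow is rejected early instead of producing a partial field list; the base64 threshold and minimum field count are the knobs to tune against the samples that lack VerifyHash().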