Fix AV false-positives by packing executables

This commit is contained in:
Florian Bach 2022-06-15 19:29:55 +02:00
parent 1271d099e7
commit b5978dc7c4
5 changed files with 72 additions and 12 deletions


@ -7,15 +7,14 @@ on:
jobs: jobs:
build: build:
runs-on: ubuntu-20.04 runs-on: ubuntu-20.04
container: debian:bullseye
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v2
- name: Install compilers - name: Install compilers
run: | run: |
apt update sudo apt update
apt install -y gcc-mingw-w64-i686 gcc-mingw-w64-x86-64 sudo apt install -y gcc-mingw-w64-i686 gcc-mingw-w64-x86-64
apt install -y wget make zip sudo apt install -y wget make zip
- name: Compile - name: Compile
run: | run: |
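Review bot: Dropping `container: debian:bullseye` lets the MinGW toolchain version float with whatever the `ubuntu-20.04` runner image currently ships, so the executables that this job produces and that now get base64-embedded into the plugin are no longer built from a pinned environment. Since a reviewer can only check those embedded blobs by rebuilding them, consider recording the toolchain in the build log, e.g. adding `x86_64-w64-mingw32-gcc --version` after the install step, and publishing the SHA-256 of the two resulting EXE files with each release. The rest of the `Compile` step lies outside this hunk.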


@ -13,6 +13,23 @@ pushd keyextract
# Compile C programs: # Compile C programs:
make make
base64 decrypt_win32.exe > decrypt_win32_b64.txt
base64 decrypt_win64.exe > decrypt_win64_b64.txt
# Base64-encode binaries and place them inside decryptor.py:
sed "/@@@CALIBRE_DECRYPTOR_WIN32_B64@@@/ {
r decrypt_win32_b64.txt
d
}" -i ../keyextractDecryptor.py
sed "/@@@CALIBRE_DECRYPTOR_WIN64_B64@@@/ {
r decrypt_win64_b64.txt
d
}" -i ../keyextractDecryptor.py
rm decrypt_win32_b64.txt decrypt_win64_b64.txt
rm decrypt_win32.exe decrypt_win64.exe
popd popd
# Delete cache # Delete cache
@ -20,7 +37,7 @@ rm -r __pycache__
rm *.pyc rm *.pyc
# Set module ID. This needs to be changed if any of the module ZIPs change. # Set module ID. This needs to be changed if any of the module ZIPs change.
echo -n "2022-05-14-02" > module_id.txt echo -n "2022-06-15-01" > module_id.txt
# Copy LICENSE and README.md so it'll be included in the ZIP. # Copy LICENSE and README.md so it'll be included in the ZIP.
cp ../LICENSE LICENSE cp ../LICENSE LICENSE
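Review bot: The sed block that splices the base64 files into `../keyextractDecryptor.py` never checks that the placeholders were found or that the `.txt` files are non-empty, so a failed or skipped `make` (unless the script runs under `set -e`, which is not visible in this hunk) would silently ship a plugin whose `data_win32`/`data_win64` strings are empty or still hold `@@@CALIBRE_DECRYPTOR_WIN32_B64@@@`. A guard before the substitution, `test -s decrypt_win32_b64.txt -a -s decrypt_win64_b64.txt || exit 1`, and one after it, `grep -q '@@@CALIBRE_DECRYPTOR_' ../keyextractDecryptor.py && { echo 'placeholder not replaced'; exit 1; }`, catch both cases. Because the executables are now shipped as opaque blobs, emitting `sha256sum decrypt_win32.exe decrypt_win64.exe` into the build log before the `rm` line gives reviewers and packagers something to compare a local rebuild of `main.c` against.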


@ -192,14 +192,27 @@ class DeACSM(FileTypePlugin):
if islinux: if islinux:
# Also extract EXE files needed for WINE ADE key extraction # Also extract EXE files needed for WINE ADE key extraction
names = [ "keyextract/decrypt_win32.exe", "keyextract/decrypt_win64.exe" ] # EXE files are obfuscated with base64 so that stupid AV programs
lib_dict = self.load_resources(names) # don't flag this whole plugin as malicious.
for entry, data in lib_dict.items(): # See keyextractDecryptor.py and the folder "keyextract" for more information.
file_path = os.path.join(rand_path, entry.split('/')[1])
f = open(file_path, "wb") try:
f.write(data) print("{0} v{1}: Extracting WINE key tools ...".format(PLUGIN_NAME, PLUGIN_VERSION))
from keyextractDecryptor import get_win32_data, get_win64_data
file32 = os.path.join(rand_path, "decrypt_win32.exe")
f = open(file32, "wb")
f.write(get_win32_data())
f.close() f.close()
file64 = os.path.join(rand_path, "decrypt_win64.exe")
f = open(file64, "wb")
f.write(get_win64_data())
f.close()
except:
print("{0} v{1}: Error while extracting packed WINE ADE key extraction EXE files ".format(PLUGIN_NAME, PLUGIN_VERSION))
traceback.print_exc()
# Write module ID # Write module ID
if id_plugin is not None: if id_plugin is not None:
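Review bot: The new `except:` around the WINE tool extraction is a bare except, so it also swallows `KeyboardInterrupt` and `SystemExit`; `except Exception:` keeps the intended best-effort behaviour without that. The two `open(..., "wb")` calls are not wrapped in `with`, so an exception inside `f.write(...)` leaks the handle and can leave a truncated `decrypt_win32.exe`/`decrypt_win64.exe` in `rand_path` that a later step may still try to run under WINE. The decoded bytes are also written out with no integrity check; comparing `hashlib.sha256(...)` of each decoded blob against a digest recorded at build time (a build artefact, not shown here) would reject a corrupted or tampered embedded string before anything executes it. The enclosing method starts and ends outside this hunk.
```python
try:
    print("{0} v{1}: Extracting WINE key tools ...".format(PLUGIN_NAME, PLUGIN_VERSION))
    from keyextractDecryptor import get_win32_data, get_win64_data
    # One loop for both tools; `with` closes the handle even if the write fails.
    for exe_name, loader in (("decrypt_win32.exe", get_win32_data), ("decrypt_win64.exe", get_win64_data)):
        with open(os.path.join(rand_path, exe_name), "wb") as f:
            f.write(loader())
except Exception:
    print("{0} v{1}: Error while extracting packed WINE ADE key extraction EXE files ".format(PLUGIN_NAME, PLUGIN_VERSION))
    traceback.print_exc()
# … unchanged: module ID write …
```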


@ -5,7 +5,7 @@ clean:
rm decrypt_win32.exe decrypt_win64.exe 2>/dev/null || /bin/true rm decrypt_win32.exe decrypt_win64.exe 2>/dev/null || /bin/true
decrypt_win32.exe: main.c Makefile decrypt_win32.exe: main.c Makefile
i686-w64-mingw32-gcc main.c -O2 -o decrypt_win32.exe -lcrypt32 i686-w64-mingw32-gcc main.c -Os -o decrypt_win32.exe -lcrypt32
i686-w64-mingw32-strip decrypt_win32.exe i686-w64-mingw32-strip decrypt_win32.exe
decrypt_win64.exe: main.c Makefile decrypt_win64.exe: main.c Makefile


@ -0,0 +1,31 @@
# NOTE:
# This file contains the two Windows executables "decrypt_win32.exe" and "decrypt_win64.exe"
# in base64-encoded form. The source code for these files can be found inside the main.c file
# in the "keyextract" directory. It's only ~200 lines of harmless C source code.
# These two programs are used only for Linux-based OSes, in order to run them in a WINE
# environment to extract ADE account data from an ADE instance running in WINE.
# Because these programs are decrypting data that belongs to another program (account data
# from ADE), various antivirus programs might detect them as malicious and try to block the
# plugin. As these executables aren't needed on Windows and MacOS (only on Linux), they
# are included here in obfuscated form and are only extracted when on Linux. This should make
# antivirus programs shut up and stop reporting this plugin as a virus.
import base64
def get_win32_data():
return base64.b64decode(data_win32)
def get_win64_data():
return base64.b64decode(data_win64)
data_win32 = """
@@@CALIBRE_DECRYPTOR_WIN32_B64@@@
"""
data_win64 = """
@@@CALIBRE_DECRYPTOR_WIN64_B64@@@
"""