From 2392b32bfb4b14d55f1329eeee435b05cf2f6ae0 Mon Sep 17 00:00:00 2001
From: Drew Bonasera
Date: Wed, 29 Jun 2016 14:16:22 -0400
Subject: [PATCH 1/5] Fix mixed indenting
---
cloakify.py | 6 +++---
decloakify.py | 4 ++--
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/cloakify.py b/cloakify.py
index e87774f..6013104 100644
--- a/cloakify.py
+++ b/cloakify.py
@@ -51,14 +51,14 @@ base64.encode( open( sys.argv[1] ), open( payloadB64, "w" )) with open( payloadB64 ) as file: - payloadCloaked = file.read() + payloadCloaked = file.read() with open( sys.argv[2]) as file: - arrayCipher = file.readlines() + arrayCipher = file.readlines() for char in payloadCloaked: if char != '\n': print arrayCipher[ array64.index(char) ], if os.path.exists( payloadB64 ): - os.remove( payloadB64 ) + os.remove( payloadB64 )
diff --git a/decloakify.py b/decloakify.py
index 3d778cd..2bf74b6 100644
--- a/decloakify.py
+++ b/decloakify.py
@@ -35,10 +35,10 @@ else: with open( sys.argv[1]) as file: - listExfiltrated = file.readlines() + listExfiltrated = file.readlines() with open( sys.argv[2]) as file: - arrayCipher = file.readlines() + arrayCipher = file.readlines() clear64 = ""
From af235dcce3f5528e8da5b2d3b2a7549e212895e9 Mon Sep 17 00:00:00 2001
From: Drew Bonasera
Date: Wed, 29 Jun 2016 14:34:04 -0400
Subject: [PATCH 2/5] Add python 3 support
---
cloakify.py | 9 +++++----
decloakify.py | 8 ++++----
2 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/cloakify.py b/cloakify.py
index 6013104..5f5c60a 100644
--- a/cloakify.py
+++ b/cloakify.py
@@ -38,17 +38,18 @@ # - Creates temporary Base64 file in local directory and deletes when finished, # but does not do "secure delete" (potential digital forensics trail) +from __future__ import division, absolute_import, with_statement, print_function, unicode_literals import os, sys, getopt, base64 array64 = list("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789/+=") payloadB64 = "payloadB64.txt"; if ( len(sys.argv) != 3 ): - print "usage: cloakify.py " - exit + print("usage: cloakify.py ") + exit() else: - base64.encode( open( sys.argv[1] ), open( payloadB64, "w" )) + base64.encode( open( sys.argv[1], 'rb' ), open( payloadB64, "wb" )) with open( payloadB64 ) as file: payloadCloaked = file.read()
@@ -58,7 +59,7 @@ for char in payloadCloaked: if char != '\n': - print arrayCipher[ array64.index(char) ], + print(arrayCipher[ array64.index(char) ], end='') if os.path.exists( payloadB64 ): os.remove( payloadB64 )
diff --git a/decloakify.py b/decloakify.py
index 2bf74b6..c2b4611 100644
--- a/decloakify.py
+++ b/decloakify.py
@@ -24,14 +24,14 @@ # # $ ./decloakify.py cloakedPayload.txt ciphers/desserts.ciph - +from __future__ import division, absolute_import, with_statement, print_function, unicode_literals import sys, getopt, base64 array64 = list("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789/+=") if ( len(sys.argv) != 3 ): - print "usage: decloakify.py " - exit + print("usage: decloakify.py ") + exit() else: with open( sys.argv[1]) as file:
@@ -45,4 +45,4 @@ for word in listExfiltrated: clear64 += array64[ arrayCipher.index(word) ] - print base64.b64decode( clear64 ) + print(base64.b64decode( clear64 ).decode('utf8'))
From af5b1f318c573038806cce86af622c8426b137c0 Mon Sep 17 00:00:00 2001
From: Drew Bonasera
Date: Wed, 29 Jun 2016 14:51:02 -0400
Subject: [PATCH 3/5] PEP8 changes. More pretty!
---
cloakify.py | 20 +++++++++++---------
decloakify.py | 17 +++++++++--------
2 files changed, 20 insertions(+), 17 deletions(-)
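Review bot: The two file objects handed to the added `base64.encode( open( sys.argv[1], 'rb' ), open( payloadB64, "wb" ))` are never closed, so flushing the temporary file before the following `with open( payloadB64 )` reads it relies on the interpreter collecting the objects promptly, which CPython's refcounting happens to do but other implementations do not promise; `with open(sys.argv[1], 'rb') as src, open(payloadB64, 'wb') as dst:` / `    base64.encode(src, dst)` bounds both handles explicitly. The `exit()` added in the usage branch is the `site` convenience builtin and terminates with status 0, so a caller cannot tell a usage error from success; `sys.exit(1)` is the conventional form, and the same applies to the `exit()` added in the decloakify.py hunk at -24,14. The `else:` block containing these lines continues past the end of the hunk.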
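Review bot: The new `print(arrayCipher[ array64.index(char) ], end='')` indexes the cipher list with positions up to 64, so a cipher file with fewer than 65 lines raises IndexError partway through the output, after some of it has already been printed. It also relies on every cipher line, including the last one, keeping the trailing newline that readlines() preserves, because `end=''` supplies no separator of its own; a last line without a newline fuses the final two words. A guard after the readlines() call in the preceding hunk, `if len(arrayCipher) < len(array64): sys.exit("cipher file needs at least %d lines" % len(array64))`, makes the first failure explicit. The enclosing `else:` block starts outside this hunk.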
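Review bot: The added `.decode('utf8')` assumes the recovered payload is UTF-8 text, but this same commit opens cloakify.py's input in binary mode, so a cloaked binary file now fails with UnicodeDecodeError when decloaked, and even a text payload picks up an extra newline from print(). Writing the raw bytes keeps the round trip lossless on both interpreters the `__future__` line targets: `out = getattr(sys.stdout, 'buffer', sys.stdout)` then `out.write(base64.b64decode(clear64))`. The `arrayCipher.index(word)` on the context line above raises ValueError for a word absent from the cipher, which predates this change but is worth a clearer message. The `else:` block holding this loop begins outside the hunk.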
diff --git a/cloakify.py b/cloakify.py
index 5f5c60a..79c9c9c 100644
--- a/cloakify.py
+++ b/cloakify.py
@@ -39,27 +39,29 @@ # but does not do "secure delete" (potential digital forensics trail) from __future__ import division, absolute_import, with_statement, print_function, unicode_literals -import os, sys, getopt, base64 +import os +import sys +import base64 array64 = list("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789/+=") -payloadB64 = "payloadB64.txt"; +payloadB64 = "payloadB64.txt" -if ( len(sys.argv) != 3 ): +if len(sys.argv) != 3: print("usage: cloakify.py ") exit() else: - base64.encode( open( sys.argv[1], 'rb' ), open( payloadB64, "wb" )) + base64.encode(open(sys.argv[1], 'rb'), open(payloadB64, "wb")) - with open( payloadB64 ) as file: + with open(payloadB64) as file: payloadCloaked = file.read() - with open( sys.argv[2]) as file: + with open(sys.argv[2]) as file: arrayCipher = file.readlines() for char in payloadCloaked: if char != '\n': - print(arrayCipher[ array64.index(char) ], end='') + print(arrayCipher[array64.index(char)], end='') - if os.path.exists( payloadB64 ): - os.remove( payloadB64 ) + if os.path.exists(payloadB64): + os.remove(payloadB64)
diff --git a/decloakify.py b/decloakify.py
index c2b4611..601607a 100644
--- a/decloakify.py
+++ b/decloakify.py
@@ -10,8 +10,8 @@ # against human analysts and their workflows. Bonus Feature: Defeats signature-based # malware detection tools (cloak your other tools). # -# Description: Decodes the output of cloakify.py into its underlying Base64 format, -# then does Base64 decoding to unpack the cloaked payload file. Requires the use of the +# Description: Decodes the output of cloakify.py into its underlying Base64 format, +# then does Base64 decoding to unpack the cloaked payload file. Requires the use of the # same cipher that was used to cloak the file prior to exfitration, of course. # # Prepackaged ciphers include: lists of desserts in English, Arabic, Thai, Russian,
@@ -25,24 +25,25 @@ # $ ./decloakify.py cloakedPayload.txt ciphers/desserts.ciph from __future__ import division, absolute_import, with_statement, print_function, unicode_literals -import sys, getopt, base64 +import sys +import base64 array64 = list("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789/+=") -if ( len(sys.argv) != 3 ): +if len(sys.argv) != 3: print("usage: decloakify.py ") exit() else: - with open( sys.argv[1]) as file: + with open(sys.argv[1]) as file: listExfiltrated = file.readlines() - with open( sys.argv[2]) as file: + with open(sys.argv[2]) as file: arrayCipher = file.readlines() clear64 = "" for word in listExfiltrated: - clear64 += array64[ arrayCipher.index(word) ] + clear64 += array64[arrayCipher.index(word)] - print(base64.b64decode( clear64 ).decode('utf8')) + print(base64.b64decode(clear64).decode('utf-8'))
From aa1446d57a61f11edc0733c19ce6703625b75048 Mon Sep 17 00:00:00 2001
From: Drew Bonasera
Date: Wed, 29 Jun 2016 14:52:11 -0400
Subject: [PATCH 4/5] Remove need for temp file
---
cloakify.py | 12 +-----------
1 file changed, 1 insertion(+), 11 deletions(-)
diff --git a/cloakify.py b/cloakify.py
index 79c9c9c..c5b76f4 100644
--- a/cloakify.py
+++ b/cloakify.py
@@ -35,26 +35,19 @@ # Current Limitations (to be fixed in future development): # # - Vulnerable to frequency analysis attacks -# - Creates temporary Base64 file in local directory and deletes when finished, -# but does not do "secure delete" (potential digital forensics trail) from __future__ import division, absolute_import, with_statement, print_function, unicode_literals -import os import sys import base64 array64 = list("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789/+=") -payloadB64 = "payloadB64.txt" if len(sys.argv) != 3: print("usage: cloakify.py ") exit() else: - base64.encode(open(sys.argv[1], 'rb'), open(payloadB64, "wb")) - - with open(payloadB64) as file: - payloadCloaked = file.read() + payloadCloaked = base64.b64encode(open(sys.argv[1], 'rb').read()).decode('utf-8') with open(sys.argv[2]) as file: arrayCipher = file.readlines()
@@ -62,6 +55,3 @@ for char in payloadCloaked: if char != '\n': print(arrayCipher[array64.index(char)], end='') - - if os.path.exists(payloadB64): - os.remove(payloadB64)
From 26ef0dad91edc05966646406c1de1c216b35fa06 Mon Sep 17 00:00:00 2001
From: Drew Bonasera
Date: Wed, 29 Jun 2016 15:05:36 -0400
Subject: [PATCH 5/5] Switch to use '/usr/bin/env python' as the interpreter. This makes it so it uses the same version of python as when the user types 'python'
---
cloakify.py | 2 +-
decloakify.py | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/cloakify.py b/cloakify.py
index c5b76f4..7f9a577 100644
--- a/cloakify.py
+++ b/cloakify.py
@@ -1,4 +1,4 @@ -#!/usr/bin/python +#!/usr/bin/env python # # Filename: cloakify.py #
diff --git a/decloakify.py b/decloakify.py
index 601607a..97fccef 100644
--- a/decloakify.py
+++ b/decloakify.py
@@ -1,4 +1,4 @@ -#!/usr/bin/python +#!/usr/bin/env python # # Filename: decloakify.py #
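Review bot: The added `payloadCloaked = base64.b64encode(open(sys.argv[1], 'rb').read()).decode('utf-8')` leaves the input file handle unclosed and depends on the interpreter collecting it, while the very next statement already uses `with` for the cipher file; `with open(sys.argv[1], 'rb') as infile:` / `    payloadCloaked = base64.b64encode(infile.read()).decode('ascii')` closes it deterministically and names the encoding Base64 output actually has. Because b64encode emits no line breaks, the `if char != '\n':` test in the loop of the following hunk is now dead, though harmless. Reading the whole input into memory is a change from the streaming `base64.encode` it replaces; fine for small payloads, worth a comment if large inputs are expected. The `else:` block holding the new line continues past the end of this hunk.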