shadowbrokers-exploits/windows/Resources/TeDi/PyScripts/sigs.py
2017-04-14 11:45:07 +02:00


import os
import re

import datastore
import dsz.cmd
import dsz.lp
import utils
from utils import limitedget, file_exists, reg_exists
def find_01():
    """Indicator 01: a ``StrtdCfg`` key under ``...\\CurrentVersion`` in HKLM
    or in any loaded user hive recorded in the datastore."""
    relative_key = 'software\\microsoft\\windows\\currentversion\\StrtdCfg'
    # The trailing (None, True) arguments are passed through unchanged; their
    # meaning is defined by utils.reg_exists.
    if utils.reg_exists('L', relative_key, None, True):
        return True
    return any(
        utils.reg_exists('U', '%s\\%s' % (user_key, relative_key), None, True)
        for user_key in datastore.HKEY_USERS_DATA
    )
def find_02():
    """Indicator 02: HKLM ``System\\CurrentControlSet\\Control\\CrashImage`` exists."""
    crash_image_key = 'System\\CurrentControlSet\\Control\\CrashImage'
    return bool(utils.reg_exists('L', crash_image_key, None, True))
def find_03():
    """Indicator 03: an entry named ``driver32`` in the system root listing."""
    return 'driver32' in datastore.SYSTEMROOT_FILE_SET
def find_04():
    """Indicator 04: a ``$NtUninstallQ817473$`` entry in the system directory,
    or one of several ``\\\\.\\Hd*`` / ``IdeDrive*`` device names that resolves."""
    if '$NtUninstallQ817473$' in datastore.SYSPATH_FILE_SET:
        return True
    device_names = ('Hd1', 'Hd2', 'IdeDrive1', 'IdeDrive2')
    # file_exists is given the device-namespace prefix and "<name>\\" as the leaf.
    return any(utils.file_exists('\\\\.', name + '\\') for name in device_names)
def find_05():
    """Indicator 05: a service named ``systmgmt`` is registered."""
    return 'systmgmt' in datastore.SERVICE_NAME_SET
def find_06():
    """Indicator 06: an ``ipmontr`` entry under either of two HKLM Explorer\\Run keys."""
    candidate_keys = (
        'Software\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer\\Run\\ipmontr',
        'Software\\Microsoft\\WinKernel\\Explorer\\Run\\ipmontr',
    )
    return any(utils.reg_exists('L', key) for key in candidate_keys)
def find_07():
    """Indicator 07: an ``Internet32`` entry under the HKLM policies Explorer\\Run key.

    Returns whatever utils.reg_exists returns (not coerced to bool).
    """
    run_entry = 'Software\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer\\Run\\Internet32'
    return utils.reg_exists('L', run_entry)
def find_08():
    """Indicator 08: ``s7otbxsx.dll`` in the system root, an ``mrxcls`` service,
    or ``mdmcpq3.pnf`` in the system ``inf`` directory."""
    if 's7otbxsx.dll' in datastore.SYSTEMROOT_FILE_SET:
        return True
    if 'mrxcls' in datastore.SERVICE_NAME_SET:
        return True
    inf_dir = '%s\\inf' % datastore.SYSPATH_STR
    return bool(utils.file_exists(inf_dir, 'mdmcpq3.pnf'))
def find_09():
    """Indicator 09: ``msaudio``, ``mssecuritymgr`` or ``MSAPackages`` inside
    ``<Program Files>\\Common Files\\Microsoft Shared``.

    Returns False when the directory listing command fails or records no
    DirItem data.
    """
    shared_dir = '%s\\Common Files\\Microsoft Shared' % datastore.PROGRAM_FILES_STR
    cmd_status, cmd_id = dsz.cmd.RunEx('dir -mask * -path "%s"' % shared_dir, dsz.RUN_FLAG_RECORD)
    if not cmd_status:
        return False
    try:
        entries = dsz.cmd.data.Get('DirItem::FileItem::name', dsz.TYPE_STRING, cmd_id)
    except RuntimeError:
        # No DirItem data recorded for this command id.
        return False
    return any(marker in entries for marker in ('msaudio', 'mssecuritymgr', 'MSAPackages'))
def find_10():
    """Indicator 10: ``icsvnt32.dll`` in the system root, or ``standarddatebias`` /
    ``standardtimebias`` values under the queried timezone key."""
    if 'icsvnt32.dll' in datastore.SYSTEMROOT_FILE_SET:
        return True
    # NOTE(review): the key path spells "CurrentControlCet", not "CurrentControlSet".
    # Kept verbatim: a misspelled key may itself be the artefact this signature looks
    # for, and the value names probed below are not standard TimeZoneInformation
    # values. Confirm with the signature's author before changing it.
    tz_query = 'registryquery -hive L -key "SYSTEM\\CurrentControlCet\\Control\\timezoneinformation"'
    cmd_status, cmd_id = dsz.cmd.RunEx(tz_query, dsz.RUN_FLAG_RECORD)
    if not cmd_status:
        return False
    try:
        value_names = dsz.cmd.data.Get('key::value::name', dsz.TYPE_STRING, cmd_id)
    except RuntimeError:
        return False
    return ('standarddatebias' in value_names) or ('standardtimebias' in value_names)
def find_11():
    """Indicator 11: ``ups32.exe`` / ``utilman32.exe`` running, ``ups32.exe`` in the
    drivers directory, or any of several marker files in the system root."""
    processes = datastore.PROCESS_NAME_SET
    if 'ups32.exe' in processes or 'utilman32.exe' in processes:
        return True
    if 'ups32.exe' in datastore.DRIVERPATH_FILE_SET:
        return True
    markers = frozenset(['ups32.exe', 'utilman32.exe', 'utliman32.exe', 'msvcp11.dll', 'msxml10.dll'])
    return not datastore.SYSTEMROOT_FILE_SET.isdisjoint(markers)
def find_12():
    """Indicator 12: a ``Network`` entry under All Users\\Application Data, or a
    ``Software\\Microsoft\\MSFix`` key in HKLM or any loaded user hive."""
    all_users_data = '%s\\All Users\\Application Data' % datastore.PROFILE_PATH
    if utils.file_exists(all_users_data, 'Network'):
        return True
    if utils.reg_exists('L', 'Software\\Microsoft\\MSFix'):
        return True
    return any(
        utils.reg_exists('U', '%s\\Software\\Microsoft\\MSFix' % user_key)
        for user_key in datastore.HKEY_USERS_DATA
    )
def find_13():
    """Indicator 13: a ``WOWmanager`` service, ``winstat.pdr`` in the system
    directory, or any of several marker files in the system root."""
    if 'WOWmanager' in datastore.SERVICE_NAME_SET:
        return True
    if 'winstat.pdr' in datastore.SYSPATH_FILE_SET:
        return True
    markers = frozenset(['winview.ocs', 'Mfc42l00.pdb', 'ISUninst.bin', 'mswmpdat.tlb', 'wmmini.swp', 'wowmgr.exe'])
    return not datastore.SYSTEMROOT_FILE_SET.isdisjoint(markers)
def find_14():
    """Indicator 14: ``c:\\win\\drivers\\slidebar.exe`` present together with one of
    several named values under the HKLM ``CurrentVersion\\Run`` key."""
    if not utils.file_exists('c:\\win\\drivers', 'slidebar.exe'):
        return False
    run_key = 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run'
    value_names = ('newval', 'WindowsFirewallSecurityServ', 'slidebar', 'MSDeviceDriver')
    # All four queries are issued before the result is folded, as the original did.
    checks = [utils.reg_exists('L', run_key, value) for value in value_names]
    return any(checks)
def find_15():
    """Indicator 15: a ``TlbControl`` service, or ``tlbcon32.exe`` / ``con32.nls``
    in the system root."""
    if 'TlbControl' in datastore.SERVICE_NAME_SET:
        return True
    sysroot = datastore.SYSTEMROOT_FILE_SET
    return ('tlbcon32.exe' in sysroot) or ('con32.nls' in sysroot)
def find_16():
    """Indicator 16: ``indsvc32.ocx`` in the system root or the system ``temp`` directory."""
    if 'indsvc32.ocx' in datastore.SYSTEMROOT_FILE_SET:
        return True
    temp_dir = '%s\\temp' % datastore.SYSPATH_STR
    return bool(utils.file_exists(temp_dir, 'indsvc32.ocx'))
def find_17():
    """Indicator 17: any of a list of marker DLL names in the system root, or an
    ``OptionFlags`` value under HKCR ``Lnkfile\\shellex\\IconHandler``."""
    marker_dlls = frozenset([
        'ADWM.DLL', 'ASFIPC.DLL', 'BROWUI.DLL', 'CAPESPN.DLL', 'CFGKRNL3.DLL',
        'CRYPTKRN.DLL', 'DESKKRNE.DLL', 'DSKMGR.DLL', 'EXPLORED.DLL', 'FMEM.DLL',
        'HDDBACK4.DLL', 'HWMAP.DLL', 'ipnetd.dll', 'IPNETD.DLL', 'KNRLADD.DLL',
        'MAILAPIC.DLL', 'MSGRTHLP.DLL', 'MSIAXCPL.DLL', 'MSID32.DLL', 'MSRECV40.DLL',
        'NCFG.DLL', 'PARALEUI.DLL', 'secur16.dll', 'SECUR16.DLL', 'SOUNDLOC.DLL',
        'WINF.DLL', 'WMCRT.DLL',
    ])
    if not datastore.SYSTEMROOT_FILE_SET.isdisjoint(marker_dlls):
        return True
    return bool(utils.reg_exists('R', 'Lnkfile\\shellex\\IconHandler', 'OptionFlags'))
def find_18():
    """Indicator 18: marker files in the system root, marker service names, or
    marker files in two application directories listed via the framework.

    A failed listing (command failure or no recorded DirItem data) ends the
    check with False, as in the original.
    """
    sysroot = datastore.SYSTEMROOT_FILE_SET
    if 'msprnt.exe' in sysroot or 'fmem.dll' in sysroot:
        return True
    service_markers = frozenset(['pnppci', 'ethio', 'ntdos505', 'ndisio'])
    if not datastore.SERVICE_NAME_SET.isdisjoint(service_markers):
        return True

    def listing(directory):
        # Recorded name list for a directory, or None when nothing usable came back.
        cmd_status, cmd_id = dsz.cmd.RunEx('dir -mask * -path "%s"' % directory, dsz.RUN_FLAG_RECORD)
        if not cmd_status:
            return None
        try:
            return dsz.cmd.data.Get('DirItem::FileItem::name', dsz.TYPE_STRING, cmd_id)
        except RuntimeError:
            return None

    app_data_names = listing('%s\\All Users\\Application Data' % datastore.PROFILE_PATH)
    if app_data_names is None:
        return False
    if 'msncp.exe' in app_data_names or 'netsvcs.exe' in app_data_names:
        return True
    triedit_names = listing('%s\\common files\\microsoft shared\\Triedit' % datastore.PROGRAM_FILES_STR)
    if triedit_names is None:
        return False
    return any(name in triedit_names for name in ('htmlprsr.exe', 'dhtmled.dll', 'TRIEDIT.TLB'))
def find_19():
    """Indicator 19: ``nsecm.dll`` in the system root."""
    sysroot = datastore.SYSTEMROOT_FILE_SET
    return 'nsecm.dll' in sysroot
def find_20():
    """Indicator 20: a GUID-suffixed ``svchost...dat`` file, an ``update.msi`` under
    one of several MSI directories, ``wusvcd.exe`` under Common Files, a
    ``WinMI32`` / ``wusvcd`` service, or a ``Windows Management Infrastructure``
    entry under ``<SystemRoot>\\Microsoft``."""
    profile = datastore.PROFILE_PATH
    program_files = datastore.PROGRAM_FILES_STR
    if 'svchost00000000-0000-0000-0000-0000-00000000.dat' in datastore.SYSTEMROOT_FILE_SET:
        return True
    msi_dirs = [
        '%s\\All Users\\MSI' % profile,
        '%s\\All Users\\Application Data\\MSI' % profile,
    ]
    if 'ProgramData' in datastore.ENV_VARS:
        msi_dirs.append('%s\\MSI' % datastore.ENV_VARS.get('ProgramData'))
    for directory in msi_dirs:
        if utils.file_exists(directory, 'update.msi'):
            return True
    if utils.file_exists('%s\\Common Files' % program_files, 'wusvcd.exe'):
        return True
    if utils.file_exists('%s\\Common Files\\wusvcd' % program_files, 'wusvcd.exe'):
        return True
    services = datastore.SERVICE_NAME_SET
    if 'WinMI32' in services or 'wusvcd' in services:
        return True
    if 'Microsoft' in datastore.SYSTEMROOT_FILE_SET:
        microsoft_dir = '%s\\Microsoft' % datastore.SYSTEMROOT_STR
        return bool(utils.file_exists(microsoft_dir, 'Windows Management Infrastructure'))
    return False
def find_21():
    """Indicator 21: ``temp56273.pdf`` in the system temp directory, or
    ``iecache.dll`` in any user's ``Local Settings\\History\\cache``."""
    if utils.file_exists('%s\\temp' % datastore.SYSPATH_STR, 'temp56273.pdf'):
        return True
    profile = datastore.PROFILE_PATH
    return any(
        utils.file_exists('%s\\%s\\Local Settings\\History\\cache' % (profile, user_dir), 'iecache.dll')
        for user_dir in datastore.USER_DIRS_LIST
    )
def find_22():
    """Indicator 22: ``network.ics`` under ``<drivers>\\etc``, ``acelpvc.dll`` in the
    system root, or ``AppleTlk`` / ``IsoTp`` among the subkey or value names of
    HKLM ``Software\\Sun\\1.1.2``."""
    if utils.file_exists('%s\\etc' % datastore.DRIVERPATH_STR, 'network.ics'):
        return True
    if 'acelpvc.dll' in datastore.SYSTEMROOT_FILE_SET:
        return True
    cmd_status, cmd_id = dsz.cmd.RunEx('registryquery -hive L -key "Software\\Sun\\1.1.2"', dsz.RUN_FLAG_RECORD)
    if not cmd_status:
        return False
    markers = ('AppleTlk', 'IsoTp')
    # Subkey names are inspected first, then value names; a field with no
    # recorded data is simply skipped.
    for field in ('key::subkey::name', 'key::value::name'):
        try:
            recorded = dsz.cmd.data.Get(field, dsz.TYPE_STRING, cmd_id)
        except RuntimeError:
            continue
        if any(marker in recorded for marker in markers):
            return True
    return False
def find_23():
    """Indicator 23: a ``software\\microsoft\\NetWin`` key in any loaded user hive."""
    return any(
        utils.reg_exists('U', '%s\\software\\microsoft\\NetWin' % user_key)
        for user_key in datastore.HKEY_USERS_DATA
    )
def find_24():
    """Indicator 24: ``mfc64comm.sys`` or ``adap64info.sys`` in the drivers directory."""
    drivers = datastore.DRIVERPATH_FILE_SET
    return ('mfc64comm.sys' in drivers) or ('adap64info.sys' in drivers)
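def find_25():
    """Indicator 25: not implemented.

    Returns False explicitly so the FIND_SIG entry has the same contract as its
    siblings (the original ``pass`` returned None, which callers had to treat as
    falsy).
    """
    return False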
def find_26():
    """Indicator 26: an HKLM ``Software\\Adobe\\Fix`` key, or one of several marker
    files in any user's ``Local Settings\\Temp`` directory.

    Users whose temp listing fails or has no recorded data are skipped.
    """
    if utils.reg_exists('L', 'Software\\Adobe\\Fix'):
        return True
    markers = frozenset(['result.dat', 'data.dat', 'Acrobat.dll', 'first.tmp'])
    for user_dir in datastore.USER_DIRS_LIST:
        temp_dir = '%s\\%s\\Local Settings\\Temp' % (datastore.PROFILE_PATH, user_dir)
        cmd_status, cmd_id = dsz.cmd.RunEx('dir -mask * -path "%s"' % temp_dir, dsz.RUN_FLAG_RECORD)
        if not cmd_status:
            continue
        try:
            names = set(dsz.cmd.data.Get('DirItem::FileItem::name', dsz.TYPE_STRING, cmd_id))
        except RuntimeError:
            continue
        if not names.isdisjoint(markers):
            return True
    return False
def find_27():
    """Indicator 27: any of several ``.sqt`` marker files in the system root."""
    markers = frozenset(['qtlib.sqt', 'zl4vq.sqt', 'dfrgntfs5.sqt', 'msvcrt58.sqt'])
    return not datastore.SYSTEMROOT_FILE_SET.isdisjoint(markers)
def find_28():
    """Indicator 28: a fixed SID-like directory name under any user's
    ``Local Settings\\Application Data``."""
    marker = 'S-1-5-31-1286970278978-5713669491-166975984-320'
    profile = datastore.PROFILE_PATH
    return any(
        utils.file_exists('%s\\%s\\Local Settings\\Application Data' % (profile, user_dir), marker)
        for user_dir in datastore.USER_DIRS_LIST
    )
def find_30():
    """Indicator 30: ``msdxofg.dll``, ``atllib.dll`` or ``ocmsiecon.hlp`` in the system root."""
    sysroot = datastore.SYSTEMROOT_FILE_SET
    return any(name in sysroot for name in ('msdxofg.dll', 'atllib.dll', 'ocmsiecon.hlp'))
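def find_31():
    """Indicator 31: marker files in the system root / system directory / system
    temp, or marker subkeys under HKLM ``Explorer\\Streams\\Desktop``.

    Change from the original: the bare ``except:`` around the registry read is
    narrowed to the errors the sibling checks handle (RuntimeError from Get,
    TypeError if the result is not iterable for set()); anything else now
    propagates instead of being silently swallowed.
    """
    sysroot = datastore.SYSTEMROOT_FILE_SET
    if 'wpa.dbl.bak' in sysroot or 'sslkey.exe' in sysroot:
        return True
    if 'WindowsUpdate.old' in datastore.SYSPATH_FILE_SET:
        return True
    temp_dir = '%s\\temp' % datastore.SYSPATH_STR
    for name in ('~MS1E.tmp', '~FMIFEN.tmp'):
        if utils.file_exists(temp_dir, name):
            return True
    streams_query = 'registryquery -hive L -key "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Streams\\Desktop"'
    cmd_status, cmd_id = dsz.cmd.RunEx(streams_query, dsz.RUN_FLAG_RECORD)
    if not cmd_status:
        return False
    try:
        subkeys = set(dsz.cmd.data.Get('key::subkey::name', dsz.TYPE_STRING, cmd_id))
    except (RuntimeError, TypeError):
        return False
    markers = frozenset(['Default Statusbar Sign', 'Default MenuBars Sign', 'Default Taskbar Sign', 'Default Zone'])
    return not subkeys.isdisjoint(markers)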
def find_32():
    """Indicator 32: either of two fixed GUID entries under HKLM
    ``Active Setup\\Installed Components``."""
    components_key = 'Software\\Microsoft\\Active Setup\\Installed Components'
    guids = (
        '{FB083534-2709-3378-0000-F0FCD03BA387}',
        '{FB083534-2709-3378-0001-F0FCD03BA387}',
    )
    return any(utils.reg_exists('L', '%s\\%s' % (components_key, guid)) for guid in guids)
def find_33():
    """Indicator 33: an entry named ``INI`` in the system root."""
    sysroot = datastore.SYSTEMROOT_FILE_SET
    return 'INI' in sysroot
def find_34():
    """Indicator 34: a ``Windows Installer Management`` service key in HKLM.

    Returns whatever utils.reg_exists returns (not coerced to bool).
    """
    service_key = 'System\\CurrentControlSet\\Services\\Windows Installer Management'
    return utils.reg_exists('L', service_key)
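def find_35():
    """Indicator 35: a ``.sys`` file in the drivers directory whose recorded size
    field equals 9472 and whose contents match the pattern ``9N``.

    Change from the original: the bare ``except:`` around the grep result is
    narrowed to RuntimeError, matching the other checks in this module.
    """
    for entry in datastore.DRIVERPATH_DATA:
        # Presumably (name, size, ...) records; 9472 reads as an exact byte size.
        # TODO confirm against how DRIVERPATH_DATA is populated.
        name, size = entry[0], entry[1]
        if size != 9472 or not name.endswith('.sys'):
            continue
        # NOTE(review): -mask and -path are not quoted, unlike the dir/grep calls
        # elsewhere in this file; a drivers path with spaces may break the command.
        grep_cmd = 'grep -mask %s -path %s -pattern 9N' % (name, datastore.DRIVERPATH_STR)
        cmd_status, cmd_id = dsz.cmd.RunEx(grep_cmd, dsz.RUN_FLAG_RECORD)
        if not cmd_status:
            continue
        try:
            matches = dsz.cmd.data.Get('file::numlines', dsz.TYPE_INT, cmd_id)
        except RuntimeError:
            continue
        if matches is None:
            continue
        print ('SIG35: matched %d lines in %s' % (len(matches), name))
        return True
    return False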
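def find_36():
    """Indicator 36: a local grep over the ``Data`` subdirectory of the logs
    directory for ``*processinfo*`` files containing ``kernel32.dll.aslr``.

    Unlike the other checks this inspects previously collected output on the
    local side (``local grep``), not the target host directly. Change from the
    original: the bare ``except:`` is narrowed to RuntimeError, matching the
    other checks in this module.
    """
    xml_dir = os.path.normpath('%s/Data' % dsz.lp.GetLogsDirectory())
    cmd_str = u'local grep -mask "*processinfo*" -path "%s" -pattern "kernel32.dll.aslr"' % xml_dir
    cmd_status, cmd_id = dsz.cmd.RunEx(cmd_str.encode('utf8'), dsz.RUN_FLAG_RECORD)
    if not cmd_status:
        return False
    try:
        matches = dsz.cmd.data.Get('file::location', dsz.TYPE_STRING, cmd_id)
    except RuntimeError:
        return False
    if matches is None:
        return False
    print ('matched files: %s' % matches)
    return True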
def find_37():
    """Indicator 37: ``godown.dll`` in the system root."""
    sysroot = datastore.SYSTEMROOT_FILE_SET
    return 'godown.dll' in sysroot
def find_38():
    """Indicator 38: ``winns.exe`` or ``kbdarpe.dll`` in the system root."""
    sysroot = datastore.SYSTEMROOT_FILE_SET
    return ('winns.exe' in sysroot) or ('kbdarpe.dll' in sysroot)
def find_39():
    """Indicator 39: an HKLM ``Software\\Microsoft\\MS QAG\\U11`` or ``...\\U12`` key."""
    return any(
        utils.reg_exists('L', 'Software\\Microsoft\\MS QAG\\%s' % leaf)
        for leaf in ('U11', 'U12')
    )
def find_40():
    """Indicator 40: a ``NetIDS`` value under HKLM ``ShellServiceObjectDelayLoad``.

    Returns whatever utils.reg_exists returns (not coerced to bool).
    """
    delay_load_key = 'Software\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad'
    return utils.reg_exists('L', delay_load_key, 'NetIDS')
def find_41():
    """Indicator 41: a ``Log`` entry under Common Files (64- or 32-bit Program
    Files), or ``svchost`` appearing in the Winlogon ``Userinit`` value."""
    if utils.file_exists('%s\\common files' % datastore.PROGRAM_FILES_STR, 'Log'):
        return True
    x86_program_files = datastore.PROGRAM_FILESX86_STR
    if x86_program_files is not None and utils.file_exists('%s\\common files' % x86_program_files, 'Log'):
        return True
    # NOTE(review): every other RunEx call in this module passes dsz.RUN_FLAG_RECORD
    # before reading dsz.cmd.data; this one does not. Kept as-is - confirm whether
    # the Get below can succeed without the flag.
    userinit_query = 'registryquery -hive L -key "software\\microsoft\\windows nt\\currentversion\\winlogon" -value Userinit'
    cmd_status, cmd_id = dsz.cmd.RunEx(userinit_query)
    if not cmd_status:
        return False
    try:
        userinit = dsz.cmd.data.Get('key::value::value', dsz.TYPE_STRING, cmd_id)
    except RuntimeError:
        return False
    # .find() presumes Get returned a single string here, whereas elsewhere in
    # this file its result is treated as a collection - TODO confirm.
    return userinit is not None and userinit.find('svchost') >= 0
def find_43():
    """Indicator 43: ``cryptapi32.dll`` in the system directory, the same name
    under ``%appdata%\\Help\\system32``, or a ``DType0`` value under HKLM
    ``SYSTEM\\CurrentControlSet\\Control``.

    All probes are evaluated before the result is folded, as in the original.
    """
    sys32_markers = ['cryptapi32.dll']
    # NOTE(review): os.path.split only splits on backslashes when this runs on
    # Windows; on another platform it yields ('', whole_path). Presumably the
    # listening post is Windows - confirm.
    other_paths = ['%appdata%\\Help\\system32\\cryptapi32.dll']
    reg_markers = [('L', 'SYSTEM\\CurrentControlSet\\Control', 'DType0')]
    probes = [name in datastore.SYSPATH_FILE_SET for name in sys32_markers]
    probes += [file_exists(*os.path.split(path)) for path in other_paths]
    probes += [reg_exists(*entry) for entry in reg_markers]
    return any(probes)
def find_44():
    """Indicator 44: ``rasmgr.dll`` / ``raseap.dll`` in the system directory, or
    ``rasmain.sdb`` under ``%windir%\\AppPatch``.

    All probes are evaluated before the result is folded, as in the original.
    """
    sys32_markers = ['rasmgr.dll', 'raseap.dll']
    # NOTE(review): os.path.split only splits on backslashes when this runs on
    # Windows - presumably the listening post is; confirm.
    other_paths = ['%windir%\\AppPatch\\rasmain.sdb']
    probes = [name in datastore.SYSPATH_FILE_SET for name in sys32_markers]
    probes += [file_exists(*os.path.split(path)) for path in other_paths]
    return any(probes)
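def find_45():
    """Indicator 45 (not registered in FIND_SIG): ``rasmain.sdb`` under
    ``%windir%\\AppPatch``; a Run-key check was sketched but never wired up.

    Changes from the original: ``re`` is now imported at file level (the original
    raised NameError on ``re.compile``); the pattern is a raw string so the
    backslashes are literal path separators rather than regex escapes
    (``\\W``, ``\\s``, ``\\M`` ...); and the undefined ``filesinsys32`` name is
    replaced by an explicit placeholder list. ``run_key``, ``run_value`` and
    ``run_data`` are still never consulted - kept only to record the intended
    signature.
    """
    run_key = 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run'
    run_value = ('Internet',)
    # NOTE(review): the class [s|c] also matches a literal '|'; left as written.
    run_data = re.compile(r'C:\\WINDOWS\\system32\\Microsoft\\Protect\\Windows\\sv[s|c]host.exe')
    # PLACEHOLDER: the original referenced an undefined name here; the intended
    # system-directory marker list for this signature is not recorded in the file.
    sys32_markers = []
    other_paths = ['%windir%\\AppPatch\\rasmain.sdb']
    probes = [name in datastore.SYSPATH_FILE_SET for name in sys32_markers]
    # os.path.split only splits on backslashes on Windows - presumably the
    # listening post is; confirm.
    probes += [file_exists(*os.path.split(path)) for path in other_paths]
    return any(probes)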
def get_03():
    """Collector for indicator 03: nothing to retrieve (stub)."""
    return None
def get_04():
    """Collector for indicator 04: nothing to retrieve (stub)."""
    return None
def get_05():
    """Collector for indicator 05: nothing to retrieve (stub)."""
    return None
def get_06():
    """Collector for indicator 06: nothing to retrieve (stub)."""
    return None
def get_07():
    """Collector for indicator 07: nothing to retrieve (stub)."""
    return None
def get_11():
    """Collector for indicator 11: nothing to retrieve (stub)."""
    return None
def get_14():
    """Collector for indicator 14: retrieve three fixed config/log files, each
    capped at 256000 bytes by utils.limitedget.

    Paths are split with os.path.split, which only honours backslashes on
    Windows - presumably the listening post is; confirm.
    """
    wanted = (
        'c:\\applicationdata\\appdata1\\logFile.txt',
        '%USERPROFILE%\\MyHood\\btmn\\system\\temp\\cnf.txt',
        'c:\\syslog\\temp\\012tg7\\system\\cnf.txt',
    )
    for full_path in wanted:
        directory, filename = os.path.split(full_path)
        limitedget(directory, filename, maxfilesize=256000)
def get_17():
    """Collector for indicator 17: nothing to retrieve (stub)."""
    return None
def get_18():
    """Collector for indicator 18: nothing to retrieve (stub)."""
    return None
def get_43():
    """Collector for indicator 43: retrieve ``%system%\\mtmon.sdb``, capped at
    256000 bytes by utils.limitedget."""
    wanted = ('%system%\\mtmon.sdb',)
    for full_path in wanted:
        directory, filename = os.path.split(full_path)
        limitedget(directory, filename, maxfilesize=256000)
def get_44():
    """Collector for indicator 44: retrieve two ``msado*.tlb`` files under
    ``%ProgramFiles%\\Common Files\\System\\ado``, each capped at 256000 bytes."""
    wanted = (
        '%ProgramFiles%\\Common Files\\System\\ado\\msado39.tlb',
        '%ProgramFiles%\\Common Files\\System\\ado\\msado29.tlb',
    )
    for full_path in wanted:
        directory, filename = os.path.split(full_path)
        limitedget(directory, filename, maxfilesize=256000)
# Signature dispatch tables, indexed so that index i corresponds to signature
# number i + 1 (find_01 is at index 0). Both lists have 44 entries; positions
# 29 and 42 are None in FIND_SIG, and find_45 (defined above) is deliberately
# not registered. GET_SIG holds the optional collector for the same index, or
# None when the signature has nothing to retrieve.
FIND_SIG = [find_01, find_02, find_03, find_04, find_05, find_06, find_07, find_08, find_09, find_10, find_11, find_12, find_13, find_14, find_15, find_16, find_17, find_18, find_19, find_20, find_21, find_22, find_23, find_24, find_25, find_26, find_27, find_28, None, find_30, find_31, find_32, find_33, find_34, find_35, find_36, find_37, find_38, find_39, find_40, find_41, None, find_43, find_44]
GET_SIG = [None, None, get_03, get_04, get_05, get_06, get_07, None, None, None, get_11, None, None, get_14, None, None, get_17, get_18, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, get_43, get_44]