Thread: Kaspersky Rescue Disk Report - can't see full paths
View Single Post
  #6  
Old June 6th 19, 07:15 AM posted to alt.comp.hardware.pc-homebuilt,alt.comp.anti-virus,alt.computer.security
Paul[_28_]
external usenet poster
  
Posts: 1,467
Default Kaspersky Rescue Disk Report - can't see full paths
Apd wrote:
"Paul" wrote:
When you look at the klr.enc1 files, what's the first
thing you notice ? There's a couple of groups of 0xCF hex
bytes. "Real" encryption would have high entropy.
This smells funny...

CF CF CF CF CF CF CF CF CF CF CF CF

It smells like spaces!

XOR the base64 with 0xEF and you have plain text with a single
linefeed terminating each line. It's an XML report. Here's a line from
your second example, krdeicar.txt (wrapped for ease of reading):

Event1 Action="Detect" Time="132042218823887019"
"
Info="EICAR-Test-File" /

Yup. Even when the problem switched from "encryption"
to "encoding", I still couldn't see it. And I've had
trouble spotting XOR() related patterns before too.
It's a disease.

*******

I tried to implement the function in gawk, but the conversion
from substr() to number insisted on doing the wrong thing when the
msb of a character is set. So I had to punt and use C instead.
For which, somebody already wrote our program for us. Just change
the XORBYTE constant, and it's ready to compile.

It required a little touch-up here and there though.

https://stackoverflow.com/questions/...-to-a-new-file

#include stdio.h
#include string.h
#include errno.h

/* gcc -o xorfile.exe xorfile.c */

int main(int argc, char *argv[]) {
FILE *fpi, *fpo;
int c;

if (argc != 3) {
fprintf(stderr, "usage: xorfile input_file output_file\n");
return -1 ;
}

if ((fpi = fopen(argv[1], "rb")) == NULL) {
fprintf(stderr,"cannot open input file %s\n", argv[1]);
return 1;
}
if ((fpo = fopen(argv[2], "wb")) == NULL) {
fprintf(stderr,"cannot open output file %s\n", argv[2]);
fclose(fpi);
return 2;
}

while ( (c = getc(fpi)) != EOF ) {
if (c == (0x0a ^ 0xEF)) putc( 0x0d, fpo ); /* convert LF to CR LF */
putc(c ^ 0xEF, fpo);
}
fclose(fpi);
fclose(fpo);

return 0;
}

In MinGW, for example

gcc -o xorfile.exe xorfile.c

xorfile report_2019.06.05_15.15.24.klr.enc1 readable.txt

Looks like this. At first, it had the squares in it, because
the line endings weren't the best. So I quickly bodged in
enough of a fix so you wouldn't need Wordpad to read it.

Report
Metadata Version="1" PCID="{B47CF509-3A3B-3F43-B782-9C05D74106FD}" LastModification="2019.06.05 15:37:17.135" /
EventBlocks
Block0 Type="Scan" Processed="18204" Found="1" Neutralized="0"
Event0 Action="Scan" Time="132042217819347678" Object="" Info="Started" /
Event1 Action="Detect" Time="132042218823887019" " Info="EICAR-Test-File" /
Event2 Action="Scan" Time="132042226096655583" Object="" Info="Finished" /
Event3 Action="Select action" Time="132042226311598366" " Info="Quarantine" /
Event4 Action="Disinfection" Time="132042226311607367" Object="" Info="Started" /
Event5 Action="Quarantined" Time="132042226311647998" " Info="" /
Event6 Action="Disinfection" Time="132042226311706514" Object="" Info="Finished" /
/Block0
/EventBlocks
/Report

HTH,
Paul