Merge pull request #377 from buffer/dotnet

[ActiveX] .NET Browser API

tests/Encoding/test_Encoding.py

@@ -15,7 +15,7 @@ def test_unicode(self):
         assert result["encoding"] in ("ascii",)
 
     def test_utf8_bom(self):
-        result = encoding.detect(b"\xEF\xBB\xBF")
+        result = encoding.detect(b"\xef\xbb\xbf")
         assert result["encoding"] in ("UTF-8-SIG",)
 
     def test_unicode_utf8(self):

tests/Logging/modules/test_MongoDB.py

@@ -57,8 +57,9 @@ class TestMongoDB:
     con_method = "iframe"
 
     # Creating a MongoDB object for all the test methods.
-    with patch(pymongo.__name__ + ".MongoClient", new=mongomock.MongoClient), patch(
-        "gridfs.Database", new=mongomock.database.Database
+    with (
+        patch(pymongo.__name__ + ".MongoClient", new=mongomock.MongoClient),
+        patch("gridfs.Database", new=mongomock.database.Database),
     ):
         log.ThugOpts.mongodb_address = "mongodb://localhost:123"
         mongo = MongoDB()

tests/functional/test_exploits.py

@@ -1438,3 +1438,22 @@ def test_Qakbot(self, caplog):
         ]
 
         self.do_perform_test(caplog, sample, expected, useragent="osx10chrome97")
+
+    def test_Mimikatz(self, caplog):
+        sample = os.path.join(self.exploits_path, "mimikatz.js")
+        expected = [
+            "ActiveXObject: system.text.asciiencoding",
+            "[System.Text.ASCIIEncoding] GetByteCount_2 count = 20164",
+            "[System.Text.ASCIIEncoding] GetBytes_4",
+            "ActiveXObject: system.security.cryptography.frombase64transform",
+            "[System.Security.Cryptography.FromBase64ToTransform] TransformFinalBlock",
+            "ActiveXObject: system.io.memorystream",
+            "[System.IO.MemoryStream] Write",
+            "ActiveXObject: system.runtime.serialization.formatters.binary.binaryformatter",
+            "ActiveXObject: system.collections.arraylist",
+            "[System.Runtime.Serialization.Formatters.Binary.BinaryFormatter] Deserialize_2",
+            "[System.Collections.ArrayList] Add",
+            "[System.Collections.ArrayList] ToArray",
+        ]
+
+        self.do_perform_test(caplog, sample, expected)

thug/ActiveX/CLSID.py

@@ -16,6 +16,8 @@
 # Foundation, Inc., 59 Temple Place, Suite 330, Boston,
 # MA  02111-1307  USA
 
+import io
+
 from .modules import AcroPDF
 from .modules import AdodbRecordset
 from .modules import AdodbStream
@@ -94,6 +96,7 @@
 from .modules import StormMps
 from .modules import SymantecAppStream
 from .modules import SymantecBackupExec
+from .modules import System
 from .modules import StreamAudioChainCast
 from .modules import Toshiba
 from .modules import UniversalUpload
@@ -1288,6 +1291,63 @@
             "Set_MonthText11": SymantecBackupExec.Set_MonthText11,
         },
     },
+    # System.Collections.ArrayList
+    {
+        "id": (),
+        "name": ("system.collections.arraylist",),
+        "attrs": {
+            "arraylist": [],
+        },
+        "funcattrs": {},
+        "methods": {
+            "Add": System.Collections.ArrayList.Add,
+            "ToArray": System.Collections.ArrayList.ToArray,
+        },
+    },
+    # System.IO.MemoryStream
+    {
+        "id": (),
+        "name": ("system.io.memorystream",),
+        "attrs": {
+            "stream": io.BytesIO(),
+            "Position": 0,
+        },
+        "funcattrs": {},
+        "methods": {
+            "Write": System.IO.MemoryStream.Write,
+        },
+    },
+    # System.Runtime.Serialization.Formatters.Binary.BinaryFormatter
+    {
+        "id": (),
+        "name": ("system.runtime.serialization.formatters.binary.binaryformatter",),
+        "attrs": {},
+        "funcattrs": {},
+        "methods": {
+            "Deserialize_2": System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Deserialize_2,
+        },
+    },
+    # System.Security.Cryptography.FromBase64Transform
+    {
+        "id": (),
+        "name": ("system.security.cryptography.frombase64transform",),
+        "attrs": {},
+        "funcattrs": {},
+        "methods": {
+            "TransformFinalBlock": System.Security.Cryptography.FromBase64Transform.TransformFinalBlock,
+        },
+    },
+    # System.Text.ASCIIEncoding
+    {
+        "id": (),
+        "name": ("system.text.asciiencoding",),
+        "attrs": {},
+        "funcattrs": {},
+        "methods": {
+            "GetByteCount_2": System.Text.ASCIIEncoding.GetByteCount_2,
+            "GetBytes_4": System.Text.ASCIIEncoding.GetBytes_4,
+        },
+    },
     # StreamAudioChainCast
     {
         "id": ("2253F320-AB68-4A07-917D-4F12D8884A06",),

thug/ActiveX/modules/System/Collections/ArrayList.py

@@ -0,0 +1,14 @@
+import logging
+
+log = logging.getLogger("Thug")
+
+
+def Add(self, value):
+    log.ThugLogging.add_behavior_warn("[System.Collections.ArrayList] Add")
+    self.arraylist.append(value)
+    return self.arraylist.index(value)
+
+
+def ToArray(self):
+    log.ThugLogging.add_behavior_warn("[System.Collections.ArrayList] ToArray")
+    return list(self.arraylist)

thug/ActiveX/modules/System/Collections/__init__.py

@@ -0,0 +1,5 @@
+__all__ = [
+    "ArrayList",
+]
+
+from . import ArrayList

thug/ActiveX/modules/System/IO/MemoryStream.py

@@ -0,0 +1,17 @@
+import io
+import logging
+
+log = logging.getLogger("Thug")
+
+
+def Write(self, buffer, offset=0, count=-1):
+    log.ThugLogging.add_behavior_warn("[System.IO.MemoryStream] Write")
+
+    buflen = count if count > -1 else len(buffer)
+    bufdat = buffer[: buflen - 1]
+
+    streamdata = self.stream.getvalue()
+    data = f"{streamdata[:offset]}{bufdat}{streamdata[offset:]}"
+
+    self.stream = io.BytesIO(data.encode())
+    self.Position = len(data)

thug/ActiveX/modules/System/IO/__init__.py

@@ -0,0 +1,5 @@
+__all__ = [
+    "MemoryStream",
+]
+
+from . import MemoryStream

thug/ActiveX/modules/System/Runtime/Activator.py

@@ -0,0 +1,6 @@
+class Activator:
+    def __init__(self, delegate):
+        self.delegate = delegate
+
+    def CreateInstance(self, Type):
+        pass

thug/ActiveX/modules/System/Runtime/Delegate.py

@@ -0,0 +1,9 @@
+from .Activator import Activator
+
+
+class Delegate:
+    def __init__(self, code):
+        self.code = code
+
+    def DynamicInvoke(self, args):
+        return Activator(self)

thug/ActiveX/modules/System/Runtime/Serialization/Formatters/Binary/BinaryFormatter.py

@@ -0,0 +1,14 @@
+import logging
+
+from thug.ActiveX.modules.System.Runtime.Delegate import Delegate
+
+log = logging.getLogger("Thug")
+
+
+def Deserialize_2(self, buf):
+    log.ThugLogging.add_behavior_warn(
+        "[System.Runtime.Serialization.Formatters.Binary.BinaryFormatter] Deserialize_2"
+    )
+
+    data = buf.stream.getvalue()
+    return Delegate(data)

thug/ActiveX/modules/System/Runtime/Serialization/Formatters/Binary/__init__.py

@@ -0,0 +1,5 @@
+__all__ = [
+    "BinaryFormatter",
+]
+
+from . import BinaryFormatter

thug/ActiveX/modules/System/Runtime/Serialization/Formatters/__init__.py

@@ -0,0 +1,5 @@
+__all__ = [
+    "Binary",
+]
+
+from . import Binary

thug/ActiveX/modules/System/Runtime/Serialization/__init__.py

@@ -0,0 +1,5 @@
+__all__ = [
+    "Formatters",
+]
+
+from . import Formatters

thug/ActiveX/modules/System/Runtime/__init__.py

@@ -0,0 +1,5 @@
+__all__ = [
+    "Serialization",
+]
+
+from . import Serialization

thug/ActiveX/modules/System/Security/Cryptography/FromBase64Transform.py

@@ -0,0 +1,11 @@
+import base64
+import logging
+
+log = logging.getLogger("Thug")
+
+
+def TransformFinalBlock(self, buffer, offset, count):
+    log.ThugLogging.add_behavior_warn(
+        "[System.Security.Cryptography.FromBase64ToTransform] TransformFinalBlock"
+    )
+    return bytes(base64.b64decode("".join(buffer[offset : offset + count])))

thug/ActiveX/modules/System/Security/Cryptography/__init__.py

@@ -0,0 +1,5 @@
+__all__ = [
+    "FromBase64Transform",
+]
+
+from . import FromBase64Transform

thug/ActiveX/modules/System/Security/__init__.py

@@ -0,0 +1,5 @@
+__all__ = [
+    "Cryptography",
+]
+
+from . import Cryptography

thug/ActiveX/modules/System/Text/ASCIIEncoding.py

@@ -0,0 +1,16 @@
+import logging
+
+log = logging.getLogger("Thug")
+
+
+def GetByteCount_2(self, chars):
+    count = len(chars.encode("utf-8"))
+    log.ThugLogging.add_behavior_warn(
+        f"[System.Text.ASCIIEncoding] GetByteCount_2 count = {count}"
+    )
+    return count
+
+
+def GetBytes_4(self, chars):
+    log.ThugLogging.add_behavior_warn("[System.Text.ASCIIEncoding] GetBytes_4")
+    return list(chars)

thug/ActiveX/modules/System/Text/__init__.py

@@ -0,0 +1,5 @@
+__all__ = [
+    "ASCIIEncoding",
+]
+
+from . import ASCIIEncoding

thug/ActiveX/modules/System/__init__.py

@@ -0,0 +1,7 @@
+__all__ = ["Collections", "IO", "Runtime", "Security", "Text"]
+
+from . import Collections
+from . import IO
+from . import Runtime
+from . import Security
+from . import Text