python-obfuscation-framework 1.4.1__py3-none-any.whl

pof/evasion/fs/file_exist.py

@@ -0,0 +1,29 @@
+from tokenize import LPAR, NAME, OP, RPAR, STRING
+
+from pof.evasion.base import BaseEvasion
+
+
+class FileExistEvasion(BaseEvasion):
+    def __init__(self, file) -> None:
+        self.file = file
+
+    @staticmethod
+    def import_tokens():
+        return [
+            (NAME, "import"),
+            (NAME, "os"),
+        ]
+
+    def check_tokens(self):
+        """`not os.path.isfile('/tmp/a')`."""
+        return [
+            (NAME, "not"),
+            (NAME, "os"),
+            (OP, "."),
+            (NAME, "path"),
+            (OP, "."),
+            (NAME, "isfile"),
+            (LPAR, "("),
+            (STRING, repr(self.file)),
+            (RPAR, ")"),
+        ]

pof/evasion/fs/file_list_exist.py

@@ -0,0 +1,46 @@
+import io
+from tokenize import LPAR, NAME, OP, RPAR, generate_tokens
+
+from pof.evasion.base import BaseEvasion
+
+
+class FileListExistEvasion(BaseEvasion):
+    def __init__(self, file_list) -> None:
+        self.file_list = file_list
+
+    @staticmethod
+    def import_tokens():
+        return [
+            (NAME, "import"),
+            (NAME, "os"),
+        ]
+
+    def check_tokens(self):
+        """Trigger evasion if any file from the list is absent on the system.
+
+        `not all([os.path.isfile(p)for p in['/tmp/a','/tmp/b',...]])`
+        """
+        # TODO (deoktr): change
+        io_obj = io.StringIO(repr(self.file_list))
+        file_list_tokens = list(generate_tokens(io_obj.readline))
+
+        return [
+            (NAME, "not"),
+            (NAME, "all"),
+            (LPAR, "("),
+            (OP, "["),
+            (NAME, "os"),
+            (OP, "."),
+            (NAME, "path"),
+            (OP, "."),
+            (NAME, "isfile"),
+            (LPAR, "("),
+            (NAME, "p"),
+            (RPAR, ")"),
+            (NAME, "for"),
+            (NAME, "p"),
+            (NAME, "in"),
+            *file_list_tokens,
+            (OP, "]"),
+            (RPAR, ")"),
+        ]

pof/evasion/fs/file_list_missing.py

@@ -0,0 +1,45 @@
+import io
+from tokenize import LPAR, NAME, OP, RPAR, generate_tokens
+
+from pof.evasion.base import BaseEvasion
+
+
+class FileListMissingEvasion(BaseEvasion):
+    def __init__(self, file_list) -> None:
+        self.file_list = file_list
+
+    @staticmethod
+    def import_tokens():
+        return [
+            (NAME, "import"),
+            (NAME, "os"),
+        ]
+
+    def check_tokens(self):
+        """Trigger evasion if any file from the list is present on the system.
+
+        `any([os.path.isfile(p) for p in ['/tmp/a', '/tmp/b', ...]])`
+        """
+        # TODO (deoktr): change
+        io_obj = io.StringIO(repr(self.file_list))
+        file_list_tokens = list(generate_tokens(io_obj.readline))
+
+        return [
+            (NAME, "any"),
+            (LPAR, "("),
+            (OP, "["),
+            (NAME, "os"),
+            (OP, "."),
+            (NAME, "path"),
+            (OP, "."),
+            (NAME, "isfile"),
+            (LPAR, "("),
+            (NAME, "p"),
+            (RPAR, ")"),
+            (NAME, "for"),
+            (NAME, "p"),
+            (NAME, "in"),
+            *file_list_tokens,
+            (OP, "]"),
+            (RPAR, ")"),
+        ]

pof/evasion/fs/file_missing.py

@@ -0,0 +1,31 @@
+from tokenize import LPAR, NAME, OP, RPAR, STRING
+
+from pof.evasion.base import BaseEvasion
+
+
+class FileMissingEvasion(BaseEvasion):
+    def __init__(self, file) -> None:
+        self.file = file
+
+    @staticmethod
+    def import_tokens():
+        return [
+            (NAME, "import"),
+            (NAME, "os"),
+        ]
+
+    def check_tokens(self):
+        """Trigger evasion if a file is present on the system.
+
+        `os.path.isfile('/tmp/a')`
+        """
+        return [
+            (NAME, "os"),
+            (OP, "."),
+            (NAME, "path"),
+            (OP, "."),
+            (NAME, "isfile"),
+            (LPAR, "("),
+            (STRING, repr(self.file)),
+            (RPAR, ")"),
+        ]

pof/evasion/fs/tmp.py

@@ -0,0 +1,112 @@
+from tokenize import LPAR, NAME, OP, RPAR, STRING
+
+from pof.evasion.base import BaseEvasion
+
+
+class TmpCountEvasion(BaseEvasion):
+    """Cross-platform evasion that count the number of temp files."""
+
+    def __init__(self, tmp_count=5) -> None:
+        self.tmp_count = tmp_count
+
+    @staticmethod
+    def import_tokens():
+        return [
+            (NAME, "import"),
+            (NAME, "os"),
+            (OP, ","),
+            (NAME, "sys"),
+        ]
+
+    def check_tokens(self):
+        r"""Check the number of files present in /tmp.
+
+        `len(os.listdir("/tmp"if sys.platform!="windows"else"C:\windows\temp"))<10`
+        """
+        return [
+            (NAME, "len"),
+            (LPAR, "("),
+            (NAME, "os"),
+            (OP, "."),
+            (NAME, "listdir"),
+            (LPAR, "("),
+            (STRING, repr("/tmp")),  # noqa: S108
+            (NAME, "if"),
+            (NAME, "sys"),
+            (OP, "."),
+            (NAME, "platform"),
+            (OP, "!="),
+            (STRING, repr("windows")),
+            (NAME, "else"),
+            (STRING, repr("C:\\windows\\temp")),
+            (RPAR, ")"),
+            (RPAR, ")"),
+            (OP, "<"),
+            (STRING, repr(self.tmp_count)),
+        ]
+
+
+class LinuxTmpCountEvasion(BaseEvasion):
+    def __init__(self, tmp_count=5) -> None:
+        self.tmp_count = tmp_count
+
+    @staticmethod
+    def import_tokens():
+        return [
+            (NAME, "import"),
+            (NAME, "os"),
+            (OP, ","),
+            (NAME, "sys"),
+        ]
+
+    def check_tokens(self):
+        """Check the number of files present in /tmp.
+
+        `len(os.listdir("/tmp")) < 10`
+        """
+        return [
+            (NAME, "len"),
+            (LPAR, "("),
+            (NAME, "os"),
+            (OP, "."),
+            (NAME, "listdir"),
+            (LPAR, "("),
+            (STRING, repr("/tmp")),  # noqa: S108
+            (RPAR, ")"),
+            (RPAR, ")"),
+            (OP, "<"),
+            (STRING, repr(self.tmp_count)),
+        ]
+
+
+class WinTmpCountEvasion(BaseEvasion):
+    def __init__(self, tmp_count=5) -> None:
+        self.tmp_count = tmp_count
+
+    @staticmethod
+    def import_tokens():
+        return [
+            (NAME, "import"),
+            (NAME, "os"),
+            (OP, ","),
+            (NAME, "sys"),
+        ]
+
+    def check_tokens(self):
+        r"""Check the number of files present in /tmp.
+
+        `len(os.listdir("C:\windows\temp")) < 10`
+        """
+        return [
+            (NAME, "len"),
+            (LPAR, "("),
+            (NAME, "os"),
+            (OP, "."),
+            (NAME, "listdir"),
+            (LPAR, "("),
+            (STRING, repr(r"C:\windows\temp")),
+            (RPAR, ")"),
+            (RPAR, ")"),
+            (OP, "<"),
+            (STRING, repr(self.tmp_count)),
+        ]

pof/evasion/hardware/ram_count.py

@@ -0,0 +1,50 @@
+# TODO (deoktr): make windows version
+from tokenize import LPAR, NAME, NUMBER, OP, RPAR, STRING
+
+from pof.evasion.base import BaseEvasion
+
+
+class LinuxRAMCountEvasion(BaseEvasion):
+    def __init__(self, min_ram: int = 2) -> None:
+        """Min RAM in Gib."""
+        self.min_ram = min_ram
+
+    @staticmethod
+    def import_tokens() -> list[tuple[int, str]]:
+        return [
+            (NAME, "import"),
+            (NAME, "os"),
+        ]
+
+    def check_tokens(self) -> list[tuple[int, str]]:
+        """Linux RAM count evasion tokens.
+
+        `((os.sysconf('SC_PAGE_SIZE') * os.sysconf('SC_PHYS_PAGES')) / (1024.**3)) < 2`
+        """
+        return [
+            (LPAR, "("),
+            (LPAR, "("),
+            (NAME, "os"),
+            (OP, "."),
+            (NAME, "sysconf"),
+            (LPAR, "("),
+            (STRING, "'SC_PAGE_SIZE'"),
+            (RPAR, ")"),
+            (OP, "*"),
+            (NAME, "os"),
+            (OP, "."),
+            (NAME, "sysconf"),
+            (LPAR, "("),
+            (STRING, "'SC_PHYS_PAGES'"),
+            (RPAR, ")"),
+            (RPAR, ")"),
+            (OP, "/"),
+            (LPAR, "("),
+            (NUMBER, "1024."),
+            (OP, "**"),
+            (NUMBER, "3"),
+            (RPAR, ")"),
+            (RPAR, ")"),
+            (OP, "<"),
+            (NUMBER, str(self.min_ram)),
+        ]

pof/evasion/hooks/debugger.py

@@ -0,0 +1,36 @@
+from tokenize import LPAR, NAME, OP, RPAR, STRING
+
+from pof.evasion.base import BaseEvasion
+
+
+class DebuggerEvasion(BaseEvasion):
+    @staticmethod
+    def import_tokens():
+        return [
+            (NAME, "import"),
+            (NAME, "sys"),
+        ]
+
+    @staticmethod
+    def check_tokens():
+        """Detect Python debugger.
+
+        `hasattr(sys, 'gettrace') and sys.gettrace() is not None`
+        """
+        return [
+            (NAME, "hasattr"),
+            (LPAR, "("),
+            (NAME, "sys"),
+            (OP, ","),
+            (STRING, "'gettrace'"),
+            (RPAR, ")"),
+            (NAME, "and"),
+            (NAME, "sys"),
+            (OP, "."),
+            (NAME, "gettrace"),
+            (LPAR, "("),
+            (RPAR, ")"),
+            (NAME, "is"),
+            (NAME, "not"),
+            (NAME, "None"),
+        ]

pof/evasion/hooks/tracemalloc.py

@@ -0,0 +1,23 @@
+from tokenize import LPAR, NAME, OP, RPAR
+
+from pof.evasion.base import BaseEvasion
+
+
+class TracemallocEvasion(BaseEvasion):
+    @staticmethod
+    def import_tokens():
+        return [
+            (NAME, "import"),
+            (NAME, "tracemalloc"),
+        ]
+
+    @staticmethod
+    def check_tokens():
+        """`tracemalloc.is_tracing()`."""
+        return [
+            (NAME, "tracemalloc"),
+            (OP, "."),
+            (NAME, "is_tracing"),
+            (LPAR, "("),
+            (RPAR, ")"),
+        ]

pof/evasion/human/p.py

@@ -0,0 +1,45 @@
+def promt_unix():
+    # TODO (deoktr): add try: except around tkinter imports
+    from tkinter import E, S, Tk, ttk
+
+    root = Tk()
+
+    clicked = False
+
+    # FIXME (deoktr): Doesn't work ...
+    def click():
+        root.destroy()
+
+    root.title("System Error")
+    root.resizable(0, 0)  # block resize
+
+    root.overrideredirect(1)  # hide window
+
+    root.geometry(
+        "+%d+%d"  # noqa: UP031
+        % (
+            (root.winfo_screenwidth() / 2) - (root.winfo_reqwidth() / 2),
+            (root.winfo_screenheight() / 2) - (root.winfo_reqheight() / 2),
+        ),
+    )
+
+    root.after(int(5 * 1000), func=root.destroy)
+
+    frm = ttk.Frame(root, padding="50 12 50 12")
+    frm.grid()
+    ttk.Label(frm, text="System error 0x02333").grid(column=0, row=0)
+    ttk.Button(frm, text="Close", command=click).grid(column=0, row=1, sticky=(E, S))
+    root.mainloop()
+    return clicked
+
+
+if __name__ == "__main__":
+    import sys
+
+    if not promt_unix():
+        msg = "did not click"
+        sys.stdout(msg)
+        sys.exit(1)
+
+    sys.stdout("Hello, world!")
+    sys.exit(0)

pof/evasion/human/prompt.py

@@ -0,0 +1,69 @@
+# just prompt the user with a dialog box
+# TODO (deoktr): test
+# TODO (deoktr): make a version for linux somehow
+# TODO (deoktr): close prompt after a certain time
+from tokenize import LPAR, NAME, OP, RPAR, STRING
+
+from pof.evasion.base import BaseEvasion
+
+
+class PromptBase:
+    def __init__(self, title=None, message=None) -> None:
+        # TODO (deoktr): generate randomly the message and title
+        if title is None:
+            title = "System Error 0x18463832"
+        if message is None:
+            message = "Your system encountered an error, please click OK to proceed"
+
+        self.message = message
+        self.title = title
+
+
+class LinuxPromptEvasion(BaseEvasion, PromptBase):
+    """Prompt the user.
+
+    Tkinter is required to prompt user on unix systems, you'll need the `libtk?`
+    library. Run either `apt-get install tk`, `pacman -S tk` or `dnf install tk`.
+    """
+
+    @staticmethod
+    def check_tokens():
+        """Evasion is triggered if the message box is not pressed.
+
+        ``
+        """
+        return [
+            # TODO (deoktr): check file `p.py` in the same directory
+        ]
+
+
+class WinPromptEvasion(BaseEvasion, PromptBase):
+    @staticmethod
+    def import_tokens():
+        return [
+            (NAME, "import"),
+            (NAME, "ctypes"),
+        ]
+
+    def check_tokens(self):
+        """Evasion is triggered if the message box is not pressed.
+
+        `ctypes.windll.user32.MessageBoxW(None, message, title)`
+        """
+        return [
+            (NAME, "not"),
+            (NAME, "ctypes"),
+            (OP, "."),
+            (NAME, "windll"),
+            (OP, "."),
+            (NAME, "user32"),
+            (OP, "."),
+            (NAME, "MessageBoxW"),
+            (LPAR, "("),
+            (NAME, "None"),
+            (OP, ","),
+            (STRING, repr(self.message)),
+            (OP, ","),
+            (STRING, repr(self.title)),
+            (RPAR, ")"),
+        ]

pof/evasion/integrity.py

@@ -0,0 +1,129 @@
+from tokenize import DEDENT, INDENT, LPAR, NAME, NEWLINE, OP, RPAR, STRING
+
+from pof.evasion.base import BaseEvasion
+
+
+class IntegrityEvasion(BaseEvasion):
+    @staticmethod
+    def import_tokens():
+        return [
+            (NAME, "import"),
+            (NAME, "hashlib"),
+            (OP, ","),
+            (NAME, "inspect"),
+        ]
+
+    @staticmethod
+    def integrity_function_tokens():
+        """Integrity check tokens.
+
+        ```
+        def integrity(ihash):
+            stack = ""
+            for obj in [integrity]:
+                stack += inspect.getsource(obj)
+            m = hashlib.sha3_512()
+            m.update(stack.encode())
+            m.digest()
+            h = m.hexdigest()
+            return h != ihash
+        # code...
+        ```
+        """
+        return [
+            (NAME, "def"),
+            (NAME, "integrity"),
+            (OP, "("),
+            (NAME, "ihash"),
+            (OP, ")"),
+            (OP, ":"),
+            (NEWLINE, "\n"),
+            (INDENT, "    "),
+            (NAME, "stack"),
+            (OP, "="),
+            (STRING, '""'),
+            (NEWLINE, "\n"),
+            (NAME, "for"),
+            (NAME, "obj"),
+            (NAME, "in"),
+            (OP, "["),
+            (NAME, "integrity"),
+            (OP, "]"),
+            (OP, ":"),
+            (NEWLINE, "\n"),
+            (INDENT, "        "),
+            (NAME, "stack"),
+            (OP, "+="),
+            (NAME, "inspect"),
+            (OP, "."),
+            (NAME, "getsource"),
+            (OP, "("),
+            (NAME, "obj"),
+            (OP, ")"),
+            (NEWLINE, "\n"),
+            (DEDENT, ""),
+            (NAME, "m"),
+            (OP, "="),
+            (NAME, "hashlib"),
+            (OP, "."),
+            (NAME, "sha3_512"),
+            (OP, "("),
+            (OP, ")"),
+            (NEWLINE, "\n"),
+            (NAME, "m"),
+            (OP, "."),
+            (NAME, "update"),
+            (OP, "("),
+            (NAME, "stack"),
+            (OP, "."),
+            (NAME, "encode"),
+            (OP, "("),
+            (OP, ")"),
+            (OP, ")"),
+            (NEWLINE, "\n"),
+            (NAME, "m"),
+            (OP, "."),
+            (NAME, "digest"),
+            (OP, "("),
+            (OP, ")"),
+            (NEWLINE, "\n"),
+            (NAME, "h"),
+            (OP, "="),
+            (NAME, "m"),
+            (OP, "."),
+            (NAME, "hexdigest"),
+            (OP, "("),
+            (OP, ")"),
+            (NEWLINE, "\n"),
+            (NAME, "return"),
+            (NAME, "h"),
+            (OP, "!="),
+            (NAME, "ihash"),
+            (NEWLINE, "\n"),
+            (DEDENT, ""),
+        ]
+
+    @classmethod
+    def add_evasion(cls, tokens):
+        """Detect if the source code has been tampered.
+
+        Only works when executing from a file.
+        """
+        return [
+            *cls.import_tokens(),
+            (NEWLINE, "\n"),
+            (NAME, "if"),
+            (LPAR, "("),
+            (NAME, "integrity"),
+            (OP, "("),
+            (STRING, '"a"'),
+            (OP, ")"),
+            (RPAR, ")"),
+            (OP, ":"),
+            (NEWLINE, "\n"),
+            (INDENT, "    "),
+            *cls.fail_call_tokens(),
+            (NEWLINE, "\n"),
+            (DEDENT, ""),
+            *tokens,
+        ]

pof/evasion/multi.py

@@ -0,0 +1,41 @@
+from tokenize import NEWLINE, OP
+
+from .cpu.cpu_count import CPUCountEvasion
+from .hooks.debugger import DebuggerEvasion
+from .time.expire import ExpireEvasion
+from .time.utc import UTCEvasion
+from pof.evasion.base import BaseEvasion
+
+
+class MultiEvasion(BaseEvasion):
+    def __init__(self, list_evasion=None) -> None:
+        if list_evasion is None:
+            list_evasion = [
+                CPUCountEvasion(),
+                DebuggerEvasion(),
+                ExpireEvasion(),
+                UTCEvasion(),
+            ]
+        self.list_evasion = list_evasion
+
+    def import_tokens(self):
+        tokens = []
+        for evasion in self.list_evasion:
+            if len(tokens) > 0:
+                tokens.append((NEWLINE, "\n"))
+            tokens.extend(evasion.import_tokens())
+        return tokens
+
+    def check_tokens(self):
+        tokens = []
+        for evasion in self.list_evasion:
+            if len(tokens) > 0:
+                tokens.append((OP, "or"))
+            tokens.extend(
+                [
+                    (OP, "("),
+                    *evasion.check_tokens(),
+                    (OP, ")"),
+                ],
+            )
+        return tokens