Deobfuscation and Analysis tool
by Shmuel (Seymour J.) Metz

Okay. A few notes to get you started.

The CPAN modules for URI parsing assume that the URIs they are given are
syntactically valid. Unfortunately, there are browsers that accept invalid
host designations and spammers that use them. Because I've received spam
with decimal and hexadecimal integers as hosts in a URL, I've added a
module to Regexp::Common::URI to generate patterns that will recognize
such broken URLs. My parsing still needs more work, because there are
still invalid host names that it will not recognize.
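As an added illustration of the integer-host problem described above (example code written for this page, not part of the tool or of Regexp::Common::URI, and in Python rather than Perl), the following canonicalizes a URL host the way inet_aton() does: a single decimal or hexadecimal integer, and more generally one to four parts in decimal, octal or hex with the last part filling the remaining bytes. The sample URLs are constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample links of the kind seen in spam; not taken from real mail.
SAMPLES = [
    "http://3232235777/login",      # decimal integer host
    "http://0xC0A80101/login",      # hexadecimal integer host
    "http://0300.0250.1.1/login",   # octal dotted form
    "http://192.168.1.1/login",     # ordinary dotted quad
    "http://example.test/login",    # name host, left alone
]

# One inet_aton() part: hex (0x...), octal (leading 0) or decimal.
_PART = re.compile(r'^(0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*)$', re.I)

def _num(part):
    if part[:2].lower() == '0x':
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == '0':
        return int(part, 8)
    return int(part, 10)

def inet_aton_like(host):
    """Return the dotted quad for a numeric host, or None if it is not one.
    Mirrors inet_aton(): 1-4 parts, leading parts are single bytes and the
    last part fills whatever bytes remain."""
    parts = host.split('.')
    if not 1 <= len(parts) <= 4 or not all(_PART.match(p) for p in parts):
        return None
    nums = [_num(p) for p in parts]
    if any(n > 255 for n in nums[:-1]) or nums[-1] >= 256 ** (5 - len(parts)):
        return None
    addr = 0
    for n in nums[:-1]:
        addr = (addr << 8) | n
    addr = (addr << (8 * (5 - len(parts)))) | nums[-1]
    return '.'.join(str((addr >> s) & 0xFF) for s in (24, 16, 8, 0))

def canonicalize(url):
    """Return (canonical_url, obfuscated). The host is rewritten as a plain
    dotted quad; obfuscated is True when that changed the host text."""
    parts = urlsplit(url)
    host = parts.hostname or ''
    quad = inet_aton_like(host)
    if quad is None:
        return url, False
    netloc = quad if parts.port is None else f"{quad}:{parts.port}"
    return urlunsplit(parts._replace(netloc=netloc)), host != quad

def find_obfuscated(urls):
    """Canonical forms of the URLs whose host was not a plain dotted quad."""
    return [canonicalize(u)[0] for u in urls if canonicalize(u)[1]]
```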

I get an error message whose cause I have yet to track down. It seems
to cause no harm.

readline() on unopened filehandle DATA at
G:/PERLLIB/LIB/site_perl/5.8.2/MIME/WordDecoder.pm line 579.

I take a list of files but I don't support globbing. That's on my
wishlist.

I do minimum parsing on Received header fields. Eventually I'd like to
support the half dozen most common formats in use, but haven't had
time to track them down.

I've made significant changes to BWwhois. If you run into problems
with my version, please don't bother Bill Weinman with them unless
they also occur on the stock version.

I'd appreciate any comments on bugs, on poor Perl style, on efficiency
issues or on desirable enhancements. I've thought of adding QT support
but that's low priority at the moment.

When I redirect STDERR (2>file), some of the debug output
disappears. I'd appreciate any suggestions as to what might
be causing that.

I handle some of the more common formats for the comment in
Received from, but I'd appreciate any information on other
formats that I should recognize.

Now, how to use it.

BWwhois.cmd and unobfuscate.cmd just need to be in the search path and
executable. If you're not running under OS/2 then you probably need to
remove the extproc and adjust the shebang for your system.

BWwhois requires configuration files in a whois subdirectory of ETC:
if there is an ETC environment variable then that is used, otherwise a
system-dependent default is used:

my $etc = ($ENV{ETC}                         # explicit override wins
           or ($^O eq 'os2') ? OS2::BootDrive() . '\ETC' : '/etc');

You'll need to tailor whois.conf; the comments should help. You can
probably use tld.conf and sd.conf as is.

You'll need to put badhttp.pm in Regexp/Common/URI; on my system
that's G:\PERLLIB\LIB\site_perl\5.8.2\Regexp\Common\URI.

There's some brief documentation in the POD at the end. Briefly,
--debug creates diagnostic output and --lookup creates a lookupinfo
file in the directory created by MIME::Parser. I've attached a sample.

Note that this is very much a work in progress and there's a lot that
I need to clean up, but I believe that it is usable at this point.


--
Shmuel (Seymour J.) Metz, SysProg and JOAT
Atid/2 <http://patriot.net/~shmuel>
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)
