output.txt

vladimir@anon ~/dev/research/find_detected_strings % python3 find_bad_strings.py

StringRef(index=449, paddr=658672, vaddr=6443112688, length=59, size=120, section='(.rdata)', encoding='utf16le', content="ERROR kuhl_m_kerberos_ask ; '%wZ' Kerberos name not found!\\n", is_replaced=False, is_bad=False)

We got 5080 string objects
Good, masking all the strings has an impact on the AV's verdict
                                                                                        
Found a bad string, re-masking it                                                                       
Pass-the-ccache [NT6]                                                                                   
                                                                                        
Found a bad string, re-masking it                                                                       
ERROR kuhl_m_crypto_l_certificates ; CryptAcquireCertificatePrivateKey (0x%08x)\n                       
                                                                                        
Found a bad string, re-masking it                                                                       
ERROR kuhl_m_crypto_l_certificates ; CertGetCertificateContextProperty (0x%08x)\n                       
                                                                                        
Found a bad string, re-masking it                                                                       
ERROR kuhl_m_crypto_l_certificates ; CertGetNameString (0x%08x)\n                                       
                                                                                        
Found a bad string, re-masking it                                                                       
lsasrv.dll                                                                                              
                                                                                        
Found a bad string, re-masking it                                                                       
ERROR kuhl_m_lsadump_sam ; CreateFile (SYSTEM hive) (0x%08x)\n                                          
                                                                                        
Found a bad string, re-masking it                                                                       
SamIFree_SAMPR_USER_INFO_BUFFER                                                                         
                                                                                        
Found a bad string, re-masking it                                                                       
KiwiAndRegistryTools                                                                                    
                                                                                        
Found a bad string, re-masking it                                                                       
wdigest.dll                                                                                             
                                                                                        
Found a bad string, re-masking it                                                                       
multirdp                                                                                                
                                                                                        
Found a bad string, re-masking it                                                                       
logonPasswords                                                                                          
                                                                                        
Found a bad string, re-masking it                                                                       
credman                                                                                                 
                                                                                        
Found a bad string, re-masking it                                                                       
[%x;%x]-%1u-%u-%08x-%wZ@%wZ-%wZ.%s                                                                                                                                                           

Found a bad string, re-masking it                                                                       
n.e. (KIWI_MSV1_0_CREDENTIALS KO)                                                                       
                                                                                        
Found a bad string, re-masking it                                                                       
\\.\mimidrv

                                                                                             
 74%|█████████████████████████████████████████████▎               | 3773/5080 [2:32:56<48:54,  2.25s/it]Traceback (most recent call last):
  File "find_bad_strings.py", line 253, in <module>
    explore(sample_file)
  File "find_bad_strings.py", line 220, in explore
    binary = patch_binary(binary, string, dump_path, False)
  File "find_bad_strings.py", line 164, in patch_binary
    f.write(new_bin)
OSError: [Errno 28] No space left on device
python3 find_bad_strings.py  8411.79s user 766.15s system 99% cpu 2:33:04.12 total                      
1 vladimir@anon ~/dev/research/find_detected_strings %