There would be no reliable way to extract a password from an executable, since they would have to be analyzed manually for every version of the malware out there. I've done my fair share of playing with "crackmes" and so on, so I guess I could do it in theory, if there are one or two really common ones, but it feels kind of pointless since there will just be new ones coming out, I'm guessing.
My thought was more like this:
As files are downloaded and assembled, rars start appearing; there could be 100 of them for a single download. We don't need all of them to check for this - the flag can be checked for in the header of any one of them. So, as soon as one of them is there, URD could detect this (periodic checking for rar files in the download directory as a last resort, if URD has no real idea what's actually ending up in the download temp directory, or after yydecode has been run). It doesn't matter if we check x.rar, x.r34 or x.03, the flags are in all of them. In fact we'd need just the first couple hundred bytes of one of the files, but it's easier to wait until at least one rar part is completely assembled.
Checking after the download is done wouldn't be worth the effort, since the time and bandwidth have already been wasted at that point.
But if you see no point in it, or if it's too messy having urdd "polling" the DL dir or whatever, we'll scrap the idea; it was just an idea.
Always fun to play around with binary files every now and then.
EDIT: For the hell of it, if someone has a couple of links to malware appearing again and again in downloads containing obfuscated passwords, I could take a look at it. I like sticking it to the malware dudes whenever I can.
Could perhaps end up being a separate tool to safely extract passwords.
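The header check the post describes, as an added example that is not code from the original post or from URD: it reads the leading bytes of any single RAR volume (x.rar, x.r00, x.part03.rar) and reports whether the archive is password-protected, either because the block headers themselves are encrypted (RAR 4.x MAIN_HEAD flag 0x0080, or a RAR 5 archive-encryption header) or because the file headers carry the encryption flag (RAR 4.x FILE_HEAD flag 0x0004, or a RAR 5 file-encryption extra record). Header layouts follow the published RAR 4.x and RAR 5 formats; CRCs are deliberately not verified so a partially assembled volume still classifies. The sample volumes are constructed inline and contain no real data.

```python
"""Detect password protection from the header of one RAR 4.x / RAR 5 volume.

Added example (not part of the original post or URD). Sample volumes below
are constructed inline; CRCs are left unchecked on purpose.
"""
import struct

RAR4_SIG = b"Rar!\x1a\x07\x00"        # also the 7-byte MARK_HEAD block
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"

MAIN_HEAD, FILE_HEAD = 0x73, 0x74      # RAR 4.x block types
MHD_PASSWORD = 0x0080                  # block headers are encrypted
LHD_PASSWORD = 0x0004                  # file data encrypted (set in every volume)
LONG_BLOCK = 0x8000                    # 4-byte ADD_SIZE follows the 7-byte head


def scan_rar4(data):
    """Walk RAR 4.x blocks (signature already stripped); 'headers', 'files' or None."""
    pos = 0
    while pos + 7 <= len(data):
        _crc, htype, flags, hsize = struct.unpack_from("<HBHH", data, pos)
        if hsize < 7:                  # garbage or truncation: never loop forever
            break
        add = 0
        if flags & LONG_BLOCK:
            if pos + 11 > len(data):
                break
            add = struct.unpack_from("<I", data, pos + 7)[0]
        if htype == MAIN_HEAD and flags & MHD_PASSWORD:
            return "headers"           # everything after this block is ciphertext
        if htype == FILE_HEAD and flags & LHD_PASSWORD:
            return "files"
        pos += hsize + add             # skip header plus packed data
    return None


def read_vint(data, pos):
    """RAR 5 variable-length integer: 7 bits per byte, low group first."""
    value, shift = 0, 0
    while True:
        if pos >= len(data):
            raise ValueError("truncated vint")
        b = data[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos


def scan_rar5(data):
    """Walk RAR 5 headers (signature already stripped); 'headers', 'files' or None."""
    pos = 0
    while pos + 5 <= len(data):
        pos += 4                       # header CRC32, unchecked
        hsize, body = read_vint(data, pos)
        end = body + hsize             # size counts from the type field to end of extra area
        if end > len(data):
            break
        htype, p = read_vint(data, body)
        hflags, p = read_vint(data, p)
        extra_size = data_size = 0
        if hflags & 0x0001:
            extra_size, p = read_vint(data, p)
        if hflags & 0x0002:
            data_size, p = read_vint(data, p)
        if htype == 4:                 # archive encryption header: headers are encrypted
            return "headers"
        if htype in (2, 3) and extra_size:   # file/service header: look for extra record type 1
            r = end - extra_size
            while r < end:
                rsize, q = read_vint(data, r)
                rtype, _ = read_vint(data, q)
                if rtype == 1:
                    return "files"
                r = q + rsize
        pos = end + data_size
    return None


def rar_password_protected(data):
    """Return 'headers', 'files' or None; raise ValueError if not a RAR volume."""
    if data.startswith(RAR5_SIG):
        return scan_rar5(data[len(RAR5_SIG):])
    if data.startswith(RAR4_SIG):
        return scan_rar4(data[len(RAR4_SIG):])
    raise ValueError("not a RAR volume")


def build_rar4_volume(main_flags, file_flags):
    """Constructed RAR 4.x volume: MAIN_HEAD, one FILE_HEAD for 'a.txt', 16 bytes of data."""
    main = struct.pack("<HBHHHI", 0, MAIN_HEAD, main_flags, 13, 0, 0)
    if main_flags & MHD_PASSWORD:
        return RAR4_SIG + main + b"\xde\xad" * 8       # stand-in for encrypted remainder
    name, payload = b"a.txt", b"\x00" * 16
    hsize = 32 + len(name) + (8 if file_flags & 0x0400 else 0)   # +8 for SALT
    fh = struct.pack("<HBHHIIBIIBBHI", 0, FILE_HEAD, file_flags, hsize, len(payload),
                     16, 0, 0, 0, 29, 0x30, len(name), 0x20) + name
    if file_flags & 0x0400:
        fh += b"\x11" * 8
    return RAR4_SIG + main + fh + payload


# Constructed RAR 5 volume: main header, then a file header whose extra area
# carries a file-encryption record (type 1) and 16 bytes of packed data.
RAR5_ENCRYPTED_SAMPLE = (
    RAR5_SIG
    + b"\0\0\0\0" + b"\x03" + b"\x01\x00\x01"
    + b"\0\0\0\0" + b"\x34" + b"\x02\x03\x25\x10\x00\x10\x20\x00\x00\x05" + b"a.txt"
    + b"\x24\x01\x00\x00\x0f" + b"S" * 16 + b"I" * 16
    + b"\x00" * 16
)

if __name__ == "__main__":
    print(rar_password_protected(build_rar4_volume(0x0101, 0x8000)))   # plain volume
    print(rar_password_protected(build_rar4_volume(0x0101, 0x8404)))   # encrypted files
    print(rar_password_protected(build_rar4_volume(0x0181, 0)))        # encrypted headers
    print(rar_password_protected(RAR5_ENCRYPTED_SAMPLE))
```

Only the first few hundred bytes of a volume are needed, as the post says: the MAIN_HEAD comes right after the signature and the first FILE_HEAD right after that, so a poller can read a small prefix of whichever part is assembled first and stop the download early. The RAR 5 encryption record also carries a salt and IV but no password material, so there is nothing to "extract" from the header itself.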