Restoring McAfee BUP Files

averagejoe

Hello fellow readers,

Its been a while since I’ve posted.

Today at work I was going over malware already flagged by McAfee and sent to the quarantined folder.

The way McAfee encrypts / encodes its quarantined files is pretty basic – XOR (exclusive OR) on each byte by the value of 0x6a (106 in decimal).

Once you know how this is done, writing an application to do this becomes stupid simple.
bup1

You can download the app here:
Restore_Mcafee_BUP_Files

I am looking forward to ToorCon in the next couple of months. Was thinking of doing a talk on bypassing FireEye.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.