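def on_call(self, call, process):
    """Flag RtlDecompressBuffer calls whose output buffer holds a PE image.

    Reads the ``UncompressedBuffer`` and ``UncompressedBufferLength``
    arguments of the logged call and records the ``IsPEImage`` verdict in
    ``self.compressed_binary``. Calls with no logged length are skipped.

    Args:
        call: Logged API call; ``call["api"]`` names the API.
        process: Process the call belongs to (not used here).
    """
    if call["api"] != "RtlDecompressBuffer":
        return

    buf = self.get_argument(call, "UncompressedBuffer")
    size = self.get_argument(call, "UncompressedBufferLength")
    if not size:
        # No length was logged, so the buffer check has nothing to bound it.
        return

    # NOTE(review): int() parses base 10 only -- confirm the behaviour log
    # never delivers this length as a 0x-prefixed string.
    size = int(size)

    # Keep an earlier hit. This hook is presumably invoked once per logged
    # call; a plain assignment would let a later decompression of non-PE
    # data reset the flag and hide a payload that was already observed.
    already_seen = getattr(self, "compressed_binary", False)
    self.compressed_binary = already_seen or IsPEImage(buf, size)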
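def on_call(self, call, process):
    """Flag CryptDecrypt calls whose buffer holds a PE image.

    Reads the ``Buffer`` and ``Length`` arguments of the logged call and
    records the ``IsPEImage`` verdict in ``self.encrypted_binary``. Calls
    with no logged length are skipped.

    Args:
        call: Logged API call; ``call["api"]`` names the API.
        process: Process the call belongs to (not used here).
    """
    if call["api"] != "CryptDecrypt":
        return

    buf = self.get_argument(call, "Buffer")
    size = self.get_argument(call, "Length")
    if not size:
        # No length was logged, so the buffer check has nothing to bound it.
        return

    # NOTE(review): int() parses base 10 only -- confirm the behaviour log
    # never delivers this length as a 0x-prefixed string.
    size = int(size)

    # Keep an earlier hit. This hook is presumably invoked once per logged
    # call; a plain assignment would let a later decryption of non-PE data
    # (e.g. a config blob) reset the flag after a payload was already seen.
    already_seen = getattr(self, "encrypted_binary", False)
    self.encrypted_binary = already_seen or IsPEImage(buf, size)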
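def on_call(self, call, process):
    """Flag registry value writes whose data holds a PE image.

    Handles ``RegSetValueExA`` and ``RegSetValueExW``. Reads the ``Buffer``
    and ``BufferLength`` arguments of the logged call and records the
    ``IsPEImage`` verdict in ``self.reg_binary``. Calls with no logged
    buffer or no logged length are skipped.

    Args:
        call: Logged API call; ``call["api"]`` names the API.
        process: Process the call belongs to (not used here).
    """
    if call["api"] not in ("RegSetValueExA", "RegSetValueExW"):
        return

    buf = self.get_argument(call, "Buffer")
    size = self.get_argument(call, "BufferLength")
    if not buf or not size:
        # Nothing to inspect without both the data and its length.
        return

    # NOTE(review): int() parses base 10 only -- confirm the behaviour log
    # never delivers this length as a 0x-prefixed string.
    size = int(size)

    # Keep an earlier hit. This hook is presumably invoked once per logged
    # call; a plain assignment would let a later write of ordinary registry
    # data reset the flag after a stored binary was already seen.
    already_seen = getattr(self, "reg_binary", False)
    self.reg_binary = already_seen or IsPEImage(buf, size)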