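def extractPayload(pe):
    """Return the NUL-terminated payload stored in the image's ``.data`` section.

    Args:
        pe: a parsed PE object (presumably ``pefile.PE``) exposing
            ``sections``, each with a ``Name`` and a ``get_data()`` method.

    Returns:
        The ``.data`` contents after their first 4 bytes, cut at the first
        NUL by ``asciiz``; ``None`` when the image has no ``.data`` section
        (the original fell off the loop and returned ``None`` implicitly).
    """
    for section in pe.sections:
        # Section names are 8 bytes, NUL padded. Compare the stripped name
        # exactly: a plain substring test for ".data" also accepts ".rdata",
        # which commonly precedes ".data" in the section table and would
        # then be picked instead.
        name = section.Name
        if isinstance(name, str):
            name = name.encode("latin-1", "replace")
        if name.rstrip(b"\x00") != b".data":
            continue
        data = section.get_data()
        # The first 4 bytes of .data are skipped; the sample evidently keeps
        # a 4-byte prefix there — its meaning is not visible here, confirm.
        return asciiz(data[4:])
    return None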
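def icedid(self, p, matches):
    """Extract the IcedID C2 string from a sample and return it as a config dict.

    Args:
        self: extractor instance; ``self.family`` is the family label and
            ``self.extractPayload`` locates the encrypted blob in ``.data``.
        p: raw bytes of the PE image.
        matches: match object whose ``elements["obfuscationCode"]`` holds the
            matched decryption stub; element ``[0][2]`` is presumably the
            matched bytes (``(offset, identifier, data)`` layout) — confirm.

    Returns:
        ``{'family': self.family, 'urls': [<decoded C2 string>]}``.

    Raises:
        Whatever ``PE`` raises on a malformed image (left to the caller),
        ``TypeError`` when no ``.data`` section exists (payload is ``None``),
        and ``UnicodeDecodeError`` when the decrypted bytes are not valid
        UTF-8 — a decode failure is treated as "no usable config".
    """
    stub = matches.elements["obfuscationCode"][0][2]
    # Read the key offset and the length from the matched code instead of
    # hard-coding them, so a rebuilt stub with different immediates still
    # decrypts. Both are taken as single-byte operands: index 3 and the
    # last byte of the match — verify against the rule that produced it.
    key_offset = stub[3]
    length = stub[-1]

    pe_rep = PE(data=p)
    payload = self.extractPayload(pe_rep)

    # Byte i of the result is payload[i + key_offset] XOR payload[i].
    # Bound the loop up front rather than swallowing IndexError per byte:
    # once i + key_offset runs past the end, every later index fails as
    # well, so the original loop effectively stopped at exactly this point.
    usable = max(0, min(length, len(payload) - key_offset))
    decrypted = bytearray(
        payload[i + key_offset] ^ payload[i] for i in range(usable)
    )

    c2 = asciiz(decrypted)
    return {'family': self.family, 'urls': [c2.decode()]}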
def test_asciiz():
    """``asciiz`` must keep the bytes before the first NUL and drop the rest."""
    sample = b"hello\x00world"
    expected = b"hello"
    assert asciiz(sample) == expected