示例#1
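 def extractPayload(pe):
     """
     Return the payload stored in the PE image's ``.data`` section.

     The first four bytes of the section are skipped (the original
     extractor does this; the header's meaning is not documented here) and
     the remainder is cut at its first NUL byte via ``asciiz``.

     Args:
         pe: A parsed PE object exposing ``sections``, each with a ``Name``
             (8-byte, NUL-padded) and ``get_data()`` — pefile-style.

     Returns:
         The NUL-terminated payload bytes following the 4-byte prefix.

     Raises:
         ValueError: If the image has no section named exactly ``.data``.
     """
     for section in pe.sections:
         name = section.Name
         if isinstance(name, str):
             name = name.encode("latin-1", "replace")
         # Exact match on the NUL-stripped name. The previous substring test
         # (".data" in str(Name)) also accepted ".rdata", which normally
         # precedes .data in the image and would silently hand back the
         # wrong section's bytes.
         if name.rstrip(b"\x00") == b".data":
             return asciiz(section.get_data()[4:])
     # Returning None here would only surface later as a TypeError when the
     # caller indexes the payload; fail with a clear message instead.
     raise ValueError("no .data section found in PE image")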
示例#2
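 def icedid(self, p, matches):
     """
     Recover the IcedID C2 from a first-stage sample.

     Key material comes from the ``obfuscationCode`` match: byte 3 is the
     distance between the two XORed byte streams and the last byte is the
     number of output bytes. The ``.data`` payload is then decoded as
     ``payload[i + dist] ^ payload[i]`` for ``i`` in ``range(count)``, cut
     at the first NUL and returned as a URL string.

     Args:
         p: Raw bytes of the PE sample.
         matches: Match object whose ``elements["obfuscationCode"][0][2]``
             holds the matched obfuscation stub bytes.

     Returns:
         dict: ``{'family': self.family, 'urls': [c2]}``.

     Raises:
         ValueError: If no payload could be located, or the decoded bytes
             are empty or not valid UTF-8 (usually a wrong key or a sample
             this rule does not really cover).
     """
     obfuscation_code = matches.elements["obfuscationCode"][0][2]
     # Read both constants from the matched stub rather than hard-coding
     # them: they vary between builds.
     xor_offset = obfuscation_code[3]
     count = obfuscation_code[-1]

     payload = self.extractPayload(PE(data=p))
     if not payload:
         raise ValueError("icedid: no payload found in .data section")

     # Each output byte pairs payload[i] with payload[i + xor_offset]; the
     # second index runs out first, so clamp the loop to the usable range
     # instead of swallowing IndexError per iteration. Output is identical
     # to the exception-driven loop, with no silently ignored errors.
     usable = min(count, max(len(payload) - xor_offset, 0))
     decrypted = bytearray(
         payload[i + xor_offset] ^ payload[i] for i in range(usable)
     )

     c2 = asciiz(decrypted)
     if not c2:
         raise ValueError("icedid: decoded C2 is empty")
     try:
         url = c2.decode()
     except UnicodeDecodeError as err:
         # Non-UTF-8 output almost always means the key bytes did not apply
         # to this sample; surface that instead of emitting a mangled URL.
         raise ValueError("icedid: decoded C2 is not valid UTF-8") from err
     return {'family': self.family, 'urls': [url]}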
示例#3
def test_asciiz():
    """``asciiz`` truncates its input at the first NUL byte."""
    sample = b"hello\x00world"
    expected = b"hello"
    assert asciiz(sample) == expected