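def xor_size_value(self):
    """Return the ``(xor, size)`` immediates stored near the ``$code1`` hit.

    The first ``$code1`` hit fixes the region of interest: its file offset
    (``strings[0][0]``) is converted to an RVA and 900 bytes are read from
    there.  ``$code5`` is then matched inside that window and its matched
    bytes are cut into ``mov dword [reg+disp], imm32`` fragments --
    ``C7 45`` on 32-bit, ``C7 84 24`` on 64-bit (the ``C7 44 24`` disp8
    form is rewritten to the disp32 prefix first so one split covers
    both).  The last four bytes of a fragment are its imm32; the first
    fragment carries ``size`` and the second carries ``xor``.

    Returns:
        ``(xor, size)`` as produced by ``to_hex_dword``, or ``(None, None)``
        when ``$code1`` has no usable hit or no ``$code5`` hit yields at
        least two fragments.

    Raises:
        KeyError: if a rule name is missing from ``self.rules``.
    """
    rule = '$code1'
    region_rva = None
    for hit in match_rule(rule, self.rules[rule], self.filedata):
        # Only the first hit is used; get_rva_from_offset may yield None
        # for an offset outside any section, which is treated as "no hit".
        region_rva = self.pe.get_rva_from_offset(hit.strings[0][0])
        break
    if region_rva is None:
        return None, None

    window = self.pe.get_data(region_rva, 900)
    rule = '$code5'
    for hit in match_rule(rule, self.rules[rule], window):
        raw = hit.strings[0][2]
        if self.osa == 0x32:
            prefix = '\xC7\x45'
        else:
            prefix = '\xC7\x84\x24'
            raw = raw.replace('\xC7\x44\x24', prefix)
        # Re-attach the prefix so every fragment is a whole instruction.
        # NOTE(review): ``strip()`` also drops a fragment whose bytes are all
        # ASCII whitespace, not only an empty one -- kept as before; confirm
        # this is intended for raw opcode bytes.
        fragments = [prefix + piece for piece in raw.split(prefix) if piece.strip()]
        # Fewer than two fragments cannot supply both immediates; skip the
        # hit instead of failing with IndexError on fragments[1].
        if len(fragments) < 2:
            continue
        size = to_hex_dword(fragments[0][-4:])
        xor = to_hex_dword(fragments[1][-4:])
        return xor, size
    return None, None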
def xor_rol_value(self):
    """Return ``(xor_val, rol_val)`` taken from the first ``$code1`` hit.

    ``xor_val`` is the dword at index 2 (``osa == 0x32``) or 1 (otherwise)
    of the matched bytes; ``rol_val`` is the numeric value of the
    second-to-last matched byte.

    Returns:
        ``(xor_val, rol_val)``, or ``(None, None)`` when ``$code1`` does
        not match ``self.filedata``.
    """
    offset = 2 if self.osa == 0x32 else 1
    rule = '$code1'
    for hit in match_rule(rule, self.rules[rule], self.filedata):
        raw = hit.strings[0][2]
        key = to_hex_dword(raw[offset:offset + 4])
        # One-byte slice -> hex text -> int; a short match raises ValueError.
        rotate = int(raw[-2:-1].encode('hex'), 16)
        return key, rotate
    return None, None
def encoded_code_address(self):
    """Return ``(address, size)`` of the encoded code referenced by ``$code2``.

    From the first ``$code2`` hit an imm32 is read at index 3 (``0x32``)
    or 4 (otherwise); when the matched bytes start with ``C7 84 24`` the
    index is advanced by 3, the size difference between the disp8 and
    disp32 ``mov`` encodings.  ``imm32 - 1`` is re-encoded with
    ``to_str_dword`` and searched for in the whole file; the RVA of the
    dword following that first occurrence is the returned address.  The
    size comes from ``encoded_size`` over 150 bytes read at the hit's RVA.

    Returns:
        ``(address, size)``, or ``(None, None)`` when ``$code2`` has no hit.

    Raises:
        ValueError: if the re-encoded marker does not occur in the file
        (``str.index`` is used, not ``find``).
    """
    base = 3 if self.osa == 0x32 else 4
    rule = '$code2'
    for hit in match_rule(rule, self.rules[rule], self.filedata):
        raw = hit.strings[0][2]
        offset = base + 3 if raw[:3] == '\xC7\x84\x24' else base
        marker = to_str_dword(to_hex_dword(raw[offset:offset + 4]) - 1)
        hit_rva = self.pe.get_rva_from_offset(hit.strings[0][0])
        size = self.encoded_size(self.pe.get_data(hit_rva, 150))
        # First occurrence anywhere in the file, as in the original search.
        code_rva = self.pe.get_rva_from_offset(self.filedata.index(marker) + 4)
        return code_rva, size
    return None, None
def xor_key(self):
    """Return 128 bytes read at the location referenced by ``$code2``.

    The operand is the dword at index 7 (``osa == 0x32``) or 3
    (``osa == 0x64``) of the matched bytes.  On 32-bit it is rebased by
    subtracting ``ImageBase``; on 64-bit it is added to the hit's file
    offset plus 7, less ``SizeOfHeaders``, and converted with
    ``get_rva_from_offset``.

    Returns:
        The bytes from ``pe.get_data``, or ``None`` when ``$code2`` has
        no hit.

    Raises:
        KeyError: if ``self.osa`` is neither 0x32 nor 0x64.
    """
    offset = {0x32: 7, 0x64: 3}[self.osa]
    rule = '$code2'
    for hit in match_rule(rule, self.rules[rule], self.filedata):
        operand = to_hex_dword(hit.strings[0][2][offset:offset + 4])
        if self.osa == 0x32:
            target_rva = operand - self.pe.OPTIONAL_HEADER.ImageBase
        else:
            # NOTE(review): looks like a displacement relative to the end of
            # a 7-byte instruction; assumes to_hex_dword yields an unsigned
            # value, so a negative displacement would need sign handling --
            # confirm against the helper.
            insn_end = hit.strings[0][0] + 7
            target_rva = self.pe.get_rva_from_offset(
                operand + insn_end - self.pe.OPTIONAL_HEADER.SizeOfHeaders)
        return self.pe.get_data(target_rva, 128)
    return None
def loader_shellcode(self):
    """Return the encoded blob whose size and location ``$code1`` encodes.

    For every ``$code1`` hit, the size dword is read at index 14 (``0x32``)
    or 27 (``0x64``) and the address dword at index 22 or 34.  On 32-bit
    the address is rebased by subtracting ``ImageBase``; on 64-bit it is
    added to the hit's file offset plus 38, less ``SizeOfHeaders``, and
    converted with ``get_rva_from_offset``.  All hits are processed and
    the data of the last one is kept.

    Returns:
        The bytes from ``pe.get_data`` for the last hit, or ``''`` when
        the rule does not match.

    Raises:
        KeyError: if ``self.osa`` is neither 0x32 nor 0x64.
    """
    size_at, addr_at = {0x32: (14, 22), 0x64: (27, 34)}[self.osa]
    blob = ''
    rule = '$code1'
    for hit in match_rule(rule, self.rules[rule], self.filedata):
        raw = hit.strings[0][2]
        # Both values come from the sample itself; pe.get_data bounds the
        # read to the image, so an oversized length yields a short blob.
        length = to_hex_dword(raw[size_at:size_at + 4])
        target = to_hex_dword(raw[addr_at:addr_at + 4])
        if self.osa == 0x32:
            target -= self.pe.OPTIONAL_HEADER.ImageBase
        else:
            insn_end = hit.strings[0][0] + 38
            target = self.pe.get_rva_from_offset(
                target + insn_end - self.pe.OPTIONAL_HEADER.SizeOfHeaders)
        blob = self.pe.get_data(target, length)
    return blob
def rol_value(self, code):
    """Return the last byte of the first ``$code4`` hit in *code* as an int.

    Args:
        code: the byte string scanned with the ``$code4`` rule.

    Returns:
        The byte value, or ``None`` when the rule does not match.
    """
    rule = '$code4'
    for hit in match_rule(rule, self.rules[rule], code):
        # ord() of a one-byte str is its numeric value (0..255).
        return ord(hit.strings[0][2][-1])
    return None
def encoded_size(self, data):
    """Return the dword just before the final byte of the first ``$code3`` hit.

    Args:
        data: the byte string scanned with the ``$code3`` rule.

    Returns:
        The value produced by ``to_hex_dword`` over bytes ``[-5:-1]`` of
        the matched string, or ``None`` when the rule does not match.
    """
    rule = '$code3'
    for hit in match_rule(rule, self.rules[rule], data):
        raw = hit.strings[0][2]
        # Four bytes ending one before the last matched byte.
        return to_hex_dword(raw[-5:-1])
    return None