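def config(raw_data):
    """Extract the configuration from the ``.bss`` section of a PE image.

    Args:
        raw_data: Raw bytes of the PE file to inspect.

    Returns:
        The result of ``parse_config`` applied to the NUL-separated fields
        of the ``.bss`` section, or ``None`` when the file has no ``.bss``
        section or the section does not start with the expected marker.

    Note:
        ``pefile.PE`` is called without a guard, so any parse error it
        raises on a malformed or truncated image propagates to the caller.
        If ``raw_data`` comes from an untrusted sample, handle that at the
        call site.
    """
    pe = pefile.PE(data=raw_data, fast_load=False)

    # Start from None so a file without a .bss section returns None instead
    # of raising UnboundLocalError at the check below.
    section_data = None
    for section in pe.sections:
        # Bytes literals: pefile exposes section names as bytes on Python 3,
        # and bytes is the same type as str on Python 2.
        if section.Name.rstrip(b'\x00') == b".bss":
            # No break: if several sections are named .bss, the last one wins.
            section_data = section.get_data()[:section.SizeOfRawData]
    if section_data is None:
        return None

    fields = section_data.split(b'\x00')
    # Crude check to make sure we have a decrypted section: the first field
    # must be the marker string. A section that is still encrypted (or
    # unrelated) is rejected here rather than handed to the parser.
    if fields[0] == b"ADVAPI32.DLL":
        return parse_config(fields)
    return None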