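def config(raw_data):
    """Extract the embedded configuration from a raw PE sample.

    The RC4 key is located through the '$opcodes03' YARA hit, then every
    '$opcodes04' hit (a length / VA pair pointing at an encrypted blob) is
    read from the image, RC4-decrypted, cut at the first NUL and handed to
    parse_config().

    Args:
        raw_data: the sample's bytes; parsed in memory with pefile.

    Returns:
        Whatever parse_config() builds from the decrypted entries.

    Raises:
        ValueError: no '$opcodes03' match, i.e. the key cannot be located
            (the unguarded data[0] in the original raised a bare IndexError).
        struct.error: a YARA hit is shorter than the fixed offsets read below.
    """
    pe = pefile.PE(data=raw_data, fast_load=False)

    key_hits = yara_scan(raw_data, '$opcodes03')
    if not key_hits:
        raise ValueError('no $opcodes03 match: cannot locate the RC4 key')
    # PE images are little-endian; '<I' pins that regardless of host byte order
    # and reads the VA as unsigned (native 'i' went negative above 0x7fffffff).
    key_va = struct.unpack('<I', key_hits[0][19:23])[0]
    key_hex = pe_data(pe, key_va, 16)

    config_list = []
    for section in yara_scan(raw_data, '$opcodes04'):
        # Both values are taken from the sample itself, so they are untrusted;
        # an out-of-image VA or oversized length is left for pe_data to reject.
        length = struct.unpack('<I', section[9:13])[0]
        data_va = struct.unpack('<I', section[17:21])[0]
        sec_data = pe_data(pe, data_va, length)
        dec = decrypt_rc4(key_hex, sec_data)
        # Keep only the part before the first NUL. decrypt_rc4 may hand back
        # str (Python 2 / text) or bytes (Python 3) — TODO confirm; pick the
        # matching terminator so the search does not raise on a bytes value.
        nul = '\x00' if isinstance(dec, str) else b'\x00'
        config_list.append(dec.split(nul, 1)[0])

    return parse_config(config_list)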