

Merge pull request #431 from adepasquale/bugfix/encrypt_pcinfo
Fix bug in encrypt_pcinfo signature
doomedraven authored May 9, 2024
2 parents ae07458 + b8a3ce8 commit 4ae2a64
Showing 1 changed file with 8 additions and 4 deletions.
12 changes: 8 additions & 4 deletions modules/signatures/windows/malware_data_encryption.py
Expand Up @@ -36,21 +36,25 @@ def __init__(self, *args, **kwargs):
self.ret = False
self.compname = str()
self.username = str()
self.check_buffers = False
self.buffers = set()
self.safelistprocs = ["winword.exe", "excel.exe", "powerpoint.exe", "acrobat.exe"]

def on_call(self, call, process):
if process["process_name"].lower() not in self.safelistprocs:
if call["api"] == "GetComputerNameW":
self.compname = self.get_argument(call, "ComputerName")
self.check_buffers = True

if call["api"] == "GetUserNameW":
elif call["api"] == "GetUserNameW":
self.username = self.get_argument(call, "Name")
self.check_buffers = True

if call["api"].startswith("Crypt"):
elif self.check_buffers and call["api"].startswith("Crypt"):
buff = self.get_argument(call, "Buffer")
if buff and (self.username or self.compname):
if self.compname.lower() in buff.lower() or self.username.lower() in buff.lower():
if buff:
buff_lower = buff.lower()
if any(n.lower() in buff_lower for n in [self.compname, self.username] if n):
self.ret = True
self.buffers.add(buff)
if self.pid:
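Review bot: The `if n` filter inside the `any(...)` generator is the part that actually fixes the false positive — an unset `compname` or `username` is `""`, and `"" in buff_lower` is always `True`, which is why the removed `or` condition flagged every Crypt* buffer whenever only one of the two names had been retrieved — yet nothing in the code says so, and a later cleanup could drop the filter as redundant with `self.check_buffers`. I would add a why-comment on the line above it: `# skip unset names: "" is a substring of every buffer`. A very short retrieved name (one or two characters) would still substring-match most buffers; if `get_argument` can return such values, extending the same filter to `if n and len(n) > 2` would cut that false positive, though whether this occurs in practice is not visible here. `on_call` continues past the hunk (`if self.pid:` opens a block shown only on expansion).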

