fix dnfile 0.15 parsers (#2171)
doomedraven authored Jun 17, 2024
1 parent dab1d69 commit eae3c56
Showing 4 changed files with 7 additions and 7 deletions.
2 changes: 1 addition & 1 deletion modules/processing/parsers/CAPE/Njrat.py
Expand Up @@ -12,7 +12,7 @@ def __init__(self, data: bytes):

# ex: 72 9F 00 00 70 ldstr foo, the index is what comes after 0x72 opcode -> 0x9F
def get_user_string_from_index(self, index):
return self.dotnet_file.net.user_strings.get_us(index).value
return self.dotnet_file.net.user_strings.get(index).value

# in little-endian token is: 12 00 00 04 (0x40000012), where 0x04 is field table index, and 0x12 is the field index
def get_field_name_from_index(self, index):
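Review bot: The new `get(index).value` on the changed line dereferences the lookup result unconditionally, and `index` comes straight out of the sample's IL (the `ldstr` operand described in the comment above), so a truncated or deliberately malformed sample can supply an index with no entry in the #US heap. If dnfile 0.15's `UserStringHeap.get` returns `None` on a miss, as its heap getters have done, that turns into an `AttributeError` that kills the whole Njrat extraction instead of yielding no config; worth confirming against the 0.15 API. I would resolve it in two steps, `us = self.dotnet_file.net.user_strings.get(index)` then `return us.value if us is not None else None`, and have callers treat `None` as "no string". The enclosing class starts outside the hunk, so the callers of this helper are not visible here.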
2 changes: 1 addition & 1 deletion modules/processing/parsers/CAPE/PhemedroneStealer.py
Expand Up @@ -54,7 +54,7 @@ class DnfileParse:
def read_dotnet_user_string(pe, token):
"""read user string from #US stream"""
try:
user_string = pe.net.user_strings.get_us(token.rid)
user_string = pe.net.user_strings.get(token.rid)
except UnicodeDecodeError:
return InvalidToken(token.value)

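Review bot: The `try` around the changed `get(token.rid)` still catches only `UnicodeDecodeError`, so an rid with no #US entry is not handled; `token.rid` is derived from the sample, and if dnfile 0.15 returns `None` for a missing index the code after this hunk will fail on the first attribute access rather than returning `InvalidToken`. A one-line guard after the `except` keeps the function's existing contract: `if user_string is None: return InvalidToken(token.value)`. It is also worth checking whether 0.15 decodes the string lazily on `.value` access; if it does, the decode no longer happens inside this `try` and the `UnicodeDecodeError` handler is effectively dead, so the handler would need to move to where `.value` is read. The rest of `read_dotnet_user_string` is outside the hunk.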
2 changes: 1 addition & 1 deletion modules/processing/parsers/CAPE/RedLine.py
Expand Up @@ -146,7 +146,7 @@ def extract_config(data):
extracted = []
for match in p.findall(data):
for item in match:
user_string = dn.net.user_strings.get_us(int.from_bytes(item, "little")).value
user_string = dn.net.user_strings.get(int.from_bytes(item, "little")).value
if user_string:
extracted.append(user_string)
if extracted:
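Review bot: On the changed line the `.value` is applied before the `if user_string:` check, so the check only guards an empty string, not a failed lookup. The index is `int.from_bytes(item, "little")` from a regex match over the raw sample bytes, so false-positive matches will produce indices that do not point at a #US entry; if dnfile 0.15's `get` returns `None` there, the parser raises out of the loop and loses every string already collected in `extracted`. Splitting the line keeps the existing filter working for both cases: `us = dn.net.user_strings.get(int.from_bytes(item, "little"))` and `user_string = us.value if us is not None else None`. `extract_config` starts outside the hunk.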
8 changes: 4 additions & 4 deletions modules/processing/parsers/CAPE/XWorm.py
Expand Up @@ -84,14 +84,14 @@ def extract_config(data):
for pattern in mutexPatterns:
mutexMatched = pattern.findall(data)
if mutexMatched:
mutex = dn.net.user_strings.get_us(int.from_bytes(mutexMatched[0], "little")).value
mutex = dn.net.user_strings.get(int.from_bytes(mutexMatched[0], "little")).value
AESKey = deriveAESKey(mutex)
break
else:
return

for match in confPattern.findall(data):
er_string = dn.net.user_strings.get_us(int.from_bytes(match, "little")).value
er_string = dn.net.user_strings.get(int.from_bytes(match, "little")).value
extracted.append(er_string)

for i in range(5):
Expand All @@ -116,10 +116,10 @@ def extract_config(data):
installDirMatch = installDirPattern.findall(data)

if installDirMatch:
installDir = dn.net.user_strings.get_us(int.from_bytes(installDirMatch[0], "little")).value
installDir = dn.net.user_strings.get(int.from_bytes(installDirMatch[0], "little")).value
config_dict["InstallDir"] = decryptAES(AESKey, installDir, AES.MODE_ECB)
if installBinMatch:
installBinName = dn.net.user_strings.get_us(int.from_bytes(installBinMatch[0], "little")).value
installBinName = dn.net.user_strings.get(int.from_bytes(installBinMatch[0], "little")).value
config_dict["InstallBinName"] = decryptAES(AESKey, installBinName, AES.MODE_ECB)
else:
lines = data.decode().split("\n")
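Review bot: All four changed call sites in this file (`mutex`, `er_string`, `installDir`, `installBinName`) chain `.value` directly onto `dn.net.user_strings.get(...)`, and each index is decoded from a regex hit over the raw sample, so a spurious match yields an index the #US heap does not contain. If dnfile 0.15 returns `None` for such an index, the first hunk fails before `deriveAESKey` is ever reached and the whole XWorm config is lost, rather than just that one field. Since the same expression is repeated, I would factor it into a module-level helper that tolerates a miss and have each site call `_user_string(dn, mutexMatched[0])` etc., treating `None` as "field absent". `extract_config` starts outside the first hunk and the `else` branch continues past the second.

```python
def _user_string(dn, raw: bytes):
    """Resolve a little-endian #US index taken from the sample; None if dnfile has no string there."""
    us = dn.net.user_strings.get(int.from_bytes(raw, "little"))
    return us.value if us is not None else None

# … unchanged: pattern loop …
        if mutexMatched:
            mutex = _user_string(dn, mutexMatched[0])
            if mutex is None:
                return
            AESKey = deriveAESKey(mutex)
            break
```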

0 comments on commit eae3c56

Please sign in to comment.