style: Automatic code formatting
actions-user committed Aug 5, 2024
1 parent 09de187 commit 587e6b9
Showing 1 changed file with 14 additions and 14 deletions.
28 changes: 14 additions & 14 deletions modules/processing/parsers/CAPE/SparkRAT.py
@@ -1,5 +1,5 @@
import json
import io
import json
import logging
from contextlib import suppress

Expand All @@ -18,56 +18,56 @@


def extract_data_before_string(data, search_string, offset):
search_bytes = search_string.encode('utf-8')
search_bytes = search_string.encode("utf-8")

position = data.find(search_bytes)
if position == -1:
return b''
return b""

start_position = max(position - offset, 0)
return data[start_position:position]


def decrypt_config(enc_data, key, iv):
counter = Counter.new(128, initial_value=int.from_bytes(iv, 'big'))
counter = Counter.new(128, initial_value=int.from_bytes(iv, "big"))
cipher = AES.new(key, mode=AES.MODE_CTR, counter=counter)
dec_data = cipher.decrypt(enc_data)
config = dec_data.decode('utf-8')
config = dec_data.decode("utf-8")
return json.loads(config)


def extract_config(data):
if not HAVE_PYCYPTODOMEX:
log.error('Missed pycryptodomex. Run: poetry install')
log.error("Missed pycryptodomex. Run: poetry install")
return {}

search_string = 'DXGI_ERROR_DRIVER_INTERNAL'
search_string = "DXGI_ERROR_DRIVER_INTERNAL"
config_buf_size = 0x180
config_buf = extract_data_before_string(data, search_string, offset=config_buf_size)

if len(config_buf) == 0:
log.error('Configuration is not found.')
log.error("Configuration is not found.")
return {}

if config_buf == b'\x19' * config_buf_size:
log.debug('Configuration does not exist because the template data in the ConfigBuffer was not replaced.')
if config_buf == b"\x19" * config_buf_size:
log.debug("Configuration does not exist because the template data in the ConfigBuffer was not replaced.")
return {}

try:
with io.BytesIO(config_buf) as f:
data_len = int.from_bytes(f.read(2), 'big')
data_len = int.from_bytes(f.read(2), "big")
key = f.read(16)
iv = f.read(16)
enc_data = f.read(data_len - 32)
return decrypt_config(enc_data, key, iv)
except Exception as e:
log.error('Configuration decryption failed: %s', e)
log.error("Configuration decryption failed: %s", e)
return {}


if __name__ == '__main__':
if __name__ == "__main__":
import sys
from pathlib import Path

data = Path(sys.argv[1]).read_bytes()
print(extract_config(data))
print(extract_config(data))
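Review bot: `enc_data = f.read(data_len - 32)` trusts the two-byte length prefix read out of the sample, so a value below 32 becomes a negative read that returns the rest of the buffer and a value larger than the remaining bytes silently yields a short buffer; in both cases the only symptom is the generic "Configuration decryption failed" message produced by the broad `except Exception`. A guard right after the length read makes the rejection explicit and avoids feeding garbage to the cipher: `if data_len < 32 or data_len > len(config_buf) - 2:` / `log.error("Invalid config length: %d", data_len)` / `return {}`. The key is read as exactly 16 bytes, so this path only handles AES-128 keys; a one-line comment stating that assumption next to `key = f.read(16)` would help the next maintainer. Separately, the log text "Missed pycryptodomex" reads as a typo for "Missing pycryptodomex".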
