Krakz
Malware hunting & Reverse engineering notes

Python 🐍

pbo

All notes related to Python go here.

Base64 custom alphabet python #

Here’s a brief Python snippet for decoding base64 data that uses a non-standard alphabet; the DarkGate sample analysed was observed using the custom alphabet below. The idea is to translate each custom symbol back to its standard counterpart with str.translate() and hand the result to base64.b64decode(). Note that the standard string is written as A-Z, a-z, 0-9, "/", "=", so the last custom symbol ("x") stands in for the "=" padding and the standard symbol "+" is never produced; verify the table against a known plaintext (as done with "jrIO2L2S" below) before trusting it on padded data.

import base64

# Custom alphabet observed in the DarkGate sample, paired position by position
# with the standard alphabet. Both strings must have the same length (64 here),
# otherwise str.maketrans() raises ValueError. The standard string ends in "/=",
# so the last custom symbol "x" is treated as the "=" padding character.
CUSTOM_B64 = "KHkFLg9RnhcZNSDl1TsOj2JveVUpfC4Bq67XyIbm5Q8EGi3A=Madwr0uYzt+oWPx"
STD_B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789/="


def custom_b64_decode(s: str) -> bytes:
    # rewrite each custom symbol as its standard counterpart, then decode normally
    o = str(s).translate(str.maketrans(CUSTOM_B64, STD_B64))
    return base64.b64decode(o)


print(custom_b64_decode("jrIO2L2S"))  # b'SYSTEM'
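The same decoding done without base64.b64decode(), as an added example that is not part of the original notes: a generic decoder (plus the matching encoder, for round-trip checks) for any 64-symbol alphabet. Because it unpacks the 6-bit groups itself, it does not depend on the standard library's padding rules, so an alphabet that uses all 64 symbols for data plus a separate padding character, pads with something other than "=", uses "=" as an ordinary data symbol (the DarkGate table above has "=" at value 48), or does not pad at all, decodes without building a translation table. The DarkGate alphabet is taken from the snippet above and used as 64 data symbols, which agrees with the page's result for unpadded input such as "jrIO2L2S"; STD_ALPHABET, WEIRD_ALPHABET and the "$" padding symbol are constructed for the demonstration.

```python
"""Generic decoder/encoder for base64 written with an arbitrary 64-symbol alphabet.

Added example, not from the original notes.
"""
from typing import Dict, Optional

STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Alphabet quoted on this page for the DarkGate sample, used here as 64 data symbols.
DARKGATE_ALPHABET = "KHkFLg9RnhcZNSDl1TsOj2JveVUpfC4Bq67XyIbm5Q8EGi3A=Madwr0uYzt+oWPx"

# Constructed alphabet for the awkward case: "=" is a data symbol and "$" is the pad.
WEIRD_ALPHABET = (STD_ALPHABET[13:] + STD_ALPHABET[:13]).replace("/", "=")
WEIRD_PAD = "$"


def build_decode_table(alphabet: str) -> Dict[str, int]:
    """Map each symbol to its 6-bit value, rejecting malformed alphabets."""
    if len(alphabet) != 64:
        raise ValueError(f"alphabet must have 64 symbols, got {len(alphabet)}")
    if len(set(alphabet)) != 64:
        raise ValueError("alphabet contains duplicate symbols")
    return {ch: i for i, ch in enumerate(alphabet)}


def custom_b64_decode(data: str, alphabet: str, pad: Optional[str] = None) -> bytes:
    """Decode `data`; `pad` is the padding symbol if the encoder uses one."""
    table = build_decode_table(alphabet)
    if pad is not None:
        if pad in table:
            raise ValueError("padding symbol must not also be a data symbol")
        data = data.rstrip(pad)  # padding only ever appears at the end
    out = bytearray()
    acc, nbits = 0, 0  # bit accumulator and the number of valid bits in it
    for ch in data:
        if ch not in table:
            raise ValueError(f"symbol {ch!r} is not in the alphabet")
        acc = (acc << 6) | table[ch]
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
            acc &= (1 << nbits) - 1
    # fewer than 8 leftover bits are the encoder's zero padding: drop them
    return bytes(out)


def custom_b64_encode(raw: bytes, alphabet: str, pad: Optional[str] = None) -> str:
    """Inverse of custom_b64_decode(), useful for round-trip checks."""
    build_decode_table(alphabet)  # validates the alphabet
    out = []
    acc, nbits = 0, 0
    for byte in raw:
        acc = (acc << 8) | byte
        nbits += 8
        while nbits >= 6:
            nbits -= 6
            out.append(alphabet[(acc >> nbits) & 0x3F])
            acc &= (1 << nbits) - 1
    if nbits:  # flush the partial group, zero-padded on the right
        out.append(alphabet[(acc << (6 - nbits)) & 0x3F])
    if pad is not None:
        while len(out) % 4:
            out.append(pad)
    return "".join(out)


if __name__ == "__main__":
    print(custom_b64_decode("jrIO2L2S", DARKGATE_ALPHABET))       # b'SYSTEM'
    enc = custom_b64_encode(b"\xc8", WEIRD_ALPHABET, WEIRD_PAD)    # "=N$$"
    print(enc, custom_b64_decode(enc, WEIRD_ALPHABET, WEIRD_PAD))  # b'\xc8'
```

When a sample's padding character is unknown, decode with pad=None first; a trailing symbol that does not belong to the alphabet is then reported by the ValueError, which is usually the pad.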

PE with pefile #

Snippet of code to walk the resource tree of a PE (type, then name/ID, then language) and read the bytes of each resource:

import pefile

pe = pefile.PE("<path to PE>")

# Not every PE has a resource directory; pefile only sets the attribute when one exists.
if not hasattr(pe, "DIRECTORY_ENTRY_RESOURCE"):
    raise SystemExit("no resource directory")

# OffsetToData is an RVA, so slice the memory-mapped image rather than the raw file.
image = pe.get_memory_mapped_image()

for entry in pe.DIRECTORY_ENTRY_RESOURCE.entries:
    # Type entries are usually ID-based (RT_RCDATA = 10, ...); entry.name is only set
    # for named types, so fall back to pefile's RESOURCE_TYPE table for the others.
    if entry.name is not None:
        resource_type = str(entry.name)
    else:
        resource_type = pefile.RESOURCE_TYPE.get(entry.id, str(entry.id))
    for directory in entry.directory.entries:
        for resource in directory.directory.entries:
            offset: int = resource.data.struct.OffsetToData
            size: int = resource.data.struct.Size
            content: bytes = image[offset : offset + size]  # the resource bytes, ready to hash or dump

            print(
                f"read resource {resource_type} at offset 0x{offset:x} on 0x{size:x} bytes"
            )
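As an added example (not code from the original notes): a triage pass built on the same pefile walk, recording for every resource its type, ID, language, RVA, size, SHA-256 and Shannon entropy, and flagging resources that start with a known file header or are large and close to random, which is where embedded payloads usually sit. The MAGICS table, the 4096-byte and 7.2-bit thresholds and the ResourceInfo record are assumptions made for this example; pefile is imported lazily so the pure-Python helpers also run where it is not installed.

```python
"""Triage the resources of a PE: hash, entropy and embedded-file magic.

Added example, not from the original notes.
"""
import hashlib
import math
from dataclasses import dataclass
from typing import Iterator, Optional

# Magic bytes checked at the start of each resource (constructed table).
MAGICS = {
    b"MZ": "PE",
    b"PK\x03\x04": "ZIP",
    b"\x1f\x8b": "GZIP",
    b"\x7fELF": "ELF",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniform random data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect_magic(data: bytes) -> Optional[str]:
    """Label the resource if it starts with one of the known file headers."""
    for magic, label in MAGICS.items():
        if data.startswith(magic):
            return label
    return None


@dataclass
class ResourceInfo:
    rtype: str
    rid: str
    lang: int
    rva: int
    size: int
    sha256: str
    entropy: float
    magic: Optional[str]

    @property
    def suspicious(self) -> bool:
        # Thresholds are assumptions, tune them for your corpus: anything that looks
        # like an embedded file, or a sizeable blob that is close to random.
        return self.magic is not None or (self.size >= 4096 and self.entropy > 7.2)


def describe(rtype: str, rid: str, lang: int, rva: int, data: bytes) -> ResourceInfo:
    """Build the triage record for one resource's bytes."""
    return ResourceInfo(rtype, rid, lang, rva, len(data),
                        hashlib.sha256(data).hexdigest(),
                        shannon_entropy(data), detect_magic(data))


def iter_resources(path: str) -> Iterator[ResourceInfo]:
    """Walk type -> name/ID -> language and yield one record per resource."""
    import pefile  # lazy so the helpers above work without pefile installed

    pe = pefile.PE(path)
    if not hasattr(pe, "DIRECTORY_ENTRY_RESOURCE"):
        return
    image = pe.get_memory_mapped_image()  # OffsetToData values are RVAs
    for type_entry in pe.DIRECTORY_ENTRY_RESOURCE.entries:
        if type_entry.name is not None:
            rtype = str(type_entry.name)
        else:
            rtype = pefile.RESOURCE_TYPE.get(type_entry.id, str(type_entry.id))
        for id_entry in type_entry.directory.entries:
            rid = str(id_entry.name) if id_entry.name is not None else str(id_entry.id)
            for lang_entry in id_entry.directory.entries:
                if not hasattr(lang_entry, "data"):  # malformed tree: skip non-leaf
                    continue
                st = lang_entry.data.struct
                data = image[st.OffsetToData:st.OffsetToData + st.Size]
                yield describe(rtype, rid, lang_entry.id, st.OffsetToData, data)


if __name__ == "__main__":
    import sys

    for info in iter_resources(sys.argv[1]):
        flag = "SUSPICIOUS" if info.suspicious else ""
        print(f"{info.rtype:14} {info.rid:>6} lang={info.lang:<5} rva=0x{info.rva:x} "
              f"size=0x{info.size:x} entropy={info.entropy:.2f} "
              f"magic={info.magic or '-'} sha256={info.sha256[:16]} {flag}")
```

Run it as `python triage.py <path to PE>`; a large RT_RCDATA resource with entropy near 8 and no magic is the usual signature of an encrypted or packed second stage, while an MZ magic inside a resource is a dropped PE worth carving out with the `content` slice from the snippet above.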