Malware hunting & Reverse engineering notes

Python 🐍


All notes related to Python go here.

Base64 custom alphabet (Python)

Short Python snippet for decoding base64 data that uses a non-standard alphabet; a Darkgate sample was observed using the custom alphabet below. str.translate() substitutes each custom character with the standard character at the same index, so both alphabets must have the same length (64 here) and no repeated characters, and the translated string is then handed to the standard decoder. Note that the std_base64chars string below ends in "/=" rather than "+/": the last custom character ('x') therefore plays the role of the padding character, and sextet value 62 ('+' in standard base64) has no entry in this table.

import base64

def custom_b64_decode(s):
    # Custom alphabet observed in the Darkgate sample, position for position
    # against the standard alphabet (the last entry is treated as padding)
    custom_base64 = "KHkFLg9RnhcZNSDl1TsOj2JveVUpfC4Bq67XyIbm5Q8EGi3A=Madwr0uYzt+oWPx"
    std_base64chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789/="
    s = str(s)
    # Map each custom character to its standard counterpart, then decode normally
    o = s.translate(str.maketrans(custom_base64, std_base64chars))
    return base64.b64decode(o)
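The snippet above only decodes. When transcribing an alphabet out of a sample it is easy to drop or duplicate a character, and samples frequently strip the trailing padding, so the following added example (not from the original note and not Darkgate's own code) adds an alphabet sanity check, the matching encoder for crafting test vectors, and a decoder that restores missing padding. The sample input, the padding assumption and the helper names are mine.

```python
import base64

# Alphabets from the note above; the custom one is the Darkgate table
CUSTOM_ALPHABET = "KHkFLg9RnhcZNSDl1TsOj2JveVUpfC4Bq67XyIbm5Q8EGi3A=Madwr0uYzt+oWPx"
STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789/="


def check_alphabet(alphabet: str) -> bool:
    """Sanity-check a transcribed alphabet: 64 characters, none repeated.

    str.maketrans only complains about mismatched length; a duplicated
    character silently produces garbage on decode, so check it explicitly.
    """
    if len(alphabet) != 64:
        raise ValueError(f"alphabet has {len(alphabet)} characters, expected 64")
    dupes = {c for c in alphabet if alphabet.count(c) > 1}
    if dupes:
        raise ValueError(f"alphabet repeats characters: {sorted(dupes)}")
    return True


def custom_b64_encode(data: bytes, alphabet: str = CUSTOM_ALPHABET) -> str:
    """Encode with the custom alphabet (useful for building test vectors).

    Caveat: STD_ALPHABET ends in "/=", so sextet value 62 ('+' in standard
    base64) has no counterpart in the table and passes through untouched;
    input that produces it will not round-trip with the table as transcribed.
    """
    check_alphabet(alphabet)
    std = base64.b64encode(data).decode("ascii")
    return std.translate(str.maketrans(STD_ALPHABET, alphabet))


def custom_b64_decode(s: str, alphabet: str = CUSTOM_ALPHABET) -> bytes:
    """Translate custom -> standard, restore stripped padding, then decode.

    Assumption: the sample may drop trailing padding characters; the standard
    decoder rejects unpadded input, so pad to a multiple of 4 first.
    validate=True turns a wrong-alphabet character into an error instead of
    silently skipping it.
    """
    check_alphabet(alphabet)
    std = s.translate(str.maketrans(alphabet, STD_ALPHABET))
    std += "=" * (-len(std) % 4)
    return base64.b64decode(std, validate=True)


if __name__ == "__main__":
    # Constructed sample input, not a string taken from a real sample
    encoded = custom_b64_encode(b"DarkGate")
    print(encoded)                                   # T9gaUwC6C9jx
    print(custom_b64_decode(encoded))                # b'DarkGate'
    print(custom_b64_decode(encoded.rstrip("x")))    # same, padding stripped
```

Run check_alphabet() once against any table copied out of a disassembler before trusting the decoder's output.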


PE with pefile

Snippet to walk the three-level resource tree of a PE (type, id/name, language) with pefile and read each resource's bytes. OffsetToData is an RVA, so the slice is taken from the memory-mapped image rather than the raw file; a PE with no resource section has no DIRECTORY_ENTRY_RESOURCE attribute, hence the guard:

import pefile

pe = pefile.PE("<path to PE>")

# A PE without a resource section has no DIRECTORY_ENTRY_RESOURCE attribute
if not hasattr(pe, "DIRECTORY_ENTRY_RESOURCE"):
    raise SystemExit("no resource directory in this PE")

# OffsetToData is an RVA, so read from the memory-mapped image, not the raw file
image = pe.get_memory_mapped_image()

for entry in pe.DIRECTORY_ENTRY_RESOURCE.entries:
    # Level 1: resource type, a well-known id (RT_ICON, RT_RCDATA, ...) or a name
    resource_type = str(pefile.RESOURCE_TYPE.get(entry.id, entry.name or entry.id))
    for directory in entry.directory.entries:          # level 2: resource id or name
        for resource in directory.directory.entries:   # level 3: language
            offset = resource.data.struct.OffsetToData
            size = resource.data.struct.Size
            content = image[offset : offset + size]
            print(f"read resource {resource_type} at offset 0x{offset:x}, 0x{size:x} bytes")
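Reading the bytes is only the first step; what a hunter usually wants to know is whether a resource body is an embedded executable, an archive or an encrypted blob worth dumping. The following added example (mine, not from the original note) wraps the same pefile walk in a small triage routine: Shannon entropy per resource, a magic-byte check, and an optional dump to disk. The entropy threshold, the labels and the file naming are assumptions for this example; pefile is imported inside the function so the pure-Python helpers run without it.

```python
import math
import os
from typing import Optional


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_blob(data: bytes, entropy_threshold: float = 7.0) -> str:
    """Rough triage label for a resource body.

    The threshold and the labels are assumptions for this example; tune them
    against known-good samples before relying on them.
    """
    if data[:2] == b"MZ":
        return "embedded PE"
    if data[:4] == b"PK\x03\x04":
        return "zip archive"
    if shannon_entropy(data) >= entropy_threshold:
        return "high entropy (packed/encrypted?)"
    if data and all(32 <= b < 127 or b in (9, 10, 13) for b in data):
        return "printable text"
    return "plain"


def triage_resources(path: str, out_dir: Optional[str] = None) -> list:
    """Walk the resource tree with pefile and label each resource body.

    Returns one dict per resource; if out_dir is given, each body is written
    there as <type>_<id>_<lang>.bin (naming is an assumption of this example).
    """
    import pefile  # third-party: pip install pefile

    pe = pefile.PE(path)
    results = []
    if not hasattr(pe, "DIRECTORY_ENTRY_RESOURCE"):
        return results  # no resource section at all
    for entry in pe.DIRECTORY_ENTRY_RESOURCE.entries:
        rtype = str(pefile.RESOURCE_TYPE.get(entry.id, entry.name or entry.id))
        for directory in entry.directory.entries:
            rid = str(directory.name or directory.id)
            for resource in directory.directory.entries:
                rva = resource.data.struct.OffsetToData
                size = resource.data.struct.Size
                body = pe.get_data(rva, size)  # RVA-based read, like the slice above
                info = {
                    "type": rtype,
                    "id": rid,
                    "lang": resource.data.lang,
                    "rva": rva,
                    "size": size,
                    "entropy": round(shannon_entropy(body), 2),
                    "label": classify_blob(body),
                }
                if out_dir:
                    os.makedirs(out_dir, exist_ok=True)
                    out_path = os.path.join(out_dir, f"{rtype}_{rid}_{resource.data.lang}.bin")
                    with open(out_path, "wb") as f:
                        f.write(body)
                    info["dumped_to"] = out_path
                results.append(info)
    return results


if __name__ == "__main__":
    import sys

    for r in triage_resources(sys.argv[1], out_dir=sys.argv[2] if len(sys.argv) > 2 else None):
        print(f"{r['type']:<12} id={r['id']:<8} rva=0x{r['rva']:x} size=0x{r['size']:x} "
              f"H={r['entropy']:.2f} {r['label']}")
```

An RT_RCDATA entry that scores near 8.0 bits per byte is the usual place a loader keeps its encrypted next stage; dump it and try the sample's decoding routine on it.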