diff --git a/src/rat_king_parser/_version.py b/src/rat_king_parser/_version.py
index ec9a29c..f502b9f 100644
--- a/src/rat_king_parser/_version.py
+++ b/src/rat_king_parser/_version.py
@@ -23,4 +23,4 @@
 # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 # SOFTWARE.
-__version__ = "4.2.2"
+__version__ = "4.2.3"
diff --git a/src/rat_king_parser/config_parser/utils/config_item.py b/src/rat_king_parser/config_parser/utils/config_item.py
index 89c7ece..b07ca5c 100644
--- a/src/rat_king_parser/config_parser/utils/config_item.py
+++ b/src/rat_king_parser/config_parser/utils/config_item.py
@@ -132,7 +132,7 @@ def _derive_item_value(self, folder_id: bytes) -> str:
 try:
 return SpecialFolder(bytes_to_int(folder_id)).name
 except ValueError:
- return None
+ return f"UnknownFolder({bytes_to_int(folder_id)})"
 class EncryptedStringConfigItem(ConfigItem):
 def __init__(self) -> None:
diff --git a/src/rat_king_parser/config_parser/utils/dotnetpe_payload.py b/src/rat_king_parser/config_parser/utils/dotnetpe_payload.py
index aae49a4..f720f64 100644
--- a/src/rat_king_parser/config_parser/utils/dotnetpe_payload.py
+++ b/src/rat_king_parser/config_parser/utils/dotnetpe_payload.py
@@ -211,7 +211,12 @@ def offset_from_rva(self, rva: int) -> int:
 # Given an RVA, derives the corresponding User String
 def user_string_from_rva(self, rva: int) -> str:
- return self.dotnetpe.net.user_strings.get(rva ^ MDT_STRING).value
+ result = self.dotnetpe.net.user_strings.get(rva ^ MDT_STRING)
+ if result is None:
+ raise ConfigParserException(
+ f"Could not find user string for RVA {hex(rva)}"
+ )
+ return result.value
 def custom_attribute_from_type(self, typespacename: str, typename: str) -> dict:
 """
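Review bot: `bytes_to_int(folder_id)` is evaluated twice in `_derive_item_value`, and the second call on the new line runs inside the `except ValueError` handler, outside the `try`; if `bytes_to_int` can itself raise `ValueError` on a malformed `folder_id` (its body is not in this hunk, so that is an assumption to confirm), the handler would re-raise instead of returning the fallback string. Converting once before the `try` removes both issues: `folder_value = bytes_to_int(folder_id)`, then `return SpecialFolder(folder_value).name` and `return f"UnknownFolder({folder_value})"`. The change also replaces a former `None` with a non-empty string, so any caller that filtered on `None` now receives the labelled value — consistent with the `-> str` annotation, but worth a one-line comment above the `except`, e.g. `# Unrecognised folder IDs are reported with their raw value rather than dropped`. The function's `def` line lies outside the hunk.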
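Review bot: `user_string_from_rva` now raises `ConfigParserException` when the lookup misses, but the comment above it still only says it derives a User String; replace it with a docstring that states the contract, e.g. `"""Return the User String for the given token; raises ConfigParserException when no string exists at that token."""`. The hunk does not show this module's imports, so confirm `ConfigParserException` is already imported here — otherwise the new branch fails with `NameError` at the first missed lookup instead of the intended exception. The message formats only the raw `rva` via `hex()`; including the derived key (`rva ^ MDT_STRING`) as well would make a bad token easier to diagnose, and `{rva:#x}` is the f-string-native spelling. `custom_attribute_from_type` begins at the end of the hunk and continues outside it.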
@@ -250,7 +255,7 @@ def custom_attribute_from_type(self, typespacename: str, typename: str) -> dict:
 for pd_row_index, pd in enumerate(
 self.dotnetpe.net.mdtables.Property.rows
 ):
- if pd.Name.value.startswith(
+ if pd.Name.value.startswith((
 "Boolean_",
 "BorderStyle_",
 "Color_",
@@ -258,7 +263,7 @@ def custom_attribute_from_type(self, typespacename: str, typename: str) -> dict:
 "Int32_",
 "SizeF_",
 "String_",
- ):
+ )):
 continue
 # CustomAttribute Parent index is 1-based
 target_index = pd_row_index + 1
diff --git a/src/rat_king_parser/extern/maco/rkp_maco.py b/src/rat_king_parser/extern/maco/rkp_maco.py
index 1a825c6..56d51d5 100644
--- a/src/rat_king_parser/extern/maco/rkp_maco.py
+++ b/src/rat_king_parser/extern/maco/rkp_maco.py
@@ -30,7 +30,6 @@
 from logging import getLogger
 from pathlib import Path
 from re import search
-from typing import Optional
 import validators
 from maco import extractor, model
@@ -64,13 +63,13 @@ class RKPMACO(extractor.Extractor):
 author = "jeFF0Falltrades"
 last_modified = "2024-10-18"
 sharing = "TLP:WHITE"
- yara_rule = open(str(Path(__file__).parent / YARA_PATH)).read()
+ yara_rule = (Path(__file__).parent / YARA_PATH).read_text()
 def run(
 self, stream: typing.BinaryIO, matches: typing.List[Match]
 ) -> typing.Optional[model.ExtractorModel]:
 report = RATConfigParser(
- load(str(Path(__file__).parent / YARC_PATH)),
+ yara_rule=load(str(Path(__file__).parent / YARC_PATH)),
 data=stream.read(),
 remap_config=True,
 ).report
@@ -191,7 +190,7 @@ def run(
 # Helper function to handle both IPv4 and IPv6 values
 def _add_tcp_ip(
- self, model: model.ExtractorModel, server_ip: str, server_port: Optional[int]
+ self, model: model.ExtractorModel, server_ip: str, server_port: typing.Optional[int]
 ) -> None:
 model.tcp.append(
 model.Connection(server_ip=server_ip, server_port=server_port, usage="c2")
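Review bot: The prefix tuple handed to `startswith` in `custom_attribute_from_type` (this hunk and the one at `@@ -258,7 +263,7 @@`) is an eight-element literal inlined in the loop body with nothing saying why properties with those type prefixes are skipped; hoisting it to a named module-level constant such as `_SKIPPED_PROPERTY_PREFIXES = ("Boolean_", "BorderStyle_", "Color_", ...)` with a short comment on the rationale, and writing `if pd.Name.value.startswith(_SKIPPED_PROPERTY_PREFIXES):`, would make the intent visible and keep the loop readable. The enclosing `for` loop and the method begin outside the hunk.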
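Review bot: `yara_rule = (Path(__file__).parent / YARA_PATH).read_text()` decodes the rule file with the platform's default encoding, so a rule containing non-ASCII bytes can fail or decode differently on Windows than on Linux; pass it explicitly: `yara_rule = (Path(__file__).parent / YARA_PATH).read_text(encoding="utf-8")`. The read happens at class-definition time, i.e. on import of the module, so a missing or unreadable rule file surfaces as an import error — acceptable, but worth a comment on that line, e.g. `# Loaded at import time; a missing rule file fails the whole extractor early`. The `last_modified = "2024-10-18"` context line in the same class is not updated even though the rule loading and the `run` call are changed in this commit. The body of `run` continues past the hunk.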
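Review bot: On the rewritten signature line of `_add_tcp_ip`, the parameter `model` shadows the `model` module imported by `from maco import extractor, model`, so inside the body `model.tcp` and `model.Connection(...)` both resolve against the passed `ExtractorModel` instance rather than the module; this presumably works because the class exposes `Connection` as an attribute, but it reads as a module reference and would break silently if that changed. Since the line is being touched anyway, rename the parameter — `self, extractor_model: model.ExtractorModel, server_ip: str, server_port: typing.Optional[int]` — and update the body to `extractor_model.tcp.append(` and `extractor_model.Connection(server_ip=server_ip, server_port=server_port, usage="c2")`, which keeps the current resolution while removing the shadowing. The `append(` call closes outside the hunk.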
@@ -201,7 +200,7 @@ def _add_tcp_ip(
 # suffixed to the host/IP
 def _split_network_value(
 self, network_value: str
- ) -> typing.Tuple[str, Optional[int]]:
+ ) -> typing.Tuple[str, typing.Optional[int]]:
 match = search(r":([0-9]+)$", network_value)
 if match is not None:
 try:
diff --git a/tests/samples.enc.zip b/tests/samples.enc.zip
old mode 100644
new mode 100755
index 8546e1c..5e5aebd
Binary files a/tests/samples.enc.zip and b/tests/samples.enc.zip differ