Various bugfixes

src/rat_king_parser/_version.py

@@ -23,4 +23,4 @@
 # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 # SOFTWARE.
-__version__ = "4.2.2"
+__version__ = "4.2.3"

src/rat_king_parser/config_parser/utils/config_item.py

@@ -132,7 +132,7 @@ def _derive_item_value(self, folder_id: bytes) -> str:
         try:
             return SpecialFolder(bytes_to_int(folder_id)).name
         except ValueError:
-            return None
+            return f"UnknownFolder({bytes_to_int(folder_id)})"
 
 class EncryptedStringConfigItem(ConfigItem):
     def __init__(self) -> None:

src/rat_king_parser/config_parser/utils/dotnetpe_payload.py

@@ -211,7 +211,12 @@ def offset_from_rva(self, rva: int) -> int:
 
     # Given an RVA, derives the corresponding User String
     def user_string_from_rva(self, rva: int) -> str:
-        return self.dotnetpe.net.user_strings.get(rva ^ MDT_STRING).value
+        result = self.dotnetpe.net.user_strings.get(rva ^ MDT_STRING)
+        if result is None:
+            raise ConfigParserException(
+                f"Could not find user string for RVA {hex(rva)}"
+            )
+        return result.value
 
     def custom_attribute_from_type(self, typespacename: str, typename: str) -> dict:
         """
@@ -250,15 +255,15 @@ def custom_attribute_from_type(self, typespacename: str, typename: str) -> dict:
                 for pd_row_index, pd in enumerate(
                     self.dotnetpe.net.mdtables.Property.rows
                 ):
-                    if pd.Name.value.startswith(
+                    if pd.Name.value.startswith((
                         "Boolean_",
                         "BorderStyle_",
                         "Color_",
                         "Byte",
                         "Int32_",
                         "SizeF_",
                         "String_",
-                    ):
+                    )):
                         continue
                     # CustomAttribute Parent index is 1-based
                     target_index = pd_row_index + 1

src/rat_king_parser/extern/maco/rkp_maco.py

@@ -30,7 +30,6 @@
 from logging import getLogger
 from pathlib import Path
 from re import search
-from typing import Optional
 
 import validators
 from maco import extractor, model
@@ -64,13 +63,13 @@ class RKPMACO(extractor.Extractor):
     author = "jeFF0Falltrades"
     last_modified = "2024-10-18"
     sharing = "TLP:WHITE"
-    yara_rule = open(str(Path(__file__).parent / YARA_PATH)).read()
+    yara_rule = (Path(__file__).parent / YARA_PATH).read_text()
 
     def run(
         self, stream: typing.BinaryIO, matches: typing.List[Match]
     ) -> typing.Optional[model.ExtractorModel]:
         report = RATConfigParser(
-            load(str(Path(__file__).parent / YARC_PATH)),
+            yara_rule=load(str(Path(__file__).parent / YARC_PATH)),
             data=stream.read(),
             remap_config=True,
         ).report
@@ -191,7 +190,7 @@ def run(
 
     # Helper function to handle both IPv4 and IPv6 values
     def _add_tcp_ip(
-        self, model: model.ExtractorModel, server_ip: str, server_port: Optional[int]
+        self, model: model.ExtractorModel, server_ip: str, server_port: typing.Optional[int]
     ) -> None:
         model.tcp.append(
             model.Connection(server_ip=server_ip, server_port=server_port, usage="c2")
@@ -201,7 +200,7 @@ def _add_tcp_ip(
     # suffixed to the host/IP
     def _split_network_value(
         self, network_value: str
-    ) -> typing.Tuple[str, Optional[int]]:
+    ) -> typing.Tuple[str, typing.Optional[int]]:
         match = search(r":([0-9]+)$", network_value)
         if match is not None:
             try: