From 3822dada5caa21c441d793707174dc3e5c9cac1d Mon Sep 17 00:00:00 2001
From: msm
Date: Wed, 10 Apr 2024 17:37:53 +0200
Subject: [PATCH 1/3] Fix typing and dependencies
---
 malduck/procmem/procmemelf.py | 4 ++--
 requirements.txt | 10 +++++-----
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/malduck/procmem/procmemelf.py b/malduck/procmem/procmemelf.py
index ad74814..0b80a7a 100644
--- a/malduck/procmem/procmemelf.py
+++ b/malduck/procmem/procmemelf.py
@@ -31,7 +31,7 @@ def __init__(
 image: bool = False,
 detect_image: bool = False,
 ) -> None:
- self._elf = None
+ self._elf: Optional[elftools.elf.elffile.ELFFile] = None
 super().__init__(
 buf, base=base, regions=regions, image=image, detect_image=detect_image
 )
@@ -107,7 +107,7 @@ def is_image_loaded_as_memdump(self):
 @property
 def imgend(self) -> int:
 """Address where ELF image ends"""
- lastSegment = self.elf.get_segment(self.elf.num_segment() - 1)
+ lastSegment = self.elf.get_segment(self.elf.num_segments() - 1)
 return lastSegment.header["p_vaddr"] + lastSegment.header["p_memsz"]
diff --git a/requirements.txt b/requirements.txt
index b3b9436..e661d55 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,9 +1,9 @@
-click>=7.0
+click~=7.0
 pefile>=2022.5.30
 pyelftools
-pycryptodomex>=3.8.2
-capstone>=4.0.1
+pycryptodomex~=3.8.2
+capstone~=4.0.1
 yara-python
 typing-extensions>=3.7.4.2
-cryptography>=3.1
-dnfile>=0.11.0
+cryptography~=3.1
+dnfile~=0.14.*
From 9becdf3b61ab473d223c6391497c955dd4f6d618 Mon Sep 17 00:00:00 2001
From: msm
Date: Wed, 10 Apr 2024 17:40:06 +0200
Subject: [PATCH 2/3] Bump dnfile
---
 malduck/dnpe.py | 2 +-
 requirements.txt | 10 +++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/malduck/dnpe.py b/malduck/dnpe.py
index 82c7a04..91dc721 100644
--- a/malduck/dnpe.py
+++ b/malduck/dnpe.py
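Review bot: `imgend` still takes the image end from whichever program header happens to be last (`self.elf.get_segment(self.elf.num_segments() - 1)`); the rename only repairs the method name. The program-header table is not ordered by address, and the trailing entries of many binaries are commonly non-loadable (PT_GNU_STACK, PT_GNU_RELRO, PT_NOTE) whose `p_vaddr`/`p_memsz` say nothing about the mapped image, so for a library that parses untrusted samples an unusual or crafted header order produces a wrong end address silently. A file with no program headers makes `num_segments() - 1` equal to `-1`, and what pyelftools does with `get_segment(-1)` is not visible here, so that case deserves an explicit guard. Computing the end over loadable segments, `ends = [s.header["p_vaddr"] + s.header["p_memsz"] for s in self.elf.iter_segments() if s.header["p_type"] == "PT_LOAD"]`, then `if not ends: raise ValueError("ELF has no PT_LOAD segment")` and `return max(ends)`, removes the dependence on header order. The expected values added in the test patch for `tests/test_procmemelf.py` pin the current definition and would need re-checking against that one.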
@@ -62,7 +62,7 @@ def dn_user_string(
 return None
 try:
- us_string = self.dn_user_strings.get_us(index, encoding=encoding)
+ us_string = self.dn_user_strings.get(index, encoding=encoding)
 except UnicodeDecodeError:
 return None
diff --git a/requirements.txt b/requirements.txt
index e661d55..686288f 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,9 +1,9 @@
-click~=7.0
+click>=7.0
 pefile>=2022.5.30
 pyelftools
-pycryptodomex~=3.8.2
-capstone~=4.0.1
+pycryptodomex>=3.8.2
+capstone>=4.0.1
 yara-python
 typing-extensions>=3.7.4.2
-cryptography~=3.1
-dnfile~=0.14.*
+cryptography>=3.1
+dnfile>=0.15.0
From e3b54a4e1fb1c8be10a064640a9b3e8a12b28969 Mon Sep 17 00:00:00 2001
From: msm
Date: Wed, 10 Apr 2024 17:51:43 +0200
Subject: [PATCH 3/3] Add tests
---
 tests/test_procmem.py | 2 +-
 tests/test_procmemelf.py | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/tests/test_procmem.py b/tests/test_procmem.py
index 699a4e0..28d407b 100644
--- a/tests/test_procmem.py
+++ b/tests/test_procmem.py
@@ -271,4 +271,4 @@ def test_procmemdnpe():
 assert p.pe is not None
 assert p.pe.dn_metadata.struct.Version == b'v4.0.30319\x00\x00'
 assert p.pe.dn_metadata.struct.NumberOfStreams == len(p.pe.dn_metadata.streams)
-
+ assert p.pe.dn_user_string(1).value == "Hello World!"
diff --git a/tests/test_procmemelf.py b/tests/test_procmemelf.py
index c64a275..e3af9db 100644
--- a/tests/test_procmemelf.py
+++ b/tests/test_procmemelf.py
@@ -17,6 +17,7 @@ def test_hello_static():
 assert pelf.elf.elfclass == 64
 assert pelf.elf.get_machine_arch() == 'x64'
 assert pelf.elf.little_endian
+ assert pelf.imgend == 7159808
 def test_hello_32():
@@ -26,6 +27,7 @@ def test_hello_32():
 assert pelf.elf.elfclass == 32
 assert pelf.elf.get_machine_arch() == 'x86'
 assert pelf.elf.little_endian
+ assert pelf.imgend == 8192
 def test_hello_32_static():
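Review bot: The `except UnicodeDecodeError` guard is kept around the new `self.dn_user_strings.get(index, encoding=encoding)` call, but whether dnfile 0.15's `get()` still raises on undecodable data, or instead returns a `UserString` whose `value` is `None`, is not visible here and is worth confirming against the pinned version, because the two `return None` paths in this hunk show that callers expect `None` for anything unusable. `index` comes from parsed sample metadata, so an out-of-range or malformed #US entry is a realistic input; if `get()` can raise anything other than `UnicodeDecodeError` for such an entry, the exception escapes to callers that only test for `None`. A comment on the `except`, e.g. `# dnfile raises UnicodeDecodeError for an undecodable #US blob; treat it as "no string"`, would state which failure mode of `get()` is covered, and if `get()` can return `None` or a `UserString` with `value is None`, that needs handling after the `try` as well. `dn_user_string` begins and ends outside this hunk.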
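Review bot: The new assertion `assert p.pe.dn_user_string(1).value == "Hello World!"` exercises only the decodable case of `dn_user_string`; the `None` returns in `malduck/dnpe.py` (the early return and the `UnicodeDecodeError` handler) stay untested. Adding `assert p.pe.dn_user_string(<OUT_OF_RANGE_INDEX>) is None`, with an index past the fixture's #US heap (placeholder to be filled from the sample), would pin — or surface — what a missing or malformed entry yields, which is the property that matters when the input is an untrusted sample. `test_procmemdnpe` and the fixture `p` start before the shown lines.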
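Review bot: The expected value in `assert pelf.imgend == 7159808` is an address written in decimal, while this file otherwise writes addresses in hex (`0x80ed200` in test_hidden_32_static); `assert pelf.imgend == 0x6D4000` reads as the page-aligned end it is and can be checked against `readelf -l` output directly. The same applies to the hunks in test_hello_32 (`8192` is `0x2000`), test_hello_32_static and test_hidden_32_static (`135200768` is `0x80F0000`). These constants pin the current `imgend` definition, `p_vaddr + p_memsz` of the last program header, rather than an independently derived image end, so a one-line comment above each, such as `# p_vaddr + p_memsz of the last program header, from readelf -l`, would tell a maintainer what to regenerate if `imgend` is ever redefined. Each `test_*` function begins outside the shown lines.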
@@ -35,6 +37,7 @@ def test_hello_32_static():
 assert pelf.elf.elfclass == 32
 assert pelf.elf.get_machine_arch() == 'x86'
 assert pelf.elf.little_endian
+ assert pelf.imgend == 135200768
 def test_hidden_32_static():
@@ -48,3 +51,4 @@ def test_hidden_32_static():
 b"\x00\xcd\x80\x5a\x59\x5b\x58\x68\x73\x87\x04\x08\xc3\x28\x68\x69\x64\x64\x65\x6e\x20\x63\x6f"\
 b"\x64\x65\x21\x29\x0a"
 assert pelf.readv(0x80ed200, len(hidden_code)) == hidden_code
+ assert pelf.imgend == 135200768