def main()

in cortado/rtas/evasion_oversized_dll_load.py [0:0]


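def main():
    """Stage an oversized copy of ``DLL`` under %localappdata%\\Temp and load it.

    Flow (each step is annotated with the rule it is meant to exercise):
    copy ``DLL`` and ``WER`` into Temp, pad the DLL copy past 100,000,000
    bytes, copy it a second time via cmd.exe as ``faultrep.dll``, load it with
    rundll32.exe, then launch the copied ``wer.exe`` that sits next to it.
    Cleanup (taskkill + deletion of the three staged files) runs in a
    ``finally`` so the temp files are removed even if a step raises, and
    only files that actually exist are deleted.

    ``DLL``, ``WER``, ``log``, ``_common``, ``Path`` and ``os`` are module
    scope names.  Nothing is done when ``DLL`` is not a regular file.
    """
    import win32file  # type: ignore

    if not Path(DLL).is_file():
        return

    tempc = os.path.expandvars("%localappdata%\\Temp\\oversized.dll")
    rta_dll = os.path.expandvars("%localappdata%\\Temp\\faultrep.dll")
    rta_pe = os.path.expandvars("%localappdata%\\Temp\\wer.exe")
    # offset of the single null byte written to pad the DLL copy; the file
    # ends up one byte past this size
    oversize_offset = 100_000_000

    try:
        # copy files to temp
        win32file.CopyFile(DLL, tempc, 0)  # type: ignore
        win32file.CopyFile(WER, rta_pe, 0)  # type: ignore
        if Path(tempc).is_file():
            log.info(f"{DLL} copied to {tempc}")
        log.info(f"File {tempc} will be appended with null bytes to reach 90MB in size.")
        # append null bytes to make the DLL oversized 90+MB in size
        with open(tempc, "rb+") as binfile:
            _ = binfile.seek(oversize_offset)
            _ = binfile.write(b"\x00")

        # copied via cmd to trigger the rule - python is signed and won't trigger the file mod part of the rule
        _ = _common.execute_command(["cmd.exe", "/c", "copy", tempc, rta_dll])
        if Path(rta_dll).is_file() and Path(rta_pe).is_file():
            # should trigger rundll32 rules
            _ = _common.execute_command(["rundll32.exe", rta_dll, "DllMain"])
            # should trigger dll sideload from current dir
            # NOTE: rta_pe is a fixed path expanded from %localappdata% only; it is
            # handed to the shell as a string, so never splice external input into it
            _ = _common.execute_command(rta_pe, shell=True)
    finally:
        # cleanup
        _ = _common.execute_command(["taskkill", "/f", "/im", "notepad.exe"])
        log.info("Cleanup.")
        for staged in (tempc, rta_dll, rta_pe):
            # DeleteFile raises on a missing path, which would abort the rest of
            # the cleanup; skip anything that was never created
            if Path(staged).is_file():
                win32file.DeleteFile(staged)
    log.info("RTA Done!")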