def get_payloads()

in tools/icedid/gzip-variant/extract_payloads_from_core.py [0:0]


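def get_payloads(path: str) -> dict[str, bytes]:
    """Extract the embedded browser-hook payloads from a core binary.

    The file at ``path`` is scanned with the module-level ``RULES`` to find
    the payload decryption routine, then parsed with LIEF so the matched file
    offset can be turned into an address for ``get_browser_hook_payloads``.

    Args:
        path: Filesystem path of the core sample to analyse. The sample is
            untrusted input; it is only scanned and parsed here, never run.

    Returns:
        A mapping of generated file names (``browser_hook_payload_<i>.cpe``)
        to payload bytes. The names come from the enumeration index alone,
        never from data inside the sample, so sample content cannot influence
        where a caller writes them. The mapping is empty when no
        ``$browser_hook_payloads_decryption`` string matched.

    Raises:
        RuntimeError: If ``RULES`` does not match the file, or if LIEF cannot
            parse it.
    """
    if not (match := RULES.match(path)):
        raise RuntimeError("Failed to find core's functions")

    core = lief.parse(path)
    # lief.parse() reports failure by returning None instead of raising. Fail
    # here with a clear message rather than with an AttributeError later on.
    if core is None:
        raise RuntimeError(f"Failed to parse core binary: {path}")

    result: dict[str, bytes] = {}

    for string in match[0].strings:
        if string.identifier != "$browser_hook_payloads_decryption":
            continue

        # Only the first occurrence of the pattern is used. Its file offset is
        # converted by LIEF and the image base is added on top, so the
        # converted value is treated as image-relative.
        # NOTE(review): confirm this against the LIEF version in use.
        decryption_address = (
            core.offset_to_virtual_address(string.instances[0].offset)
            + core.imagebase
        )

        for i, payload in enumerate(
            get_browser_hook_payloads(core, decryption_address)
        ):
            result[f"browser_hook_payload_{i}.cpe"] = payload

    return result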