def find_browser_hook_payloads()

in tools/icedid/gzip-variant/extract_payloads_from_core.py [0:0]


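def find_browser_hook_payloads(pe: lief.Binary, address: int) -> list[tuple[int, int]]:
    """Locate the ``(address, size)`` pairs of the browser-hook payloads.

    Disassembles ``SIZE`` bytes of 64-bit x86 code starting at ``address``
    and looks for a ``lea`` instruction followed by an instruction whose
    second operand is an immediate; the immediate is taken as the payload
    size.  The ``lea`` target is resolved as ``disp + address of the next
    instruction``, i.e. the displacement is assumed to be RIP-relative.
    Collection stops once two payloads have been found.

    Args:
        pe: the loaded binary the code bytes are read from.
        address: virtual address at which disassembly starts.

    Returns:
        Up to two ``(payload_address, size)`` tuples in the order found.
        A ``lea`` that is the last instruction of the window, or whose
        successor does not carry an immediate second operand, is skipped
        instead of raising ``IndexError`` or recording a bogus size.
    """
    cs = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_64)
    # Operand details (.mem.disp / .imm / .type) are only populated with detail on.
    cs.detail = True

    code = bytes(pe.get_content_from_virtual_address(address, SIZE))
    instructions = list(cs.disasm(code, address, SIZE))

    result: list[tuple[int, int]] = []
    for i, instruction in enumerate(instructions):
        if len(result) == 2:
            break
        if instruction.mnemonic != "lea":
            continue

        # The window may end on the lea itself; indexing i + 1 blindly
        # raised IndexError in that case.
        if i + 1 >= len(instructions):
            break

        next_operands = instructions[i + 1].operands
        if len(next_operands) < 2 or next_operands[1].type != capstone.CS_OP_IMM:
            # Without an immediate operand, reading .imm returns whatever the
            # operand value union happens to hold, not a size.
            continue

        # Resolve the displacement against the address following the lea
        # (RIP-relative addressing).
        payload_address = (
            instruction.operands[1].mem.disp
            + instruction.address
            + instruction.size
        )
        result.append((payload_address, next_operands[1].imm))

    return result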