in tools/icedid/gzip-variant/extract_payloads_from_core.py [0:0]
def get_browser_hook_payloads(pe: lief.Binary, address: int) -> list[bytes]:
    """Locate, read and decrypt the browser hook payloads embedded in *pe*.

    The payload locations are obtained from ``find_browser_hook_payloads``
    (``address`` is passed through to it unchanged). Each location is a
    ``(virtual_address, size)`` pair; the bytes at that virtual address are
    read from the image and handed to ``crypto.decrypt_0``.

    Args:
        pe: The parsed PE image the payloads are carved from.
        address: Starting point handed to ``find_browser_hook_payloads``;
            its exact meaning is defined by that helper.

    Returns:
        The successfully decrypted payloads, in the order their locations
        were reported. A payload whose decryption yields an empty/falsy
        result is reported on stdout and left out of the list.

    Raises:
        RuntimeError: If no payload location could be found at all.

    NOTE(review): the returned buffers are decrypted content lifted straight
    out of the analysed sample; downstream code should treat them as
    untrusted data (parse/scan/write out), never load or run them.
    """
    locations = find_browser_hook_payloads(pe, address)
    if not locations:
        raise RuntimeError("Failed to find browser hook payloads' location")
    # Two locations are expected; a single hit is reported but still processed.
    if len(locations) == 1:
        print("Only 1/2 browser hook payloads' location has been found")

    decrypted: list[bytes] = []
    for index, (virtual_address, size) in enumerate(locations):
        raw = bytes(pe.get_content_from_virtual_address(virtual_address, size))
        plain = crypto.decrypt_0(raw)
        if plain:
            decrypted.append(plain)
        else:
            # Falsy result (e.g. empty output) counts as a failed decryption.
            print(f"Failed to decrypt payload #{index}.")
    return decrypted