in nightMARE/src/nightmare/malware/icedid/custom_pe.py [0:0]
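def __apply_relocations_aux(self, relocations_address: int) -> None:
    """Apply the base relocations of the mapped image, block by block.

    The table is read in place as a sequence of IMAGE_BASE_RELOCATION
    blocks starting at ``relocations_address``; a block whose SizeOfBlock
    is zero terminates the walk. Each 16-bit entry carries the relocation
    type in its top 4 bits and an offset in its low 12 bits. HIGHLOW
    (32-bit) and DIR64 (64-bit) fixups are rebased from the image base
    recorded in the custom PE structure to ``self.__base_address``; every
    other type is skipped.

    Args:
        relocations_address: Absolute address, in this process, of the
            first relocation block.

    NOTE(review): every size, RVA and offset read here comes from the
    sample, and this function has no table size or mapping size to check
    them against. A crafted table can therefore direct reads and writes
    outside the mapped image; bounds have to be enforced by the caller or
    added here once the mapping size is available.
    """

    # The fixup delta is the same for every entry, so compute it once.
    delta = self.__base_address - self.__custom_pe.structure.imagebase

    while True:
        relocations = ctypes.cast(
            relocations_address, ctypes.POINTER(win32.IMAGE_BASE_RELOCATION)
        ).contents

        # Copy the header fields: `relocations` is a live view of memory.
        block_size = relocations.SizeOfBlock
        block_rva = relocations.VirtualAddress

        if not block_size:
            break

        # A block smaller than its own header cannot be valid; stop instead
        # of advancing by a bogus size and parsing misaligned data.
        if block_size < SIZEOF_IMAGE_BASE_RELOCATION:
            break

        # SizeOfBlock is a byte count covering the header plus the entries,
        # so the entry count is the remainder divided by the entry size.
        # (The previous code used this count as an end *address*, which cut
        # the walk short and skipped most entries.)
        entry_count = (block_size - SIZEOF_IMAGE_BASE_RELOCATION) // 2
        entries = ctypes.cast(
            relocations_address + SIZEOF_IMAGE_BASE_RELOCATION,
            ctypes.POINTER(ctypes.c_uint16),
        )

        for index in range(entry_count):
            relocation = entries[index]
            relocation_type = relocation >> 12
            relocation_offset = relocation & 0xFFF

            match relocation_type:
                case win32.IMAGE_REL_BASED_HIGHLOW:
                    type_ = ctypes.c_uint32
                case win32.IMAGE_REL_BASED_DIR64:
                    type_ = ctypes.c_uint64
                case _:
                    continue

            ptr = ctypes.cast(
                self.__base_address + block_rva + relocation_offset,
                ctypes.POINTER(type_),
            )

            # Write through the pointer. Assigning to `ptr.contents` only
            # re-targets the Python-side pointer object and leaves the
            # image bytes untouched, so the fixup would never be applied.
            mask = (1 << (8 * ctypes.sizeof(type_))) - 1
            ptr[0] = (ptr[0] + delta) & mask

        relocations_address += block_size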