import logging from malduck.extractor import Extractor from malduck.procmem import ProcessMemory from malduck.yara import YaraRuleMatch from ..utils import Config, get_rule_metadata logger = logging.getLogger(__name__) class Citadel(Extractor): family: str = "citadel" yara_rules: tuple = ("citadel",) overrides: list = ["zeus"] @Extractor.extractor("briankrebs") def citadel_found(self, p: ProcessMemory, addr: int) -> dict: logger.info("[+] `Coded by Brian Krebs` str @ %X" % addr) return {"family": self.family} @Extractor.rule def citadel(self, p: ProcessMemory, match: YaraRuleMatch) -> Config | bool: _info: Config = get_rule_metadata(match) return _info @Extractor.extractor def cit_salt(self, p: ProcessMemory, addr: int) -> dict: salt = p.uint32v(addr - 8) logger.info("[+] Found salt @ %X - %x" % (addr, salt)) return {self.family: {"salt": salt}}