From c5270d908b3befc0946b1367c9ac815aebc8e646 Mon Sep 17 00:00:00 2001 From: kevross33 Date: Fri, 4 Oct 2024 16:04:09 +0100 Subject: [PATCH] Update packer_vmprotect.py Correct signature to use new format for PE static info --- modules/signatures/all/packer_vmprotect.py | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/modules/signatures/all/packer_vmprotect.py b/modules/signatures/all/packer_vmprotect.py index 169ef4c2..38826d4b 100644 --- a/modules/signatures/all/packer_vmprotect.py +++ b/modules/signatures/all/packer_vmprotect.py @@ -15,7 +15,6 @@ from lib.cuckoo.common.abstracts import Signature - class VMPPacked(Signature): name = "packer_vmprotect" description = "The executable is likely packed with VMProtect" @@ -29,11 +28,15 @@ class VMPPacked(Signature): mbcs = ["OB0001", "OB0002", "OB0006", "F0001", "F0001.010"] def run(self): - if "static" in self.results and "pe" in self.results["static"]: - if "sections" in self.results["static"]["pe"]: - for section in self.results["static"]["pe"]["sections"]: + ret = False + + target = self.results.get("target", {}) + if target.get("category") in ("file", "static") and target.get("file"): + pe = self.results["target"]["file"].get("pe", []) + if pe: + for section in pe["sections"]: if section["name"].lower().startswith(".vmp"): self.data.append({"section": section}) - return True + ret= True - return False + return ret