Minor changes on top of small_optimizations PR#45
Merged
Conversation
- config_normalization: strip underscores from alias keys at map-build time so "mutex_string" (and similar) actually resolves to "Mutex". Restore unconditional underscore-stripping on the returned key to preserve prior behavior for unrecognized keys.
- rat_config_parser._attempt_decryption: replace the unreachable conditional trailing return with an unconditional raise to make the "decrypt-or-raise" invariant explicit.
- config_decryptor_aes_with_iv: restore the -> list[bytes] and -> dict[str, str] return type hints that were dropped during reformatting.
- config_decryptor_aes_with_iv._get_aes_metadata: document why key_size/block_size/algo are extracted once and shared across all metadata candidates.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Contributor
Code Review
This pull request refactors the decryption attempt logic to raise an exception directly if all decryptors fail, updates configuration key normalization to strip underscores during both map construction and lookup, and includes minor formatting and documentation improvements. The review feedback suggests further enhancing the normalization process by making it case-insensitive to ensure more robust key mapping.
PR #44 introduced a `successfully_decrypted_count == 0` guard at the end of `decrypt_encrypted_strings` that raises if no string was successfully decrypted. For template/builder samples (e.g. unconfigured AsyncRAT builds where every config value is a placeholder like `%Anti%`), every value fails the b64/length filter and is passed through unchanged without any decryption being attempted. The guard then raised, causing `_attempt_decryption` to discard the AES decryptor and fall through to the plaintext decryptor, which has no salt -- so `report["salt"]` was reported as "None" instead of the actual extracted salt. Track attempted decryptions separately and only raise when at least one string was actually attempted but every attempt failed. Template samples have zero attempts and now fall through cleanly with the AES decryptor intact, restoring the master behavior of reporting the salt. Verified against all 14 known sample expected outputs. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary
Follow-up changes on top of #44:
- config_normalization: Strip underscores from alias keys at map-build time so aliases like `mutex_string` actually resolve to `Mutex`. Restore unconditional underscore-stripping on the returned key to preserve the prior behavior for unrecognized keys.
- rat_config_parser._attempt_decryption: Replace the unreachable conditional trailing `return` with an unconditional `raise` to make the "decrypt-or-raise" invariant explicit.
- config_decryptor_aes_with_iv: Restore the `-> list[bytes]` and `-> dict[str, str]` return type hints that were dropped during reformatting, and document why `key_size`/`block_size`/`algo` are extracted once and shared across all metadata candidates.
- config_decryptor_aes_with_iv.decrypt_encrypted_strings: Fix a regression introduced in Small optimizations #44 where the new `successfully_decrypted_count == 0` guard caused template/builder samples (e.g. unconfigured AsyncRAT builds whose config values are all placeholders like `%Anti%`) to fall through to the plaintext decryptor and lose the reported `salt`. Now tracks attempted decryptions separately and only raises when at least one decryption was attempted and all attempts failed.
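The two behaviours the Summary describes (underscore-stripped alias lookup, and raising only when decryptions were attempted and all failed), as an added Python example that is not the project's code: `normalize_key`, `looks_encrypted`, `DecryptionFailed`, `toy_encrypt`/`toy_decrypt` and the alias table are hypothetical stand-ins, and base64 replaces real AES so it runs offline.

```python
import base64

# Hypothetical stand-ins for the parser's pieces, not the project's own code.
# config_normalization: aliases lose their underscores when the map is built,
# so "mutex_string" resolves; unrecognized keys are still underscore-stripped.
_ALIASES = {"mutex_string": "Mutex", "host_list": "Hosts"}  # constructed sample
_ALIAS_MAP = {k.replace("_", ""): v for k, v in _ALIASES.items()}

def normalize_key(key: str) -> str:
    stripped = key.replace("_", "")
    return _ALIAS_MAP.get(stripped, stripped)

class DecryptionFailed(Exception):
    pass

def looks_encrypted(value: str, min_len: int = 16) -> bool:
    """The b64/length filter; placeholders such as '%Anti%' fail it."""
    if len(value) < min_len:
        return False
    try:
        base64.b64decode(value, validate=True)  # binascii.Error is a ValueError
        return True
    except ValueError:
        return False

def decrypt_encrypted_strings(config: dict[str, str], decrypt) -> dict[str, str]:
    """Decrypt each value that passes the filter, counting attempts separately.
    Raise only when at least one decryption was attempted and all failed; a
    zero-attempt template sample is returned unchanged, so the caller keeps
    the AES decryptor (and its salt) instead of falling through."""
    attempted = succeeded = 0
    out: dict[str, str] = {}
    for key, value in config.items():
        if not looks_encrypted(value):
            out[key] = value  # passed through, no attempt made
            continue
        attempted += 1
        try:
            out[key] = decrypt(value)
            succeeded += 1
        except DecryptionFailed:
            out[key] = value
    if attempted and not succeeded:
        raise DecryptionFailed("every attempted decryption failed")
    return out

def toy_encrypt(plaintext: str) -> str:  # base64 stand-in so the example runs offline
    return base64.b64encode(plaintext.encode()).decode()

def toy_decrypt(value: str) -> str:
    return base64.b64decode(value).decode()
```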