fix when default mask is used

fixes errors cause when looking at .NET binaries.
Cisco-Talos · May 12, 2017 · f04489d · f04489d
1 parent 59bba2a
commit f04489d
Showing 1 changed file with 15 additions and 2 deletions.
diff --git a/clamav_sig_creator.py b/clamav_sig_creator.py
@@ -494,7 +494,7 @@ def __init__(self, bits):
     def get_masking(self):
         return []
 
-    def set_masking(self):
+    def set_masking(self, masking):
         pass
 
     def register_signals(self, apply_mask_func, custom_ui_func):
@@ -647,6 +647,19 @@ def register_gui_signals(self, gui_obj, apply_mask_func, custom_ui_func):
     def setEnable(self, gui_obj, is_enabled=False):
         pass
 
+    def mask_instruction(self, ea, maskings):
+        instruction = IDAW.DecodeInstruction(ea)
+        if not instruction:
+            return ('db 0x{0:02}'.format(Byte(ea)), ' '.join(['{:02x}'.format(IDAW.Byte(ea))]))
+
+        size = IDAW.DecodeInstruction(ea).size
+        original = ' '.join(['{:02x}'.format(IDAW.Byte(ea + i)) for i in xrange(size)])
+        disassembly = IDAW.tag_remove(IDAW.generate_disasm_line(ea, 1))
+        if ';' in disassembly:
+            disassembly = disassembly[:disassembly.index(';')].rstrip()
+
+        return (disassembly, original)
+
 class IntelParser(CASCParser):
     prefixes = '^([\xf0\xf3\xf2\x2e\x36\x3e\x26\x64\x65\x66\x67]{1,4})'
     prefixes_x64 = '^((?:[\xf0\xf3\xf2\x2e\x36\x3e\x26\x64\x65\x66\x67]|\x0f(?:\x38|\x3a){0,1}){1,4})'
@@ -1292,7 +1305,7 @@ def fixup_opcodes(self, opcodes):
                         _opcodes[i][k - len(prev_data)] = replace
                     else:
                         _opcodes[next][k - len(prev_data) - len(cur_data)] = replace
-                        
+
         return [' '.join(x) for x in _opcodes]
 
     def mask_opcodes_tuple(self, options):