use anyhow::Result;
use exe::VecPE;
use iced_x86::{Code, Decoder, DecoderOptions};
use yara_x::{Compiler, Scanner};
use crate::{extractor::dmsniff::rules::RULE_PREFIX, utils::get_bitness_from_pe};
/// Recovers the hard-coded domain prefix embedded in a DMSniff DGA function.
///
/// `function_data` is scanned with the `RULE_PREFIX` YARA rule. Every match is
/// disassembled with the bitness taken from `pe` and treated as a run of
/// `MOV r/m8, imm8` (`Code::Mov_rm8_imm8`) byte stores; each non-zero immediate
/// is appended, in decode order, to the returned string. The first instruction
/// that is not such a store ends the extraction, and whatever has been collected
/// up to that point — across all matches visited so far — is returned. Bytes are
/// never written anywhere; the sample is only read.
///
/// # Errors
/// Returns an error if `RULE_PREFIX` fails to compile or the scan itself fails.
pub fn extract_prefix_from_dga_function(pe: &VecPE, function_data: &[u8]) -> Result<String> {
    // The rule set is compiled on every call; cheap for a single rule.
    let mut compiler = Compiler::new();
    compiler.add_source(RULE_PREFIX)?;
    let rules = compiler.build();
    let mut scanner = Scanner::new(&rules);
    let scan = scanner.scan(function_data)?;

    let bitness = get_bitness_from_pe(pe);
    let mut prefix = String::new();

    'regions: for rule in scan.matching_rules() {
        for pattern in rule.patterns() {
            for region in pattern.matches() {
                for insn in Decoder::new(bitness, region.data(), DecoderOptions::NONE) {
                    // Anything other than a byte-immediate store terminates the
                    // prefix, regardless of how many matches remain unvisited.
                    if insn.code() != Code::Mov_rm8_imm8 {
                        break 'regions;
                    }
                    match insn.immediate8() {
                        0 => {}
                        // NOTE(review): `char::from(u8)` maps 0x80..=0xFF to
                        // U+0080..=U+00FF (Latin-1), not to the raw byte; fine if
                        // the prefix is always ASCII — confirm against samples.
                        byte => prefix.push(char::from(byte)),
                    }
                }
            }
        }
    }

    Ok(prefix)
}