Fix TrickBot parser

modules/processing/parsers/malwareconfig/TrickBot.py

@@ -99,13 +99,16 @@ def get_rsrc(pe):
                             ret.append((name,data,resource_lang.data.struct.Size,resource_type))
     return ret
 
+def va_to_fileoffset(pe, va):
+    rva = va - pe.OPTIONAL_HEADER.ImageBase
+    for section in pe.sections:
+        if rva >= section.VirtualAddress and rva < section.VirtualAddress + section.Misc_VirtualSize:
+            return rva - section.VirtualAddress + section.PointerToRawData
+
 def decode_onboard_config(data):
     try:
         pe = pefile.PE(data=data)
         rsrcs = get_rsrc(pe)
-        for section in pe.sections:
-            if b".text" in section.Name:
-                delta = pe.OPTIONAL_HEADER.ImageBase + section.VirtualAddress - section.PointerToRawData
     except:
         return
 
@@ -130,9 +133,10 @@ def decode_onboard_config(data):
         return
     offset = int(snippet['$snippet1'])
     key_len     = struct.unpack("<L", data[offset+10:offset+14])[0]
-    key_offset  = struct.unpack("<L", data[offset+15:offset+19])[0] - delta
-    data_offset = struct.unpack("<L", data[offset+20:offset+24])[0] - delta
-    size_offset = struct.unpack("<L", data[offset+53:offset+57])[0] - delta
+    key_offset  = struct.unpack("<L", data[offset+15:offset+19])[0]
+    key_offset  = va_to_fileoffset(pe, int(struct.unpack("<L", data[offset+15:offset+19])[0]))
+    data_offset = va_to_fileoffset(pe, int(struct.unpack("<L", data[offset+20:offset+24])[0]))
+    size_offset = va_to_fileoffset(pe, int(struct.unpack("<L", data[offset+53:offset+57])[0]))
     size = size_offset - data_offset
     key = data[key_offset:key_offset+key_len]
     key = [key[i:i+4] for i in range(0, len(key), 4)]
@@ -147,7 +151,10 @@ def decode_onboard_config(data):
 
 def config(data):
     xml = decode_onboard_config(data)
-    root = ET.fromstring(xml)
+    try:
+        root = ET.fromstring(xml)
+    except:
+        return
     raw_config = {}
     for child in root: