fox-srt · November 10, 2023 17:11 · fox-srt · Dec 18, 2023
diff --git a/defender.py b/defender.py
 from dissect.cstruct import cstruct

 defender_def= """
 struct QuarantineEntryFileHeader {
    CHAR        MagicHeader[4];
    CHAR        Unknown[4];
    CHAR        _Padding[32];
    DWORD       Section1Size;
    DWORD       Section2Size;
    DWORD       Section1CRC;
    DWORD       Section2CRC;
    CHAR        MagicFooter[4];
 };

 struct QuarantineEntrySection1 {
    CHAR    Id[16];
    CHAR    ScanId[16];
    QWORD   Timestamp;
    QWORD   ThreatId;
    DWORD   One;
    CHAR    DetectionName[];
 };

 struct QuarantineEntrySection2 {
    DWORD   EntryCount;
    DWORD   EntryOffsets[EntryCount];
 };

 struct QuarantineEntryResource {
    WCHAR   DetectionPath[];
    WORD    FieldCount;
    CHAR    DetectionType[];
 };

 struct QuarantineEntryResourceField {
    WORD        Size;
    WORD        Identifier:12;
    FIELD_TYPE  Type:4;
    CHAR        Data[Size];
 };
 """

 c_defender = cstruct()
 c_defender.load(defender_def)


 class QuarantineEntry:
    def __init__(self, fh: BinaryIO):
        # Decrypt & parse the header so that we know the section sizes
        self.header = c_defender.QuarantineEntryFileHeader(rc4_crypt(fh.read(60)))

        # Decrypt & parse Section 1. This will tell us some information about this quarantine entry.
        # These properties are shared for all quarantine entry resources associated with this quarantine entry.
        self.metadata = c_defender.QuarantineEntrySection1(rc4_crypt(fh.read(self.header.Section1Size)))

        # [...] 

        # The second section contains the number of quarantine entry resources contained in this quarantine entry,
        # as well as their offsets. After that, the individal quarantine entry resources start.
        resource_buf = BytesIO(rc4_crypt(fh.read(self.header.Section2Size)))
	from dissect.cstruct import cstruct

	defender_def= """
	struct QuarantineEntryFileHeader {
	CHAR MagicHeader[4];
	CHAR Unknown[4];
	CHAR _Padding[32];
	DWORD Section1Size;
	DWORD Section2Size;
	DWORD Section1CRC;
	DWORD Section2CRC;
	CHAR MagicFooter[4];
	};

	struct QuarantineEntrySection1 {
	CHAR Id[16];
	CHAR ScanId[16];
	QWORD Timestamp;
	QWORD ThreatId;
	DWORD One;
	CHAR DetectionName[];
	};

	struct QuarantineEntrySection2 {
	DWORD EntryCount;
	DWORD EntryOffsets[EntryCount];
	};

	struct QuarantineEntryResource {
	WCHAR DetectionPath[];
	WORD FieldCount;
	CHAR DetectionType[];
	};

	struct QuarantineEntryResourceField {
	WORD Size;
	WORD Identifier:12;
	FIELD_TYPE Type:4;
	CHAR Data[Size];
	};
	"""

	c_defender = cstruct()
	c_defender.load(defender_def)


	class QuarantineEntry:
	def __init__(self, fh: BinaryIO):
	# Decrypt & parse the header so that we know the section sizes
	self.header = c_defender.QuarantineEntryFileHeader(rc4_crypt(fh.read(60)))

	# Decrypt & parse Section 1. This will tell us some information about this quarantine entry.
	# These properties are shared for all quarantine entry resources associated with this quarantine entry.
	self.metadata = c_defender.QuarantineEntrySection1(rc4_crypt(fh.read(self.header.Section1Size)))

	# [...]

	# The second section contains the number of quarantine entry resources contained in this quarantine entry,
	# as well as their offsets. After that, the individal quarantine entry resources start.
	resource_buf = BytesIO(rc4_crypt(fh.read(self.header.Section2Size)))