
Fix type checks and improve config parsing logic#42

Merged
jeFF0Falltrades merged 3 commits into jeFF0Falltrades:master from CAPESandbox:reapply
Jan 12, 2026

Conversation

@doomedraven
Contributor

Replaced type() checks with isinstance() for better subclass handling in rat_config_parser.py. Fixed variable naming and logic errors in config_decryptor_random_hardcoded.py. Improved key extraction logic in config_decryptor_rijndael.py. Refactored bytes/int conversion utility functions for clarity and correctness. Optimized CustomAttribute lookup in dotnetpe_payload.py for efficiency.

This is a reapply of the reverted changes, with your changes merged in.

@gemini-code-assist
Contributor

Summary of Changes

Hello @doomedraven, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request focuses on enhancing the robustness, correctness, and efficiency of the configuration parsing and decryption mechanisms. It addresses several areas, including adopting Pythonic type checking, rectifying logic errors in config item processing, refining variable naming for better code clarity, and optimizing attribute lookup performance. The changes collectively aim to improve the reliability and maintainability of the parser's core functionalities.

Highlights

  • Type Checking Best Practices: Replaced direct type() comparisons with isinstance() checks for EncryptedStringConfigItem and ByteArrayConfigItem in rat_config_parser.py, ensuring proper handling of subclasses.
  • Config Parsing Logic Fixes: Corrected a logic error in rat_config_parser.py where the UrlHost presence check was incorrectly performed against item_data instead of the accumulated decoded_config.
  • Variable Naming Clarity: Renamed parameters in bytes_to_int and int_to_bytes functions within data_utils.py from bytes and int to data and value respectively, to avoid shadowing built-in types.
  • Hardcoded Host Extraction Correction: Fixed a variable assignment error in config_decryptor_random_hardcoded.py to ensure correct population of the hardcoded_hosts list.
  • Rijndael Key Extraction Robustness: Improved the key extraction logic in config_decryptor_rijndael.py by adding checks for search results and ensuring the raw_key_field exists in encrypted_strings before attempting key derivation.
  • Performance Optimization: Optimized the custom_attribute_from_type method in dotnetpe_payload.py by pre-caching CustomAttribute rows into a map, significantly improving lookup efficiency.

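The first highlight above is the subclass pitfall behind the PR title. As an added illustration (not code from rat_king_parser), here is a minimal config-item decode loop that shows why an exact type() comparison drops a subclass that isinstance() still handles, together with a UrlHost check performed against the accumulated decoded config rather than a single item. ConfigItem, EncryptedStringConfigItem and ByteArrayConfigItem borrow the PR's names; Base64EncryptedStringConfigItem, decode_config, has_url_host and the single-byte XOR stand-in cipher are assumptions made for this example.

```python
# Added example, not code from rat_king_parser: a minimal config-item decode
# loop showing why isinstance() handles subclasses where type() does not.
# ConfigItem, EncryptedStringConfigItem and ByteArrayConfigItem mirror the
# names in the PR; Base64EncryptedStringConfigItem, decode_config and
# has_url_host are hypothetical, and the XOR "cipher" is a constructed stand-in.
from dataclasses import dataclass

KEY = 0x2A  # constructed single-byte key for the stand-in cipher


@dataclass
class ConfigItem:
    name: str
    data: bytes


class EncryptedStringConfigItem(ConfigItem):
    pass


class ByteArrayConfigItem(ConfigItem):
    pass


class Base64EncryptedStringConfigItem(EncryptedStringConfigItem):
    """Hypothetical subclass; an exact type() comparison silently misses it."""


def xor(data: bytes) -> bytes:
    return bytes(b ^ KEY for b in data)


def decode_config(items, use_isinstance=True):
    """Decode items into a dict; use_isinstance=False reproduces the old check."""
    decoded_config = {}
    for item in items:
        if use_isinstance:
            is_enc = isinstance(item, EncryptedStringConfigItem)
            is_bytes = isinstance(item, ByteArrayConfigItem)
        else:  # pre-PR behaviour: exact type match only, subclasses fall through
            is_enc = type(item) is EncryptedStringConfigItem
            is_bytes = type(item) is ByteArrayConfigItem
        if is_enc:
            decoded_config[item.name] = xor(item.data).decode()
        elif is_bytes:
            decoded_config[item.name] = item.data.hex()
        else:  # plain-text item: stored as-is (wrong for a missed subclass)
            decoded_config[item.name] = item.data.decode()
    return decoded_config


def has_url_host(decoded_config: dict) -> bool:
    # The PR's second fix: check the accumulated config, not one item's data.
    return "UrlHost" in decoded_config
```

Running decode_config with use_isinstance=False leaves the Base64 subclass item undecrypted in the output, which is exactly the silent misparse the isinstance() change prevents.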


@gemini-code-assist gemini-code-assist bot left a comment


Code Review

The pull request introduces several positive changes, including replacing type() checks with isinstance() for better subclass handling, improving key extraction logic in config_decryptor_rijndael.py with added robustness checks, and optimizing CustomAttribute lookup in dotnetpe_payload.py for efficiency. Additionally, parameter names that shadowed Python built-in types have been refactored for clarity. However, a critical bug has been introduced in config_decryptor_random_hardcoded.py due to incorrect variable reassignment, which needs immediate attention.

@jeFF0Falltrades
Owner

@doomedraven: This looks good; please bump the version in _version.py to 4.2.3 and it should be good to go.

The malware sample CI will not run on PRs from forked branches because it depends on a secret embedded in this repo - GitHub doesn't pass that secret to PRs from forked branches.

That said, it is set up to run on merge, so if anything fails, the merge will let us know.

@doomedraven
Contributor Author

done

@jeFF0Falltrades jeFF0Falltrades merged commit 3a77472 into jeFF0Falltrades:master Jan 12, 2026
1 check passed
@doomedraven doomedraven deleted the reapply branch January 12, 2026 16:00