From 604fae35199bc5c83e8fd38f13278e82a8083580 Mon Sep 17 00:00:00 2001
From: Willi Ballenthin
Date: Wed, 22 Apr 2026 22:19:59 +0300
Subject: [PATCH] fix: replace zipfile with pyzipper in minimize_vmray_results.py so output archive is AES-encrypted

zipfile.ZipFile.setpassword() only affects reads; writing encrypted entries requires pyzipper with WZ_AES encryption.

Add pyzipper to scripts optional dependencies.
---
 CHANGELOG.md | 2 +-
 pyproject.toml | 1 +
 scripts/minimize_vmray_results.py | 14 ++++++++++----
 3 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 517396c1..e07a3544 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -48,8 +48,8 @@
 - fix: remove unreachable backports.functools_lru_cache fallback and dead dependency @williballenthin
 - fix: Scopes.from_dict uses cls instead of self so subclasses return the correct type @williballenthin
 - fix: correct wrong dict key in VMRay _compute_monitor_threads assertion (used thread_id instead of process_id) @williballenthin
-fix: replace assert with isinstance guard in get_callee for invalid MethodSpec tokens @williballenthin
 - fix: replace assert with isinstance guard in get_callee for invalid MethodSpec tokens @williballenthin
+- fix: replace zipfile with pyzipper in minimize_vmray_results.py so output archive is AES-encrypted @williballenthin (SURF-88)
 - fix: assign yara_strings/yara_condition to empty string when Some has cmin=0 to prevent UnboundLocalError @williballenthin (SURF-87)
 - fix: parenthesize s_type checks in capa2yara.py so kid.name != "Some" guard applies to And/Or/Not uniformly @williballenthin (SURF-86)
 - fix: correct operator precedence in FeatureRegexRegistryControlSetMatchIncomplete to avoid false positives on unrelated currentcontrolset patterns @williballenthin (SURF-85)
diff --git a/pyproject.toml b/pyproject.toml
index 2bcf8208..b9187030 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -163,6 +163,7 @@ scripts = [
 "stix2==3.0.1",
 "sarif_om==1.0.4",
 "requests>=2.32.4",
+"pyzipper>=0.3.6",
 ]
 ghidra = [
 "pyghidra>=3.0.0",
diff --git a/scripts/minimize_vmray_results.py b/scripts/minimize_vmray_results.py
index e90c1a17..37e20a29 100644
--- a/scripts/minimize_vmray_results.py
+++ b/scripts/minimize_vmray_results.py
@@ -19,10 +19,11 @@ Extract files relevant to capa analysis from VMRay Analysis Archive and create a
 import sys
 import logging
-import zipfile
 import argparse
 from pathlib import Path
 
+import pyzipper
+
 from capa.features.extractors.vmray import DEFAULT_ARCHIVE_PASSWORD, VMRayAnalysis
 
 logger = logging.getLogger(__name__)
@@ -55,11 +56,16 @@ def main(argv=None):
     sample_sha256: str = vmra.submission_meta.hash_values.sha256.lower()
     new_zip_name = f"{analysis_archive.parent / analysis_archive.stem}_min.zip"
 
-    with zipfile.ZipFile(new_zip_name, "w") as new_zip:
+    with pyzipper.AESZipFile(
+        new_zip_name, "w", compression=pyzipper.ZIP_DEFLATED, encryption=pyzipper.WZ_AES
+    ) as new_zip:
+        new_zip.setpassword(args.password.encode("ascii"))
         new_zip.writestr("logs/summary_v2.json", sv2_json)
         new_zip.writestr("logs/flog.xml", flog_xml)
-        new_zip.writestr(f"internal/static_analyses/{sample_sha256}/objects/files/{sample_sha256}", sample_file_buf)
-        new_zip.setpassword(args.password.encode("ascii"))
+        new_zip.writestr(
+            f"internal/static_analyses/{sample_sha256}/objects/files/{sample_sha256}",
+            sample_file_buf,
+        )
 
     # ensure capa loads the minimized archive
     assert isinstance(VMRayAnalysis(Path(new_zip_name)), VMRayAnalysis)
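Review bot: The trailing self-check `assert isinstance(VMRayAnalysis(Path(new_zip_name)), VMRayAnalysis)` now has to open a genuinely encrypted archive, and it only passes if VMRayAnalysis reads the minimized zip with the same password the script just wrote it with; if the constructor falls back to DEFAULT_ARCHIVE_PASSWORD internally (it is imported in the first hunk of this file but never passed here), a run with a non-default `args.password` produces an archive that this check cannot open. Either pass the password through when constructing VMRayAnalysis, if its constructor accepts one, or record the assumption next to the `with`: `# the minimized archive is encrypted under args.password; VMRayAnalysis must be able to open it with that same password`. `args.password.encode("ascii")` raises UnicodeEncodeError for a non-ASCII password, and since the encoded bytes now decide the key the archive is written under, an explicit check or a one-line comment on the ASCII requirement is worth adding. A short comment stating why the output is encrypted at all (presumably so the embedded sample is not picked up by AV scanning rather than for confidentiality, if that is the intent) would help the next reader understand what the password is protecting. main() starts outside the hunk.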