def peek_office(self, files):
    """Run the "office" quick-YARA scan over every file and push the ones that match.

    ``files`` maps filename -> raw content. The filename is handed to the rules
    as the ``filename`` external (the only external set here). Content that
    ``Buffer(...).get_yara_quick("office", externals)`` reports as matching is
    forwarded to ``self.push_blob`` tagged ``"office"`` with those same externals;
    everything else is dropped silently.
    """
    for name, data in files.items():
        yara_externals = {"filename": name}
        matched = Buffer(data).get_yara_quick("office", yara_externals)
        if not matched:
            continue
        self.push_blob(data, "office", yara_externals)
def test_yara_quick(self):
    """The quick "binaries" YARA scan must report exactly ``vmdetect`` for an SSEXY payload.

    Runs inside a fresh temporary Cuckoo working directory (``set_cwd`` on a
    ``tempfile.mkdtemp()`` directory, then ``cuckoo_create`` + ``init_yara``).
    The sample is the SSEXY byte pattern from vmdetect.yar with every ``??``
    wildcard concretised to 0x00, preceded by 64 bytes of ``"A"`` padding.
    """
    # NOTE(review): the mkdtemp() directory is never removed; harmless for a
    # throwaway test CWD, but a shutil.rmtree in teardown would keep /tmp clean.
    set_cwd(tempfile.mkdtemp())
    cuckoo_create()
    init_yara()

    # SSEXY payload as per vmdetect.yar; "??" marks a wildcard byte.
    ssexy_pattern = (
        "66 0F 70 ?? ?? 66 0F DB ?? ?? ?? ?? "
        "?? 66 0F DB ?? ?? ?? ?? ?? 66 0F EF "
    )
    # Concretise each wildcard to 0x00 and drop the spacing before hex-decoding
    # (Python 2 str.decode("hex"), matching the rest of this file).
    hex_tokens = [
        "00" if token == "??" else token
        for token in ssexy_pattern.split()
    ]
    payload = "".join(hex_tokens).decode("hex")
    sample = "A" * 64 + payload

    matches = Buffer(sample).get_yara_quick("binaries")
    assert matches == ["vmdetect"]