def test_signature_severity(p):
class sig(object):
name = "foobar"
matched = True
severity = 42
marks = []
def init(self):
pass
def on_complete(self):
pass
def results(self):
return self.__class__.__dict__
rs = RunSignatures({})
rs.signatures = sig(),
rs.run()
assert p.debug.call_count == 2
assert p.debug.call_args_list[1][1]["extra"] == {
"action": "signature.match",
"status": "success",
"signature": "foobar",
"severity": 42,
}
def test_mark_config():
class sig(Signature):
name = "foobar"
def on_complete(self):
self.mark_config({
"family": "foobar",
"cnc": "thisiscnc.com",
"url": [
"url1",
"url2",
],
})
return True
rs = RunSignatures({
"metadata": {},
})
rs.signatures = sig(rs), sig(rs)
rs.run()
assert rs.results["metadata"] == {
"cfgextr": [{
"family": "foobar",
"cnc": [
"thisiscnc.com",
],
"url": [
"url1",
"url2",
],
}],
}
def test_mark_config():
class sig(Signature):
name = "foobar"
def on_complete(self):
self.mark_config({
"family": "foobar",
"cnc": "thisiscnc.com",
"url": [
"url1", "url2",
],
})
return True
rs = RunSignatures({
"metadata": {},
})
rs.signatures = sig(rs),
rs.run()
assert rs.results["metadata"] == {
"cfgextr": [{
"family": "foobar",
"cnc": [
"thisiscnc.com",
],
"url": [
"url1", "url2",
],
"key": None,
"type": None,
}],
}
def test_signature_severity(p):
class sig(object):
name = "foobar"
matched = True
severity = 42
marks = []
def init(self):
pass
def on_complete(self):
pass
def results(self):
return self.__class__.__dict__
rs = RunSignatures({})
rs.signatures = sig(),
rs.run()
assert p.debug.call_count == 2
assert p.debug.call_args_list[1][1]["extra"] == {
"action": "signature.match", "status": "success",
"signature": "foobar", "severity": 42,
}
def test_on_extract():
set_cwd(tempfile.mkdtemp())
cuckoo_create()
init_modules()
Database().connect()
mkdir(cwd(analysis=2))
cmd = Scripting().parse_command("cmd.exe /c ping 1.2.3.4")
ex = ExtractManager.for_task(2)
ex.push_script({
"pid": 1,
"first_seen": 2,
}, cmd)
results = RunProcessing(task=Dictionary({
"id": 2,
"category": "file",
"target": __file__,
})).run()
assert results["extracted"] == [{
"category":
"script",
"pid":
1,
"first_seen":
2,
"program":
"cmd",
"raw":
cwd("extracted", "0.bat", analysis=2),
"yara": [],
"info": {},
}]
class sig1(object):
name = "sig1"
@property
def matched(self):
return False
@matched.setter
def matched(self, value):
pass
def init(self):
pass
def on_signature(self):
pass
def on_complete(self):
pass
def on_yara(self):
pass
on_extract = mock.MagicMock()
rs = RunSignatures(results)
rs.signatures = sig1(),
rs.run()
sig1.on_extract.assert_called_once()
em = sig1.on_extract.call_args_list[0][0][0]
assert em.category == "script"
def test_on_yara():
set_cwd(os.path.realpath(tempfile.mkdtemp()))
cuckoo_create()
init_modules()
shutil.copy(cwd("yara", "binaries", "vmdetect.yar"),
cwd("yara", "memory", "vmdetect.yar"))
init_yara()
mkdir(cwd(analysis=1))
open(cwd("binary", analysis=1), "wb").write("\x0f\x3f\x07\x0b")
mkdir(cwd("files", analysis=1))
open(cwd("files", "1.txt", analysis=1), "wb").write("\x56\x4d\x58\x68")
mkdir(cwd("memory", analysis=1))
open(cwd("memory", "1-0.dmp", analysis=1), "wb").write(
struct.pack("QIIII", 0x400000, 0x1000, 0, 0, 0) + "\x45\xc7\x00\x01")
Database().connect()
ExtractManager._instances = {}
results = RunProcessing(task=Dictionary({
"id": 1,
"category": "file",
"target": __file__,
})).run()
assert results["target"]["file"]["yara"][0]["offsets"] == {
"virtualpc": [(0, 0)],
}
assert results["procmemory"][0]["regions"] == [{
"addr": "0x00400000",
"end": "0x00401000",
"offset": 24,
"protect": None,
"size": 4096,
"state": 0,
"type": 0,
}]
assert results["procmemory"][0]["yara"][0]["offsets"] == {
"vmcheckdll": [(24, 0)],
}
assert results["dropped"][0]["yara"][0]["offsets"] == {
"vmware": [(0, 0)],
"vmware1": [(0, 0)],
}
class sig1(Signature):
name = "sig1"
@property
def matched(self):
return False
@matched.setter
def matched(self, value):
pass
def init(self):
pass
def on_signature(self, sig):
pass
def on_complete(self):
pass
def on_extract(self, match):
pass
on_yara = mock.MagicMock()
rs = RunSignatures(results)
rs.signatures = sig1(rs),
rs.run()
assert sig1.on_yara.call_count == 3
sig1.on_yara.assert_any_call("sample", cwd("binary", analysis=1), mock.ANY)
sig1.on_yara.assert_any_call("dropped", cwd("files", "1.txt", analysis=1),
mock.ANY)
sig1.on_yara.assert_any_call("procmem", cwd("memory",
"1-0.dmp",
analysis=1), mock.ANY)
ym = sig1.on_yara.call_args_list[0][0][2]
assert ym.offsets == {
"virtualpc": [(0, 0)],
}
assert ym.string("virtualpc", 0) == "\x0f\x3f\x07\x0b"
def test_on_extract():
set_cwd(tempfile.mkdtemp())
cuckoo_create()
init_modules()
Database().connect()
mkdir(cwd(analysis=2))
cmd = Scripting().parse_command("cmd.exe /c ping 1.2.3.4")
ex = ExtractManager.for_task(2)
ex.push_script({
"pid": 1,
"first_seen": 2,
}, cmd)
results = RunProcessing(task=Dictionary({
"id": 2,
"category": "file",
"target": __file__,
})).run()
assert results["extracted"] == [{
"category": "script",
"pid": 1,
"first_seen": 2,
"program": "cmd",
"script": cwd("extracted", "0.bat", analysis=2),
"yara": [],
}]
class sig1(object):
name = "sig1"
@property
def matched(self):
return False
@matched.setter
def matched(self, value):
pass
def init(self):
pass
def on_signature(self):
pass
def on_complete(self):
pass
def on_yara(self):
pass
on_extract = mock.MagicMock()
rs = RunSignatures(results)
rs.signatures = sig1(),
rs.run()
sig1.on_extract.assert_called_once()
em = sig1.on_extract.call_args_list[0][0][0]
assert em.category == "script"
def test_on_yara():
set_cwd(os.path.realpath(tempfile.mkdtemp()))
cuckoo_create()
init_modules()
shutil.copy(
cwd("yara", "binaries", "vmdetect.yar"),
cwd("yara", "memory", "vmdetect.yar")
)
init_yara()
mkdir(cwd(analysis=1))
open(cwd("binary", analysis=1), "wb").write("\x0f\x3f\x07\x0b")
mkdir(cwd("files", analysis=1))
open(cwd("files", "1.txt", analysis=1), "wb").write("\x56\x4d\x58\x68")
mkdir(cwd("memory", analysis=1))
open(cwd("memory", "1-0.dmp", analysis=1), "wb").write(
struct.pack("QIIII", 0x400000, 0x1000, 0, 0, 0) + "\x45\xc7\x00\x01"
)
Database().connect()
results = RunProcessing(task=Dictionary({
"id": 1,
"category": "file",
"target": __file__,
})).run()
assert results["target"]["file"]["yara"][0]["offsets"] == {
"virtualpc": [(0, 0)],
}
assert results["procmemory"][0]["yara"][0]["offsets"] == {
"vmcheckdll": [(24, 0)],
}
assert results["dropped"][0]["yara"][0]["offsets"] == {
"vmware": [(0, 0)],
"vmware1": [(0, 0)],
}
class sig1(object):
name = "sig1"
@property
def matched(self):
return False
@matched.setter
def matched(self, value):
pass
def init(self):
pass
def on_signature(self):
pass
def on_complete(self):
pass
def on_extract(self):
pass
on_yara = mock.MagicMock()
rs = RunSignatures(results)
rs.signatures = sig1(),
rs.run()
assert sig1.on_yara.call_count == 3
sig1.on_yara.assert_any_call(
"sample", cwd("binary", analysis=1), mock.ANY
)
sig1.on_yara.assert_any_call(
"dropped", cwd("files", "1.txt", analysis=1), mock.ANY
)
sig1.on_yara.assert_any_call(
"procmem", cwd("memory", "1-0.dmp", analysis=1), mock.ANY
)
ym = sig1.on_yara.call_args_list[0][0][2]
assert ym.offsets == {
"virtualpc": [(0, 0)],
}
assert ym.string("virtualpc", 0) == "\x0f\x3f\x07\x0b"
def test_on_yara():
set_cwd(tempfile.mkdtemp())
cuckoo_create()
init_modules()
shutil.copy(
cwd("yara", "binaries", "vmdetect.yar"),
cwd("yara", "memory", "vmdetect.yar")
)
init_yara(True)
mkdir(cwd(analysis=1))
open(cwd("binary", analysis=1), "wb").write("\x0f\x3f\x07\x0b")
mkdir(cwd("files", analysis=1))
open(cwd("files", "1.txt", analysis=1), "wb").write("\x56\x4d\x58\x68")
mkdir(cwd("memory", analysis=1))
open(cwd("memory", "1-0.dmp", analysis=1), "wb").write(
struct.pack("QIIII", 0x400000, 0x1000, 0, 0, 0) + "\x45\xc7\x00\x01"
)
Database().connect()
results = RunProcessing(task=Dictionary({
"id": 1,
"category": "file",
"target": __file__,
})).run()
assert results["target"]["file"]["yara"][0]["offsets"] == {
"virtualpc": [(0, 0)],
}
assert results["procmemory"][0]["yara"][0]["offsets"] == {
"vmcheckdll": [(24, 0)],
}
assert results["dropped"][0]["yara"][0]["offsets"] == {
"vmware": [(0, 0)],
"vmware1": [(0, 0)],
}
class sig1(object):
name = "sig1"
@property
def matched(self):
return False
@matched.setter
def matched(self, value):
pass
def init(self):
pass
def on_signature(self):
pass
def on_complete(self):
pass
on_yara = mock.MagicMock()
rs = RunSignatures(results)
rs.signatures = sig1(),
rs.run()
assert sig1.on_yara.call_count == 3
sig1.on_yara.assert_any_call(
"sample", cwd("binary", analysis=1), mock.ANY
)
sig1.on_yara.assert_any_call(
"dropped", cwd("files", "1.txt", analysis=1), mock.ANY
)
sig1.on_yara.assert_any_call(
"procmem", cwd("memory", "1-0.dmp", analysis=1), mock.ANY
)
assert sig1.on_yara.call_args_list[0][0][2]["offsets"] == {
"virtualpc": [(0, 0)],
}
