def process(ctx, instance, report, maxcount):
"""Process raw task data into reports."""
init_console_logging(level=ctx.parent.level)
if instance:
init_logfile("process-%s.json" % instance)
Database().connect()
# Load additional Signatures.
load_signatures()
# Initialize all modules & Yara rules.
init_modules()
init_yara(False)
try:
# Regenerate one or more reports.
if report:
process_task_range(report)
elif not instance:
print ctx.get_help(), "\n"
sys.exit("In automated mode an instance name is required!")
else:
log.info(
"Initialized instance=%s, ready to process some tasks",
instance
)
process_tasks(instance, maxcount)
except KeyboardInterrupt:
print(red("Aborting (re-)processing of your analyses.."))
def process(ctx, instance, report, maxcount):
"""Process raw task data into reports."""
init_console_logging(level=ctx.parent.level)
if instance:
init_logfile("process-%s.json" % instance)
Database().connect()
# Load additional Signatures.
load_signatures()
# Initialize all modules & Yara rules.
init_modules()
init_yara(False)
try:
# Regenerate one or more reports.
if report:
process_task_range(report)
elif not instance:
print ctx.get_help(), "\n"
sys.exit("In automated mode an instance name is required!")
else:
log.info(
"Initialized instance=%s, ready to process some tasks",
instance
)
process_tasks(instance, maxcount)
except KeyboardInterrupt:
print(red("Aborting (re-)processing of your analyses.."))
def process(ctx, instance, report, maxcount):
"""Process raw task data into reports."""
init_console_logging(level=ctx.parent.level)
if instance:
pidfile = Pidfile(instance)
if pidfile.exists():
log.error(red(
"Cuckoo process instance '%s' already exists. PID: %s\n"
), instance, pidfile.pid)
sys.exit(1)
pidfile.create()
init_logfile("process-%s.json" % instance)
Database().connect()
# Load additional Signatures.
load_signatures()
try:
# Initialize all modules & Yara rules.
init_modules()
init_yara()
except CuckooCriticalError as e:
message = red("{0}: {1}".format(e.__class__.__name__, e))
if len(log.handlers):
log.critical(message)
else:
sys.stderr.write("{0}\n".format(message))
sys.exit(1)
try:
# Regenerate one or more reports.
if report:
process_task_range(report)
elif not instance:
print ctx.get_help(), "\n"
sys.exit("In automated mode an instance name is required!")
else:
log.info(
"Initialized instance=%s, ready to process some tasks",
instance
)
process_tasks(instance, maxcount)
except KeyboardInterrupt:
print(red("Aborting (re-)processing of your analyses.."))
if instance:
Pidfile(instance).remove()
def process(ctx, instance, report, maxcount):
"""Process raw task data into reports."""
init_console_logging(level=ctx.parent.level)
if instance:
pidfile = Pidfile(instance)
if pidfile.exists():
log.error(red(
"Cuckoo process instance '%s' already exists. PID: %s\n"
), instance, pidfile.pid)
sys.exit(1)
pidfile.create()
init_logfile("process-%s.json" % instance)
Database().connect()
# Load additional Signatures.
load_signatures()
try:
# Initialize all modules & Yara rules.
init_modules()
init_yara()
except CuckooCriticalError as e:
message = red("{0}: {1}".format(e.__class__.__name__, e))
if len(log.handlers):
log.critical(message)
else:
sys.stderr.write("{0}\n".format(message))
sys.exit(1)
try:
# Regenerate one or more reports.
if report:
process_task_range(report)
elif not instance:
print ctx.get_help(), "\n"
sys.exit("In automated mode an instance name is required!")
else:
log.info(
"Initialized instance=%s, ready to process some tasks",
instance
)
process_tasks(instance, maxcount)
except KeyboardInterrupt:
print(red("Aborting (re-)processing of your analyses.."))
if instance:
Pidfile(instance).remove()
def cuckoo_init(level, ctx, cfg=None):
"""Initialize Cuckoo configuration.
@param quiet: enable quiet mode.
"""
logo()
# It would appear this is the first time Cuckoo is being run (on this
# Cuckoo Working Directory anyway).
if not os.path.isdir(cwd()) or not os.listdir(cwd()):
cuckoo_create(ctx.user, cfg)
sys.exit(0)
# Determine if this is a proper CWD.
if not os.path.exists(cwd(".cwd")):
sys.exit(
"No proper Cuckoo Working Directory was identified, did you pass "
"along the correct directory?"
)
# Determine if any CWD updates are required.
current = open(cwd(".cwd"), "rb").read()
latest = open(cwd(".cwd", private=True), "rb").read()
if current != latest:
pass
check_configs()
check_version()
if ctx.log:
init_logging(level)
else:
init_console_logging(level)
Database().connect()
# Load additional Signatures.
load_signatures()
init_modules()
init_tasks()
init_yara(True)
init_binaries()
init_rooter()
init_routing()
def cuckoo_init(level, ctx, cfg=None):
"""Initialize Cuckoo configuration.
@param quiet: enable quiet mode.
"""
logo()
# It would appear this is the first time Cuckoo is being run (on this
# Cuckoo Working Directory anyway).
if not os.path.isdir(cwd()) or not os.listdir(cwd()):
cuckoo_create(ctx.user, cfg)
sys.exit(0)
# Determine if this is a proper CWD.
if not os.path.exists(cwd(".cwd")):
sys.exit(
"No proper Cuckoo Working Directory was identified, did you pass "
"along the correct directory?"
)
init_console_logging(level)
check_configs()
check_version()
ctx.log and init_logging(level)
# Determine if any CWD updates are required and if so, do them.
current = open(cwd(".cwd"), "rb").read().strip()
latest = open(cwd(".cwd", private=True), "rb").read().strip()
if current != latest:
migrate_cwd()
open(cwd(".cwd"), "wb").write(latest)
Database().connect()
# Load additional Signatures.
load_signatures()
init_modules()
init_tasks()
init_yara(True)
init_binaries()
init_rooter()
init_routing()
def test_init_modules(p, q, r):
set_cwd(tempfile.mkdtemp())
cuckoo_create()
load_signatures()
logs = []
def log(fmt, *args):
logs.append(fmt % args if args else fmt)
p.debug.side_effect = log
r.index_time_pattern = "yearly"
init_modules()
logs = "\n".join(logs)
assert "KVM" in logs
assert "Xen" in logs
assert "CreatesExe" in logs
assert "SystemMetrics" in logs
def test_init_modules(p, q, r):
set_cwd(tempfile.mkdtemp())
cuckoo_create()
load_signatures()
logs = []
def log(fmt, *args):
logs.append(fmt % args if args else fmt)
p.debug.side_effect = log
r.index_time_pattern = "yearly"
init_modules()
logs = "\n".join(logs)
assert "KVM" in logs
assert "Xen" in logs
assert "CreatesExe" in logs
assert "SystemMetrics" in logs
def test_modules_init_once(p):
class A(Auxiliary):
pass
class B(Machinery):
pass
class C(Processing):
pass
class D(Signature):
pass
class E(Report):
pass
l = []
for x in xrange(5):
l.append(mock.MagicMock(__name__="name"))
a, b, c, d, e = l
p.plugins = {
"auxiliary": [A, a],
"machinery": [B, b],
"processing": [C, c],
"signatures": [D, d],
"reporting": [E, e],
}
init_modules()
a.init_once.assert_called_once()
b.init_once.assert_called_once()
c.init_once.assert_called_once()
d.init_once.assert_called_once()
e.init_once.assert_called_once()
def test_modules_init_once(p):
class A(Auxiliary):
pass
class B(Machinery):
pass
class C(Processing):
pass
class D(Signature):
pass
class E(Report):
pass
l = []
for x in xrange(5):
l.append(mock.MagicMock(__name__="name"))
a, b, c, d, e = l
p.plugins = {
"auxiliary": [A, a],
"machinery": [B, b],
"processing": [C, c],
"signatures": [D, d],
"reporting": [E, e],
}
init_modules()
a.init_once.assert_called_once()
b.init_once.assert_called_once()
c.init_once.assert_called_once()
d.init_once.assert_called_once()
e.init_once.assert_called_once()
def cuckoo_init(level, ctx, cfg=None):
"""Initialize Cuckoo configuration.
@param quiet: enable quiet mode.
"""
logo()
# It would appear this is the first time Cuckoo is being run (on this
# Cuckoo Working Directory anyway).
if not os.path.isdir(cwd()) or not os.listdir(cwd()):
cuckoo_create(ctx.user, cfg)
sys.exit(0)
# Determine if this is a proper CWD.
if not os.path.exists(cwd(".cwd")):
sys.exit(
"No proper Cuckoo Working Directory was identified, did you pass "
"along the correct directory? For new installations please use a "
"non-existant directory to build up the CWD! You can craft a CWD "
"manually, but keep in mind that the CWD layout may change along "
"with Cuckoo releases (and don't forget to fill out '$CWD/.cwd')!"
)
init_console_logging(level)
check_configs()
check_version()
ctx.log and init_logging(level)
# Determine if any CWD updates are required and if so, do them.
current = open(cwd(".cwd"), "rb").read().strip()
latest = open(cwd(".cwd", private=True), "rb").read().strip()
if current != latest:
migrate_cwd()
open(cwd(".cwd"), "wb").write(latest)
Database().connect()
# Load additional Signatures.
load_signatures()
init_modules()
init_tasks()
init_yara()
init_binaries()
init_rooter()
init_routing()
signatures = 0
for sig in cuckoo.signatures:
if not sig.enabled:
continue
signatures += 1
if not signatures:
log.warning(
"It appears that you haven't loaded any Cuckoo Signatures. "
"Signatures are highly recommended and improve & enrich the "
"information extracted during an analysis. They also make up "
"for the analysis score that you see in the Web Interface - so, "
"pretty important!"
)
log.warning(
"You'll be able to fetch all the latest Cuckoo Signaturs, Yara "
"rules, and more goodies by running the following command:"
)
raw = cwd(raw=True)
if raw == "." or raw == "~/.cuckoo":
command = "cuckoo community"
elif " " in raw or "'" in raw:
command = 'cuckoo --cwd "%s" community' % raw
else:
command = "cuckoo --cwd %s community" % raw
log.info("$ %s", green(command))
def test_on_yara():
set_cwd(os.path.realpath(tempfile.mkdtemp()))
cuckoo_create()
init_modules()
shutil.copy(cwd("yara", "binaries", "vmdetect.yar"),
cwd("yara", "memory", "vmdetect.yar"))
init_yara()
mkdir(cwd(analysis=1))
open(cwd("binary", analysis=1), "wb").write("\x0f\x3f\x07\x0b")
mkdir(cwd("files", analysis=1))
open(cwd("files", "1.txt", analysis=1), "wb").write("\x56\x4d\x58\x68")
mkdir(cwd("memory", analysis=1))
open(cwd("memory", "1-0.dmp", analysis=1), "wb").write(
struct.pack("QIIII", 0x400000, 0x1000, 0, 0, 0) + "\x45\xc7\x00\x01")
Database().connect()
ExtractManager._instances = {}
results = RunProcessing(task=Dictionary({
"id": 1,
"category": "file",
"target": __file__,
})).run()
assert results["target"]["file"]["yara"][0]["offsets"] == {
"virtualpc": [(0, 0)],
}
assert results["procmemory"][0]["regions"] == [{
"addr": "0x00400000",
"end": "0x00401000",
"offset": 24,
"protect": None,
"size": 4096,
"state": 0,
"type": 0,
}]
assert results["procmemory"][0]["yara"][0]["offsets"] == {
"vmcheckdll": [(24, 0)],
}
assert results["dropped"][0]["yara"][0]["offsets"] == {
"vmware": [(0, 0)],
"vmware1": [(0, 0)],
}
class sig1(Signature):
name = "sig1"
@property
def matched(self):
return False
@matched.setter
def matched(self, value):
pass
def init(self):
pass
def on_signature(self, sig):
pass
def on_complete(self):
pass
def on_extract(self, match):
pass
on_yara = mock.MagicMock()
rs = RunSignatures(results)
rs.signatures = sig1(rs),
rs.run()
assert sig1.on_yara.call_count == 3
sig1.on_yara.assert_any_call("sample", cwd("binary", analysis=1), mock.ANY)
sig1.on_yara.assert_any_call("dropped", cwd("files", "1.txt", analysis=1),
mock.ANY)
sig1.on_yara.assert_any_call("procmem", cwd("memory",
"1-0.dmp",
analysis=1), mock.ANY)
ym = sig1.on_yara.call_args_list[0][0][2]
assert ym.offsets == {
"virtualpc": [(0, 0)],
}
assert ym.string("virtualpc", 0) == "\x0f\x3f\x07\x0b"
def test_on_yara():
set_cwd(os.path.realpath(tempfile.mkdtemp()))
cuckoo_create()
init_modules()
shutil.copy(
cwd("yara", "binaries", "vmdetect.yar"),
cwd("yara", "memory", "vmdetect.yar")
)
init_yara()
mkdir(cwd(analysis=1))
open(cwd("binary", analysis=1), "wb").write("\x0f\x3f\x07\x0b")
mkdir(cwd("files", analysis=1))
open(cwd("files", "1.txt", analysis=1), "wb").write("\x56\x4d\x58\x68")
mkdir(cwd("memory", analysis=1))
open(cwd("memory", "1-0.dmp", analysis=1), "wb").write(
struct.pack("QIIII", 0x400000, 0x1000, 0, 0, 0) + "\x45\xc7\x00\x01"
)
Database().connect()
results = RunProcessing(task=Dictionary({
"id": 1,
"category": "file",
"target": __file__,
})).run()
assert results["target"]["file"]["yara"][0]["offsets"] == {
"virtualpc": [(0, 0)],
}
assert results["procmemory"][0]["yara"][0]["offsets"] == {
"vmcheckdll": [(24, 0)],
}
assert results["dropped"][0]["yara"][0]["offsets"] == {
"vmware": [(0, 0)],
"vmware1": [(0, 0)],
}
class sig1(object):
name = "sig1"
@property
def matched(self):
return False
@matched.setter
def matched(self, value):
pass
def init(self):
pass
def on_signature(self):
pass
def on_complete(self):
pass
def on_extract(self):
pass
on_yara = mock.MagicMock()
rs = RunSignatures(results)
rs.signatures = sig1(),
rs.run()
assert sig1.on_yara.call_count == 3
sig1.on_yara.assert_any_call(
"sample", cwd("binary", analysis=1), mock.ANY
)
sig1.on_yara.assert_any_call(
"dropped", cwd("files", "1.txt", analysis=1), mock.ANY
)
sig1.on_yara.assert_any_call(
"procmem", cwd("memory", "1-0.dmp", analysis=1), mock.ANY
)
ym = sig1.on_yara.call_args_list[0][0][2]
assert ym.offsets == {
"virtualpc": [(0, 0)],
}
assert ym.string("virtualpc", 0) == "\x0f\x3f\x07\x0b"
def test_on_extract():
set_cwd(tempfile.mkdtemp())
cuckoo_create()
init_modules()
Database().connect()
mkdir(cwd(analysis=2))
cmd = Scripting().parse_command("cmd.exe /c ping 1.2.3.4")
ex = ExtractManager.for_task(2)
ex.push_script({
"pid": 1,
"first_seen": 2,
}, cmd)
results = RunProcessing(task=Dictionary({
"id": 2,
"category": "file",
"target": __file__,
})).run()
assert results["extracted"] == [{
"category": "script",
"pid": 1,
"first_seen": 2,
"program": "cmd",
"script": cwd("extracted", "0.bat", analysis=2),
"yara": [],
}]
class sig1(object):
name = "sig1"
@property
def matched(self):
return False
@matched.setter
def matched(self, value):
pass
def init(self):
pass
def on_signature(self):
pass
def on_complete(self):
pass
def on_yara(self):
pass
on_extract = mock.MagicMock()
rs = RunSignatures(results)
rs.signatures = sig1(),
rs.run()
sig1.on_extract.assert_called_once()
em = sig1.on_extract.call_args_list[0][0][0]
assert em.category == "script"
def cuckoo_init(level, ctx, cfg=None):
"""Initialize Cuckoo configuration.
@param quiet: enable quiet mode.
"""
logo()
# It would appear this is the first time Cuckoo is being run (on this
# Cuckoo Working Directory anyway).
if not os.path.isdir(cwd()) or not os.listdir(cwd()):
cuckoo_create(ctx.user, cfg)
sys.exit(0)
# Determine if this is a proper CWD.
if not os.path.exists(cwd(".cwd")):
sys.exit(
"No proper Cuckoo Working Directory was identified, did you pass "
"along the correct directory? For new installations please use a "
"non-existant directory to build up the CWD! You can craft a CWD "
"manually, but keep in mind that the CWD layout may change along "
"with Cuckoo releases (and don't forget to fill out '$CWD/.cwd')!"
)
init_console_logging(level)
# Only one Cuckoo process should exist per CWD. Run this check before any
# files are possibly modified. Note that we mkdir $CWD/pidfiles/ here as
# its CWD migration rules only kick in after the pidfile check.
mkdir(cwd("pidfiles"))
pidfile = Pidfile("cuckoo")
if pidfile.exists():
log.error(red("Cuckoo is already running. PID: %s"), pidfile.pid)
sys.exit(1)
pidfile.create()
check_configs()
check_version()
ctx.log and init_logging(level)
# Determine if any CWD updates are required and if so, do them.
current = open(cwd(".cwd"), "rb").read().strip()
latest = open(cwd(".cwd", private=True), "rb").read().strip()
if current != latest:
migrate_cwd()
open(cwd(".cwd"), "wb").write(latest)
Database().connect()
# Load additional Signatures.
load_signatures()
init_modules()
init_tasks()
init_yara()
init_binaries()
init_rooter()
init_routing()
signatures = 0
for sig in cuckoo.signatures:
if not sig.enabled:
continue
signatures += 1
if not signatures:
log.warning(
"It appears that you haven't loaded any Cuckoo Signatures. "
"Signatures are highly recommended and improve & enrich the "
"information extracted during an analysis. They also make up "
"for the analysis score that you see in the Web Interface - so, "
"pretty important!"
)
log.warning(
"You'll be able to fetch all the latest Cuckoo Signaturs, Yara "
"rules, and more goodies by running the following command:"
)
raw = cwd(raw=True)
if raw == "." or raw == "~/.cuckoo":
command = "cuckoo community"
elif " " in raw or "'" in raw:
command = 'cuckoo --cwd "%s" community' % raw
else:
command = "cuckoo --cwd %s community" % raw
log.info("$ %s", green(command))
def cuckoo_init(level, ctx, cfg=None):
"""Initialize Cuckoo configuration.
@param quiet: enable quiet mode.
"""
logo()
# It would appear this is the first time Cuckoo is being run (on this
# Cuckoo Working Directory anyway).
if not os.path.isdir(cwd()) or not os.listdir(cwd()):
cuckoo_create(ctx.user, cfg)
sys.exit(0)
# Determine if this is a proper CWD.
if not os.path.exists(cwd(".cwd")):
sys.exit(
"No proper Cuckoo Working Directory was identified, did you pass "
"along the correct directory?"
)
init_console_logging(level)
check_configs()
check_version()
ctx.log and init_logging(level)
# Determine if any CWD updates are required and if so, do them.
current = open(cwd(".cwd"), "rb").read().strip()
latest = open(cwd(".cwd", private=True), "rb").read().strip()
if current != latest:
migrate_cwd()
open(cwd(".cwd"), "wb").write(latest)
Database().connect()
# Load additional Signatures.
load_signatures()
init_modules()
init_tasks()
init_yara()
init_binaries()
init_rooter()
init_routing()
signatures = 0
for sig in cuckoo.signatures:
if not sig.enabled:
continue
signatures += 1
if not signatures:
log.warning(
"It appears that you haven't loaded any Cuckoo Signatures. "
"Signatures are highly recommended and improve & enrich the "
"information extracted during an analysis. They also make up "
"for the analysis score that you see in the Web Interface - so, "
"pretty important!"
)
log.warning(
"You'll be able to fetch all the latest Cuckoo Signaturs, Yara "
"rules, and more goodies by running the following command:"
)
raw = cwd(raw=True)
if raw == "." or raw == "~/.cuckoo":
command = "cuckoo community"
elif " " in raw or "'" in raw:
command = 'cuckoo --cwd "%s" community' % raw
else:
command = "cuckoo --cwd %s community" % raw
log.info("$ %s", green(command))
def cuckoo_init(level, ctx, cfg=None):
"""Initialize Cuckoo configuration.
@param quiet: enable quiet mode.
"""
logo()
# It would appear this is the first time Cuckoo is being run (on this
# Cuckoo Working Directory anyway).
if not os.path.isdir(cwd()) or not os.listdir(cwd()):
cuckoo_create(ctx.user, cfg)
sys.exit(0)
# Determine if this is a proper CWD.
if not os.path.exists(cwd(".cwd")):
sys.exit(
"No proper Cuckoo Working Directory was identified, did you pass "
"along the correct directory? For new installations please use a "
"non-existant directory to build up the CWD! You can craft a CWD "
"manually, but keep in mind that the CWD layout may change along "
"with Cuckoo releases (and don't forget to fill out '$CWD/.cwd')!")
init_console_logging(level)
# Only one Cuckoo process should exist per CWD. Run this check before any
# files are possibly modified. Note that we mkdir $CWD/pidfiles/ here as
# its CWD migration rules only kick in after the pidfile check.
mkdir(cwd("pidfiles"))
pidfile = Pidfile("cuckoo")
if pidfile.exists():
log.error(red("Cuckoo is already running. PID: %s"), pidfile.pid)
sys.exit(1)
pidfile.create()
check_configs()
check_version()
ctx.log and init_logging(level)
# Determine if any CWD updates are required and if so, do them.
current = open(cwd(".cwd"), "rb").read().strip()
latest = open(cwd(".cwd", private=True), "rb").read().strip()
if current != latest:
migrate_cwd()
open(cwd(".cwd"), "wb").write(latest)
# Ensure the user is able to create and read temporary files.
if not ensure_tmpdir():
sys.exit(1)
Database().connect()
# Load additional Signatures.
load_signatures()
init_modules()
init_tasks()
init_yara()
init_binaries()
init_rooter()
init_routing()
signatures = 0
for sig in cuckoo.signatures:
if not sig.enabled:
continue
signatures += 1
if not signatures:
log.warning(
"It appears that you haven't loaded any Cuckoo Signatures. "
"Signatures are highly recommended and improve & enrich the "
"information extracted during an analysis. They also make up "
"for the analysis score that you see in the Web Interface - so, "
"pretty important!")
log.warning(
"You'll be able to fetch all the latest Cuckoo Signaturs, Yara "
"rules, and more goodies by running the following command:")
log.info("$ %s", green(format_command("community")))
def test_on_extract():
set_cwd(tempfile.mkdtemp())
cuckoo_create()
init_modules()
Database().connect()
mkdir(cwd(analysis=2))
cmd = Scripting().parse_command("cmd.exe /c ping 1.2.3.4")
ex = ExtractManager.for_task(2)
ex.push_script({
"pid": 1,
"first_seen": 2,
}, cmd)
results = RunProcessing(task=Dictionary({
"id": 2,
"category": "file",
"target": __file__,
})).run()
assert results["extracted"] == [{
"category":
"script",
"pid":
1,
"first_seen":
2,
"program":
"cmd",
"raw":
cwd("extracted", "0.bat", analysis=2),
"yara": [],
"info": {},
}]
class sig1(object):
name = "sig1"
@property
def matched(self):
return False
@matched.setter
def matched(self, value):
pass
def init(self):
pass
def on_signature(self):
pass
def on_complete(self):
pass
def on_yara(self):
pass
on_extract = mock.MagicMock()
rs = RunSignatures(results)
rs.signatures = sig1(),
rs.run()
sig1.on_extract.assert_called_once()
em = sig1.on_extract.call_args_list[0][0][0]
assert em.category == "script"
def test_on_yara():
set_cwd(tempfile.mkdtemp())
cuckoo_create()
init_modules()
shutil.copy(
cwd("yara", "binaries", "vmdetect.yar"),
cwd("yara", "memory", "vmdetect.yar")
)
init_yara(True)
mkdir(cwd(analysis=1))
open(cwd("binary", analysis=1), "wb").write("\x0f\x3f\x07\x0b")
mkdir(cwd("files", analysis=1))
open(cwd("files", "1.txt", analysis=1), "wb").write("\x56\x4d\x58\x68")
mkdir(cwd("memory", analysis=1))
open(cwd("memory", "1-0.dmp", analysis=1), "wb").write(
struct.pack("QIIII", 0x400000, 0x1000, 0, 0, 0) + "\x45\xc7\x00\x01"
)
Database().connect()
results = RunProcessing(task=Dictionary({
"id": 1,
"category": "file",
"target": __file__,
})).run()
assert results["target"]["file"]["yara"][0]["offsets"] == {
"virtualpc": [(0, 0)],
}
assert results["procmemory"][0]["yara"][0]["offsets"] == {
"vmcheckdll": [(24, 0)],
}
assert results["dropped"][0]["yara"][0]["offsets"] == {
"vmware": [(0, 0)],
"vmware1": [(0, 0)],
}
class sig1(object):
name = "sig1"
@property
def matched(self):
return False
@matched.setter
def matched(self, value):
pass
def init(self):
pass
def on_signature(self):
pass
def on_complete(self):
pass
on_yara = mock.MagicMock()
rs = RunSignatures(results)
rs.signatures = sig1(),
rs.run()
assert sig1.on_yara.call_count == 3
sig1.on_yara.assert_any_call(
"sample", cwd("binary", analysis=1), mock.ANY
)
sig1.on_yara.assert_any_call(
"dropped", cwd("files", "1.txt", analysis=1), mock.ANY
)
sig1.on_yara.assert_any_call(
"procmem", cwd("memory", "1-0.dmp", analysis=1), mock.ANY
)
assert sig1.on_yara.call_args_list[0][0][2]["offsets"] == {
"virtualpc": [(0, 0)],
}
