def setUpClass(cls):
    """Build the PE fixtures shared by every test in PETests.

    Done once per class (rather than per test) because the workspace is
    presumably expensive to analyze; all fixtures come from the
    windows/i386 test-data tree.
    """
    super(PETests, cls).setUpClass()

    def fixture(name):
        return helpers.getTestWorkspace('windows', 'i386', name)

    # raw on-disk path, for tests that want to re-parse the file themselves
    cls.psexec_fn = helpers.getTestPath('windows', 'i386', 'PsExec.exe')
    cls.vw_psexec = fixture('PsExec.exe')
    cls.vw_sphinx = fixture('sphinx_livepretend.exe')
def setUpClass(cls):
    """Build the PE fixtures shared by every test in PETests.

    Done once per class (rather than per test) because the workspaces are
    presumably expensive to analyze; all fixtures come from the
    windows/i386 test-data tree.
    """
    super(PETests, cls).setUpClass()

    def path(name):
        return helpers.getTestPath('windows', 'i386', name)

    def fixture(name):
        return helpers.getTestWorkspace('windows', 'i386', name)

    # raw on-disk path, for tests that want to re-parse the file themselves
    cls.psexec_fn = path('PsExec.exe')
    cls.vw_psexec = fixture('PsExec.exe')
    cls.vw_sphinx = fixture('sphinx_livepretend.exe')

    # mimikatz is loaded into a fresh workspace rather than via the helper.
    # NOTE(review): the trailing underscore in the fixture name presumably
    # keeps the sample from being directly executable by accident — the
    # file is only ever parsed here; confirm the convention with the
    # fixture repository.
    cls.vw_mimi = vivisect.VivWorkspace()
    cls.vw_mimi.loadFromFile(path('mimikatz.exe_'))
def test_consecutive_jump_table_diff_func(self):
    """Adjacent jump tables in vdir.llvm are attributed to the right functions.

    For each jump table VA there must be exactly one xref into it; the
    instruction holding that xref must belong to the expected function and
    must itself have the expected number of outgoing xrefs (presumably the
    case targets plus the reference to the table itself).
    """
    vw = helpers.getTestWorkspace('linux', 'i386', 'vdir.llvm')

    # (jump table VA, xref instruction VA, owning function VA,
    #  number of xrefs from that instruction)
    expected = [
        (0x8059718, 0x804a468, 0x804a210, 62),
        (0x8059b68, 0x804ad21, 0x804a210, 5),
        (0x8059b78, 0x804b00a, 0x804a210, 7),
        (0x8059b90, 0x804beee, 0x804bee0, 6),
        (0x8059ba4, 0x804d1c9, 0x804d1a0, 6),
        (0x8059bb8, 0x804d28f, 0x804d1a0, 15),
        (0x8059d9c, 0x804d1e7, 0x804d1a0, 6),
        (0x8059e30, 0x804d95b, 0x804d820, 3),
        (0x8059fac, 0x804fd01, 0x804fc70, 9),
    ]

    for table_va, want_src, want_func, want_nrefs in expected:
        incoming = vw.getXrefsTo(table_va)
        # a table shared between two switches would show up as >1 xref here
        self.assertEqual(len(incoming), 1)

        src_va = incoming[0][0]
        owner = vw.getFunction(src_va)
        outgoing = vw.getXrefsFrom(src_va)

        self.assertEqual(src_va, want_src)
        self.assertEqual(owner, want_func)
        self.assertEqual(len(outgoing), want_nrefs)
def test_features(self):
    """Compare each fixture's analysis against its stored JSON baseline.

    ``self.testfiles`` pairs a baseline filename (under ``stabilitydata/``
    next to this module) with the test-data path of the binary it was
    generated from; ``self._compare`` does the actual diffing.
    """
    baseline_dir = os.path.join(os.path.dirname(__file__), 'stabilitydata')

    for filename, binpath in self.testfiles:
        baseline_path = os.path.join(baseline_dir, filename)
        with open(baseline_path, mode='r', encoding='utf-8') as fh:
            baseline = json.load(fh)

        vw = helpers.getTestWorkspace(*binpath)
        self._compare(filename, baseline, vw)
def setUpClass(cls):
    """Build the PE fixtures shared by every test in PETests.

    Done once per class (rather than per test) because the workspaces are
    presumably expensive to analyze; all fixtures come from the
    windows/i386 test-data tree.
    """
    super(PETests, cls).setUpClass()

    def path(name):
        return helpers.getTestPath('windows', 'i386', name)

    def fixture(name):
        return helpers.getTestWorkspace('windows', 'i386', name)

    # raw on-disk path, for tests that want to re-parse the file themselves
    cls.psexec_fn = path('PsExec.exe')
    cls.vw_psexec = fixture('PsExec.exe')
    cls.vw_sphinx = fixture('sphinx_livepretend.exe')

    # mimikatz is loaded into a fresh workspace rather than via the helper.
    # NOTE(review): the trailing underscore in the fixture name presumably
    # keeps the sample from being directly executable by accident — the
    # file is only ever parsed here; confirm the convention with the
    # fixture repository.
    cls.vw_mimi = vivisect.VivWorkspace()
    cls.vw_mimi.loadFromFile(path('mimikatz.exe_'))

    # Fixture named by its SHA-256 digest (presumably a malware sample; it
    # is parsed, never executed). It is ~1MB and the tests only care about
    # its delay import table, so run just the PE parser instead of a full
    # workspace analysis.
    cls.vw_471 = vivisect.VivWorkspace()
    vivisect.parsers.pe.parseFile(
        cls.vw_471,
        path('471ce36855fec6b44398b9b1e3cfb9e74b122fb2cc20fdf6603ebda39f86dddf'))
def test_bad_pe_sectname(self):
    """A PE whose first section name is not valid text still loads cleanly.

    The malformed section is kept, reported as invalid by isNameValid(),
    and given an "[invalid name] <bytes repr>" placeholder name so it
    cannot be mistaken for a legitimately named section. The other four
    sections are untouched.
    """
    vw = helpers.getTestWorkspace('windows', 'i386', 'HelloSection-err.exe')
    # result unused; retained so the segment table is still built for this
    # malformed file as part of the test
    segs = vw.getSegments()

    expected_names = [
        # placeholder for the first section: its raw name starts with 0xff
        "[invalid name] b'\\xfftext\\x00\\x00\\x00'",
        '.rdata\x00\x00',
        '.data\x00\x00\x00',
        '.rsrc\x00\x00\x00',
        '.reloc\x00\x00',
    ]

    pesecs = vw.parsedbin.getSections()
    names = [sec.Name for sec in pesecs]
    valid_flags = [sec.isNameValid() for sec in pesecs]

    # only the first section is flagged as malformed
    self.eq(valid_flags, [False, True, True, True, True])
    self.len(names, 5)
    for name in expected_names:
        self.isin(name, names)
def test_consecutive_jump_table(self):
    """Two back-to-back jump tables in chgrp.llvm resolve within one function.

    Both switch dispatch instructions must map to the same (non-None)
    function, each must have the expected xref fan-out (its case code
    blocks plus one xref to the table itself), and the 'Other Case(s)'
    comments on shared case targets must list the merged case values.
    """
    vw = helpers.getTestWorkspace('linux', 'i386', 'chgrp.llvm')
    first_jmp = 0x804c9b6
    second_jmp = 0x804ca2b

    owner = vw.getFunction(first_jmp)
    self.assertEqual(owner, vw.getFunction(second_jmp))
    self.assertIsNotNone(owner)

    # 2 case code blocks + 1 xref to the jump table itself
    self.assertEqual(len(vw.getXrefsFrom(first_jmp)), 3)
    self.assertEqual(
        vw.getComment(0x804c9bd),
        'Other Case(s): 2, 6, 8, 11, 15, 20, 21, 34, 38, 40, 47')

    # 13 case code blocks + 1 xref to the jump table itself
    self.assertEqual(len(vw.getXrefsFrom(second_jmp)), 14)
    self.assertEqual(vw.getComment(0x804ca4a), 'Other Case(s): 41')
def setUpClass(cls):
    """Analyze the three Linux fixtures used by this class once, up front."""
    fixtures = (
        ('chgrp_vw', ('linux', 'i386', 'chgrp.llvm')),
        ('vdir_vw', ('linux', 'i386', 'vdir.llvm')),
        ('gcc_vw', ('linux', 'amd64', 'gcc-7')),
    )
    for attr, path in fixtures:
        setattr(cls, attr, helpers.getTestWorkspace(*path))
def setUpClass(cls):
    """Analyze the fixtures used by this class once, up front.

    One Windows amd64 binary plus two Linux i386 binaries; the order
    matches the original so any load failure surfaces at the same point.
    """
    fixtures = (
        ('firefox_vw', ('windows', 'amd64', 'firefox.exe')),
        ('chgrp_vw', ('linux', 'i386', 'chgrp.llvm')),
        ('vdir_vw', ('linux', 'i386', 'vdir.llvm')),
    )
    for attr, path in fixtures:
        setattr(cls, attr, helpers.getTestWorkspace(*path))
def setUpClass(cls):
    """Analyze the single i386 PE fixture this class tests against."""
    fixture = ('windows', 'i386', 'helloworld.exe')
    cls.vw = helpers.getTestWorkspace(*fixture)
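def test_PE64(self):
    """A 64-bit PE (per the fixture name, a Go binary) yields the known function.

    The entry at 0x42dc00 must be recognized as a function after analysis.
    """
    vw = helpers.getTestWorkspace('windows', 'amd64', 'GO_hello_PE64.exe')
    # use the unittest assertion rather than a bare `assert`: `assert` is
    # compiled out under `python -O`, which would silently turn this test
    # into a no-op, and the method form also reports a useful failure message
    self.assertTrue(vw.isFunction(0x42dc00))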
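def test_PE32_findcase(self):
    """A 32-bit PE (per the fixture name, a Go binary) yields the known function.

    The entry at 0x424e10 must be recognized as a function after analysis.
    """
    vw = helpers.getTestWorkspace('windows', 'i386', 'GO_find2case_PE32.exe')
    # use the unittest assertion rather than a bare `assert`: `assert` is
    # compiled out under `python -O`, which would silently turn this test
    # into a no-op, and the method form also reports a useful failure message
    self.assertTrue(vw.isFunction(0x424e10))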
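def test_PE32_stripped(self):
    """A stripped 32-bit PE (per the fixture name, a Go binary) yields the known function.

    With symbols stripped, analysis must still recognize the entry at
    0x428880 as a function.
    """
    vw = helpers.getTestWorkspace('windows', 'i386', 'GO_hello_PE32_stripped.exe')
    # use the unittest assertion rather than a bare `assert`: `assert` is
    # compiled out under `python -O`, which would silently turn this test
    # into a no-op, and the method form also reports a useful failure message
    self.assertTrue(vw.isFunction(0x428880))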
def setUpClass(cls):
    """Analyze the single amd64 PE fixture this class tests against."""
    fixture = ('windows', 'amd64', 'firefox.exe')
    cls.vw = helpers.getTestWorkspace(*fixture)
def setUpClass(cls):
    """Analyze the single Linux i386 fixture this class tests against."""
    fixture = ('linux', 'i386', 'vdir.llvm')
    cls.i386_vw = helpers.getTestWorkspace(*fixture)