def test_sorting_by_size(self):
    """`sorted -a size` orders the emitted chunks by length, shortest first."""
    by_size = L('emit A AA B ABA C ABABABB CD EFEW A BVB')[L('sorted -a size')]
    expected = [
        B'A', B'A', B'B', B'C',
        B'AA', B'CD',
        B'ABA', B'BVB',
        B'EFEW',
        B'ABABABB',
    ]
    self.assertEqual(list(by_size), expected)
def test_warzone_sample(self):
    """Recover the C2 host:port from the .bss configuration of a (presumably Warzone) sample.

    The struct format strings indicate a length-prefixed RC4 key followed by a
    length-prefixed host and a 16-bit port; the sample itself is fetched by its
    hash through the test helper and only processed in memory.
    """
    data = self.download_sample(
        '4537fab9de768a668ab4e72ae2cce3169b7af2dd36a1723ddab09c04d31d61a5')
    config_section = L('vsect .bss')
    key_and_blob = L('struct I{key:{}}{}')
    decrypt_blob = L('rc4 eat:key')
    host_and_port = L('struct I{host:{}}{port:H} {host:u16}:{port}')
    pipeline = config_section | key_and_blob[decrypt_blob | host_and_port]
    self.assertEqual(str(data | pipeline), '165.22.5' '.' '66:1111')
def test_subtraction_range(self):
    """A range argument offset by a frame variable must equal the two-step plain form.

    Both pipelines first consume one byte, then subtract `range::10`; the
    first expresses this via `put k` and `add[var:k]`, the second directly.
    """
    fixed_prefix = B'\xC0\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F'
    payload = fixed_prefix + self.generate_random_buffer(50)
    via_variable = L('put k x::1 [') | L('sub add[var:k]:range::10 ]')
    direct = L('sub x::1 ') | L('sub range::10')
    result_via_variable = bytes(via_variable(payload))
    result_direct = bytes(direct(payload))
    self.assertEqual(result_via_variable, result_direct)
def test_depth3(self):
    """Frames nested three levels deep (snip > scope/rex > rep > ccp) unwind correctly."""
    snip = L('snip :3 3 4 5:')
    scope = L('scope 1:3')
    per_char = L('rex .')
    triple = L('rep 3')
    prefix_x = L('ccp X')
    pipeline = snip[scope | per_char[triple[prefix_x]]]
    self.assertEqual(B'AAAXBXBXBXCXCXCDDD', pipeline(B'AAABCDDD'))
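def test_example_02_hawkeye_config(self):
    """Decrypt a (presumably HawkEye) configuration from a sample and check its mail settings.

    The key material appears to be derived with PBKDF2 from the RCDATA resource
    and consumed by AES-CBC (`x::32` / `x::16` look like key and IV, TODO confirm);
    the decrypted .NET serialized stream is turned into JSON by `dnds`.
    The expected values are assembled from fragments on purpose so the plain
    indicators do not appear verbatim in the source.
    """
    data = self.download_from_malshare(
        'ee790d6f09c2292d457cbe92729937e06b3e21eb6b212bf2e32386ba7c2ff22c')
    rsrc = L('perc RCDATA')(data)
    derive_key = L('PBKDF2 48 rep[8]:H:00') | self.ldu('cca', rsrc)
    decrypt = L('aes CBC x::32 --iv=x::16 -Q')
    pipeline = L('xtp guid')[derive_key | decrypt] | L('dnds')
    result = json.loads(pipeline(data))
    config = result[2]['Data']['Members']
    self.assertEqual(config['_EmailServer'], F'mail{"."}bandaichemical{"."}com')
    self.assertEqual(config['_EmailUsername'], F'cv{"@"}bandaichemical{"."}com')
    # Plain literal: the original was an f-string without any placeholder (F541).
    self.assertEqual(config['_EmailPassword'], 'kingqqqqqq1164')
    self.assertEqual(config['_EmailPort'], 587)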
def test_vnc_backdoor_sample(self):
    """Carve the embedded PE from an XOR'ed, jcalg-compressed blob and extract its C2 string.

    The expected value is split into fragments on purpose; the sample is
    referenced by hash and fetched through the test helper only.
    """
    sample_hash = '6d9e2f54382ea697203d714424caefdacf1524c001efbaa7c33320738301808d'
    data = self.download_sample(sample_hash)
    pipeline = L('vsnip 0x00403020: | xor h:760000006E00 | jcalg | carve-pe | xtp')
    extracted = data | pipeline | {str}
    self.assertSetEqual(extracted, {'185.82.202' '.132:443'})
def test_maldoc(self):
    """The macro's obfuscated PowerShell yields a download URL once the junk token is stripped.

    The expected URL is written as two fragments on purpose; the sample is
    referenced by hash and fetched through the test helper only.
    """
    data = self.download_sample(
        '969ff75448ea54feccc0d5f652e00172af8e1848352e9a5877d705fc97fa0238')
    pipeline = L('xtdoc', 'WordDoc') | L('push')[
        L('drp')
        | L('pop', 'junk')
        | L('repl', 'var:junk')
        | L('carve', '-ds', 'b64')
        | L('u16')
        | L('deob-ps1')
        | L('repl', 'var:junk', 'http')
        | L('xtp', 'url')
    ]
    urls = pipeline(data)
    self.assertIn(B'http://depannage-vehicule-maroc' B'.com/wp-admin/c/', urls)
def test_filter_by_size(self):
    """`size > 3` followed by `cull` drops every name of three bytes or fewer."""
    names = L('emit Tim Ada Jake Elisabeth James Meredith')
    keep_long_names = self.load('size > 3') | L('cull') | L('sep')
    pipeline = names[keep_long_names]
    survivors = [B'Jake', B'Elisabeth', B'James', B'Meredith']
    self.assertEqual(pipeline(), B'\n'.join(survivors))
def test_multiple_pops(self):
    """`pop foo bar baz` binds three variables from a single carve and `cfmt` can use all of them."""
    script = B'$a = "foo"; $b = "bar"; $c = "baz"; decode-decode("XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", $a, $b, $c)'
    pipeline = L(
        'push [[| carve -dm5 string | pop foo bar baz ]| carve -sd string | cfmt {foo}-{bar}-{baz}-{} ]'
    )
    formatted = pipeline(script)
    self.assertEqual(formatted, B'foo-bar-baz-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX')
def test_documentation_example_04(self):
    """Documentation example 4: scope 0 gets an N before each character, scope 1 is reversed, joined by '-'."""
    pipeline = L('emit aaaaaaaa namtaB')[
        L('scope 0')
        | L('rex .')[L('ccp N')]
        | L('scope 1')
        | L('rev')
        | L('sep -')
    ]
    self.assertEqual(B'NaNaNaNaNaNaNaNa-Batman', pipeline(B''))
def test_real_world_01(self):
    """Decode a real-world numerically obfuscated command line back to its WMIC/PowerShell text.

    The decoder splits the digit stream into 0x01DC-byte groups, then 5-byte
    tokens; each token is sorted, its first two bytes dropped, the rest joined,
    packed as decimal numbers and finally passed through `blockop --dec -sN B-S`
    (the exact arithmetic of that last step is not visible here).
    """
    obfuscated = (
        B'''3018152148501567213310184800633409362144880559105294049701126311246081131975615343153231062913116111'''
        B'''1811157103091659005342125241030117185058391257506811185641455415793050760678905403191251022718260080'''
        B'''7906431133491248306004123002146510940169690710820141169320955312014120171102115059068660995810412198'''
        B'''2616881062361714809255109191754708061112151124515802166780656805937169201403509433094710978206187056'''
        B'''2218138176051220720074069511229205186057281368405973054061286713377066441598840591412906137750687906'''
        B'''4041396607792051271161313019124720712811569074680757406931112780654609788055291148605702141810628505'''
        B'''8151284909456087890549404926117480955908477066171262212153090600834110276067051380014345098520912112'''
        B'''2241190813511132231202511818125031403011344099331108705657086800634310034109011420913464079540893910'''
        B'''4470969005365078580853510871072121313211155088071361612710133620813710651092820619305073070401034210'''
        B'''1700736108238105500938306036107630802012367076910524001430513808135271167207124119480954609725118261'''
        B'''1783060490948006355088131302012370073291143410911132710725209182061211224310017126311126607719124590'''
        B'''8460083860575009354089740698805569074161279005364079321115309035108401031812509134770666308092051560'''
        B'''8742101371066807584059750686707610133510927307091052361073810533110580851412944099810629305007136760'''
        B'''6785058391040214112131151286507879064780654110262081570860613789054610829404903140281154709601142450'''
        B'''9822121301130413987056231204'''
    )
    expected = (
        B'''wMIc 'prOcess' "cALl" crEAtE "powErsHell -NoNiNtErAC -NoPrOFi -WIn 00000000000000000000000000'''
        B'''0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'''
        B'''0000000000000000000000000000000000000000000000000000000000000000000000000000000000000'''
    )
    per_token = L('chop 5 -t')[L('sorted') | L('snip 2:') | L('sep')]
    decoder = L('chop 0x01DC')[
        per_token
        | L('pack 10')
        | L('blockop --dec -sN B-S')
    ]
    self.assertEqual(expected, decoder(obfuscated))
def test_stream_mode(self):
    """In stream mode every chunk of the frame ends up in the same output file, in order."""
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, 'test')
        dump = self.load(target, stream=True)
        payload = self.generate_random_buffer(1024)
        with io.BytesIO(payload) as source:
            # 32-byte chunks, all written through the single streaming dump unit
            list(source | L('chop 32')[dump])
        self.assertTrue(os.path.exists(target))
        with open(target, 'rb') as written:
            self.assertEqual(written.read(), payload)
def test_simple_frame(self):
    """Chunks framed by `resplit [` are recovered unchanged by FrameUnpacker."""
    sizes = (0x14, 0x154, 0x81, 0x12031, 0x1311, 0x8012)
    chunks = [B'A' * size for size in sizes]
    framed = io.BytesIO()
    framed.writelines(io.BytesIO(B'\n'.join(chunks)) | L('resplit ['))
    framed.seek(0)
    recovered = []
    unpacker = FrameUnpacker(framed)
    while unpacker.nextframe():
        recovered.extend(unpacker)
    self.assertEqual(chunks, recovered)
def test_01(self):
    """`xfcc` counts each character across the nested frame and exposes the total as `count`."""
    pipeline = L('emit ABDF AEC ABE [| rex . [| xfcc ]]')
    counts = {}
    for chunk in pipeline:
        counts[bytes(chunk)] = chunk['count']
    self.assertEqual(counts, {
        B'A': 3,
        B'B': 2,
        B'C': 1,
        B'D': 1,
        B'E': 2,
        B'F': 1,
    })
def test_encoding_metavars(self):
    """`peek -m` prints an explicit `s:` prefix only for values that look like multibin expressions."""
    template = 'emit s: [| put test "s:{}" | peek -m ]'
    cases = {
        'b64:b64:b64': True,
        'accu:@msvc': True,
        'u[:!krz--dk': False,
        'ftp://t.com': False,
    }
    for value, needs_prefix in cases.items():
        with errbuf() as stderr:
            shown_prefix = 's:' if needs_prefix else ''
            L(template.format(value))()
            self.assertIn(F'test = {shown_prefix}{value}', stderr.getvalue())
def test_panic(self):
    """Encrypt with a fixed IV, prepend that IV, then decrypt with `--iv x::16`: a round trip.

    Key (`range:16`) and IV (sixteen 0xAC bytes) are deterministic test
    fixtures chosen for reproducibility, nothing more.
    """
    plaintext = B'BINARY REFINERY REFINES BINARIES FINER THAN BINARY TOOLS'
    encrypt = L('aes -R CBC range:16 --iv rep[16]:H:AC')
    prepend_iv = L('ccp rep[16]:H:AC')
    decrypt = L('aes CBC range:16 --iv x::16')
    roundtrip = encrypt | prepend_iv | decrypt
    self.assertEqual(roundtrip(plaintext), plaintext)
def test_variable_in_modifier(self):
    """A popped frame variable can be referenced from inside nested `cca[...]` modifiers."""
    pipeline = (
        L('push [[')
        | L('pop x ]')
        | L('cca cca[cca[var:x]:Q]:T')
        | L('rev ]]')
    )
    self.assertEqual(pipeline(B'x'), B'xQTx')
def test_count_restriction(self):
    """`resplit -c1` splits at most once and leaves the remainder untouched."""
    split_once = L('emit eeny,meeny,miny,moe') | L('resplit -c1 ,')
    self.assertEqual(split_once(), B'eeny\nmeeny,miny,moe')
def test_example_01_maldoc(self):
    """Documentation example 1: recover the C2 domains from an obfuscated spreadsheet macro.

    The numeric cell contents are decoded (sort, snip, pack, blockop), the
    result is base64-carved and PowerShell-deobfuscated twice, and domains are
    extracted at the end. The expected domains are written with a `%c` gap on
    purpose so they never appear verbatim in the source.
    """
    data = self.download_from_malshare(
        '81a1fca7a1fb97fe021a1f2cf0bf9011dd2e72a5864aad674f8fea4ef009417b')
    pipeline = L('xlxtr 9.5:11.5 15.15 12.5:14.5')[
        L('scope -n 3')
        | L('chop -t 5')[L('sorted') | L('snip 2:') | L('sep')]
        | L('pack 10')
        | L('blockop --dec -sN B-S')
    ] | L('carveb64z') | L('deob_ps1') | L('carveb64z') | L('deob_ps1') | L('xtp -f domain')
    with BytesIO(data) as sample:
        extracted = set(sample | pipeline)
    gapped_domains = {
        b'udatapost%cred',
        b'marvellstudio%conline',
        b'sdkscontrol%cpw',
        b'abrakam%csite',
        b'hiteronak%cicu',
        b'ublaznze%conline',
        b'sutsyiekha%ccasa',
        b'makretplaise%cxyz',
    }
    self.assertSetEqual(extracted, {domain % 0x2E for domain in gapped_domains})
def test_simple_variable_01(self):
    """A value popped earlier in the frame remains available to `ccp var:...` later on."""
    pipeline = (
        L('emit "FOO BAR" [')
        | L('push')
        | L('snip :4')
        | L('pop oof')
        | L('nop')
        | L('ccp var:oof ]')
    )
    self.assertEqual(pipeline(), B'FOO FOO BAR')
def test_filter_identifier_letters(self):
    """Filtering single bytes with `\\w` keeps exactly the ASCII word characters."""
    pipeline = L('emit range::256') | L('chop 1')[self.load('\\w') | L('cull')]
    word_characters = (
        B'0123456789'
        B'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
        B'_'
        B'abcdefghijklmnopqrstuvwxyz'
    )
    self.assertEqual(pipeline(), word_characters)
def test_push_pop_in_frame(self):
    """push/pop/swap of a copy inside a `rex .` frame leaves the data unchanged."""
    pipeline = L('rex . [') | L('push [') | L('pop copy ]') | L('swap copy ]')
    sample = B'foobar'
    self.assertEqual(pipeline(sample), sample)
def test_change_separator(self):
    """Split on ',' keeping the separators, then rewrite every odd chunk (the commas) as '-'."""
    pipeline = (
        L('emit eeny,meeny,miny,moe')
        | L('resplit (,) [')
        | L('scope 1::2')
        | L('cfmt - ]')
    )
    self.assertEqual(pipeline(), B'eeny-meeny-miny-moe')
def test_pick_only_odd_items(self):
    """Keep the words at even frame indices and rejoin them with a single space."""
    words = L('emit Marry had a little lamb.')
    every_other = self.load('index % 2 == 0') | L('cull') | L('sep " "')
    pipeline = words[every_other]
    self.assertEqual(pipeline(), B'Marry a lamb.')
def test_clipboard_copy(self):
    """After the frame runs, the clipboard holds only the first chunk ('Too')."""
    to_clipboard = self.load()
    with temporary_clipboard():
        pipeline = L('emit Too much technology')[to_clipboard]
        pipeline()
        self.assertEqual(pyperclip.paste(), 'Too')
def test_comparison_01(self):
    """`size -ge 2` keeps only chunks of length two or more."""
    at_least_two = self.load('size', '-ge', '2')
    pipeline = L('emit A BB C D EEE')[at_least_two]
    self.assertEqual(pipeline(), B'BBEEE')
def test_pop_variable(self):
    """`put k x::1` stores the first byte and `sub xvar:k` leaves the byte difference (0x01 for each pair)."""
    pipeline = L('emit AB CD EF [') | L('put k x::1') | L('sub xvar:k ]')
    self.assertEqual(pipeline(), B'\x01\x01\x01')
def test_variable_outside_modifier(self):
    """A popped frame variable can be used as a plain `var:x` argument outside any modifier."""
    pipeline = (
        L('push [[')
        | L('pop x ]')
        | L('cca T')
        | L('cca var:x')
        | L('rev ]')
    )
    self.assertEqual(pipeline(B'x'), B'xTx')
def test_comparison_02(self):
    """`size -lt 2` keeps only single-byte chunks."""
    shorter_than_two = self.load('size', '-lt', '2')
    pipeline = L('emit A BB C D EEE')[shorter_than_two]
    self.assertEqual(pipeline(), B'ACD')
def test_simple_variable_01(self):
    """A variable set with `put` (five copies of the first byte) is prepended by `ccp var:ff`."""
    pipeline = (
        L('emit "FOO BAR" [')
        | L('put ff rep[5]:copy::1')
        | L('nop')
        | L('ccp var:ff ]')
    )
    self.assertEqual(pipeline(), B'FFFFFFOO BAR')