def test_mbr_nt5_with_whitelist(whitelist): sampleName = os.path.join('test_data', 'mbr_5.bin') dParsed = {} dExpected = { 'record_type': 'MBR', 'sample_name': sampleName, 'partition_table': [(1, True, 'NTFS', 63, 73368792)], 'disk_signature': '059c059c'.decode('hex'), 'oem_id': None, 'code_SHA256': 'b5ed343494f0326a08aa6abf7cc9aa4d96207532cf0d2b39453c6eb7bede19e3'.decode('hex'), 'record_raw': '33c08ed0bc007cfb5007501ffcbe1b7cbf1b065057b9e501f3a4cbbdbe07b104386e007c09751383c510e2f4cd188bf5' '83c610497419382c74f6a0b507b4078bf0ac3c0074fcbb0700b40ecd10ebf2884e10e84600732afe4610807e040b740b' '807e040c7405a0b60775d2804602068346080683560a00e821007305a0b607ebbc813efe7d55aa740b807e100074c8a0' 'b707eba98bfc1e578bf5cbbf05008a5600b408cd1372238ac1243f988ade8afc43f7e38bd186d6b106d2ee42f7e23956' '0a77237205394608731cb80102bb007c8b4e028b5600cd1373514f744e32e48a5600cd13ebe48a560060bbaa55b441cd' '13723681fb55aa7530f6c101742b61606a006a00ff760aff76086a0068007c6a016a10b4428bf4cd136161730e4f740b' '32e48a5600cd13ebd661f9c35461626c6520646520706172746974696f6e206e6f6e2076616c69646500457272657572' '206c6f7273206475206368617267656d656e7420647520737973748a6d652064276578706c6f69746174690053797374' '8a6d652064276578706c6f69746174696f6e20616273656e740000000000000000000000000000000000000000000000' '00000000002c4a7c059c059c00008001010007feffff3f000000d8845f04000000000000000000000000000000000000' '00000000000000000000000000000000000000000000000000000000000055aa'.decode('hex'), 'suspicious_behaviour': [], 'known_code_signature': ['NT5.1/NT5.2 MBR'], } with open(sampleName, 'rb') as f_mbr: objMBR = MasterBootRecord(f_mbr, os.path.getsize(f_mbr.name), whitelist=whitelist) dParsed = objMBR.getDictRecord() assert dParsed == dExpected
def test_mbr_empty_code_with_whitelist(whitelist): sampleName = os.path.join('test_data', 'mbr_empty_code.bin') dParsed = {} dExpected = { 'record_type': 'MBR', 'sample_name': sampleName, 'partition_table': [ { 'Number': 1, 'Attributes': 'Active', 'Type': 'NTFS', 'Start sector': 2048, 'Size in sectors': 204800 }, { 'Number': 2, 'Attributes': 'Inactive', 'Type': 'NTFS', 'Start sector': 206848, 'Size in sectors': 40685568 }, { 'Number': 3, 'Attributes': 'Inactive', 'Type': 'NTFS', 'Start sector': 40892416, 'Size in sectors': 1046528 }, ], 'disk_signature': '14a90642'.decode('hex'), 'oem_id': None, 'code_SHA256': None, 'record_raw': '000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' '000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' '000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' '000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' '000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' '000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' '000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' '000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' '000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' '000000000000000014a9064200008020210007df130c000800000020030000df140c07feffff0028030000d06c0200fe' 'ffff07feffff00f86f0200f80f000000000000000000000000000000000055aa'. decode('hex'), 'suspicious_behaviour': ['Code section is null'], 'known_code_signature': [], } with open(sampleName, 'rb') as f_mbr: objMBR = MasterBootRecord(f_mbr, os.path.getsize(f_mbr.name), whitelist=whitelist) dParsed = objMBR.getDictRecord() assert dParsed == dExpected
def test_mbr_nt61_with_whitelist(whitelist): sampleName = os.path.join('test_data', 'mbr_61.bin') dParsed = {} dExpected = { 'record_type': 'MBR', 'sample_name': sampleName, 'partition_table': [(1, True, 'NTFS', 2048, 204800), (2, False, 'NTFS', 206848, 40685568), (3, False, 'NTFS', 40892416, 1046528)], 'disk_signature': '14a90642'.decode('hex'), 'oem_id': None, 'code_SHA256': '088995559ab317af9b3291408da689651e8353f62e0a478d92eb0b5a947063fd'.decode('hex'), 'record_raw': '33c08ed0bc007c8ec08ed8be007cbf0006b90002fcf3a450681c06cbfbb90400bdbe07807e00007c0b0f850e0183c510' 'e2f1cd1888560055c6461105c6461000b441bbaa55cd135d720f81fb55aa7509f7c101007403fe46106660807e100074' '2666680000000066ff760868000068007c680100681000b4428a56008bf4cd139f83c4109eeb14b80102bb007c8a5600' '8a76018a4e028a6e03cd136661731cfe4e11750c807e00800f848a00b280eb845532e48a5600cd135deb9e813efe7d55' 'aa756eff7600e88d007517fab0d1e664e88300b0dfe660e87c00b0ffe664e87500fbb800bbcd1a6623c0753b6681fb54' '435041753281f90201722c666807bb00006668000200006668080000006653665366556668000000006668007c000066' '6168000007cd1a5a32f6ea007c0000cd18a0b707eb08a0b607eb03a0b50732e40500078bf0ac3c007409bb0700b40ecd' '10ebf2f4ebfd2bc9e464eb002402e0f82402c3496e76616c696420706172746974696f6e207461626c65004572726f72' '206c6f6164696e67206f7065726174696e672073797374656d004d697373696e67206f7065726174696e672073797374' '656d000000637b9a14a9064200008020210007df130c000800000020030000df140c07feffff0028030000d06c0200fe' 'ffff07feffff00f86f0200f80f000000000000000000000000000000000055aa'.decode('hex'), 'suspicious_behaviour': [], 'known_code_signature': ['NT6.1+ MBR'], } with open(sampleName, 'rb') as f_mbr: objMBR = MasterBootRecord(f_mbr, os.path.getsize(f_mbr.name), whitelist=whitelist) dParsed = objMBR.getDictRecord() assert dParsed == dExpected
def test_mbr_nt60_with_whitelist(whitelist): sampleName = os.path.join('test_data', 'mbr_60.bin') dParsed = {} dExpected = { 'record_type': 'MBR', 'sample_name': sampleName, 'partition_table': [(1, True, 'NTFS', 2048, 41938944)], 'disk_signature': 'c9eda2df'.decode('hex'), 'oem_id': None, 'code_SHA256': '4799e8c92d32bca8e5103110a322523adb7a3909324132bd9abab8f3345e094a'.decode('hex'), 'record_raw': '33c08ed0bc007c8ec08ed8be007cbf0006b90002fcf3a450681c06cbfbb90400bdbe07807e00007c0b0f85100183c510' 'e2f1cd1888560055c6461105c6461000b441bbaa55cd135d720f81fb55aa7509f7c101007403fe46106660807e100074' '2666680000000066ff760868000068007c680100681000b4428a56008bf4cd139f83c4109eeb14b80102bb007c8a5600' '8a76018a4e028a6e03cd136661731efe4e110f850c00807e00800f848a00b280eb825532e48a5600cd135deb9c813efe' '7d55aa756eff7600e88a000f851500b0d1e664e87f00b0dfe660e87800b0ffe664e87100b800bbcd1a6623c0753b6681' 'fb54435041753281f90201722c666807bb00006668000200006668080000006653665366556668000000006668007c00' '00666168000007cd1a5a32f6ea007c0000cd18a0b707eb08a0b607eb03a0b50732e40500078bf0ac3c0074fcbb0700b4' '0ecd10ebf22bc9e464eb002402e0f82402c3496e76616c696420706172746974696f6e207461626c65004572726f7220' '6c6f6164696e67206f7065726174696e672073797374656d004d697373696e67206f7065726174696e67207379737465' '6d00000000627a99c9eda2df00008020210007feffff0008000000f07f02000000000000000000000000000000000000' '00000000000000000000000000000000000000000000000000000000000055aa'.decode('hex'), 'suspicious_behaviour': [], 'known_code_signature': ['NT6.0 MBR'], } with open(sampleName, 'rb') as f_mbr: objMBR = MasterBootRecord(f_mbr, os.path.getsize(f_mbr.name), whitelist=whitelist) dParsed = objMBR.getDictRecord() assert dParsed == dExpected
def test_mbr_uefi_with_whitelist(whitelist): sampleName = os.path.join('test_data', 'mbr_protect_uefi.bin') dParsed = {} dExpected = { 'record_type': 'MBR', 'sample_name': sampleName, 'partition_table': [(1, False, 'PROTECTIVE_MBR', 1, 41943039)], 'disk_signature': '00000000'.decode('hex'), 'oem_id': None, 'code_SHA256': None, 'record_raw': '000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' '000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' '000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' '000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' '000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' '000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' '000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' '000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' '000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' '000000000000000000000000000000000100eefeffff01000000ffff7f02000000000000000000000000000000000000' '00000000000000000000000000000000000000000000000000000000000055aa'.decode('hex'), 'suspicious_behaviour': [], 'known_code_signature': ['Protective MBR', 'UEFI (no legacy boot code)'], } with open(sampleName, 'rb') as f_mbr: objMBR = MasterBootRecord(f_mbr, os.path.getsize(f_mbr.name), whitelist=whitelist) dParsed = objMBR.getDictRecord() assert dParsed == dExpected
def test_mbr_tc_with_whitelist(whitelist): sampleName = os.path.join('test_data', 'mbr_tc.bin') dParsed = {} dExpected = { 'record_type': 'MBR', 'sample_name': sampleName, 'partition_table': [(1, True, 'NTFS', 2048, 204800), (2, False, 'NTFS', 206848, 40685568), (3, False, 'NTFS', 40892416, 1046528)], 'disk_signature': 'c9a7ee57'.decode('hex'), 'oem_id': None, 'code_SHA256': 'e6e6605c48665800786de4651ade2893970aafb1237a06db0943a8603dd4fce1'.decode('hex'), 'record_raw': 'ea1e7c00002054727565437279707420426f6f74204c6f616465720d0a00fa33c08ed88ed0bc007cfbf606b67d017507' '8d36057ce8dc00b80090813e13045c027d0eb80088813e13043c027d03b800208ec032c0bf0001b9ff6efcf3aa8cc02d' '00088ec0b102b004bb0001e8b4006633dbbe0001b90008e8ba006653bb000db106b039f606467d017404b01ab124e891' '00665bbe000d8b0eb07de89700663b1eb27d7425f606467d01750ec606467d01b120f606b77d0275ad8d36557de85300' '8d36057ce84c00ebfe8cc08ed8fa8ed0bc0080fb52680a0d68007a6800810e68e77c06680001cb83c4065a0e1f85c074' '098d36557de81b00ebfe8a36b77d8cc00500088ec08ed8fa8ed0bcfc6ffb06680001cb33dbb40efcac84c07404cd10eb' 'f7c3b500b600b402cd1373078d36477de8e0ffc31e061f6633c0fcac6603d866d1c3e2f71fc3004469736b206572726f' '720d0a0700074c6f616465722064616d61676564212055736520526573637565204469736b3a20526570616972204f70' '74696f6e73203e20526573746f726500000000000000000000000000000000000000000000000000000000000000071a' '722e832e05b50006c9a7ee5700008020210007df130c000800000020030000df140c07feffff0028030000d06c0200fe' 'ffff07feffff00f86f0200f80f000000000000000000000000000000000055aa'.decode('hex'), 'suspicious_behaviour': [], 'known_code_signature': ['TrueCrypt MBR'], } with open(sampleName, 'rb') as f_mbr: objMBR = MasterBootRecord(f_mbr, os.path.getsize(f_mbr.name), whitelist=whitelist) dParsed = objMBR.getDictRecord() assert dParsed == dExpected
def test_mbr_empty_code_with_whitelist(whitelist): sampleName = os.path.join('test_data', 'mbr_empty_code.bin') dParsed = {} dExpected = { 'record_type': 'MBR', 'sample_name': sampleName, 'partition_table': [(1, True, 'NTFS', 2048, 204800), (2, False, 'NTFS', 206848, 40685568), (3, False, 'NTFS', 40892416, 1046528)], 'disk_signature': '14a90642'.decode('hex'), 'oem_id': None, 'code_SHA256': None, 'record_raw': '000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' '000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' '000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' '000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' '000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' '000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' '000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' '000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' '000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' '000000000000000014a9064200008020210007df130c000800000020030000df140c07feffff0028030000d06c0200fe' 'ffff07feffff00f86f0200f80f000000000000000000000000000000000055aa'.decode('hex'), 'suspicious_behaviour': ['Code section is null'], 'known_code_signature': [], } with open(sampleName, 'rb') as f_mbr: objMBR = MasterBootRecord(f_mbr, os.path.getsize(f_mbr.name), whitelist=whitelist) dParsed = objMBR.getDictRecord() assert dParsed == dExpected