def test_basics(): set_cwd(tempfile.mkdtemp()) cuckoo_create() mkdir(cwd(analysis=1)) init_yara() em = ExtractManager(1) em.write_extracted("foo", "bar") filepath = cwd("extracted", "0.foo", analysis=1) assert open(filepath, "rb").read() == "bar" scr = Scripting() cmd = scr.parse_command("powershell -e %s" % "foobar".encode("utf-16le").encode("base64")) em.push_script({ "pid": 1, "first_seen": 2, }, cmd) filepath = cwd("extracted", "0.ps1", analysis=1) assert open(filepath, "rb").read() == "foobar" em.push_command_line("powershell -e %s" % "world!".encode("utf-16le").encode("base64")) filepath = cwd("extracted", "1.ps1", analysis=1) assert open(filepath, "rb").read() == "world!"
def test_ident_shellcode(p): set_cwd(tempfile.mkdtemp()) cuckoo_create() mkdir(cwd("yara", "scripts")) open(cwd("yara", "scripts", "1.yar"), "wb").write(""" rule Shellcode1 { strings: $Shellcode = /=\s*((0x)?[0-9A-F]{2}\s*[,;]\s*)+/ nocase condition: all of them } """) # No Yara has been installed. if not init_yara(True): return class Shellcode1(Extractor): yara_rules = "Shellcode1" def handle_yara(self, filepath, match): sc = match.string("Shellcode", 0) self.push_shellcode("".join( chr(int(x, 16)) for x in sc[2:-1].split(","))) p.return_value = Shellcode1, sc = shikata(open("tests/files/shellcode/shikata/1.bin", "rb").read()) sc = ",".join("0x%02x" % ord(ch) for ch in sc) scr = Scripting() ps1 = ("[Byte[]]$s = %s;" % sc).encode("utf-16le") cmd = scr.parse_command("powershell -e %s" % ps1.encode("base64").replace("\n", "")) mkdir(cwd(analysis=1)) em = ExtractManager(1) em.push_script({ "pid": 1, "first_seen": 2, }, cmd) assert len(em.items) == 2 filepath = cwd("extracted", "0.ps1", analysis=1) assert open(filepath, "rb").read().startswith("[Byte[]]$s = 0xfc") buf = open(cwd("extracted", "1.bin.txt", analysis=1), "rb").read() assert "call 0x88" in buf assert "0x00c1: push 0xc69f8957" in buf assert ".db 'www.service.chrome-up.date',0" in buf
def test_cfgextr(): set_cwd(tempfile.mkdtemp()) cuckoo_create() class Trigger1(Extractor): yara_rules = "Trigger1" def handle_yara(self, filepath, match): self.push_config({ "family": "barfoo", "version": "baz", }) ExtractManager.init_once() mkdir(cwd(analysis=1)) em = ExtractManager(1) em.handle_yara( None, YaraMatch({ "name": "Trigger1", "meta": None, "offsets": None, "strings": [], })) assert len(em.items) == 1 results = { "extracted": em.results(), "metadata": {}, "info": {}, } RunSignatures(results).run() assert results == { "info": { "score": 10.0, }, "metadata": { "cfgextr": [{ "family": "barfoo", "version": "baz", }], }, "extracted": mock.ANY, "signatures": [], }