def test_signature_severity(p):
    """A matching signature is logged together with its severity.

    ``p`` is the patched logger supplied from outside this block (presumably
    a ``mock.patch`` of the module logger, so ``p.debug`` is a mock). The
    fake signature below reports ``matched = True``; the assertions expect
    two debug calls, the second one carrying the ``signature.match`` event
    with the signature name and its severity in ``extra``.
    """
    class sig(object):
        name = "foobar"
        matched = True
        severity = 42
        marks = []

        def init(self):
            pass

        def on_complete(self):
            pass

        def results(self):
            # The class attributes double as the signature's result dict.
            return self.__class__.__dict__

    runner = RunSignatures({})
    runner.signatures = (sig(),)
    runner.run()

    expected_extra = {
        "action": "signature.match",
        "status": "success",
        "signature": "foobar",
        "severity": 42,
    }
    assert p.debug.call_count == 2
    assert p.debug.call_args_list[1][1]["extra"] == expected_extra
def test_mark_config():
    """Two signature instances marking the same config yield one entry.

    Both ``sig`` instances call ``mark_config`` with an identical payload;
    the ``metadata.cfgextr`` result is expected to hold a single entry in
    which the scalar ``cnc`` value has been wrapped in a list and the
    ``url`` list is kept as given.
    """
    class sig(Signature):
        name = "foobar"

        def on_complete(self):
            # A fresh dict per call so the two instances never share state.
            self.mark_config(dict(
                family="foobar",
                cnc="thisiscnc.com",
                url=["url1", "url2"],
            ))
            return True

    runner = RunSignatures({"metadata": {}})
    runner.signatures = (sig(runner), sig(runner))
    runner.run()

    expected = {
        "cfgextr": [{
            "family": "foobar",
            "cnc": ["thisiscnc.com"],
            "url": ["url1", "url2"],
        }],
    }
    assert runner.results["metadata"] == expected
def test_mark_config():
    """mark_config() output is normalised into ``metadata.cfgextr``.

    A single signature marks one config; the resulting entry is expected to
    wrap the scalar ``cnc`` value in a list, keep the ``url`` list as given,
    and carry explicit ``None`` values for the ``key`` and ``type`` fields
    that were not supplied.
    """
    class sig(Signature):
        name = "foobar"

        def on_complete(self):
            self.mark_config(dict(
                family="foobar",
                cnc="thisiscnc.com",
                url=["url1", "url2"],
            ))
            return True

    runner = RunSignatures({"metadata": {}})
    runner.signatures = (sig(runner),)
    runner.run()

    expected = {
        "cfgextr": [{
            "family": "foobar",
            "cnc": ["thisiscnc.com"],
            "url": ["url1", "url2"],
            "key": None,
            "type": None,
        }],
    }
    assert runner.results["metadata"] == expected
def test_on_extract():
    """An extracted script shows up in the report and reaches ``on_extract``.

    A parsed ``cmd.exe`` command line is pushed into the ExtractManager of
    task 2, processing is run, and the ``extracted`` entry is checked. A
    fake signature whose ``on_extract`` hook is a MagicMock is then run
    against those results and must be called exactly once with the match.
    """
    set_cwd(tempfile.mkdtemp())
    cuckoo_create()
    init_modules()
    Database().connect()

    mkdir(cwd(analysis=2))
    parsed = Scripting().parse_command("cmd.exe /c ping 1.2.3.4")
    manager = ExtractManager.for_task(2)
    manager.push_script({"pid": 1, "first_seen": 2}, parsed)

    task = Dictionary({
        "id": 2,
        "category": "file",
        "target": __file__,
    })
    results = RunProcessing(task=task).run()

    expected_extracted = [{
        "category": "script",
        "pid": 1,
        "first_seen": 2,
        "program": "cmd",
        "raw": cwd("extracted", "0.bat", analysis=2),
        "yara": [],
        "info": {},
    }]
    assert results["extracted"] == expected_extracted

    class sig1(object):
        name = "sig1"

        # ``matched`` always reads False; the setter discards any writes.
        @property
        def matched(self):
            return False

        @matched.setter
        def matched(self, value):
            pass

        def init(self):
            pass

        def on_signature(self):
            pass

        def on_complete(self):
            pass

        def on_yara(self):
            pass

        # Class-level mock so the call can be inspected via ``sig1``.
        on_extract = mock.MagicMock()

    runner = RunSignatures(results)
    runner.signatures = (sig1(),)
    runner.run()

    sig1.on_extract.assert_called_once()
    match = sig1.on_extract.call_args_list[0][0][0]
    assert match.category == "script"
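def test_on_yara():
    """Yara hits on the sample, a dropped file and a memory dump reach
    ``Signature.on_yara``.

    Three artefacts are written under analysis 1, each holding the bytes
    the ``vmdetect.yar`` rules are expected to match. Processing is run,
    the reported yara offsets (and the parsed memory region) are checked,
    and a signature with a mocked ``on_yara`` must be called once per
    artefact with the matching ``YaraMatch``.
    """
    set_cwd(os.path.realpath(tempfile.mkdtemp()))
    cuckoo_create()
    init_modules()

    # Install the binaries rule set for memory scanning as well, presumably
    # so the process memory dump below can match ``vmcheckdll``.
    shutil.copy(
        cwd("yara", "binaries", "vmdetect.yar"),
        cwd("yara", "memory", "vmdetect.yar")
    )
    init_yara()

    def write_blob(path, data):
        # Close the handle before processing reads the file back; a bare
        # ``open(...).write(...)`` leaves flushing to the garbage collector.
        with open(path, "wb") as fp:
            fp.write(data)

    mkdir(cwd(analysis=1))
    write_blob(cwd("binary", analysis=1), "\x0f\x3f\x07\x0b")

    mkdir(cwd("files", analysis=1))
    write_blob(cwd("files", "1.txt", analysis=1), "\x56\x4d\x58\x68")

    mkdir(cwd("memory", analysis=1))
    # 24-byte region header (one Q and four I: address 0x400000, size 0x1000,
    # three zero fields) followed by 4 payload bytes, so the yara hit and
    # the region payload are expected at offset 24.
    write_blob(
        cwd("memory", "1-0.dmp", analysis=1),
        struct.pack("QIIII", 0x400000, 0x1000, 0, 0, 0) + "\x45\xc7\x00\x01"
    )

    Database().connect()
    # Drop any ExtractManager instances cached by earlier tests.
    ExtractManager._instances = {}

    task = Dictionary({
        "id": 1,
        "category": "file",
        "target": __file__,
    })
    results = RunProcessing(task=task).run()

    assert results["target"]["file"]["yara"][0]["offsets"] == {
        "virtualpc": [(0, 0)],
    }
    assert results["procmemory"][0]["regions"] == [{
        "addr": "0x00400000",
        "end": "0x00401000",
        "offset": 24,
        "protect": None,
        "size": 4096,
        "state": 0,
        "type": 0,
    }]
    assert results["procmemory"][0]["yara"][0]["offsets"] == {
        "vmcheckdll": [(24, 0)],
    }
    assert results["dropped"][0]["yara"][0]["offsets"] == {
        "vmware": [(0, 0)],
        "vmware1": [(0, 0)],
    }

    class sig1(Signature):
        name = "sig1"

        # ``matched`` always reads False; the setter discards any writes.
        @property
        def matched(self):
            return False

        @matched.setter
        def matched(self, value):
            pass

        def init(self):
            pass

        def on_signature(self, sig):
            pass

        def on_complete(self):
            pass

        def on_extract(self, match):
            pass

        # Class-level mock so the calls can be inspected via ``sig1``.
        on_yara = mock.MagicMock()

    runner = RunSignatures(results)
    runner.signatures = (sig1(runner),)
    runner.run()

    assert sig1.on_yara.call_count == 3
    sig1.on_yara.assert_any_call(
        "sample", cwd("binary", analysis=1), mock.ANY
    )
    sig1.on_yara.assert_any_call(
        "dropped", cwd("files", "1.txt", analysis=1), mock.ANY
    )
    sig1.on_yara.assert_any_call(
        "procmem", cwd("memory", "1-0.dmp", analysis=1), mock.ANY
    )

    # Third positional argument of the first call is the match object.
    ym = sig1.on_yara.call_args_list[0][0][2]
    assert ym.offsets == {
        "virtualpc": [(0, 0)],
    }
    assert ym.string("virtualpc", 0) == "\x0f\x3f\x07\x0b"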
def test_on_extract():
    """An extracted script shows up in the report and reaches ``on_extract``.

    A parsed ``cmd.exe`` command line is pushed into the ExtractManager of
    task 2, processing is run, and the ``extracted`` entry (with its
    ``script`` path) is checked. A fake signature whose ``on_extract`` hook
    is a MagicMock is then run against those results and must be called
    exactly once with the match.
    """
    set_cwd(tempfile.mkdtemp())
    cuckoo_create()
    init_modules()
    Database().connect()

    mkdir(cwd(analysis=2))
    parsed = Scripting().parse_command("cmd.exe /c ping 1.2.3.4")
    manager = ExtractManager.for_task(2)
    manager.push_script({"pid": 1, "first_seen": 2}, parsed)

    task = Dictionary({
        "id": 2,
        "category": "file",
        "target": __file__,
    })
    results = RunProcessing(task=task).run()

    expected_extracted = [{
        "category": "script",
        "pid": 1,
        "first_seen": 2,
        "program": "cmd",
        "script": cwd("extracted", "0.bat", analysis=2),
        "yara": [],
    }]
    assert results["extracted"] == expected_extracted

    class sig1(object):
        name = "sig1"

        # ``matched`` always reads False; the setter discards any writes.
        @property
        def matched(self):
            return False

        @matched.setter
        def matched(self, value):
            pass

        def init(self):
            pass

        def on_signature(self):
            pass

        def on_complete(self):
            pass

        def on_yara(self):
            pass

        # Class-level mock so the call can be inspected via ``sig1``.
        on_extract = mock.MagicMock()

    runner = RunSignatures(results)
    runner.signatures = (sig1(),)
    runner.run()

    sig1.on_extract.assert_called_once()
    match = sig1.on_extract.call_args_list[0][0][0]
    assert match.category == "script"
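def test_on_yara():
    """Yara hits on the sample, a dropped file and a memory dump reach
    ``on_yara``.

    Three artefacts are written under analysis 1, each holding the bytes
    the ``vmdetect.yar`` rules are expected to match. Processing is run,
    the reported yara offsets are checked, and a signature with a mocked
    ``on_yara`` must be called once per artefact with the matching
    ``YaraMatch``.
    """
    set_cwd(os.path.realpath(tempfile.mkdtemp()))
    cuckoo_create()
    init_modules()

    # Install the binaries rule set for memory scanning as well, presumably
    # so the process memory dump below can match ``vmcheckdll``.
    shutil.copy(
        cwd("yara", "binaries", "vmdetect.yar"),
        cwd("yara", "memory", "vmdetect.yar")
    )
    init_yara()

    def write_blob(path, data):
        # Close the handle before processing reads the file back; a bare
        # ``open(...).write(...)`` leaves flushing to the garbage collector.
        with open(path, "wb") as fp:
            fp.write(data)

    mkdir(cwd(analysis=1))
    write_blob(cwd("binary", analysis=1), "\x0f\x3f\x07\x0b")

    mkdir(cwd("files", analysis=1))
    write_blob(cwd("files", "1.txt", analysis=1), "\x56\x4d\x58\x68")

    mkdir(cwd("memory", analysis=1))
    # 24-byte region header (one Q and four I: address 0x400000, size 0x1000,
    # three zero fields) followed by 4 payload bytes, so the yara hit is
    # expected at offset 24.
    write_blob(
        cwd("memory", "1-0.dmp", analysis=1),
        struct.pack("QIIII", 0x400000, 0x1000, 0, 0, 0) + "\x45\xc7\x00\x01"
    )

    Database().connect()

    task = Dictionary({
        "id": 1,
        "category": "file",
        "target": __file__,
    })
    results = RunProcessing(task=task).run()

    assert results["target"]["file"]["yara"][0]["offsets"] == {
        "virtualpc": [(0, 0)],
    }
    assert results["procmemory"][0]["yara"][0]["offsets"] == {
        "vmcheckdll": [(24, 0)],
    }
    assert results["dropped"][0]["yara"][0]["offsets"] == {
        "vmware": [(0, 0)],
        "vmware1": [(0, 0)],
    }

    class sig1(object):
        name = "sig1"

        # ``matched`` always reads False; the setter discards any writes.
        @property
        def matched(self):
            return False

        @matched.setter
        def matched(self, value):
            pass

        def init(self):
            pass

        def on_signature(self):
            pass

        def on_complete(self):
            pass

        def on_extract(self):
            pass

        # Class-level mock so the calls can be inspected via ``sig1``.
        on_yara = mock.MagicMock()

    runner = RunSignatures(results)
    runner.signatures = (sig1(),)
    runner.run()

    assert sig1.on_yara.call_count == 3
    sig1.on_yara.assert_any_call(
        "sample", cwd("binary", analysis=1), mock.ANY
    )
    sig1.on_yara.assert_any_call(
        "dropped", cwd("files", "1.txt", analysis=1), mock.ANY
    )
    sig1.on_yara.assert_any_call(
        "procmem", cwd("memory", "1-0.dmp", analysis=1), mock.ANY
    )

    # Third positional argument of the first call is the match object.
    ym = sig1.on_yara.call_args_list[0][0][2]
    assert ym.offsets == {
        "virtualpc": [(0, 0)],
    }
    assert ym.string("virtualpc", 0) == "\x0f\x3f\x07\x0b"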
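def test_on_yara():
    """Yara hits on the sample, a dropped file and a memory dump reach
    ``on_yara``.

    Three artefacts are written under analysis 1, each holding the bytes
    the ``vmdetect.yar`` rules are expected to match. Processing is run,
    the reported yara offsets are checked, and a signature with a mocked
    ``on_yara`` must be called once per artefact; the third positional
    argument of each call is the match dictionary.
    """
    set_cwd(tempfile.mkdtemp())
    cuckoo_create()
    init_modules()

    # Install the binaries rule set for memory scanning as well, presumably
    # so the process memory dump below can match ``vmcheckdll``.
    shutil.copy(
        cwd("yara", "binaries", "vmdetect.yar"),
        cwd("yara", "memory", "vmdetect.yar")
    )
    init_yara(True)

    def write_blob(path, data):
        # Close the handle before processing reads the file back; a bare
        # ``open(...).write(...)`` leaves flushing to the garbage collector.
        with open(path, "wb") as fp:
            fp.write(data)

    mkdir(cwd(analysis=1))
    write_blob(cwd("binary", analysis=1), "\x0f\x3f\x07\x0b")

    mkdir(cwd("files", analysis=1))
    write_blob(cwd("files", "1.txt", analysis=1), "\x56\x4d\x58\x68")

    mkdir(cwd("memory", analysis=1))
    # 24-byte region header (one Q and four I: address 0x400000, size 0x1000,
    # three zero fields) followed by 4 payload bytes, so the yara hit is
    # expected at offset 24.
    write_blob(
        cwd("memory", "1-0.dmp", analysis=1),
        struct.pack("QIIII", 0x400000, 0x1000, 0, 0, 0) + "\x45\xc7\x00\x01"
    )

    Database().connect()

    task = Dictionary({
        "id": 1,
        "category": "file",
        "target": __file__,
    })
    results = RunProcessing(task=task).run()

    assert results["target"]["file"]["yara"][0]["offsets"] == {
        "virtualpc": [(0, 0)],
    }
    assert results["procmemory"][0]["yara"][0]["offsets"] == {
        "vmcheckdll": [(24, 0)],
    }
    assert results["dropped"][0]["yara"][0]["offsets"] == {
        "vmware": [(0, 0)],
        "vmware1": [(0, 0)],
    }

    class sig1(object):
        name = "sig1"

        # ``matched`` always reads False; the setter discards any writes.
        @property
        def matched(self):
            return False

        @matched.setter
        def matched(self, value):
            pass

        def init(self):
            pass

        def on_signature(self):
            pass

        def on_complete(self):
            pass

        # Class-level mock so the calls can be inspected via ``sig1``.
        on_yara = mock.MagicMock()

    runner = RunSignatures(results)
    runner.signatures = (sig1(),)
    runner.run()

    assert sig1.on_yara.call_count == 3
    sig1.on_yara.assert_any_call(
        "sample", cwd("binary", analysis=1), mock.ANY
    )
    sig1.on_yara.assert_any_call(
        "dropped", cwd("files", "1.txt", analysis=1), mock.ANY
    )
    sig1.on_yara.assert_any_call(
        "procmem", cwd("memory", "1-0.dmp", analysis=1), mock.ANY
    )

    # Third positional argument of the first call is the match dictionary.
    first_match = sig1.on_yara.call_args_list[0][0][2]
    assert first_match["offsets"] == {
        "virtualpc": [(0, 0)],
    }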