def _test_dll_emu(self, fpath):
    """Emulate the test DLL at *fpath* and check each entry point's MessageBox call.

    The report must list three entry points (the DLL entry followed by two
    exports). Each one must have issued exactly one USER32 MessageBox call
    whose text (arg 1) and caption (arg 2) match the table below, and must
    have returned the listed value.
    """
    data = util.get_test_bin_data(fpath)
    self.report = util.run_test(self.config, data)
    eps = self.report["entry_points"]
    self.assertEqual(len(eps), 3)

    # (api name, expected text, expected caption, expected return value),
    # in entry-point order: DLL entry first, then the two exports.
    expectations = (
        ("USER32.MessageBoxA", "Inside process attach", "My caption", "0x1"),
        ("USER32.MessageBoxA", "Inside emu_test_one", "First export", "0x41414141"),
        ("USER32.MessageBoxW", "Inside emu_test_two", "Second export", "0x42424242"),
    )
    for entry, (api_name, text, caption, ret_val) in zip(eps, expectations):
        calls = self._get_api_calls(entry, api_name)
        self.assertEqual(1, len(calls))
        call_args = calls[0]["args"]
        self.assertEqual(call_args[1], text)
        self.assertEqual(call_args[2], caption)
        self.assertEqual(entry["ret_val"], ret_val)
def _test_dll_emu(self, fpath):
    """Emulate the test DLL at *fpath* and verify its three entry points.

    Each entry point (DLL entry, then two exports) must have made exactly
    one USER32 MessageBox call with the expected text/caption arguments and
    must have returned the expected value.
    """

    def check_entry(entry, api_name, text, caption, ret_val):
        # One call to api_name; arg 1 is the text, arg 2 the caption.
        calls = self._get_api_calls(entry, api_name)
        self.assertEqual(1, len(calls))
        args = calls[0]['args']
        self.assertEqual(args[1], text)
        self.assertEqual(args[2], caption)
        self.assertEqual(entry['ret_val'], ret_val)

    data = util.get_test_bin_data(fpath)
    self.report = util.run_test(self.config, data)
    eps = self.report['entry_points']
    self.assertEqual(len(eps), 3)

    check_entry(eps[0], 'USER32.MessageBoxA', 'Inside process attach', 'My caption', '0x1')
    check_entry(eps[1], 'USER32.MessageBoxA', 'Inside emu_test_one', 'First export', '0x41414141')
    check_entry(eps[2], 'USER32.MessageBoxW', 'Inside emu_test_two', 'Second export', '0x42424242')
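def test_seh_dispatch(self):
    """With SEH handler dispatch enabled, the sample's printf trail must match ``self.dispatch_script``.

    Collects the format-string argument (index 2) of every
    ``__stdio_common_vfprintf`` call made by the first entry point and
    compares the whole sequence, in order, against ``self.dispatch_script``.
    """
    self.config['exceptions']['dispatch_handlers'] = True
    data = util.get_test_bin_data('seh_test_x86.exe.xz')
    report = util.run_test(self.config, data)
    ep = report['entry_points']
    fmt_strings = [
        api['args'][2]
        for api in ep[0]['apis']
        if '__stdio_common_vfprintf' in api['api_name']
    ]
    # Compare the whole list at once: same pass/fail as a length check plus
    # an element-wise loop, but a failure shows the complete diff rather
    # than only the first mismatching element.
    self.assertEqual(fmt_strings, list(self.dispatch_script))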
def test_seh_dispatch(self):
    """Check that SEH handlers run in script order when dispatch is enabled.

    Every ``__stdio_common_vfprintf`` call made by the first entry point
    contributes its format string (arg 2); that sequence must equal
    ``self.dispatch_script`` element for element.
    """
    self.config["exceptions"]["dispatch_handlers"] = True
    data = util.get_test_bin_data("seh_test_x86.exe.xz")
    report = util.run_test(self.config, data)
    ep = report["entry_points"]
    printf_calls = [
        api for api in ep[0]["apis"] if "__stdio_common_vfprintf" in api["api_name"]
    ]
    fmt_strings = [call["args"][2] for call in printf_calls]
    self.assertEqual(len(fmt_strings), len(self.dispatch_script))
    for observed, expected in zip(fmt_strings, self.dispatch_script):
        self.assertEqual(observed, expected)
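def _test_argv_exe(self, fpath):
    """Run the sample at *fpath* with ten synthetic argv entries and check it echoes each one.

    The sample is expected to print ``argv[i] = argument_i`` once per
    argument, starting at argv[1]. The first two ``__stdio_common_vfprintf``
    calls in the report are skipped before the comparison (presumably
    output that precedes the argv dump -- confirm against the test binary).
    """
    argv_len = 10
    argv = ["argument_%d" % i for i in range(1, argv_len + 1)]
    data = util.get_test_bin_data(fpath)
    report = util.run_test(self.config, data, argv=argv)
    ep = report["entry_points"]
    printfs = [
        api for api in ep[0]["apis"]
        if "__stdio_common_vfprintf" in api["api_name"]
    ]
    # Two leading printf calls are not part of the argv echo.
    self.assertEqual(len(printfs) - 2, argv_len)
    # enumerate(..., start=1) replaces the original's in-loop `i += 1`,
    # which mutated the loop variable to get 1-based argv indices.
    for i, call in enumerate(printfs[2:], start=1):
        fmt_str = call["args"][2]
        expected = "argv[%d] = argument_%d\n" % (i, i)
        self.assertEqual(expected, fmt_str)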
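def test_seh_without_dispatch(self):
    """With SEH dispatch disabled, the sample's faulting write must surface as an emulation error.

    At least one ``__stdio_common_vfprintf`` call must be recorded for the
    first entry point, and that entry point's ``error`` must describe the
    invalid write to address 0 rather than a handled exception.
    """
    self.config['exceptions']['dispatch_handlers'] = False
    data = util.get_test_bin_data('seh_test_x86.exe.xz')
    report = util.run_test(self.config, data)
    ep = report['entry_points']
    # The original collected at most one printf (break on first match) and
    # then asserted len == 1, which only ever proved "at least one call";
    # state that intent directly.
    self.assertTrue(
        any('__stdio_common_vfprintf' in api['api_name'] for api in ep[0]['apis']),
        'expected at least one __stdio_common_vfprintf call before the fault',
    )
    error = ep[0]['error']
    self.assertEqual(error['type'], 'invalid_write')
    self.assertEqual(error['address'], '0x0')
    self.assertEqual(error['instr'], 'mov dword ptr [0], 0x14')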
def test_seh_without_dispatch(self):
    """Check that, without SEH dispatch, the invalid write is reported as the entry point's error.

    The first entry point must have made at least one
    ``__stdio_common_vfprintf`` call, and its ``error`` record must name an
    invalid write to address 0 with the expected faulting instruction.
    """
    self.config["exceptions"]["dispatch_handlers"] = False
    data = util.get_test_bin_data("seh_test_x86.exe.xz")
    report = util.run_test(self.config, data)
    ep = report["entry_points"]

    # Keep only the first matching vfprintf call, if any.
    first_printf = None
    for api in ep[0]["apis"]:
        if "__stdio_common_vfprintf" in api["api_name"]:
            first_printf = api
            break
    printfs = [] if first_printf is None else [first_printf]
    self.assertEqual(1, len(printfs))

    error = ep[0]["error"]
    self.assertEqual(error["type"], "invalid_write")
    self.assertEqual(error["address"], "0x0")
    self.assertEqual(error["instr"], "mov dword ptr [0], 0x14")
def _test_file_access(self, fpath):
    """Emulate the driver at *fpath* and verify its file-access API trail.

    The first entry point must call ``ntdll.NtCreateFile`` exactly once
    with the expected NT-style path as argument 3, call
    ``ntdll.NtReadFile`` exactly once, and make five
    ``__stdio_common_vfprintf`` calls, the last of which reports the file
    contents.
    """
    data = util.get_test_bin_data(fpath)
    self.report = util.run_test(self.config, data)
    driver_entry = self.report["entry_points"][0]

    def calls_to(api_name):
        # All recorded calls from the driver entry to the named API.
        return self._get_api_calls(driver_entry, api_name)

    create_calls = calls_to("ntdll.NtCreateFile")
    self.assertEqual(1, len(create_calls))
    self.assertEqual(create_calls[0]["args"][3], "\\??\\c:\\myfile.txt")

    self.assertEqual(1, len(calls_to("ntdll.NtReadFile")))

    printf_calls = calls_to("api-ms-win-crt-stdio-l1-1-0.__stdio_common_vfprintf")
    self.assertEqual(5, len(printf_calls))
    last_fmt = printf_calls[-1]["args"][2]
    self.assertIn("File contained:", last_fmt)
def _test_emu_wdm_driver(self, fpath): data = util.get_test_bin_data(fpath) self.report = util.run_test(self.config, data)