authorCyrille Bagard <nocbos@gmail.com>2023-10-18 20:27:58 (GMT)
committerCyrille Bagard <nocbos@gmail.com>2023-10-18 20:27:58 (GMT)
commite42109df9964b153a80ec65a5f1badc02bfb8fa6 (patch)
tree2e175960e2f023fef46be3c7f4adc58c9311c45c /tests/analysis/scan
parent3402b000429c6189b0103ed549edd811d68e7d5e (diff)
Add support for the crc32 checksum.
Diffstat (limited to 'tests/analysis/scan')
-rw-r--r--tests/analysis/scan/pyapi.py24
1 files changed, 21 insertions, 3 deletions
diff --git a/tests/analysis/scan/pyapi.py b/tests/analysis/scan/pyapi.py
index 0574d2c..e81e947 100644
--- a/tests/analysis/scan/pyapi.py
+++ b/tests/analysis/scan/pyapi.py
@@ -139,15 +139,21 @@ class TestRostPythonAPI(ChrysalideTestCase):
return struct.unpack('<I', t)[0]
- mod = find_token_modifiers_for_name('ror13')
+ # Example :
+ # - PlugX (2020) - https://vms.drweb.fr/virus/?i=21512304
+
+ mod = find_token_modifiers_for_name('crc32')
self.assertIsNotNone(mod)
- source = b'GetProcAddress'
+ source = b'GetCurrentProcess\x00'
transformed = mod.transform(source)
- self.assertEqual(b2i(transformed[0]), 0x7c0dfcaa)
+ self.assertEqual(b2i(transformed[0]), 0x3690e66)
+ # Example :
+ # - GuLoader (2020) - https://www.crowdstrike.com/blog/guloader-malware-analysis/
+
mod = find_token_modifiers_for_name('djb2')
self.assertIsNotNone(mod)
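Review bot: The crc32 case hashes `b'GetCurrentProcess\x00'` while the djb2 and ror13 cases hash bare names, and nothing on the `source =` line says the trailing NUL is deliberate, so a later reader could strip it and break the hard-coded expectation `0x3690e66`. A short comment would pin it: `# trailing NUL is intentionally part of the hashed bytes; the expected value depends on it`. If the modifier implements the standard CRC-32 (zlib polynomial), adding `self.assertEqual(b2i(transformed[0]), zlib.crc32(source))` next to the literal would make the expected value self-checking; if it is a variant, the comment should name which one so the literal can be reproduced. The enclosing test method and the `b2i` helper start before this hunk.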
@@ -157,6 +163,18 @@ class TestRostPythonAPI(ChrysalideTestCase):
self.assertEqual(b2i(transformed[0]), 0xcf31bb1f)
+ # Example :
+ # - ?? (2021) - https://www.threatspike.com/blogs/reflective-dll-injection
+
+ mod = find_token_modifiers_for_name('ror13')
+ self.assertIsNotNone(mod)
+
+ source = b'GetProcAddress'
+ transformed = mod.transform(source)
+
+ self.assertEqual(b2i(transformed[0]), 0x7c0dfcaa)
+
+
def testBytePatternModifiersAPI(self):
"""Validate the API for pattern modifiers."""