author | Cyrille Bagard <nocbos@gmail.com> | 2023-10-20 06:45:34 (GMT) |
---|---|---|
committer | Cyrille Bagard <nocbos@gmail.com> | 2023-10-20 06:45:34 (GMT) |
commit | 0140499d4340c074b039194a2e71808d909d8cbd (patch) | |
tree | 0b8b16353b5a835245bce55393f206b8e6383dc2 /tests | |
parent | e42109df9964b153a80ec65a5f1badc02bfb8fa6 (diff) |
Include sll1-add-hash32 as new custom API hash.
Diffstat (limited to 'tests')
-rw-r--r-- | tests/analysis/scan/pyapi.py | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/tests/analysis/scan/pyapi.py b/tests/analysis/scan/pyapi.py
index e81e947..cfd12b3 100644
--- a/tests/analysis/scan/pyapi.py
+++ b/tests/analysis/scan/pyapi.py
@@ -165,6 +165,7 @@ class TestRostPythonAPI(ChrysalideTestCase):
 
         # Example :
         # - ?? (2021) - https://www.threatspike.com/blogs/reflective-dll-injection
+        # - Mustang Panda (2022) - https://blog.talosintelligence.com/mustang-panda-targets-europe/
 
         mod = find_token_modifiers_for_name('ror13')
         self.assertIsNotNone(mod)
@@ -174,6 +175,23 @@ class TestRostPythonAPI(ChrysalideTestCase):
 
         self.assertEqual(b2i(transformed[0]), 0x7c0dfcaa)
 
+        source = b'VirtualAlloc'
+        transformed = mod.transform(source)
+
+        self.assertEqual(b2i(transformed[0]), 0x91afca54)
+
+
+        # Example
+        # - Energetic Bear (2019) - https://insights.sei.cmu.edu/blog/api-hashing-tool-imagine-that/
+
+        mod = find_token_modifiers_for_name('sll1-add-hash32')
+        self.assertIsNotNone(mod)
+
+        source = b'LoadLibraryA'
+        transformed = mod.transform(source)
+
+        self.assertEqual(b2i(transformed[0]), 0x000d5786)
+
     def testBytePatternModifiersAPI(self):
         """Validate the API for pattern modifiers."""
 
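Review bot: The new `sll1-add-hash32` check in the second hunk pins a single magic value, `0x000d5786`, with nothing in the hunk saying how it was obtained, so the test cannot distinguish "matches the malware's hash" from "matches whatever the modifier currently emits", and a regression in the details that most often make an API-hash matcher silently miss — whether the terminating NUL is folded in and whether the input is case-folded — would only be caught if this one vector happens to hit it. Add a vector that differs only in case, e.g. `source = b'loadlibrarya'` asserted unequal to `0x000d5786` if the modifier is meant to be case-sensitive, and a comment recording the provenance of the constant, such as `# expected value cross-checked against the reference loop in the cited write-up`; the added `VirtualAlloc` ror13 vector, `0x91afca54`, would benefit from the same note. Minor: the new `# Example` header lacks the trailing colon used by the `# Example :` comment above it. The enclosing test method begins outside the hunk.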