authorCyrille Bagard <nocbos@gmail.com>2023-10-20 06:45:34 (GMT)
committerCyrille Bagard <nocbos@gmail.com>2023-10-20 06:45:34 (GMT)
commit0140499d4340c074b039194a2e71808d909d8cbd (patch)
tree0b8b16353b5a835245bce55393f206b8e6383dc2 /tests
parente42109df9964b153a80ec65a5f1badc02bfb8fa6 (diff)
Include sll1-add-hash32 as new custom API hash.
Diffstat (limited to 'tests')
-rw-r--r--tests/analysis/scan/pyapi.py18
1 files changed, 18 insertions, 0 deletions
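--- a/tests/analysis/scan/pyapi.py
+++ b/tests/analysis/scan/pyapi.py
@@ -165,6 +165,7 @@ class TestRostPythonAPI(ChrysalideTestCase):
 # Example :
 # - ?? (2021) - https://www.threatspike.com/blogs/reflective-dll-injection
+ # - Mustang Panda (2022) - https://blog.talosintelligence.com/mustang-panda-targets-europe/
 mod = find_token_modifiers_for_name('ror13')
 self.assertIsNotNone(mod)
@@ -174,6 +175,23 @@ class TestRostPythonAPI(ChrysalideTestCase):
 self.assertEqual(b2i(transformed[0]), 0x7c0dfcaa)
+ source = b'VirtualAlloc'
+ transformed = mod.transform(source)
+
+ self.assertEqual(b2i(transformed[0]), 0x91afca54)
+
+
+ # Example
+ # - Energetic Bear (2019) - https://insights.sei.cmu.edu/blog/api-hashing-tool-imagine-that/
+
+ mod = find_token_modifiers_for_name('sll1-add-hash32')
+ self.assertIsNotNone(mod)
+
+ source = b'LoadLibraryA'
+ transformed = mod.transform(source)
+
+ self.assertEqual(b2i(transformed[0]), 0x000d5786)
+
 def testBytePatternModifiersAPI(self):
 """Validate the API for pattern modifiers."""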
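Review bot: The new sll1-add-hash32 check pins a single known-answer vector (`LoadLibraryA` to `0x000d5786`) while the ror13 block right above it now checks two, so an implementation slip that happens to coincide on this one input would still pass; add a second API name with its expected digest taken from the referenced Energetic Bear write-up, e.g. `source = b'<second API name from reference>'` followed by `self.assertEqual(b2i(transformed[0]), <expected hash from reference>)`. It would also be worth asserting `len(transformed)` so a modifier that silently returns more than one candidate is caught rather than only its first element being compared. The comment header `# Example` drops the trailing colon used by the earlier `# Example :` header; align the two. The enclosing test method starts outside the hunk.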