Diffstat (limited to 'tests/analysis')
-rw-r--r--tests/analysis/scan/pyapi.py24
1 files changed, 21 insertions, 3 deletions
diff --git a/tests/analysis/scan/pyapi.py b/tests/analysis/scan/pyapi.py
index 0574d2c..e81e947 100644
--- a/tests/analysis/scan/pyapi.py
+++ b/tests/analysis/scan/pyapi.py
@@ -139,15 +139,21 @@ class TestRostPythonAPI(ChrysalideTestCase):
return struct.unpack('<I', t)[0]
- mod = find_token_modifiers_for_name('ror13')
+ # Example :
+ # - PlugX (2020) - https://vms.drweb.fr/virus/?i=21512304
+
+ mod = find_token_modifiers_for_name('crc32')
self.assertIsNotNone(mod)
- source = b'GetProcAddress'
+ source = b'GetCurrentProcess\x00'
transformed = mod.transform(source)
- self.assertEqual(b2i(transformed[0]), 0x7c0dfcaa)
+ self.assertEqual(b2i(transformed[0]), 0x3690e66)
+ # Example :
+ # - GuLoader (2020) - https://www.crowdstrike.com/blog/guloader-malware-analysis/
+
mod = find_token_modifiers_for_name('djb2')
self.assertIsNotNone(mod)
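Review bot: The crc32 assertion pins the bare literal `0x3690e66`, and the `\x00` appended to `source` is the one detail that determines it, yet nothing in the hunk says whether the modifier is meant to hash the NUL terminator or the fixture simply reproduces what the referenced sample does. A comment on the `source =` line such as `# The sample hashes the export name including its NUL terminator` would make the fixture self-explanatory. If the `crc32` modifier is the standard CRC-32, the expected value could additionally be cross-checked against `zlib.crc32(source)` so the literal is not the only evidence of correctness; I cannot confirm the algorithm variant from this hunk. The enclosing test method starts before this hunk, where `b2i` is defined.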
@@ -157,6 +163,18 @@ class TestRostPythonAPI(ChrysalideTestCase):
self.assertEqual(b2i(transformed[0]), 0xcf31bb1f)
+ # Example :
+ # - ?? (2021) - https://www.threatspike.com/blogs/reflective-dll-injection
+
+ mod = find_token_modifiers_for_name('ror13')
+ self.assertIsNotNone(mod)
+
+ source = b'GetProcAddress'
+ transformed = mod.transform(source)
+
+ self.assertEqual(b2i(transformed[0]), 0x7c0dfcaa)
+
+
def testBytePatternModifiersAPI(self):
"""Validate the API for pattern modifiers."""