summaryrefslogtreecommitdiff
path: root/tests/analysis
diff options
context:
space:
mode:
Diffstat (limited to 'tests/analysis')
-rw-r--r--tests/analysis/scan/pyapi.py18
1 files changed, 18 insertions, 0 deletions
diff --git a/tests/analysis/scan/pyapi.py b/tests/analysis/scan/pyapi.py
index e81e947..cfd12b3 100644
--- a/tests/analysis/scan/pyapi.py
+++ b/tests/analysis/scan/pyapi.py
@@ -165,6 +165,7 @@ class TestRostPythonAPI(ChrysalideTestCase):
# Example :
# - ?? (2021) - https://www.threatspike.com/blogs/reflective-dll-injection
+ # - Mustang Panda (2022) - https://blog.talosintelligence.com/mustang-panda-targets-europe/
mod = find_token_modifiers_for_name('ror13')
self.assertIsNotNone(mod)
@@ -174,6 +175,23 @@ class TestRostPythonAPI(ChrysalideTestCase):
self.assertEqual(b2i(transformed[0]), 0x7c0dfcaa)
+ source = b'VirtualAlloc'
+ transformed = mod.transform(source)
+
+ self.assertEqual(b2i(transformed[0]), 0x91afca54)
+
+
+ # Example
+ # - Energetic Bear (2019) - https://insights.sei.cmu.edu/blog/api-hashing-tool-imagine-that/
+
+ mod = find_token_modifiers_for_name('sll1-add-hash32')
+ self.assertIsNotNone(mod)
+
+ source = b'LoadLibraryA'
+ transformed = mod.transform(source)
+
+ self.assertEqual(b2i(transformed[0]), 0x000d5786)
+
def testBytePatternModifiersAPI(self):
"""Validate the API for pattern modifiers."""