diff options
Diffstat (limited to 'tests')
-rw-r--r-- | tests/analysis/scan/pyapi.py | 24 |
1 files changed, 21 insertions, 3 deletions
diff --git a/tests/analysis/scan/pyapi.py b/tests/analysis/scan/pyapi.py index 0574d2c..e81e947 100644 --- a/tests/analysis/scan/pyapi.py +++ b/tests/analysis/scan/pyapi.py @@ -139,15 +139,21 @@ class TestRostPythonAPI(ChrysalideTestCase): return struct.unpack('<I', t)[0] - mod = find_token_modifiers_for_name('ror13') + # Example : + # - PlugX (2020) - https://vms.drweb.fr/virus/?i=21512304 + + mod = find_token_modifiers_for_name('crc32') self.assertIsNotNone(mod) - source = b'GetProcAddress' + source = b'GetCurrentProcess\x00' transformed = mod.transform(source) - self.assertEqual(b2i(transformed[0]), 0x7c0dfcaa) + self.assertEqual(b2i(transformed[0]), 0x3690e66) + # Example : + # - GuLoader (2020) - https://www.crowdstrike.com/blog/guloader-malware-analysis/ + mod = find_token_modifiers_for_name('djb2') self.assertIsNotNone(mod) @@ -157,6 +163,18 @@ class TestRostPythonAPI(ChrysalideTestCase): self.assertEqual(b2i(transformed[0]), 0xcf31bb1f) + # Example : + # - ?? (2021) - https://www.threatspike.com/blogs/reflective-dll-injection + + mod = find_token_modifiers_for_name('ror13') + self.assertIsNotNone(mod) + + source = b'GetProcAddress' + transformed = mod.transform(source) + + self.assertEqual(b2i(transformed[0]), 0x7c0dfcaa) + + def testBytePatternModifiersAPI(self): """Validate the API for pattern modifiers.""" |