Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

windows analyzer tweaks for test capabilities #2043

Closed
wants to merge 20 commits into from
Closed

windows analyzer tweaks for test capabilities #2043

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
20 commits
Select commit Hold shift + click to select a range
fab737f
refactor the Windows analyzer
nbargnesi Apr 4, 2024
8b27e98
pull out some obvious rot in the Windows analyzer
nbargnesi Apr 4, 2024
2874f46
fix vbs/vbe regex
nbargnesi Apr 4, 2024
7515483
start Windows analyzer module tests
nbargnesi Apr 4, 2024
7901fe9
call the analysis_loop
nbargnesi Apr 4, 2024
135ecd9
call out a few BUG's
nbargnesi Apr 4, 2024
1235707
tweak workflow triggers
nbargnesi Apr 9, 2024
e7016b9
add heavily patched test for analyzer prepare()
nbargnesi Apr 9, 2024
20dd22b
pull package selection out and test it
nbargnesi Apr 9, 2024
1bb08b2
fill out the package test cases
nbargnesi Apr 9, 2024
1160b03
IsInstance → Equal
nbargnesi Apr 9, 2024
9246c4d
fix class name assertions
nbargnesi Apr 9, 2024
41bc522
make analyzer test case classes distinct
nbargnesi Apr 11, 2024
95575a2
add basic import/instantiate analysis pkg tests
nbargnesi Apr 11, 2024
b93cde3
ran ruff 🐶
nbargnesi Apr 11, 2024
218961f
extend protected path tests
nbargnesi Apr 11, 2024
a0a7ca1
capture protected path BUGs in test failures
nbargnesi Apr 11, 2024
fc0c305
fix analyzer bug when protecting bytes and str's
nbargnesi Apr 11, 2024
5763f5b
fix bad Process kwarg tid
nbargnesi Apr 11, 2024
39107bc
init analyzer = None and rebind to guard NameError
nbargnesi Apr 11, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 1 addition & 5 deletions .github/workflows/python-package-windows.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,11 +3,7 @@ name: Python tests on windows
env:
COLUMNS: 120

on:
push:
branches: [ master, staging ]
pull_request:
branches: [ master, staging ]
on: [push, pull_request, workflow_dispatch]

jobs:
test:
Expand Down
229 changes: 109 additions & 120 deletions analyzer/windows/analyzer.py
View file
Open in desktop

Large diffs are not rendered by default.

6 changes: 3 additions & 3 deletions analyzer/windows/lib/api/process.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -124,12 +124,12 @@ def __init__(self, options=None, config=None, pid=0, h_process=0, thread_id=0, h

def __del__(self):
"""Close open handles."""
if self.h_process and self.h_process != KERNEL32.GetCurrentProcess():
if hasattr(self, "h_process") and self.h_process != KERNEL32.GetCurrentProcess():
KERNEL32.CloseHandle(self.h_process)
if self.h_thread:
if hasattr(self, "h_thread") and self.h_thread != 0:
KERNEL32.CloseHandle(self.h_thread)

def get_system_info(self):
def fill_system_info(self):
"""Get system information."""
KERNEL32.GetSystemInfo(byref(self.system_info))

Expand Down
2 changes: 1 addition & 1 deletion analyzer/windows/lib/core/packages.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -128,7 +128,7 @@ def choose_package(file_type, file_name, exports, target):
elif (
file_name.endswith((".vbs", ".vbe"))
or re.findall(rb"\s?Dim\s", file_content, re.I)
or re.findall(b"\s?\x00D\x00i\x00m\x00\s", file_content, re.I)
or re.findall(rb"\s?\x00D\x00i\x00m\x00\s", file_content, re.I)
):
return "vbs"
elif b"Set-StrictMode" in file_content[:100]:
Expand Down
11 changes: 11 additions & 0 deletions analyzer/windows/tests/lib/api/test_process.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,6 @@
import os
import unittest
import threading
from unittest.mock import MagicMock, patch

from lib.api.process import Process
Expand All @@ -16,3 +18,12 @@ def test_known_image_name(self):
with patch("lib.api.process.Process.get_image_name", mock_image_name):
process = Process()
assert f"{process}" == f"<Process 0 {self.id()}>"

def test_process_self(self):
_ = Process(pid=os.getpid(), thread_id=threading.get_ident())

def test_process_fill_system_info(self):
p = Process()
p.fill_system_info()
# arbitrary sysinfo field assertion here
self.assertNotEqual(0, p.system_info.dwPageSize)
289 changes: 289 additions & 0 deletions analyzer/windows/tests/test_analysis_packages.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,289 @@
"""Basic import/instantiate test for analysis packages."""

import importlib
import inspect
import unittest

from lib.common.abstracts import Package


class TestAnalysisPackages(unittest.TestCase):
def class_from_analysis_package(self, module_name):
module = importlib.import_module(module_name)
members = inspect.getmembers(module)
member_classes = [m[1] for m in members if inspect.isclass(m[1])]
pkg_classes = [c for c in member_classes if issubclass(c, Package) and c != Package]
self.assertEqual(1, len(pkg_classes))
return pkg_classes[0]

def test_choose_package_Shellcode_Unpacker(self):
pkg_class = self.class_from_analysis_package("modules.packages.Shellcode-Unpacker")
pkg_class()

def test_Shellcode(self):
pkg_class = self.class_from_analysis_package("modules.packages.Shellcode")
pkg_class()

def test_Shellcode_x64(self):
pkg_class = self.class_from_analysis_package("modules.packages.Shellcode_x64")
pkg_class()

def test_Unpacker(self):
pkg_class = self.class_from_analysis_package("modules.packages.Unpacker")
pkg_class()

def test_Unpacker_dll(self):
pkg_class = self.class_from_analysis_package("modules.packages.Unpacker_dll")
pkg_class()

def test_Unpacker_js(self):
pkg_class = self.class_from_analysis_package("modules.packages.Unpacker_js")
pkg_class()

def test_Unpacker_ps1(self):
pkg_class = self.class_from_analysis_package("modules.packages.Unpacker_ps1")
pkg_class()

def test_Unpacker_regsvr(self):
pkg_class = self.class_from_analysis_package("modules.packages.Unpacker_regsvr")
pkg_class()

def test_Unpacker_zip(self):
pkg_class = self.class_from_analysis_package("modules.packages.Unpacker_zip")
pkg_class()

def test_access(self):
pkg_class = self.class_from_analysis_package("modules.packages.access")
pkg_class()

def test_applet(self):
pkg_class = self.class_from_analysis_package("modules.packages.applet")
pkg_class()

def test_archive(self):
pkg_class = self.class_from_analysis_package("modules.packages.archive")
pkg_class()

def test_autoit(self):
pkg_class = self.class_from_analysis_package("modules.packages.autoit")
pkg_class()

def test_chm(self):
pkg_class = self.class_from_analysis_package("modules.packages.chm")
pkg_class()

def test_chrome(self):
pkg_class = self.class_from_analysis_package("modules.packages.chrome")
pkg_class()

def test_chromium(self):
pkg_class = self.class_from_analysis_package("modules.packages.chromium")
pkg_class()

def test_cpl(self):
pkg_class = self.class_from_analysis_package("modules.packages.cpl")
pkg_class()

def test_dll(self):
pkg_class = self.class_from_analysis_package("modules.packages.dll")
pkg_class()

def test_doc(self):
pkg_class = self.class_from_analysis_package("modules.packages.doc")
pkg_class()

def test_doc2016(self):
pkg_class = self.class_from_analysis_package("modules.packages.doc2016")
pkg_class()

def test_doc_antivm(self):
pkg_class = self.class_from_analysis_package("modules.packages.doc_antivm")
pkg_class()

def test_edge(self):
pkg_class = self.class_from_analysis_package("modules.packages.edge")
pkg_class()

def test_eml(self):
pkg_class = self.class_from_analysis_package("modules.packages.eml")
pkg_class()

def test_exe(self):
pkg_class = self.class_from_analysis_package("modules.packages.exe")
pkg_class()

def test_firefox(self):
pkg_class = self.class_from_analysis_package("modules.packages.firefox")
pkg_class()

def test_generic(self):
pkg_class = self.class_from_analysis_package("modules.packages.generic")
pkg_class()

def test_hta(self):
pkg_class = self.class_from_analysis_package("modules.packages.hta")
pkg_class()

def test_hwp(self):
pkg_class = self.class_from_analysis_package("modules.packages.hwp")
pkg_class()

def test_ichitaro(self):
pkg_class = self.class_from_analysis_package("modules.packages.ichitaro")
pkg_class()

def test_ie(self):
pkg_class = self.class_from_analysis_package("modules.packages.ie")
pkg_class()

def test_inf(self):
pkg_class = self.class_from_analysis_package("modules.packages.inf")
pkg_class()

def test_inp(self):
pkg_class = self.class_from_analysis_package("modules.packages.inp")
pkg_class()

def test_jar(self):
pkg_class = self.class_from_analysis_package("modules.packages.jar")
pkg_class()

def test_js(self):
pkg_class = self.class_from_analysis_package("modules.packages.js")
pkg_class()

def test_js_antivm(self):
pkg_class = self.class_from_analysis_package("modules.packages.js_antivm")
pkg_class()

def test_lnk(self):
pkg_class = self.class_from_analysis_package("modules.packages.lnk")
pkg_class()

def test_mht(self):
pkg_class = self.class_from_analysis_package("modules.packages.mht")
pkg_class()

def test_msbuild(self):
pkg_class = self.class_from_analysis_package("modules.packages.msbuild")
pkg_class()

def test_msg(self):
pkg_class = self.class_from_analysis_package("modules.packages.msg")
pkg_class()

def test_msi(self):
pkg_class = self.class_from_analysis_package("modules.packages.msi")
pkg_class()

def test_msix(self):
pkg_class = self.class_from_analysis_package("modules.packages.msix")
pkg_class()

def test_nsis(self):
pkg_class = self.class_from_analysis_package("modules.packages.nsis")
pkg_class()

def test_ollydbg(self):
pkg_class = self.class_from_analysis_package("modules.packages.ollydbg")
pkg_class()

def test_one(self):
pkg_class = self.class_from_analysis_package("modules.packages.one")
pkg_class()

def test_pdf(self):
pkg_class = self.class_from_analysis_package("modules.packages.pdf")
pkg_class()

def test_ppt(self):
pkg_class = self.class_from_analysis_package("modules.packages.ppt")
pkg_class()

def test_ppt2016(self):
pkg_class = self.class_from_analysis_package("modules.packages.ppt2016")
pkg_class()

def test_ps1(self):
pkg_class = self.class_from_analysis_package("modules.packages.ps1")
pkg_class()

def test_pub(self):
pkg_class = self.class_from_analysis_package("modules.packages.pub")
pkg_class()

def test_pub2016(self):
pkg_class = self.class_from_analysis_package("modules.packages.pub2016")
pkg_class()

def test_python(self):
pkg_class = self.class_from_analysis_package("modules.packages.python")
pkg_class()

def test_rar(self):
pkg_class = self.class_from_analysis_package("modules.packages.rar")
pkg_class()

def test_reg(self):
pkg_class = self.class_from_analysis_package("modules.packages.reg")
pkg_class()

def test_regsvr(self):
pkg_class = self.class_from_analysis_package("modules.packages.regsvr")
pkg_class()

def test_sct(self):
pkg_class = self.class_from_analysis_package("modules.packages.sct")
pkg_class()

def test_service(self):
pkg_class = self.class_from_analysis_package("modules.packages.service")
pkg_class()

def test_service_dll(self):
pkg_class = self.class_from_analysis_package("modules.packages.service_dll")
pkg_class()

def test_swf(self):
pkg_class = self.class_from_analysis_package("modules.packages.swf")
pkg_class()

def test_vawtrak(self):
pkg_class = self.class_from_analysis_package("modules.packages.vawtrak")
pkg_class()

def test_vbejse(self):
pkg_class = self.class_from_analysis_package("modules.packages.vbejse")
pkg_class()

def test_vbs(self):
pkg_class = self.class_from_analysis_package("modules.packages.vbs")
pkg_class()

def test_wsf(self):
pkg_class = self.class_from_analysis_package("modules.packages.wsf")
pkg_class()

def test_xls(self):
pkg_class = self.class_from_analysis_package("modules.packages.xls")
pkg_class()

def test_xls2016(self):
pkg_class = self.class_from_analysis_package("modules.packages.xls2016")
pkg_class()

def test_xps(self):
pkg_class = self.class_from_analysis_package("modules.packages.xps")
pkg_class()

def test_xslt(self):
pkg_class = self.class_from_analysis_package("modules.packages.xslt")
pkg_class()

def test_zip(self):
pkg_class = self.class_from_analysis_package("modules.packages.zip")
pkg_class()

def test_zip_compound(self):
pkg_class = self.class_from_analysis_package("modules.packages.zip_compound")
pkg_class()
Loading