From 70b4546c33b1a64df26cfe22e42f8e23e9affc84 Mon Sep 17 00:00:00 2001
From: Michael Hunhoff
Date: Tue, 11 Aug 2020 14:12:07 -0600
Subject: [PATCH] adding test for unmapped immediate data reference

---
 tests/fixtures.py | 6 ++++++
 tests/test_viv_features.py | 5 +++++
 2 files changed, 11 insertions(+)

diff --git a/tests/fixtures.py b/tests/fixtures.py
index 1ea5b193..a4a59f82 100644
--- a/tests/fixtures.py
+++ b/tests/fixtures.py
@@ -83,3 +83,9 @@ def sample_39c05b15e9834ac93f206bc114d0a00c357c888db567ba8f5345da0529cbed41():
 def sample_499c2a85f6e8142c3f48d4251c9c7cd6_raw32():
 path = os.path.join(CD, "data", "499c2a85f6e8142c3f48d4251c9c7cd6.raw32")
 return Sample(viv_utils.getShellcodeWorkspace(path), path)
+
+
+@pytest.fixture
+def sample_al_khaser_x86():
+ path = os.path.join(CD, "data", "al-khaser_x86.exe_")
+ return Sample(viv_utils.getWorkspace(path), path)
diff --git a/tests/test_viv_features.py b/tests/test_viv_features.py
index ce480a7e..4e612bdf 100644
--- a/tests/test_viv_features.py
+++ b/tests/test_viv_features.py
@@ -126,6 +126,11 @@ def test_number_arch_features(mimikatz):
 assert capa.features.insn.Number(0xFF, arch=ARCH_X64) not in features


+def test_unmapped_immediate_memory_reference_features(sample_al_khaser_x86):
+ features = extract_function_features(viv_utils.Function(sample_al_khaser_x86.vw, 0x41AAB4))
+ assert capa.features.insn.Number(0x7FFE02D4) in features
+
+
 def test_offset_features(mimikatz):
 features = extract_function_features(viv_utils.Function(mimikatz.vw, 0x40105D))
 assert capa.features.insn.Offset(0x0) in features
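Review bot: The new `sample_al_khaser_x86` fixture in tests/fixtures.py identifies its binary by name only, while the two neighbouring fixtures visible in this hunk carry the sample hash in both the fixture name and the file name. The test added in this commit hard-codes a function address inside this binary, so a different al-khaser build dropped into `data/` under the same name would break or silently weaken the test with nothing on the page to tell the builds apart. I would pin the exact file with a comment above the fixture, for example `# al-khaser x86 test build, sha256: <SHA256_OF_SAMPLE_FILE>`, or name the fixture and file by hash as the siblings do. A one-line docstring saying that the `.exe_` suffix is deliberate (presumably to keep the sample from being run by accident) would also help whoever maintains the corpus.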
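Review bot: `test_unmapped_immediate_memory_reference_features` asserts on two bare constants, `0x41AAB4` and `0x7FFE02D4`, with no comment saying what they are or why the second one counts as "unmapped". `0x7FFE02D4` lies in the Windows KUSER_SHARED_DATA page (user-mode base 0x7FFE0000). Offset 0x2D4 there is, as far as I know, the KdDebuggerEnabled field that kernel-debugger checks read, so the address is outside anything the PE maps and the extractor has to emit it as a number rather than drop it as a bad pointer. I would record that above the assertion, e.g. `# 0x7FFE02D4 = KUSER_SHARED_DATA + 0x2D4 (KdDebuggerEnabled): not mapped in the image, must still surface as Number`, and add a short note naming the al-khaser routine at `0x41AAB4`. Without it, a later extractor change that filters "invalid" addresses could remove this feature, and the reader of the failing test would not see that an anti-debugging indicator was lost.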