tests: ida: tweak tests to fit IDA behavior

William Ballenthin
2020-08-14 13:10:38 -06:00
parent 26061c25a5
commit eee565b596
2 changed files with 11 additions and 10 deletions


@@ -224,9 +224,10 @@ FEATURE_PRESENCE_TESTS = [
("mimikatz", "file", capa.features.String("ACR > "), True), ("mimikatz", "file", capa.features.String("ACR > "), True),
("mimikatz", "file", capa.features.String("nope"), False), ("mimikatz", "file", capa.features.String("nope"), False),
# file/sections # file/sections
("mimikatz", "file", capa.features.file.Section(".rsrc"), True),
("mimikatz", "file", capa.features.file.Section(".text"), True), ("mimikatz", "file", capa.features.file.Section(".text"), True),
("mimikatz", "file", capa.features.file.Section(".nope"), False), ("mimikatz", "file", capa.features.file.Section(".nope"), False),
# IDA doesn't extract unmapped sections by default
# ("mimikatz", "file", capa.features.file.Section(".rsrc"), True),
# file/exports # file/exports
("kernel32", "file", capa.features.file.Export("BaseThreadInitThunk"), True), ("kernel32", "file", capa.features.file.Export("BaseThreadInitThunk"), True),
("kernel32", "file", capa.features.file.Export("lstrlenW"), True), ("kernel32", "file", capa.features.file.Export("lstrlenW"), True),
@@ -350,12 +351,15 @@ FEATURE_PRESENCE_TESTS = [
("mimikatz", "function=0x4702FD", capa.features.Characteristic("calls from"), False), ("mimikatz", "function=0x4702FD", capa.features.Characteristic("calls from"), False),
# function/characteristic(calls to) # function/characteristic(calls to)
("mimikatz", "function=0x40105D", capa.features.Characteristic("calls to"), True), ("mimikatz", "function=0x40105D", capa.features.Characteristic("calls to"), True),
("mimikatz", "function=0x46C0D2", capa.features.Characteristic("calls to"), False), ("mimikatz", "function=0x4556E5", capa.features.Characteristic("calls to"), False),
] ]
FEATURE_COUNT_TESTS = [ FEATURE_COUNT_TESTS = [
("mimikatz", "function=0x40E5C2", capa.features.basicblock.BasicBlock(), 7), ("mimikatz", "function=0x40E5C2", capa.features.basicblock.BasicBlock(), 7),
("mimikatz", "function=0x4702FD", capa.features.Characteristic("calls from"), 0),
("mimikatz", "function=0x40E5C2", capa.features.Characteristic("calls from"), 3), ("mimikatz", "function=0x40E5C2", capa.features.Characteristic("calls from"), 3),
("mimikatz", "function=0x4556E5", capa.features.Characteristic("calls to"), 0),
("mimikatz", "function=0x40B1F1", capa.features.Characteristic("calls to"), 3),
] ]
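Review bot: Commenting out the `.rsrc` section row under the new `# IDA doesn't extract unmapped sections by default` comment removes that check for every backend that consumes FEATURE_PRESENCE_TESTS, not only IDA, if the list is shared with the non-IDA fixtures as its name suggests. A backend-specific skip would keep the coverage: leave the tuple in place and have the IDA runner skip or xfail it, or move it to a list the IDA script does not iterate. The new count rows for `0x4556E5` and `0x40B1F1` carry no comment on why those addresses were chosen; a short note such as `# 0x4556E5: no callers, 0x40B1F1: three callers (agreed by both backends)` would help whoever re-baselines against another extractor. The FEATURE_PRESENCE_TESTS list starts before the hunk.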


@@ -29,8 +29,9 @@ def check_input_file(wanted):
# in IDA 7.5 or so, GetInputFileMD5 started returning raw binary # in IDA 7.5 or so, GetInputFileMD5 started returning raw binary
# rather than the hex digest # rather than the hex digest
found = binascii.hexlify(idautils.GetInputFileMD5()[:15]).decode("ascii").lower() found = binascii.hexlify(idautils.GetInputFileMD5()[:15]).decode("ascii").lower()
if not wanted.startswith(found): if not wanted.startswith(found):
raise RuntimeError("please run the tests against `mimikatz.exe`") raise RuntimeError("please run the tests against sample with MD5: `%s`" % (wanted))
def get_ida_extractor(_path): def get_ida_extractor(_path):
@@ -99,10 +100,6 @@ if __name__ == "__main__":
test = getattr(sys.modules[__name__], name) test = getattr(sys.modules[__name__], name)
logger.debug("invoking test: %s", name) logger.debug("invoking test: %s", name)
sys.stderr.flush() sys.stderr.flush()
try: test()
test()
except AssertionError as e: print("DONE")
print("FAIL %s" % (name))
traceback.print_exc()
else:
print("OK %s" % (name))
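Review bot: Removing the try/except around `test()` means the first AssertionError propagates out of the loop, so any remaining tests are not run and there is no per-test `OK`/`FAIL` line to say which one failed; `print("DONE")` is then only reached when every test passes. If fail-fast is intended, say so in a comment and still print the test name, e.g. `test()` followed by `print("OK %s" % (name))`; otherwise restore the except branch with `traceback.print_exc()` so one failure does not hide the others. If nothing else in the file uses `traceback` after this change, that import is now dead. The enclosing `if __name__ == "__main__":` block and its loop start outside the hunk.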