* use _yield from []_ to create empty generator when needed #2572 * Update PR with fixes * solved CI code style error * Fixed formatting with black * Fixed formatting with black * code styles error * code styles error * code styles error * code style error * Update capa-rules submodule to master * Similar changes to other files --------- Co-authored-by: Willi Ballenthin <wballenthin@google.com>
# -*- coding: utf-8 -*-
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import io
import zlib
from pathlib import Path
from fixtures import get_data_path_by_name
import capa.features.extractors.elf
def test_elf_sh_notes():
    """Sample 2f7f5f, identified only through its section-header notes, is detected as "linux".

    Heuristic hints recorded for this sample (as logged by the extractor):
      osabi: None, ph notes: None, sh notes: OS.LINUX, linker: None,
      ABI versions needed: None, symtab: None, needed dependencies: None
    """
    detect_elf_os = capa.features.extractors.elf.detect_elf_os
    sample = get_data_path_by_name("2f7f5f")
    # the detector consumes an open binary file object rather than a path
    with open(sample, "rb") as fh:
        assert detect_elf_os(fh) == "linux"
def test_elf_pt_notes():
    """Sample 7351f.elf is detected as "linux".

    Heuristic hints recorded for this sample (as logged by the extractor):
      osabi: None, ph notes: None, sh notes: OS.LINUX, linker: OS.LINUX,
      ABI versions needed: OS.LINUX, symtab: None, needed dependencies: None
    """
    detect_elf_os = capa.features.extractors.elf.detect_elf_os
    sample = get_data_path_by_name("7351f.elf")
    # the detector consumes an open binary file object rather than a path
    with open(sample, "rb") as fh:
        assert detect_elf_os(fh) == "linux"
def test_elf_so_needed():
    """Sample b5f052, whose needed shared objects point at Hurd, is detected as "hurd".

    Heuristic hints recorded for this sample (as logged by the extractor):
      osabi: None, ph notes: None, sh notes: OS.HURD, linker: None,
      ABI versions needed: OS.HURD, symtab: None, needed dependencies: OS.HURD
    """
    detect_elf_os = capa.features.extractors.elf.detect_elf_os
    sample = get_data_path_by_name("b5f052")
    # the detector consumes an open binary file object rather than a path
    with open(sample, "rb") as fh:
        assert detect_elf_os(fh) == "hurd"
def test_elf_abi_version_hurd():
    """Sample bf7a9c, whose needed ABI versions point at Hurd, is detected as "hurd".

    Heuristic hints recorded for this sample (as logged by the extractor):
      osabi: None, ph notes: None, sh notes: OS.HURD, linker: None,
      ABI versions needed: OS.HURD, symtab: None, needed dependencies: None
    """
    detect_elf_os = capa.features.extractors.elf.detect_elf_os
    sample = get_data_path_by_name("bf7a9c")
    # the detector consumes an open binary file object rather than a path
    with open(sample, "rb") as fh:
        assert detect_elf_os(fh) == "hurd"
def test_elf_symbol_table():
    """Sample 2bf18d, identified only through its symbol table, is detected as "linux".

    Heuristic hints recorded for this sample (as logged by the extractor):
      osabi: None, ph notes: None, sh notes: None, linker: None,
      ABI versions needed: None, symtab: OS.LINUX, needed dependencies: None
    """
    detect_elf_os = capa.features.extractors.elf.detect_elf_os
    sample = get_data_path_by_name("2bf18d")
    # the detector consumes an open binary file object rather than a path
    with open(sample, "rb") as fh:
        assert detect_elf_os(fh) == "linux"
def test_elf_android_notes():
    """Sample 1038a2, identified through its program-header notes, is detected as "android".

    Heuristic hints recorded for this sample, copied from the extractor's
    DEBUG log (logger capa.features.extractors.elf):
      osabi: None, ph notes: OS.ANDROID, sh notes: None, linker: None,
      ABI versions needed: None, needed dependencies: OS.ANDROID
    """
    detect_elf_os = capa.features.extractors.elf.detect_elf_os
    sample = get_data_path_by_name("1038a2")
    # the detector consumes an open binary file object rather than a path
    with open(sample, "rb") as fh:
        assert detect_elf_os(fh) == "android"
def test_elf_go_buildinfo():
    """Sample 3da7c (a Go binary, judging by the test name) is detected as "linux".

    NOTE(review): unlike the sibling tests, no extractor heuristic hints are
    recorded for this sample; which heuristic decides here is not documented.
    """
    detect_elf_os = capa.features.extractors.elf.detect_elf_os
    sample = get_data_path_by_name("3da7c")
    # the detector consumes an open binary file object rather than a path
    with open(sample, "rb") as fh:
        assert detect_elf_os(fh) == "linux"
def test_elf_parse_capa_pyinstaller_header():
    """Regression test: the ELF header of capa-v5.1.0-linux parses and is detected as "linux".

    An earlier extractor version errored on this header after misidentifying
    a large pydata section with address 0; fixed in #1454.

    Only the (zlib-compressed) ELF header is embedded below, so the test
    needs no sample file on disk.  SHA256 of the original binary:
    e16974994914466647e24cdcfb6a6f8710297a4def21525e53f73c72c4b52fcf
    """
    compressed_header = b"".join(
        (
            b"\x78\x9c\x8d\x56\x4f\x88\x1c\xd5\x13\xae\x1d\x35\x0a\x7a\x58\x65",
            b"\xd1\xa0\x9b\xb0\x82\x11\x14\x67\x63\xd6\xcd\x26\xf1\xf0\x63\x49",
            b"\xdc\xc4\xc8\x26\x98\x7f\x07\x89\xa4\xed\xe9\x7e\x6f\xa6\x99\xd7",
            b"\xaf\xdb\xee\x37\xbb\x13\x3d\xb8\x78\x8a\x28\x28\x1e\xbc\x09\x7b",
            b"\xf0\xcf\x82\xa0\x41\x10\x23\xa8\x07\x89\x17\x41\x85\x88\x07\x2f",
            b"\xe2\x25\xb0\x17\x51\x7e\x07\xd9\x5b\x52\xf5\xfe\xcc\x36\x71\x0a",
            b"\x6c\x98\xa9\xf7\xbe\xf9\xea\xab\xaf\xea\x35\x3d\xfd\xda\xd2\xf2",
            b"\xd1\xd6\xc4\x04\x84\xab\x05\xff\x03\xda\x2d\xed\x59\xb4\x7b\xf7",
            b"\x8d\xf1\xef\x57\x5b\x81\xb3\x08\x07\xe1\x6e\xfc\x9e\x86\x87\x60",
            b"\x07\xee\x6f\x6f\xf2\xfc\x2a\xc4\x9e\xcf\x0a\xf1\x2e\xcf\xbb\xcd",
            b"\xe7\x6d\x78\x7c\xa3\xe5\xf8\x21\x4e\x7b\x5e\x88\xc1\x21\x45\xca",
            b"\xdb\xbe\xb6\x2b\xd3\x75\xe9\x01\xb7\x0b\x11\x26\xb7\xf3\xee\xa0",
            b"\xc5\x8c\xc7\x67\x7c\x9e\x8f\xf9\x8b\x6e\x1b\x62\x33\xcf\xd6\x5b",
            b"\xf3\xf8\x9a\xcf\xf3\xf1\xca\x7e\xb7\x0d\xb1\x99\x47\xb3\xd9\xfc",
            b"\xc6\xed\x37\x7f\x74\xfc\x10\xaf\xf8\x26\x36\x86\xbe\x33\x9f\x47",
            b"\xe3\xa0\xbc\x2d\x9f\xb7\xe5\xf9\x21\x5a\x42\x23\x86\x79\x92\x1c",
            b"\x7d\xae\x7a\xfc\xaa\x9f\x63\x88\xcf\x78\x5e\x88\x61\x86\xcf\x5f",
            b"\x37\x29\xad\x37\xd7\xbd\xcf\x75\xef\xd3\xc7\x27\xe8\xa0\x1a\x31",
            b"\xe4\x9d\xc2\x3c\xf2\xf9\x5f\x2f\xdf\x1e\x9c\x0e\xf5\x98\xb9\xec",
            b"\xf4\xfe\x43\x0c\xe7\xbe\x57\x65\x9d\x85\xf9\xbd\x2a\x6d\xab\x4c",
            b"\x0f\x86\xed\xe1\xc1\x85\xf6\xc2\xfc\x6c\x5d\xcc\xce\x59\x4f\x53",
            b"\xfe\x9e\x3a\x76\xf2\x1c\x9c\xfd\xe5\xd9\x33\xe2\xcc\x4b\x17\x76",
            b"\x7f\xfd\xd1\xd4\xe6\xe5\xa9\xe5\xf3\x4f\xff\x7c\x82\x38\xe4\x81",
            b"\xf4\x88\xd3\x9c\x35\xdd\x12\x94\x7b\xaa\x71\x6e\x30\x31\x03\x6b",
            b"\x13\x93\x2d\xc2\x4e\x7b\x0f\x8f\xed\x7a\x6b\x5a\x9e\x8b\x27\x0f",
            b"\xfd\xff\xcd\x70\x5b\xfe\xeb\xd2\x28\x7a\xdf\x18\xfc\x1a\x0a\x8f",
            b"\xc3\xff\x60\xf0\x0b\xf8\x19\x87\x7f\xc7\xe8\x3f\xc7\xe0\x27\x18",
            b"\x9d\x1b\x0c\x7e\x9d\xc1\xe9\xb8\xc6\xe1\x6f\x33\xf8\x97\x4c\x5f",
            b"\x6d\x86\xbf\x83\xe1\x7f\xc0\xf4\xf5\x08\x83\xff\xc9\xe8\xff\xc5",
            b"\xe8\x4b\x06\x7f\x90\xc1\xdf\x60\xf0\x1f\x18\xfc\x13\xc6\xe7\x49",
            b"\x86\x7f\x88\xc1\xff\x61\xfa\xa2\xa7\xf2\x38\xfc\x08\x83\x7f\xc5",
            b"\xe0\x47\x99\xba\x37\x18\xfc\x4e\x46\xe7\x57\xc6\xe7\xf7\x0c\xfe",
            b"\x2e\xa3\x73\x96\xa9\xfb\x05\xa3\x33\xc7\xf0\x5f\x67\xf4\x7f\x67",
            b"\x74\x1e\x67\xf8\x6d\x46\x9f\x9e\x17\xe1\x2f\xa5\x79\x9d\x67\xf8",
            b"\x9f\x72\x3e\x19\x7c\x91\xc1\x0f\x33\xfe\x1f\x66\xf8\x2f\x33\xfc",
            b"\xfb\x99\x7e\x25\x83\xbf\xcf\xe8\xec\x66\xf0\x75\xc6\xcf\x25\x86",
            b"\xff\x2d\xc3\x7f\x87\xc1\xe9\x99\x3e\x0e\xbf\x87\xe1\xbf\xc0\xf4",
            b"\x45\x7f\xef\xe3\xf0\x0f\x19\xfc\x3d\x06\xa7\xd7\x80\x71\xf8\x01",
            b"\xa6\x6e\xc6\xf0\x3f\x67\xf8\x9f\x31\xfc\x9f\x18\xfc\x51\x66\x0e",
            b"\x29\x83\x6f\x31\xf8\xc7\x0c\xbe\x8b\xf1\x99\x73\xcf\x4f\x86\xbf",
            b"\x93\xf1\x9f\x32\xf8\x1e\xee\x79\x88\x75\xef\x45\xb5\xf5\x6b\xee",
            b"\x7d\x22\xbc\x1f\x4d\x79\x7c\xe3\x16\xfc\x37\x8f\x5f\xbe\x05\x87",
            b"\x28\xea\xe6\x85\x8e\x6a\x13\x57\x26\x8a\x20\x55\x89\x2a\x6a\x81",
            b"\xb1\xbe\x98\xe3\x77\x51\x0a\x8d\x41\x54\x55\x51\x41\xa6\xa5\x8a",
            b"\x8d\x08\xf1\xb8\xce\x4c\x14\x36\x4b\x3a\x45\x2d\xe4\xe9\x22\x52",
            b"\x45\x12\x9b\xac\xd0\x50\xc5\x19\x6a\xc9\xa2\xea\xc3\x6a\x9c\x99",
            b"\x32\x23\xce\xb0\xec\x46\x9d\xb8\x16\x3a\xce\x05\xe4\xfd\xd4\x88",
            b"\xbc\x04\x29\xd5\xa0\xee\x41\x6d\xaa\xa4\xbc\x08\x32\xe9\xe5\x45",
            b"\x0a\x95\x88\xd3\x34\xab\xa0\x16\x86\x24\x15\x49\x91\x9f\xd5\xa4",
            b"\xd6\x44\x43\xb6\x4e\x30\x39\x42\xfb\x55\x3a\x28\xa1\x74\x3e\x6d",
            b"\x0b\x36\x31\xeb\xea\x58\x39\x1e\xf2\xf3\x4e\x6d\x0a\x4c\xc6\x04",
            b"\x35\xc4\x8e\x0d\x0c\x34\xbe\x66\xf5\xc9\x05\xb2\xb1\x9c\xc2\x3a",
            b"\x48\x4f\x33\x0d\x5d\x61\xfd\xf6\x33\x65\x05\x4c\xd1\x07\x29\x0a",
            b"\x09\xe8\xc3\x91\x2a\x85\x56\xca\x2a\x31\x0a\x30\xdb\x76\x53\xe5",
            b"\xa4\x93\x8b\x9c\x5c\x25\x4a\xc4\x15\x1a\xc2\x22\xd8\x80\xd0\x2b",
            b"\x58\x56\x96\x55\xa6\x8d\x8c\x92\x5e\x9f\xca\x14\x03\x63\xd9\xb6",
            b"\x65\x3b\xf7\x28\x5a\xa9\x75\x83\x94\x8f\xaa\xe1\x48\xad\xc3\x32",
            b"\x36\x3d\x90\x46\x20\x0e\x5a\x45\x2a\xd6\x5d\x3c\x82\x02\x68\x32",
            b"\x54\x1d\x7d\x53\x2d\x54\xa7\xda\x38\x9a\xa6\x1c\x4d\xd4\x76\x2c",
            b"\x86\x22\x59\x29\xdd\x64\x50\x38\x8a\x82\xb4\xa5\xc9\x0c\x7b\x2b",
            b"\x40\xae\x56\x19\x1e\xb7\xa4\x2c\xa4\x38\xa7\x96\x80\x9d\x10\xe8",
            b"\xfb\xa8\x92\x1e\x55\x5a\x69\x76\x67\xcf\x64\x9b\xee\xc6\xed\xc0",
            b"\xd8\xb8\x3c\x61\x3a\x03\x69\xd3\x71\x5a\x18\xdc\xe1\xe1\xd9\x64",
            b"\x9d\xc4\xdf\x90\x79\x8c\x27\x21\xdd\x0f\xb5\x29\xed\xa0\x6a\x21",
            b"\xfa\x05\x84\xb6\xc8\x9d\x00\x4c\x49\x95\x7b\x4b\xc6\xe5\x2b\xb4",
            b"\xda\x47\xab\xd2\xf4\xc8\x27\xed\x9f\xa4\x7d\x42\xab\x05\x38\xb6",
            b"\x7c\xfc\xf0\x91\x68\x6e\x76\x6e\x76\xff\x68\x7d\x60\xb4\xda\x37",
            b"\x3f\x5a\x3e\x35\x5a\x35\x30\x5c\xc3\x4d\x95\x6e\xa4\x60",
        )
    )
    # the blob is a fixed, test-owned literal; inflating it is not a
    # decompression-bomb concern here
    elf_header = zlib.decompress(compressed_header)
    # the detector takes a binary stream, so wrap the header in memory
    # instead of touching the filesystem
    header_stream = io.BytesIO(elf_header)
    assert capa.features.extractors.elf.detect_elf_os(header_stream) == "linux"