[Forensics-changes] [yara] 246/368: Add test case for #429

Hilko Bengen bengen at moszumanska.debian.org
Sat Jul 1 10:30:44 UTC 2017


This is an automated email from the git hooks/post-receive script.

bengen pushed a commit to annotated tag v3.5.0
in repository yara.

commit 9b141382c88c3f83525842b83d73550540938343
Author: Hilko Bengen <bengen at hilluzination.de>
Date:   Thu Mar 31 01:27:50 2016 +0200

    Add test case for #429
    
    ... without adding malware samples to the source tree :-)
---
 Makefile.am                    |   4 +++-
 tests/data/tiny-idata-51ff.exe | Bin 0 -> 32768 bytes
 tests/data/tiny-idata-5200.exe | Bin 0 -> 32768 bytes
 tests/data/tiny.exe            | Bin 0 -> 32768 bytes
 tests/data/tiny.notes          |  22 ++++++++++++++++++++++
 tests/test-pe.c                |  19 +++++++++++++++++++
 6 files changed, 44 insertions(+), 1 deletion(-)

diff --git a/Makefile.am b/Makefile.am
index 8901d58..4d4f7fa 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -15,10 +15,12 @@ yarac_SOURCES = args.c args.h yarac.c
 yarac_LDADD = libyara/.libs/libyara.a
 
 TESTS = $(check_PROGRAMS)
-check_PROGRAMS = test-alignment test-rules
+check_PROGRAMS = test-alignment test-rules test-pe
 test_alignment_SOURCES = tests/test-alignment.c
 test_rules_SOURCES = tests/test-rules.c tests/util.c
 test_rules_LDADD = libyara/.libs/libyara.a
+test_pe_SOURCES = tests/test-pe.c tests/util.c
+test_pe_LDADD = libyara/.libs/libyara.a
 
 # man pages
 man1_MANS = yara.man yarac.man
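Review bot: the new test_pe target depends on the fixtures tests/data/tiny.exe, tiny-idata-51ff.exe, tiny-idata-5200.exe and tiny.notes, but this hunk only wires up test_pe_SOURCES and test_pe_LDADD; nothing here adds those files to EXTRA_DIST, so a `make dist` tarball would build test-pe and then fail it with a missing-file error. Suggest adding an `EXTRA_DIST += tests/data/tiny.exe tests/data/tiny-idata-51ff.exe tests/data/tiny-idata-5200.exe tests/data/tiny.notes` line (or extending the existing EXTRA_DIST if the Makefile has one) in the same change, and, since the paths in tests/test-pe.c are relative, confirming that `make check` always runs with the source tree as the working directory.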
diff --git a/tests/data/tiny-idata-51ff.exe b/tests/data/tiny-idata-51ff.exe
new file mode 100644
index 0000000..f2fed16
Binary files /dev/null and b/tests/data/tiny-idata-51ff.exe differ
diff --git a/tests/data/tiny-idata-5200.exe b/tests/data/tiny-idata-5200.exe
new file mode 100755
index 0000000..9547e7e
Binary files /dev/null and b/tests/data/tiny-idata-5200.exe differ
diff --git a/tests/data/tiny.exe b/tests/data/tiny.exe
new file mode 100755
index 0000000..0513854
Binary files /dev/null and b/tests/data/tiny.exe differ
diff --git a/tests/data/tiny.notes b/tests/data/tiny.notes
new file mode 100644
index 0000000..d2c0e68
--- /dev/null
+++ b/tests/data/tiny.notes
@@ -0,0 +1,22 @@
+tiny.exe was compiled from a simple oneliner,
+
+    int main() { return 42; }
+
+    $ i686-w64-mingw32-gcc -s -Wl,--file-alignment=4096 -o tiny.exe tiny.c
+
+To demonstrate issue #429, two patched executables have been generated
+where the PointerToRawData for the .idata section (offset 0x22c) was
+changed from 0x5000 to 0x51ff (tiny-idata-51ff.exe) and 0x5200
+(tiny-idata-5200.exe), respectively. While tiny-idata-51ff.exe can be
+executed in Windows XP, tiny-idata-5200.exe can not.
+
+
+
+Compiler version used to produce tiny.exe:
+
+$ i686-w64-mingw32-gcc --version
+i686-w64-mingw32-gcc (GCC) 5.3.1 20160205
+Copyright (C) 2015 Free Software Foundation, Inc.
+This is free software; see the source for copying conditions.  There is NO
+warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+
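Review bot: the notes say the two patched binaries were produced by changing the .idata PointerToRawData at offset 0x22c from 0x5000 to 0x51ff and 0x5200, but they do not record the command used to apply that patch, so the fixtures cannot be regenerated or audited without a hex editor. Suggest adding the exact patch step next to the compiler invocation (for example a `printf`/`dd` one-liner that overwrites the four bytes at 0x22c), and stating the expected size or checksum of each resulting file so a reviewer can confirm that nothing else in the binaries differs. Minor: the three blank lines before "Compiler version used" could be collapsed to one.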
diff --git a/tests/test-pe.c b/tests/test-pe.c
new file mode 100644
index 0000000..6b2b60b
--- /dev/null
+++ b/tests/test-pe.c
@@ -0,0 +1,19 @@
+#include <yara.h>
+#include "util.h"
+
+int main(int argc, char** argv)
+{
+  yr_initialize();
+
+  assert_true_rule_file("import \"pe\" rule test { condition: pe.imports(\"KERNEL32.dll\", \"DeleteCriticalSection\") }",
+      "tests/data/tiny.exe");
+
+  assert_true_rule_file("import \"pe\" rule test { condition: pe.imports(\"KERNEL32.dll\", \"DeleteCriticalSection\") }",
+      "tests/data/tiny-idata-51ff.exe");
+
+  assert_false_rule_file("import \"pe\" rule test { condition: pe.imports(\"KERNEL32.dll\", \"DeleteCriticalSection\") }",
+      "tests/data/tiny-idata-5200.exe");
+
+  yr_finalize();
+  return 0;
+}
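Review bot: the same rule string `import "pe" rule test { condition: pe.imports("KERNEL32.dll", "DeleteCriticalSection") }` is repeated verbatim three times; hoisting it into a single `static const char* rule = ...` (or a macro) would keep the three cases in sync if the rule ever changes. Two smaller points in the same hunk: the return value of `yr_initialize()` is not checked, so a failed initialisation would surface as a confusing assertion failure rather than a clear error, and the unused `argc`/`argv` parameters could be dropped (`int main(void)`) to avoid unused-parameter warnings under `-Wextra`. It would also help to add a one-line comment referencing #429 and tiny.notes, explaining that the 0x5200 case is expected to parse without reading past the end of the file and therefore report no imports.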

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git
