[Forensics-changes] [yara] 246/368: Add test case for #429
Hilko Bengen
bengen at moszumanska.debian.org
Sat Jul 1 10:30:44 UTC 2017
This is an automated email from the git hooks/post-receive script.
bengen pushed a commit to annotated tag v3.5.0
in repository yara.
commit 9b141382c88c3f83525842b83d73550540938343
Author: Hilko Bengen <bengen at hilluzination.de>
Date: Thu Mar 31 01:27:50 2016 +0200
Add test case for #429
... without adding malware samples to the source tree :-)
---
Makefile.am | 4 +++-
tests/data/tiny-idata-51ff.exe | Bin 0 -> 32768 bytes
tests/data/tiny-idata-5200.exe | Bin 0 -> 32768 bytes
tests/data/tiny.exe | Bin 0 -> 32768 bytes
tests/data/tiny.notes | 22 ++++++++++++++++++++++
tests/test-pe.c | 19 +++++++++++++++++++
6 files changed, 44 insertions(+), 1 deletion(-)
diff --git a/Makefile.am b/Makefile.am
index 8901d58..4d4f7fa 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -15,10 +15,12 @@ yarac_SOURCES = args.c args.h yarac.c
yarac_LDADD = libyara/.libs/libyara.a
TESTS = $(check_PROGRAMS)
-check_PROGRAMS = test-alignment test-rules
+check_PROGRAMS = test-alignment test-rules test-pe
test_alignment_SOURCES = tests/test-alignment.c
test_rules_SOURCES = tests/test-rules.c tests/util.c
test_rules_LDADD = libyara/.libs/libyara.a
+test_pe_SOURCES = tests/test-pe.c tests/util.c
+test_pe_LDADD = libyara/.libs/libyara.a
# man pages
man1_MANS = yara.man yarac.man
diff --git a/tests/data/tiny-idata-51ff.exe b/tests/data/tiny-idata-51ff.exe
new file mode 100644
index 0000000..f2fed16
Binary files /dev/null and b/tests/data/tiny-idata-51ff.exe differ
diff --git a/tests/data/tiny-idata-5200.exe b/tests/data/tiny-idata-5200.exe
new file mode 100755
index 0000000..9547e7e
Binary files /dev/null and b/tests/data/tiny-idata-5200.exe differ
diff --git a/tests/data/tiny.exe b/tests/data/tiny.exe
new file mode 100755
index 0000000..0513854
Binary files /dev/null and b/tests/data/tiny.exe differ
diff --git a/tests/data/tiny.notes b/tests/data/tiny.notes
new file mode 100644
index 0000000..d2c0e68
--- /dev/null
+++ b/tests/data/tiny.notes
@@ -0,0 +1,22 @@
+tiny.exe was compiled from a simple oneliner,
+
+ int main() { return 42; }
+
+ $ i686-w64-mingw32-gcc -s -Wl,--file-alignment=4096 -o tiny.exe tiny.c
+
+To demonstrate issue #429, two patched executables have been generated
+where the PointerToRawData for the .idata section (offset 0x22c) was
+changed from 0x5000 to 0x51ff (tiny-idata-51ff.exe) and 0x5200
+(tiny-idata-5200.exe), respectively. While tiny-idata-51ff.exe can be
+executed in Windows XP, tiny-idata-5200.exe can not.
+
+
+
+Compiler version used to produce tiny.exe:
+
+$ i686-w64-mingw32-gcc --version
+i686-w64-mingw32-gcc (GCC) 5.3.1 20160205
+Copyright (C) 2015 Free Software Foundation, Inc.
+This is free software; see the source for copying conditions. There is NO
+warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+
diff --git a/tests/test-pe.c b/tests/test-pe.c
new file mode 100644
index 0000000..6b2b60b
--- /dev/null
+++ b/tests/test-pe.c
@@ -0,0 +1,19 @@
+#include <yara.h>
+#include "util.h"
+
+int main(int argc, char** argv)
+{
+ yr_initialize();
+
+ assert_true_rule_file("import \"pe\" rule test { condition: pe.imports(\"KERNEL32.dll\", \"DeleteCriticalSection\") }",
+ "tests/data/tiny.exe");
+
+ assert_true_rule_file("import \"pe\" rule test { condition: pe.imports(\"KERNEL32.dll\", \"DeleteCriticalSection\") }",
+ "tests/data/tiny-idata-51ff.exe");
+
+ assert_false_rule_file("import \"pe\" rule test { condition: pe.imports(\"KERNEL32.dll\", \"DeleteCriticalSection\") }",
+ "tests/data/tiny-idata-5200.exe");
+
+ yr_finalize();
+ return 0;
+}
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git
More information about the forensics-changes
mailing list