from rekall import addrspace
from rekall import testlib
from rekall.plugins.windows.malware import apihooks


# The class and method definition lines were lost from the rendered page
# (they were hyperlinks in the listing); the names used here are reconstructed
# so that the test is complete and runnable.
class TestHookHeuristic(testlib.RekallBaseUnitTestCase):
    """Test the hook detection heuristic.

    The actual test cases are generated using the nasm assembler in:

    rekall/src/hooks/amd64.asm and rekall/src/hooks/i386.asm
    """

    def testHeuristic(self):
        session = self.MakeUserSession()

        # The target address should be fixed at this offset.
        target = 0x100

        heuristic = apihooks.HookHeuristic(session=session)

        profile = session.profile = session.LoadProfile("tests/hooks")
        for arch in ["AMD64", "I386"]:
            for test_case in profile.data[arch]:
                offset = test_case["offset"]
                # Test case data is the assembly snippet mapped at the specified
                # offset in the address space.
                address_space = addrspace.BufferAddressSpace(
                    # Python 2 str codec: the profile stores the bytes base64-encoded.
                    data=test_case["data"].decode("base64"),
                    session=session, base_offset=offset)

                function = session.profile.Function(
                    offset=offset, vm=address_space, name=test_case["name"],
                    mode=arch)

                # Detect the jump in this function
                destination = heuristic.Inspect(function)

                # All hooks in test cases go to the same target offset (0x100).
                self.assertEqual(destination, target)
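The test above maps each assembled snippet at its own offset and expects HookHeuristic.Inspect to resolve the hook's destination to 0x100. The following is an added example, not Rekall's code: a simplified byte-pattern heuristic for the inline-hook trampolines such tests exercise (jmp rel8/rel32, push imm32/ret, mov eax/jmp eax, and an indirect jmp whose pointer slot lies inside the mapped snippet), run over constructed snippets. The function names, offsets and byte strings are constructed for this example.

```python
import struct

TARGET = 0x100  # every constructed hook diverts to this address, as in the page's tests


def inspect(code, base, arch="AMD64"):
    """Return the destination of an inline hook at the start of `code` (bytes
    mapped at address `base`), or None if the prologue is not a known
    trampoline. Byte-pattern stand-in, not Rekall's disassembler-driven logic."""
    mask = (1 << 64) - 1 if arch == "AMD64" else (1 << 32) - 1
    if len(code) >= 5 and code[0] == 0xE9:                        # jmp rel32
        return (base + 5 + struct.unpack_from("<i", code, 1)[0]) & mask
    if len(code) >= 2 and code[0] == 0xEB:                        # jmp rel8
        return (base + 2 + struct.unpack_from("<b", code, 1)[0]) & mask
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:    # push imm32; ret
        return struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 7 and code[0] == 0xB8 and code[5:7] == b"\xff\xe0":  # mov eax, imm32; jmp eax
        return struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 6 and code[:2] == b"\xff\x25":                # jmp [rip+disp32] / jmp [abs32]
        disp = struct.unpack_from("<i" if arch == "AMD64" else "<I", code, 2)[0]
        slot = (base + 6 + disp) & mask if arch == "AMD64" else disp
        idx, width = slot - base, 8 if arch == "AMD64" else 4
        if 0 <= idx <= len(code) - width:                         # pointer slot inside the snippet
            return struct.unpack_from("<Q" if width == 8 else "<I", code, idx)[0]
    return None


def constructed_cases():
    """Constructed snippets (not the page's tests/hooks profile): (name, arch, offset, bytes)."""
    rel32 = struct.pack("<i", TARGET - (0x1000 + 5))  # displacement is relative to the next instruction
    rel8 = struct.pack("<b", TARGET - (0x80 + 2))
    return [
        ("jmp_rel32", "AMD64", 0x1000, b"\xe9" + rel32),
        ("jmp_rel8", "I386", 0x80, b"\xeb" + rel8),
        ("push_ret", "I386", 0x4000, b"\x68" + struct.pack("<I", TARGET) + b"\xc3"),
        ("mov_eax_jmp_eax", "I386", 0x4000, b"\xb8" + struct.pack("<I", TARGET) + b"\xff\xe0"),
        # jmp [rip+0]: the 8-byte pointer immediately follows the instruction
        ("jmp_rip_indirect", "AMD64", 0x2000, b"\xff\x25\x00\x00\x00\x00" + struct.pack("<Q", TARGET)),
        # jmp [0x3006]: absolute slot that lands inside this snippet mapped at 0x3000
        ("jmp_abs_indirect", "I386", 0x3000, b"\xff\x25" + struct.pack("<I", 0x3006) + struct.pack("<I", TARGET)),
        ("clean_prologue", "AMD64", 0x5000, b"\x55\x48\x89\xe5"),  # push rbp; mov rbp, rsp
    ]


def run_cases():
    """Map every constructed snippet at its offset and inspect it, mirroring the test loop."""
    return {name: inspect(code, off, arch) for name, arch, off, code in constructed_cases()}
```

A real heuristic would disassemble and follow several instructions; the point here is that the destination must be computed from the mapped base, which is why the test keeps each snippet's offset alongside its bytes.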
Generated by Epydoc 3.0.1 on Mon Oct 9 03:29:32 2017 | http://epydoc.sourceforge.net