
import base64

from rekall import addrspace
from rekall import testlib
from rekall.plugins.windows.malware import apihooks
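class TestHookHeuristics(testlib.RekallBaseUnitTestCase):
    """Test the hook detection heuristic.

    The actual test cases are generated using the nasm assembler in:

    rekall/src/hooks/amd64.asm and rekall/src/hooks/i386.asm

    Each fixture in the "tests/hooks" profile is a base64-encoded assembly
    snippet, recorded together with the offset it must be mapped at and a
    name; every snippet is expected to transfer control to one shared
    target offset, which is what the heuristic has to recover.
    """

    def testHook(self):
        """Run HookHeuristic.Inspect() over every fixture snippet.

        For each architecture ("AMD64", "I386") and each test case the
        profile lists for it, the decoded snippet is mapped into a
        BufferAddressSpace at its recorded offset, wrapped as a profile
        Function, and inspected; the destination the heuristic reports must
        equal the shared target offset.
        """
        session = self.MakeUserSession()

        # Every fixture snippet jumps to this offset; the heuristic must
        # report it as the hook destination.
        target = 0x100

        heuristic = apihooks.HookHeuristic(session=session)

        profile = session.profile = session.LoadProfile("tests/hooks")
        for arch in ["AMD64", "I386"]:
            for test_case in profile.data[arch]:
                offset = test_case["offset"]
                # base64.b64decode replaces the Python-2-only
                # str.decode("base64") codec so the test also runs under
                # Python 3; the decoded payload is the raw snippet bytes.
                snippet = base64.b64decode(test_case["data"])
                # Test case data is the assembly snippet mapped at the
                # specified offset in the address space.
                address_space = addrspace.BufferAddressSpace(
                    data=snippet, session=session, base_offset=offset)

                function = session.profile.Function(
                    offset=offset, vm=address_space,
                    name=test_case["name"], mode=arch)

                # Detect the jump in this function.
                destination = heuristic.Inspect(function)

                # All hooks in test cases go to the same target offset.
                # The arch/name message identifies the failing fixture
                # instead of only reporting a mismatched integer.
                # NOTE(review): only positive fixtures are visible here;
                # no case checks what Inspect() returns for an unhooked
                # function, so a heuristic that always reports 0x100 would
                # pass — confirm a negative fixture exists elsewhere.
                self.assertEqual(
                    destination, target,
                    "%s/%s" % (arch, test_case["name"]))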