Commit 633f5252ec08fd96d4656e2934e19bfb93354f40
1 parent
f1bf6a90
tests: Add test for olevba-output for xlm samples
Showing
1 changed file
with
44 additions
and
1 deletions
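--- a/tests/olevba/test_basic.py
+++ b/tests/olevba/test_basic.py
@@ -4,8 +4,9 @@ Test basic functionality of olevba[3]
 
 import unittest
 import os
-from os.path import join
+from os.path import join, splitext
 import re
+import json
 
 # Directory with test data, independent of current working directory
 from tests.test_utils import DATA_BASE_DIR, call_and_capture
@@ -107,6 +108,48 @@ class TestOlevbaBasic(unittest.TestCase):
     # without arg (test takes too long otherwise
     ADD_ARGS = ([], )
 
+    def test_xlm(self):
+        """Test that xlm macros are found."""
+        XLM_DIR = join(DATA_BASE_DIR, 'excel4-macros')
+        ADD_ARGS = ['-j']
+
+        for filename in os.listdir(XLM_DIR):
+            full_name = join(XLM_DIR, filename)
+            suffix = splitext(filename)[1]
+            out_str, ret_code = call_and_capture('olevba',
+                                                 args=[full_name, ] + ADD_ARGS,
+                                                 accept_nonzero_exit=True)
+            output = json.loads(out_str)
+            self.assertEqual(len(output), 3)
+            self.assertEqual(output[0]['type'], 'MetaInformation')
+            self.assertEqual(output[0]['script_name'], 'olevba')
+            self.assertEqual(output[-1]['type'], 'MetaInformation')
+            self.assertEqual(output[-1]['n_processed'], 1)
+            self.assertEqual(output[-1]['return_code'], 0)
+            result = output[1]
+            self.assertTrue(result['json_conversion_successful'])
+            if suffix in ('.xlsb', '.xltm', '.xlsm'):
+                # TODO: cannot extract xlm macros for these types yet
+                self.assertEqual(result['macros'], [])
+            else:
+                code = result['macros'][0]['code']
+                if suffix == '.slk':
+                    self.assertIn('Excel 4 macros extracted', code)
+                else:
+                    self.assertIn('Excel 4.0 macro sheet', code)
+                self.assertIn('Auto_Open', code)
+                if 'excel5' not in filename: # TODO: is not found in excel5
+                    self.assertIn('ALERT(', code)
+                self.assertIn('HALT()', code)
+
+                self.assertIn(len(result['analysis']), (2, 3))
+                types = [entry['type'] for entry in result['analysis']]
+                keywords = [entry['keyword'] for entry in result['analysis']]
+                self.assertIn('Auto_Open', keywords)
+                self.assertIn('XLM macro', keywords)
+                self.assertIn('AutoExec', types)
+                self.assertIn('Suspicious', types)
+
 
 # just in case somebody calls this file as a script
 if __name__ == '__main__':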
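Review bot: When one sample in the `for filename in os.listdir(XLM_DIR)` loop fails, the assertion error does not say which file it was, and `os.listdir` also picks up any non-sample entry (a README, a subdirectory) that later lands in `excel4-macros`, which would then die in `json.loads` or on the `result['macros'][0]` index with the same anonymous traceback. Wrapping the loop body in `with self.subTest(filename=filename):` names every failing sample and lets the remaining ones still run; if the suite must still run under Python 2.7, pass `msg=filename` to the assertions instead. `ret_code` is captured but never checked, so `self.assertEqual(ret_code, 0)` next to the `output[-1]['return_code']` assertion would catch the process exit status disagreeing with the JSON meta record. Note also that the `.xlsb`/`.xltm`/`.xlsm` branch pins `result['macros'] == []`, i.e. the suite currently codifies a detection gap for those formats and will start failing rather than passing once XLM extraction for them is implemented; a comment saying so (or splitting that branch out as an `@unittest.expectedFailure` test) would spare the next maintainer the surprise.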