Commit 633f5252ec08fd96d4656e2934e19bfb93354f40
1 parent
f1bf6a90
tests: Add test for olevba-output for xlm samples
Showing
1 changed file
with
44 additions
and
1 deletions
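--- a/tests/olevba/test_basic.py
+++ b/tests/olevba/test_basic.py
@@ -4,8 +4,9 @@ Test basic functionality of olevba[3]
 
 import unittest
 import os
-from os.path import join
+from os.path import join, splitext
 import re
+import json
 
 # Directory with test data, independent of current working directory
 from tests.test_utils import DATA_BASE_DIR, call_and_capture
@@ -107,6 +108,48 @@ class TestOlevbaBasic(unittest.TestCase):
     # without arg (test takes too long otherwise
     ADD_ARGS = ([], )
 
+    def test_xlm(self):
+        """Test that xlm macros are found."""
+        XLM_DIR = join(DATA_BASE_DIR, 'excel4-macros')
+        ADD_ARGS = ['-j']
+
+        for filename in os.listdir(XLM_DIR):
+            full_name = join(XLM_DIR, filename)
+            suffix = splitext(filename)[1]
+            out_str, ret_code = call_and_capture('olevba',
+                                                 args=[full_name, ] + ADD_ARGS,
+                                                 accept_nonzero_exit=True)
+            output = json.loads(out_str)
+            self.assertEqual(len(output), 3)
+            self.assertEqual(output[0]['type'], 'MetaInformation')
+            self.assertEqual(output[0]['script_name'], 'olevba')
+            self.assertEqual(output[-1]['type'], 'MetaInformation')
+            self.assertEqual(output[-1]['n_processed'], 1)
+            self.assertEqual(output[-1]['return_code'], 0)
+            result = output[1]
+            self.assertTrue(result['json_conversion_successful'])
+            if suffix in ('.xlsb', '.xltm', '.xlsm'):
+                # TODO: cannot extract xlm macros for these types yet
+                self.assertEqual(result['macros'], [])
+            else:
+                code = result['macros'][0]['code']
+                if suffix == '.slk':
+                    self.assertIn('Excel 4 macros extracted', code)
+                else:
+                    self.assertIn('Excel 4.0 macro sheet', code)
+                self.assertIn('Auto_Open', code)
+                if 'excel5' not in filename:  # TODO: is not found in excel5
+                    self.assertIn('ALERT(', code)
+                self.assertIn('HALT()', code)
+
+                self.assertIn(len(result['analysis']), (2, 3))
+                types = [entry['type'] for entry in result['analysis']]
+                keywords = [entry['keyword'] for entry in result['analysis']]
+                self.assertIn('Auto_Open', keywords)
+                self.assertIn('XLM macro', keywords)
+                self.assertIn('AutoExec', types)
+                self.assertIn('Suspicious', types)
+
 
 # just in case somebody calls this file as a script
 if __name__ == '__main__':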
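Review bot: The assertions inside the `for filename in os.listdir(XLM_DIR)` loop of test_xlm carry no file name, so when one sample fails (including a `ValueError` from `json.loads(out_str)` if olevba wrote something other than JSON for that file) the report does not say which sample it was, and the loop stops at the first failure instead of checking the remaining ones. Wrapping the loop body in `with self.subTest(filename=filename):` addresses both; if the suite must still run under Python 2 (the module docstring mentions olevba[3]), pass `msg=filename` to the assertions instead. The test also passes vacuously when the directory is empty or misnamed, which is worth guarding with `n_samples = 0` before the loop, `n_samples += 1` inside it and `self.assertGreater(n_samples, 0)` after it. The local `ADD_ARGS = ['-j']` reuses the name of the `ADD_ARGS` seen in the context lines above; a distinct name such as `args` would avoid confusion.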