import os
import tempfile
from batch_deobfuscator.batch_interpreter import BatchDeobfuscator
# Taken from 675228b0360a56b2d3ed661635de4359d72089cb0e089eb60961727706797751
# A Grub file that contains a batch script
# The value of the variable in_check contains itself, so expanding it causes infinite recursion
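def test_in_check_infinite_recursion():
    """Regression test: a self-referencing variable must not hang ``analyze``.

    The script assigns ``in_check`` a value that itself expands
    ``%in_check%``, so a naive expansion loop would recurse forever.  The
    test passes when ``analyze`` returns without raising; nothing is
    asserted about its result.
    """
    script = rb"""
if "%back%"=="" || set back= && set filefnd= && set in_check= ! call Fn.11 "%in_check%" "1" && exit
call Fn.11 "%in_check%" "1" && exit 1
"""
    with tempfile.TemporaryDirectory() as work_dir:
        # Create the sample with mkstemp and close the handle before handing
        # the path to analyze(): reopening a still-open NamedTemporaryFile by
        # name is not supported on Windows, so the previous pattern was not
        # portable.
        fd, sample_path = tempfile.mkstemp(dir=work_dir)
        with os.fdopen(fd, "wb") as sample:
            sample.write(script)
        BatchDeobfuscator().analyze(sample_path, work_dir)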
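def test_concat_logical_lines():
    """Lines continued with a trailing ``^`` are joined into one logical line.

    The deobfuscated output is split on CRLF; the ``REM`` line must stay on
    its own and the three physical ``curl`` lines must collapse into one
    command with the continuation carets removed.
    """
    script = rb"""REM download log file
curl -X GET --fail ^
-H "Accept: application/octet-stream" ^
http://server.org/data?accept=data >>met\resultat\output.log"""
    expected_curl = (
        rb'curl -X GET --fail -H "Accept: application/octet-stream" '
        rb"http://server.org/data?accept=data >>met\resultat\output.log"
    )
    with tempfile.TemporaryDirectory() as work_dir:
        # Close the sample before analyze() reopens it by name: a still-open
        # NamedTemporaryFile cannot be reopened on Windows, so mkstemp plus an
        # explicit close keeps the test portable.
        fd, sample_path = tempfile.mkstemp(dir=work_dir)
        with os.fdopen(fd, "wb") as sample:
            sample.write(script)
        output_name, _ = BatchDeobfuscator().analyze(sample_path, work_dir)
        with open(os.path.join(work_dir, output_name), "rb") as deobfuscated:
            output_lines = deobfuscated.read().split(b"\r\n")
        assert len(output_lines) >= 2
        assert output_lines[0] == b"REM download log file"
        assert output_lines[1] == expected_curl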
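def test_no_substituted_quote_command_splitting():
    """A quote character substituted from a variable must still delimit the command.

    ``%QUO%`` expands to ``"``, so the second line is a single quoted
    ``set`` command: the ``|`` inside it must not be treated as a pipe that
    splits the command, and the ``;`` must be kept verbatim rather than
    rewritten as a space.
    """
    script = rb"""set QUO="
set %QUO%DATA=bla | foo;bar%QUO%"""
    with tempfile.TemporaryDirectory() as work_dir:
        # Close the sample before analyze() reopens it by name: a still-open
        # NamedTemporaryFile cannot be reopened on Windows, so mkstemp plus an
        # explicit close keeps the test portable.
        fd, sample_path = tempfile.mkstemp(dir=work_dir)
        with os.fdopen(fd, "wb") as sample:
            sample.write(script)
        output_name, _ = BatchDeobfuscator().analyze(sample_path, work_dir)
        with open(os.path.join(work_dir, output_name), "rb") as deobfuscated:
            output_lines = deobfuscated.read().split(b"\r\n")
        assert len(output_lines) >= 2
        assert output_lines[0] == b'set QUO="'
        # 1. Must not split at |
        # 2. Must not replace ; by space
        assert output_lines[1] == b'set "DATA=bla | foo;bar"'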