CuckooSanbox自定义规则 - on_call遇到的一些小问题
阎功
今天早上整理以前写的规则,我把其中一条规则on_call函数中的process参数去掉了
原来的规则如下
class ATBroker(Signature):
name = "atbroker"
description = "Using ATBroker for AutoRun"
severity = 40
categories = ["AutoRun"]
authors = ["Danyang.Wang"]
minimum = "2.0"
filter_apinames = [
"RegSetValueExA",
"RegSetValueExW",
"NtSetValueKey",
]
indicator = ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Accessibility\\\\.*"
def on_call(self, call, process):
if re.match(self.indicator, call["arguments"]["regkey"], re.I):
self.mark_call()
def on_complete(self):
return self.has_marks()可以看到在on_call函数中没有用到这个process参数,我就删掉它了,上传更新规则后,后台日志报错了,日志提示说
在on_call中给了三个参数,你只获取了两个
随后我又把process加上,才算正常,后面我用python写了个小demo测试,发现这原来是python语法问题
测试demo:
def test(a, b):
print a+b
test(10, 20, 30)结果:
Traceback (most recent call last):
File "E:/0 - Projects/pyLAB/test.py", line 6, in <module>
test(10, 20, 30)
TypeError: test() takes exactly 2 arguments (3 given)
类似资料: