Merge pull request #345 from CybercentreCanada/id_vbs

Adding strong indicators for vbs
CybercentreCanada · Sep 2, 2021 · 15a2ab4 · 15a2ab4
2 parents 09c2bdf + 9a0240b
commit 15a2ab4
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 0 deletions.
diff --git a/assemblyline/common/identify.py b/assemblyline/common/identify.py
@@ -30,6 +30,8 @@
         re.compile(rb'(^|\n)ExecuteGlobal'),
         re.compile(rb'(^|\n)REM[ \t]+'),
         re.compile(rb'(ubound|lbound)\('),
+        re.compile(rb'CreateObject\('),
+        re.compile(rb'Set[ \t]+\w+[ \t]*='),
     ],
     'code/javascript': [
         re.compile(rb'function([ \t]*|[ \t]+[\w]+[ \t]*)\([\w \t,]*\)[ \t]*{'),

diff --git a/test/test_identify.py b/test/test_identify.py
@@ -75,6 +75,11 @@ def test_constants():
         (b"\nREM\t", ["code/vbs"]),
         (b"ubound(", ["code/vbs"]),
         (b"lbound(", ["code/vbs"]),
+        (b"CreateObject(", ["code/vbs"]),
+        (b"Set blah =", ["code/vbs"]),
+        (b"Set\tblah\t=", ["code/vbs"]),
+        (b"Set\tblah=", ["code/vbs"]),
+        (b"Setblah=", []),
         # JS
         (b"function(){", ["code/javascript"]),
         (b"function( ) {", ["code/javascript"]),