Add filename parameter for bytes-based loading#285

Merged
mr-tz merged 1 commit intomasterfrom
worktree-issue-16-filename-param
Mar 25, 2026

Conversation

@williballenthin
Collaborator

Summary

  • Adds a filename parameter to Speakeasy.load_module() and Speakeasy.load_shellcode() (and their internal implementations in Win32Emulator and WinKernelEmulator)
  • When loading from bytes without a file path, the emulator previously defaulted to using the SHA256 hash as the module name — now users can override this with a meaningful filename
  • Windows-style paths are handled correctly via ntpath.basename()

Usage

```python
from speakeasy import Speakeasy

se = Speakeasy()
# pe_bytes holds the raw module bytes (e.g. read from a sample); no path is needed
mod = se.load_module(data=pe_bytes, filename="malware.dll")
se.run_module(mod)
```

Closes #16

Test plan

  • test_load_module_filename_override — bytes + filename sets correct file_name/mod_name
  • test_load_module_filename_strips_directory — Windows paths are basename-stripped
  • test_load_module_path_still_works — path-only loading unchanged
  • test_load_module_filename_overrides_path — filename takes precedence over path
  • test_load_module_kernel_filename_override — kernel driver loading with filename
  • Full test suite passes (pre-existing failures only)

🤖 Generated with Claude Code
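The naming precedence the summary describes (explicit filename first, then the basename of the path, then the SHA256 of the bytes), written out as an added illustration that is not Speakeasy's own code; `resolve_module_name` and `is_hash_name` are hypothetical helpers and the sample bytes are constructed.

```python
import hashlib
import ntpath
from typing import Optional


def resolve_module_name(data: bytes, path: Optional[str] = None,
                        filename: Optional[str] = None) -> str:
    """Return the name an emulated module will report for itself.

    Hypothetical reimplementation of the precedence the PR describes,
    not Speakeasy's own code:
      1. an explicit `filename` wins, even when a `path` is also given,
      2. otherwise the basename of `path` is used,
      3. otherwise fall back to the SHA256 hex digest of the bytes.
    ntpath.basename() strips Windows directories (drive letters, backslashes)
    and also copes with forward slashes, so a POSIX path works too.
    """
    if filename:
        return ntpath.basename(filename)
    if path:
        return ntpath.basename(path)
    return hashlib.sha256(data).hexdigest()


def is_hash_name(name: str) -> bool:
    """True when a module ended up with the SHA256 fallback name (64 hex chars)."""
    return len(name) == 64 and all(c in "0123456789abcdef" for c in name)


if __name__ == "__main__":
    # Constructed sample: a stub of a PE header, not a real module.
    pe_bytes = b"MZ" + b"\x00" * 62
    print(resolve_module_name(pe_bytes))  # SHA256 fallback
    print(resolve_module_name(pe_bytes, path=r"C:\samples\dropper.exe"))  # dropper.exe
    print(resolve_module_name(pe_bytes, filename=r"C:\Windows\System32\malware.dll"))  # malware.dll
```

A module that self-checks its name (the GetModuleFileName case the commit message mentions) sees the basename, so passing `filename` yields the same observable value as loading from that path.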


google-cla bot commented Mar 9, 2026

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@williballenthin williballenthin force-pushed the worktree-issue-16-filename-param branch from feb9713 to 908bdf5 Compare March 9, 2026 18:50
Contributor

@mr-tz mr-tz left a comment


LGTM besides the highlighted tests

Allow users to specify a custom filename when loading modules or
shellcode from bytes. This is useful when malware checks its own
filename (e.g. via GetModuleFileName).

Closes #16
@williballenthin williballenthin force-pushed the worktree-issue-16-filename-param branch from 908bdf5 to 748fe53 Compare March 25, 2026 08:06
@williballenthin williballenthin requested a review from mr-tz March 25, 2026 08:06
Contributor

@mr-tz mr-tz left a comment


Thanks

@mr-tz mr-tz merged commit 2f008ea into master Mar 25, 2026
6 checks passed
@mr-tz mr-tz deleted the worktree-issue-16-filename-param branch March 26, 2026 11:57
Development

Successfully merging this pull request may close these issues.

allow user to specify filename of emulated module when bytes are provided