def test_rule_with_complex_condition(self):
    """Check the text generated for a ``for any i in (set)`` loop condition.

    The condition asks whether string ``$1`` is found at the entry point
    plus any of the offsets 1, 2 or 3. The rule is built with the fluent
    rule builder, placed in a file, and the file's ``text`` is compared
    against the expected YARA source.
    """
    # `entrypoint` is the legacy YARA keyword; YARA's documentation marks it
    # deprecated in favour of `pe.entry_point`. It is used here because the
    # test exercises the builder's `entrypoint()` helper specifically.
    quantifier = yaramod.any()
    offsets = yaramod.set([yaramod.int_val(value) for value in (1, 2, 3)])
    loop_body = yaramod.match_at(
        '$1',
        yaramod.paren(yaramod.entrypoint() + yaramod.id('i')),
    )
    loop_condition = yaramod.for_loop(quantifier, 'i', offsets, loop_body)

    # The misspelling "plaing" appears in both the input string and the
    # expected output, so the comparison is consistent; it is kept as is.
    built_rule = (
        self.new_rule
        .with_name('rule_with_complex_condition')
        .with_plain_string('$1', 'This is plaing string.')
        .with_condition(loop_condition.get())
        .get()
    )
    generated_file = self.new_file.with_rule(built_rule).get()

    # NOTE(review): this copy of the file has its whitespace collapsed, so the
    # expected text is reproduced exactly as it appears here, with single
    # spaces between the parts. The line breaks and indentation the builder
    # really emits are not visible in this copy - restore them from the
    # project's original file before relying on this assertion.
    expected_text = (
        'rule rule_with_complex_condition { '
        'strings: '
        '$1 = "This is plaing string." '
        'condition: '
        'for any i in (1, 2, 3) : ( $1 at (entrypoint + i) ) '
        '}'
    )
    self.assertEqual(generated_file.text, expected_text)
def test_rule_with_for_loop_over_dictionary(self):
    """Check the text generated for a ``for any k, v in <dictionary>`` loop.

    The condition iterates over ``pe.version_info`` with key ``k`` and value
    ``v`` and requires ``k == "CompanyName"`` together with
    ``v contains "Microsoft"``. Both ``text_formatted`` and ``text`` of the
    resulting file are compared against expected YARA source.
    """
    # Version-info fields are read from the scanned file's own resources, so
    # a condition like this identifies files that *claim* a vendor name; it
    # does not establish who actually published the file.
    quantifier = yaramod.any()
    version_info = yaramod.id('pe').access('version_info')
    key_is_company_name = yaramod.id('k') == yaramod.string_val('CompanyName')
    value_mentions_vendor = yaramod.id('v').contains(
        yaramod.string_val('Microsoft')
    )
    loop_body = yaramod.conjunction([key_is_company_name, value_mentions_vendor])
    loop_condition = yaramod.for_loop(
        quantifier, 'k', 'v', version_info, loop_body
    )

    built_rule = (
        self.new_rule
        .with_name('rule_with_for_loop_over_dictionary')
        .with_plain_string('$1', 'This is plain string.')
        .with_condition(loop_condition.get())
        .get()
    )
    generated_file = self.new_file.with_rule(built_rule).get()

    # NOTE(review): this copy of the file has its whitespace collapsed, so
    # both expected texts are reproduced exactly as they appear here, with
    # single spaces between the parts (the formatted variant ends with one
    # trailing space where the original presumably had a final newline).
    # The real line breaks and indentation are not visible in this copy -
    # restore them from the project's original file before relying on
    # these assertions.
    expected_formatted = (
        'rule rule_with_for_loop_over_dictionary { '
        'strings: '
        '$1 = "This is plain string." '
        'condition: '
        'for any k, v in pe.version_info : ( '
        'k == "CompanyName" and '
        'v contains "Microsoft" '
        ') '
        '} '
    )
    expected_text = (
        'rule rule_with_for_loop_over_dictionary { '
        'strings: '
        '$1 = "This is plain string." '
        'condition: '
        'for any k, v in pe.version_info : ( '
        'k == "CompanyName" and v contains "Microsoft" '
        ') '
        '}'
    )
    self.assertEqual(generated_file.text_formatted, expected_formatted)
    self.assertEqual(generated_file.text, expected_text)