    def test_rule_with_custom_modules(self):
        """Build a file against two custom modules and pin both renderings.

        Module specs are taken from the relative directory
        ``./tests/python/testing_modules`` (presumably resolved against the
        current working directory -- run from the repository root).
        ``recheck=True`` is passed to ``get()``; by its name it re-validates
        the finished file against those modules (confirm in yaramod docs).
        Both ``text_formatted`` (tab-indented, one conjunct per line) and
        ``text`` (compact, single-line condition) are asserted verbatim.
        """
        modules_dir = "./tests/python/testing_modules"

        # Two function calls from two different custom modules, ANDed together.
        calls = [
            yaramod.id("module_test.structure_test.function_test")(yaramod.regexp("abc", "")),
            yaramod.id("cuckoo.sync.mutex")(yaramod.regexp("abc", "")),
        ]
        condition = yaramod.conjunction(calls).get()

        rule_builder = yaramod.YaraRuleBuilder()
        rule = rule_builder.with_name('test').with_condition(condition).get()

        file_builder = yaramod.YaraFileBuilder(yaramod.Features.AllCurrent, modules_dir)
        file_builder = file_builder.with_module("cuckoo").with_module("module_test")
        yara_file = file_builder.with_rule(rule).get(recheck=True)

        # Formatted output: tab indentation, each conjunct on its own line,
        # and a trailing newline after the closing brace.
        expected_formatted = "\n".join([
            'import "cuckoo"',
            'import "module_test"',
            '',
            'rule test',
            '{',
            '\tcondition:',
            '\t\tmodule_test.structure_test.function_test(/abc/) and',
            '\t\tcuckoo.sync.mutex(/abc/)',
            '}',
            '',
        ])
        self.assertEqual(yara_file.text_formatted, expected_formatted)

        # Compact output: brace on the rule line, whole condition on one line,
        # no trailing newline.
        expected_text = "\n".join([
            'import "cuckoo"',
            'import "module_test"',
            '',
            'rule test {',
            '\tcondition:',
            '\t\tmodule_test.structure_test.function_test(/abc/) and cuckoo.sync.mutex(/abc/)',
            '}',
        ])
        self.assertEqual(yara_file.text, expected_text)
def test_literal_to_hex():
    """A plain-text YARA string should ursify to its hex-byte form.

    ``"abc"`` is the bytes ``61 62 63``, so the produced query must be the
    brace-wrapped hex run ``{616263}``.
    """
    # Build a one-rule file holding a single plain string "$str".
    plain_rule = yaramod.YaraRuleBuilder().with_plain_string("$str", "abc").get()
    built_file = yaramod.YaraFileBuilder().with_rule(plain_rule).get()

    # Read the string back out of the built file and convert it.
    first_string = built_file.rules[0].strings[0]
    converted = ursify_plain_string(first_string)

    assert converted.query == "{616263}"
            def insert_rule(self, yara_file):
                """Prepend a private guard rule and AND it into every public rule.

                Builds ``ANOTHER_RULE`` (private, condition
                ``first_file and second_file``), rewrites the condition of each
                non-private rule in ``yara_file`` to
                ``ANOTHER_RULE and (<original condition>)``, and finally inserts
                the guard at index 0 so it sits ahead of the rules that reference
                it (presumably required so the reference resolves -- confirm).
                Private rules are left untouched.
                """
                guard_condition = yaramod.conjunction(
                    [yaramod.id('first_file'),
                     yaramod.id('second_file')])

                guard_builder = yaramod.YaraRuleBuilder()
                guard_rule = guard_builder \
                    .with_modifier(yaramod.RuleModifier.Private) \
                    .with_name('ANOTHER_RULE') \
                    .with_condition(guard_condition.get()) \
                    .get()

                public_rules = (r for r in yara_file.rules if not r.is_private)
                for target in public_rules:
                    # Capture the old condition's token stream before building
                    # the replacement; cleanup_tokenstreams (defined elsewhere in
                    # this class) receives both.
                    ctx = yaramod.TokenStreamContext(target.condition)
                    guard_ref = yaramod.id(guard_rule.name)
                    wrapped = yaramod.paren(
                        yaramod.YaraExpressionBuilder(target.condition),
                        linebreaks=True)
                    new_condition = yaramod.conjunction([guard_ref, wrapped]).get()
                    self.cleanup_tokenstreams(ctx, new_condition)
                    target.condition = new_condition

                yara_file.insert_rule(0, guard_rule)
 def setUp(self):
     """Create fresh builders before each test.

     The file builder is constructed with ``yaramod.ImportFeatures.AllCurrent``
     (by its name, the full current import feature set -- confirm against
     yaramod); the rule builder takes no options.
     """
     rule_builder = yaramod.YaraRuleBuilder()
     file_builder = yaramod.YaraFileBuilder(yaramod.ImportFeatures.AllCurrent)
     self.new_rule = rule_builder
     self.new_file = file_builder
 def setUp(self):
     """Create fresh, default-configured builders before each test.

     Both the file builder and the rule builder are constructed with no
     arguments, so whatever defaults yaramod applies are in effect.
     """
     rule_builder = yaramod.YaraRuleBuilder()
     file_builder = yaramod.YaraFileBuilder()
     self.new_rule = rule_builder
     self.new_file = file_builder