def test_rule_with_complex_condition(self):
cond = yaramod.for_loop(
yaramod.any(), 'i',
yaramod.set(
[yaramod.int_val(1),
yaramod.int_val(2),
yaramod.int_val(3)]),
yaramod.match_at(
'$1', yaramod.paren(yaramod.entrypoint() + yaramod.id('i'))))
rule = self.new_rule \
.with_name('rule_with_complex_condition') \
.with_plain_string('$1', 'This is plaing string.') \
.with_condition(cond.get()) \
.get()
yara_file = self.new_file \
.with_rule(rule) \
.get()
self.assertEqual(
yara_file.text, '''rule rule_with_complex_condition {
strings:
$1 = "This is plaing string."
condition:
for any i in (1, 2, 3) : ( $1 at (entrypoint + i) )
}''')
def test_rule_with_for_loop_over_dictionary(self):
cond = yaramod.for_loop(
yaramod.any(),
'k',
'v',
yaramod.id('pe').access('version_info'),
yaramod.conjunction([
yaramod.id('k') == yaramod.string_val('CompanyName'),
yaramod.id('v').contains(yaramod.string_val('Microsoft'))
])
)
rule = self.new_rule \
.with_name('rule_with_for_loop_over_dictionary') \
.with_plain_string('$1', 'This is plain string.') \
.with_condition(cond.get()) \
.get()
yara_file = self.new_file \
.with_rule(rule) \
.get()
self.assertEqual(yara_file.text_formatted, '''rule rule_with_for_loop_over_dictionary
{
strings:
$1 = "This is plain string."
condition:
for any k, v in pe.version_info : (
k == "CompanyName" and
v contains "Microsoft"
)
}
''')
self.assertEqual(yara_file.text, '''rule rule_with_for_loop_over_dictionary {
strings:
$1 = "This is plain string."
condition:
for any k, v in pe.version_info : ( k == "CompanyName" and v contains "Microsoft" )
}''')
