def test_rule_with_plus_condition(self):
    """Render a rule whose condition is the arithmetic expression `filesize + 100`."""
    condition = yaramod.filesize() + yaramod.int_val(100)
    rule = (
        self.new_rule
        .with_name('rule_with_plus_condition')
        .with_condition(condition.get())
        .get()
    )
    yara_file = self.new_file.with_rule(rule).get()
    # NOTE(review): tab indentation and line breaks of the expected text were
    # reconstructed from a whitespace-collapsed source; confirm against the
    # text the builder actually emits.
    expected = (
        'rule rule_with_plus_condition {\n'
        '\tcondition:\n'
        '\t\tfilesize + 100\n'
        '}'
    )
    self.assertEqual(yara_file.text, expected)
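def test_rule_with_string_at_condition(self):
    """Render a rule whose condition is the match-at expression `$1 at 100`.

    The generated rule is named after this test; the original test built a
    rule called `rule_with_string_id_condition`, a copy-paste leftover that
    did not match the expression under test.
    """
    condition = yaramod.match_at('$1', yaramod.int_val(100))
    rule = (
        self.new_rule
        .with_name('rule_with_string_at_condition')
        .with_condition(condition.get())
        .get()
    )
    yara_file = self.new_file.with_rule(rule).get()
    # NOTE(review): tab indentation and line breaks of the expected text were
    # reconstructed from a whitespace-collapsed source; confirm against the
    # text the builder actually emits.
    expected = (
        'rule rule_with_string_at_condition {\n'
        '\tcondition:\n'
        '\t\t$1 at 100\n'
        '}'
    )
    self.assertEqual(yara_file.text, expected)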
def test_rule_with_defined_condition(self):
    """Render a rule whose condition is the unary `defined 200` expression.

    Only the formatted text (`text_formatted`) is checked here, and the file
    is obtained with `get(True)`; the meaning of that positional flag is not
    visible in this file and is kept as in the original.
    """
    condition = yaramod.int_val(200).defined()
    rule = (
        self.new_rule
        .with_name('rule_with_defined_condition')
        .with_condition(condition.get())
        .get()
    )
    yara_file = self.new_file.with_rule(rule).get(True)
    # NOTE(review): tab indentation and line breaks of the expected text were
    # reconstructed from a whitespace-collapsed source; confirm against the
    # text the builder actually emits.
    expected = (
        'rule rule_with_defined_condition {\n'
        '\tcondition:\n'
        '\t\tdefined 200\n'
        '}\n'
    )
    self.assertEqual(yara_file.text_formatted, expected)
def test_rule_with_match_offset_with_index_condition(self):
    """Render a rule whose condition is the indexed match offset `@1[0]`."""
    condition = yaramod.match_offset('$1', yaramod.int_val(0))
    rule = (
        self.new_rule
        .with_name('rule_with_match_offset_with_index_condition')
        .with_condition(condition.get())
        .get()
    )
    yara_file = self.new_file.with_rule(rule).get()
    # NOTE(review): tab indentation and line breaks of the expected text were
    # reconstructed from a whitespace-collapsed source; confirm against the
    # text the builder actually emits.
    expected = (
        'rule rule_with_match_offset_with_index_condition {\n'
        '\tcondition:\n'
        '\t\t@1[0]\n'
        '}'
    )
    self.assertEqual(yara_file.text, expected)
def test_rule_with_array_access_condition(self):
    """Render a rule that indexes a module array: `pe.sections[0].name`.

    The file imports the `pe` module so the identifier resolves; the expected
    text therefore starts with the `import "pe"` line.
    """
    sections = yaramod.id('pe').access('sections')
    condition = sections[yaramod.int_val(0)].access('name')
    rule = (
        self.new_rule
        .with_name('rule_with_array_access_condition')
        .with_condition(condition.get())
        .get()
    )
    yara_file = (
        self.new_file
        .with_module('pe')
        .with_rule(rule)
        .get()
    )
    # NOTE(review): tab indentation and line breaks of the expected text
    # (including the blank line after the import) were reconstructed from a
    # whitespace-collapsed source; confirm against the emitted text.
    expected = (
        'import "pe"\n'
        '\n'
        'rule rule_with_array_access_condition {\n'
        '\tcondition:\n'
        '\t\tpe.sections[0].name\n'
        '}'
    )
    self.assertEqual(yara_file.text, expected)
def test_rule_with_shift_right_condition(self):
    """Render a rule whose condition is the shift expression `filesize >> 100`.

    Both the formatted text (trailing newline) and the plain text are checked.
    """
    condition = yaramod.filesize() >> yaramod.int_val(100)
    rule = (
        self.new_rule
        .with_name('rule_with_shift_right_condition')
        .with_condition(condition.get())
        .get()
    )
    yara_file = self.new_file.with_rule(rule).get()
    # NOTE(review): tab indentation and line breaks of the expected text were
    # reconstructed from a whitespace-collapsed source; confirm against the
    # text the builder actually emits.
    expected_text = (
        'rule rule_with_shift_right_condition {\n'
        '\tcondition:\n'
        '\t\tfilesize >> 100\n'
        '}'
    )
    self.assertEqual(yara_file.text_formatted, expected_text + '\n')
    self.assertEqual(yara_file.text, expected_text)
def test_rule_with_bitwise_not_condition(self):
    """Render a rule whose condition is the bitwise complement `~100`.

    Both the formatted text (trailing newline) and the plain text are checked.
    """
    condition = ~yaramod.int_val(100)
    rule = (
        self.new_rule
        .with_name('rule_with_bitwise_not_condition')
        .with_condition(condition.get())
        .get()
    )
    yara_file = self.new_file.with_rule(rule).get()
    # NOTE(review): tab indentation and line breaks of the expected text were
    # reconstructed from a whitespace-collapsed source; confirm against the
    # text the builder actually emits.
    expected_text = (
        'rule rule_with_bitwise_not_condition {\n'
        '\tcondition:\n'
        '\t\t~100\n'
        '}'
    )
    self.assertEqual(yara_file.text_formatted, expected_text + '\n')
    self.assertEqual(yara_file.text, expected_text)
def test_rule_with_not_condition(self):
    """Render a rule whose condition is the logical negation `not filesize < 100`.

    The comparison is passed as a whole to `not_`; the builder emits it
    without parentheses, so the expected text relies on YARA's precedence.
    Both the formatted text (trailing newline) and the plain text are checked.
    """
    comparison = yaramod.filesize() < yaramod.int_val(100)
    condition = yaramod.not_(comparison)
    rule = (
        self.new_rule
        .with_name('rule_with_not_condition')
        .with_condition(condition.get())
        .get()
    )
    yara_file = self.new_file.with_rule(rule).get()
    # NOTE(review): tab indentation and line breaks of the expected text were
    # reconstructed from a whitespace-collapsed source; confirm against the
    # text the builder actually emits.
    expected_text = (
        'rule rule_with_not_condition {\n'
        '\tcondition:\n'
        '\t\tnot filesize < 100\n'
        '}'
    )
    self.assertEqual(yara_file.text_formatted, expected_text + '\n')
    self.assertEqual(yara_file.text, expected_text)
def test_rule_with_unary_minus_condition(self):
    """Render a rule whose condition is the negated literal `-10`.

    Both the formatted text (trailing newline) and the plain text are checked.
    """
    condition = -yaramod.int_val(10)
    rule = (
        self.new_rule
        .with_name('rule_with_unary_minus_condition')
        .with_condition(condition.get())
        .get()
    )
    yara_file = self.new_file.with_rule(rule).get()
    # NOTE(review): tab indentation and line breaks of the expected text were
    # reconstructed from a whitespace-collapsed source; confirm against the
    # text the builder actually emits.
    expected_text = (
        'rule rule_with_unary_minus_condition {\n'
        '\tcondition:\n'
        '\t\t-10\n'
        '}'
    )
    self.assertEqual(yara_file.text_formatted, expected_text + '\n')
    self.assertEqual(yara_file.text, expected_text)
def test_rule_with_divide_condition(self):
    """Render a rule whose condition is the division `filesize \\ 100`.

    The Python `/` operator on the builder objects is expected to render as
    YARA's backslash division operator, hence the escaped backslash in the
    expected text. Both formatted and plain text are checked.
    """
    condition = yaramod.filesize() / yaramod.int_val(100)
    rule = (
        self.new_rule
        .with_name('rule_with_divide_condition')
        .with_condition(condition.get())
        .get()
    )
    yara_file = self.new_file.with_rule(rule).get()
    # NOTE(review): tab indentation and line breaks of the expected text were
    # reconstructed from a whitespace-collapsed source; confirm against the
    # text the builder actually emits.
    expected_text = (
        'rule rule_with_divide_condition {\n'
        '\tcondition:\n'
        '\t\tfilesize \\ 100\n'
        '}'
    )
    self.assertEqual(yara_file.text_formatted, expected_text + '\n')
    self.assertEqual(yara_file.text, expected_text)
def test_rule_with_or_condition(self):
    """Render a rule whose condition is a two-term disjunction.

    `disjunction` takes a list of sub-expressions and joins them with `or`.
    Both the formatted text (trailing newline) and the plain text are checked.
    """
    too_small = yaramod.filesize() > yaramod.int_val(100)
    too_big = yaramod.filesize() < yaramod.int_val(200)
    condition = yaramod.disjunction([too_small, too_big])
    rule = (
        self.new_rule
        .with_name('rule_with_or_condition')
        .with_condition(condition.get())
        .get()
    )
    yara_file = self.new_file.with_rule(rule).get()
    # NOTE(review): tab indentation and line breaks of the expected text were
    # reconstructed from a whitespace-collapsed source; confirm against the
    # text the builder actually emits.
    expected_text = (
        'rule rule_with_or_condition {\n'
        '\tcondition:\n'
        '\t\tfilesize > 100 or filesize < 200\n'
        '}'
    )
    self.assertEqual(yara_file.text_formatted, expected_text + '\n')
    self.assertEqual(yara_file.text, expected_text)
def test_rule_with_or_condition_with_comments(self):
    """Render a disjunction whose terms carry attached comments.

    Each `disjunction` element is a `[expression, comment]` pair. The comments
    appear as `/* ... */` blocks only in the formatted text; the plain text
    drops them and keeps the terms on one line.
    """
    condition = yaramod.disjunction([
        [yaramod.filesize() > yaramod.int_val(100), 'skip small files'],
        [yaramod.filesize() < yaramod.int_val(200), 'also too big files'],
    ])
    rule = (
        self.new_rule
        .with_name('rule_with_or_condition_with_comments')
        .with_condition(condition.get())
        .get()
    )
    yara_file = self.new_file.with_rule(rule).get()
    # NOTE(review): tab indentation and the line breaks around the comment
    # blocks were reconstructed from a whitespace-collapsed source; confirm
    # against the text the builder actually emits.
    expected_formatted = (
        'rule rule_with_or_condition_with_comments {\n'
        '\tcondition:\n'
        '\t\t/* skip small files */\n'
        '\t\tfilesize > 100 or\n'
        '\t\t/* also too big files */\n'
        '\t\tfilesize < 200\n'
        '}\n'
    )
    expected_text = (
        'rule rule_with_or_condition_with_comments {\n'
        '\tcondition:\n'
        '\t\tfilesize > 100 or filesize < 200\n'
        '}'
    )
    self.assertEqual(yara_file.text_formatted, expected_formatted)
    self.assertEqual(yara_file.text, expected_text)
def test_rule_with_and_condition_with_comments(self):
    """Render a conjunction whose terms carry attached comments.

    Each `conjunction` element is a `[expression, comment]` pair. The comments
    appear as `/* ... */` blocks only in the formatted text; the plain text
    drops them and keeps the terms on one line.
    """
    condition = yaramod.conjunction([
        [yaramod.filesize() > yaramod.int_val(100), 'comment1'],
        [yaramod.filesize() < yaramod.int_val(200), 'comment2'],
    ])
    rule = (
        self.new_rule
        .with_name('rule_with_and_condition_with_comments')
        .with_condition(condition.get())
        .get()
    )
    yara_file = self.new_file.with_rule(rule).get()
    # NOTE(review): tab indentation and the line breaks around the comment
    # blocks were reconstructed from a whitespace-collapsed source; confirm
    # against the text the builder actually emits.
    expected_formatted = (
        'rule rule_with_and_condition_with_comments {\n'
        '\tcondition:\n'
        '\t\t/* comment1 */\n'
        '\t\tfilesize > 100 and\n'
        '\t\t/* comment2 */\n'
        '\t\tfilesize < 200\n'
        '}\n'
    )
    expected_text = (
        'rule rule_with_and_condition_with_comments {\n'
        '\tcondition:\n'
        '\t\tfilesize > 100 and filesize < 200\n'
        '}'
    )
    self.assertEqual(yara_file.text_formatted, expected_formatted)
    self.assertEqual(yara_file.text, expected_text)
def test_rule_with_of_in_range_condition(self):
    """Render an `all of them in (lo .. hi)` condition over two plain strings.

    The range is built from `filesize - 1024` to `filesize`, and the rule
    declares `$a1`/`$a2` so that `them` has strings to refer to. Both the
    formatted text (trailing newline) and the plain text are checked.
    """
    lower_bound = yaramod.filesize() - yaramod.int_val(1024)
    search_range = yaramod.range(lower_bound, yaramod.filesize())
    condition = yaramod.of(yaramod.all(), yaramod.them(), search_range)
    rule = (
        self.new_rule
        .with_name('rule_with_of_in_range_condition')
        .with_plain_string('$a1', 'This is plain string 1.')
        .with_plain_string('$a2', 'This is plain string 2.')
        .with_condition(condition.get())
        .get()
    )
    yara_file = self.new_file.with_rule(rule).get()
    # NOTE(review): tab indentation and line breaks of the expected text were
    # reconstructed from a whitespace-collapsed source; confirm against the
    # text the builder actually emits.
    expected_text = (
        'rule rule_with_of_in_range_condition {\n'
        '\tstrings:\n'
        '\t\t$a1 = "This is plain string 1."\n'
        '\t\t$a2 = "This is plain string 2."\n'
        '\tcondition:\n'
        '\t\tall of them in (filesize - 1024 .. filesize)\n'
        '}'
    )
    self.assertEqual(yara_file.text_formatted, expected_text + '\n')
    self.assertEqual(yara_file.text, expected_text)