def test_rule_with_custom_modules(self): cond = yaramod.conjunction([ yaramod.id("module_test.structure_test.function_test")(yaramod.regexp("abc", "")), yaramod.id("cuckoo.sync.mutex")(yaramod.regexp("abc", "")) ]).get() rule = yaramod.YaraRuleBuilder() \ .with_name('test') \ .with_condition(cond)\ .get() yara_file = yaramod.YaraFileBuilder(yaramod.Features.AllCurrent, "./tests/python/testing_modules") \ .with_module("cuckoo") \ .with_module("module_test") \ .with_rule(rule) \ .get(recheck=True) self.assertEqual(yara_file.text_formatted, '''import "cuckoo" import "module_test" rule test { condition: module_test.structure_test.function_test(/abc/) and cuckoo.sync.mutex(/abc/) } ''') self.assertEqual(yara_file.text, '''import "cuckoo" import "module_test" rule test { condition: module_test.structure_test.function_test(/abc/) and cuckoo.sync.mutex(/abc/) }''')
def test_rule_with_and_condition(self): cond = yaramod.conjunction([ yaramod.filesize() > yaramod.int_val(100), yaramod.filesize() < yaramod.int_val(200) ]) rule = self.new_rule \ .with_name('rule_with_and_condition') \ .with_condition(cond.get()) \ .get() yara_file = self.new_file \ .with_rule(rule) \ .get() self.assertEqual( yara_file.text_formatted, '''rule rule_with_and_condition { condition: filesize > 100 and filesize < 200 } ''') self.assertEqual( yara_file.text, '''rule rule_with_and_condition { condition: filesize > 100 and filesize < 200 }''')
def test_rule_with_and_condition_with_comments(self): cond = yaramod.conjunction( [[yaramod.filesize() > yaramod.int_val(100), 'comment1'], [yaramod.filesize() < yaramod.int_val(200), 'comment2']]) rule = self.new_rule \ .with_name('rule_with_and_condition_with_comments') \ .with_condition(cond.get()) \ .get() yara_file = self.new_file \ .with_rule(rule) \ .get() self.assertEqual( yara_file.text_formatted, '''rule rule_with_and_condition_with_comments { condition: /* comment1 */ filesize > 100 and /* comment2 */ filesize < 200 } ''') self.assertEqual( yara_file.text, '''rule rule_with_and_condition_with_comments { condition: filesize > 100 and filesize < 200 }''')
def insert_rule(self, yara_file): rule_cond = yaramod.conjunction( [yaramod.id('first_file'), yaramod.id('second_file')]) another_rule = yaramod.YaraRuleBuilder() \ .with_modifier(yaramod.RuleModifier.Private) \ .with_name('ANOTHER_RULE') \ .with_condition(rule_cond.get()) \ .get() for rule in yara_file.rules: if not rule.is_private: context = yaramod.TokenStreamContext(rule.condition) output = yaramod.conjunction([ yaramod.id(another_rule.name), yaramod.paren(yaramod.YaraExpressionBuilder( rule.condition), linebreaks=True) ]).get() self.cleanup_tokenstreams(context, output) rule.condition = output yara_file.insert_rule(0, another_rule)
def test_rule_with_for_loop_over_dictionary(self): cond = yaramod.for_loop( yaramod.any(), 'k', 'v', yaramod.id('pe').access('version_info'), yaramod.conjunction([ yaramod.id('k') == yaramod.string_val('CompanyName'), yaramod.id('v').contains(yaramod.string_val('Microsoft')) ]) ) rule = self.new_rule \ .with_name('rule_with_for_loop_over_dictionary') \ .with_plain_string('$1', 'This is plain string.') \ .with_condition(cond.get()) \ .get() yara_file = self.new_file \ .with_rule(rule) \ .get() self.assertEqual(yara_file.text_formatted, '''rule rule_with_for_loop_over_dictionary { strings: $1 = "This is plain string." condition: for any k, v in pe.version_info : ( k == "CompanyName" and v contains "Microsoft" ) } ''') self.assertEqual(yara_file.text, '''rule rule_with_for_loop_over_dictionary { strings: $1 = "This is plain string." condition: for any k, v in pe.version_info : ( k == "CompanyName" and v contains "Microsoft" ) }''')