def test_rule_with_and_condition_with_comments(self):
cond = yaramod.conjunction(
[[yaramod.filesize() > yaramod.int_val(100), 'comment1'],
[yaramod.filesize() < yaramod.int_val(200), 'comment2']])
rule = self.new_rule \
.with_name('rule_with_and_condition_with_comments') \
.with_condition(cond.get()) \
.get()
yara_file = self.new_file \
.with_rule(rule) \
.get()
self.assertEqual(
yara_file.text_formatted,
'''rule rule_with_and_condition_with_comments
{
condition:
/* comment1 */
filesize > 100 and
/* comment2 */
filesize < 200
}
''')
self.assertEqual(
yara_file.text, '''rule rule_with_and_condition_with_comments {
condition:
filesize > 100 and
filesize < 200
}''')
def test_rule_with_or_condition(self):
cond = yaramod.disjunction([
yaramod.filesize() > yaramod.int_val(100),
yaramod.filesize() < yaramod.int_val(200)
])
rule = self.new_rule \
.with_name('rule_with_or_condition') \
.with_condition(cond.get()) \
.get()
yara_file = self.new_file \
.with_rule(rule) \
.get()
self.assertEqual(
yara_file.text_formatted, '''rule rule_with_or_condition
{
condition:
filesize > 100 or
filesize < 200
}
''')
self.assertEqual(
yara_file.text, '''rule rule_with_or_condition {
condition:
filesize > 100 or filesize < 200
}''')
def test_rule_with_or_condition_with_comments(self):
cond = yaramod.disjunction(
[[yaramod.filesize() > yaramod.int_val(100), 'skip small files'],
[yaramod.filesize() < yaramod.int_val(200),
'also too big files']])
rule = self.new_rule \
.with_name('rule_with_or_condition_with_comments') \
.with_condition(cond.get()) \
.get()
yara_file = self.new_file \
.with_rule(rule) \
.get()
self.assertEqual(
yara_file.text_formatted,
'''rule rule_with_or_condition_with_comments
{
condition:
/* skip small files */
filesize > 100 or
/* also too big files */
filesize < 200
}
''')
self.assertEqual(
yara_file.text, '''rule rule_with_or_condition_with_comments {
condition:
filesize > 100 or
filesize < 200
}''')
def test_rule_with_of_in_range_condition(self):
cond = yaramod.of(yaramod.all(), yaramod.them(), yaramod.range(yaramod.filesize() - yaramod.int_val(1024), yaramod.filesize()))
rule = self.new_rule \
.with_name('rule_with_of_in_range_condition') \
.with_plain_string('$a1', 'This is plain string 1.') \
.with_plain_string('$a2', 'This is plain string 2.') \
.with_condition(cond.get()) \
.get()
yara_file = self.new_file \
.with_rule(rule) \
.get()
self.assertEqual(yara_file.text_formatted, '''rule rule_with_of_in_range_condition
{
strings:
$a1 = "This is plain string 1."
$a2 = "This is plain string 2."
condition:
all of them in (filesize - 1024 .. filesize)
}
''')
self.assertEqual(yara_file.text, '''rule rule_with_of_in_range_condition {
strings:
$a1 = "This is plain string 1."
$a2 = "This is plain string 2."
condition:
all of them in (filesize - 1024 .. filesize)
}''')
def test_rule_with_shift_right_condition(self):
cond = yaramod.filesize() >> yaramod.int_val(100)
rule = self.new_rule \
.with_name('rule_with_shift_right_condition') \
.with_condition(cond.get()) \
.get()
yara_file = self.new_file \
.with_rule(rule) \
.get()
self.assertEqual(
yara_file.text, '''rule rule_with_shift_right_condition {
condition:
filesize >> 100
}''')
def test_rule_with_not_condition(self):
cond = yaramod.not_(yaramod.filesize() < yaramod.int_val(100))
rule = self.new_rule \
.with_name('rule_with_not_condition') \
.with_condition(cond.get()) \
.get()
yara_file = self.new_file \
.with_rule(rule) \
.get()
self.assertEqual(
yara_file.text, '''rule rule_with_not_condition {
condition:
not filesize < 100
}''')
def test_rule_with_bitwise_and_condition(self):
cond = yaramod.filesize() & yaramod.int_val(100)
rule = self.new_rule \
.with_name('rule_with_bitwise_and_condition') \
.with_condition(cond.get()) \
.get()
yara_file = self.new_file \
.with_rule(rule) \
.get()
self.assertEqual(
yara_file.text, '''rule rule_with_bitwise_and_condition {
condition:
filesize & 100
}''')
def test_rule_with_divide_condition(self):
cond = yaramod.filesize() / yaramod.int_val(100)
rule = self.new_rule \
.with_name('rule_with_divide_condition') \
.with_condition(cond.get()) \
.get()
yara_file = self.new_file \
.with_rule(rule) \
.get()
self.assertEqual(
yara_file.text, r'''rule rule_with_divide_condition {
condition:
filesize \ 100
}''')
def test_rule_with_xor_condition(self):
cond = yaramod.filesize() ^ yaramod.int_val(100)
rule = self.new_rule \
.with_name('rule_with_xor_condition') \
.with_condition(cond.get()) \
.get()
yara_file = self.new_file \
.with_rule(rule) \
.get()
self.assertEqual(yara_file.text_formatted, '''rule rule_with_xor_condition
{
condition:
filesize ^ 100
}
''')
self.assertEqual(yara_file.text, '''rule rule_with_xor_condition {
condition:
filesize ^ 100
}''')