def test_rule_with_complex_condition(self):
    """Build a rule with a ``for any`` loop condition and check its rendered text.

    The condition iterates ``i`` over the set (1, 2, 3) and tests string
    ``$1`` at ``entrypoint + i``. The rule is placed in a file created from
    ``self.new_file`` and the file's ``text`` is compared with the expected
    YARA source.
    """
    # Build the loop pieces in the same order the nested call evaluated them.
    quantifier = yaramod.any()
    offsets = yaramod.set([yaramod.int_val(n) for n in (1, 2, 3)])
    position = yaramod.paren(yaramod.entrypoint() + yaramod.id('i'))
    loop_body = yaramod.match_at('$1', position)
    cond = yaramod.for_loop(quantifier, 'i', offsets, loop_body)

    rule = (
        self.new_rule
        .with_name('rule_with_complex_condition')
        .with_plain_string('$1', 'This is plaing string.')
        .with_condition(cond.get())
        .get()
    )
    yara_file = self.new_file.with_rule(rule).get()

    # NOTE(review): the expected text is reproduced on a single line, exactly
    # as it appears in this listing. If the original literal spanned several
    # lines, its line breaks and indentation were lost here and have to be
    # restored from the upstream file before this comparison is meaningful.
    expected_text = '''rule rule_with_complex_condition { strings: $1 = "This is plaing string." condition: for any i in (1, 2, 3) : ( $1 at (entrypoint + i) ) }'''
    self.assertEqual(yara_file.text, expected_text)
def insert_rule(self, yara_file):
    """Gate every non-private rule in ``yara_file`` behind a new private rule.

    A private rule named ``ANOTHER_RULE`` with the condition
    ``first_file and second_file`` is built, each non-private rule's
    condition is rewritten to ``ANOTHER_RULE and (<original condition>)``,
    and the new rule is then inserted at index 0 of the file.

    After this runs, a rewritten rule can only match when ``ANOTHER_RULE``
    matches as well, so the change narrows what those rules detect.
    Private rules are left untouched.
    """
    # NOTE(review): 'first_file' and 'second_file' are plain identifiers here;
    # presumably they name rules or external variables defined elsewhere.
    # Confirm that they resolve when the resulting file is compiled.
    gate_condition = yaramod.conjunction(
        [yaramod.id('first_file'), yaramod.id('second_file')]
    )
    another_rule = (
        yaramod.YaraRuleBuilder()
        .with_modifier(yaramod.RuleModifier.Private)
        .with_name('ANOTHER_RULE')
        .with_condition(gate_condition.get())
        .get()
    )

    for rule in yara_file.rules:
        if rule.is_private:
            continue

        # The context is taken from the original condition before the new
        # expression is built; it is handed to cleanup_tokenstreams below.
        context = yaramod.TokenStreamContext(rule.condition)

        gate_reference = yaramod.id(another_rule.name)
        wrapped_original = yaramod.paren(
            yaramod.YaraExpressionBuilder(rule.condition),
            linebreaks=True,
        )
        output = yaramod.conjunction([gate_reference, wrapped_original]).get()

        # cleanup_tokenstreams is defined outside this block; presumably it
        # reconciles the old token stream with the new expression. Verify
        # against the helper.
        self.cleanup_tokenstreams(context, output)
        rule.condition = output

    # The insertion happens after the loop, so the rule list is not changed
    # while it is being iterated. Index 0 presumably places ANOTHER_RULE
    # ahead of the rules that now reference it, since YARA only resolves
    # references to rules defined earlier in the file.
    yara_file.insert_rule(0, another_rule)