def test_rule_with_dictionary_access_condition(self):
    """Build a rule whose condition indexes ``pe.version_info`` by key.

    The condition is ``pe.version_info["CompanyName"]``. The file is built
    with the ``pe`` module, so both renderings start with ``import "pe"``.
    Checks both ``text_formatted`` and ``text``.
    """
    company_name_lookup = yaramod.id('pe').access('version_info')[
        yaramod.string_val('CompanyName')
    ]

    built_rule = (
        self.new_rule
        .with_name('rule_with_dictionary_access_condition')
        .with_condition(company_name_lookup.get())
        .get()
    )
    built_file = (
        self.new_file
        .with_module('pe')
        .with_rule(built_rule)
        .get()
    )

    # NOTE(review): the line breaks and tab indentation of the expected
    # text were restored from a whitespace-collapsed listing -- confirm
    # them against the builder's actual output.
    expected_formatted = '\n'.join([
        'import "pe"',
        '',
        'rule rule_with_dictionary_access_condition',
        '{',
        '\tcondition:',
        '\t\tpe.version_info["CompanyName"]',
        '}',
        '',  # text_formatted ends with a trailing newline
    ])
    expected_plain = '\n'.join([
        'import "pe"',
        '',
        'rule rule_with_dictionary_access_condition {',
        '\tcondition:',
        '\t\tpe.version_info["CompanyName"]',
        '}',  # text has no trailing newline
    ])

    self.assertEqual(built_file.text_formatted, expected_formatted)
    self.assertEqual(built_file.text, expected_plain)
def test_rule_with_for_loop_over_dictionary(self):
    """Build a rule whose condition is a key/value loop over a dictionary.

    The condition is ``for any k, v in pe.version_info`` with the body
    ``k == "CompanyName" and v contains "Microsoft"``. Checks both
    ``text_formatted`` and ``text``.
    """
    key_is_company_name = yaramod.id('k') == yaramod.string_val('CompanyName')
    value_mentions_vendor = yaramod.id('v').contains(yaramod.string_val('Microsoft'))
    loop_body = yaramod.conjunction([key_is_company_name, value_mentions_vendor])

    loop_expr = yaramod.for_loop(
        yaramod.any(),
        'k',
        'v',
        yaramod.id('pe').access('version_info'),
        loop_body,
    )

    built_rule = (
        self.new_rule
        .with_name('rule_with_for_loop_over_dictionary')
        .with_plain_string('$1', 'This is plain string.')
        .with_condition(loop_expr.get())
        .get()
    )
    # The file is built without with_module('pe'), and the expected text
    # below accordingly has no import line even though the condition
    # references pe.version_info.
    # NOTE(review): a rule that uses the pe module without importing it
    # would presumably be rejected by the YARA compiler -- confirm that
    # emitting it unchanged is the intended builder behaviour.
    built_file = (
        self.new_file
        .with_rule(built_rule)
        .get()
    )

    # NOTE(review): the line breaks and tab indentation of the expected
    # text were restored from a whitespace-collapsed listing -- confirm
    # them against the builder's actual output.
    expected_formatted = '\n'.join([
        'rule rule_with_for_loop_over_dictionary',
        '{',
        '\tstrings:',
        '\t\t$1 = "This is plain string."',
        '\tcondition:',
        '\t\tfor any k, v in pe.version_info : (',
        '\t\t\tk == "CompanyName" and',
        '\t\t\tv contains "Microsoft"',
        '\t\t)',
        '}',
        '',  # text_formatted ends with a trailing newline
    ])
    expected_plain = '\n'.join([
        'rule rule_with_for_loop_over_dictionary {',
        '\tstrings:',
        '\t\t$1 = "This is plain string."',
        '\tcondition:',
        '\t\tfor any k, v in pe.version_info : ( k == "CompanyName" and v contains "Microsoft" )',
        '}',  # text has no trailing newline
    ])

    self.assertEqual(built_file.text_formatted, expected_formatted)
    self.assertEqual(built_file.text, expected_plain)