def testExportsOneYaraMatchPerYaraStringMatch(self):
sample = self.GenerateSample([
rdf_memory.YaraMatch(
rule_name="foo1",
string_matches=[
rdf_memory.YaraStringMatch(string_id="bar1", offset=5),
rdf_memory.YaraStringMatch(string_id="bar2", offset=10),
]),
rdf_memory.YaraMatch(rule_name="foo2",
string_matches=[
rdf_memory.YaraStringMatch(
string_id="bar3", offset=15),
]),
])
converter = memory.YaraProcessScanMatchConverter()
converted = list(converter.Convert(self.metadata, sample))
self.assertLen(converted, 3)
self.assertEqual(converted[0].rule_name, "foo1")
self.assertEqual(converted[0].process.pid, 2)
self.assertEqual(converted[0].string_id, "bar1")
self.assertEqual(converted[0].offset, 5)
self.assertEqual(converted[1].rule_name, "foo1")
self.assertEqual(converted[1].process.pid, 2)
self.assertEqual(converted[1].string_id, "bar2")
self.assertEqual(converted[1].offset, 10)
self.assertEqual(converted[2].rule_name, "foo2")
self.assertEqual(converted[2].process.pid, 2)
self.assertEqual(converted[2].string_id, "bar3")
self.assertEqual(converted[2].offset, 15)
def testExportsSingleMatchCorrectly(self):
sample = self.GenerateSample([
rdf_memory.YaraMatch(rule_name="foo",
string_matches=[
rdf_memory.YaraStringMatch(
string_id="bar", offset=5)
])
])
converter = memory.YaraProcessScanMatchConverter()
converted = list(converter.Convert(self.metadata, sample))
self.assertLen(converted, 1)
self.assertIsInstance(converted[0],
memory.ExportedYaraProcessScanMatch)
self.assertEqual(converted[0].metadata, self.metadata)
self.assertEqual(converted[0].process.pid, 2)
self.assertEqual(converted[0].process.ppid, 1)
self.assertEqual(converted[0].process.cmdline, "cmd.exe")
self.assertEqual(converted[0].process.exe, "c:\\windows\\cmd.exe")
self.assertEqual(converted[0].process.ctime, 1333718907167083)
self.assertEqual(converted[0].rule_name, "foo")
self.assertEqual(converted[0].process_scan_time_us, 42)
self.assertEqual(converted[0].string_id, "bar")
self.assertEqual(converted[0].offset, 5)
def _StringMatchToYaraStringMatch(
self, string_match: memory_pb2.StringMatch) -> rdf_memory.YaraStringMatch:
result = rdf_memory.YaraStringMatch()
if string_match.HasField("string_id"):
result.string_id = string_match.string_id
if string_match.HasField("offset"):
result.offset = string_match.offset
if string_match.HasField("data"):
result.data = string_match.data
return result
def Convert(
self, metadata: base.ExportedMetadata,
value: rdf_memory.YaraProcessScanMatch
) -> Iterator[ExportedYaraProcessScanMatch]:
"""See base class."""
conv = process.ProcessToExportedProcessConverter(options=self.options)
proc = list(conv.Convert(metadata, value.process))[0]
yara_matches = value.match or [rdf_memory.YaraMatch()]
for yara_match in yara_matches:
sm = yara_match.string_matches or [rdf_memory.YaraStringMatch()]
for yara_string_match in sm:
yield ExportedYaraProcessScanMatch(
metadata=metadata,
process=proc,
rule_name=yara_match.rule_name,
process_scan_time_us=value.scan_time_us,
string_id=yara_string_match.string_id,
offset=yara_string_match.offset)
