def test_plain_strings_with_modifiers(self): yara_file = yaramod.parse_string(''' rule rule_with_plain_strings_with_modifiers { strings: $1 = "Hello World!" nocase wide $2 = "Bye World." fullword condition: true }''') self.assertEqual(len(yara_file.rules), 1) rule = yara_file.rules[0] self.assertEqual(rule.name, 'rule_with_plain_strings_with_modifiers') self.assertEqual(rule.modifier, yaramod.RuleModifier.Empty) self.assertEqual(len(rule.strings), 2) string = rule.strings[0] self.assertFalse(string.is_ascii) self.assertTrue(string.is_wide) self.assertTrue(string.is_nocase) self.assertFalse(string.is_fullword) string = rule.strings[1] self.assertTrue(string.is_ascii) self.assertFalse(string.is_wide) self.assertFalse(string.is_nocase) self.assertTrue(string.is_fullword)
def test_rule_with_metas(self): yara_file = yaramod.parse_string(''' rule rule_with_metas { meta: str_meta = "string meta" int_meta = 42 bool_meta = true condition: true }''') self.assertEqual(len(yara_file.rules), 1) rule = yara_file.rules[0] self.assertEqual(rule.name, 'rule_with_metas') self.assertEqual(rule.modifier, yaramod.RuleModifier.Empty) self.assertEqual(len(rule.metas), 3) self.assertEqual(len(rule.strings), 0) self.assertEqual(len(rule.tags), 0) self.assertEqual(rule.metas[0].key, 'str_meta') self.assertTrue(rule.metas[0].value.is_string) self.assertEqual(rule.metas[0].value.text, '"string meta"') self.assertEqual(rule.metas[0].value.pure_text, 'string meta') self.assertEqual(rule.metas[1].key, 'int_meta') self.assertTrue(rule.metas[1].value.is_int) self.assertEqual(rule.metas[1].value.text, '42') self.assertEqual(rule.metas[2].key, 'bool_meta') self.assertTrue(rule.metas[2].value.is_bool) self.assertEqual(rule.metas[2].value.text, 'true')
def test_for_string_set_condition(self): yara_file = yaramod.parse_string(''' import "pe" rule for_string_set_condition { strings: $a = "dummy1" $b = "dummy2" condition: for any of ($a,$b) : ( $ at entrypoint ) }''') self.assertEqual(len(yara_file.rules), 1) rule = yara_file.rules[0] self.assertTrue(isinstance(rule.condition, yaramod.ForStringExpression)) self.assertTrue( isinstance(rule.condition.variable, yaramod.AnyExpression)) self.assertTrue( isinstance(rule.condition.iterated_set, yaramod.SetExpression)) self.assertTrue( isinstance(rule.condition.body, yaramod.StringAtExpression)) self.assertEqual(rule.condition.text, 'for any of ($a, $b) : ( $ at entrypoint )')
def test_rule_with_plain_strings(self): yara_file = yaramod.parse_string(''' rule rule_with_plain_strings { strings: $1 = "Hello World!" $2 = "Bye World." condition: true }''') self.assertEqual(len(yara_file.rules), 1) rule = yara_file.rules[0] self.assertEqual(rule.name, 'rule_with_plain_strings') self.assertEqual(rule.modifier, yaramod.RuleModifier.Empty) self.assertEqual(len(rule.metas), 0) self.assertEqual(len(rule.strings), 2) self.assertEqual(len(rule.tags), 0) hello_world = rule.strings[0] self.assertEqual(hello_world.identifier, '$1') self.assertEqual(hello_world.text, '"Hello World!"') self.assertEqual(hello_world.pure_text, 'Hello World!') self.assertTrue(hello_world.is_ascii) bye_world = rule.strings[1] self.assertEqual(bye_world.identifier, '$2') self.assertEqual(bye_world.text, '"Bye World."') self.assertEqual(bye_world.pure_text, 'Bye World.') self.assertTrue(bye_world.is_ascii)
def test_int_literal_condition(self): yara_file = yaramod.parse_string(''' rule int_literal_condition { condition: 10 }''') self.assertEqual(len(yara_file.rules), 1) rule = yara_file.rules[0] self.assertTrue( isinstance(rule.condition, yaramod.IntLiteralExpression)) self.assertEqual(rule.condition.text, '10')
def test_double_literal_condition(self): yara_file = yaramod.parse_string(''' rule double_literal_condition { condition: 1.23 }''') self.assertEqual(len(yara_file.rules), 1) rule = yara_file.rules[0] self.assertTrue( isinstance(rule.condition, yaramod.DoubleLiteralExpression)) self.assertEqual(rule.condition.text, '1.23')
def test_bool_literal_condition(self): yara_file = yaramod.parse_string(''' rule bool_literal_condition { condition: false }''') self.assertEqual(len(yara_file.rules), 1) rule = yara_file.rules[0] self.assertTrue( isinstance(rule.condition, yaramod.BoolLiteralExpression)) self.assertEqual(rule.condition.text, 'false')
def test_private_rule(self): yara_file = yaramod.parse_string(''' private rule private_rule { condition: true }''') self.assertEqual(len(yara_file.rules), 1) rule = yara_file.rules[0] self.assertEqual(rule.name, 'private_rule') self.assertEqual(rule.modifier, yaramod.RuleModifier.Private) self.assertFalse(rule.is_global) self.assertTrue(rule.is_private)
def test_not_condition(self): yara_file = yaramod.parse_string(''' rule not_condition { condition: not true }''') self.assertEqual(len(yara_file.rules), 1) rule = yara_file.rules[0] self.assertTrue(isinstance(rule.condition, yaramod.NotExpression)) self.assertTrue( isinstance(rule.condition.operand, yaramod.BoolLiteralExpression)) self.assertEqual(rule.condition.text, 'not true')
def test_string_condition(self): yara_file = yaramod.parse_string(''' rule string_condition { strings: $1 = "Hello World!" condition: $1 }''') self.assertEqual(len(yara_file.rules), 1) rule = yara_file.rules[0] self.assertTrue(isinstance(rule.condition, yaramod.StringExpression)) self.assertEqual(rule.condition.text, '$1')
def test_import(self): yara_file = yaramod.parse_string(''' import "pe" rule dummy_rule { condition: true }''') self.assertEqual(len(yara_file.imports), 1) self.assertEqual(len(yara_file.rules), 1) module = yara_file.imports[0] self.assertEqual(module.name, 'pe')
def test_function_call_condition(self): yara_file = yaramod.parse_string(''' import "pe" rule function_call_condition { condition: pe.is_dll() }''') self.assertEqual(len(yara_file.rules), 1) rule = yara_file.rules[0] self.assertTrue( isinstance(rule.condition, yaramod.FunctionCallExpression)) self.assertEqual(rule.condition.text, 'pe.is_dll()')
def test_structure_access_condition(self): yara_file = yaramod.parse_string(''' import "pe" rule structure_access_condition { condition: pe.linker_version.major }''') self.assertEqual(len(yara_file.rules), 1) rule = yara_file.rules[0] self.assertTrue( isinstance(rule.condition, yaramod.StructAccessExpression)) self.assertEqual(rule.condition.text, 'pe.linker_version.major')
def test_unary_minus_condition(self): yara_file = yaramod.parse_string(''' rule unary_minus_condition { condition: -10 }''') self.assertEqual(len(yara_file.rules), 1) rule = yara_file.rules[0] self.assertTrue( isinstance(rule.condition, yaramod.UnaryMinusExpression)) self.assertTrue( isinstance(rule.condition.operand, yaramod.IntLiteralExpression)) self.assertEqual(rule.condition.text, '-10')
def test_array_access_condition(self): yara_file = yaramod.parse_string(''' import "pe" rule array_access_condition { condition: pe.sections[0] }''') self.assertEqual(len(yara_file.rules), 1) rule = yara_file.rules[0] self.assertTrue( isinstance(rule.condition, yaramod.ArrayAccessExpression)) self.assertEqual(rule.condition.text, 'pe.sections[0]')
def test_rule_with_tags(self): yara_file = yaramod.parse_string(''' rule rule_with_tags : Tag1 Tag2 Tag3 { condition: true }''') self.assertEqual(len(yara_file.rules), 1) rule = yara_file.rules[0] self.assertEqual(rule.name, 'rule_with_tags') self.assertEqual(rule.modifier, yaramod.RuleModifier.Empty) self.assertEqual(len(rule.metas), 0) self.assertEqual(len(rule.strings), 0) self.assertListEqual(rule.tags, ['Tag1', 'Tag2', 'Tag3'])
def test_bitwise_not_condition(self): yara_file = yaramod.parse_string(''' rule xor_condition { condition: ~10 }''') self.assertEqual(len(yara_file.rules), 1) rule = yara_file.rules[0] self.assertTrue( isinstance(rule.condition, yaramod.BitwiseNotExpression)) self.assertTrue( isinstance(rule.condition.operand, yaramod.IntLiteralExpression)) self.assertEqual(rule.condition.text, '~10')
def test_empty_rule(self): yara_file = yaramod.parse_string(''' rule empty_rule { condition: true }''') self.assertEqual(len(yara_file.rules), 1) rule = yara_file.rules[0] self.assertEqual(rule.name, 'empty_rule') self.assertEqual(rule.modifier, yaramod.RuleModifier.Empty) self.assertEqual(len(rule.metas), 0) self.assertEqual(len(rule.strings), 0) self.assertEqual(len(rule.tags), 0)
def test_parentheses_condition(self): yara_file = yaramod.parse_string(''' rule parentheses_condition { condition: (true) }''') self.assertEqual(len(yara_file.rules), 1) rule = yara_file.rules[0] self.assertTrue( isinstance(rule.condition, yaramod.ParenthesesExpression)) self.assertTrue( isinstance(rule.condition.enclosed_expr, yaramod.BoolLiteralExpression)) self.assertEqual(rule.condition.text, '(true)')
def test_match_length_condition(self): yara_file = yaramod.parse_string(''' rule match_length_condition { strings: $1 = "Hello World" condition: !1 }''') self.assertEqual(len(yara_file.rules), 1) rule = yara_file.rules[0] self.assertTrue( isinstance(rule.condition, yaramod.StringLengthExpression)) self.assertEqual(rule.condition.index_expr, None) self.assertEqual(rule.condition.text, '!1')
def test_int_function_condition(self): yara_file = yaramod.parse_string(''' rule int_function_condition { condition: int32be(5) }''') self.assertEqual(len(yara_file.rules), 1) rule = yara_file.rules[0] self.assertTrue( isinstance(rule.condition, yaramod.IntFunctionExpression)) self.assertTrue( isinstance(rule.condition.argument, yaramod.IntLiteralExpression)) self.assertEqual(rule.condition.function, 'int32be') self.assertEqual(rule.condition.text, 'int32be(5)')
def test_string_in_range_condition(self): yara_file = yaramod.parse_string(''' rule string_in_condition { strings: $1 = "Hello World!" condition: $1 in (10 .. 20) }''') self.assertEqual(len(yara_file.rules), 1) rule = yara_file.rules[0] self.assertTrue( isinstance(rule.condition, yaramod.StringInRangeExpression)) self.assertTrue( isinstance(rule.condition.range_expr, yaramod.RangeExpression)) self.assertEqual(rule.condition.text, '$1 in (10 .. 20)')
def test_or_condition(self): yara_file = yaramod.parse_string(''' rule or_condition { condition: true or not false }''') self.assertEqual(len(yara_file.rules), 1) rule = yara_file.rules[0] self.assertTrue(isinstance(rule.condition, yaramod.OrExpression)) self.assertTrue( isinstance(rule.condition.left_operand, yaramod.BoolLiteralExpression)) self.assertTrue( isinstance(rule.condition.right_operand, yaramod.NotExpression)) self.assertEqual(rule.condition.text, 'true or not false')
def test_matches_condition(self): yara_file = yaramod.parse_string(''' rule matches_condition { condition: "Hello" matches /^Hell.*$/ }''') self.assertEqual(len(yara_file.rules), 1) rule = yara_file.rules[0] self.assertTrue(isinstance(rule.condition, yaramod.MatchesExpression)) self.assertTrue( isinstance(rule.condition.left_operand, yaramod.StringLiteralExpression)) self.assertTrue( isinstance(rule.condition.right_operand, yaramod.RegexpExpression)) self.assertEqual(rule.condition.text, '"Hello" matches /^Hell.*$/')
def test_modulo_condition(self): yara_file = yaramod.parse_string(''' rule modulo_condition { condition: filesize % 10 }''') self.assertEqual(len(yara_file.rules), 1) rule = yara_file.rules[0] self.assertTrue(isinstance(rule.condition, yaramod.ModuloExpression)) self.assertTrue( isinstance(rule.condition.left_operand, yaramod.KeywordExpression)) self.assertTrue( isinstance(rule.condition.right_operand, yaramod.IntLiteralExpression)) self.assertEqual(rule.condition.text, 'filesize % 10')
def test_match_offset_with_index_condition(self): yara_file = yaramod.parse_string(''' rule match_offset_with_index_condition { strings: $1 = "Hello World" condition: @1[0] }''') self.assertEqual(len(yara_file.rules), 1) rule = yara_file.rules[0] self.assertTrue( isinstance(rule.condition, yaramod.StringOffsetExpression)) self.assertTrue( isinstance(rule.condition.index_expr, yaramod.IntLiteralExpression)) self.assertEqual(rule.condition.text, '@1[0]')
def test_contains_condition(self): yara_file = yaramod.parse_string(''' rule contains_condition { condition: "Hello" contains "Hell" }''') self.assertEqual(len(yara_file.rules), 1) rule = yara_file.rules[0] self.assertTrue(isinstance(rule.condition, yaramod.ContainsExpression)) self.assertTrue( isinstance(rule.condition.left_operand, yaramod.StringLiteralExpression)) self.assertTrue( isinstance(rule.condition.right_operand, yaramod.StringLiteralExpression)) self.assertEqual(rule.condition.text, '"Hello" contains "Hell"')
def test_for_integer_set_condition(self): yara_file = yaramod.parse_string(''' import "pe" rule for_integer_set_condition { condition: for all i in (1,2,3) : ( i ) }''') self.assertEqual(len(yara_file.rules), 1) rule = yara_file.rules[0] self.assertTrue(isinstance(rule.condition, yaramod.ForIntExpression)) self.assertTrue( isinstance(rule.condition.variable, yaramod.AllExpression)) self.assertTrue( isinstance(rule.condition.iterated_set, yaramod.SetExpression)) self.assertTrue(isinstance(rule.condition.body, yaramod.IdExpression)) self.assertEqual(rule.condition.text, 'for all i in (1, 2, 3) : ( i )')
def test_multiple_rules(self): yara_file = yaramod.parse_string(''' rule rule_1 { strings: $1 = "String from Rule 1" condition: true } rule rule_2 { strings: $1 = "String from Rule 2" condition: true } rule rule_3 { strings: $1 = "String from Rule 3" condition: true }''') self.assertEqual(len(yara_file.rules), 3) rule = yara_file.rules[0] self.assertEqual(rule.name, 'rule_1') self.assertEqual(rule.modifier, yaramod.RuleModifier.Empty) self.assertEqual(rule.strings[0].identifier, '$1') self.assertEqual(rule.strings[0].pure_text, 'String from Rule 1') rule = yara_file.rules[1] self.assertEqual(rule.name, 'rule_2') self.assertEqual(rule.modifier, yaramod.RuleModifier.Empty) self.assertEqual(rule.strings[0].identifier, '$1') self.assertEqual(rule.strings[0].pure_text, 'String from Rule 2') rule = yara_file.rules[2] self.assertEqual(rule.name, 'rule_3') self.assertEqual(rule.modifier, yaramod.RuleModifier.Empty) self.assertEqual(rule.strings[0].identifier, '$1') self.assertEqual(rule.strings[0].pure_text, 'String from Rule 3')
def test_rule_with_regexp(self): yara_file = yaramod.parse_string(''' rule rule_with_regexp { strings: $1 = /abcd/ condition: true }''') self.assertEqual(len(yara_file.rules), 1) rule = yara_file.rules[0] self.assertEqual(rule.name, 'rule_with_regexp') self.assertEqual(rule.modifier, yaramod.RuleModifier.Empty) self.assertEqual(len(rule.strings), 1) string = rule.strings[0] self.assertTrue(string.is_regexp) self.assertEqual(string.identifier, '$1') self.assertEqual(string.text, '/abcd/')