def testExportsOneYaraMatchPerYaraStringMatch(self): sample = self.GenerateSample([ rdf_memory.YaraMatch( rule_name="foo1", string_matches=[ rdf_memory.YaraStringMatch(string_id="bar1", offset=5), rdf_memory.YaraStringMatch(string_id="bar2", offset=10), ]), rdf_memory.YaraMatch(rule_name="foo2", string_matches=[ rdf_memory.YaraStringMatch( string_id="bar3", offset=15), ]), ]) converter = memory.YaraProcessScanMatchConverter() converted = list(converter.Convert(self.metadata, sample)) self.assertLen(converted, 3) self.assertEqual(converted[0].rule_name, "foo1") self.assertEqual(converted[0].process.pid, 2) self.assertEqual(converted[0].string_id, "bar1") self.assertEqual(converted[0].offset, 5) self.assertEqual(converted[1].rule_name, "foo1") self.assertEqual(converted[1].process.pid, 2) self.assertEqual(converted[1].string_id, "bar2") self.assertEqual(converted[1].offset, 10) self.assertEqual(converted[2].rule_name, "foo2") self.assertEqual(converted[2].process.pid, 2) self.assertEqual(converted[2].string_id, "bar3") self.assertEqual(converted[2].offset, 15)
def testExportsSingleMatchCorrectly(self): sample = self.GenerateSample([ rdf_memory.YaraMatch(rule_name="foo", string_matches=[ rdf_memory.YaraStringMatch( string_id="bar", offset=5) ]) ]) converter = memory.YaraProcessScanMatchConverter() converted = list(converter.Convert(self.metadata, sample)) self.assertLen(converted, 1) self.assertIsInstance(converted[0], memory.ExportedYaraProcessScanMatch) self.assertEqual(converted[0].metadata, self.metadata) self.assertEqual(converted[0].process.pid, 2) self.assertEqual(converted[0].process.ppid, 1) self.assertEqual(converted[0].process.cmdline, "cmd.exe") self.assertEqual(converted[0].process.exe, "c:\\windows\\cmd.exe") self.assertEqual(converted[0].process.ctime, 1333718907167083) self.assertEqual(converted[0].rule_name, "foo") self.assertEqual(converted[0].process_scan_time_us, 42) self.assertEqual(converted[0].string_id, "bar") self.assertEqual(converted[0].offset, 5)
def _RuleMatchToYaraMatch( self, rule_match: memory_pb2.RuleMatch) -> rdf_memory.YaraMatch: result = rdf_memory.YaraMatch() if rule_match.HasField("rule_name"): result.rule_name = rule_match.rule_name for string_match in rule_match.string_matches: result.string_matches.append( self._StringMatchToYaraStringMatch(string_match)) return result
def testExportsOneYaraMatchForEmptyYaraStringMatch(self): sample = self.GenerateSample([ rdf_memory.YaraMatch(rule_name="foo"), ]) converter = memory.YaraProcessScanMatchConverter() converted = list(converter.Convert(self.metadata, sample)) self.assertLen(converted, 1) self.assertEqual(converted[0].process_scan_time_us, 42) self.assertEqual(converted[0].rule_name, "foo") self.assertEqual(converted[0].process.pid, 2)
def testCmdlineRegex(self): scan_request = rdf_memory.YaraProcessScanRequest( signature_shard=rdf_memory.YaraSignatureShard(index=0, payload=b"123"), num_signature_shards=1, cmdline_regex="svchost.exe -k def") with mock.patch.object( memory.YaraProcessScan, "_GetMatches", return_value=[rdf_memory.YaraMatch()]): results = self.ExecuteAction(memory.YaraProcessScan, arg=scan_request) self.assertLen(results, 2) self.assertLen(results[0].matches, 1) self.assertEqual(results[0].matches[0].process.pid, 1)
def Convert( self, metadata: base.ExportedMetadata, value: rdf_memory.YaraProcessScanMatch ) -> Iterator[ExportedYaraProcessScanMatch]: """See base class.""" conv = process.ProcessToExportedProcessConverter(options=self.options) proc = list(conv.Convert(metadata, value.process))[0] yara_matches = value.match or [rdf_memory.YaraMatch()] for yara_match in yara_matches: sm = yara_match.string_matches or [rdf_memory.YaraStringMatch()] for yara_string_match in sm: yield ExportedYaraProcessScanMatch( metadata=metadata, process=proc, rule_name=yara_match.rule_name, process_scan_time_us=value.scan_time_us, string_id=yara_string_match.string_id, offset=yara_string_match.offset)