def testExportsOneYaraMatchPerYaraStringMatch(self): sample = self.GenerateSample([ rdf_memory.YaraMatch( rule_name="foo1", string_matches=[ rdf_memory.YaraStringMatch(string_id="bar1", offset=5), rdf_memory.YaraStringMatch(string_id="bar2", offset=10), ]), rdf_memory.YaraMatch(rule_name="foo2", string_matches=[ rdf_memory.YaraStringMatch( string_id="bar3", offset=15), ]), ]) converter = memory.YaraProcessScanMatchConverter() converted = list(converter.Convert(self.metadata, sample)) self.assertLen(converted, 3) self.assertEqual(converted[0].rule_name, "foo1") self.assertEqual(converted[0].process.pid, 2) self.assertEqual(converted[0].string_id, "bar1") self.assertEqual(converted[0].offset, 5) self.assertEqual(converted[1].rule_name, "foo1") self.assertEqual(converted[1].process.pid, 2) self.assertEqual(converted[1].string_id, "bar2") self.assertEqual(converted[1].offset, 10) self.assertEqual(converted[2].rule_name, "foo2") self.assertEqual(converted[2].process.pid, 2) self.assertEqual(converted[2].string_id, "bar3") self.assertEqual(converted[2].offset, 15)
def testExportsSingleMatchCorrectly(self): sample = self.GenerateSample([ rdf_memory.YaraMatch(rule_name="foo", string_matches=[ rdf_memory.YaraStringMatch( string_id="bar", offset=5) ]) ]) converter = memory.YaraProcessScanMatchConverter() converted = list(converter.Convert(self.metadata, sample)) self.assertLen(converted, 1) self.assertIsInstance(converted[0], memory.ExportedYaraProcessScanMatch) self.assertEqual(converted[0].metadata, self.metadata) self.assertEqual(converted[0].process.pid, 2) self.assertEqual(converted[0].process.ppid, 1) self.assertEqual(converted[0].process.cmdline, "cmd.exe") self.assertEqual(converted[0].process.exe, "c:\\windows\\cmd.exe") self.assertEqual(converted[0].process.ctime, 1333718907167083) self.assertEqual(converted[0].rule_name, "foo") self.assertEqual(converted[0].process_scan_time_us, 42) self.assertEqual(converted[0].string_id, "bar") self.assertEqual(converted[0].offset, 5)
def _StringMatchToYaraStringMatch( self, string_match: memory_pb2.StringMatch) -> rdf_memory.YaraStringMatch: result = rdf_memory.YaraStringMatch() if string_match.HasField("string_id"): result.string_id = string_match.string_id if string_match.HasField("offset"): result.offset = string_match.offset if string_match.HasField("data"): result.data = string_match.data return result
def Convert( self, metadata: base.ExportedMetadata, value: rdf_memory.YaraProcessScanMatch ) -> Iterator[ExportedYaraProcessScanMatch]: """See base class.""" conv = process.ProcessToExportedProcessConverter(options=self.options) proc = list(conv.Convert(metadata, value.process))[0] yara_matches = value.match or [rdf_memory.YaraMatch()] for yara_match in yara_matches: sm = yara_match.string_matches or [rdf_memory.YaraStringMatch()] for yara_string_match in sm: yield ExportedYaraProcessScanMatch( metadata=metadata, process=proc, rule_name=yara_match.rule_name, process_scan_time_us=value.scan_time_us, string_id=yara_string_match.string_id, offset=yara_string_match.offset)