def test_analyze_with_yextend(self, mock_subprocess: mock.MagicMock):
    """Yextend match results are combined with those from yara-python.

    The yextend binary is reached through a mocked subprocess, so nothing
    is executed here; its matches must appear under the 'yextend'
    namespace next to the native yara-python match, which keeps the two
    sources distinguishable in the combined result.
    """
    actual = self._analyzer.analyze('/target.exe')
    # Verify the mocked yextend invocation before comparing results, so a
    # wrong command line fails the test on its own rather than as a
    # confusing match mismatch.
    self._assert_subprocess_calls(mock_subprocess)

    native_match = yara_analyzer.YaraMatch(
        rule_name='contains_evil',
        rule_namespace='evil_check.yar',
        rule_metadata={
            'author': 'Austin Byers',
            'description': ('A helpful description about why this rule '
                            'matches dastardly evil files.')
        },
        matched_strings={'$evil_string'},
        matched_data={'evil'})
    # The yextend-sourced matches are expected with empty matched_data:
    # only the string identifiers are carried over from yextend output.
    yextend_rule1 = yara_analyzer.YaraMatch(
        rule_name='Rule1',
        rule_namespace='yextend',
        rule_metadata={'scan_type': 'Scan1'},
        matched_strings={'$a', '$b', '$c'},
        matched_data=set())
    yextend_rule3 = yara_analyzer.YaraMatch(
        rule_name='Rule3',
        rule_namespace='yextend',
        rule_metadata={
            'author': 'Airbnb',
            'description': 'Hello, YARA world',
            'scan_type': 'Scan3'
        },
        matched_strings={'$longer_string_name'},
        matched_data=set())

    # Order matters: the native match comes first, then yextend matches.
    self.assertEqual([native_match, yextend_rule1, yextend_rule3], actual)
def test_convert_complex_matches(self):
    """Multiple rule matches, with offsets and more rule metadata.

    This variant feeds the shared _YEXTEND_MATCH fixture to the converter.

    NOTE(review): a second method with this same name appears later in
    this class; when both live in one TestCase the later definition
    replaces this one and this fixture-driven variant is never collected
    — confirm which one is intended to survive.
    """
    converted = yara_analyzer._convert_yextend_to_yara_match(
        _YEXTEND_MATCH[0])

    rule1 = yara_analyzer.YaraMatch(
        'Rule1', 'yextend', {'scan_type': 'Scan1'}, {'$a', '$b', '$c'})
    rule3 = yara_analyzer.YaraMatch(
        'Rule3',
        'yextend',
        {
            'author': 'Airbnb',
            'description': 'Hello, YARA world',
            'scan_type': 'Scan3'
        },
        {'$longer_string_name'})

    self.assertEqual([rule1, rule3], converted)
def test_convert_complex_matches(self):
    """Multiple rule matches, with offsets and more rule metadata.

    The inline fixture mimics the JSON yextend emits: a list of
    scan_results, some with matches and offsets, one without.

    NOTE(review): an earlier method in this class carries the same name;
    under unittest this later definition replaces it, so only one of the
    two runs — confirm which is intended.
    """
    matched_scan1 = {
        # The same string ($a) is reported at several offsets; the
        # converter is expected to reduce these to a set of string names.
        "detected offsets": ["0x30:$a", "0x59:$a", "0x12b3:$b", "0x7078:$c"],
        "scan_type": "Scan1",
        "yara_matches_found": True,
        "yara_rule_id": "Rule1"
    }
    # A scan with no match and no rule id must not yield a YaraMatch.
    unmatched_scan2 = {
        "scan_type": "Scan2",
        "yara_matches_found": False,
    }
    matched_scan3 = {
        "author": "Airbnb",
        "detected offsets": ["0x0:$longer_string_name"],
        "description": "Hello, YARA world",
        "scan_type": "Scan3",
        "yara_matches_found": True,
        "yara_rule_id": "Rule3"
    }
    yextend = {
        'scan_results': [matched_scan1, unmatched_scan2, matched_scan3],
        'yara_matches_found': True
    }

    converted = yara_analyzer._convert_yextend_to_yara_match(yextend)

    rule1 = yara_analyzer.YaraMatch(
        'Rule1', 'yextend', {'scan_type': 'Scan1'}, {'$a', '$b', '$c'})
    # Extra keys (author, description) travel into rule_metadata together
    # with scan_type; the offsets list does not.
    rule3 = yara_analyzer.YaraMatch(
        'Rule3',
        'yextend',
        {
            'author': 'Airbnb',
            'description': 'Hello, YARA world',
            'scan_type': 'Scan3'
        },
        {'$longer_string_name'})

    self.assertEqual([rule1, rule3], converted)
def test_convert_one_match(self):
    """One simple Yextend YARA match is converted into a YaraMatch tuple.

    The fixture has no 'detected offsets' entry, so the resulting match
    carries an empty set of matched strings.
    """
    single_scan = {
        # Archive-member names are present in yextend output but are not
        # expected to be copied into rule_metadata.
        "child_file_name": "child/file/path.txt",
        "parent_file_name": "archive.tar.gz",
        "scan_type": "ScanType1",
        "yara_matches_found": True,
        "yara_rule_id": "Rule1"
    }
    yextend = {
        'scan_results': [single_scan],
        'yara_matches_found': True
    }

    converted = yara_analyzer._convert_yextend_to_yara_match(yextend)

    only_match = yara_analyzer.YaraMatch(
        'Rule1', 'yextend', {'scan_type': 'ScanType1'}, set())
    self.assertEqual([only_match], converted)