    def test_rule_with_plus_condition(self):
        """Build a rule whose condition is ``filesize + 100`` and check its unformatted text."""
        condition = (yaramod.filesize() + yaramod.int_val(100)).get()
        rule = (
            self.new_rule
            .with_name('rule_with_plus_condition')
            .with_condition(condition)
            .get()
        )
        yara_file = self.new_file.with_rule(rule).get()

        expected = '''rule rule_with_plus_condition {
	condition:
		filesize + 100
}'''
        self.assertEqual(yara_file.text, expected)
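    def test_rule_with_string_at_condition(self):
        """Build a rule whose condition is ``$1 at 100`` and check its unformatted text.

        The generated rule is named after this test method so the fixture and
        the expected output stay consistent with the rest of the suite.
        """
        condition = yaramod.match_at('$1', yaramod.int_val(100)).get()
        rule = (
            self.new_rule
            .with_name('rule_with_string_at_condition')
            .with_condition(condition)
            .get()
        )
        yara_file = self.new_file.with_rule(rule).get()

        expected = '''rule rule_with_string_at_condition {
	condition:
		$1 at 100
}'''
        self.assertEqual(yara_file.text, expected)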
    def test_rule_with_defined_condition(self):
        """Build a rule whose condition is ``defined 200`` and check its formatted text."""
        condition = yaramod.int_val(200).defined().get()
        rule = (
            self.new_rule
            .with_name('rule_with_defined_condition')
            .with_condition(condition)
            .get()
        )
        # Note the positional ``True`` passed to ``get`` here, unlike the sibling tests.
        yara_file = self.new_file.with_rule(rule).get(True)

        expected_formatted = '''rule rule_with_defined_condition
{
	condition:
		defined 200
}
'''
        self.assertEqual(yara_file.text_formatted, expected_formatted)
    def test_rule_with_match_offset_with_index_condition(self):
        """Build a rule whose condition is ``@1[0]`` and check its unformatted text."""
        condition = yaramod.match_offset('$1', yaramod.int_val(0)).get()
        rule = (
            self.new_rule
            .with_name('rule_with_match_offset_with_index_condition')
            .with_condition(condition)
            .get()
        )
        yara_file = self.new_file.with_rule(rule).get()

        expected = '''rule rule_with_match_offset_with_index_condition {
	condition:
		@1[0]
}'''
        self.assertEqual(yara_file.text, expected)
    def test_rule_with_array_access_condition(self):
        """Build a rule using ``pe.sections[0].name`` with the ``pe`` module imported and check its text."""
        sections = yaramod.id('pe').access('sections')
        condition = sections[yaramod.int_val(0)].access('name').get()
        rule = (
            self.new_rule
            .with_name('rule_with_array_access_condition')
            .with_condition(condition)
            .get()
        )
        yara_file = (
            self.new_file
            .with_module('pe')
            .with_rule(rule)
            .get()
        )

        expected = '''import "pe"

rule rule_with_array_access_condition {
	condition:
		pe.sections[0].name
}'''
        self.assertEqual(yara_file.text, expected)
    def test_rule_with_shift_right_condition(self):
        """Build a rule whose condition is ``filesize >> 100`` and check both text renderings."""
        condition = (yaramod.filesize() >> yaramod.int_val(100)).get()
        rule = (
            self.new_rule
            .with_name('rule_with_shift_right_condition')
            .with_condition(condition)
            .get()
        )
        yara_file = self.new_file.with_rule(rule).get()

        expected_formatted = '''rule rule_with_shift_right_condition
{
	condition:
		filesize >> 100
}
'''
        expected_plain = '''rule rule_with_shift_right_condition {
	condition:
		filesize >> 100
}'''
        self.assertEqual(yara_file.text_formatted, expected_formatted)
        self.assertEqual(yara_file.text, expected_plain)
    def test_rule_with_bitwise_not_condition(self):
        """Build a rule whose condition is ``~100`` and check both text renderings."""
        condition = (~yaramod.int_val(100)).get()
        rule = (
            self.new_rule
            .with_name('rule_with_bitwise_not_condition')
            .with_condition(condition)
            .get()
        )
        yara_file = self.new_file.with_rule(rule).get()

        expected_formatted = '''rule rule_with_bitwise_not_condition
{
	condition:
		~100
}
'''
        expected_plain = '''rule rule_with_bitwise_not_condition {
	condition:
		~100
}'''
        self.assertEqual(yara_file.text_formatted, expected_formatted)
        self.assertEqual(yara_file.text, expected_plain)
    def test_rule_with_not_condition(self):
        """Build a rule whose condition is ``not filesize < 100`` and check both text renderings."""
        inner = yaramod.filesize() < yaramod.int_val(100)
        condition = yaramod.not_(inner).get()
        rule = (
            self.new_rule
            .with_name('rule_with_not_condition')
            .with_condition(condition)
            .get()
        )
        yara_file = self.new_file.with_rule(rule).get()

        expected_formatted = '''rule rule_with_not_condition
{
	condition:
		not filesize < 100
}
'''
        expected_plain = '''rule rule_with_not_condition {
	condition:
		not filesize < 100
}'''
        self.assertEqual(yara_file.text_formatted, expected_formatted)
        self.assertEqual(yara_file.text, expected_plain)
    def test_rule_with_unary_minus_condition(self):
        """Build a rule whose condition is ``-10`` and check both text renderings."""
        condition = (-yaramod.int_val(10)).get()
        rule = (
            self.new_rule
            .with_name('rule_with_unary_minus_condition')
            .with_condition(condition)
            .get()
        )
        yara_file = self.new_file.with_rule(rule).get()

        expected_formatted = '''rule rule_with_unary_minus_condition
{
	condition:
		-10
}
'''
        expected_plain = '''rule rule_with_unary_minus_condition {
	condition:
		-10
}'''
        self.assertEqual(yara_file.text_formatted, expected_formatted)
        self.assertEqual(yara_file.text, expected_plain)
    def test_rule_with_divide_condition(self):
        """Build a rule from the Python ``/`` operator and check that it renders as ``filesize \\ 100``."""
        condition = (yaramod.filesize() / yaramod.int_val(100)).get()
        rule = (
            self.new_rule
            .with_name('rule_with_divide_condition')
            .with_condition(condition)
            .get()
        )
        yara_file = self.new_file.with_rule(rule).get()

        # Raw strings keep the single backslash that the rule text uses for division.
        expected_formatted = r'''rule rule_with_divide_condition
{
	condition:
		filesize \ 100
}
'''
        expected_plain = r'''rule rule_with_divide_condition {
	condition:
		filesize \ 100
}'''
        self.assertEqual(yara_file.text_formatted, expected_formatted)
        self.assertEqual(yara_file.text, expected_plain)
    def test_rule_with_or_condition(self):
        """Build a two-operand ``or`` condition and check both text renderings."""
        lower_bound = yaramod.filesize() > yaramod.int_val(100)
        upper_bound = yaramod.filesize() < yaramod.int_val(200)
        condition = yaramod.disjunction([lower_bound, upper_bound]).get()
        rule = (
            self.new_rule
            .with_name('rule_with_or_condition')
            .with_condition(condition)
            .get()
        )
        yara_file = self.new_file.with_rule(rule).get()

        expected_formatted = '''rule rule_with_or_condition
{
	condition:
		filesize > 100 or
		filesize < 200
}
'''
        expected_plain = '''rule rule_with_or_condition {
	condition:
		filesize > 100 or filesize < 200
}'''
        self.assertEqual(yara_file.text_formatted, expected_formatted)
        self.assertEqual(yara_file.text, expected_plain)
    def test_rule_with_or_condition_with_comments(self):
        """Build an ``or`` condition whose operands carry comments and check both text renderings."""
        # Each operand is a [expression, comment] pair; comments appear only in the formatted text.
        operands = [
            [yaramod.filesize() > yaramod.int_val(100), 'skip small files'],
            [yaramod.filesize() < yaramod.int_val(200), 'also too big files'],
        ]
        condition = yaramod.disjunction(operands).get()
        rule = (
            self.new_rule
            .with_name('rule_with_or_condition_with_comments')
            .with_condition(condition)
            .get()
        )
        yara_file = self.new_file.with_rule(rule).get()

        expected_formatted = '''rule rule_with_or_condition_with_comments
{
	condition:
		/* skip small files */
		filesize > 100 or
		/* also too big files */
		filesize < 200
}
'''
        expected_plain = '''rule rule_with_or_condition_with_comments {
	condition:
		filesize > 100 or
		filesize < 200
}'''
        self.assertEqual(yara_file.text_formatted, expected_formatted)
        self.assertEqual(yara_file.text, expected_plain)
    def test_rule_with_and_condition_with_comments(self):
        """Build an ``and`` condition whose operands carry comments and check both text renderings."""
        # Each operand is a [expression, comment] pair; comments appear only in the formatted text.
        operands = [
            [yaramod.filesize() > yaramod.int_val(100), 'comment1'],
            [yaramod.filesize() < yaramod.int_val(200), 'comment2'],
        ]
        condition = yaramod.conjunction(operands).get()
        rule = (
            self.new_rule
            .with_name('rule_with_and_condition_with_comments')
            .with_condition(condition)
            .get()
        )
        yara_file = self.new_file.with_rule(rule).get()

        expected_formatted = '''rule rule_with_and_condition_with_comments
{
	condition:
		/* comment1 */
		filesize > 100 and
		/* comment2 */
		filesize < 200
}
'''
        expected_plain = '''rule rule_with_and_condition_with_comments {
	condition:
		filesize > 100 and
		filesize < 200
}'''
        self.assertEqual(yara_file.text_formatted, expected_formatted)
        self.assertEqual(yara_file.text, expected_plain)
    def test_rule_with_of_in_range_condition(self):
        """Build ``all of them in (filesize - 1024 .. filesize)`` over two plain strings and check both text renderings."""
        range_start = yaramod.filesize() - yaramod.int_val(1024)
        range_end = yaramod.filesize()
        search_range = yaramod.range(range_start, range_end)
        condition = yaramod.of(yaramod.all(), yaramod.them(), search_range).get()
        rule = (
            self.new_rule
            .with_name('rule_with_of_in_range_condition')
            .with_plain_string('$a1', 'This is plain string 1.')
            .with_plain_string('$a2', 'This is plain string 2.')
            .with_condition(condition)
            .get()
        )
        yara_file = self.new_file.with_rule(rule).get()

        expected_formatted = '''rule rule_with_of_in_range_condition
{
	strings:
		$a1 = "This is plain string 1."
		$a2 = "This is plain string 2."
	condition:
		all of them in (filesize - 1024 .. filesize)
}
'''
        expected_plain = '''rule rule_with_of_in_range_condition {
	strings:
		$a1 = "This is plain string 1."
		$a2 = "This is plain string 2."
	condition:
		all of them in (filesize - 1024 .. filesize)
}'''
        self.assertEqual(yara_file.text_formatted, expected_formatted)
        self.assertEqual(yara_file.text, expected_plain)