main: load gzip compressed .pat files

2025-12-05 20:40:05 -08:00 · 2021-03-04 18:04:46 -07:00
parent 20894124e6
commit 004ddb3e66
4 changed files with 16 additions and 3 deletions
--- a/capa/main.py
+++ b/capa/main.py
@@ -11,6 +11,7 @@ See the License for the specific language governing permissions and limitations
 import os
 import sys
 import time
+import gzip
 import hashlib
 import logging
 import os.path
@@ -305,6 +306,11 @@ def register_flirt_signature_analyzers(vw, sigpaths):
                with timing("flirt: parsing .pat: " + sigpath):
                    sigs = flirt.parse_pat(f.read().decode("utf-8"))

+        elif sigpath.endswith(".pat.gz"):
+            with gzip.open(sigpath, "rb") as f:
+                with timing("flirt: parsing .pat.gz: " + sigpath):
+                    sigs = flirt.parse_pat(f.read().decode("utf-8"))
+
        else:
            raise ValueError("unexpect signature file extension: " + sigpath)

--- a/sigs/test_aullrem.pat.gz
+++ b/sigs/test_aullrem.pat.gz
--- a/tests/fixtures.py
+++ b/tests/fixtures.py
@@ -74,13 +74,14 @@ def get_viv_extractor(path):
    import capa.features.extractors.viv

    aulldiv_pat = os.path.join(CD, "..", "sigs", "test_aulldiv.pat")
+    aullrem_pat = os.path.join(CD, "..", "sigs", "test_aullrem.pat.gz")

    if "raw32" in path:
-        vw = capa.main.get_workspace(path, "sc32", sigpaths=[aulldiv_pat])
+        vw = capa.main.get_workspace(path, "sc32", sigpaths=[aulldiv_pat, aullrem_pat])
    elif "raw64" in path:
-        vw = capa.main.get_workspace(path, "sc64", sigpaths=[aulldiv_pat])
+        vw = capa.main.get_workspace(path, "sc64", sigpaths=[aulldiv_pat, aullrem_pat])
    else:
-        vw = capa.main.get_workspace(path, "auto", sigpaths=[aulldiv_pat])
+        vw = capa.main.get_workspace(path, "auto", sigpaths=[aulldiv_pat, aullrem_pat])
    extractor = capa.features.extractors.viv.VivisectFeatureExtractor(vw, path)
    fixup_viv(path, extractor)
    return extractor
--- a/tests/test_function_id.py
+++ b/tests/test_function_id.py
@@ -10,6 +10,12 @@ def test_function_id_simple_match(pma16_01_extractor):
    assert pma16_01_extractor.get_function_name(0x407490) == "__aulldiv"


+def test_function_id_gz_pat(pma16_01_extractor):
+    # aullrem is stored in `test_aullrem.pat.gz`
+    assert pma16_01_extractor.is_library_function(0x407500) == True
+    assert pma16_01_extractor.get_function_name(0x407500) == "__aullrem"
+
+
@pytest.mark.xfail
 def test_function_id_complex_match(pma16_01_extractor):
    # 0x405714 is __spawnlp which requires recursive match of __spawnvp at 0x407FAB