From 05f8e2445aa716e575834fe5e8577b0b41e09103 Mon Sep 17 00:00:00 2001
From: William Ballenthin
Date: Wed, 11 Aug 2021 09:29:05 -0600
Subject: [PATCH] fixtures: add tests demonstrating extraction of features from ELF files
---
 tests/fixtures.py | 9 +++++++++
 tests/test_pefile_features.py | 7 +++++--
 2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/tests/fixtures.py b/tests/fixtures.py
index 3bf065f0..f6e59e25 100644
--- a/tests/fixtures.py
+++ b/tests/fixtures.py
@@ -203,6 +203,8 @@ def get_data_path_by_name(name):
 return os.path.join(CD, "data", "773290480d5445f11d3dc1b800728966.exe_")
 elif name.startswith("3b13b"):
 return os.path.join(CD, "data", "3b13b6f1d7cd14dc4a097a12e2e505c0a4cff495262261e2bfc991df238b9b04.dll_")
+ elif name == "7351f.elf":
+ return os.path.join(CD, "data", "7351f8a40c5450557b24622417fc478d.elf_")
 else:
 raise ValueError("unexpected sample fixture: %s" % name)
@@ -248,6 +250,8 @@ def get_sample_md5_by_name(name):
 elif name.startswith("3b13b"):
 # file name is SHA256 hash
 return "56a6ffe6a02941028cc8235204eef31d"
+ elif name == "7351f.elf":
+ return "7351f8a40c5450557b24622417fc478d"
 else:
 raise ValueError("unexpected sample fixture: %s" % name)
@@ -515,6 +519,11 @@ FEATURE_PRESENCE_TESTS = sorted(
 ("pma16-01", "file", CHARACTERISTIC_ELF, False),
 ("pma16-01", "function=0x404356", CHARACTERISTIC_PE, True),
 ("pma16-01", "function=0x404356,bb=0x4043B9", CHARACTERISTIC_PE, True),
+ # elf support
+ ("7351f.elf", "file", CHARACTERISTIC_LINUX, True),
+ ("7351f.elf", "file", CHARACTERISTIC_ELF, True),
+ ("7351f.elf", "function=0x408753", capa.features.common.String("/dev/null"), True),
+ ("7351f.elf", "function=0x408753,bb=0x408781", capa.features.insn.API("open"), True),
 ],
 # order tests by (file, item)
 # so that our LRU cache is most effective.
diff --git a/tests/test_pefile_features.py b/tests/test_pefile_features.py
index 8bb46d43..2e1afc7b 100644
--- a/tests/test_pefile_features.py
+++ b/tests/test_pefile_features.py
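Review bot: The new branch in get_data_path_by_name matches the fixture name exactly (`name == "7351f.elf"`), while the neighbouring branch visible in the hunk uses `name.startswith("3b13b")`; the get_sample_md5_by_name hunk has the same mix. If the exact match is deliberate, so that the `.elf` suffix stays part of the fixture name, a short comment above each branch such as `# ELF sample: matched by full name, the ".elf" suffix marks the format` would record that. Otherwise `elif name.startswith("7351f"):` keeps a single convention in both functions. Both functions start and end outside their hunks, so the remaining branches were not checked.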
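Review bot: The ELF cases added to FEATURE_PRESENCE_TESTS are all positive assertions, so nothing verifies that the sample is not also reported as a PE file. The context line `("pma16-01", "file", CHARACTERISTIC_ELF, False)` does this for the PE sample; the mirror case `("7351f.elf", "file", CHARACTERISTIC_PE, False),` would catch a format-detection regression that tags one file with both formats. The list starts and ends outside the hunk.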
@@ -20,9 +20,12 @@ import capa.features.file
 )
 def test_pefile_features(sample, scope, feature, expected):
 if scope.__name__ != "file":
- pytest.xfail("pefile only extract file scope features")
+ pytest.xfail("pefile only extracts file scope features")
 if isinstance(feature, capa.features.file.FunctionName):
- pytest.xfail("pefile only doesn't extract function names")
+ pytest.xfail("pefile doesn't extract function names")
+
+ if ".elf" in sample:
+ pytest.xfail("pefile doesn't handle ELF files")
 fixtures.do_test_feature_presence(fixtures.get_pefile_extractor, sample, scope, feature, expected)
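Review bot: `if ".elf" in sample:` is a substring test, so it xfails any case whose `sample` value contains `.elf` anywhere. If `sample` is the resolved data path (the parametrize decorator is cut off above the hunk, so this is inferred), a checkout directory with `.elf` in its name would silently xfail every pefile test and hide real failures. Anchoring on the end of the name is tighter, e.g. `if sample.endswith(".elf_"):`, which matches the `.elf_` data file added in tests/fixtures.py. A comment such as `# keyed on the fixture file name, not on the file's actual format` would also help whoever adds the next non-PE sample.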