gitea-mirror/capa
1
0
Fork 0
mirror of https://github.com/mandiant/capa.git synced 2025-12-06 04:41:00 -08:00
Code Issues Packages Projects Releases Wiki Activity

tests: test FLIRT matching

Browse Source
This commit is contained in:
William Ballenthin
2021-03-04 15:50:05 -07:00
parent 22c4e3b8c2
commit 20894124e6
3 changed files with 18 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
sigs/test_aulldiv.pat Normal file
View File

@@ -0,0 +1,4 @@
53568b4424180bc075188b4c24148b44241033d2f7f18bd88b44240cf7f18bd3 48 d0a0 0068 :0000 __aulldiv
558bec83e4e083ec60c5fe7f4c2420c5fe7f0424ff742424ff742424ff74240c 08 6e24 0095 :0000 ___avx_u64div4@@64 ^0028 __aulldiv
558bec83e4f083ec30660f6fd1660f73da04660f6fd8660f7ed0660f73db04f3 1b ed6c 0080 :0000 ___sse2_u64div2@@32 ^003b __aulldiv
---

8
tests/fixtures.py
View File

@@ -73,12 +73,14 @@ def xfail(condition, reason=None):
def get_viv_extractor(path):
import capa.features.extractors.viv
aulldiv_pat = os.path.join(CD, "..", "sigs", "test_aulldiv.pat")
if "raw32" in path:
vw = capa.main.get_workspace(path, "sc32", should_save=False)
vw = capa.main.get_workspace(path, "sc32", sigpaths=[aulldiv_pat])
elif "raw64" in path:
vw = capa.main.get_workspace(path, "sc64", should_save=False)
vw = capa.main.get_workspace(path, "sc64", sigpaths=[aulldiv_pat])
else:
vw = capa.main.get_workspace(path, "auto", should_save=True)
vw = capa.main.get_workspace(path, "auto", sigpaths=[aulldiv_pat])
extractor = capa.features.extractors.viv.VivisectFeatureExtractor(vw, path)
fixup_viv(path, extractor)
return extractor

15
tests/test_function_id.py
View File

@@ -1,14 +1,17 @@
import pytest
import capa.features.insn
from fixtures import pma16_01_extractor, get_function, extract_function_features
def test_function_id_alloca_probe(pma16_01_extractor):
assert pma16_01_extractor.is_library_function(0x403970) == True
assert pma16_01_extractor.get_function_name(0x403970) == "__alloca_probe"
def test_function_id_simple_match(pma16_01_extractor):
assert pma16_01_extractor.is_library_function(0x407490) == True
assert pma16_01_extractor.get_function_name(0x407490) == "__aulldiv"
def test_function_id_spawnlp(pma16_01_extractor):
@pytest.mark.xfail
def test_function_id_complex_match(pma16_01_extractor):
# 0x405714 is __spawnlp which requires recursive match of __spawnvp at 0x407FAB
# (and __spawnvpe at 0x409DE8)
assert pma16_01_extractor.is_library_function(0x405714) == True
@@ -16,6 +19,6 @@ def test_function_id_spawnlp(pma16_01_extractor):
def test_function_id_api_feature(pma16_01_extractor):
f = get_function(pma16_01_extractor, 0x4011D0)
f = get_function(pma16_01_extractor, 0x404548)
features = extract_function_features(pma16_01_extractor, f)
assert capa.features.insn.API("__alloca_probe") in features
assert capa.features.insn.API("__aulldiv") in features