From 9da9c3aceb0511844cda6c8ae5a6ed63d0de7d7d Mon Sep 17 00:00:00 2001
From: Willi Ballenthin
Date: Mon, 28 Mar 2022 12:40:10 -0600
Subject: [PATCH] rules: add valid features for insn scope
---
 capa/rules.py | 5 ++++
 tests/test_rules_insn_scope.py | 45 ++++++++++++++++++++++++++++++++++
 2 files changed, 50 insertions(+)
 create mode 100644 tests/test_rules_insn_scope.py
diff --git a/capa/rules.py b/capa/rules.py
index e2c449d8..18bfa061 100644
--- a/capa/rules.py
+++ b/capa/rules.py
@@ -126,6 +126,11 @@ SUPPORTED_FEATURES = {
 capa.features.common.OS,
 capa.features.common.Arch,
 },
+ INSTRUCTION_SCOPE: {
+ capa.features.common.Arch,
+ capa.features.common.OS,
+ capa.features.insn.Mnemonic,
+ },
 }
 # all basic block scope features are also function scope features
diff --git a/tests/test_rules_insn_scope.py b/tests/test_rules_insn_scope.py
new file mode 100644
index 00000000..3e2a3baf
--- /dev/null
+++ b/tests/test_rules_insn_scope.py
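Review bot: The new `INSTRUCTION_SCOPE` entry is added as a standalone set, but nothing in this hunk folds it into the enclosing scopes the way the comment right below ("all basic block scope features are also function scope features") says is done for basic block → function; unless that propagation exists outside the hunk, a basic-block or function scoped rule naming `mnemonic` would presumably still be rejected as an unsupported feature. If instruction features are meant to be matchable from those scopes too, add a parallel update of the basic-block set from `SUPPORTED_FEATURES[INSTRUCTION_SCOPE]` next to the existing propagation line. As a point of style, the neighbouring scope lists `OS` before `Arch` while the new set lists `Arch` before `OS`; keeping one order makes the table easier to scan. The `SUPPORTED_FEATURES` dict starts before this hunk.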
@@ -0,0 +1,45 @@
+# Copyright (C) 2022 FireEye, Inc. All Rights Reserved.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at: [package root]/LICENSE.txt
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and limitations under the License.
+
+import textwrap
+
+import pytest
+
+import capa.rules
+
+
+def test_rule_scope_instruction():
+ capa.rules.Rule.from_yaml(
+ textwrap.dedent(
+ """
+ rule:
+ meta:
+ name: test rule
+ scope: instruction
+ features:
+ - and:
+ - mnemonic: mov
+ - arch: i386
+ - os: windows
+ """
+ )
+ )
+
+ with pytest.raises(capa.rules.InvalidRule):
+ capa.rules.Rule.from_yaml(
+ textwrap.dedent(
+ """
+ rule:
+ meta:
+ name: test rule
+ scope: instruction
+ features:
+ - characteristic: embedded pe
+ """
+ )
+ )
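Review bot: The positive case in `test_rule_scope_instruction` only checks that `Rule.from_yaml` does not raise; it never looks at the returned rule, so a parser that silently coerced `scope: instruction` to another scope would still pass. Bind the result and assert on it, e.g. `rule = capa.rules.Rule.from_yaml(...)` followed by `assert rule.scope == "instruction"` (assuming `Rule` exposes the parsed scope as `scope`, as the rest of the module appears to). The negative case exercises only `characteristic: embedded pe`; adding a second rejected feature that is valid at a broader scope would pin down that it is the new instruction-scope feature set doing the rejecting rather than the characteristic parser. A one-line docstring such as `"""instruction-scope rules accept mnemonic/arch/os and reject out-of-scope features."""` would also state the intent the function name only hints at.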