gitea-mirror/capa
1
0
Fork 0
mirror of https://github.com/mandiant/capa.git synced 2025-12-22 07:10:29 -08:00
Code Issues Packages Projects Releases Wiki Activity

--fix

Browse Source
This commit is contained in:
Pratham Chauhan
2023-04-04 18:28:43 +05:30
parent c04774b4b1
commit a260b35c9d
7 changed files with 119 additions and 140 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
capa/features/extractors/binja/insn.py
View File

@@ -439,7 +439,7 @@ def extract_insn_peb_access_characteristic_features(
return True
value = right.value.value
if not (reg, value) in (("fsbase", 0x30), ("gsbase", 0x60)):
if (reg, value) not in (("fsbase", 48), ("gsbase", 96)):
return True
results.append((Characteristic("peb access"), ih.address))

2
capa/features/extractors/ida/insn.py
View File

@@ -73,7 +73,7 @@ def extract_insn_api_features(fh: FunctionHandle, bbh: BBHandle, ih: InsnHandle)
"""
insn: idaapi.insn_t = ih.inner
if not insn.get_canon_mnem() in ("call", "jmp"):
if insn.get_canon_mnem() not in ("call", "jmp"):
return
# check calls to imported functions

2
capa/ida/plugin/form.py
View File

@@ -536,7 +536,7 @@ class CapaExplorerForm(idaapi.PluginForm):
@param new_ea: destination ea
@param old_ea: source ea
"""
if not self.view_tabs.currentIndex() in (0, 1):
if self.view_tabs.currentIndex() not in (0, 1):
return
if idaapi.get_widget_type(widget) != idaapi.BWN_DISASM:

3
capa/main.py
View File

@@ -254,7 +254,8 @@ def find_capabilities(ruleset: RuleSet, extractor: FeatureExtractor, disable_pro
if disable_progress:
# do not use tqdm to avoid unnecessary side effects when caller intends
# to disable progress completely
pbar = lambda s, *args, **kwargs: s
def pbar(s, *args, **kwargs):
return s
functions = list(extractor.get_functions())
n_funcs = len(functions)

115
tests/test_engine.py
View File

@@ -17,112 +17,93 @@ ADDR4 = capa.features.address.AbsoluteVirtualAddress(0x401004)
def test_number():
assert Number(1).evaluate({Number(0): {ADDR1}}) == False
assert Number(1).evaluate({Number(1): {ADDR1}}) == True
assert Number(1).evaluate({Number(2): {ADDR1, ADDR2}}) == False
assert Number(1).evaluate({Number(0): {ADDR1}}) is False
assert Number(1).evaluate({Number(1): {ADDR1}}) is True
assert Number(1).evaluate({Number(2): {ADDR1, ADDR2}}) is False
def test_and():
assert And([Number(1)]).evaluate({Number(0): {ADDR1}}) == False
assert And([Number(1)]).evaluate({Number(1): {ADDR1}}) == True
assert And([Number(1), Number(2)]).evaluate({Number(0): {ADDR1}}) == False
assert And([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}}) == False
assert And([Number(1), Number(2)]).evaluate({Number(2): {ADDR1}}) == False
assert And([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}, Number(2): {ADDR2}}) == True
assert And([Number(1)]).evaluate({Number(0): {ADDR1}}) is False
assert And([Number(1)]).evaluate({Number(1): {ADDR1}}) is True
assert And([Number(1), Number(2)]).evaluate({Number(0): {ADDR1}}) is False
assert And([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}}) is False
assert And([Number(1), Number(2)]).evaluate({Number(2): {ADDR1}}) is False
assert And([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}, Number(2): {ADDR2}}) is True
def test_or():
assert Or([Number(1)]).evaluate({Number(0): {ADDR1}}) == False
assert Or([Number(1)]).evaluate({Number(1): {ADDR1}}) == True
assert Or([Number(1), Number(2)]).evaluate({Number(0): {ADDR1}}) == False
assert Or([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}}) == True
assert Or([Number(1), Number(2)]).evaluate({Number(2): {ADDR1}}) == True
assert Or([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}, Number(2): {ADDR2}}) == True
assert Or([Number(1)]).evaluate({Number(0): {ADDR1}}) is False
assert Or([Number(1)]).evaluate({Number(1): {ADDR1}}) is True
assert Or([Number(1), Number(2)]).evaluate({Number(0): {ADDR1}}) is False
assert Or([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}}) is True
assert Or([Number(1), Number(2)]).evaluate({Number(2): {ADDR1}}) is True
assert Or([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}, Number(2): {ADDR2}}) is True
def test_not():
assert Not(Number(1)).evaluate({Number(0): {ADDR1}}) == True
assert Not(Number(1)).evaluate({Number(1): {ADDR1}}) == False
assert Not(Number(1)).evaluate({Number(0): {ADDR1}}) is True
assert Not(Number(1)).evaluate({Number(1): {ADDR1}}) is False
def test_some():
assert Some(0, [Number(1)]).evaluate({Number(0): {ADDR1}}) == True
assert Some(1, [Number(1)]).evaluate({Number(0): {ADDR1}}) == False
assert Some(0, [Number(1)]).evaluate({Number(0): {ADDR1}}) is True
assert Some(1, [Number(1)]).evaluate({Number(0): {ADDR1}}) is False
assert Some(2, [Number(1), Number(2), Number(3)]).evaluate({Number(0): {ADDR1}}) == False
assert Some(2, [Number(1), Number(2), Number(3)]).evaluate({Number(0): {ADDR1}, Number(1): {ADDR1}}) == False
assert Some(2, [Number(1), Number(2), Number(3)]).evaluate({Number(0): {ADDR1}}) is False
assert Some(2, [Number(1), Number(2), Number(3)]).evaluate({Number(0): {ADDR1}, Number(1): {ADDR1}}) is False
assert (
Some(2, [Number(1), Number(2), Number(3)]).evaluate(
{Number(0): {ADDR1}, Number(1): {ADDR1}, Number(2): {ADDR1}}
)
== True
Some(2, [Number(1), Number(2), Number(3)]).evaluate({Number(0): {ADDR1}, Number(1): {ADDR1}, Number(2): {ADDR1}}) is True
)
assert (
Some(2, [Number(1), Number(2), Number(3)]).evaluate(
{Number(0): {ADDR1}, Number(1): {ADDR1}, Number(2): {ADDR1}, Number(3): {ADDR1}}
)
== True
Some(2, [Number(1), Number(2), Number(3)]).evaluate({Number(0): {ADDR1}, Number(1): {ADDR1}, Number(2): {ADDR1}, Number(3): {ADDR1}}) is True
)
assert (
Some(2, [Number(1), Number(2), Number(3)]).evaluate(
{
Number(0): {ADDR1},
Number(1): {ADDR1},
Number(2): {ADDR1},
Number(3): {ADDR1},
Number(4): {ADDR1},
}
)
== True
Some(2, [Number(1), Number(2), Number(3)]).evaluate({Number(0): {ADDR1}, Number(1): {ADDR1}, Number(2): {ADDR1}, Number(3): {ADDR1}, Number(4): {ADDR1}}) is True
)
def test_complex():
assert True == Or(
[And([Number(1), Number(2)]), Or([Number(3), Some(2, [Number(4), Number(5), Number(6)])])]
).evaluate({Number(5): {ADDR1}, Number(6): {ADDR1}, Number(7): {ADDR1}, Number(8): {ADDR1}})
assert True is Or([And([Number(1), Number(2)]), Or([Number(3), Some(2, [Number(4), Number(5), Number(6)])])]).evaluate({Number(5): {ADDR1}, Number(6): {ADDR1}, Number(7): {ADDR1}, Number(8): {ADDR1}})
assert False == Or([And([Number(1), Number(2)]), Or([Number(3), Some(2, [Number(4), Number(5)])])]).evaluate(
{Number(5): {ADDR1}, Number(6): {ADDR1}, Number(7): {ADDR1}, Number(8): {ADDR1}}
)
assert False is Or([And([Number(1), Number(2)]), Or([Number(3), Some(2, [Number(4), Number(5)])])]).evaluate({Number(5): {ADDR1}, Number(6): {ADDR1}, Number(7): {ADDR1}, Number(8): {ADDR1}})
def test_range():
# unbounded range, but no matching feature
# since the lower bound is zero, and there are zero matches, ok
assert Range(Number(1)).evaluate({Number(2): {}}) == True
assert Range(Number(1)).evaluate({Number(2): {}}) is True
# unbounded range with matching feature should always match
assert Range(Number(1)).evaluate({Number(1): {}}) == True
assert Range(Number(1)).evaluate({Number(1): {ADDR1}}) == True
assert Range(Number(1)).evaluate({Number(1): {}}) is True
assert Range(Number(1)).evaluate({Number(1): {ADDR1}}) is True
# unbounded max
assert Range(Number(1), min=1).evaluate({Number(1): {ADDR1}}) == True
assert Range(Number(1), min=2).evaluate({Number(1): {ADDR1}}) == False
assert Range(Number(1), min=2).evaluate({Number(1): {ADDR1, ADDR2}}) == True
assert Range(Number(1), min=1).evaluate({Number(1): {ADDR1}}) is True
assert Range(Number(1), min=2).evaluate({Number(1): {ADDR1}}) is False
assert Range(Number(1), min=2).evaluate({Number(1): {ADDR1, ADDR2}}) is True
# unbounded min
assert Range(Number(1), max=0).evaluate({Number(1): {ADDR1}}) == False
assert Range(Number(1), max=1).evaluate({Number(1): {ADDR1}}) == True
assert Range(Number(1), max=2).evaluate({Number(1): {ADDR1}}) == True
assert Range(Number(1), max=2).evaluate({Number(1): {ADDR1, ADDR2}}) == True
assert Range(Number(1), max=2).evaluate({Number(1): {ADDR1, ADDR2, ADDR3}}) == False
assert Range(Number(1), max=0).evaluate({Number(1): {ADDR1}}) is False
assert Range(Number(1), max=1).evaluate({Number(1): {ADDR1}}) is True
assert Range(Number(1), max=2).evaluate({Number(1): {ADDR1}}) is True
assert Range(Number(1), max=2).evaluate({Number(1): {ADDR1, ADDR2}}) is True
assert Range(Number(1), max=2).evaluate({Number(1): {ADDR1, ADDR2, ADDR3}}) is False
# we can do an exact match by setting min==max
assert Range(Number(1), min=1, max=1).evaluate({Number(1): {}}) == False
assert Range(Number(1), min=1, max=1).evaluate({Number(1): {ADDR1}}) == True
assert Range(Number(1), min=1, max=1).evaluate({Number(1): {ADDR1, ADDR2}}) == False
assert Range(Number(1), min=1, max=1).evaluate({Number(1): {}}) is False
assert Range(Number(1), min=1, max=1).evaluate({Number(1): {ADDR1}}) is True
assert Range(Number(1), min=1, max=1).evaluate({Number(1): {ADDR1, ADDR2}}) is False
# bounded range
assert Range(Number(1), min=1, max=3).evaluate({Number(1): {}}) == False
assert Range(Number(1), min=1, max=3).evaluate({Number(1): {ADDR1}}) == True
assert Range(Number(1), min=1, max=3).evaluate({Number(1): {ADDR1, ADDR2}}) == True
assert Range(Number(1), min=1, max=3).evaluate({Number(1): {ADDR1, ADDR2, ADDR3}}) == True
assert Range(Number(1), min=1, max=3).evaluate({Number(1): {ADDR1, ADDR2, ADDR3, ADDR4}}) == False
assert Range(Number(1), min=1, max=3).evaluate({Number(1): {}}) is False
assert Range(Number(1), min=1, max=3).evaluate({Number(1): {ADDR1}}) is True
assert Range(Number(1), min=1, max=3).evaluate({Number(1): {ADDR1, ADDR2}}) is True
assert Range(Number(1), min=1, max=3).evaluate({Number(1): {ADDR1, ADDR2, ADDR3}}) is True
assert Range(Number(1), min=1, max=3).evaluate({Number(1): {ADDR1, ADDR2, ADDR3, ADDR4}}) is False
def test_short_circuit():
assert Or([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}}) == True
assert Or([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}}) is True
# with short circuiting, only the children up until the first satisfied child are captured.
assert len(Or([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}}, short_circuit=True).children) == 1
@@ -131,8 +112,8 @@ def test_short_circuit():
def test_eval_order():
# base cases.
assert Or([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}}) == True
assert Or([Number(1), Number(2)]).evaluate({Number(2): {ADDR1}}) == True
assert Or([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}}) is True
assert Or([Number(1), Number(2)]).evaluate({Number(2): {ADDR1}}) is True
# with short circuiting, only the children up until the first satisfied child are captured.
assert len(Or([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}}).children) == 1

6
tests/test_function_id.py
View File

@@ -4,20 +4,20 @@ import capa.features.insn
def test_function_id_simple_match(pma16_01_extractor):
assert pma16_01_extractor.is_library_function(0x407490) == True
assert pma16_01_extractor.is_library_function(4224144) is True
assert pma16_01_extractor.get_function_name(0x407490) == "__aulldiv"
def test_function_id_gz_pat(pma16_01_extractor):
# aullrem is stored in `test_aullrem.pat.gz`
assert pma16_01_extractor.is_library_function(0x407500) == True
assert pma16_01_extractor.is_library_function(4224256) is True
assert pma16_01_extractor.get_function_name(0x407500) == "__aullrem"
def test_function_id_complex_match(pma16_01_extractor):
# 0x405714 is __spawnlp which requires recursive match of __spawnvp at 0x407FAB
# (and __spawnvpe at 0x409DE8)
assert pma16_01_extractor.is_library_function(0x405714) == True
assert pma16_01_extractor.is_library_function(4216596) is True
assert pma16_01_extractor.get_function_name(0x405714) == "__spawnlp"

129
tests/test_rules.py
View File

@@ -40,8 +40,8 @@ ADDR4 = capa.features.address.AbsoluteVirtualAddress(0x401004)
def test_rule_ctor():
r = capa.rules.Rule("test rule", capa.rules.FUNCTION_SCOPE, Or([Number(1)]), {})
assert r.evaluate({Number(0): {ADDR1}}) == False
assert r.evaluate({Number(1): {ADDR2}}) == True
assert r.evaluate({Number(0): {ADDR1}}) is False
assert r.evaluate({Number(1): {ADDR2}}) is True
def test_rule_yaml():
@@ -63,10 +63,10 @@ def test_rule_yaml():
"""
)
r = capa.rules.Rule.from_yaml(rule)
assert r.evaluate({Number(0): {ADDR1}}) == False
assert r.evaluate({Number(0): {ADDR1}, Number(1): {ADDR1}}) == False
assert r.evaluate({Number(0): {ADDR1}, Number(1): {ADDR1}, Number(2): {ADDR1}}) == True
assert r.evaluate({Number(0): {ADDR1}, Number(1): {ADDR1}, Number(2): {ADDR1}, Number(3): {ADDR1}}) == True
assert r.evaluate({Number(0): {ADDR1}}) is False
assert r.evaluate({Number(0): {ADDR1}, Number(1): {ADDR1}}) is False
assert r.evaluate({Number(0): {ADDR1}, Number(1): {ADDR1}, Number(2): {ADDR1}}) is True
assert r.evaluate({Number(0): {ADDR1}, Number(1): {ADDR1}, Number(2): {ADDR1}, Number(3): {ADDR1}}) is True
def test_rule_yaml_complex():
@@ -89,8 +89,8 @@ def test_rule_yaml_complex():
"""
)
r = capa.rules.Rule.from_yaml(rule)
assert r.evaluate({Number(5): {ADDR1}, Number(6): {ADDR1}, Number(7): {ADDR1}, Number(8): {ADDR1}}) == True
assert r.evaluate({Number(6): {ADDR1}, Number(7): {ADDR1}, Number(8): {ADDR1}}) == False
assert r.evaluate({Number(5): {ADDR1}, Number(6): {ADDR1}, Number(7): {ADDR1}, Number(8): {ADDR1}}) is True
assert r.evaluate({Number(6): {ADDR1}, Number(7): {ADDR1}, Number(8): {ADDR1}}) is False
def test_rule_descriptions():
@@ -167,8 +167,8 @@ def test_rule_yaml_not():
"""
)
r = capa.rules.Rule.from_yaml(rule)
assert r.evaluate({Number(1): {ADDR1}}) == True
assert r.evaluate({Number(1): {ADDR1}, Number(2): {ADDR1}}) == False
assert r.evaluate({Number(1): {ADDR1}}) is True
assert r.evaluate({Number(1): {ADDR1}, Number(2): {ADDR1}}) is False
def test_rule_yaml_count():
@@ -182,9 +182,9 @@ def test_rule_yaml_count():
"""
)
r = capa.rules.Rule.from_yaml(rule)
assert r.evaluate({Number(100): set()}) == False
assert r.evaluate({Number(100): {ADDR1}}) == True
assert r.evaluate({Number(100): {ADDR1, ADDR2}}) == False
assert r.evaluate({Number(100): set()}) is False
assert r.evaluate({Number(100): {ADDR1}}) is True
assert r.evaluate({Number(100): {ADDR1, ADDR2}}) is False
def test_rule_yaml_count_range():
@@ -198,10 +198,10 @@ def test_rule_yaml_count_range():
"""
)
r = capa.rules.Rule.from_yaml(rule)
assert r.evaluate({Number(100): set()}) == False
assert r.evaluate({Number(100): {ADDR1}}) == True
assert r.evaluate({Number(100): {ADDR1, ADDR2}}) == True
assert r.evaluate({Number(100): {ADDR1, ADDR2, ADDR3}}) == False
assert r.evaluate({Number(100): set()}) is False
assert r.evaluate({Number(100): {ADDR1}}) is True
assert r.evaluate({Number(100): {ADDR1, ADDR2}}) is True
assert r.evaluate({Number(100): {ADDR1, ADDR2, ADDR3}}) is False
def test_rule_yaml_count_string():
@@ -215,10 +215,10 @@ def test_rule_yaml_count_string():
"""
)
r = capa.rules.Rule.from_yaml(rule)
assert r.evaluate({String("foo"): set()}) == False
assert r.evaluate({String("foo"): {ADDR1}}) == False
assert r.evaluate({String("foo"): {ADDR1, ADDR2}}) == True
assert r.evaluate({String("foo"): {ADDR1, ADDR2, ADDR3}}) == False
assert r.evaluate({String("foo"): set()}) is False
assert r.evaluate({String("foo"): {ADDR1}}) is False
assert r.evaluate({String("foo"): {ADDR1, ADDR2}}) is True
assert r.evaluate({String("foo"): {ADDR1, ADDR2, ADDR3}}) is False
def test_invalid_rule_feature():
@@ -466,12 +466,12 @@ def test_number_symbol():
)
r = capa.rules.Rule.from_yaml(rule)
children = list(r.statement.get_children())
assert (Number(1) in children) == True
assert (Number(0xFFFFFFFF) in children) == True
assert (Number(2, description="symbol name") in children) == True
assert (Number(3, description="symbol name") in children) == True
assert (Number(4, description="symbol name = another name") in children) == True
assert (Number(0x100, description="symbol name") in children) == True
assert (Number(1) in children) is True
assert (Number(4294967295) in children) is True
assert (Number(2, description="symbol name") in children) is True
assert (Number(3, description="symbol name") in children) is True
assert (Number(4, description="symbol name = another name") in children) is True
assert (Number(256, description="symbol name") in children) is True
def test_count_number_symbol():
@@ -488,11 +488,11 @@ def test_count_number_symbol():
"""
)
r = capa.rules.Rule.from_yaml(rule)
assert r.evaluate({Number(2): set()}) == False
assert r.evaluate({Number(2): {ADDR1}}) == True
assert r.evaluate({Number(2): {ADDR1, ADDR2}}) == False
assert r.evaluate({Number(0x100, description="symbol name"): {ADDR1}}) == False
assert r.evaluate({Number(0x100, description="symbol name"): {ADDR1, ADDR2, ADDR3}}) == True
assert r.evaluate({Number(2): set()}) is False
assert r.evaluate({Number(2): {ADDR1}}) is True
assert r.evaluate({Number(2): {ADDR1, ADDR2}}) is False
assert r.evaluate({Number(256, description="symbol name"): {ADDR1}}) is False
assert r.evaluate({Number(256, description="symbol name"): {ADDR1, ADDR2, ADDR3}}) is True
def test_invalid_number():
@@ -553,11 +553,11 @@ def test_offset_symbol():
)
r = capa.rules.Rule.from_yaml(rule)
children = list(r.statement.get_children())
assert (Offset(1) in children) == True
assert (Offset(2, description="symbol name") in children) == True
assert (Offset(3, description="symbol name") in children) == True
assert (Offset(4, description="symbol name = another name") in children) == True
assert (Offset(0x100, description="symbol name") in children) == True
assert (Offset(1) in children) is True
assert (Offset(2, description="symbol name") in children) is True
assert (Offset(3, description="symbol name") in children) is True
assert (Offset(4, description="symbol name = another name") in children) is True
assert (Offset(256, description="symbol name") in children) is True
def test_count_offset_symbol():
@@ -574,11 +574,11 @@ def test_count_offset_symbol():
"""
)
r = capa.rules.Rule.from_yaml(rule)
assert r.evaluate({Offset(2): set()}) == False
assert r.evaluate({Offset(2): {ADDR1}}) == True
assert r.evaluate({Offset(2): {ADDR1, ADDR2}}) == False
assert r.evaluate({Offset(0x100, description="symbol name"): {ADDR1}}) == False
assert r.evaluate({Offset(0x100, description="symbol name"): {ADDR1, ADDR2, ADDR3}}) == True
assert r.evaluate({Offset(2): set()}) is False
assert r.evaluate({Offset(2): {ADDR1}}) is True
assert r.evaluate({Offset(2): {ADDR1, ADDR2}}) is False
assert r.evaluate({Offset(256, description="symbol name"): {ADDR1}}) is False
assert r.evaluate({Offset(256, description="symbol name"): {ADDR1, ADDR2, ADDR3}}) is True
def test_invalid_offset():
@@ -664,8 +664,8 @@ def test_explicit_string_values_int():
)
r = capa.rules.Rule.from_yaml(rule)
children = list(r.statement.get_children())
assert (String("123") in children) == True
assert (String("0x123") in children) == True
assert (String("123") in children) is True
assert (String("0x123") in children) is True
def test_string_values_special_characters():
@@ -683,8 +683,8 @@ def test_string_values_special_characters():
)
r = capa.rules.Rule.from_yaml(rule)
children = list(r.statement.get_children())
assert (String("hello\r\nworld") in children) == True
assert (String("bye\nbye") in children) == True
assert (String("hello\r\nworld") in children) is True
assert (String("bye\nbye") in children) is True
def test_substring_feature():
@@ -702,9 +702,9 @@ def test_substring_feature():
)
r = capa.rules.Rule.from_yaml(rule)
children = list(r.statement.get_children())
assert (Substring("abc") in children) == True
assert (Substring("def") in children) == True
assert (Substring("gh\ni") in children) == True
assert (Substring("abc") in children) is True
assert (Substring("def") in children) is True
assert (Substring("gh\ni") in children) is True
def test_substring_description():
@@ -721,7 +721,7 @@ def test_substring_description():
)
r = capa.rules.Rule.from_yaml(rule)
children = list(r.statement.get_children())
assert (Substring("abc") in children) == True
assert (Substring("abc") in children) is True
def test_filter_rules():
@@ -902,9 +902,9 @@ def test_function_name_features():
)
r = capa.rules.Rule.from_yaml(rule)
children = list(r.statement.get_children())
assert (FunctionName("strcpy") in children) == True
assert (FunctionName("strcmp", description="copy from here to there") in children) == True
assert (FunctionName("strdup", description="duplicate a string") in children) == True
assert (FunctionName("strcpy") in children) is True
assert (FunctionName("strcmp", description="copy from here to there") in children) is True
assert (FunctionName("strdup", description="duplicate a string") in children) is True
def test_os_features():
@@ -921,8 +921,8 @@ def test_os_features():
)
r = capa.rules.Rule.from_yaml(rule)
children = list(r.statement.get_children())
assert (OS(OS_WINDOWS) in children) == True
assert (OS(OS_LINUX) not in children) == True
assert (OS(OS_WINDOWS) in children) is True
assert (OS(OS_LINUX) not in children) is True
def test_format_features():
@@ -939,8 +939,8 @@ def test_format_features():
)
r = capa.rules.Rule.from_yaml(rule)
children = list(r.statement.get_children())
assert (Format(FORMAT_PE) in children) == True
assert (Format(FORMAT_ELF) not in children) == True
assert (Format(FORMAT_PE) in children) is True
assert (Format(FORMAT_ELF) not in children) is True
def test_arch_features():
@@ -957,8 +957,8 @@ def test_arch_features():
)
r = capa.rules.Rule.from_yaml(rule)
children = list(r.statement.get_children())
assert (Arch(ARCH_AMD64) in children) == True
assert (Arch(ARCH_I386) not in children) == True
assert (Arch(ARCH_AMD64) in children) is True
assert (Arch(ARCH_I386) not in children) is True
def test_property_access():
@@ -973,10 +973,10 @@ def test_property_access():
"""
)
)
assert r.evaluate({Property("System.IO.FileInfo::Length", access=FeatureAccess.READ): {ADDR1}}) == True
assert r.evaluate({Property("System.IO.FileInfo::Length", access=FeatureAccess.READ): {ADDR1}}) is True
assert r.evaluate({Property("System.IO.FileInfo::Length"): {ADDR1}}) == False
assert r.evaluate({Property("System.IO.FileInfo::Length", access=FeatureAccess.WRITE): {ADDR1}}) == False
assert r.evaluate({Property("System.IO.FileInfo::Length"): {ADDR1}}) is False
assert r.evaluate({Property("System.IO.FileInfo::Length", access=FeatureAccess.WRITE): {ADDR1}}) is False
def test_property_access_symbol():
@@ -992,8 +992,5 @@ def test_property_access_symbol():
)
)
assert (
r.evaluate(
{Property("System.IO.FileInfo::Length", access=FeatureAccess.READ, description="some property"): {ADDR1}}
)
== True
r.evaluate({Property("System.IO.FileInfo::Length", access=FeatureAccess.READ, description="some property"): {ADDR1}}) is True
)