gitea-mirror/capa
1
0
Fork 0
mirror of https://github.com/mandiant/capa.git synced 2025-12-22 15:16:22 -08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1405 from ooprathamm/ruff

Browse Source 
Linting with ruff
This commit is contained in:
Willi Ballenthin
2023-04-17 10:46:24 +02:00
committed by GitHub
parent 6ba5b2b72b efb07fafb3
commit c85050ac1a
11 changed files with 180 additions and 146 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
.github/ruff.toml vendored Normal file
View File

@@ -0,0 +1,10 @@
# Enable pycodestyle (`E`) codes
select = ["E"]
# E402 module level import not at top of file
# E722 do not use bare 'except'
ignore = ["E402", "E722"]
exclude = ["*_pb2.py", "*_pb2.pyi"]
# Same as pycodestyle.
line-length = 180

2
.github/workflows/tests.yml vendored
View File

@@ -33,6 +33,8 @@ jobs:
python-version: "3.8" python-version: "3.8"
- name: Install dependencies - name: Install dependencies
run: pip install -e .[dev] run: pip install -e .[dev]
- name: Lint with ruff
run: ruff check --config .github/ruff.toml .
- name: Lint with isort - name: Lint with isort
run: isort --profile black --length-sort --line-width 120 --skip-glob "*_pb2.py" -c . run: isort --profile black --length-sort --line-width 120 --skip-glob "*_pb2.py" -c .
- name: Lint with black - name: Lint with black

2
capa/features/extractors/binja/insn.py
View File

@@ -439,7 +439,7 @@ def extract_insn_peb_access_characteristic_features(
return True return True
value = right.value.value value = right.value.value
if not (reg, value) in (("fsbase", 0x30), ("gsbase", 0x60)): if (reg, value) not in (("fsbase", 0x30), ("gsbase", 0x60)):
return True return True
results.append((Characteristic("peb access"), ih.address)) results.append((Characteristic("peb access"), ih.address))

2
capa/features/extractors/ida/insn.py
View File

@@ -73,7 +73,7 @@ def extract_insn_api_features(fh: FunctionHandle, bbh: BBHandle, ih: InsnHandle)
""" """
insn: idaapi.insn_t = ih.inner insn: idaapi.insn_t = ih.inner
if not insn.get_canon_mnem() in ("call", "jmp"): if insn.get_canon_mnem() not in ("call", "jmp"):
return return
# check calls to imported functions # check calls to imported functions

8
capa/ida/plugin/form.py
View File

@@ -536,7 +536,7 @@ class CapaExplorerForm(idaapi.PluginForm):
@param new_ea: destination ea @param new_ea: destination ea
@param old_ea: source ea @param old_ea: source ea
""" """
if not self.view_tabs.currentIndex() in (0, 1): if self.view_tabs.currentIndex() not in (0, 1):
return return
if idaapi.get_widget_type(widget) != idaapi.BWN_DISASM: if idaapi.get_widget_type(widget) != idaapi.BWN_DISASM:
@@ -607,7 +607,8 @@ class CapaExplorerForm(idaapi.PluginForm):
except UserCancelledError as e: except UserCancelledError as e:
capa.ida.helpers.inform_user_ida_ui("Analysis requires capa rules") capa.ida.helpers.inform_user_ida_ui("Analysis requires capa rules")
logger.warning( logger.warning(
f"You must specify a directory containing capa rules before running analysis. Download and extract the official rules from {CAPA_OFFICIAL_RULESET_URL} (recommended)." "You must specify a directory containing capa rules before running analysis.%s",
f"Download and extract the official rules from {CAPA_OFFICIAL_RULESET_URL} (recommended).",
) )
return False return False
except Exception as e: except Exception as e:
@@ -705,7 +706,8 @@ class CapaExplorerForm(idaapi.PluginForm):
capa.ida.helpers.inform_user_ida_ui("Cached results were generated using different capas rules") capa.ida.helpers.inform_user_ida_ui("Cached results were generated using different capas rules")
logger.warning( logger.warning(
"capa is showing you cached results from a previous analysis run. Your rules have changed since and you should reanalyze the program to see new results." "capa is showing you cached results from a previous analysis run.%s ",
"Your rules have changed since and you should reanalyze the program to see new results.",
) )
view_status_rules = "no rules matched for cache" view_status_rules = "no rules matched for cache"

3
capa/main.py
View File

@@ -255,7 +255,8 @@ def find_capabilities(ruleset: RuleSet, extractor: FeatureExtractor, disable_pro
if disable_progress: if disable_progress:
# do not use tqdm to avoid unnecessary side effects when caller intends # do not use tqdm to avoid unnecessary side effects when caller intends
# to disable progress completely # to disable progress completely
pbar = lambda s, *args, **kwargs: s def pbar(s, *args, **kwargs):
return s
functions = list(extractor.get_functions()) functions = list(extractor.get_functions())
n_funcs = len(functions) n_funcs = len(functions)

26
scripts/capa2yara.py
View File

@@ -59,7 +59,8 @@ unsupported = ["characteristic", "mnemonic", "offset", "subscope", "Range"]
# -- https://github.com/mandiant/capa-rules/blob/master/collection/file-managers/gather-direct-ftp-information.yml # -- https://github.com/mandiant/capa-rules/blob/master/collection/file-managers/gather-direct-ftp-information.yml
# -- https://github.com/mandiant/capa-rules/blob/master/collection/browser/gather-firefox-profile-information.yml # -- https://github.com/mandiant/capa-rules/blob/master/collection/browser/gather-firefox-profile-information.yml
# - count(string (1 rule: /executable/subfile/pe/contain-an-embedded-pe-file.yml) # - count(string (1 rule: /executable/subfile/pe/contain-an-embedded-pe-file.yml)
# - count(match( could be done by creating the referenced rule a 2nd time with the condition, that it hits x times (only 1 rule: ./anti-analysis/anti-disasm/contain-anti-disasm-techniques.yml) # - count(match( could be done by creating the referenced rule a 2nd time with the condition, that it hits x times
# (only 1 rule: ./anti-analysis/anti-disasm/contain-anti-disasm-techniques.yml)
# - it would be technically possible to get the "basic blocks" working, but the rules contain mostly other non supported statements in there => not worth the effort. # - it would be technically possible to get the "basic blocks" working, but the rules contain mostly other non supported statements in there => not worth the effort.
# collect all converted rules to be able to check if we have needed sub rules for match: # collect all converted rules to be able to check if we have needed sub rules for match:
@@ -128,7 +129,8 @@ def convert_capa_number_to_yara_bytes(number):
def convert_rule_name(rule_name): def convert_rule_name(rule_name):
# yara rule names: "Identifiers must follow the same lexical conventions of the C programming language, they can contain any alphanumeric character and the underscore character, but the first character cannot be a digit. Rule identifiers are case sensitive and cannot exceed 128 characters." so we replace any non-alphanum with _ # yara rule names: "Identifiers must follow the same lexical conventions of the C programming language, they can contain any alphanumeric character and the underscore character
# but the first character cannot be a digit. Rule identifiers are case sensitive and cannot exceed 128 characters." so we replace any non-alphanum with _
rule_name = re.sub(r"\W", "_", rule_name) rule_name = re.sub(r"\W", "_", rule_name)
rule_name = "capa_" + rule_name rule_name = "capa_" + rule_name
@@ -197,7 +199,8 @@ def convert_rule(rule, rulename, cround, depth):
# even looking for empty string in dll_regex doesn't work for some files (list below) with pe.imports so do just a string search # even looking for empty string in dll_regex doesn't work for some files (list below) with pe.imports so do just a string search
# yara_condition += '\tpe.imports(/.{0,30}/i, /' + api + '/) ' # yara_condition += '\tpe.imports(/.{0,30}/i, /' + api + '/) '
# 5fbbfeed28b258c42e0cfeb16718b31c, 2D3EDC218A90F03089CC01715A9F047F, 7EFF498DE13CC734262F87E6B3EF38AB, C91887D861D9BD4A5872249B641BC9F9, a70052c45e907820187c7e6bcdc7ecca, 0596C4EA5AA8DEF47F22C85D75AACA95 # 5fbbfeed28b258c42e0cfeb16718b31c, 2D3EDC218A90F03089CC01715A9F047F, 7EFF498DE13CC734262F87E6B3EF38AB,
# C91887D861D9BD4A5872249B641BC9F9, a70052c45e907820187c7e6bcdc7ecca, 0596C4EA5AA8DEF47F22C85D75AACA95
var_name = "api_" + var_names.pop(0) var_name = "api_" + var_names.pop(0)
# limit regex with word boundary \b but also search for appended A and W # limit regex with word boundary \b but also search for appended A and W
@@ -286,7 +289,8 @@ def convert_rule(rule, rulename, cround, depth):
# all .* in the regexes of capa look like they should be maximum 100 chars so take 1000 to speed up rules and prevent yara warnings on poor performance # all .* in the regexes of capa look like they should be maximum 100 chars so take 1000 to speed up rules and prevent yara warnings on poor performance
regex = regex.replace(".*", ".{,1000}") regex = regex.replace(".*", ".{,1000}")
# strange: capa accepts regexes with unescaped / like - string: /com/exe4j/runtime/exe4jcontroller/i in capa-rules/compiler/exe4j/compiled-with-exe4j.yml, needs a fix for yara: # strange: capa accepts regexes with unescaped /
# like - string: /com/exe4j/runtime/exe4jcontroller/i in capa-rules/compiler/exe4j/compiled-with-exe4j.yml, needs a fix for yara:
# would assume that get_value_str() gives the raw string # would assume that get_value_str() gives the raw string
regex = re.sub(r"(?<!\\)/", r"\/", regex) regex = re.sub(r"(?<!\\)/", r"\/", regex)
@@ -294,7 +298,8 @@ def convert_rule(rule, rulename, cround, depth):
# /reg(|.exe)/ => /reg(.exe)?/ # /reg(|.exe)/ => /reg(.exe)?/
regex = re.sub(r"\(\|([^\)]+)\)", r"(\1)?", regex) regex = re.sub(r"\(\|([^\)]+)\)", r"(\1)?", regex)
# change beginning of line to null byte, e.g. /^open => /\x00open (not word boundary because we're not looking for the beginning of a word in a text but usually a function name if there's ^ in a capa rule) # change beginning of line to null byte, e.g. /^open => /\x00open
# (not word boundary because we're not looking for the beginning of a word in a text but usually a function name if there's ^ in a capa rule)
regex = re.sub(r"^\^", r"\\x00", regex) regex = re.sub(r"^\^", r"\\x00", regex)
# regex = re.sub(r"^\^", r"\\b", regex) # regex = re.sub(r"^\^", r"\\b", regex)
@@ -420,7 +425,8 @@ def convert_rule(rule, rulename, cround, depth):
) )
# remove last 'or' # remove last 'or'
# yara_condition = re.sub(r'\sor $', ' ', yara_condition) # yara_condition = re.sub(r'\sor $', ' ', yara_condition)
rule_comment += "This rule is incomplete because a branch inside an Or-statement had an unsupported feature and was skipped => coverage is reduced compared to the original capa rule. " rule_comment += "This rule is incomplete because a branch inside an Or-statement had an unsupported feature and was skipped "
rule_comment += "=> coverage is reduced compared to the original capa rule. "
x += 1 x += 1
incomplete = 1 incomplete = 1
continue continue
@@ -446,7 +452,8 @@ def convert_rule(rule, rulename, cround, depth):
+ str(depth) + str(depth)
) )
rule_comment += "This rule is incomplete because a branch inside an Or-statement had an unsupported feature and was skipped => coverage is reduced compared to the original capa rule. " rule_comment += "This rule is incomplete because a branch inside an Or-statement had an unsupported feature and was skipped"
rule_comment += "=> coverage is reduced compared to the original capa rule. "
x += 1 x += 1
incomplete = 1 incomplete = 1
continue continue
@@ -669,7 +676,8 @@ def convert_rules(rules, namespaces, cround, make_priv):
yara += " condition:" + condition_header + yara_condition + "\n}" yara += " condition:" + condition_header + yara_condition + "\n}"
# TODO: now the rule is finished and could be automatically checked with the capa-testfile(s) named in meta (doing it for all of them using yara-ci upload at the moment) # TODO: now the rule is finished and could be automatically checked with the capa-testfile(s) named in meta
# (doing it for all of them using yara-ci upload at the moment)
output_yar(yara) output_yar(yara)
converted_rules.append(rule_name) converted_rules.append(rule_name)
count_incomplete += incomplete count_incomplete += incomplete
@@ -719,7 +727,7 @@ def main(argv=None):
"// Rules from Mandiant's https://github.com/mandiant/capa-rules converted to YARA using https://github.com/mandiant/capa/blob/master/scripts/capa2yara.py by Arnim Rupp" "// Rules from Mandiant's https://github.com/mandiant/capa-rules converted to YARA using https://github.com/mandiant/capa/blob/master/scripts/capa2yara.py by Arnim Rupp"
) )
output_yar( output_yar(
"// Beware: These are less rules than capa (because not all fit into YARA, stats at EOF) and is less precise because e.g. capas function scopes are applied to the whole file" "// Beware: These are less rules than capa (because not all fit into YARA, stats at EOF) and is less precise e.g. capas function scopes are applied to the whole file"
) )
output_yar( output_yar(
'// Beware: Some rules are incomplete because an optional branch was not supported by YARA. These rules are marked in a comment in meta: (search for "incomplete")' '// Beware: Some rules are incomplete because an optional branch was not supported by YARA. These rules are marked in a comment in meta: (search for "incomplete")'

1
setup.py
View File

@@ -74,6 +74,7 @@ setuptools.setup(
"pytest-instafail==0.5.0", "pytest-instafail==0.5.0",
"pytest-cov==4.0.0", "pytest-cov==4.0.0",
"pycodestyle==2.10.0", "pycodestyle==2.10.0",
"ruff==0.0.260",
"black==23.3.0", "black==23.3.0",
"isort==5.11.4", "isort==5.11.4",
"mypy==1.2.0", "mypy==1.2.0",

130
tests/test_engine.py
View File

@@ -17,112 +17,116 @@ ADDR4 = capa.features.address.AbsoluteVirtualAddress(0x401004)
def test_number(): def test_number():
assert Number(1).evaluate({Number(0): {ADDR1}}) == False assert bool(Number(1).evaluate({Number(0): {ADDR1}})) is False
assert Number(1).evaluate({Number(1): {ADDR1}}) == True assert bool(Number(1).evaluate({Number(1): {ADDR1}})) is True
assert Number(1).evaluate({Number(2): {ADDR1, ADDR2}}) == False assert bool(Number(1).evaluate({Number(2): {ADDR1, ADDR2}})) is False
def test_and(): def test_and():
assert And([Number(1)]).evaluate({Number(0): {ADDR1}}) == False assert bool(And([Number(1)]).evaluate({Number(0): {ADDR1}})) is False
assert And([Number(1)]).evaluate({Number(1): {ADDR1}}) == True assert bool(And([Number(1)]).evaluate({Number(1): {ADDR1}})) is True
assert And([Number(1), Number(2)]).evaluate({Number(0): {ADDR1}}) == False assert bool(And([Number(1), Number(2)]).evaluate({Number(0): {ADDR1}})) is False
assert And([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}}) == False assert bool(And([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}})) is False
assert And([Number(1), Number(2)]).evaluate({Number(2): {ADDR1}}) == False assert bool(And([Number(1), Number(2)]).evaluate({Number(2): {ADDR1}})) is False
assert And([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}, Number(2): {ADDR2}}) == True assert bool(And([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}, Number(2): {ADDR2}})) is True
def test_or(): def test_or():
assert Or([Number(1)]).evaluate({Number(0): {ADDR1}}) == False assert bool(Or([Number(1)]).evaluate({Number(0): {ADDR1}})) is False
assert Or([Number(1)]).evaluate({Number(1): {ADDR1}}) == True assert bool(Or([Number(1)]).evaluate({Number(1): {ADDR1}})) is True
assert Or([Number(1), Number(2)]).evaluate({Number(0): {ADDR1}}) == False assert bool(Or([Number(1), Number(2)]).evaluate({Number(0): {ADDR1}})) is False
assert Or([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}}) == True assert bool(Or([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}})) is True
assert Or([Number(1), Number(2)]).evaluate({Number(2): {ADDR1}}) == True assert bool(Or([Number(1), Number(2)]).evaluate({Number(2): {ADDR1}})) is True
assert Or([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}, Number(2): {ADDR2}}) == True assert bool(Or([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}, Number(2): {ADDR2}})) is True
def test_not(): def test_not():
assert Not(Number(1)).evaluate({Number(0): {ADDR1}}) == True assert bool(Not(Number(1)).evaluate({Number(0): {ADDR1}})) is True
assert Not(Number(1)).evaluate({Number(1): {ADDR1}}) == False assert bool(Not(Number(1)).evaluate({Number(1): {ADDR1}})) is False
def test_some(): def test_some():
assert Some(0, [Number(1)]).evaluate({Number(0): {ADDR1}}) == True assert bool(Some(0, [Number(1)]).evaluate({Number(0): {ADDR1}})) is True
assert Some(1, [Number(1)]).evaluate({Number(0): {ADDR1}}) == False assert bool(Some(1, [Number(1)]).evaluate({Number(0): {ADDR1}})) is False
assert Some(2, [Number(1), Number(2), Number(3)]).evaluate({Number(0): {ADDR1}}) == False assert bool(Some(2, [Number(1), Number(2), Number(3)]).evaluate({Number(0): {ADDR1}})) is False
assert Some(2, [Number(1), Number(2), Number(3)]).evaluate({Number(0): {ADDR1}, Number(1): {ADDR1}}) == False assert bool(Some(2, [Number(1), Number(2), Number(3)]).evaluate({Number(0): {ADDR1}, Number(1): {ADDR1}})) is False
assert ( assert (
Some(2, [Number(1), Number(2), Number(3)]).evaluate( bool(
{Number(0): {ADDR1}, Number(1): {ADDR1}, Number(2): {ADDR1}} Some(2, [Number(1), Number(2), Number(3)]).evaluate(
{Number(0): {ADDR1}, Number(1): {ADDR1}, Number(2): {ADDR1}}
)
) )
== True is True
) )
assert ( assert (
Some(2, [Number(1), Number(2), Number(3)]).evaluate( bool(
{Number(0): {ADDR1}, Number(1): {ADDR1}, Number(2): {ADDR1}, Number(3): {ADDR1}} Some(2, [Number(1), Number(2), Number(3)]).evaluate(
{Number(0): {ADDR1}, Number(1): {ADDR1}, Number(2): {ADDR1}, Number(3): {ADDR1}}
)
) )
== True is True
) )
assert ( assert (
Some(2, [Number(1), Number(2), Number(3)]).evaluate( bool(
{ Some(2, [Number(1), Number(2), Number(3)]).evaluate(
Number(0): {ADDR1}, {Number(0): {ADDR1}, Number(1): {ADDR1}, Number(2): {ADDR1}, Number(3): {ADDR1}, Number(4): {ADDR1}}
Number(1): {ADDR1}, )
Number(2): {ADDR1},
Number(3): {ADDR1},
Number(4): {ADDR1},
}
) )
== True is True
) )
def test_complex(): def test_complex():
assert True == Or( assert True is bool(
[And([Number(1), Number(2)]), Or([Number(3), Some(2, [Number(4), Number(5), Number(6)])])] Or([And([Number(1), Number(2)]), Or([Number(3), Some(2, [Number(4), Number(5), Number(6)])])]).evaluate(
).evaluate({Number(5): {ADDR1}, Number(6): {ADDR1}, Number(7): {ADDR1}, Number(8): {ADDR1}}) {Number(5): {ADDR1}, Number(6): {ADDR1}, Number(7): {ADDR1}, Number(8): {ADDR1}}
)
)
assert False == Or([And([Number(1), Number(2)]), Or([Number(3), Some(2, [Number(4), Number(5)])])]).evaluate( assert False is bool(
{Number(5): {ADDR1}, Number(6): {ADDR1}, Number(7): {ADDR1}, Number(8): {ADDR1}} Or([And([Number(1), Number(2)]), Or([Number(3), Some(2, [Number(4), Number(5)])])]).evaluate(
{Number(5): {ADDR1}, Number(6): {ADDR1}, Number(7): {ADDR1}, Number(8): {ADDR1}}
)
) )
def test_range(): def test_range():
# unbounded range, but no matching feature # unbounded range, but no matching feature
# since the lower bound is zero, and there are zero matches, ok # since the lower bound is zero, and there are zero matches, ok
assert Range(Number(1)).evaluate({Number(2): {}}) == True assert bool(Range(Number(1)).evaluate({Number(2): {}})) is True
# unbounded range with matching feature should always match # unbounded range with matching feature should always match
assert Range(Number(1)).evaluate({Number(1): {}}) == True assert bool(Range(Number(1)).evaluate({Number(1): {}})) is True
assert Range(Number(1)).evaluate({Number(1): {ADDR1}}) == True assert bool(Range(Number(1)).evaluate({Number(1): {ADDR1}})) is True
# unbounded max # unbounded max
assert Range(Number(1), min=1).evaluate({Number(1): {ADDR1}}) == True assert bool(Range(Number(1), min=1).evaluate({Number(1): {ADDR1}})) is True
assert Range(Number(1), min=2).evaluate({Number(1): {ADDR1}}) == False assert bool(Range(Number(1), min=2).evaluate({Number(1): {ADDR1}})) is False
assert Range(Number(1), min=2).evaluate({Number(1): {ADDR1, ADDR2}}) == True assert bool(Range(Number(1), min=2).evaluate({Number(1): {ADDR1, ADDR2}})) is True
# unbounded min # unbounded min
assert Range(Number(1), max=0).evaluate({Number(1): {ADDR1}}) == False assert bool(Range(Number(1), max=0).evaluate({Number(1): {ADDR1}})) is False
assert Range(Number(1), max=1).evaluate({Number(1): {ADDR1}}) == True assert bool(Range(Number(1), max=1).evaluate({Number(1): {ADDR1}})) is True
assert Range(Number(1), max=2).evaluate({Number(1): {ADDR1}}) == True assert bool(Range(Number(1), max=2).evaluate({Number(1): {ADDR1}})) is True
assert Range(Number(1), max=2).evaluate({Number(1): {ADDR1, ADDR2}}) == True assert bool(Range(Number(1), max=2).evaluate({Number(1): {ADDR1, ADDR2}})) is True
assert Range(Number(1), max=2).evaluate({Number(1): {ADDR1, ADDR2, ADDR3}}) == False assert bool(Range(Number(1), max=2).evaluate({Number(1): {ADDR1, ADDR2, ADDR3}})) is False
# we can do an exact match by setting min==max # we can do an exact match by setting min==max
assert Range(Number(1), min=1, max=1).evaluate({Number(1): {}}) == False assert bool(Range(Number(1), min=1, max=1).evaluate({Number(1): {}})) is False
assert Range(Number(1), min=1, max=1).evaluate({Number(1): {ADDR1}}) == True assert bool(Range(Number(1), min=1, max=1).evaluate({Number(1): {ADDR1}})) is True
assert Range(Number(1), min=1, max=1).evaluate({Number(1): {ADDR1, ADDR2}}) == False assert bool(Range(Number(1), min=1, max=1).evaluate({Number(1): {ADDR1, ADDR2}})) is False
# bounded range # bounded range
assert Range(Number(1), min=1, max=3).evaluate({Number(1): {}}) == False assert bool(Range(Number(1), min=1, max=3).evaluate({Number(1): {}})) is False
assert Range(Number(1), min=1, max=3).evaluate({Number(1): {ADDR1}}) == True assert bool(Range(Number(1), min=1, max=3).evaluate({Number(1): {ADDR1}})) is True
assert Range(Number(1), min=1, max=3).evaluate({Number(1): {ADDR1, ADDR2}}) == True assert bool(Range(Number(1), min=1, max=3).evaluate({Number(1): {ADDR1, ADDR2}})) is True
assert Range(Number(1), min=1, max=3).evaluate({Number(1): {ADDR1, ADDR2, ADDR3}}) == True assert bool(Range(Number(1), min=1, max=3).evaluate({Number(1): {ADDR1, ADDR2, ADDR3}})) is True
assert Range(Number(1), min=1, max=3).evaluate({Number(1): {ADDR1, ADDR2, ADDR3, ADDR4}}) == False assert bool(Range(Number(1), min=1, max=3).evaluate({Number(1): {ADDR1, ADDR2, ADDR3, ADDR4}})) is False
def test_short_circuit(): def test_short_circuit():
assert Or([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}}) == True assert bool(Or([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}})) is True
# with short circuiting, only the children up until the first satisfied child are captured. # with short circuiting, only the children up until the first satisfied child are captured.
assert len(Or([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}}, short_circuit=True).children) == 1 assert len(Or([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}}, short_circuit=True).children) == 1
@@ -131,8 +135,8 @@ def test_short_circuit():
def test_eval_order(): def test_eval_order():
# base cases. # base cases.
assert Or([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}}) == True assert bool(Or([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}})) is True
assert Or([Number(1), Number(2)]).evaluate({Number(2): {ADDR1}}) == True assert bool(Or([Number(1), Number(2)]).evaluate({Number(2): {ADDR1}})) is True
# with short circuiting, only the children up until the first satisfied child are captured. # with short circuiting, only the children up until the first satisfied child are captured.
assert len(Or([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}}).children) == 1 assert len(Or([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}}).children) == 1

6
tests/test_function_id.py
View File

@@ -4,20 +4,20 @@ import capa.features.insn
def test_function_id_simple_match(pma16_01_extractor): def test_function_id_simple_match(pma16_01_extractor):
assert pma16_01_extractor.is_library_function(0x407490) == True assert pma16_01_extractor.is_library_function(0x407490) is True
assert pma16_01_extractor.get_function_name(0x407490) == "__aulldiv" assert pma16_01_extractor.get_function_name(0x407490) == "__aulldiv"
def test_function_id_gz_pat(pma16_01_extractor): def test_function_id_gz_pat(pma16_01_extractor):
# aullrem is stored in `test_aullrem.pat.gz` # aullrem is stored in `test_aullrem.pat.gz`
assert pma16_01_extractor.is_library_function(0x407500) == True assert pma16_01_extractor.is_library_function(0x407500) is True
assert pma16_01_extractor.get_function_name(0x407500) == "__aullrem" assert pma16_01_extractor.get_function_name(0x407500) == "__aullrem"
def test_function_id_complex_match(pma16_01_extractor): def test_function_id_complex_match(pma16_01_extractor):
# 0x405714 is __spawnlp which requires recursive match of __spawnvp at 0x407FAB # 0x405714 is __spawnlp which requires recursive match of __spawnvp at 0x407FAB
# (and __spawnvpe at 0x409DE8) # (and __spawnvpe at 0x409DE8)
assert pma16_01_extractor.is_library_function(0x405714) == True assert pma16_01_extractor.is_library_function(0x405714) is True
assert pma16_01_extractor.get_function_name(0x405714) == "__spawnlp" assert pma16_01_extractor.get_function_name(0x405714) == "__spawnlp"

136
tests/test_rules.py
View File

@@ -40,8 +40,8 @@ ADDR4 = capa.features.address.AbsoluteVirtualAddress(0x401004)
def test_rule_ctor(): def test_rule_ctor():
r = capa.rules.Rule("test rule", capa.rules.FUNCTION_SCOPE, Or([Number(1)]), {}) r = capa.rules.Rule("test rule", capa.rules.FUNCTION_SCOPE, Or([Number(1)]), {})
assert r.evaluate({Number(0): {ADDR1}}) == False assert bool(r.evaluate({Number(0): {ADDR1}})) is False
assert r.evaluate({Number(1): {ADDR2}}) == True assert bool(r.evaluate({Number(1): {ADDR2}})) is True
def test_rule_yaml(): def test_rule_yaml():
@@ -63,10 +63,10 @@ def test_rule_yaml():
""" """
) )
r = capa.rules.Rule.from_yaml(rule) r = capa.rules.Rule.from_yaml(rule)
assert r.evaluate({Number(0): {ADDR1}}) == False assert bool(r.evaluate({Number(0): {ADDR1}})) is False
assert r.evaluate({Number(0): {ADDR1}, Number(1): {ADDR1}}) == False assert bool(r.evaluate({Number(0): {ADDR1}, Number(1): {ADDR1}})) is False
assert r.evaluate({Number(0): {ADDR1}, Number(1): {ADDR1}, Number(2): {ADDR1}}) == True assert bool(r.evaluate({Number(0): {ADDR1}, Number(1): {ADDR1}, Number(2): {ADDR1}})) is True
assert r.evaluate({Number(0): {ADDR1}, Number(1): {ADDR1}, Number(2): {ADDR1}, Number(3): {ADDR1}}) == True assert bool(r.evaluate({Number(0): {ADDR1}, Number(1): {ADDR1}, Number(2): {ADDR1}, Number(3): {ADDR1}})) is True
def test_rule_yaml_complex(): def test_rule_yaml_complex():
@@ -89,8 +89,8 @@ def test_rule_yaml_complex():
""" """
) )
r = capa.rules.Rule.from_yaml(rule) r = capa.rules.Rule.from_yaml(rule)
assert r.evaluate({Number(5): {ADDR1}, Number(6): {ADDR1}, Number(7): {ADDR1}, Number(8): {ADDR1}}) == True assert bool(r.evaluate({Number(5): {ADDR1}, Number(6): {ADDR1}, Number(7): {ADDR1}, Number(8): {ADDR1}})) is True
assert r.evaluate({Number(6): {ADDR1}, Number(7): {ADDR1}, Number(8): {ADDR1}}) == False assert bool(r.evaluate({Number(6): {ADDR1}, Number(7): {ADDR1}, Number(8): {ADDR1}})) is False
def test_rule_descriptions(): def test_rule_descriptions():
@@ -167,8 +167,8 @@ def test_rule_yaml_not():
""" """
) )
r = capa.rules.Rule.from_yaml(rule) r = capa.rules.Rule.from_yaml(rule)
assert r.evaluate({Number(1): {ADDR1}}) == True assert bool(r.evaluate({Number(1): {ADDR1}})) is True
assert r.evaluate({Number(1): {ADDR1}, Number(2): {ADDR1}}) == False assert bool(r.evaluate({Number(1): {ADDR1}, Number(2): {ADDR1}})) is False
def test_rule_yaml_count(): def test_rule_yaml_count():
@@ -182,9 +182,9 @@ def test_rule_yaml_count():
""" """
) )
r = capa.rules.Rule.from_yaml(rule) r = capa.rules.Rule.from_yaml(rule)
assert r.evaluate({Number(100): set()}) == False assert bool(r.evaluate({Number(100): set()})) is False
assert r.evaluate({Number(100): {ADDR1}}) == True assert bool(r.evaluate({Number(100): {ADDR1}})) is True
assert r.evaluate({Number(100): {ADDR1, ADDR2}}) == False assert bool(r.evaluate({Number(100): {ADDR1, ADDR2}})) is False
def test_rule_yaml_count_range(): def test_rule_yaml_count_range():
@@ -198,10 +198,10 @@ def test_rule_yaml_count_range():
""" """
) )
r = capa.rules.Rule.from_yaml(rule) r = capa.rules.Rule.from_yaml(rule)
assert r.evaluate({Number(100): set()}) == False assert bool(r.evaluate({Number(100): set()})) is False
assert r.evaluate({Number(100): {ADDR1}}) == True assert bool(r.evaluate({Number(100): {ADDR1}})) is True
assert r.evaluate({Number(100): {ADDR1, ADDR2}}) == True assert bool(r.evaluate({Number(100): {ADDR1, ADDR2}})) is True
assert r.evaluate({Number(100): {ADDR1, ADDR2, ADDR3}}) == False assert bool(r.evaluate({Number(100): {ADDR1, ADDR2, ADDR3}})) is False
def test_rule_yaml_count_string(): def test_rule_yaml_count_string():
@@ -215,10 +215,10 @@ def test_rule_yaml_count_string():
""" """
) )
r = capa.rules.Rule.from_yaml(rule) r = capa.rules.Rule.from_yaml(rule)
assert r.evaluate({String("foo"): set()}) == False assert bool(r.evaluate({String("foo"): set()})) is False
assert r.evaluate({String("foo"): {ADDR1}}) == False assert bool(r.evaluate({String("foo"): {ADDR1}})) is False
assert r.evaluate({String("foo"): {ADDR1, ADDR2}}) == True assert bool(r.evaluate({String("foo"): {ADDR1, ADDR2}})) is True
assert r.evaluate({String("foo"): {ADDR1, ADDR2, ADDR3}}) == False assert bool(r.evaluate({String("foo"): {ADDR1, ADDR2, ADDR3}})) is False
def test_invalid_rule_feature(): def test_invalid_rule_feature():
@@ -466,12 +466,12 @@ def test_number_symbol():
) )
r = capa.rules.Rule.from_yaml(rule) r = capa.rules.Rule.from_yaml(rule)
children = list(r.statement.get_children()) children = list(r.statement.get_children())
assert (Number(1) in children) == True assert (Number(1) in children) is True
assert (Number(0xFFFFFFFF) in children) == True assert (Number(0xFFFFFFFF) in children) is True
assert (Number(2, description="symbol name") in children) == True assert (Number(2, description="symbol name") in children) is True
assert (Number(3, description="symbol name") in children) == True assert (Number(3, description="symbol name") in children) is True
assert (Number(4, description="symbol name = another name") in children) == True assert (Number(4, description="symbol name = another name") in children) is True
assert (Number(0x100, description="symbol name") in children) == True assert (Number(0x100, description="symbol name") in children) is True
def test_count_number_symbol(): def test_count_number_symbol():
@@ -488,11 +488,11 @@ def test_count_number_symbol():
""" """
) )
r = capa.rules.Rule.from_yaml(rule) r = capa.rules.Rule.from_yaml(rule)
assert r.evaluate({Number(2): set()}) == False assert bool(r.evaluate({Number(2): set()})) is False
assert r.evaluate({Number(2): {ADDR1}}) == True assert bool(r.evaluate({Number(2): {ADDR1}})) is True
assert r.evaluate({Number(2): {ADDR1, ADDR2}}) == False assert bool(r.evaluate({Number(2): {ADDR1, ADDR2}})) is False
assert r.evaluate({Number(0x100, description="symbol name"): {ADDR1}}) == False assert bool(r.evaluate({Number(0x100, description="symbol name"): {ADDR1}})) is False
assert r.evaluate({Number(0x100, description="symbol name"): {ADDR1, ADDR2, ADDR3}}) == True assert bool(r.evaluate({Number(0x100, description="symbol name"): {ADDR1, ADDR2, ADDR3}})) is True
def test_invalid_number(): def test_invalid_number():
@@ -553,11 +553,11 @@ def test_offset_symbol():
) )
r = capa.rules.Rule.from_yaml(rule) r = capa.rules.Rule.from_yaml(rule)
children = list(r.statement.get_children()) children = list(r.statement.get_children())
assert (Offset(1) in children) == True assert (Offset(1) in children) is True
assert (Offset(2, description="symbol name") in children) == True assert (Offset(2, description="symbol name") in children) is True
assert (Offset(3, description="symbol name") in children) == True assert (Offset(3, description="symbol name") in children) is True
assert (Offset(4, description="symbol name = another name") in children) == True assert (Offset(4, description="symbol name = another name") in children) is True
assert (Offset(0x100, description="symbol name") in children) == True assert (Offset(0x100, description="symbol name") in children) is True
def test_count_offset_symbol(): def test_count_offset_symbol():
@@ -574,11 +574,11 @@ def test_count_offset_symbol():
""" """
) )
r = capa.rules.Rule.from_yaml(rule) r = capa.rules.Rule.from_yaml(rule)
assert r.evaluate({Offset(2): set()}) == False assert bool(r.evaluate({Offset(2): set()})) is False
assert r.evaluate({Offset(2): {ADDR1}}) == True assert bool(r.evaluate({Offset(2): {ADDR1}})) is True
assert r.evaluate({Offset(2): {ADDR1, ADDR2}}) == False assert bool(r.evaluate({Offset(2): {ADDR1, ADDR2}})) is False
assert r.evaluate({Offset(0x100, description="symbol name"): {ADDR1}}) == False assert bool(r.evaluate({Offset(0x100, description="symbol name"): {ADDR1}})) is False
assert r.evaluate({Offset(0x100, description="symbol name"): {ADDR1, ADDR2, ADDR3}}) == True assert bool(r.evaluate({Offset(0x100, description="symbol name"): {ADDR1, ADDR2, ADDR3}})) is True
def test_invalid_offset(): def test_invalid_offset():
@@ -664,8 +664,8 @@ def test_explicit_string_values_int():
) )
r = capa.rules.Rule.from_yaml(rule) r = capa.rules.Rule.from_yaml(rule)
children = list(r.statement.get_children()) children = list(r.statement.get_children())
assert (String("123") in children) == True assert (String("123") in children) is True
assert (String("0x123") in children) == True assert (String("0x123") in children) is True
def test_string_values_special_characters(): def test_string_values_special_characters():
@@ -683,8 +683,8 @@ def test_string_values_special_characters():
) )
r = capa.rules.Rule.from_yaml(rule) r = capa.rules.Rule.from_yaml(rule)
children = list(r.statement.get_children()) children = list(r.statement.get_children())
assert (String("hello\r\nworld") in children) == True assert (String("hello\r\nworld") in children) is True
assert (String("bye\nbye") in children) == True assert (String("bye\nbye") in children) is True
def test_substring_feature(): def test_substring_feature():
@@ -702,9 +702,9 @@ def test_substring_feature():
) )
r = capa.rules.Rule.from_yaml(rule) r = capa.rules.Rule.from_yaml(rule)
children = list(r.statement.get_children()) children = list(r.statement.get_children())
assert (Substring("abc") in children) == True assert (Substring("abc") in children) is True
assert (Substring("def") in children) == True assert (Substring("def") in children) is True
assert (Substring("gh\ni") in children) == True assert (Substring("gh\ni") in children) is True
def test_substring_description(): def test_substring_description():
@@ -721,7 +721,7 @@ def test_substring_description():
) )
r = capa.rules.Rule.from_yaml(rule) r = capa.rules.Rule.from_yaml(rule)
children = list(r.statement.get_children()) children = list(r.statement.get_children())
assert (Substring("abc") in children) == True assert (Substring("abc") in children) is True
def test_filter_rules(): def test_filter_rules():
@@ -902,9 +902,9 @@ def test_function_name_features():
) )
r = capa.rules.Rule.from_yaml(rule) r = capa.rules.Rule.from_yaml(rule)
children = list(r.statement.get_children()) children = list(r.statement.get_children())
assert (FunctionName("strcpy") in children) == True assert (FunctionName("strcpy") in children) is True
assert (FunctionName("strcmp", description="copy from here to there") in children) == True assert (FunctionName("strcmp", description="copy from here to there") in children) is True
assert (FunctionName("strdup", description="duplicate a string") in children) == True assert (FunctionName("strdup", description="duplicate a string") in children) is True
def test_os_features(): def test_os_features():
@@ -921,8 +921,8 @@ def test_os_features():
) )
r = capa.rules.Rule.from_yaml(rule) r = capa.rules.Rule.from_yaml(rule)
children = list(r.statement.get_children()) children = list(r.statement.get_children())
assert (OS(OS_WINDOWS) in children) == True assert (OS(OS_WINDOWS) in children) is True
assert (OS(OS_LINUX) not in children) == True assert (OS(OS_LINUX) not in children) is True
def test_format_features(): def test_format_features():
@@ -939,8 +939,8 @@ def test_format_features():
) )
r = capa.rules.Rule.from_yaml(rule) r = capa.rules.Rule.from_yaml(rule)
children = list(r.statement.get_children()) children = list(r.statement.get_children())
assert (Format(FORMAT_PE) in children) == True assert (Format(FORMAT_PE) in children) is True
assert (Format(FORMAT_ELF) not in children) == True assert (Format(FORMAT_ELF) not in children) is True
def test_arch_features(): def test_arch_features():
@@ -957,8 +957,8 @@ def test_arch_features():
) )
r = capa.rules.Rule.from_yaml(rule) r = capa.rules.Rule.from_yaml(rule)
children = list(r.statement.get_children()) children = list(r.statement.get_children())
assert (Arch(ARCH_AMD64) in children) == True assert (Arch(ARCH_AMD64) in children) is True
assert (Arch(ARCH_I386) not in children) == True assert (Arch(ARCH_I386) not in children) is True
def test_property_access(): def test_property_access():
@@ -973,10 +973,10 @@ def test_property_access():
""" """
) )
) )
assert r.evaluate({Property("System.IO.FileInfo::Length", access=FeatureAccess.READ): {ADDR1}}) == True assert bool(r.evaluate({Property("System.IO.FileInfo::Length", access=FeatureAccess.READ): {ADDR1}})) is True
assert r.evaluate({Property("System.IO.FileInfo::Length"): {ADDR1}}) == False assert bool(r.evaluate({Property("System.IO.FileInfo::Length"): {ADDR1}})) is False
assert r.evaluate({Property("System.IO.FileInfo::Length", access=FeatureAccess.WRITE): {ADDR1}}) == False assert bool(r.evaluate({Property("System.IO.FileInfo::Length", access=FeatureAccess.WRITE): {ADDR1}})) is False
def test_property_access_symbol(): def test_property_access_symbol():
@@ -992,8 +992,14 @@ def test_property_access_symbol():
) )
) )
assert ( assert (
r.evaluate( bool(
{Property("System.IO.FileInfo::Length", access=FeatureAccess.READ, description="some property"): {ADDR1}} r.evaluate(
{
Property("System.IO.FileInfo::Length", access=FeatureAccess.READ, description="some property"): {
ADDR1
}
}
)
) )
== True is True
) )