From dc8870861b5e4eaaf94b37dc318b4e07a8d7ea6b Mon Sep 17 00:00:00 2001
From: Michael Hunhoff
Date: Wed, 26 Aug 2020 16:31:07 -0600
Subject: [PATCH] fixes 249

---
 capa/rules.py | 2 +-
 tests/test_rules.py | 30 ++++++++++++++++++++++++++++++
 2 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/capa/rules.py b/capa/rules.py
index eb9cc318..6b9eba58 100644
--- a/capa/rules.py
+++ b/capa/rules.py
@@ -262,7 +262,7 @@ def parse_description(s, value_type, description=None):
 raise InvalidRule(
 "unexpected bytes value: byte sequences must be no larger than %s bytes" % MAX_BYTES_FEATURE_SIZE
 )
- elif value_type in {"number", "offset"}:
+ elif value_type in ("number", "offset") or value_type.startswith(("number/", "offset/")):
 try:
 value = parse_int(value)
 except ValueError:
diff --git a/tests/test_rules.py b/tests/test_rules.py
index 98b06949..ccc81425 100644
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
@@ -483,6 +483,21 @@ def test_number_arch():
 assert r.evaluate({Number(2, arch=ARCH_X64): {1}}) == False
 
 
+def test_number_arch_symbol():
+ r = capa.rules.Rule.from_yaml(
+ textwrap.dedent(
+ """
+ rule:
+ meta:
+ name: test rule
+ features:
+ - number/x32: 2 = some constant
+ """
+ )
+ )
+ assert r.evaluate({Number(2, arch=ARCH_X32, description="some constant"): {1}}) == True
+
+
 def test_offset_symbol():
 rule = textwrap.dedent(
 """
@@ -546,6 +561,21 @@ def test_offset_arch():
 assert r.evaluate({Offset(2, arch=ARCH_X64): {1}}) == False
 
 
+def test_offset_arch_symbol():
+ r = capa.rules.Rule.from_yaml(
+ textwrap.dedent(
+ """
+ rule:
+ meta:
+ name: test rule
+ features:
+ - offset/x32: 2 = some constant
+ """
+ )
+ )
+ assert r.evaluate({Offset(2, arch=ARCH_X32, description="some constant"): {1}}) == True
+
+
 def test_invalid_offset():
 with pytest.raises(capa.rules.InvalidRule):
 r = capa.rules.Rule.from_yaml(
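Review bot: The `startswith(("number/", "offset/"))` test on the changed `elif` line accepts any text after the slash, including an empty suffix (`number/`) or a misspelled arch, and sends the value straight to `parse_int` as if it were a plain number; nothing in this hunk inspects the suffix, so unless a later step validates it (not visible here) a typo in the arch part would silently produce a feature with no arch constraint instead of an `InvalidRule`. A tighter form is to split once and check both halves, e.g. `feature_type, _, arch = value_type.partition("/")` followed by `elif feature_type in ("number", "offset") and (not arch or arch in <set of supported arch names, e.g. the ones behind ARCH_X32/ARCH_X64>):`, which also keeps the two spellings of the same check from drifting apart. `parse_description`'s body starts before and continues after this hunk, so the suffix may be consumed further down; if it is, a one-line comment on the `elif` saying where the arch is validated would spare the next reader the same question.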
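Review bot: `test_number_arch_symbol` only pins the matching case, whereas the neighbouring `test_number_arch` (its `... arch=ARCH_X64 ...) == False` assertion is visible as context) also checks that a mismatched arch does not match; with no negative assertion here, a regression that drops the `/x32` suffix whenever a description is present would presumably still pass. Adding `assert r.evaluate({Number(2, arch=ARCH_X64, description="some constant"): {1}}) == False` after the existing assertion closes that gap, and the same applies to `test_offset_arch_symbol` in the following hunk with `Offset`. The two new tests differ only in the feature class and the key prefix, so a `pytest.mark.parametrize` over `(Number, "number")` and `(Offset, "offset")` would avoid the duplicated YAML; `pytest` is already imported, as the `pytest.raises` context line shows.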