fixes 249

2025-12-23 07:28:34 -08:00 · 2020-08-26 16:31:07 -06:00
parent 8be1c84fd2
commit dc8870861b
2 changed files with 31 additions and 1 deletions
--- a/capa/rules.py
+++ b/capa/rules.py
@@ -262,7 +262,7 @@ def parse_description(s, value_type, description=None):
                raise InvalidRule(
                    "unexpected bytes value: byte sequences must be no larger than %s bytes" % MAX_BYTES_FEATURE_SIZE
                )
-        elif value_type in {"number", "offset"}:
+        elif value_type in ("number", "offset") or value_type.startswith(("number/", "offset/")):
            try:
                value = parse_int(value)
            except ValueError:
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
@@ -483,6 +483,21 @@ def test_number_arch():
    assert r.evaluate({Number(2, arch=ARCH_X64): {1}}) == False


+def test_number_arch_symbol():
+    r = capa.rules.Rule.from_yaml(
+        textwrap.dedent(
+            """
+            rule:
+                meta:
+                    name: test rule
+                features:
+                    - number/x32: 2 = some constant
+            """
+        )
+    )
+    assert r.evaluate({Number(2, arch=ARCH_X32, description="some constant"): {1}}) == True
+
+
 def test_offset_symbol():
    rule = textwrap.dedent(
        """
@@ -546,6 +561,21 @@ def test_offset_arch():
    assert r.evaluate({Offset(2, arch=ARCH_X64): {1}}) == False


+def test_offset_arch_symbol():
+    r = capa.rules.Rule.from_yaml(
+        textwrap.dedent(
+            """
+            rule:
+                meta:
+                    name: test rule
+                features:
+                    - offset/x32: 2 = some constant
+            """
+        )
+    )
+    assert r.evaluate({Offset(2, arch=ARCH_X32, description="some constant"): {1}}) == True
+
+
 def test_invalid_offset():
    with pytest.raises(capa.rules.InvalidRule):
        r = capa.rules.Rule.from_yaml(