gitea-mirror/capa
1
0
Fork 0
mirror of https://github.com/mandiant/capa.git synced 2025-12-22 07:10:29 -08:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'parentrepo/dynamic-feature-extraction' into sync-1657

Browse Source
This commit is contained in:
Yacine Elhamer
2023-07-20 09:33:48 +01:00
parent 4eabee7329 ce15a2b01e
commit e38e56ccf6
47 changed files with 1782 additions and 210 deletions
Download Patch File Download Diff File Expand all files Collapse all files

105
tests/test_main.py
View File

@@ -9,6 +9,7 @@
import json
import textwrap
import pytest
import fixtures
import capa.main
@@ -17,6 +18,7 @@ import capa.engine
import capa.features
@pytest.mark.xfail(reason="relies on the legeacy ruleset. scopes keyword hasn't been added there")
def test_main(z9324d_extractor):
# tests rules can be loaded successfully and all output modes
path = z9324d_extractor.path
@@ -34,7 +36,9 @@ def test_main_single_rule(z9324d_extractor, tmpdir):
rule:
meta:
name: test rule
scope: file
scopes:
static: file
dynamic: dev
authors:
- test
features:
@@ -76,6 +80,7 @@ def test_main_non_ascii_filename_nonexistent(tmpdir, caplog):
assert NON_ASCII_FILENAME in caplog.text
@pytest.mark.xfail(reason="relies on the legeacy ruleset. scopes keyword hasn't been added there")
def test_main_shellcode(z499c2_extractor):
path = z499c2_extractor.path
assert capa.main.main([path, "-vv", "-f", "sc32"]) == 0
@@ -95,7 +100,9 @@ def test_ruleset():
rule:
meta:
name: file rule
scope: file
scopes:
static: file
dynamic: dev
features:
- characteristic: embedded pe
"""
@@ -107,7 +114,9 @@ def test_ruleset():
rule:
meta:
name: function rule
scope: function
scopes:
static: function
dynamic: dev
features:
- characteristic: tight loop
"""
@@ -119,17 +128,49 @@ def test_ruleset():
rule:
meta:
name: basic block rule
scope: basic block
scopes:
static: basic block
dynamic: dev
features:
- characteristic: nzxor
"""
)
),
capa.rules.Rule.from_yaml(
textwrap.dedent(
"""
rule:
meta:
name: process rule
scopes:
static: file
dynamic: process
features:
- string: "explorer.exe"
"""
)
),
capa.rules.Rule.from_yaml(
textwrap.dedent(
"""
rule:
meta:
name: thread rule
scopes:
static: function
dynamic: thread
features:
- api: RegDeleteKey
"""
)
),
]
)
assert len(rules.file_rules) == 1
assert len(rules.function_rules) == 1
assert len(rules.file_rules) == 2
assert len(rules.function_rules) == 2
assert len(rules.basic_block_rules) == 1
assert len(rules.process_rules) == 1
assert len(rules.thread_rules) == 1
def test_match_across_scopes_file_function(z9324d_extractor):
@@ -142,7 +183,9 @@ def test_match_across_scopes_file_function(z9324d_extractor):
rule:
meta:
name: install service
scope: function
scopes:
static: function
dynamic: dev
examples:
- 9324d1a8ae37a36ae560c37448c9705a:0x4073F0
features:
@@ -160,7 +203,9 @@ def test_match_across_scopes_file_function(z9324d_extractor):
rule:
meta:
name: .text section
scope: file
scopes:
static: file
dynamic: dev
examples:
- 9324d1a8ae37a36ae560c37448c9705a
features:
@@ -177,7 +222,9 @@ def test_match_across_scopes_file_function(z9324d_extractor):
rule:
meta:
name: .text section and install service
scope: file
scopes:
static: file
dynamic: dev
examples:
- 9324d1a8ae37a36ae560c37448c9705a
features:
@@ -205,7 +252,9 @@ def test_match_across_scopes(z9324d_extractor):
rule:
meta:
name: tight loop
scope: basic block
scopes:
static: basic block
dynamic: dev
examples:
- 9324d1a8ae37a36ae560c37448c9705a:0x403685
features:
@@ -221,7 +270,9 @@ def test_match_across_scopes(z9324d_extractor):
rule:
meta:
name: kill thread loop
scope: function
scopes:
static: function
dynamic: dev
examples:
- 9324d1a8ae37a36ae560c37448c9705a:0x403660
features:
@@ -239,7 +290,9 @@ def test_match_across_scopes(z9324d_extractor):
rule:
meta:
name: kill thread program
scope: file
scopes:
static: file
dynamic: dev
examples:
- 9324d1a8ae37a36ae560c37448c9705a
features:
@@ -266,7 +319,9 @@ def test_subscope_bb_rules(z9324d_extractor):
rule:
meta:
name: test rule
scope: function
scopes:
static: function
dynamic: dev
features:
- and:
- basic block:
@@ -290,7 +345,9 @@ def test_byte_matching(z9324d_extractor):
rule:
meta:
name: byte match test
scope: function
scopes:
static: function
dynamic: dev
features:
- and:
- bytes: ED 24 9E F4 52 A9 07 47 55 8E E1 AB 30 8E 23 61
@@ -313,7 +370,9 @@ def test_count_bb(z9324d_extractor):
meta:
name: count bb
namespace: test
scope: function
scopes:
static: function
dynamic: dev
features:
- and:
- count(basic blocks): 1 or more
@@ -337,7 +396,9 @@ def test_instruction_scope(z9324d_extractor):
meta:
name: push 1000
namespace: test
scope: instruction
scopes:
static: instruction
dynamic: dev
features:
- and:
- mnemonic: push
@@ -365,7 +426,9 @@ def test_instruction_subscope(z9324d_extractor):
meta:
name: push 1000 on i386
namespace: test
scope: function
scopes:
static: function
dynamic: dev
features:
- and:
- arch: i386
@@ -382,6 +445,7 @@ def test_instruction_subscope(z9324d_extractor):
assert 0x406F60 in {result[0] for result in capabilities["push 1000 on i386"]}
@pytest.mark.xfail(reason="relies on the legeacy ruleset. scopes keyword hasn't been added there")
def test_fix262(pma16_01_extractor, capsys):
path = pma16_01_extractor.path
assert capa.main.main([path, "-vv", "-t", "send HTTP request", "-q"]) == 0
@@ -391,6 +455,7 @@ def test_fix262(pma16_01_extractor, capsys):
assert "www.practicalmalwareanalysis.com" not in std.out
@pytest.mark.xfail(reason="relies on the legeacy ruleset. scopes keyword hasn't been added there")
def test_not_render_rules_also_matched(z9324d_extractor, capsys):
# rules that are also matched by other rules should not get rendered by default.
# this cuts down on the amount of output while giving approx the same detail.
@@ -417,6 +482,7 @@ def test_not_render_rules_also_matched(z9324d_extractor, capsys):
assert "create TCP socket" in std.out
@pytest.mark.xfail(reason="relies on the legeacy ruleset. scopes keyword hasn't been added there")
def test_json_meta(capsys):
path = str(fixtures.get_data_path_by_name("pma01-01"))
assert capa.main.main([path, "-j"]) == 0
@@ -432,6 +498,7 @@ def test_json_meta(capsys):
assert {"address": ["absolute", 0x10001179]} in info["matched_basic_blocks"]
@pytest.mark.xfail(reason="relies on the legeacy ruleset. scopes keyword hasn't been added there")
def test_main_dotnet(_1c444_dotnetfile_extractor):
# tests successful execution and all output modes
path = _1c444_dotnetfile_extractor.path
@@ -442,6 +509,7 @@ def test_main_dotnet(_1c444_dotnetfile_extractor):
assert capa.main.main([path]) == 0
@pytest.mark.xfail(reason="relies on the legeacy ruleset. scopes keyword hasn't been added there")
def test_main_dotnet2(_692f_dotnetfile_extractor):
# tests successful execution and one rendering
# above covers all output modes
@@ -449,18 +517,21 @@ def test_main_dotnet2(_692f_dotnetfile_extractor):
assert capa.main.main([path, "-vv"]) == 0
@pytest.mark.xfail(reason="relies on the legeacy ruleset. scopes keyword hasn't been added there")
def test_main_dotnet3(_0953c_dotnetfile_extractor):
# tests successful execution and one rendering
path = _0953c_dotnetfile_extractor.path
assert capa.main.main([path, "-vv"]) == 0
@pytest.mark.xfail(reason="relies on the legeacy ruleset. scopes keyword hasn't been added there")
def test_main_dotnet4(_039a6_dotnetfile_extractor):
# tests successful execution and one rendering
path = _039a6_dotnetfile_extractor.path
assert capa.main.main([path, "-vv"]) == 0
@pytest.mark.xfail(reason="ResultDocument hasn't been updated yet")
def test_main_rd():
path = str(fixtures.get_data_path_by_name("pma01-01-rd"))
assert capa.main.main([path, "-vv"]) == 0