Merge remote-tracking branch 'parentrepo/dynamic-feature-extraction' into sync-1657

2025-12-22 07:10:29 -08:00 · 2023-07-20 09:33:48 +01:00
parent 4eabee7329 ce15a2b01e
commit e38e56ccf6
47 changed files with 1782 additions and 210 deletions
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
@@ -39,7 +39,9 @@ ADDR4 = capa.features.address.AbsoluteVirtualAddress(0x401004)


 def test_rule_ctor():
-    r = capa.rules.Rule("test rule", capa.rules.FUNCTION_SCOPE, Or([Number(1)]), {})
+    r = capa.rules.Rule(
+        "test rule", capa.rules.Scopes(capa.rules.FUNCTION_SCOPE, capa.rules.FILE_SCOPE), Or([Number(1)]), {}
+    )
    assert bool(r.evaluate({Number(0): {ADDR1}})) is False
    assert bool(r.evaluate({Number(1): {ADDR2}})) is True

@@ -52,7 +54,9 @@ def test_rule_yaml():
                name: test rule
                authors:
                    - user@domain.com
-                scope: function
+                scopes:
+                    static: function
+                    dynamic: dev
                examples:
                    - foo1234
                    - bar5678
@@ -242,7 +246,9 @@ def test_invalid_rule_feature():
                rule:
                    meta:
                        name: test rule
-                        scope: file
+                        scopes:
+                            static: file
+                            dynamic: dev
                    features:
                        - characteristic: nzxor
                """
@@ -256,7 +262,9 @@ def test_invalid_rule_feature():
                rule:
                    meta:
                        name: test rule
-                        scope: function
+                        scopes:
+                            static: function
+                            dynamic: dev
                    features:
                        - characteristic: embedded pe
                """
@@ -270,13 +278,31 @@ def test_invalid_rule_feature():
                rule:
                    meta:
                        name: test rule
-                        scope: basic block
+                        scopes:
+                            static: basic block
+                            dynamic: dev
                    features:
                        - characteristic: embedded pe
                """
            )
        )

+    with pytest.raises(capa.rules.InvalidRule):
+        capa.rules.Rule.from_yaml(
+            textwrap.dedent(
+                """
+                rule:
+                    meta:
+                        name: test rule
+                        scopes:
+                            static: function
+                            dynamic: process
+                    features:
+                        - mnemonic: xor
+                """
+            )
+        )
+

 def test_lib_rules():
    rules = capa.rules.RuleSet(
@@ -319,8 +345,10 @@ def test_subscope_rules():
                    """
                    rule:
                        meta:
-                            name: test rule
-                            scope: file
+                            name: test function subscope
+                            scopes:
+                                static: file
+                                dynamic: dev
                        features:
                            - and:
                                - characteristic: embedded pe
@@ -330,17 +358,61 @@ def test_subscope_rules():
                                        - characteristic: loop
                    """
                )
-            )
+            ),
+            capa.rules.Rule.from_yaml(
+                textwrap.dedent(
+                    """
+                    rule:
+                        meta:
+                            name: test process subscope
+                            scopes:
+                                static: file
+                                dynamic: file
+                        features:
+                            - and:
+                                - import: WININET.dll.HttpOpenRequestW
+                                - process:
+                                    - and:
+                                        - substring: "http://"
+                    """
+                )
+            ),
+            capa.rules.Rule.from_yaml(
+                textwrap.dedent(
+                    """
+                    rule:
+                        meta:
+                            name: test thread subscope
+                            scopes:
+                                static: file
+                                dynamic: process
+                        features:
+                            - and:
+                                 - string: "explorer.exe"
+                                 - thread:
+                                    - api: HttpOpenRequestW
+                    """
+                )
+            ),
        ]
    )
-    # the file rule scope will have one rules:
-    #  - `test rule`
-    assert len(rules.file_rules) == 1
+    # the file rule scope will have two rules:
+    #  - `test function subscope` and `test process subscope`
+    # plus the dynamic flavor of all rules
+    # assert len(rules.file_rules) == 4

-    # the function rule scope have one rule:
-    #  - the rule on which `test rule` depends
+    # the function rule scope have two rule:
+    # - the rule on which `test function subscope` depends
    assert len(rules.function_rules) == 1

+    # the process rule scope has three rules:
+    # - the rule on which `test process subscope` depends,
+    assert len(rules.process_rules) == 2
+
+    # the thread rule scope has one rule:
+    # - the rule on which `test thread subscope` depends
+    assert len(rules.thread_rules) == 1
+

 def test_duplicate_rules():
    with pytest.raises(capa.rules.InvalidRule):
@@ -445,6 +517,66 @@ def test_invalid_rules():
                """
            )
        )
+    with pytest.raises(capa.rules.InvalidRule):
+        _ = capa.rules.Rule.from_yaml(
+            textwrap.dedent(
+                """
+                rule:
+                    meta:
+                        name: test rule
+                        scopes:
+                            static: basic block
+                            behavior: process
+                    features:
+                        - number: 1
+                """
+            )
+        )
+    with pytest.raises(capa.rules.InvalidRule):
+        _ = capa.rules.Rule.from_yaml(
+            textwrap.dedent(
+                """
+                rule:
+                    meta:
+                        name: test rule
+                        scopes:
+                            legacy: basic block
+                            dynamic: process
+                    features:
+                        - number: 1
+                """
+            )
+        )
+    with pytest.raises(capa.rules.InvalidRule):
+        _ = capa.rules.Rule.from_yaml(
+            textwrap.dedent(
+                """
+                rule:
+                    meta:
+                        name: test rule
+                        scopes:
+                            static: process
+                            dynamic: process
+                    features:
+                        - number: 1
+                """
+            )
+        )
+    with pytest.raises(capa.rules.InvalidRule):
+        _ = capa.rules.Rule.from_yaml(
+            textwrap.dedent(
+                """
+                rule:
+                    meta:
+                        name: test rule
+                        scopes:
+                            static: basic block
+                            dynamic: function
+                    features:
+                        - number: 1
+                """
+            )
+        )


 def test_number_symbol():
@@ -891,7 +1023,9 @@ def test_function_name_features():
        rule:
            meta:
                name: test rule
-                scope: file
+                scopes:
+                    static: file
+                    dynamic: dev
            features:
                - and:
                    - function-name: strcpy
@@ -913,7 +1047,9 @@ def test_os_features():
        rule:
            meta:
                name: test rule
-                scope: file
+                scopes:
+                    static: file
+                    dynamic: dev
            features:
                - and:
                    - os: windows
@@ -931,7 +1067,9 @@ def test_format_features():
        rule:
            meta:
                name: test rule
-                scope: file
+                scopes:
+                    static: file
+                    dynamic: dev
            features:
                - and:
                    - format: pe
@@ -949,7 +1087,9 @@ def test_arch_features():
        rule:
            meta:
                name: test rule
-                scope: file
+                scopes:
+                    static: file
+                    dynamic: dev
            features:
                - and:
                    - arch: amd64