diff --git a/.github/ruff.toml b/.github/ruff.toml index 38927883..2740b0e0 100644 --- a/.github/ruff.toml +++ b/.github/ruff.toml @@ -1,4 +1,8 @@ +# Enable pycodestyle (`E`) codes select = ["E"] + +# E402 module level import not at top of file +# E722 do not use bare 'except' ignore = ["E402", "E722"] exclude = ["*_pb2.py", "*_pb2.pyi"] diff --git a/capa/features/extractors/binja/insn.py b/capa/features/extractors/binja/insn.py index 95b0defe..fe5cd228 100644 --- a/capa/features/extractors/binja/insn.py +++ b/capa/features/extractors/binja/insn.py @@ -439,7 +439,7 @@ def extract_insn_peb_access_characteristic_features( return True value = right.value.value - if not (reg, value) in (("fsbase", 0x30), ("gsbase", 0x60)): # noqa: E713 + if (reg, value) not in (("fsbase", 0x30), ("gsbase", 0x60)): return True results.append((Characteristic("peb access"), ih.address)) diff --git a/tests/test_engine.py b/tests/test_engine.py index 43412764..c070edb8 100644 --- a/tests/test_engine.py +++ b/tests/test_engine.py @@ -17,106 +17,116 @@ ADDR4 = capa.features.address.AbsoluteVirtualAddress(0x401004) def test_number(): - assert Number(1).evaluate({Number(0): {ADDR1}}) is False - assert Number(1).evaluate({Number(1): {ADDR1}}) is True - assert Number(1).evaluate({Number(2): {ADDR1, ADDR2}}) is False + assert bool(Number(1).evaluate({Number(0): {ADDR1}})) is False + assert bool(Number(1).evaluate({Number(1): {ADDR1}})) is True + assert bool(Number(1).evaluate({Number(2): {ADDR1, ADDR2}})) is False def test_and(): - assert And([Number(1)]).evaluate({Number(0): {ADDR1}}) is False - assert And([Number(1)]).evaluate({Number(1): {ADDR1}}) is True - assert And([Number(1), Number(2)]).evaluate({Number(0): {ADDR1}}) is False - assert And([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}}) is False - assert And([Number(1), Number(2)]).evaluate({Number(2): {ADDR1}}) is False - assert And([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}, Number(2): {ADDR2}}) is True + assert bool(And([Number(1)]).evaluate({Number(0): {ADDR1}})) is False + assert bool(And([Number(1)]).evaluate({Number(1): {ADDR1}})) is True + assert bool(And([Number(1), Number(2)]).evaluate({Number(0): {ADDR1}})) is False + assert bool(And([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}})) is False + assert bool(And([Number(1), Number(2)]).evaluate({Number(2): {ADDR1}})) is False + assert bool(And([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}, Number(2): {ADDR2}})) is True def test_or(): - assert Or([Number(1)]).evaluate({Number(0): {ADDR1}}) is False - assert Or([Number(1)]).evaluate({Number(1): {ADDR1}}) is True - assert Or([Number(1), Number(2)]).evaluate({Number(0): {ADDR1}}) is False - assert Or([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}}) is True - assert Or([Number(1), Number(2)]).evaluate({Number(2): {ADDR1}}) is True - assert Or([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}, Number(2): {ADDR2}}) is True + assert bool(Or([Number(1)]).evaluate({Number(0): {ADDR1}})) is False + assert bool(Or([Number(1)]).evaluate({Number(1): {ADDR1}})) is True + assert bool(Or([Number(1), Number(2)]).evaluate({Number(0): {ADDR1}})) is False + assert bool(Or([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}})) is True + assert bool(Or([Number(1), Number(2)]).evaluate({Number(2): {ADDR1}})) is True + assert bool(Or([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}, Number(2): {ADDR2}})) is True def test_not(): - assert Not(Number(1)).evaluate({Number(0): {ADDR1}}) is True - assert Not(Number(1)).evaluate({Number(1): {ADDR1}}) is False + assert bool(Not(Number(1)).evaluate({Number(0): {ADDR1}})) is True + assert bool(Not(Number(1)).evaluate({Number(1): {ADDR1}})) is False def test_some(): - assert Some(0, [Number(1)]).evaluate({Number(0): {ADDR1}}) is True - assert Some(1, [Number(1)]).evaluate({Number(0): {ADDR1}}) is False + assert bool(Some(0, [Number(1)]).evaluate({Number(0): {ADDR1}})) is True + assert bool(Some(1, [Number(1)]).evaluate({Number(0): {ADDR1}})) is False - assert Some(2, [Number(1), Number(2), Number(3)]).evaluate({Number(0): {ADDR1}}) is False - assert Some(2, [Number(1), Number(2), Number(3)]).evaluate({Number(0): {ADDR1}, Number(1): {ADDR1}}) is False + assert bool(Some(2, [Number(1), Number(2), Number(3)]).evaluate({Number(0): {ADDR1}})) is False + assert bool(Some(2, [Number(1), Number(2), Number(3)]).evaluate({Number(0): {ADDR1}, Number(1): {ADDR1}})) is False assert ( - Some(2, [Number(1), Number(2), Number(3)]).evaluate( - {Number(0): {ADDR1}, Number(1): {ADDR1}, Number(2): {ADDR1}} + bool( + Some(2, [Number(1), Number(2), Number(3)]).evaluate( + {Number(0): {ADDR1}, Number(1): {ADDR1}, Number(2): {ADDR1}} + ) ) is True ) assert ( - Some(2, [Number(1), Number(2), Number(3)]).evaluate( - {Number(0): {ADDR1}, Number(1): {ADDR1}, Number(2): {ADDR1}, Number(3): {ADDR1}} + bool( + Some(2, [Number(1), Number(2), Number(3)]).evaluate( + {Number(0): {ADDR1}, Number(1): {ADDR1}, Number(2): {ADDR1}, Number(3): {ADDR1}} + ) ) is True ) assert ( - Some(2, [Number(1), Number(2), Number(3)]).evaluate( - {Number(0): {ADDR1}, Number(1): {ADDR1}, Number(2): {ADDR1}, Number(3): {ADDR1}, Number(4): {ADDR1}} + bool( + Some(2, [Number(1), Number(2), Number(3)]).evaluate( + {Number(0): {ADDR1}, Number(1): {ADDR1}, Number(2): {ADDR1}, Number(3): {ADDR1}, Number(4): {ADDR1}} + ) ) is True ) def test_complex(): - assert True is Or( - [And([Number(1), Number(2)]), Or([Number(3), Some(2, [Number(4), Number(5), Number(6)])])] - ).evaluate({Number(5): {ADDR1}, Number(6): {ADDR1}, Number(7): {ADDR1}, Number(8): {ADDR1}}) + assert True is bool( + Or([And([Number(1), Number(2)]), Or([Number(3), Some(2, [Number(4), Number(5), Number(6)])])]).evaluate( + {Number(5): {ADDR1}, Number(6): {ADDR1}, Number(7): {ADDR1}, Number(8): {ADDR1}} + ) + ) - assert False is Or([And([Number(1), Number(2)]), Or([Number(3), Some(2, [Number(4), Number(5)])])]).evaluate( - {Number(5): {ADDR1}, Number(6): {ADDR1}, Number(7): {ADDR1}, Number(8): {ADDR1}} + assert False is bool( + Or([And([Number(1), Number(2)]), Or([Number(3), Some(2, [Number(4), Number(5)])])]).evaluate( + {Number(5): {ADDR1}, Number(6): {ADDR1}, Number(7): {ADDR1}, Number(8): {ADDR1}} + ) ) def test_range(): # unbounded range, but no matching feature # since the lower bound is zero, and there are zero matches, ok - assert Range(Number(1)).evaluate({Number(2): {}}) is True + assert bool(Range(Number(1)).evaluate({Number(2): {}})) is True # unbounded range with matching feature should always match - assert Range(Number(1)).evaluate({Number(1): {}}) is True - assert Range(Number(1)).evaluate({Number(1): {ADDR1}}) is True + assert bool(Range(Number(1)).evaluate({Number(1): {}})) is True + assert bool(Range(Number(1)).evaluate({Number(1): {ADDR1}})) is True # unbounded max - assert Range(Number(1), min=1).evaluate({Number(1): {ADDR1}}) is True - assert Range(Number(1), min=2).evaluate({Number(1): {ADDR1}}) is False - assert Range(Number(1), min=2).evaluate({Number(1): {ADDR1, ADDR2}}) is True + assert bool(Range(Number(1), min=1).evaluate({Number(1): {ADDR1}})) is True + assert bool(Range(Number(1), min=2).evaluate({Number(1): {ADDR1}})) is False + assert bool(Range(Number(1), min=2).evaluate({Number(1): {ADDR1, ADDR2}})) is True # unbounded min - assert Range(Number(1), max=0).evaluate({Number(1): {ADDR1}}) is False - assert Range(Number(1), max=1).evaluate({Number(1): {ADDR1}}) is True - assert Range(Number(1), max=2).evaluate({Number(1): {ADDR1}}) is True - assert Range(Number(1), max=2).evaluate({Number(1): {ADDR1, ADDR2}}) is True - assert Range(Number(1), max=2).evaluate({Number(1): {ADDR1, ADDR2, ADDR3}}) is False + assert bool(Range(Number(1), max=0).evaluate({Number(1): {ADDR1}})) is False + assert bool(Range(Number(1), max=1).evaluate({Number(1): {ADDR1}})) is True + assert bool(Range(Number(1), max=2).evaluate({Number(1): {ADDR1}})) is True + assert bool(Range(Number(1), max=2).evaluate({Number(1): {ADDR1, ADDR2}})) is True + assert bool(Range(Number(1), max=2).evaluate({Number(1): {ADDR1, ADDR2, ADDR3}})) is False # we can do an exact match by setting min==max - assert Range(Number(1), min=1, max=1).evaluate({Number(1): {}}) is False - assert Range(Number(1), min=1, max=1).evaluate({Number(1): {ADDR1}}) is True - assert Range(Number(1), min=1, max=1).evaluate({Number(1): {ADDR1, ADDR2}}) is False + assert bool(Range(Number(1), min=1, max=1).evaluate({Number(1): {}})) is False + assert bool(Range(Number(1), min=1, max=1).evaluate({Number(1): {ADDR1}})) is True + assert bool(Range(Number(1), min=1, max=1).evaluate({Number(1): {ADDR1, ADDR2}})) is False # bounded range - assert Range(Number(1), min=1, max=3).evaluate({Number(1): {}}) is False - assert Range(Number(1), min=1, max=3).evaluate({Number(1): {ADDR1}}) is True - assert Range(Number(1), min=1, max=3).evaluate({Number(1): {ADDR1, ADDR2}}) is True - assert Range(Number(1), min=1, max=3).evaluate({Number(1): {ADDR1, ADDR2, ADDR3}}) is True - assert Range(Number(1), min=1, max=3).evaluate({Number(1): {ADDR1, ADDR2, ADDR3, ADDR4}}) is False + assert bool(Range(Number(1), min=1, max=3).evaluate({Number(1): {}})) is False + assert bool(Range(Number(1), min=1, max=3).evaluate({Number(1): {ADDR1}})) is True + assert bool(Range(Number(1), min=1, max=3).evaluate({Number(1): {ADDR1, ADDR2}})) is True + assert bool(Range(Number(1), min=1, max=3).evaluate({Number(1): {ADDR1, ADDR2, ADDR3}})) is True + assert bool(Range(Number(1), min=1, max=3).evaluate({Number(1): {ADDR1, ADDR2, ADDR3, ADDR4}})) is False def test_short_circuit(): - assert Or([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}}) is True + assert bool(Or([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}})) is True # with short circuiting, only the children up until the first satisfied child are captured. assert len(Or([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}}, short_circuit=True).children) == 1 @@ -125,8 +135,8 @@ def test_short_circuit(): def test_eval_order(): # base cases. - assert Or([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}}) is True - assert Or([Number(1), Number(2)]).evaluate({Number(2): {ADDR1}}) is True + assert bool(Or([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}})) is True + assert bool(Or([Number(1), Number(2)]).evaluate({Number(2): {ADDR1}})) is True # with short circuiting, only the children up until the first satisfied child are captured. assert len(Or([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}}).children) == 1 diff --git a/tests/test_rules.py b/tests/test_rules.py index b5eab288..9f07f31d 100644 --- a/tests/test_rules.py +++ b/tests/test_rules.py @@ -40,8 +40,8 @@ ADDR4 = capa.features.address.AbsoluteVirtualAddress(0x401004) def test_rule_ctor(): r = capa.rules.Rule("test rule", capa.rules.FUNCTION_SCOPE, Or([Number(1)]), {}) - assert r.evaluate({Number(0): {ADDR1}}) is False - assert r.evaluate({Number(1): {ADDR2}}) is True + assert bool(r.evaluate({Number(0): {ADDR1}})) is False + assert bool(r.evaluate({Number(1): {ADDR2}})) is True def test_rule_yaml(): @@ -63,10 +63,10 @@ def test_rule_yaml(): """ ) r = capa.rules.Rule.from_yaml(rule) - assert r.evaluate({Number(0): {ADDR1}}) is False - assert r.evaluate({Number(0): {ADDR1}, Number(1): {ADDR1}}) is False - assert r.evaluate({Number(0): {ADDR1}, Number(1): {ADDR1}, Number(2): {ADDR1}}) is True - assert r.evaluate({Number(0): {ADDR1}, Number(1): {ADDR1}, Number(2): {ADDR1}, Number(3): {ADDR1}}) is True + assert bool(r.evaluate({Number(0): {ADDR1}})) is False + assert bool(r.evaluate({Number(0): {ADDR1}, Number(1): {ADDR1}})) is False + assert bool(r.evaluate({Number(0): {ADDR1}, Number(1): {ADDR1}, Number(2): {ADDR1}})) is True + assert bool(r.evaluate({Number(0): {ADDR1}, Number(1): {ADDR1}, Number(2): {ADDR1}, Number(3): {ADDR1}})) is True def test_rule_yaml_complex(): @@ -89,8 +89,8 @@ def test_rule_yaml_complex(): """ ) r = capa.rules.Rule.from_yaml(rule) - assert r.evaluate({Number(5): {ADDR1}, Number(6): {ADDR1}, Number(7): {ADDR1}, Number(8): {ADDR1}}) is True - assert r.evaluate({Number(6): {ADDR1}, Number(7): {ADDR1}, Number(8): {ADDR1}}) is False + assert bool(r.evaluate({Number(5): {ADDR1}, Number(6): {ADDR1}, Number(7): {ADDR1}, Number(8): {ADDR1}})) is True + assert bool(r.evaluate({Number(6): {ADDR1}, Number(7): {ADDR1}, Number(8): {ADDR1}})) is False def test_rule_descriptions(): @@ -167,8 +167,8 @@ def test_rule_yaml_not(): """ ) r = capa.rules.Rule.from_yaml(rule) - assert r.evaluate({Number(1): {ADDR1}}) is True - assert r.evaluate({Number(1): {ADDR1}, Number(2): {ADDR1}}) is False + assert bool(r.evaluate({Number(1): {ADDR1}})) is True + assert bool(r.evaluate({Number(1): {ADDR1}, Number(2): {ADDR1}})) is False def test_rule_yaml_count(): @@ -182,9 +182,9 @@ def test_rule_yaml_count(): """ ) r = capa.rules.Rule.from_yaml(rule) - assert r.evaluate({Number(100): set()}) is False - assert r.evaluate({Number(100): {ADDR1}}) is True - assert r.evaluate({Number(100): {ADDR1, ADDR2}}) is False + assert bool(r.evaluate({Number(100): set()})) is False + assert bool(r.evaluate({Number(100): {ADDR1}})) is True + assert bool(r.evaluate({Number(100): {ADDR1, ADDR2}})) is False def test_rule_yaml_count_range(): @@ -198,10 +198,10 @@ def test_rule_yaml_count_range(): """ ) r = capa.rules.Rule.from_yaml(rule) - assert r.evaluate({Number(100): set()}) is False - assert r.evaluate({Number(100): {ADDR1}}) is True - assert r.evaluate({Number(100): {ADDR1, ADDR2}}) is True - assert r.evaluate({Number(100): {ADDR1, ADDR2, ADDR3}}) is False + assert bool(r.evaluate({Number(100): set()})) is False + assert bool(r.evaluate({Number(100): {ADDR1}})) is True + assert bool(r.evaluate({Number(100): {ADDR1, ADDR2}})) is True + assert bool(r.evaluate({Number(100): {ADDR1, ADDR2, ADDR3}})) is False def test_rule_yaml_count_string(): @@ -215,10 +215,10 @@ def test_rule_yaml_count_string(): """ ) r = capa.rules.Rule.from_yaml(rule) - assert r.evaluate({String("foo"): set()}) is False - assert r.evaluate({String("foo"): {ADDR1}}) is False - assert r.evaluate({String("foo"): {ADDR1, ADDR2}}) is True - assert r.evaluate({String("foo"): {ADDR1, ADDR2, ADDR3}}) is False + assert bool(r.evaluate({String("foo"): set()})) is False + assert bool(r.evaluate({String("foo"): {ADDR1}})) is False + assert bool(r.evaluate({String("foo"): {ADDR1, ADDR2}})) is True + assert bool(r.evaluate({String("foo"): {ADDR1, ADDR2, ADDR3}})) is False def test_invalid_rule_feature(): @@ -488,11 +488,11 @@ def test_count_number_symbol(): """ ) r = capa.rules.Rule.from_yaml(rule) - assert r.evaluate({Number(2): set()}) is False - assert r.evaluate({Number(2): {ADDR1}}) is True - assert r.evaluate({Number(2): {ADDR1, ADDR2}}) is False - assert r.evaluate({Number(0x100, description="symbol name"): {ADDR1}}) is False - assert r.evaluate({Number(0x100, description="symbol name"): {ADDR1, ADDR2, ADDR3}}) is True + assert bool(r.evaluate({Number(2): set()})) is False + assert bool(r.evaluate({Number(2): {ADDR1}})) is True + assert bool(r.evaluate({Number(2): {ADDR1, ADDR2}})) is False + assert bool(r.evaluate({Number(0x100, description="symbol name"): {ADDR1}})) is False + assert bool(r.evaluate({Number(0x100, description="symbol name"): {ADDR1, ADDR2, ADDR3}})) is True def test_invalid_number(): @@ -574,11 +574,11 @@ def test_count_offset_symbol(): """ ) r = capa.rules.Rule.from_yaml(rule) - assert r.evaluate({Offset(2): set()}) is False - assert r.evaluate({Offset(2): {ADDR1}}) is True - assert r.evaluate({Offset(2): {ADDR1, ADDR2}}) is False - assert r.evaluate({Offset(0x100, description="symbol name"): {ADDR1}}) is False - assert r.evaluate({Offset(0x100, description="symbol name"): {ADDR1, ADDR2, ADDR3}}) is True + assert bool(r.evaluate({Offset(2): set()})) is False + assert bool(r.evaluate({Offset(2): {ADDR1}})) is True + assert bool(r.evaluate({Offset(2): {ADDR1, ADDR2}})) is False + assert bool(r.evaluate({Offset(0x100, description="symbol name"): {ADDR1}})) is False + assert bool(r.evaluate({Offset(0x100, description="symbol name"): {ADDR1, ADDR2, ADDR3}})) is True def test_invalid_offset(): @@ -973,10 +973,10 @@ def test_property_access(): """ ) ) - assert r.evaluate({Property("System.IO.FileInfo::Length", access=FeatureAccess.READ): {ADDR1}}) is True + assert bool(r.evaluate({Property("System.IO.FileInfo::Length", access=FeatureAccess.READ): {ADDR1}})) is True - assert r.evaluate({Property("System.IO.FileInfo::Length"): {ADDR1}}) is False - assert r.evaluate({Property("System.IO.FileInfo::Length", access=FeatureAccess.WRITE): {ADDR1}}) is False + assert bool(r.evaluate({Property("System.IO.FileInfo::Length"): {ADDR1}})) is False + assert bool(r.evaluate({Property("System.IO.FileInfo::Length", access=FeatureAccess.WRITE): {ADDR1}})) is False def test_property_access_symbol(): @@ -992,8 +992,14 @@ def test_property_access_symbol(): ) ) assert ( - r.evaluate( - {Property("System.IO.FileInfo::Length", access=FeatureAccess.READ, description="some property"): {ADDR1}} + bool( + r.evaluate( + { + Property("System.IO.FileInfo::Length", access=FeatureAccess.READ, description="some property"): { + ADDR1 + } + } + ) ) is True )