gitea-mirror/capa
1
0
Fork 0
mirror of https://github.com/mandiant/capa.git synced 2025-12-23 15:37:37 -08:00
Code Issues Packages Projects Releases Wiki Activity

fix

Browse Source
This commit is contained in:
Pratham Chauhan
2023-04-05 22:16:00 +05:30
parent eedd885683
commit efb07fafb3
4 changed files with 111 additions and 91 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
.github/ruff.toml vendored
View File

@@ -1,4 +1,8 @@
# Enable pycodestyle (`E`) codes
select = ["E"]
# E402 module level import not at top of file
# E722 do not use bare 'except'
ignore = ["E402", "E722"]
exclude = ["*_pb2.py", "*_pb2.pyi"]

2
capa/features/extractors/binja/insn.py
View File

@@ -439,7 +439,7 @@ def extract_insn_peb_access_characteristic_features(
return True
value = right.value.value
if not (reg, value) in (("fsbase", 0x30), ("gsbase", 0x60)): # noqa: E713
if (reg, value) not in (("fsbase", 0x30), ("gsbase", 0x60)):
return True
results.append((Characteristic("peb access"), ih.address))

118
tests/test_engine.py
View File

@@ -17,106 +17,116 @@ ADDR4 = capa.features.address.AbsoluteVirtualAddress(0x401004)
def test_number():
assert Number(1).evaluate({Number(0): {ADDR1}}) is False
assert Number(1).evaluate({Number(1): {ADDR1}}) is True
assert Number(1).evaluate({Number(2): {ADDR1, ADDR2}}) is False
assert bool(Number(1).evaluate({Number(0): {ADDR1}})) is False
assert bool(Number(1).evaluate({Number(1): {ADDR1}})) is True
assert bool(Number(1).evaluate({Number(2): {ADDR1, ADDR2}})) is False
def test_and():
assert And([Number(1)]).evaluate({Number(0): {ADDR1}}) is False
assert And([Number(1)]).evaluate({Number(1): {ADDR1}}) is True
assert And([Number(1), Number(2)]).evaluate({Number(0): {ADDR1}}) is False
assert And([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}}) is False
assert And([Number(1), Number(2)]).evaluate({Number(2): {ADDR1}}) is False
assert And([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}, Number(2): {ADDR2}}) is True
assert bool(And([Number(1)]).evaluate({Number(0): {ADDR1}})) is False
assert bool(And([Number(1)]).evaluate({Number(1): {ADDR1}})) is True
assert bool(And([Number(1), Number(2)]).evaluate({Number(0): {ADDR1}})) is False
assert bool(And([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}})) is False
assert bool(And([Number(1), Number(2)]).evaluate({Number(2): {ADDR1}})) is False
assert bool(And([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}, Number(2): {ADDR2}})) is True
def test_or():
assert Or([Number(1)]).evaluate({Number(0): {ADDR1}}) is False
assert Or([Number(1)]).evaluate({Number(1): {ADDR1}}) is True
assert Or([Number(1), Number(2)]).evaluate({Number(0): {ADDR1}}) is False
assert Or([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}}) is True
assert Or([Number(1), Number(2)]).evaluate({Number(2): {ADDR1}}) is True
assert Or([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}, Number(2): {ADDR2}}) is True
assert bool(Or([Number(1)]).evaluate({Number(0): {ADDR1}})) is False
assert bool(Or([Number(1)]).evaluate({Number(1): {ADDR1}})) is True
assert bool(Or([Number(1), Number(2)]).evaluate({Number(0): {ADDR1}})) is False
assert bool(Or([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}})) is True
assert bool(Or([Number(1), Number(2)]).evaluate({Number(2): {ADDR1}})) is True
assert bool(Or([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}, Number(2): {ADDR2}})) is True
def test_not():
assert Not(Number(1)).evaluate({Number(0): {ADDR1}}) is True
assert Not(Number(1)).evaluate({Number(1): {ADDR1}}) is False
assert bool(Not(Number(1)).evaluate({Number(0): {ADDR1}})) is True
assert bool(Not(Number(1)).evaluate({Number(1): {ADDR1}})) is False
def test_some():
assert Some(0, [Number(1)]).evaluate({Number(0): {ADDR1}}) is True
assert Some(1, [Number(1)]).evaluate({Number(0): {ADDR1}}) is False
assert bool(Some(0, [Number(1)]).evaluate({Number(0): {ADDR1}})) is True
assert bool(Some(1, [Number(1)]).evaluate({Number(0): {ADDR1}})) is False
assert Some(2, [Number(1), Number(2), Number(3)]).evaluate({Number(0): {ADDR1}}) is False
assert Some(2, [Number(1), Number(2), Number(3)]).evaluate({Number(0): {ADDR1}, Number(1): {ADDR1}}) is False
assert bool(Some(2, [Number(1), Number(2), Number(3)]).evaluate({Number(0): {ADDR1}})) is False
assert bool(Some(2, [Number(1), Number(2), Number(3)]).evaluate({Number(0): {ADDR1}, Number(1): {ADDR1}})) is False
assert (
Some(2, [Number(1), Number(2), Number(3)]).evaluate(
{Number(0): {ADDR1}, Number(1): {ADDR1}, Number(2): {ADDR1}}
bool(
Some(2, [Number(1), Number(2), Number(3)]).evaluate(
{Number(0): {ADDR1}, Number(1): {ADDR1}, Number(2): {ADDR1}}
)
)
is True
)
assert (
Some(2, [Number(1), Number(2), Number(3)]).evaluate(
{Number(0): {ADDR1}, Number(1): {ADDR1}, Number(2): {ADDR1}, Number(3): {ADDR1}}
bool(
Some(2, [Number(1), Number(2), Number(3)]).evaluate(
{Number(0): {ADDR1}, Number(1): {ADDR1}, Number(2): {ADDR1}, Number(3): {ADDR1}}
)
)
is True
)
assert (
Some(2, [Number(1), Number(2), Number(3)]).evaluate(
{Number(0): {ADDR1}, Number(1): {ADDR1}, Number(2): {ADDR1}, Number(3): {ADDR1}, Number(4): {ADDR1}}
bool(
Some(2, [Number(1), Number(2), Number(3)]).evaluate(
{Number(0): {ADDR1}, Number(1): {ADDR1}, Number(2): {ADDR1}, Number(3): {ADDR1}, Number(4): {ADDR1}}
)
)
is True
)
def test_complex():
assert True is Or(
[And([Number(1), Number(2)]), Or([Number(3), Some(2, [Number(4), Number(5), Number(6)])])]
).evaluate({Number(5): {ADDR1}, Number(6): {ADDR1}, Number(7): {ADDR1}, Number(8): {ADDR1}})
assert True is bool(
Or([And([Number(1), Number(2)]), Or([Number(3), Some(2, [Number(4), Number(5), Number(6)])])]).evaluate(
{Number(5): {ADDR1}, Number(6): {ADDR1}, Number(7): {ADDR1}, Number(8): {ADDR1}}
)
)
assert False is Or([And([Number(1), Number(2)]), Or([Number(3), Some(2, [Number(4), Number(5)])])]).evaluate(
{Number(5): {ADDR1}, Number(6): {ADDR1}, Number(7): {ADDR1}, Number(8): {ADDR1}}
assert False is bool(
Or([And([Number(1), Number(2)]), Or([Number(3), Some(2, [Number(4), Number(5)])])]).evaluate(
{Number(5): {ADDR1}, Number(6): {ADDR1}, Number(7): {ADDR1}, Number(8): {ADDR1}}
)
)
def test_range():
# unbounded range, but no matching feature
# since the lower bound is zero, and there are zero matches, ok
assert Range(Number(1)).evaluate({Number(2): {}}) is True
assert bool(Range(Number(1)).evaluate({Number(2): {}})) is True
# unbounded range with matching feature should always match
assert Range(Number(1)).evaluate({Number(1): {}}) is True
assert Range(Number(1)).evaluate({Number(1): {ADDR1}}) is True
assert bool(Range(Number(1)).evaluate({Number(1): {}})) is True
assert bool(Range(Number(1)).evaluate({Number(1): {ADDR1}})) is True
# unbounded max
assert Range(Number(1), min=1).evaluate({Number(1): {ADDR1}}) is True
assert Range(Number(1), min=2).evaluate({Number(1): {ADDR1}}) is False
assert Range(Number(1), min=2).evaluate({Number(1): {ADDR1, ADDR2}}) is True
assert bool(Range(Number(1), min=1).evaluate({Number(1): {ADDR1}})) is True
assert bool(Range(Number(1), min=2).evaluate({Number(1): {ADDR1}})) is False
assert bool(Range(Number(1), min=2).evaluate({Number(1): {ADDR1, ADDR2}})) is True
# unbounded min
assert Range(Number(1), max=0).evaluate({Number(1): {ADDR1}}) is False
assert Range(Number(1), max=1).evaluate({Number(1): {ADDR1}}) is True
assert Range(Number(1), max=2).evaluate({Number(1): {ADDR1}}) is True
assert Range(Number(1), max=2).evaluate({Number(1): {ADDR1, ADDR2}}) is True
assert Range(Number(1), max=2).evaluate({Number(1): {ADDR1, ADDR2, ADDR3}}) is False
assert bool(Range(Number(1), max=0).evaluate({Number(1): {ADDR1}})) is False
assert bool(Range(Number(1), max=1).evaluate({Number(1): {ADDR1}})) is True
assert bool(Range(Number(1), max=2).evaluate({Number(1): {ADDR1}})) is True
assert bool(Range(Number(1), max=2).evaluate({Number(1): {ADDR1, ADDR2}})) is True
assert bool(Range(Number(1), max=2).evaluate({Number(1): {ADDR1, ADDR2, ADDR3}})) is False
# we can do an exact match by setting min==max
assert Range(Number(1), min=1, max=1).evaluate({Number(1): {}}) is False
assert Range(Number(1), min=1, max=1).evaluate({Number(1): {ADDR1}}) is True
assert Range(Number(1), min=1, max=1).evaluate({Number(1): {ADDR1, ADDR2}}) is False
assert bool(Range(Number(1), min=1, max=1).evaluate({Number(1): {}})) is False
assert bool(Range(Number(1), min=1, max=1).evaluate({Number(1): {ADDR1}})) is True
assert bool(Range(Number(1), min=1, max=1).evaluate({Number(1): {ADDR1, ADDR2}})) is False
# bounded range
assert Range(Number(1), min=1, max=3).evaluate({Number(1): {}}) is False
assert Range(Number(1), min=1, max=3).evaluate({Number(1): {ADDR1}}) is True
assert Range(Number(1), min=1, max=3).evaluate({Number(1): {ADDR1, ADDR2}}) is True
assert Range(Number(1), min=1, max=3).evaluate({Number(1): {ADDR1, ADDR2, ADDR3}}) is True
assert Range(Number(1), min=1, max=3).evaluate({Number(1): {ADDR1, ADDR2, ADDR3, ADDR4}}) is False
assert bool(Range(Number(1), min=1, max=3).evaluate({Number(1): {}})) is False
assert bool(Range(Number(1), min=1, max=3).evaluate({Number(1): {ADDR1}})) is True
assert bool(Range(Number(1), min=1, max=3).evaluate({Number(1): {ADDR1, ADDR2}})) is True
assert bool(Range(Number(1), min=1, max=3).evaluate({Number(1): {ADDR1, ADDR2, ADDR3}})) is True
assert bool(Range(Number(1), min=1, max=3).evaluate({Number(1): {ADDR1, ADDR2, ADDR3, ADDR4}})) is False
def test_short_circuit():
assert Or([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}}) is True
assert bool(Or([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}})) is True
# with short circuiting, only the children up until the first satisfied child are captured.
assert len(Or([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}}, short_circuit=True).children) == 1
@@ -125,8 +135,8 @@ def test_short_circuit():
def test_eval_order():
# base cases.
assert Or([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}}) is True
assert Or([Number(1), Number(2)]).evaluate({Number(2): {ADDR1}}) is True
assert bool(Or([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}})) is True
assert bool(Or([Number(1), Number(2)]).evaluate({Number(2): {ADDR1}})) is True
# with short circuiting, only the children up until the first satisfied child are captured.
assert len(Or([Number(1), Number(2)]).evaluate({Number(1): {ADDR1}}).children) == 1

78
tests/test_rules.py
View File

@@ -40,8 +40,8 @@ ADDR4 = capa.features.address.AbsoluteVirtualAddress(0x401004)
def test_rule_ctor():
r = capa.rules.Rule("test rule", capa.rules.FUNCTION_SCOPE, Or([Number(1)]), {})
assert r.evaluate({Number(0): {ADDR1}}) is False
assert r.evaluate({Number(1): {ADDR2}}) is True
assert bool(r.evaluate({Number(0): {ADDR1}})) is False
assert bool(r.evaluate({Number(1): {ADDR2}})) is True
def test_rule_yaml():
@@ -63,10 +63,10 @@ def test_rule_yaml():
"""
)
r = capa.rules.Rule.from_yaml(rule)
assert r.evaluate({Number(0): {ADDR1}}) is False
assert r.evaluate({Number(0): {ADDR1}, Number(1): {ADDR1}}) is False
assert r.evaluate({Number(0): {ADDR1}, Number(1): {ADDR1}, Number(2): {ADDR1}}) is True
assert r.evaluate({Number(0): {ADDR1}, Number(1): {ADDR1}, Number(2): {ADDR1}, Number(3): {ADDR1}}) is True
assert bool(r.evaluate({Number(0): {ADDR1}})) is False
assert bool(r.evaluate({Number(0): {ADDR1}, Number(1): {ADDR1}})) is False
assert bool(r.evaluate({Number(0): {ADDR1}, Number(1): {ADDR1}, Number(2): {ADDR1}})) is True
assert bool(r.evaluate({Number(0): {ADDR1}, Number(1): {ADDR1}, Number(2): {ADDR1}, Number(3): {ADDR1}})) is True
def test_rule_yaml_complex():
@@ -89,8 +89,8 @@ def test_rule_yaml_complex():
"""
)
r = capa.rules.Rule.from_yaml(rule)
assert r.evaluate({Number(5): {ADDR1}, Number(6): {ADDR1}, Number(7): {ADDR1}, Number(8): {ADDR1}}) is True
assert r.evaluate({Number(6): {ADDR1}, Number(7): {ADDR1}, Number(8): {ADDR1}}) is False
assert bool(r.evaluate({Number(5): {ADDR1}, Number(6): {ADDR1}, Number(7): {ADDR1}, Number(8): {ADDR1}})) is True
assert bool(r.evaluate({Number(6): {ADDR1}, Number(7): {ADDR1}, Number(8): {ADDR1}})) is False
def test_rule_descriptions():
@@ -167,8 +167,8 @@ def test_rule_yaml_not():
"""
)
r = capa.rules.Rule.from_yaml(rule)
assert r.evaluate({Number(1): {ADDR1}}) is True
assert r.evaluate({Number(1): {ADDR1}, Number(2): {ADDR1}}) is False
assert bool(r.evaluate({Number(1): {ADDR1}})) is True
assert bool(r.evaluate({Number(1): {ADDR1}, Number(2): {ADDR1}})) is False
def test_rule_yaml_count():
@@ -182,9 +182,9 @@ def test_rule_yaml_count():
"""
)
r = capa.rules.Rule.from_yaml(rule)
assert r.evaluate({Number(100): set()}) is False
assert r.evaluate({Number(100): {ADDR1}}) is True
assert r.evaluate({Number(100): {ADDR1, ADDR2}}) is False
assert bool(r.evaluate({Number(100): set()})) is False
assert bool(r.evaluate({Number(100): {ADDR1}})) is True
assert bool(r.evaluate({Number(100): {ADDR1, ADDR2}})) is False
def test_rule_yaml_count_range():
@@ -198,10 +198,10 @@ def test_rule_yaml_count_range():
"""
)
r = capa.rules.Rule.from_yaml(rule)
assert r.evaluate({Number(100): set()}) is False
assert r.evaluate({Number(100): {ADDR1}}) is True
assert r.evaluate({Number(100): {ADDR1, ADDR2}}) is True
assert r.evaluate({Number(100): {ADDR1, ADDR2, ADDR3}}) is False
assert bool(r.evaluate({Number(100): set()})) is False
assert bool(r.evaluate({Number(100): {ADDR1}})) is True
assert bool(r.evaluate({Number(100): {ADDR1, ADDR2}})) is True
assert bool(r.evaluate({Number(100): {ADDR1, ADDR2, ADDR3}})) is False
def test_rule_yaml_count_string():
@@ -215,10 +215,10 @@ def test_rule_yaml_count_string():
"""
)
r = capa.rules.Rule.from_yaml(rule)
assert r.evaluate({String("foo"): set()}) is False
assert r.evaluate({String("foo"): {ADDR1}}) is False
assert r.evaluate({String("foo"): {ADDR1, ADDR2}}) is True
assert r.evaluate({String("foo"): {ADDR1, ADDR2, ADDR3}}) is False
assert bool(r.evaluate({String("foo"): set()})) is False
assert bool(r.evaluate({String("foo"): {ADDR1}})) is False
assert bool(r.evaluate({String("foo"): {ADDR1, ADDR2}})) is True
assert bool(r.evaluate({String("foo"): {ADDR1, ADDR2, ADDR3}})) is False
def test_invalid_rule_feature():
@@ -488,11 +488,11 @@ def test_count_number_symbol():
"""
)
r = capa.rules.Rule.from_yaml(rule)
assert r.evaluate({Number(2): set()}) is False
assert r.evaluate({Number(2): {ADDR1}}) is True
assert r.evaluate({Number(2): {ADDR1, ADDR2}}) is False
assert r.evaluate({Number(0x100, description="symbol name"): {ADDR1}}) is False
assert r.evaluate({Number(0x100, description="symbol name"): {ADDR1, ADDR2, ADDR3}}) is True
assert bool(r.evaluate({Number(2): set()})) is False
assert bool(r.evaluate({Number(2): {ADDR1}})) is True
assert bool(r.evaluate({Number(2): {ADDR1, ADDR2}})) is False
assert bool(r.evaluate({Number(0x100, description="symbol name"): {ADDR1}})) is False
assert bool(r.evaluate({Number(0x100, description="symbol name"): {ADDR1, ADDR2, ADDR3}})) is True
def test_invalid_number():
@@ -574,11 +574,11 @@ def test_count_offset_symbol():
"""
)
r = capa.rules.Rule.from_yaml(rule)
assert r.evaluate({Offset(2): set()}) is False
assert r.evaluate({Offset(2): {ADDR1}}) is True
assert r.evaluate({Offset(2): {ADDR1, ADDR2}}) is False
assert r.evaluate({Offset(0x100, description="symbol name"): {ADDR1}}) is False
assert r.evaluate({Offset(0x100, description="symbol name"): {ADDR1, ADDR2, ADDR3}}) is True
assert bool(r.evaluate({Offset(2): set()})) is False
assert bool(r.evaluate({Offset(2): {ADDR1}})) is True
assert bool(r.evaluate({Offset(2): {ADDR1, ADDR2}})) is False
assert bool(r.evaluate({Offset(0x100, description="symbol name"): {ADDR1}})) is False
assert bool(r.evaluate({Offset(0x100, description="symbol name"): {ADDR1, ADDR2, ADDR3}})) is True
def test_invalid_offset():
@@ -973,10 +973,10 @@ def test_property_access():
"""
)
)
assert r.evaluate({Property("System.IO.FileInfo::Length", access=FeatureAccess.READ): {ADDR1}}) is True
assert bool(r.evaluate({Property("System.IO.FileInfo::Length", access=FeatureAccess.READ): {ADDR1}})) is True
assert r.evaluate({Property("System.IO.FileInfo::Length"): {ADDR1}}) is False
assert r.evaluate({Property("System.IO.FileInfo::Length", access=FeatureAccess.WRITE): {ADDR1}}) is False
assert bool(r.evaluate({Property("System.IO.FileInfo::Length"): {ADDR1}})) is False
assert bool(r.evaluate({Property("System.IO.FileInfo::Length", access=FeatureAccess.WRITE): {ADDR1}})) is False
def test_property_access_symbol():
@@ -992,8 +992,14 @@ def test_property_access_symbol():
)
)
assert (
r.evaluate(
{Property("System.IO.FileInfo::Length", access=FeatureAccess.READ, description="some property"): {ADDR1}}
bool(
r.evaluate(
{
Property("System.IO.FileInfo::Length", access=FeatureAccess.READ, description="some property"): {
ADDR1
}
}
)
)
is True
)