# string feature, positive case: the rule's literal value equals the analysed string.
- name: exact-string
  description: string feature matches only the exact value
  rules:
    - name: exact-string-match
      scopes:
        static: function
      features:
        - string: hello world
  # Test input (distinct from the rule's `features` above): a function at
  # 0x500000 that carries the string "hello world".
  features: |
    func: 0x500000
    func: 0x500000: string(hello world)
  expect:
    matches:
      exact-string-match:
        - 0x500000  # plain hex literal, parsed as an integer address
# substring feature, positive case: the rule value sits in the middle of a longer string.
- name: substring
  description: substring feature matches when the value appears within a string
  rules:
    - name: substring-match
      scopes:
        static: function
      features:
        - substring: abc
  # Test input: one function whose only string is "zabczz".
  features: |
    func: 0x500000
    func: 0x500000: string(zabczz)
  expect:
    matches:
      substring-match:
        - 0x500000
# regex string feature with neither anchors nor wildcards: "bbbb" surrounded by
# other characters still matches.
- name: regex-unanchored
  description: regex feature matches when the pattern appears anywhere in a string
  rules:
    - name: regex-match
      scopes:
        static: function
      features:
        - string: /bbbb/  # a /.../ value is a regex, not a literal string
  # Test input: one function whose only string is "abbbba".
  features: |
    func: 0x500000
    func: 0x500000: string(abbbba)
  expect:
    matches:
      regex-match:
        - 0x500000
# regex with the /i flag: an upper-case pattern matches a lower-case string.
- name: regex-case-insensitive
  description: regex /i flag enables case-insensitive matching
  rules:
    - name: regex-ignorecase-match
      scopes:
        static: function
      features:
        - string: /BBBB/i
  # Test input: one function whose only string is "abbbba" (lower case).
  features: |
    func: 0x500000
    func: 0x500000: string(abbbba)
  expect:
    matches:
      regex-ignorecase-match:
        - 0x500000
# regex negative case: `^` pins the pattern to the start of the string, and the
# analysed string begins with "a", so the rule must not fire.
- name: regex-anchored-no-match
  description: anchored regex does not match when the string does not start with the pattern
  rules:
    - name: regex-anchor-no-match
      scopes:
        static: function
      features:
        - string: /^bbbb/
  # Test input: one function whose only string is "abbbba".
  features: |
    func: 0x500000
    func: 0x500000: string(abbbba)
  expect:
    matches: {}  # no rule matches anywhere
# substring negative case: "abc" does not occur in "aaaa".
- name: substring-no-match
  description: substring does not match when the value is not contained in any string
  rules:
    - name: substring-no-match
      scopes:
        static: function
      features:
        - substring: abc
  # Test input: one function whose only string is "aaaa".
  features: |
    func: 0x500000
    func: 0x500000: string(aaaa)
  expect:
    matches: {}  # no rule matches anywhere
# substring boundary case: the analysed string is exactly the substring value.
- name: substring-exact
  description: substring matches when the string is exactly the substring value
  rules:
    - name: substring-exact
      scopes:
        static: function
      features:
        - substring: abc
  # Test input: one function whose only string is "abc".
  features: |
    func: 0x500000
    func: 0x500000: string(abc)
  expect:
    matches:
      substring-exact:
        - 0x500000
# substring boundary case: the value is a prefix of the analysed string.
- name: substring-prefix
  description: substring matches when it appears at the start of a string
  rules:
    - name: substring-prefix
      scopes:
        static: function
      features:
        - substring: abc
  # Test input: one function whose only string is "abc222".
  features: |
    func: 0x500000
    func: 0x500000: string(abc222)
  expect:
    matches:
      substring-prefix:
        - 0x500000
# substring boundary case: the value is a suffix of the analysed string.
- name: substring-suffix
  description: substring matches when it appears at the end of a string
  rules:
    - name: substring-suffix
      scopes:
        static: function
      features:
        - substring: abc
  # Test input: one function whose only string is "111abc".
  features: |
    func: 0x500000
    func: 0x500000: string(111abc)
  expect:
    matches:
      substring-suffix:
        - 0x500000
# regex negative case by feature type: the input has a basic block and a number
# feature but no string feature, so there is nothing for the regex to run against.
- name: regex-no-match-wrong-type
  description: regex does not match when only non-string features are present
  rules:
    - name: regex-wrong-type
      scopes:
        static: function
      features:
        - string: /.*bbbb.*/
  # Test input: a function at 0x500000 with a basic block and number(100), no strings.
  features: |
    func: 0x500000
    bb: 0x500000: basic block
    insn: 0x500000: number(100)
  expect:
    matches: {}  # no rule matches anywhere
# regex negative case by value: a string feature exists, but "aaaa" contains no "bbbb".
- name: regex-no-match-wrong-value
  description: regex does not match when the string does not contain the pattern
  rules:
    - name: regex-wrong-value
      scopes:
        static: function
      features:
        - string: /.*bbbb.*/
  # Test input: one function whose only string is "aaaa".
  features: |
    func: 0x500000
    func: 0x500000: string(aaaa)
  expect:
    matches: {}  # no rule matches anywhere
# regex negative case by case: without /i, lower-case "bbbb" must not match "BBBB".
# Counterpart of regex-ignorecase-explicit-wildcards, which uses the same input with /i.
- name: regex-no-match-case-sensitive
  description: regex without /i flag does not match different-case strings
  rules:
    - name: regex-case-sensitive
      scopes:
        static: function
      features:
        - string: /.*bbbb.*/
  # Test input: one function whose only string is "aBBBBa".
  features: |
    func: 0x500000
    func: 0x500000: string(aBBBBa)
  expect:
    matches: {}  # no rule matches anywhere
# Two rules over the same input: one spells out `.*` on both sides, the other
# relies on unanchored matching. Both are expected to fire at the same address.
- name: regex-explicit-wildcards
  description: regex with explicit .* wildcards matches the same as implied wildcards
  rules:
    - name: regex-explicit
      scopes:
        static: function
      features:
        - string: /.*bbbb.*/
    - name: regex-implied
      scopes:
        static: function
      features:
        - string: /bbbb/
  # Test input: one function whose only string is "abbbba".
  features: |
    func: 0x500000
    func: 0x500000: string(abbbba)
  expect:
    matches:
      regex-explicit:
        - 0x500000
      regex-implied:
        - 0x500000
# regex with escaped backslashes and embedded spaces, wrapped in an `or` and
# flagged /i. Each `\\` in the pattern is a regex escape for one literal `\`
# in the analysed string "Hardware\Key\key with spaces\some value".
- name: regex-complex-backslash
  description: regex with escaped backslashes and spaces matches correctly
  rules:
    - name: regex-backslash
      scopes:
        static: function
      features:
        - or:
            # single quotes keep the backslashes literal; the value is unchanged
            - string: '/.*HARDWARE\\Key\\key with spaces\\.*/i'
  # Test input: one function whose only string is the backslash-separated path above.
  features: |
    func: 0x500000
    func: 0x500000: string(Hardware\Key\key with spaces\some value)
  expect:
    matches:
      regex-backslash:
        - 0x500000
# regex against a string that looks like a decimal number. The `or` offers both a
# decimal and a hex-prefixed pattern; here the input is the decimal form "123".
- name: regex-numeric-string
  description: regex matches numeric string values correctly
  rules:
    - name: regex-numeric
      scopes:
        static: function
      features:
        - or:
            - string: /123/
            - string: /0x123/
  # Test input: one function whose only string is "123".
  features: |
    func: 0x500000
    func: 0x500000: string(123)
  expect:
    matches:
      regex-numeric:
        - 0x500000
# regex against a string that looks like a hex number. Same rule shape as
# regex-numeric-string, with the input switched to the "0x123" form.
# Note: because matching is unanchored (see regex-unanchored), `/123/` alone
# would also match "0x123"; the `or` keeps both alternatives.
- name: regex-hex-numeric-string
  description: regex matches hex-prefixed numeric string values
  rules:
    - name: regex-hex-numeric
      scopes:
        static: function
      features:
        - or:
            - string: /123/
            - string: /0x123/
  # Test input: one function whose only string is "0x123".
  features: |
    func: 0x500000
    func: 0x500000: string(0x123)
  expect:
    matches:
      regex-hex-numeric:
        - 0x500000
# regex with explicit `.*` wildcards and the /i flag. Same input as
# regex-no-match-case-sensitive; the flag is what turns that miss into a hit.
- name: regex-ignorecase-explicit-wildcards
  description: regex /i flag with explicit wildcards matches case-insensitively
  rules:
    - name: regex-ignorecase-explicit
      scopes:
        static: function
      features:
        - string: /.*bbbb.*/i
  # Test input: one function whose only string is "aBBBBa".
  features: |
    func: 0x500000
    func: 0x500000: string(aBBBBa)
  expect:
    matches:
      regex-ignorecase-explicit:
        - 0x500000