mirror of
https://github.com/mandiant/capa.git
synced 2026-04-28 11:53:20 -07:00
ed7e0cd77d
* lint: replace isort/flake8 with ruff
* update ruff links
* remove stale isort reference
* update CHANGELOG
* address review
* remove unused imports
* remove unnecessary list comprehension
* remove quotes from type annotation
* use dict.get instead of if-else block
* remove unnecessary utf-8 encoding declaration
* Revert "remove unused imports"
This reverts commit 18ba50a22b.
* skip check for unused imports
* fix UP036 Version block is outdated for minimum Python version
* add TODO comment for unused imports
* replace black with ruff
* address review comments
139 lines
4.0 KiB
Python
139 lines
4.0 KiB
Python
# Copyright 2022 Google LLC
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
|
|
import textwrap
|
|
|
|
import pytest
|
|
|
|
import capa.rules
|
|
|
|
|
|
def test_rule_scope_instruction():
|
|
capa.rules.Rule.from_yaml(
|
|
textwrap.dedent("""
|
|
rule:
|
|
meta:
|
|
name: test rule
|
|
scopes:
|
|
static: instruction
|
|
dynamic: unsupported
|
|
features:
|
|
- and:
|
|
- mnemonic: mov
|
|
- arch: i386
|
|
- os: windows
|
|
""")
|
|
)
|
|
|
|
with pytest.raises(capa.rules.InvalidRule):
|
|
capa.rules.Rule.from_yaml(
|
|
textwrap.dedent("""
|
|
rule:
|
|
meta:
|
|
name: test rule
|
|
scopes:
|
|
static: instruction
|
|
dynamic: unsupported
|
|
features:
|
|
- characteristic: embedded pe
|
|
""")
|
|
)
|
|
|
|
|
|
def test_rule_subscope_instruction():
|
|
rules = capa.rules.RuleSet([
|
|
capa.rules.Rule.from_yaml(
|
|
textwrap.dedent("""
|
|
rule:
|
|
meta:
|
|
name: test rule
|
|
scopes:
|
|
static: function
|
|
dynamic: process
|
|
features:
|
|
- and:
|
|
- instruction:
|
|
- and:
|
|
- mnemonic: mov
|
|
- arch: i386
|
|
- os: windows
|
|
""")
|
|
)
|
|
])
|
|
# the function rule scope will have one rules:
|
|
# - `test rule`
|
|
assert len(rules.function_rules) == 1
|
|
|
|
# the insn rule scope have one rule:
|
|
# - the rule on which `test rule` depends
|
|
assert len(rules.instruction_rules) == 1
|
|
|
|
|
|
def test_scope_instruction_implied_and():
|
|
capa.rules.Rule.from_yaml(
|
|
textwrap.dedent("""
|
|
rule:
|
|
meta:
|
|
name: test rule
|
|
scopes:
|
|
static: function
|
|
dynamic: process
|
|
features:
|
|
- and:
|
|
- instruction:
|
|
- mnemonic: mov
|
|
- arch: i386
|
|
- os: windows
|
|
""")
|
|
)
|
|
|
|
|
|
def test_scope_instruction_description():
|
|
capa.rules.Rule.from_yaml(
|
|
textwrap.dedent("""
|
|
rule:
|
|
meta:
|
|
name: test rule
|
|
scopes:
|
|
static: function
|
|
dynamic: process
|
|
features:
|
|
- and:
|
|
- instruction:
|
|
- description: foo
|
|
- mnemonic: mov
|
|
- arch: i386
|
|
- os: windows
|
|
""")
|
|
)
|
|
|
|
capa.rules.Rule.from_yaml(
|
|
textwrap.dedent("""
|
|
rule:
|
|
meta:
|
|
name: test rule
|
|
scopes:
|
|
static: function
|
|
dynamic: process
|
|
features:
|
|
- and:
|
|
- instruction:
|
|
- description: foo
|
|
- mnemonic: mov
|
|
- arch: i386
|
|
- os: windows
|
|
""")
|
|
)
|