path: root/tests/analysis/scan/examples.py

from common import RostTestClass
from pychrysalide.analysis.contents import MemoryContent


class TestRostExamples(RostTestClass):
    """Test cases for the examples provided in the ROST documentation.

    Each test feeds one documented rule to check_rule_success(), a helper
    inherited from RostTestClass (defined outside this file; presumably it
    asserts that the rule compiles and matches -- confirm in common.py).
    """

    def testComments(self):
        """Check that comments inside a rule do not disturb its parsing."""

        # The rule mixes block comments and end-of-line comments, placed
        # before the rule, after its opening brace and inside the condition.
        source = '''
/*
    Multi-line header...
*/

rule test {    // comment

   /*
    * Some context
    */

   condition:  /* List of condition(s) */
      true     // Dummy condition

}
'''

        self.check_rule_success(source)

    def testArithmeticPrecedence(self):
        """Check that multiplication binds tighter than addition."""

        # 1 + 4 * 5 must evaluate to 21, while (1 + 4) * 5 must give 25.
        source = '''
rule test {  // MulFirst

   condition:
      1 + 4 * (3 + 2) == 21
      and
      (1 + 4) * (3 + 2) == 25

}
'''

        self.check_rule_success(source)

    def testUintCast(self):
        """Read an integer at an offset which is itself read from the content."""

        # Minimal 64-byte buffer shaped like the start of a PE file:
        #   0x00: 'MZ' + 2 zero bytes  -> uint16(0) == 0x5a4d
        #   0x04: 'PE' + 2 zero bytes  -> uint32(4) == 0x00004550
        #   0x08: 52 zero bytes, padding up to offset 0x3c
        #   0x3c: 04 00 00 00          -> uint32(0x3c) == 4
        # The expected values in the rule imply little-endian reads.
        mz_header = b'\x4d\x5a\x00\x00'
        pe_header = b'\x50\x45\x00\x00'
        padding = bytes(52)
        pe_offset = b'\x04\x00\x00\x00'

        content = MemoryContent(mz_header + pe_header + padding + pe_offset)

        # NOTE(review): the inner uint32(0x3c) is an offset supplied by the
        # scanned data itself. This sample keeps it inside the buffer; an
        # offset pointing past the end of the content is not exercised here.
        source = '''
rule test {  // IsPE

    condition:

        // MZ signature at offset 0 and ...

        uint16(0) == 0x5a4d and

        // ... PE signature at offset stored in the MZ header at offset 0x3c

        uint32(uint32(0x3c)) == 0x00004550

}
'''

        self.check_rule_success(source, content)