[Forensics-changes] [yara] 210/368: Apply YARA's coding style to tests
Hilko Bengen
bengen at moszumanska.debian.org
Sat Jul 1 10:30:40 UTC 2017
This is an automated email from the git hooks/post-receive script.
bengen pushed a commit to annotated tag v3.5.0
in repository yara.
commit 2976bacd82020941e1fdef931842d8663394abcc
Author: plusvic <plusvic at gmail.com>
Date: Mon Feb 29 16:37:05 2016 +0100
Apply YARA's coding style to tests
---
tests/test-alignment.c | 16 +-
tests/test-rules.c | 1276 ++++++++++++++++++++++++++++++++++++------------
tests/util.c | 130 +++--
tests/util.h | 41 +-
4 files changed, 1094 insertions(+), 369 deletions(-)
diff --git a/tests/test-alignment.c b/tests/test-alignment.c
index 5df5442..15499a7 100644
--- a/tests/test-alignment.c
+++ b/tests/test-alignment.c
@@ -49,9 +49,11 @@ int err = 0;
} \
} while (0)
-int main (int argc, char **argv) {
- CHECK_SIZE(YR_NAMESPACE, 4*MAX_THREADS + 8);
- CHECK_OFFSET(YR_NAMESPACE, 4*MAX_THREADS, name);
+
+int main (int argc, char **argv)
+{
+ CHECK_SIZE(YR_NAMESPACE, 4 * MAX_THREADS + 8);
+ CHECK_OFFSET(YR_NAMESPACE, 4 * MAX_THREADS, name);
CHECK_SIZE(YR_META, 32);
CHECK_OFFSET(YR_META, 8, integer);
@@ -65,13 +67,13 @@ int main (int argc, char **argv) {
CHECK_OFFSET(YR_MATCH, 24, chain_length);
CHECK_OFFSET(YR_MATCH, 32, prev);
CHECK_OFFSET(YR_MATCH, 40, next);
-
+
CHECK_SIZE(YR_MATCHES, 24);
CHECK_OFFSET(YR_MATCHES, 8, head);
CHECK_OFFSET(YR_MATCHES, 16, tail);
CHECK_SIZE(YR_STRING, 48 + 2 * 24 /* YR_MATCHES */ * MAX_THREADS
-# ifdef PROFILING_ENABLED
+# ifdef PROFILING_ENABLED
+ 8
# endif
);
@@ -84,7 +86,7 @@ int main (int argc, char **argv) {
CHECK_OFFSET(YR_STRING, 40, fixed_offset);
CHECK_SIZE(YR_RULE, 8 + 4*MAX_THREADS + 40
-# ifdef PROFILING_ENABLED
+# ifdef PROFILING_ENABLED
+ 8
# endif
);
@@ -100,7 +102,7 @@ int main (int argc, char **argv) {
CHECK_OFFSET(YR_EXTERNAL_VARIABLE, 8, value.f);
CHECK_OFFSET(YR_EXTERNAL_VARIABLE, 8, value.s);
CHECK_OFFSET(YR_EXTERNAL_VARIABLE, 16, identifier);
-
+
CHECK_SIZE(YR_AC_MATCH, 40);
CHECK_OFFSET(YR_AC_MATCH, 8, string);
CHECK_OFFSET(YR_AC_MATCH, 16, forward_code);
diff --git a/tests/test-rules.c b/tests/test-rules.c
index a5653c4..be2598b 100644
--- a/tests/test-rules.c
+++ b/tests/test-rules.c
@@ -18,305 +18,780 @@ limitations under the License.
#include "blob.h"
#include "util.h"
-static void test_boolean_operators() {
- assert_true_rule("rule test { condition: true }", NULL);
- assert_true_rule("rule test { condition: true or false }", NULL);
- assert_true_rule("rule test { condition: true and true }", NULL);
- assert_true_rule("rule test { condition: 0x1 and 0x2}", NULL);
-
- assert_false_rule("rule test { condition: false }", NULL);
- assert_false_rule("rule test { condition: true and false }", NULL);
- assert_false_rule("rule test { condition: false or false }", NULL);
+
+static void test_boolean_operators()
+{
+ assert_true_rule(
+ "rule test { condition: true }", NULL);
+
+ assert_true_rule(
+ "rule test { condition: true or false }", NULL);
+
+ assert_true_rule(
+ "rule test { condition: true and true }", NULL);
+
+ assert_true_rule(
+ "rule test { condition: 0x1 and 0x2}", NULL);
+
+ assert_false_rule(
+ "rule test { condition: false }", NULL);
+
+ assert_false_rule(
+ "rule test { condition: true and false }", NULL);
+
+ assert_false_rule(
+ "rule test { condition: false or false }", NULL);
}
-static void test_comparison_operators() {
- assert_true_rule("rule test { condition: 2 > 1 }", NULL);
- assert_true_rule("rule test { condition: 1 < 2 }", NULL);
- assert_true_rule("rule test { condition: 2 >= 1 }", NULL);
- assert_true_rule("rule test { condition: 1 <= 1 }", NULL);
- assert_true_rule("rule test { condition: 1 == 1 }", NULL);
- assert_true_rule("rule test { condition: 1.5 == 1.5}", NULL);
- assert_true_rule("rule test { condition: 1.0 == 1}", NULL);
- assert_true_rule("rule test { condition: 1.5 >= 1.0}", NULL);
- assert_true_rule("rule test { condition: 1.5 >= 1}", NULL);
- assert_true_rule("rule test { condition: 1.0 >= 1}", NULL);
- assert_true_rule("rule test { condition: 0.5 < 1}", NULL);
- assert_true_rule("rule test { condition: 0.5 <= 1}", NULL);
- assert_true_rule("rule rest { condition: 1.0 <= 1}", NULL);
- assert_true_rule("rule rest { condition: \"abc\" == \"abc\"}", NULL);
- assert_true_rule("rule rest { condition: \"abc\" <= \"abc\"}", NULL);
- assert_true_rule("rule rest { condition: \"abc\" >= \"abc\"}", NULL);
- assert_true_rule("rule rest { condition: \"ab\" < \"abc\"}", NULL);
- assert_true_rule("rule rest { condition: \"abc\" > \"ab\"}", NULL);
- assert_true_rule("rule rest { condition: \"abc\" < \"abd\"}", NULL);
- assert_true_rule("rule rest { condition: \"abd\" > \"abc\"}", NULL);
-
- assert_false_rule("rule test { condition: 1 != 1}", NULL);
- assert_false_rule("rule test { condition: 1 != 1.0}", NULL);
- assert_false_rule("rule test { condition: 2 > 3}", NULL);
- assert_false_rule("rule test { condition: 2.1 < 2}", NULL);
- assert_false_rule("rule test { condition: \"abc\" != \"abc\"}", NULL);
- assert_false_rule("rule test { condition: \"abc\" > \"abc\"}", NULL);
- assert_false_rule("rule test { condition: \"abc\" < \"abc\"}", NULL);
+
+static void test_comparison_operators()
+{
+ assert_true_rule(
+ "rule test { condition: 2 > 1 }", NULL);
+
+ assert_true_rule(
+ "rule test { condition: 1 < 2 }", NULL);
+
+ assert_true_rule(
+ "rule test { condition: 2 >= 1 }", NULL);
+
+ assert_true_rule(
+ "rule test { condition: 1 <= 1 }", NULL);
+
+ assert_true_rule(
+ "rule test { condition: 1 == 1 }", NULL);
+
+ assert_true_rule(
+ "rule test { condition: 1.5 == 1.5}", NULL);
+
+ assert_true_rule(
+ "rule test { condition: 1.0 == 1}", NULL);
+
+ assert_true_rule(
+ "rule test { condition: 1.5 >= 1.0}", NULL);
+
+ assert_true_rule(
+ "rule test { condition: 1.5 >= 1}", NULL);
+
+ assert_true_rule(
+ "rule test { condition: 1.0 >= 1}", NULL);
+
+ assert_true_rule(
+ "rule test { condition: 0.5 < 1}", NULL);
+
+ assert_true_rule(
+ "rule test { condition: 0.5 <= 1}", NULL);
+
+ assert_true_rule(
+ "rule rest { condition: 1.0 <= 1}", NULL);
+
+ assert_true_rule(
+ "rule rest { condition: \"abc\" == \"abc\"}", NULL);
+
+ assert_true_rule(
+ "rule rest { condition: \"abc\" <= \"abc\"}", NULL);
+
+ assert_true_rule(
+ "rule rest { condition: \"abc\" >= \"abc\"}", NULL);
+
+ assert_true_rule(
+ "rule rest { condition: \"ab\" < \"abc\"}", NULL);
+
+ assert_true_rule(
+ "rule rest { condition: \"abc\" > \"ab\"}", NULL);
+
+ assert_true_rule(
+ "rule rest { condition: \"abc\" < \"abd\"}", NULL);
+
+ assert_true_rule(
+ "rule rest { condition: \"abd\" > \"abc\"}", NULL);
+
+ assert_false_rule(
+ "rule test { condition: 1 != 1}", NULL);
+
+ assert_false_rule(
+ "rule test { condition: 1 != 1.0}", NULL);
+
+ assert_false_rule(
+ "rule test { condition: 2 > 3}", NULL);
+
+ assert_false_rule(
+ "rule test { condition: 2.1 < 2}", NULL);
+
+ assert_false_rule(
+ "rule test { condition: \"abc\" != \"abc\"}", NULL);
+
+ assert_false_rule(
+ "rule test { condition: \"abc\" > \"abc\"}", NULL);
+
+ assert_false_rule(
+ "rule test { condition: \"abc\" < \"abc\"}", NULL);
+
}
-static void test_arithmetic_operators() {
- assert_true_rule("rule test { condition: (1 + 1) * 2 == (9 - 1) \\ 2 }", NULL);
- assert_true_rule("rule test { condition: 5 % 2 == 1 }", NULL);
- assert_true_rule("rule test { condition: 1.5 + 1.5 == 3}", NULL);
- assert_true_rule("rule test { condition: 3 \\ 2 == 1}", NULL);
- assert_true_rule("rule test { condition: 3.0 \\ 2 == 1.5}", NULL);
- assert_true_rule("rule test { condition: 1 + -1 == 0}", NULL);
- assert_true_rule("rule test { condition: -1 + -1 == -2}", NULL);
- assert_true_rule("rule test { condition: 4 --2 * 2 == 8}", NULL);
- assert_true_rule("rule test { condition: -1.0 * 1 == -1.0}", NULL);
- assert_true_rule("rule test { condition: 1-1 == 0}", NULL);
- assert_true_rule("rule test { condition: -2.0-3.0 == -5}", NULL);
- assert_true_rule("rule test { condition: --1 == 1}", NULL);
- assert_true_rule("rule test { condition: 1--1 == 2}", NULL);
- assert_true_rule("rule test { condition: -0x01 == -1}", NULL);
+static void test_arithmetic_operators()
+{
+ assert_true_rule(
+ "rule test { condition: (1 + 1) * 2 == (9 - 1) \\ 2 }", NULL);
+
+ assert_true_rule(
+ "rule test { condition: 5 % 2 == 1 }", NULL);
+
+ assert_true_rule(
+ "rule test { condition: 1.5 + 1.5 == 3}", NULL);
+
+ assert_true_rule(
+ "rule test { condition: 3 \\ 2 == 1}", NULL);
+
+ assert_true_rule(
+ "rule test { condition: 3.0 \\ 2 == 1.5}", NULL);
+
+ assert_true_rule(
+ "rule test { condition: 1 + -1 == 0}", NULL);
+
+ assert_true_rule(
+ "rule test { condition: -1 + -1 == -2}", NULL);
+
+ assert_true_rule(
+ "rule test { condition: 4 --2 * 2 == 8}", NULL);
+
+ assert_true_rule(
+ "rule test { condition: -1.0 * 1 == -1.0}", NULL);
+
+ assert_true_rule(
+ "rule test { condition: 1-1 == 0}", NULL);
+
+ assert_true_rule(
+ "rule test { condition: -2.0-3.0 == -5}", NULL);
+
+ assert_true_rule(
+ "rule test { condition: --1 == 1}", NULL);
+
+ assert_true_rule(
+ "rule test { condition: 1--1 == 2}", NULL);
+
+ assert_true_rule(
+ "rule test { condition: -0x01 == -1}", NULL);
+
}
-static void test_bitwise_operators() {
- assert_true_rule("rule test { condition: 0x55 | 0xAA == 0xFF }", NULL);
- assert_true_rule("rule test { condition: ~0xAA ^ 0x5A & 0xFF == (~0xAA) ^ (0x5A & 0xFF) }", NULL);
- assert_true_rule("rule test { condition: ~0x55 & 0xFF == 0xAA }", NULL);
- assert_true_rule("rule test { condition: 8 >> 2 == 2 }", NULL);
- assert_true_rule("rule test { condition: 1 << 3 == 8 }", NULL);
- assert_true_rule("rule test { condition: 1 | 3 ^ 3 == 1 | (3 ^ 3) }", NULL);
- assert_false_rule("rule test { condition: ~0xAA ^ 0x5A & 0xFF == 0x0F }", NULL);
- assert_false_rule("rule test { condition: 1 | 3 ^ 3 == (1 | 3) ^ 3}", NULL);
+static void test_bitwise_operators()
+{
+ assert_true_rule(
+ "rule test { condition: 0x55 | 0xAA == 0xFF }",
+ NULL);
+
+ assert_true_rule(
+ "rule test { condition: ~0xAA ^ 0x5A & 0xFF == (~0xAA) ^ (0x5A & 0xFF) }",
+ NULL);
+
+ assert_true_rule(
+ "rule test { condition: ~0x55 & 0xFF == 0xAA }",
+ NULL);
+
+ assert_true_rule(
+ "rule test { condition: 8 >> 2 == 2 }",
+ NULL);
+
+ assert_true_rule(
+ "rule test { condition: 1 << 3 == 8 }",
+ NULL);
+
+ assert_true_rule(
+ "rule test { condition: 1 | 3 ^ 3 == 1 | (3 ^ 3) }",
+ NULL);
+
+ assert_false_rule(
+ "rule test { condition: ~0xAA ^ 0x5A & 0xFF == 0x0F }",
+ NULL);
+
+ assert_false_rule(
+ "rule test { condition: 1 | 3 ^ 3 == (1 | 3) ^ 3}",
+ NULL);
+
}
-static void test_syntax() {
- assert_syntax_error("rule test { strings: $a = \"a\" $a = \"a\" condition: all of them }");
+
+static void test_syntax()
+{
+ assert_syntax_error(
+ "rule test { strings: $a = \"a\" $a = \"a\" condition: all of them }");
}
-static void test_anonymous_strings() {
- assert_true_rule("rule test { strings: $ = \"a\" $ = \"b\" condition: all of them }", "ab");
+
+static void test_anonymous_strings()
+{
+ assert_true_rule(
+ "rule test { strings: $ = \"a\" $ = \"b\" condition: all of them }",
+ "ab");
}
-static void test_strings() {
+
+static void test_strings()
+{
char* str = "---- abc ---- xyz";
- assert_true_rule("rule test { strings: $a = \"a\" condition: $a }", str);
- assert_true_rule("rule test { strings: $a = \"ab\" condition: $a }", str);
- assert_true_rule("rule test { strings: $a = \"abc\" condition: $a }", str);
- assert_true_rule("rule test { strings: $a = \"xyz\" condition: $a }", str);
- assert_true_rule("rule test { strings: $a = \"abc\" nocase fullword condition: $a }", str);
- assert_true_rule("rule test { strings: $a = \"aBc\" nocase condition: $a }", str);
- assert_true_rule("rule test { strings: $a = \"abc\" fullword condition: $a }", str);
-
- assert_false_rule("rule test { strings: $a = \"a\" fullword condition: $a }", str);
- assert_false_rule("rule test { strings: $a = \"ab\" fullword condition: $a }", str);
- assert_false_rule("rule test { strings: $a = \"abc\" wide fullword condition: $a }", str);
-
- uint8_t blob[] = "---- a\000b\000c\000 -\000-\000-\000-\000x\000y\000z\000";
- size_t blob_len = sizeof(blob);
- assert_true_rule_blob("rule test { strings: $a = \"a\" wide condition: $a }", blob, blob_len);
- assert_true_rule_blob("rule test { strings: $a = \"a\" wide ascii condition: $a }", blob, blob_len);
- assert_true_rule_blob("rule test { strings: $a = \"ab\" wide condition: $a }", blob, blob_len);
- assert_true_rule_blob("rule test { strings: $a = \"ab\" wide ascii condition: $a }", blob, blob_len);
- assert_true_rule_blob("rule test { strings: $a = \"abc\" wide condition: $a }", blob, blob_len);
- assert_true_rule_blob("rule test { strings: $a = \"abc\" wide nocase fullword condition: $a }", blob, blob_len);
- assert_true_rule_blob("rule test { strings: $a = \"aBc\" wide nocase condition: $a }", blob, blob_len);
- assert_true_rule_blob("rule test { strings: $a = \"aBc\" wide ascii nocase condition: $a }", blob, blob_len);
- assert_true_rule_blob("rule test { strings: $a = \"---xyz\" wide nocase condition: $a }", blob, blob_len);
-
- assert_true_rule("rule test { strings: $a = \"abc\" fullword condition: $a }", "abc");
-
- assert_false_rule("rule test { strings: $a = \"abc\" fullword condition: $a }", "xabcx");
-
- assert_false_rule("rule test { strings: $a = \"abc\" fullword condition: $a }", "xabc");
-
- assert_false_rule("rule test { strings: $a = \"abc\" fullword condition: $a }", "abcx");
-
- assert_false_rule("rule test { strings: $a = \"abc\" ascii wide fullword condition: $a }", "abcx");
-
- assert_true_rule_blob("rule test { strings: $a = \"abc\" ascii wide fullword condition: $a }",
- (uint8_t*)"a\000abc", 5);
-
- assert_true_rule_blob("rule test { strings: $a = \"abc\" wide fullword condition: $a }",
- (uint8_t*)"a\000b\000c\000", 6);
-
- assert_false_rule_blob("rule test { strings: $a = \"abc\" wide fullword condition: $a }",
- (uint8_t*)"x\000a\000b\000c\000x\000", 10);
-
- assert_false_rule_blob("rule test { strings: $a = \"ab\" wide fullword condition: $a }",
- (uint8_t*)"x\000a\000b\000", 6);
-
- assert_false_rule_blob("rule test { strings: $a = \"abc\" wide fullword condition: $a }",
- (uint8_t*)"x\000a\000b\000c\000", 8);
-
- assert_true_rule_blob("rule test { strings: $a = \"abc\" wide fullword condition: $a }",
- (uint8_t*)"x\001a\000b\000c\000", 8);
-
- assert_true_rule("rule test {\n\
- strings:\n\
- $a = \"abcdef\"\n\
- $b = \"cdef\"\n\
- $c = \"ef\"\n\
- condition:\n\
- all of them\n\
- }", "abcdef");
+ uint8_t blob[] = "---- a\0b\0c\0 -\0-\0-\0-\0x\0y\0z\0";
+
+ assert_true_rule(
+ "rule test { strings: $a = \"a\" condition: $a }",
+ str);
+
+ assert_true_rule(
+ "rule test { strings: $a = \"ab\" condition: $a }",
+ str);
+
+ assert_true_rule(
+ "rule test { strings: $a = \"abc\" condition: $a }",
+ str);
+
+ assert_true_rule(
+ "rule test { strings: $a = \"xyz\" condition: $a }",
+ str);
+
+ assert_true_rule(
+ "rule test { strings: $a = \"abc\" nocase fullword condition: $a }",
+ str);
+
+ assert_true_rule(
+ "rule test { strings: $a = \"aBc\" nocase condition: $a }",
+ str);
+
+ assert_true_rule(
+ "rule test { strings: $a = \"abc\" fullword condition: $a }",
+ str);
+
+ assert_false_rule(
+ "rule test { strings: $a = \"a\" fullword condition: $a }",
+ str);
+
+ assert_false_rule(
+ "rule test { strings: $a = \"ab\" fullword condition: $a }",
+ str);
+
+ assert_false_rule(
+ "rule test { strings: $a = \"abc\" wide fullword condition: $a }",
+ str);
+
+ assert_true_rule_blob(
+ "rule test { strings: $a = \"a\" wide condition: $a }",
+ blob);
+
+ assert_true_rule_blob(
+ "rule test { strings: $a = \"a\" wide ascii condition: $a }",
+ blob);
+
+ assert_true_rule_blob(
+ "rule test { strings: $a = \"ab\" wide condition: $a }",
+ blob);
+
+ assert_true_rule_blob(
+ "rule test { strings: $a = \"ab\" wide ascii condition: $a }",
+ blob);
+
+ assert_true_rule_blob(
+ "rule test { strings: $a = \"abc\" wide condition: $a }",
+ blob);
+
+ assert_true_rule_blob(
+ "rule test { strings: $a = \"abc\" wide nocase fullword condition: $a }",
+ blob);
+
+ assert_true_rule_blob(
+ "rule test { strings: $a = \"aBc\" wide nocase condition: $a }",
+ blob);
+
+ assert_true_rule_blob(
+ "rule test { strings: $a = \"aBc\" wide ascii nocase condition: $a }",
+ blob);
+
+ assert_true_rule_blob(
+ "rule test { strings: $a = \"---xyz\" wide nocase condition: $a }",
+ blob);
+
+ assert_true_rule(
+ "rule test { strings: $a = \"abc\" fullword condition: $a }",
+ "abc");
+
+ assert_false_rule(
+ "rule test { strings: $a = \"abc\" fullword condition: $a }",
+ "xabcx");
+
+ assert_false_rule(
+ "rule test { strings: $a = \"abc\" fullword condition: $a }",
+ "xabc");
+
+ assert_false_rule(
+ "rule test { strings: $a = \"abc\" fullword condition: $a }",
+ "abcx");
+
+ assert_false_rule(
+ "rule test { strings: $a = \"abc\" ascii wide fullword condition: $a }",
+ "abcx");
+
+ assert_true_rule_blob(
+ "rule test { strings: $a = \"abc\" ascii wide fullword condition: $a }",
+ "a\0abc");
+
+ assert_true_rule_blob(
+ "rule test { strings: $a = \"abc\" wide fullword condition: $a }",
+ "a\0b\0c\0");
+
+ assert_false_rule_blob(
+ "rule test { strings: $a = \"abc\" wide fullword condition: $a }",
+ "x\0a\0b\0c\0x\0");
+
+ assert_false_rule_blob(
+ "rule test { strings: $a = \"ab\" wide fullword condition: $a }",
+ "x\0a\0b\0");
+
+ assert_false_rule_blob(
+ "rule test { strings: $a = \"abc\" wide fullword condition: $a }",
+ "x\0a\0b\0c\0");
+
+ assert_true_rule_blob(
+ "rule test { strings: $a = \"abc\" wide fullword condition: $a }",
+ "x\001a\0b\0c\0");
+
+ assert_true_rule(
+ "rule test {\n\
+ strings:\n\
+ $a = \"abcdef\"\n\
+ $b = \"cdef\"\n\
+ $c = \"ef\"\n\
+ condition:\n\
+ all of them\n\
+ }", "abcdef");
}
-static void test_wildcard_strings() {
- uint8_t blob[] = "---- abc ---- A\x00""B\x00""C\x00 ---- xyz";
- size_t blob_len = sizeof(blob);
- assert_true_rule_blob("rule test {\n\
- strings:\n\
- $s1 = \"abc\"\n\
- $s2 = \"xyz\"\n\
- condition:\n\
- for all of ($*) : ($)\n\
- }", blob, blob_len);
-
+
+static void test_wildcard_strings()
+{
+ assert_true_rule_blob(
+ "rule test {\n\
+ strings:\n\
+ $s1 = \"abc\"\n\
+ $s2 = \"xyz\"\n\
+ condition:\n\
+ for all of ($*) : ($)\n\
+ }",
+ "---- abc ---- A\x00""B\x00""C\x00 ---- xyz");
}
-static void test_hex_strings() {
- assert_true_rule_blob("rule test { strings: $a = { 64 01 00 00 60 01 } condition: $a }",
- PE32_FILE, sizeof(PE32_FILE));
- assert_true_rule_blob("rule test { strings: $a = { 64 0? 00 00 ?0 01 } condition: $a }",
- PE32_FILE, sizeof(PE32_FILE));
- assert_true_rule_blob("rule test { strings: $a = { 6? 01 00 00 60 0? } condition: $a }",
- PE32_FILE, sizeof(PE32_FILE));
- assert_true_rule_blob("rule test { strings: $a = { 64 01 [1-3] 60 01 } condition: $a }",
- PE32_FILE, sizeof(PE32_FILE));
- assert_true_rule_blob("rule test { strings: $a = { 64 01 [1-3] (60|61) 01 } condition: $a }",
- PE32_FILE, sizeof(PE32_FILE));
- assert_true_rule_blob("rule test { strings: $a = { 4D 5A [-] 6A 2A [-] 58 C3} condition: $a }",
- PE32_FILE, sizeof(PE32_FILE));
- assert_true_rule_blob("rule test { strings: $a = { 4D 5A [300-] 6A 2A [-] 58 C3} condition: $a }",
- PE32_FILE, sizeof(PE32_FILE));
- assert_true_rule_blob("rule test { strings: $a = { 2e 7? (65 | ?""?"") 78 } condition: $a }",
- PE32_FILE, sizeof(PE32_FILE));
-
- assert_false_rule_blob("rule test { strings: $a = { 4D 5A [0-300] 6A 2A } condition: $a }",
- PE32_FILE, sizeof(PE32_FILE));
- assert_false_rule_blob("rule test { strings: $a = { 4D 5A [0-128] 45 [0-128] 01 [0-128] C3 } condition: $a }",
- PE32_FILE, sizeof(PE32_FILE));
-
- assert_true_rule("rule test { strings: $a = { 31 32 [-] 38 39 } condition: $a }", "1234567890");
- assert_true_rule("rule test { strings: $a = { 31 32 [-] 33 34 [-] 38 39 } condition: $a }", "1234567890");
- assert_true_rule("rule test { strings: $a = { 31 32 [1] 34 35 [2] 38 39 } condition: $a }", "1234567890");
- assert_true_rule("rule test { strings: $a = { 31 32 [1-] 34 35 [1-] 38 39 } condition: $a }", "1234567890");
- assert_true_rule("rule test { strings: $a = { 31 32 [0-3] 34 35 [1-] 38 39 } condition: $a }", "1234567890");
- assert_true_rule("rule test { strings: $a = { 31 32 [0-2] 35 [1-] 37 38 39 } condition: $a }", "1234567890");
-
- assert_true_rule("rule test { strings: $a = { 31 32 [-] 38 39 } condition: all of them }", "1234567890");
-
- assert_false_rule("rule test { strings: $a = { 31 32 [-] 32 33 } condition: $a }", "1234567890");
- assert_false_rule("rule test { strings: $a = { 35 36 [-] 31 32 } condition: $a }", "1234567890");
- assert_false_rule("rule test { strings: $a = { 31 32 [2-] 34 35 } condition: $a }", "1234567890");
- assert_false_rule("rule test { strings: $a = { 31 32 [0-3] 37 38 } condition: $a }", "1234567890");
-
- assert_syntax_error("rule test { strings: $a = { 01 [0] 02 } condition: $a }");
- assert_syntax_error("rule test { strings: $a = { [-] 01 02 } condition: $a }");
- assert_syntax_error("rule test { strings: $a = { 01 02 [-] } condition: $a }");
- assert_syntax_error("rule test { strings: $a = { 01 02 ([-] 03 | 04) } condition: $a }");
- assert_syntax_error("rule test { strings: $a = { 01 02 (03 [-] | 04) } condition: $a }");
- assert_syntax_error("rule test { strings: $a = { 01 02 (03 | 04 [-]) } condition: $a ");
+
+static void test_hex_strings()
+{
+ assert_true_rule_blob(
+ "rule test { \
+ strings: $a = { 64 01 00 00 60 01 } \
+ condition: $a }",
+ PE32_FILE);
+
+ assert_true_rule_blob(
+ "rule test { \
+ strings: $a = { 64 0? 00 00 ?0 01 } \
+ condition: $a }",
+ PE32_FILE);
+
+ assert_true_rule_blob(\
+
+ "rule test { \
+ strings: $a = { 6? 01 00 00 60 0? } \
+ condition: $a }",
+ PE32_FILE);
+
+ assert_true_rule_blob(
+ "rule test { \
+ strings: $a = { 64 01 [1-3] 60 01 } \
+ condition: $a }",
+ PE32_FILE);
+
+ assert_true_rule_blob(
+ "rule test { \
+ strings: $a = { 64 01 [1-3] (60|61) 01 } \
+ condition: $a }",
+ PE32_FILE);
+
+ assert_true_rule_blob(
+ "rule test { \
+ strings: $a = { 4D 5A [-] 6A 2A [-] 58 C3} \
+ condition: $a }",
+ PE32_FILE);
+
+ assert_true_rule_blob(
+ "rule test { \
+ strings: $a = { 4D 5A [300-] 6A 2A [-] 58 C3} \
+ condition: $a }",
+ PE32_FILE);
+
+ assert_true_rule_blob(
+ "rule test { \
+ strings: $a = { 2e 7? (65 | ?""?"") 78 } \
+ condition: $a }",
+ PE32_FILE);
+
+ assert_false_rule_blob(
+ "rule test { \
+ strings: $a = { 4D 5A [0-300] 6A 2A } \
+ condition: $a }",
+ PE32_FILE);
+
+ assert_false_rule_blob(
+ "rule test { \
+ strings: $a = { 4D 5A [0-128] 45 [0-128] 01 [0-128] C3 } \
+ condition: $a }",
+ PE32_FILE);
+
+ assert_true_rule(
+ "rule test { \
+ strings: $a = { 31 32 [-] 38 39 } \
+ condition: $a }",
+ "1234567890");
+
+ assert_true_rule(
+ "rule test { \
+ strings: $a = { 31 32 [-] 33 34 [-] 38 39 } \
+ condition: $a }",
+ "1234567890");
+
+ assert_true_rule(
+ "rule test { \
+ strings: $a = { 31 32 [1] 34 35 [2] 38 39 } \
+ condition: $a }",
+ "1234567890");
+
+ assert_true_rule(
+ "rule test {\
+ strings: $a = { 31 32 [1-] 34 35 [1-] 38 39 } \
+ condition: $a }",
+ "1234567890");
+
+ assert_true_rule(
+ "rule test { \
+ strings: $a = { 31 32 [0-3] 34 35 [1-] 38 39 } \
+ condition: $a }",
+ "1234567890");
+
+ assert_true_rule(
+ "rule test { \
+ strings: $a = { 31 32 [0-2] 35 [1-] 37 38 39 } \
+ condition: $a }",
+ "1234567890");
+
+ assert_true_rule(
+ "rule test { \
+ strings: $a = { 31 32 [-] 38 39 } \
+ condition: all of them }",
+ "1234567890");
+
+ assert_false_rule(
+ "rule test { \
+ strings: $a = { 31 32 [-] 32 33 } \
+ condition: $a }",
+ "1234567890");
+
+ assert_false_rule(
+ "rule test { \
+ strings: $a = { 35 36 [-] 31 32 } \
+ condition: $a }",
+ "1234567890");
+
+ assert_false_rule(
+ "rule test { \
+ strings: $a = { 31 32 [2-] 34 35 } \
+ condition: $a }",
+ "1234567890");
+
+ assert_false_rule(
+ "rule test { \
+ strings: $a = { 31 32 [0-3] 37 38 } \
+ condition: $a }",
+ "1234567890");
+
+ assert_syntax_error(
+ "rule test { \
+ strings: $a = { 01 [0] 02 } \
+ condition: $a }");
+
+ assert_syntax_error(
+ "rule test { \
+ strings: $a = { [-] 01 02 } condition: $a }");
+
+ assert_syntax_error(
+ "rule test { \
+ strings: $a = { 01 02 [-] } \
+ condition: $a }");
+
+ assert_syntax_error(
+ "rule test { \
+ strings: $a = { 01 02 ([-] 03 | 04) } \
+ condition: $a }");
+
+ assert_syntax_error(
+ "rule test { \
+ strings: $a = { 01 02 (03 [-] | 04) } \
+ condition: $a }");
+
+ assert_syntax_error(
+ "rule test { \
+ strings: $a = { 01 02 (03 | 04 [-]) } \
+ condition: $a ");
/* TODO: tests.py:551 ff. */
}
-static void test_count() {
- assert_true_rule("rule test { strings: $a = \"ssi\" condition: #a == 2 }", "mississippi");
+
+static void test_count()
+{
+ assert_true_rule(
+ "rule test { strings: $a = \"ssi\" condition: #a == 2 }",
+ "mississippi");
}
-static void test_at() {
- assert_true_rule("rule test { strings: $a = \"ssi\" condition: $a at 2 and $a at 5 }", "mississippi");
- assert_true_rule("rule test { strings: $a = \"mis\" condition: $a at ~0xFF & 0xFF }", "mississippi");
- assert_true_rule_blob("rule test { strings: $a = { 00 00 00 00 ?? 74 65 78 74 } condition: $a at 308}",
- PE32_FILE, sizeof(PE32_FILE));
+static void test_at()
+{
+ assert_true_rule(
+ "rule test { \
+ strings: $a = \"ssi\" \
+ condition: $a at 2 and $a at 5 }",
+ "mississippi");
+
+ assert_true_rule(
+ "rule test { \
+ strings: $a = \"mis\" \
+ condition: $a at ~0xFF & 0xFF }",
+ "mississippi");
+
+ assert_true_rule_blob(
+ "rule test { \
+ strings: $a = { 00 00 00 00 ?? 74 65 78 74 } \
+ condition: $a at 308}",
+ PE32_FILE);
}
-static void test_in() {
- assert_true_rule_blob("import \"pe\" rule test { strings: $a = { 6a 2a 58 c3 } condition: $a in (pe.entry_point .. pe.entry_point + 1) }",
- PE32_FILE, sizeof(PE32_FILE));
+
+static void test_in()
+{
+ assert_true_rule_blob(
+ "import \"pe\" \
+ rule test { \
+ strings: $a = { 6a 2a 58 c3 } \
+ condition: $a in (pe.entry_point .. pe.entry_point + 1) }",
+ PE32_FILE);
}
-static void test_offset() {
- assert_true_rule("rule test { strings: $a = \"ssi\" condition: @a == 2 }", "mississippi");
- assert_true_rule("rule test { strings: $a = \"ssi\" condition: @a == @a[1] }", "mississippi");
- assert_true_rule("rule test { strings: $a = \"ssi\" condition: @a[2] == 5 }", "mississippi");
+
+static void test_offset()
+{
+ assert_true_rule(
+ "rule test { strings: $a = \"ssi\" condition: @a == 2 }",
+ "mississippi");
+
+ assert_true_rule(
+ "rule test { strings: $a = \"ssi\" condition: @a == @a[1] }",
+ "mississippi");
+
+ assert_true_rule(
+ "rule test { strings: $a = \"ssi\" condition: @a[2] == 5 }",
+ "mississippi");
}
-static void test_length() {
- assert_true_rule("rule test { strings: $a = /m.*?ssi/ condition: !a == 5 }", "mississippi");
- assert_true_rule("rule test { strings: $a = /m.*?ssi/ condition: !a[1] == 5 }", "mississippi");
- assert_true_rule("rule test { strings: $a = /m.*ssi/ condition: !a == 8 }", "mississippi");
- assert_true_rule("rule test { strings: $a = /m.*ssi/ condition: !a[1] == 8 }", "mississippi");
- assert_true_rule("rule test { strings: $a = /ssi.*ppi/ condition: !a[1] == 9 }", "mississippi");
- assert_true_rule("rule test { strings: $a = /ssi.*ppi/ condition: !a[2] == 6 }", "mississippi");
- assert_true_rule("rule test { strings: $a = { 6D [1-3] 73 73 69 } condition: !a == 5}", "mississippi");
- assert_true_rule("rule test { strings: $a = { 6D [-] 73 73 69 } condition: !a == 5}", "mississippi");
- assert_true_rule("rule test { strings: $a = { 6D [-] 70 70 69 } condition: !a == 11}", "mississippi");
- assert_true_rule("rule test { strings: $a = { 6D 69 73 73 [-] 70 69 } condition: !a == 11}", "mississippi");
+
+static void test_length()
+{
+ assert_true_rule(
+ "rule test { strings: $a = /m.*?ssi/ condition: !a == 5 }",
+ "mississippi");
+
+ assert_true_rule(
+ "rule test { strings: $a = /m.*?ssi/ condition: !a[1] == 5 }",
+ "mississippi");
+
+ assert_true_rule(
+ "rule test { strings: $a = /m.*ssi/ condition: !a == 8 }",
+ "mississippi");
+
+ assert_true_rule(
+ "rule test { strings: $a = /m.*ssi/ condition: !a[1] == 8 }",
+ "mississippi");
+
+ assert_true_rule(
+ "rule test { strings: $a = /ssi.*ppi/ condition: !a[1] == 9 }",
+ "mississippi");
+
+ assert_true_rule(
+ "rule test { strings: $a = /ssi.*ppi/ condition: !a[2] == 6 }",
+ "mississippi");
+
+ assert_true_rule(
+ "rule test { strings: $a = { 6D [1-3] 73 73 69 } condition: !a == 5}",
+ "mississippi");
+
+ assert_true_rule(
+ "rule test { strings: $a = { 6D [-] 73 73 69 } condition: !a == 5}",
+ "mississippi");
+
+ assert_true_rule(
+ "rule test { strings: $a = { 6D [-] 70 70 69 } condition: !a == 11}",
+ "mississippi");
+
+ assert_true_rule(
+ "rule test { strings: $a = { 6D 69 73 73 [-] 70 69 } condition: !a == 11}",
+ "mississippi");
}
-static void test_of() {
- assert_true_rule("rule test { strings: $a = \"ssi\" $b = \"mis\" $c = \"oops\" condition: any of them }", "mississippi");
- assert_true_rule("rule test { strings: $a = \"ssi\" $b = \"mis\" $c = \"oops\" condition: 1 of them }", "mississippi");
- assert_true_rule("rule test { strings: $a = \"ssi\" $b = \"mis\" $c = \"oops\" condition: 2 of them }", "mississippi");
- assert_true_rule("rule test { strings: $a1 = \"dummy1\" $b1 = \"dummy1\" $b2 = \"ssi\" condition: any of ($a*, $b*) }", "mississippi");
-
- assert_true_rule_blob("rule test\n\
- {\n\
- strings:\n\
- $ = /abc/\n\
- $ = /def/\n\
- $ = /ghi/\n\
- condition:\n\
- for any of ($*) : ( for any i in (1..#): (uint8(@[i] - 1) == 0x00) )\n\
- }", (uint8_t*)"abc\000def\000ghi", 11);
- assert_false_rule("rule test { strings: $a = \"ssi\" $b = \"mis\" $c = \"oops\" condition: all of them }", "mississippi");
-
- assert_syntax_error("rule test { condition: all of ($a*) }");
- assert_syntax_error("rule test { condition: all of them }");
+
+static void test_of()
+{
+ assert_true_rule(
+ "rule test { strings: $a = \"ssi\" $b = \"mis\" $c = \"oops\" "
+ "condition: any of them }",
+ "mississippi");
+
+ assert_true_rule(
+ "rule test { strings: $a = \"ssi\" $b = \"mis\" $c = \"oops\" "
+ "condition: 1 of them }",
+ "mississippi");
+
+ assert_true_rule(
+ "rule test { strings: $a = \"ssi\" $b = \"mis\" $c = \"oops\" "
+ "condition: 2 of them }",
+ "mississippi");
+
+ assert_true_rule(
+ "rule test { strings: $a1 = \"dummy1\" $b1 = \"dummy1\" $b2 = \"ssi\""
+ "condition: any of ($a*, $b*) }",
+ "mississippi");
+
+ assert_true_rule_blob(
+ "rule test { \
+ strings: \
+ $ = /abc/ \
+ $ = /def/ \
+ $ = /ghi/ \
+ condition: \
+ for any of ($*) : ( for any i in (1..#): (uint8(@[i] - 1) == 0x00) )\
+ }",
+ "abc\000def\000ghi");
+
+ assert_false_rule(
+ "rule test { \
+ strings: \
+ $a = \"ssi\" \
+ $b = \"mis\" \
+ $c = \"oops\" \
+ condition: \
+ all of them \
+ }",
+ "mississippi");
+
+ assert_syntax_error(
+ "rule test { condition: all of ($a*) }");
+
+ assert_syntax_error(
+ "rule test { condition: all of them }");
}
-void test_for() {
- assert_true_rule("rule test { strings: $a = \"ssi\" condition: for all i in (1..#a) : (@a[i] >= 2 and @a[i] <= 5) }", "mississippi");
- assert_true_rule("rule test { strings: $a = \"ssi\" $b = \"mi\" condition: for all i in (1..#a) : ( for all j in (1..#b) : (@a[i] >= @b[j])) }", "mississippi");
-
- assert_false_rule("rule test { strings: $a = \"ssi\" condition: for all i in (1..#a) : (@a[i] == 5) }", "mississippi");
+
+void test_for()
+{
+ assert_true_rule(
+ "rule test { \
+ strings: \
+ $a = \"ssi\" \
+ condition: \
+ for all i in (1..#a) : (@a[i] >= 2 and @a[i] <= 5) \
+ }",
+ "mississippi");
+
+ assert_true_rule(
+ "rule test { \
+ strings: \
+ $a = \"ssi\" \
+ $b = \"mi\" \
+ condition: \
+ for all i in (1..#a) : ( for all j in (1..#b) : (@a[i] >= @b[j])) \
+ }",
+ "mississippi");
+
+ assert_false_rule(
+ "rule test { \
+ strings: \
+ $a = \"ssi\" \
+ condition: \
+ for all i in (1..#a) : (@a[i] == 5) \
+ }",
+ "mississippi");
}
-void test_re() {
- assert_true_rule("rule test { strings: $a = /ssi/ condition: $a }",
- "mississippi\tmississippi.mississippi\nmississippi");
- assert_true_rule("rule test { strings: $a = /ssi(s|p)/ condition: $a }",
- "mississippi\tmississippi.mississippi\nmississippi");
- assert_true_rule("rule test { strings: $a = /ssim*/ condition: $a }",
- "mississippi\tmississippi.mississippi\nmississippi");
- assert_true_rule("rule test { strings: $a = /ssa?/ condition: $a }",
- "mississippi\tmississippi.mississippi\nmississippi");
- assert_true_rule("rule test { strings: $a = /Miss/ nocase condition: $a }",
- "mississippi\tmississippi.mississippi\nmississippi");
- assert_true_rule("rule test { strings: $a = /(M|N)iss/ nocase condition: $a }",
- "mississippi\tmississippi.mississippi\nmississippi");
- assert_true_rule("rule test { strings: $a = /[M-N]iss/ nocase condition: $a }",
- "mississippi\tmississippi.mississippi\nmississippi");
- assert_true_rule("rule test { strings: $a = /(Mi|ssi)ssippi/ nocase condition: $a }",
- "mississippi\tmississippi.mississippi\nmississippi");
- assert_true_rule("rule test { strings: $a = /ppi\\tmi/ condition: $a }",
- "mississippi\tmississippi.mississippi\nmississippi");
- assert_true_rule("rule test { strings: $a = /ppi\\.mi/ condition: $a }",
- "mississippi\tmississippi.mississippi\nmississippi");
- assert_true_rule("rule test { strings: $a = /^mississippi/ fullword condition: $a }",
- "mississippi\tmississippi.mississippi\nmississippi");
- assert_true_rule("rule test { strings: $a = /mississippi.*mississippi$/s condition: $a }",
- "mississippi\tmississippi.mississippi\nmississippi");
-
- assert_false_rule("rule test { strings: $a = /^ssi/ condition: $a }", "mississippi");
- assert_false_rule("rule test { strings: $a = /ssi$/ condition: $a }", "mississippi");
- assert_false_rule("rule test { strings: $a = /ssissi/ fullword condition: $a }", "mississippi");
- assert_false_rule("rule test { strings: $a = /^[isp]+/ condition: $a }", "mississippi");
-
- /* tests.py:670 ff. */
+
+void test_re()
+{
+ assert_true_rule(
+ "rule test { strings: $a = /ssi/ condition: $a }",
+ "mississippi\tmississippi.mississippi\nmississippi");
+
+ assert_true_rule(
+ "rule test { strings: $a = /ssi(s|p)/ condition: $a }",
+ "mississippi\tmississippi.mississippi\nmississippi");
+
+ assert_true_rule(
+ "rule test { strings: $a = /ssim*/ condition: $a }",
+ "mississippi\tmississippi.mississippi\nmississippi");
+
+ assert_true_rule(
+ "rule test { strings: $a = /ssa?/ condition: $a }",
+ "mississippi\tmississippi.mississippi\nmississippi");
+
+ assert_true_rule(
+ "rule test { strings: $a = /Miss/ nocase condition: $a }",
+ "mississippi\tmississippi.mississippi\nmississippi");
+
+ assert_true_rule(
+ "rule test { strings: $a = /(M|N)iss/ nocase condition: $a }",
+ "mississippi\tmississippi.mississippi\nmississippi");
+
+ assert_true_rule(
+ "rule test { strings: $a = /[M-N]iss/ nocase condition: $a }",
+ "mississippi\tmississippi.mississippi\nmississippi");
+
+ assert_true_rule(
+ "rule test { strings: $a = /(Mi|ssi)ssippi/ nocase condition: $a }",
+ "mississippi\tmississippi.mississippi\nmississippi");
+
+ assert_true_rule(
+ "rule test { strings: $a = /ppi\\tmi/ condition: $a }",
+ "mississippi\tmississippi.mississippi\nmississippi");
+
+ assert_true_rule(
+ "rule test { strings: $a = /ppi\\.mi/ condition: $a }",
+ "mississippi\tmississippi.mississippi\nmississippi");
+
+ assert_true_rule(
+ "rule test { strings: $a = /^mississippi/ fullword condition: $a }",
+ "mississippi\tmississippi.mississippi\nmississippi");
+
+ assert_true_rule(
+ "rule test { strings: $a = /mississippi.*mississippi$/s condition: $a }",
+ "mississippi\tmississippi.mississippi\nmississippi");
+
+ assert_false_rule(
+ "rule test { strings: $a = /^ssi/ condition: $a }",
+ "mississippi");
+
+ assert_false_rule(
+ "rule test { strings: $a = /ssi$/ condition: $a }",
+ "mississippi");
+
+ assert_false_rule(
+ "rule test { strings: $a = /ssissi/ fullword condition: $a }",
+ "mississippi");
+
+ assert_false_rule(
+ "rule test { strings: $a = /^[isp]+/ condition: $a }",
+ "mississippi");
+
assert_regexp_syntax_error(")");
assert_true_regexp("abc", "abc", "abc");
assert_false_regexp("abc", "xbc");
@@ -465,9 +940,9 @@ void test_re() {
assert_true_regexp("\\B\\w\\w\\w", "abcd", "bcd");
assert_false_regexp("\\B\\w\\w\\w\\B", "abcd");
- /* This is allowed in most regexp engines but in order to keep the
- grammar free of shift/reduce conflicts I've decided not supporting
- it. Users can use the (abc|) form instead. */
+ // This is allowed in most regexp engines but in order to keep the
+ // grammar free of shift/reduce conflicts I've decided not supporting
+ // it. Users can use the (abc|) form instead.
assert_regexp_syntax_error("(|abc)ef");
assert_true_regexp("((a)(b)c)(d)", "abcd", "abcd");
@@ -498,77 +973,243 @@ void test_re() {
assert_false_regexp("(bc+d$|ef*g.|h?i(j|k))", "bcdd");
assert_true_regexp("(bc+d$|ef*g.|h?i(j|k))", "reffgz", "effgz");
- /* Test case for issue #324 */
+ // Test case for issue #324
assert_true_regexp("whatever| x. x", " xy x", " xy x");
}
-static void test_entrypoint() {
- assert_true_rule_blob("rule test { strings: $a = { 6a 2a 58 c3 } condition: $a at entrypoint }",
- PE32_FILE, sizeof(PE32_FILE));
- assert_true_rule_blob("rule test { strings: $a = { b8 01 00 00 00 bb 2a } condition: $a at entrypoint }",
- ELF32_FILE, sizeof(ELF32_FILE));
+static void test_entrypoint()
+{
+ assert_true_rule_blob(
+ "rule test { \
+ strings: $a = { 6a 2a 58 c3 } \
+ condition: $a at entrypoint }",
+ PE32_FILE);
+
+ assert_true_rule_blob(
+ "rule test { \
+ strings: $a = { b8 01 00 00 00 bb 2a } \
+ condition: $a at entrypoint }",
+ ELF32_FILE);
- assert_true_rule_blob("rule test { strings: $a = { b8 01 00 00 00 bb 2a } condition: $a at entrypoint }",
- ELF64_FILE, sizeof(ELF64_FILE));
+ assert_true_rule_blob(
+ "rule test { \
+ strings: $a = { b8 01 00 00 00 bb 2a } \
+ condition: $a at entrypoint }",
+ ELF64_FILE);
- assert_false_rule("rule test { condition: entrypoint >= 0 }", NULL);
+ assert_false_rule(
+ "rule test { condition: entrypoint >= 0 }",
+ NULL);
}
-static void test_filesize() {
+
+static void test_filesize()
+{
char rule[80];
- snprintf(rule, sizeof(rule), "rule test { condition: filesize == %zd }", sizeof(PE32_FILE));
- assert_true_rule_blob(rule, PE32_FILE, sizeof(PE32_FILE));
+
+ snprintf(
+ rule,
+ sizeof(rule),
+ "rule test { condition: filesize == %zd }",
+ sizeof(PE32_FILE));
+
+ assert_true_rule_blob(
+ rule,
+ PE32_FILE);
}
-static void test_comments() {
- assert_true_rule("rule test {\n\
- condition:\n\
- // this is a comment\n\
- /*** this is a comment ***/\n\
- /* /* /*\n\
- this is a comment\n\
- */\n\
- true\n\
- }", NULL);
+
+static void test_comments()
+{
+ assert_true_rule(
+ "rule test {\n\
+ condition:\n\
+ // this is a comment\n\
+ /*** this is a comment ***/\n\
+ /* /* /*\n\
+ this is a comment\n\
+ */\n\
+ true\n\
+ }",
+ NULL);
}
-static void test_modules() {
- assert_true_rule("import \"tests\" rule test { condition: tests.constants.one + 1 == tests.constants.two }", NULL);
- assert_true_rule("import \"tests\" rule test { condition: tests.constants.foo == \"foo\" }", NULL);
- assert_true_rule("import \"tests\" rule test { condition: tests.constants.empty == \"\" }", NULL);
- assert_true_rule("import \"tests\" rule test { condition: tests.empty() == \"\" }", NULL);
- assert_true_rule("import \"tests\" rule test { condition: tests.struct_array[1].i == 1 }", NULL);
- assert_true_rule("import \"tests\" rule test { condition: tests.struct_array[0].i == 1 or true}", NULL);
- assert_true_rule("import \"tests\" rule test { condition: tests.integer_array[0] == 0}", NULL);
- assert_true_rule("import \"tests\" rule test { condition: tests.integer_array[1] == 1}", NULL);
- assert_true_rule("import \"tests\" rule test { condition: tests.string_array[0] == \"foo\"}", NULL);
- assert_true_rule("import \"tests\" rule test { condition: tests.string_array[2] == \"baz\"}", NULL);
- assert_true_rule("import \"tests\" rule test { condition: tests.string_dict[\"foo\"] == \"foo\"}", NULL);
- assert_true_rule("import \"tests\" rule test { condition: tests.string_dict[\"bar\"] == \"bar\"}", NULL);
- assert_true_rule("import \"tests\" rule test { condition: tests.isum(1,2) == 3}", NULL);
- assert_true_rule("import \"tests\" rule test { condition: tests.isum(1,2,3) == 6}", NULL);
- assert_true_rule("import \"tests\" rule test { condition: tests.fsum(1.0,2.0) == 3.0}", NULL);
- assert_true_rule("import \"tests\" rule test { condition: tests.fsum(1.0,2.0,3.0) == 6.0}", NULL);
- assert_true_rule("import \"tests\" rule test { condition: tests.length(\"dummy\") == 5}", NULL);
-
- assert_false_rule("import \"tests\" rule test { condition: tests.struct_array[0].i == 1 }", NULL);
- assert_false_rule("import \"tests\" rule test { condition: tests.isum(1,1) == 3}", NULL);
- assert_false_rule("import \"tests\" rule test { condition: tests.fsum(1.0,1.0) == 3.0}", NULL);
+
+static void test_modules()
+{
+ assert_true_rule(
+ "import \"tests\" \
+ rule test { \
+ condition: tests.constants.one + 1 == tests.constants.two \
+ }",
+ NULL);
+
+ assert_true_rule(
+ "import \"tests\" \
+ rule test { \
+ condition: tests.constants.foo == \"foo\" \
+ }",
+ NULL);
+
+ assert_true_rule(
+ "import \"tests\" \
+ rule test { \
+ condition: tests.constants.empty == \"\" \
+ }",
+ NULL);
+
+ assert_true_rule(
+ "import \"tests\" \
+ rule test { \
+ condition: tests.empty() == \"\" \
+ }",
+ NULL);
+
+ assert_true_rule(
+ "import \"tests\" \
+ rule test { \
+ condition: tests.struct_array[1].i == 1 \
+ }",
+ NULL);
+
+ assert_true_rule(
+ "import \"tests\" \
+ rule test { \
+ condition: tests.struct_array[0].i == 1 or true \
+ }",
+ NULL);
+
+ assert_true_rule(
+ "import \"tests\" \
+ rule test { \
+ condition: tests.integer_array[0] == 0 \
+ }",
+ NULL);
+
+ assert_true_rule(
+ "import \"tests\" \
+ rule test { \
+ condition: tests.integer_array[1] == 1 \
+ }",
+ NULL);
+
+ assert_true_rule(
+ "import \"tests\" \
+ rule test { \
+ condition: tests.string_array[0] == \"foo\" \
+ }",
+ NULL);
+
+ assert_true_rule(
+ "import \"tests\" \
+ rule test { \
+ condition: tests.string_array[2] == \"baz\" \
+ }",
+ NULL);
+
+ assert_true_rule(
+ "import \"tests\" \
+ rule test { \
+ condition: tests.string_dict[\"foo\"] == \"foo\" \
+ }",
+ NULL);
+
+ assert_true_rule(
+ "import \"tests\" \
+ rule test { \
+ condition: tests.string_dict[\"bar\"] == \"bar\" \
+ }",
+ NULL);
+
+ assert_true_rule(
+ "import \"tests\" \
+ rule test { \
+ condition: tests.isum(1,2) == 3 \
+ }",
+ NULL);
+
+ assert_true_rule(
+ "import \"tests\" \
+ rule test { \
+ condition: tests.isum(1,2,3) == 6 \
+ }",
+ NULL);
+
+ assert_true_rule(
+ "import \"tests\" \
+ rule test { \
+ condition: tests.fsum(1.0,2.0) == 3.0 \
+ }",
+ NULL);
+
+ assert_true_rule(
+ "import \"tests\" \
+ rule test { \
+ condition: tests.fsum(1.0,2.0,3.0) == 6.0 \
+ }",
+ NULL);
+
+ assert_true_rule(
+ "import \"tests\" \
+ rule test { \
+ condition: tests.length(\"dummy\") == 5 \
+ }",
+ NULL);
+
+
+ assert_false_rule(
+ "import \"tests\" \
+ rule test { condition: tests.struct_array[0].i == 1 \
+ }",
+ NULL);
+
+ assert_false_rule(
+ "import \"tests\" \
+ rule test { condition: tests.isum(1,1) == 3 \
+ }",
+ NULL);
+
+ assert_false_rule(
+ "import \"tests\" \
+ rule test { condition: tests.fsum(1.0,1.0) == 3.0 \
+ }",
+ NULL);
}
-void test_integer_functions() {
- assert_true_rule("rule test { condition: uint8(0) == 0xAA}", "\xaa\xbb\xcc\xdd");
- assert_true_rule("rule test { condition: uint16(0) == 0xBBAA}", "\xaa\xbb\xcc\xdd");
- assert_true_rule("rule test { condition: uint32(0) == 0xDDCCBBAA}", "\xaa\xbb\xcc\xdd");
- assert_true_rule("rule test { condition: uint8be(0) == 0xAA}", "\xaa\xbb\xcc\xdd");
- assert_true_rule("rule test { condition: uint16be(0) == 0xAABB}", "\xaa\xbb\xcc\xdd");
- assert_true_rule("rule test { condition: uint32be(0) == 0xAABBCCDD}", "\xaa\xbb\xcc\xdd");
+
+void test_integer_functions()
+{
+ assert_true_rule(
+ "rule test { condition: uint8(0) == 0xAA}",
+ "\xaa\xbb\xcc\xdd");
+
+ assert_true_rule(
+ "rule test { condition: uint16(0) == 0xBBAA}",
+ "\xaa\xbb\xcc\xdd");
+
+ assert_true_rule(
+ "rule test { condition: uint32(0) == 0xDDCCBBAA}",
+ "\xaa\xbb\xcc\xdd");
+
+ assert_true_rule(
+ "rule test { condition: uint8be(0) == 0xAA}",
+ "\xaa\xbb\xcc\xdd");
+
+ assert_true_rule(
+ "rule test { condition: uint16be(0) == 0xAABB}",
+ "\xaa\xbb\xcc\xdd");
+
+ assert_true_rule(
+ "rule test { condition: uint32be(0) == 0xAABBCCDD}",
+ "\xaa\xbb\xcc\xdd");
}
+
int main(int argc, char** argv)
{
yr_initialize();
+
test_boolean_operators();
test_comparison_operators();
test_arithmetic_operators();
@@ -598,5 +1239,8 @@ int main(int argc, char** argv)
test_modules();
test_integer_functions();
// test_string_io();
+
+ yr_finalize();
+
return 0;
}
diff --git a/tests/util.c b/tests/util.c
index 77e7d5a..1a2e69a 100644
--- a/tests/util.c
+++ b/tests/util.c
@@ -15,98 +15,160 @@ limitations under the License.
*/
#include <stdio.h>
-#include <error.h>
#include <unistd.h>
#include <yara.h>
-YR_RULES* rule_of_string(char* string) {
+
+YR_RULES* compile_rule(
+ char* string)
+{
YR_COMPILER* compiler = NULL;
YR_RULES* rules = NULL;
- if (yr_compiler_create(&compiler) != ERROR_SUCCESS) {
+
+ if (yr_compiler_create(&compiler) != ERROR_SUCCESS)
+ {
perror("yr_compiler_create");
- goto out;
+ goto _exit;
}
- if (yr_compiler_add_string(compiler, string, NULL) != 0) {
- goto out;
+
+ if (yr_compiler_add_string(compiler, string, NULL) != 0)
+ {
+ goto _exit;
}
- if (yr_compiler_get_rules(compiler, &rules) != ERROR_SUCCESS) {
- goto out;
+
+ if (yr_compiler_get_rules(compiler, &rules) != ERROR_SUCCESS)
+ {
+ goto _exit;
}
- out:
+
+ _exit:
yr_compiler_destroy(compiler);
return rules;
}
-static int count_matches(int message, void* message_data, void* user_data) {
- if (message == CALLBACK_MSG_RULE_MATCHING) {
- (*(int*)user_data)++;
+
+static int count_matches(
+ int message,
+ void* message_data,
+ void* user_data)
+{
+ if (message == CALLBACK_MSG_RULE_MATCHING)
+ {
+ (*(int*) user_data)++;
}
+
return CALLBACK_CONTINUE;
}
-int matches_blob(char* rule, uint8_t* blob, size_t len) {
- if (blob == NULL) {
- blob = (uint8_t*)"dummy";
+
+int matches_blob(
+ char* rule,
+ uint8_t* blob,
+ size_t len)
+{
+ if (blob == NULL)
+ {
+ blob = (uint8_t*) "dummy";
len = 5;
}
- YR_RULES* rules = rule_of_string(rule);
- if (rules == NULL) {
+
+ YR_RULES* rules = compile_rule(rule);
+
+ if (rules == NULL)
+ {
fprintf(stderr, "failed to compile rule << %s >>\n", rule);
exit(EXIT_FAILURE);
}
+
int matches = 0;
- if (yr_rules_scan_mem(rules, blob, len, 0, count_matches, &matches, 0) != ERROR_SUCCESS) {
+ int scan_result = yr_rules_scan_mem(
+ rules, blob, len, 0, count_matches, &matches, 0);
+
+ if (scan_result != ERROR_SUCCESS)
+ {
fprintf(stderr, "yr_rules_scan_mem: error\n");
exit(EXIT_FAILURE);
}
+
yr_rules_destroy(rules);
+
return matches;
}
-int matches_string(char* rule, char* string) {
+
+int matches_string(
+ char* rule,
+ char* string)
+{
size_t len = 0;
- if (string != NULL) {
+
+ if (string != NULL)
len = strlen(string);
- }
+
return matches_blob(rule, (uint8_t*)string, len);
}
-typedef struct {
+typedef struct
+{
char* expected;
int found;
+
} find_string_t;
-static int capture_matches(int message, void* message_data, void* user_data) {
- if (message == CALLBACK_MSG_RULE_MATCHING) {
- find_string_t* f = (find_string_t*)user_data;
- YR_RULE* rule = (YR_RULE*)message_data;
+
+static int capture_matches(
+ int message,
+ void* message_data,
+ void* user_data)
+{
+ if (message == CALLBACK_MSG_RULE_MATCHING)
+ {
+ find_string_t* f = (find_string_t*) user_data;
+
+ YR_RULE* rule = (YR_RULE*) message_data;
YR_STRING* string;
- yr_rule_strings_foreach(rule, string) {
+
+ yr_rule_strings_foreach(rule, string)
+ {
YR_MATCH* match;
- yr_string_matches_foreach(string, match) {
- if (strncmp(f->expected, (char*)(match->data), match->length) == 0) {
+
+ yr_string_matches_foreach(string, match)
+ {
+ if (strncmp(f->expected, (char*)(match->data), match->length) == 0)
f->found++;
- }
}
}
}
+
return CALLBACK_CONTINUE;
}
-int capture_string(char* rule, char* string, char* expected_string) {
- YR_RULES* rules = rule_of_string(rule);
- if (rules == NULL) {
+
+int capture_string(
+ char* rule,
+ char* string,
+ char* expected_string)
+{
+ YR_RULES* rules = compile_rule(rule);
+
+ if (rules == NULL)
+ {
fprintf(stderr, "failed to compile rule << %s >>\n", rule);
exit(EXIT_FAILURE);
}
+
find_string_t f;
+
f.found = 0;
f.expected = expected_string;
+
if (yr_rules_scan_mem(rules, (uint8_t*)string, strlen(string), 0,
- capture_matches, &f, 0) != ERROR_SUCCESS) {
+ capture_matches, &f, 0) != ERROR_SUCCESS)
+ {
fprintf(stderr, "yr_rules_scan_mem: error\n");
exit(EXIT_FAILURE);
}
+
return f.found;
}
diff --git a/tests/util.h b/tests/util.h
index 3e5c315..0e4c67a 100644
--- a/tests/util.h
+++ b/tests/util.h
@@ -17,12 +17,29 @@ limitations under the License.
#ifndef _UTIL_H
#define _UTIL_H
-YR_RULES* rule_of_string(char* string);
-int matches_blob(char* rule, uint8_t* blob, size_t len);
-int matches_string(char* rule, char* string);
-int capture_string(char* rule, char* string, char* expected_string);
-#define assert_true_rule(rule,string) \
+YR_RULES* compile_rule(
+ char* string);
+
+
+int matches_blob(
+ char* rule,
+ uint8_t* blob,
+ size_t len);
+
+
+int matches_string(
+ char* rule,
+ char* string);
+
+
+int capture_string(
+ char* rule,
+ char* string,
+ char* expected_string);
+
+
+#define assert_true_rule(rule, string) \
do { \
if (!matches_string(rule, string)) { \
fprintf(stderr, "%s:%d: rule does not match (but should)\n", \
@@ -31,16 +48,16 @@ int capture_string(char* rule, char* string, char* expected_string);
} \
} while (0);
-#define assert_true_rule_blob(rule,blob,len) \
+#define assert_true_rule_blob(rule, blob) \
do { \
- if (!matches_blob(rule, blob, len)) { \
+ if (!matches_blob(rule, (uint8_t*) (blob), sizeof(blob))) { \
fprintf(stderr, "%s:%d: rule does not match (but should)\n", \
__FILE__, __LINE__ ); \
exit(EXIT_FAILURE); \
} \
} while (0);
-#define assert_false_rule(rule,string) \
+#define assert_false_rule(rule, string) \
do { \
if (matches_string(rule, string)) { \
fprintf(stderr, "%s:%d: rule matches (but shouldn't)\n", \
@@ -49,9 +66,9 @@ int capture_string(char* rule, char* string, char* expected_string);
} \
} while (0);
-#define assert_false_rule_blob(rule,blob,len) \
+#define assert_false_rule_blob(rule, blob) \
do { \
- if (matches_blob(rule, blob, len)) { \
+ if (matches_blob(rule, (uint8_t*) (blob), sizeof(blob))) { \
fprintf(stderr, "%s:%d: rule matches (but shouldn't)\n", \
__FILE__, __LINE__ ); \
exit(EXIT_FAILURE); \
@@ -59,7 +76,7 @@ int capture_string(char* rule, char* string, char* expected_string);
} while (0);
#define assert_syntax_correct(rule) do { \
- if (rule_of_string(rule) == NULL) { \
+ if (compile_rule(rule) == NULL) { \
fprintf(stderr, "%s:%d: rule can't be compiled (but should)\n", \
__FILE__, __LINE__); \
exit(EXIT_FAILURE); \
@@ -67,7 +84,7 @@ int capture_string(char* rule, char* string, char* expected_string);
} while(0);
#define assert_syntax_error(rule) do { \
- if (rule_of_string(rule) != NULL) { \
+ if (compile_rule(rule) != NULL) { \
fprintf(stderr, "%s:%d: rule can be compiled (but shouldn't)\n", \
__FILE__, __LINE__); \
exit(EXIT_FAILURE); \
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git
More information about the forensics-changes
mailing list