[Forensics-changes] [yara] 230/368: tests: Add checks for #373, #399

Hilko Bengen bengen at moszumanska.debian.org
Sat Jul 1 10:30:42 UTC 2017



bengen pushed a commit to annotated tag v3.5.0
in repository yara.

commit 6757bcd40cb50fcc3a4318838a10d1b671978497
Author: Hilko Bengen <bengen at hilluzination.de>
Date:   Tue Mar 15 22:30:28 2016 +0100

    tests: Add checks for #373, #399
---
 tests/data/cdak_1024x768.exe | Bin 0 -> 4095 bytes
 tests/data/old_ArmaFP.exe    | Bin 0 -> 20464 bytes
 tests/test-rules.c           |  24 ++++++++++++++++++++++++
 3 files changed, 24 insertions(+)

diff --git a/tests/data/cdak_1024x768.exe b/tests/data/cdak_1024x768.exe
new file mode 100644
index 0000000..0ff731a
Binary files /dev/null and b/tests/data/cdak_1024x768.exe differ
diff --git a/tests/data/old_ArmaFP.exe b/tests/data/old_ArmaFP.exe
new file mode 100644
index 0000000..1568c67
Binary files /dev/null and b/tests/data/old_ArmaFP.exe differ
diff --git a/tests/test-rules.c b/tests/test-rules.c
index be2598b..0a0f5a2 100644
--- a/tests/test-rules.c
+++ b/tests/test-rules.c
@@ -1206,6 +1206,29 @@ void test_integer_functions()
 }
 
 
+void test_file_examples()
+{
+  /* https://github.com/plusvic/yara/issues/373 */
+  assert_true_rule_file(
+      "import \"pe\" rule test { condition: pe.entry_point == 0x18 }",
+      "tests/data/old_ArmaFP.exe");
+
+  assert_true_rule_file(
+      "import \"pe\" rule test { strings: $right = { BE B0 11 40 00 } condition: $right at pe.entry_point }",
+      "tests/data/old_ArmaFP.exe");
+  /* $wrong = { 0B 01 4C 6F 61 64 4C } */
+
+  /* https://github.com/plusvic/yara/issues/399 */
+  assert_true_rule_file(
+      "import \"pe\" rule test { condition: pe.entry_point == 2 }",
+      "tests/data/cdak_1024x768.exe");
+
+  assert_true_rule_file(
+      "import \"pe\" rule test { strings: $a0 = { 68 00 00 42 00 31 C0 40 EB 58 } condition: $a0 at pe.entry_point }",
+      "tests/data/cdak_1024x768.exe");
+}
+
+
 int main(int argc, char** argv)
 {
   yr_initialize();
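Review bot: The commented-out `/* $wrong = { 0B 01 4C 6F 61 64 4C } */` after the second assertion documents the pattern that should not match at the entry point, but as a bare comment it checks nothing, so the regression it is meant to pin can reappear without this test noticing. If the harness provides the negative counterpart of `assert_true_rule_file`, the comment should become a real check such as `assert_false_rule_file("import \"pe\" rule test { strings: $wrong = { 0B 01 4C 6F 61 64 4C } condition: $wrong at pe.entry_point }", "tests/data/old_ArmaFP.exe");`; otherwise at least say in the comment why those bytes are listed, e.g. `/* bytes the old, mis-computed entry point pointed at; must NOT match once #373 is fixed */`. A one-line comment above each issue reference stating what aspect of pe.entry_point the sample exercises would also help, since the issue numbers alone are opaque offline. The `tests/data/...` paths are relative to the working directory, which is presumably the convention the rest of this file already follows.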
@@ -1239,6 +1262,7 @@ int main(int argc, char** argv)
   test_modules();
   test_integer_functions();
   // test_string_io();
+  test_file_examples();
 
   yr_finalize();
 
