[Forensics-changes] [yara] 20/192: Remove files used for testing purposes that were being detected by antivirus programs. Remove .exe extension from some other files. (#512)
Hilko Bengen
bengen at moszumanska.debian.org
Sat Jul 1 10:31:42 UTC 2017
This is an automated email from the git hooks/post-receive script.
bengen pushed a commit to annotated tag v3.6.0
in repository yara.
commit eeeb703f1049796274197b4a831da84ccfbf3f63
Author: Victor M. Alvarez <plusvic at gmail.com>
Date: Tue Sep 6 22:20:27 2016 +0200
Remove files used for testing purposes that were being detected by antivirus programs. Remove .exe extension from some other files. (#512)
---
tests/data/cdak_1024x768.exe | Bin 4095 -> 0 bytes
tests/data/old_ArmaFP.exe | Bin 20464 -> 0 bytes
tests/data/{tiny.exe => tiny} | Bin
.../data/{tiny-idata-51ff.exe => tiny-idata-51ff} | Bin
.../data/{tiny-idata-5200.exe => tiny-idata-5200} | Bin
tests/test-pe.c | 6 ++---
tests/test-rules.c | 29 ---------------------
7 files changed, 3 insertions(+), 32 deletions(-)
diff --git a/tests/data/cdak_1024x768.exe b/tests/data/cdak_1024x768.exe
deleted file mode 100644
index 0ff731a..0000000
Binary files a/tests/data/cdak_1024x768.exe and /dev/null differ
diff --git a/tests/data/old_ArmaFP.exe b/tests/data/old_ArmaFP.exe
deleted file mode 100644
index 1568c67..0000000
Binary files a/tests/data/old_ArmaFP.exe and /dev/null differ
diff --git a/tests/data/tiny.exe b/tests/data/tiny
old mode 100755
new mode 100644
similarity index 100%
rename from tests/data/tiny.exe
rename to tests/data/tiny
diff --git a/tests/data/tiny-idata-51ff.exe b/tests/data/tiny-idata-51ff
similarity index 100%
rename from tests/data/tiny-idata-51ff.exe
rename to tests/data/tiny-idata-51ff
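Review bot: the rename of tests/data/tiny-idata-51ff carries no mode change, while tiny and tiny-idata-5200 both go from 100755 to 100644 in this same commit. If tiny-idata-51ff is still tracked with the executable bit, clear it here too so all three fixtures end up non-executable; if it was already 100644, nothing further is needed.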
diff --git a/tests/data/tiny-idata-5200.exe b/tests/data/tiny-idata-5200
old mode 100755
new mode 100644
similarity index 100%
rename from tests/data/tiny-idata-5200.exe
rename to tests/data/tiny-idata-5200
diff --git a/tests/test-pe.c b/tests/test-pe.c
index 6b2b60b..c2c6270 100644
--- a/tests/test-pe.c
+++ b/tests/test-pe.c
@@ -6,13 +6,13 @@ int main(int argc, char** argv)
yr_initialize();
assert_true_rule_file("import \"pe\" rule test { condition: pe.imports(\"KERNEL32.dll\", \"DeleteCriticalSection\") }",
- "tests/data/tiny.exe");
+ "tests/data/tiny");
assert_true_rule_file("import \"pe\" rule test { condition: pe.imports(\"KERNEL32.dll\", \"DeleteCriticalSection\") }",
- "tests/data/tiny-idata-51ff.exe");
+ "tests/data/tiny-idata-51ff");
assert_false_rule_file("import \"pe\" rule test { condition: pe.imports(\"KERNEL32.dll\", \"DeleteCriticalSection\") }",
- "tests/data/tiny-idata-5200.exe");
+ "tests/data/tiny-idata-5200");
yr_finalize();
return 0;
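Review bot: missing documentation at the three updated path arguments: with the extension gone, nothing at these call sites says that "tests/data/tiny", "tests/data/tiny-idata-51ff" and "tests/data/tiny-idata-5200" are PE images. A one-line comment above the first assert_true_rule_file call (or a short note in tests/data) stating that these are PE fixtures, renamed to avoid antivirus detection, would keep a later cleanup from restoring the .exe suffix.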
diff --git a/tests/test-rules.c b/tests/test-rules.c
index 9072c09..a305f06 100644
--- a/tests/test-rules.c
+++ b/tests/test-rules.c
@@ -1040,35 +1040,6 @@ static void test_entrypoint()
assert_false_rule(
"rule test { condition: entrypoint >= 0 }",
NULL);
-
- /* https://github.com/VirusTotal/yara/issues/373 */
- assert_true_rule_file(
- "import \"pe\" \
- rule test { \
- condition: pe.entry_point == 0x18 }",
- "tests/data/old_ArmaFP.exe");
-
- assert_true_rule_file(
- "import \"pe\" \
- rule test { \
- strings: $right = { BE B0 11 40 00 } \
- condition: $right at pe.entry_point }",
- "tests/data/old_ArmaFP.exe");
- /* $wrong = { 0B 01 4C 6F 61 64 4C } */
-
- /* https://github.com/VirusTotal/yara/issues/399 */
- assert_true_rule_file(
- "import \"pe\" \
- rule test { \
- condition: pe.entry_point == 2 }",
- "tests/data/cdak_1024x768.exe");
-
- assert_true_rule_file(
- "import \"pe\" \
- rule test { \
- strings: $a0 = { 68 00 00 42 00 31 C0 40 EB 58 } \
- condition: $a0 at pe.entry_point }",
- "tests/data/cdak_1024x768.exe");
}
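Review bot: the four removed assertions at the end of test_entrypoint() were the only regression checks visible here for issues #373 and #399 (pe.entry_point == 0x18 and pe.entry_point == 2, plus the two "at pe.entry_point" string matches), and they are dropped with no replacement. Dropping the flagged samples is reasonable, but the entry-point cases they exercised should stay covered: consider adding small fixtures built for the purpose that reproduce the same header layout and entry-point values, and keeping the issue links in comments next to the new assertions.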
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git