[Forensics-changes] [yara] 129/192: Add test cases for PE module
Hilko Bengen
bengen at moszumanska.debian.org
Sat Jul 1 10:31:56 UTC 2017
bengen pushed a commit to annotated tag v3.6.0
in repository yara.
commit 3c68cf0429c3576a9ae64b40b0b3296d57d408a3
Author: plusvic <plusvic at gmail.com>
Date: Thu Mar 16 17:13:21 2017 +0100
Add test cases for PE module
---
tests/test-pe.c | 123 +++++++++++++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 117 insertions(+), 6 deletions(-)
diff --git a/tests/test-pe.c b/tests/test-pe.c
index a1129d0..2991210 100644
--- a/tests/test-pe.c
+++ b/tests/test-pe.c
@@ -7,22 +7,133 @@ int main(int argc, char** argv)
{
yr_initialize();
- assert_true_rule_file("import \"pe\" rule test { condition: pe.imports(\"KERNEL32.dll\", \"DeleteCriticalSection\") }",
+ assert_true_rule_file(
+ "import \"pe\" \
+ rule test { \
+ condition: \
+ pe.imports(\"KERNEL32.dll\", \"DeleteCriticalSection\") \
+ }",
"tests/data/tiny");
- assert_true_rule_file("import \"pe\" rule test { condition: pe.imports(\"KERNEL32.dll\", \"DeleteCriticalSection\") }",
+ assert_true_rule_file(
+ "import \"pe\" \
+ rule test { \
+ condition: \
+ pe.imports(\"KERNEL32.dll\", \"DeleteCriticalSection\") \
+ }",
"tests/data/tiny-idata-51ff");
- assert_false_rule_file("import \"pe\" rule test { condition: pe.imports(\"KERNEL32.dll\", \"DeleteCriticalSection\") }",
+ assert_false_rule_file(
+ "import \"pe\" \
+ rule test { \
+ condition: \
+ pe.imports(\"KERNEL32.dll\", \"DeleteCriticalSection\") \
+ }",
"tests/data/tiny-idata-5200");
- assert_true_rule_file("import \"pe\" rule test { condition: pe.checksum == 0xA8DC }",
+ assert_true_rule_file(
+ "import \"pe\" \
+ rule test { \
+ condition: \
+ pe.number_of_imports == 2 \
+ }",
"tests/data/tiny");
- assert_true_rule_file("import \"pe\" rule test { condition: pe.checksum == pe.calculate_checksum() }",
+ assert_true_rule_file(
+ "import \"pe\" \
+ rule test { \
+ condition: \
+ pe.number_of_sections == 7 \
+ }",
"tests/data/tiny");
- assert_false_rule_file("import \"pe\" rule test { condition: pe.checksum == pe.calculate_checksum() }",
+ assert_true_rule_file(
+ "import \"pe\" \
+ rule test { \
+ condition: \
+ pe.entry_point == 0x14E0 \
+ }",
+ "tests/data/tiny");
+
+ assert_true_rule_file(
+ "import \"pe\" \
+ rule test { \
+ condition: \
+ pe.linker_version.major == 2 and \
+ pe.linker_version.minor == 26 \
+ }",
+ "tests/data/tiny");
+
+ assert_true_rule_file(
+ "import \"pe\" \
+ rule test { \
+ condition: \
+ pe.sections[0].name == \".text\" and \
+ pe.sections[1].name == \".data\" and \
+ pe.sections[2].name == \".rdata\" and \
+ pe.sections[3].name == \".bss\" and \
+ pe.sections[4].name == \".idata\" and \
+ pe.sections[5].name == \".CRT\" and \
+ pe.sections[6].name == \".tls\" \
+ }",
+ "tests/data/tiny");
+
+ #if defined(HAVE_LIBCRYPTO)
+ assert_true_rule_file(
+ "import \"pe\" \
+ rule test { \
+ condition: \
+ pe.imphash() == \"1720bf764274b7a4052bbef0a71adc0d\" \
+ }",
+ "tests/data/tiny");
+ #endif
+
+ assert_true_rule_file(
+ "import \"pe\" \
+ rule test { \
+ condition: \
+ pe.section_index(\".text\") == 0 \
+ }",
+ "tests/data/tiny");
+
+ assert_true_rule_file(
+ "import \"pe\" \
+ rule test { \
+ condition: \
+ pe.section_index(pe.entry_point) == 0 \
+ }",
+ "tests/data/tiny");
+
+ assert_true_rule_file(
+ "import \"pe\" \
+ rule test { \
+ condition: \
+ pe.is_32bit() and not pe.is_64bit() \
+ }",
+ "tests/data/tiny");
+
+ assert_true_rule_file(
+ "import \"pe\" \
+ rule test { \
+ condition: \
+ pe.checksum == 0xA8DC \
+ }",
+ "tests/data/tiny");
+
+ assert_true_rule_file(
+ "import \"pe\" \
+ rule test { \
+ condition: \
+ pe.checksum == pe.calculate_checksum() \
+ }",
+ "tests/data/tiny");
+
+ assert_false_rule_file(
+ "import \"pe\" \
+ rule test { \
+ condition: \
+ pe.checksum == pe.calculate_checksum() \
+ }",
"tests/data/tiny-idata-51ff");
yr_finalize();
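Review bot: Every new assertion from the `pe.number_of_imports` case onward repeats the same `import \"pe\" rule test { condition: ... }` wrapper with backslash continuations, which buries the one condition that differs per test; a macro such as `#define PE_RULE(cond) "import \"pe\" rule test { condition: " cond " }"` (adjacent-literal concatenation) would let each call read `assert_true_rule_file(PE_RULE("pe.entry_point == 0x14E0"), "tests/data/tiny");`. The new `pe.section_index` and `pe.sections[n].name` cases only exercise the positive path; an `assert_false_rule_file` for a section name that is not present in `tests/data/tiny`, and for `pe.section_index` with an address outside every section, would cover the lookup's failure branch, which is the branch a malformed PE exercises. The `#if defined(HAVE_LIBCRYPTO)` block means `pe.imphash()` is silently untested in builds without libcrypto; a comment such as `/* imphash needs libcrypto; skipped (not failed) when it is absent */` would make that visible to whoever reads a green run. main() continues past the end of the hunk.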
--