gitea-mirror/capa
1
0
Fork 0
mirror of https://github.com/mandiant/capa.git synced 2025-12-12 15:49:46 -08:00
Code Issues Packages Projects Releases Wiki Activity

rules: parse instruction subscope with implied AND

Browse Source
This commit is contained in:
Willi Ballenthin
2022-03-28 12:55:09 -06:00
parent 890870bf45
commit 2baf05acdb
2 changed files with 101 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

78
tests/test_rules_insn_scope.py
View File

@@ -43,3 +43,81 @@ def test_rule_scope_instruction():
"""
)
)
def test_rule_subscope_instruction():
capa.rules.Rule.from_yaml(
textwrap.dedent(
"""
rule:
meta:
name: test rule
scope: function
features:
- and:
- instruction:
- and:
- mnemonic: mov
- arch: i386
- os: windows
"""
)
)
def test_scope_instruction_implied_and():
capa.rules.Rule.from_yaml(
textwrap.dedent(
"""
rule:
meta:
name: test rule
scope: function
features:
- and:
- instruction:
- mnemonic: mov
- arch: i386
- os: windows
"""
)
)
def test_scope_instruction_description():
capa.rules.Rule.from_yaml(
textwrap.dedent(
"""
rule:
meta:
name: test rule
scope: function
features:
- and:
- instruction:
- description: foo
- mnemonic: mov
- arch: i386
- os: windows
"""
)
)
capa.rules.Rule.from_yaml(
textwrap.dedent(
"""
rule:
meta:
name: test rule
scope: function
features:
- and:
- instruction:
- description: foo
- mnemonic: mov
- arch: i386
- os: windows
"""
)
)