YARA-1748: Yara42 dex attributes (#201)
* Add dex.has_method function

* Add dex.has_class attribute

* Add test on new dex attributes.
TadeasKucera committed Feb 11, 2022
1 parent 412a744 commit 0a50156
Showing 2 changed files with 138 additions and 0 deletions.
76 changes: 76 additions & 0 deletions modules/module_dex.json
Expand Up @@ -907,6 +907,82 @@
}
]
}
},
{
"kind": "function",
"name": "has_method",
"return_type": "i",
"overloads": [
{
"arguments": [
{
"type": "s",
"name": "method name"
}
],
"documentation": "Returns true if any method has the specified method name."
},
{
"arguments": [
{
"type": "s",
"name": "class name"
},
{
"type": "s",
"name": "method name"
}
],
"documentation": "Returns true if any class has the specified class name and at the same time there is a method with the specified metod name"
},
{
"arguments": [
{
"type": "r",
"name": "method name"
}
],
"documentation": "Returns true if any method name matches the regex."
},
{
"arguments": [
{
"type": "r",
"name": "class name"
},
{
"type": "r",
"name": "method name"
}
],
"documentation": "Returns true if any class name matching the regex class name and at the same time there is a method with name matching the specified regex metod name"
}
]
},
{
"kind": "function",
"name": "has_class",
"return_type": "i",
"overloads": [
{
"arguments": [
{
"type": "s",
"name": "class name"
}
],
"documentation": "Returns true if any class has the specified name."
},
{
"arguments": [
{
"type": "r",
"name": "class name"
}
],
"documentation": "Returns true if any class name matches the regex."
}
]
}
]
}
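Review bot: The documentation strings of the two-argument `has_method` overloads (the string/string one and the regex/regex one) both misspell "method" as "metod", and the regex variant's sentence is ungrammatical ("any class name matching the regex class name and at the same time there is a method with name matching"). More importantly, "at the same time" leaves open whether the method must belong to the matched class or whether the class check and the method check are independent; a rule author will read it as the former, and if the underlying module evaluates them independently the rule will match more than intended. If the method must be a member of the class, I would phrase the string overload as `"Returns true if any class with the specified class name has a method with the specified method name."` and the regex overload analogously; if the checks are independent, say so explicitly in both strings. The first of the two also lacks the trailing period the other overload strings have.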
62 changes: 62 additions & 0 deletions tests/cpp/parser_tests.cpp
Expand Up @@ -3439,6 +3439,68 @@ rule dotnet_module
EXPECT_EQ(input_text, driver.getParsedFile().getTextFormatted());
}

TEST_F(ParserTests,
DexModuleWorks) {
prepareInput(
R"(
import "dex"
rule dex_module_has_method_1
{
condition:
dex.has_method("<init>")
}
rule dex_module_has_method_2
{
condition:
dex.has_method("Lcom/android/tools/ir/server/AppInfo;", "<clinit>")
}
rule dex_module_has_method_3
{
condition:
dex.has_method(/init/)
}
rule dex_module_has_method_4
{
condition:
dex.has_method(/AppInfo/, /init/)
}
rule dex_module_has_class_1
{
condition:
dex.has_class("Lcom/android/tools/ir/server/AppInfo;")
}
rule dex_module_has_class_2
{
condition:
dex.has_class(/AppInfo/)
}
)");

EXPECT_TRUE(driver.parse(input));
ASSERT_EQ(6u, driver.getParsedFile().getRules().size());

const auto& rule1 = driver.getParsedFile().getRules()[0];
EXPECT_EQ("dex.has_method(\"<init>\")", rule1->getCondition()->getText());
const auto& rule2 = driver.getParsedFile().getRules()[1];
EXPECT_EQ("dex.has_method(\"Lcom/android/tools/ir/server/AppInfo;\", \"<clinit>\")", rule2->getCondition()->getText());
const auto& rule3 = driver.getParsedFile().getRules()[2];
EXPECT_EQ("dex.has_method(/init/)", rule3->getCondition()->getText());
const auto& rule4 = driver.getParsedFile().getRules()[3];
EXPECT_EQ("dex.has_method(/AppInfo/, /init/)", rule4->getCondition()->getText());
const auto& rule5 = driver.getParsedFile().getRules()[4];
EXPECT_EQ("dex.has_class(\"Lcom/android/tools/ir/server/AppInfo;\")", rule5->getCondition()->getText());
const auto& rule6 = driver.getParsedFile().getRules()[5];
EXPECT_EQ("dex.has_class(/AppInfo/)", rule6->getCondition()->getText());

EXPECT_EQ(input_text, driver.getParsedFile().getTextFormatted());
}

TEST_F(ParserTests,
ElfModuleWorks) {
prepareInput(
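Review bot: DexModuleWorks only feeds the parser calls that the new overload table accepts and checks they round-trip, so nothing verifies that the table actually constrains argument count and types; a `dex.has_method` call with three arguments, or `dex.has_class` with a string and a regex, would pass this test unchanged even if the module JSON were wrong. A companion test that parses such a rule and expects rejection, in whatever form the file's other negative tests use (presumably an expected parser error), would pin the contract the module definition is meant to enforce and catch a later edit that loosens it. The rendered hunk shows 62 added lines but the test body visible here is shorter, so some blank lines inside the raw string may have been collapsed by the page; the function itself is complete within the hunk.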
