Tests

Signed-off-by: Peter Tisovčík <peter.tisovcik@avast.com>
avast · Jan 31, 2022 · 3eae5f8 · 3eae5f8
1 parent 70af419
commit 3eae5f8
Show file tree

Hide file tree

Showing 2 changed files with 75 additions and 0 deletions.
diff --git a/tests/cpp/parser_tests.cpp b/tests/cpp/parser_tests.cpp
@@ -7354,5 +7354,35 @@ rule test_rule
 	EXPECT_EQ(input_text, driver.getParsedFile().getTextFormatted());
 }
 
+TEST_F(ParserTests,
+ParseELFDynsym) {
+	prepareInput(
+		R"(import "elf"
+
+rule test_rule
+{
+	condition:
+		//elf.dynsym_entries == 1 or
+		elf.dynsym[0].name == "name" or
+		elf.dynsym[0].value == "value" or
+		elf.dynsym[0].size == 2 or
+		elf.dynsym[0].type == elf.STT_NOTYPE or
+		elf.dynsym[0].type == elf.STT_OBJECT or
+		elf.dynsym[0].type == elf.STT_FUNC or
+		elf.dynsym[0].type == elf.STT_SECTION or
+		elf.dynsym[0].type == elf.STT_FILE or
+		elf.dynsym[0].type == elf.STT_COMMON or
+		elf.dynsym[0].type == elf.STT_TLS or
+		elf.dynsym[0].bind == 3 or
+		elf.dynsym[0].shndx == 3
+}
+)");
+
+	EXPECT_TRUE(driver.parse(input));
+	ASSERT_EQ(1u, driver.getParsedFile().getRules().size());
+
+	EXPECT_EQ(input_text, driver.getParsedFile().getTextFormatted());
+}
+
 }
 }
diff --git a/tests/python/test_parser.py b/tests/python/test_parser.py
@@ -2004,6 +2004,51 @@ def test_parse_pe_signatures_x_algorithm_oid(self):
 	condition:
 		pe.signatures[0].algorithm_oid == "1.2.840.113549.1.1.11"
 }
+'''
+
+        self.assertEqual(expected, yara_file.text_formatted)
+
+    def test_parse_elf_dynsym(self):
+        yara_file = yaramod.Yaramod().parse_string(parser_mode=yaramod.ParserMode.Regular, str=r'''import "elf"
+
+rule test_rule {
+    condition:
+        condition:
+        elf.dynsym_entries == 1 or
+        elf.dynsym[0].name == "name" or
+        elf.dynsym[0].value == "value" or
+        elf.dynsym[0].size == 2 or
+        elf.dynsym[0].type == elf.STT_NOTYPE or
+        elf.dynsym[0].type == elf.STT_OBJECT or
+        elf.dynsym[0].type == elf.STT_FUNC or
+        elf.dynsym[0].type == elf.STT_SECTION or
+        elf.dynsym[0].type == elf.STT_FILE or
+        elf.dynsym[0].type == elf.STT_COMMON or
+        elf.dynsym[0].type == elf.STT_TLS or
+        elf.dynsym[0].bind == 3 or
+        elf.dynsym[0].shndx == 3
+}
+''')
+
+        expected = r'''import "elf"
+
+rule test_rule
+{
+	condition:
+		elf.dynsym_entries == 1 or
+		elf.dynsym[0].name == "name" or
+		elf.dynsym[0].value == "value" or
+		elf.dynsym[0].size == 2 or
+		elf.dynsym[0].type == elf.STT_NOTYPE or
+		elf.dynsym[0].type == elf.STT_OBJECT or
+		elf.dynsym[0].type == elf.STT_FUNC or
+		elf.dynsym[0].type == elf.STT_SECTION or
+		elf.dynsym[0].type == elf.STT_FILE or
+		elf.dynsym[0].type == elf.STT_COMMON or
+		elf.dynsym[0].type == elf.STT_TLS or
+		elf.dynsym[0].bind == 3 or
+		elf.dynsym[0].shndx == 3
+}
 '''
 
         self.assertEqual(expected, yara_file.text_formatted)