/// <summary>
/// Loads the rules from the TestRule1 resource, scans the TestRule1Data resource as an
/// in-memory byte buffer, and expects exactly one match on the rule named "silent_banker"
/// with the per-string hit counts asserted at the end.
/// </summary>
public void TestYaraBasicMatch()
{
    string ruleText = Properties.Resources.TestRule1;

    // Disposal order matches the nesting: writer first, then the stream, then the rules.
    using (YaraRules loadedRules = LoadYaraRulesFromSource(ruleText, null))
    using (MemoryStream buffer = new MemoryStream())
    using (StreamWriter writer = new StreamWriter(buffer))
    {
        // The sample text is encoded with StreamWriter's default encoding; Flush has to run
        // before ToArray so the writer's buffered characters actually reach the stream.
        string sampleText = Properties.Resources.TestRule1Data;
        writer.Write(sampleText);
        writer.Flush();
        byte[] sampleBytes = buffer.ToArray();

        // NOTE(review): the meaning of the trailing arguments (IntPtr.Zero, null, false, 0)
        // is defined by YaraRules.MatchData and is not visible here; confirm against the wrapper.
        List<YaraMatch> hits = loadedRules.MatchData(sampleBytes, IntPtr.Zero, null, false, 0);

        // Exactly one rule must fire; an extra or missing match is a failure.
        Assert.AreEqual(1, hits.Count);

        YaraMatch hit = hits[0];
        Assert.IsNotNull(hit.Rule);
        Assert.AreEqual("silent_banker", hit.Rule.Name);
        Assert.IsTrue(hit.ContainsMatches);

        // Pin the number of hits per string identifier, so a change in which strings
        // match the sample is caught even when the rule as a whole still fires.
        TestYaraMatchContainsStringData(hit, "$a", 1);
        TestYaraMatchContainsStringData(hit, "$b", 1);
        TestYaraMatchContainsStringData(hit, "$c", 3);
    }
}
/// <summary>
/// Asserts that <paramref name="yaraMatch"/> holds exactly
/// <paramref name="expectedNrOfStringMatches"/> MatchData entries whose IdentifierName
/// equals <paramref name="stringIdentifier"/>.
/// </summary>
/// <param name="yaraMatch">The match whose MatchData entries are inspected.</param>
/// <param name="stringIdentifier">The string identifier to count, for example "$a".</param>
/// <param name="expectedNrOfStringMatches">The number of entries expected for that identifier.</param>
private void TestYaraMatchContainsStringData(YaraMatch yaraMatch, string stringIdentifier, int expectedNrOfStringMatches)
{
    // Count only the entries recorded under the requested identifier.
    int actualCount = yaraMatch.MatchData.Count(entry => entry.IdentifierName == stringIdentifier);

    Assert.AreEqual(expectedNrOfStringMatches, actualCount);
}