public void TestYaraBasicMatch()
{
string yrRuleSource = Properties.Resources.TestRule1;
using (YaraRules yrRules = LoadYaraRulesFromSource(yrRuleSource, null))
{
using (MemoryStream memStream = new MemoryStream())
using (StreamWriter streamWriter = new StreamWriter(memStream))
{
string testRule1Data = Properties.Resources.TestRule1Data;
streamWriter.Write(testRule1Data);
streamWriter.Flush();
byte[] memStreamData = memStream.ToArray();
List <YaraMatch> matches = yrRules.MatchData(memStreamData, IntPtr.Zero, null, false, 0);
Assert.AreEqual(1, matches.Count);
YaraMatch match = matches[0];
Assert.IsNotNull(match.Rule);
Assert.AreEqual("silent_banker", match.Rule.Name);
Assert.IsTrue(match.ContainsMatches);
TestYaraMatchContainsStringData(match, "$a", 1);
TestYaraMatchContainsStringData(match, "$b", 1);
TestYaraMatchContainsStringData(match, "$c", 3);
}
}
}
public void TestHashRule()
{
List <YaraCompilationError> errors;
using (YaraRules yrRules = YaraNET.Yara.Instance.CompileFromSource(Properties.Resources.TestRuleHash, null, false, null, out errors))
{
yrRules.MatchData(new byte[1], IntPtr.Zero, null, false, 0);
}
}
private YaraRules LoadYaraRulesFromSource(string ruleSrc, string namespaceName)
{
List <YaraCompilationError> errors;
YaraRules yrRules = YaraNET.Yara.Instance.CompileFromSource(ruleSrc, namespaceName, false, null, out errors);
Assert.IsNotNull(yrRules);
Assert.IsNotNull(errors);
Assert.IsTrue(errors.Count == 0);
return(yrRules);
}
public void TestYaraCompiledRulesSaveLoad()
{
string tempFile = Path.GetTempFileName();
string yrRuleSource = Properties.Resources.TestRule1;
using (YaraRules yrRules = LoadYaraRulesFromSource(yrRuleSource, null))
{
yrRules.SaveCompiledRules(tempFile);
}
using (YaraRules yrRules = YaraNET.Yara.Instance.LoadCompiledRules(tempFile))
{
}
}
public void TestYaraLoadFaultyRule()
{
try
{
string yrRuleSource = Properties.Resources.FaultyRule;
using (YaraRules yrRules = LoadYaraRulesFromSource(yrRuleSource, null))
{
}
Assert.Fail("Exptected a Yara exception!");
}
catch (YaraCompilationException ex)
{
Assert.AreEqual(1, ex.YaraCompileErrors.Count);
YaraCompilationError compileErr = ex.YaraCompileErrors[0];
Assert.AreEqual(YaraErrorLevel.Error, compileErr.ErrorLevel);
Assert.AreEqual("syntax error, unexpected $end, expecting '}'", compileErr.Message);
}
}
public void TestYaraLoadFromSource()
{
string yrRuleSource = Properties.Resources.TestRule1;
using (YaraRules yrRules = LoadYaraRulesFromSource(yrRuleSource, null))
{
Assert.AreEqual(yrRules.Rules.Count, 1);
YaraRule rule = yrRules.Rules[0];
Assert.AreEqual("silent_banker", rule.Name);
Assert.AreEqual("default", rule.Namespace);
Assert.AreEqual(3, rule.Metas.Count);
TestExtractMeta(rule, "description", "This is just an example");
TestExtractMeta(rule, "thread_level", 3);
TestExtractMeta(rule, "in_the_wild", true);
TestRuleContainsStringIdentifier(rule, "$a");
TestRuleContainsStringIdentifier(rule, "$b");
TestRuleContainsStringIdentifier(rule, "$c");
Assert.AreEqual(yrRules.Rules[0].StringIdentifiers.Count, 3);
}
}