From 6d05d3c00f66fc6da0f0b368b63df493905fb2a3 Mon Sep 17 00:00:00 2001
From: Willi Ballenthin
Date: Tue, 10 Dec 2024 12:54:01 +0000
Subject: [PATCH] sequence: add test showing multiple sequences overlapping a single event
---
tests/test_dynamic_sequence_scope.py | 42 ++++++++++++++++++++++++++++
1 file changed, 42 insertions(+)
diff --git a/tests/test_dynamic_sequence_scope.py b/tests/test_dynamic_sequence_scope.py
index 37a306c4c..810dc5b34 100644
--- a/tests/test_dynamic_sequence_scope.py
+++ b/tests/test_dynamic_sequence_scope.py
@@ -212,3 +212,45 @@ def test_dynamic_sequence_example():
 matches, features = capa.capabilities.dynamic.find_dynamic_capabilities(ruleset, extractor, disable_progress=True)
 assert r.name in matches
 assert 14 in get_call_ids(matches[r.name])
+
+
+ # show how sequences that overlap a single event are handled.
+ # TODO(williballenthin): but I think we really just want one match for this, not copies of the same thing.
+ #
+ # proc: 0000A65749F5902C4D82.exe (ppid=2456, pid=3052)
+ # thread: 3064
+ # ...
+ # call 10: ...
+ # call 11: LdrGetProcedureAddress(2010595649, 0, AddVectoredExceptionHandler, 1974337536, kernel32.dll)
+ # call 12: ...
+ # call 13: ...
+ # call 14: ...
+ # call 15: ...
+ # ...
+ def test_dynamic_sequence_multiple_sequences_overlapping_single_event():
+ extractor = get_0000a657_thread3064()
+
+ rule = textwrap.dedent(
+ """
+ rule:
+ meta:
+ name: test rule
+ scopes:
+ static: unsupported
+ dynamic: sequence
+ features:
+ - and:
+ - call:
+ - and:
+ - api: LdrGetProcedureAddress
+ - string: "AddVectoredExceptionHandler"
+ """
+ )
+
+ r = capa.rules.Rule.from_yaml(rule)
+ ruleset = capa.rules.RuleSet([r])
+
+ matches, features = capa.capabilities.dynamic.find_dynamic_capabilities(ruleset, extractor, disable_progress=True)
+ assert r.name in matches
+ assert [11, 12, 13, 14, 15] == list(get_call_ids(matches[r.name]))
+
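Review bot: The final assertion `assert [11, 12, 13, 14, 15] == list(get_call_ids(matches[r.name]))` pins exactly the duplicated per-event matches that the TODO comment above the function calls undesired, so once sequence matching is deduplicated this test goes red with nothing in its body saying that was the plan. I would state that intent next to the assertion, e.g. `# NOTE: pins current behaviour (one match per overlapping sequence window); expected to collapse to a single match, see TODO above`, or mark the test as an expected failure if this module already uses pytest markers. The leading comment lists calls 12–15 only as `...`; one sentence on why a match is reported at each of 11–15 (presumably every sequence window that still contains call 11) would let a reader verify the expected list against the fixture without re-deriving it. `features` is unpacked and never used, so `matches, _ = ...` would make that explicit, although the existing test above follows the same pattern. The function is entirely within the hunk.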