sequence: add test showing multiple sequences overlapping a single event

mandiant · Dec 10, 2024 · d6106ea · d6106ea
1 parent e29a370
commit d6106ea
Showing 1 changed file with 42 additions and 0 deletions.
diff --git a/tests/test_dynamic_sequence_scope.py b/tests/test_dynamic_sequence_scope.py
@@ -212,3 +212,45 @@ def test_dynamic_sequence_example():
     matches, features = capa.capabilities.dynamic.find_dynamic_capabilities(ruleset, extractor, disable_progress=True)
     assert r.name in matches
     assert 14 in get_call_ids(matches[r.name])
+
+
+# show how sequences that overlap a single event are handled.
+# TODO(williballenthin): but I think we really just want one match for this, not copies of the same thing.
+#
+#    proc: 0000A65749F5902C4D82.exe (ppid=2456, pid=3052)
+#      thread: 3064
+#        ...
+#        call 10: ...
+#        call 11: LdrGetProcedureAddress(2010595649, 0, AddVectoredExceptionHandler, 1974337536, kernel32.dll)
+#        call 12: ...
+#        call 13: ...
+#        call 14: ...
+#        call 15: ...
+#        ...
+def test_dynamic_sequence_multiple_matches_in_one_sequence():
+    extractor = get_0000a657_thread3064()
+
+    rule = textwrap.dedent(
+        """
+        rule:
+            meta:
+                name: test rule
+                scopes:
+                    static: unsupported
+                    dynamic: sequence
+            features:
+                - and:
+                    - call:
+                        - and:
+                            - api: LdrGetProcedureAddress
+                            - string: "AddVectoredExceptionHandler"
+        """
+    )
+
+    r = capa.rules.Rule.from_yaml(rule)
+    ruleset = capa.rules.RuleSet([r])
+
+    matches, features = capa.capabilities.dynamic.find_dynamic_capabilities(ruleset, extractor, disable_progress=True)
+    assert r.name in matches
+    assert [11, 12, 13, 14, 15] == list(get_call_ids(matches[r.name]))
+