test_capabilities.py: add missing test_com_feature_matching() test

mandiant · Oct 20, 2023 · 3572b51 · 3572b51
1 parent ab06c94
commit 3572b51
Showing 1 changed file with 26 additions and 0 deletions.
diff --git a/tests/test_capabilities.py b/tests/test_capabilities.py
@@ -198,6 +198,32 @@ def test_byte_matching(z9324d_extractor):
     assert "byte match test" in capabilities
 
 
+def test_com_feature_matching(z395eb_extractor):
+    rules = capa.rules.RuleSet(
+        [
+            capa.rules.Rule.from_yaml(
+                textwrap.dedent(
+                    """
+                    rule:
+                        meta:
+                            name: initialize IWebBrowser2
+                            scopes:
+                              static: basic block
+                              dynamic: unsupported
+                        features:
+                            - and:
+                                - api: ole32.CoCreateInstance
+                                - com/class: InternetExplorer #bytes: 01 DF 02 00 00 00 00 00 C0 00 00 00 00 00 00 46 = CLSID_InternetExplorer
+                                - com/interface: IWebBrowser2 #bytes: 61 16 0C D3 AF CD D0 11 8A 3E 00 C0 4F C9 E2 6E = IID_IWebBrowser2
+                    """
+                )
+            )
+        ]
+    )
+    capabilities, meta = capa.main.find_capabilities(rules, z395eb_extractor)
+    assert "initialize IWebBrowser2" in capabilities
+
+
 def test_count_bb(z9324d_extractor):
     rules = capa.rules.RuleSet(
         [