also implement strings method next to string

cuckoosandbox · Sep 6, 2017 · cb41a60 · cb41a60
1 parent d2b0c8e
commit cb41a60
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 3 deletions.
diff --git a/cuckoo/common/objects.py b/cuckoo/common/objects.py
@@ -424,13 +424,19 @@ def __init__(self, match, category=None):
         self.offsets = match["offsets"]
         self.category = category
 
-        self.strings = []
+        self._strings = []
         for s in match["strings"]:
-            self.strings.append(s.decode("base64"))
+            self._strings.append(s.decode("base64"))
 
     def string(self, identifier, index=0):
         off, idx = self.offsets[identifier][index]
-        return self.strings[idx]
+        return self._strings[idx]
+
+    def strings(self, identifier):
+        ret = []
+        for off, idx in self.offsets[identifier]:
+            ret.append(self._strings[idx])
+        return ret
 
 class ExtractedMatch(object):
     def __init__(self, match):

diff --git a/tests/test_objects.py b/tests/test_objects.py
@@ -258,3 +258,28 @@ def test_basics(self):
         })
         assert ym.string("a", 0) == "bar"
         assert ym.string("a") == "bar"
+
+    def test_multiple(self):
+        ym = YaraMatch({
+            "name": "foo",
+            "meta": {},
+            "offsets": {
+                "a": [
+                    (1, 0),
+                    (2, 2),
+                ],
+                "b": [
+                    (3, 1),
+                ],
+            },
+            "strings": [
+                "bar".encode("base64"),
+                "baz".encode("base64"),
+                "foo".encode("base64"),
+            ],
+        })
+        assert ym.string("a", 0) == "bar"
+        assert ym.string("a", 1) == "foo"
+        assert ym.string("b", 0) == "baz"
+        assert ym.strings("a") == ["bar", "foo"]
+        assert ym.strings("b") == ["baz"]