[Forensics-changes] [yara] 148/415: Fix issue 77
Hilko Bengen
bengen at moszumanska.debian.org
Thu Apr 3 05:42:57 UTC 2014
This is an automated email from the git hooks/post-receive script.
bengen pushed a commit to branch debian
in repository yara.
commit efe72e136908c5cc9559ba687d7da9c1e2997ed1
Author: Victor M. Alvarez <plusvic at gmail.com>
Date: Fri Mar 22 13:31:40 2013 +0000
Fix issue 77
---
libyara/eval.c | 241 +++++++++++++++++++++++++++++----------------------------
1 file changed, 123 insertions(+), 118 deletions(-)
diff --git a/libyara/eval.c b/libyara/eval.c
index 846c744..2f4cfe6 100644
--- a/libyara/eval.c
+++ b/libyara/eval.c
@@ -53,7 +53,7 @@ typedef int int32;
return FALSE; \
else \
return op1 operator op2;\
-
+
#define ARITHMETIC_OPERATOR(operator, term, context) \
op1 = evaluate(term->op1, context); \
op2 = evaluate(term->op2, context); \
@@ -61,7 +61,7 @@ typedef int int32;
return UNDEFINED; \
else \
return op1 operator op2;\
-
+
function_read(uint, 8)
function_read(uint, 16)
@@ -83,10 +83,10 @@ long long evaluate(TERM* term, EVALUATION_CONTEXT* context)
unsigned int satisfied;
int ovector[3];
int rc;
-
+
STRING* string;
STRING* saved_anonymous_string;
-
+
TERM_CONST* term_const = ((TERM_CONST*) term);
TERM_UNARY_OPERATION* term_unary = ((TERM_UNARY_OPERATION*) term);
TERM_BINARY_OPERATION* term_binary = ((TERM_BINARY_OPERATION*) term);
@@ -94,31 +94,31 @@ long long evaluate(TERM* term, EVALUATION_CONTEXT* context)
TERM_STRING* term_string = ((TERM_STRING*) term);
TERM_VARIABLE* term_variable = ((TERM_VARIABLE*) term);
TERM_STRING_OPERATION* term_string_operation = ((TERM_STRING_OPERATION*) term);
-
+
TERM_INTEGER_FOR* term_integer_for;
-
+
MATCH* match;
TERM* item;
TERM_RANGE* range;
TERM_ITERABLE* items;
TERM_STRING* t;
-
+
switch(term->type)
{
case TERM_TYPE_CONST:
return term_const->value;
-
+
case TERM_TYPE_FILESIZE:
return context->file_size;
-
+
case TERM_TYPE_ENTRYPOINT:
return context->entry_point;
-
+
case TERM_TYPE_RULE:
return evaluate(term_binary->op1, context);
-
+
case TERM_TYPE_STRING:
-
+
if (term_string->string == NULL) /* it's an anonymous string */
{
string = context->current_string;
@@ -127,11 +127,11 @@ long long evaluate(TERM* term, EVALUATION_CONTEXT* context)
{
string = term_string->string;
}
-
+
return string->flags & STRING_FLAGS_FOUND;
-
+
case TERM_TYPE_STRING_AT:
-
+
if (term_string->string == NULL) /* it's an anonymous string */
{
string = context->current_string;
@@ -140,27 +140,27 @@ long long evaluate(TERM* term, EVALUATION_CONTEXT* context)
{
string = term_string->string;
}
-
+
if (string->flags & STRING_FLAGS_FOUND)
- {
+ {
offs = evaluate(term_string->offset, context);
-
+
match = string->matches_head;
-
+
while (match != NULL)
{
if (match->offset == offs)
return 1;
-
+
match = match->next;
}
-
- return 0;
+
+ return 0;
}
else return 0;
-
+
case TERM_TYPE_STRING_IN_RANGE:
-
+
if (term_string->string == NULL) /* it's an anonymous string */
{
string = context->current_string;
@@ -169,14 +169,19 @@ long long evaluate(TERM* term, EVALUATION_CONTEXT* context)
{
string = term_string->string;
}
-
+
if (string->flags & STRING_FLAGS_FOUND)
- {
+ {
range = (TERM_RANGE*) term_string->range;
-
+
lo_bound = evaluate(range->min, context);
hi_bound = evaluate(range->max, context);
-
+
+ if (IS_UNDEFINED(lo_bound) || IS_UNDEFINED(hi_bound))
+ {
+ return 0;
+ }
+
match = string->matches_head;
while (match != NULL)
@@ -187,17 +192,17 @@ long long evaluate(TERM* term, EVALUATION_CONTEXT* context)
match = match->next;
}
- return 0;
+ return 0;
}
else return 0;
-
+
case TERM_TYPE_STRING_IN_SECTION_BY_NAME:
return 0; /*TODO: Implementar section by name*/
-
+
case TERM_TYPE_STRING_COUNT:
-
+
i = 0;
-
+
if (term_string->string == NULL) /* it's an anonymous string */
{
string = context->current_string;
@@ -206,22 +211,22 @@ long long evaluate(TERM* term, EVALUATION_CONTEXT* context)
{
string = term_string->string;
}
-
+
match = string->matches_head;
-
+
while (match != NULL)
{
i++;
match = match->next;
}
-
+
return i;
-
+
case TERM_TYPE_STRING_OFFSET:
-
+
i = 1;
index = evaluate(term_string->index, context);
-
+
if (term_string->string == NULL) /* it's an anonymous string */
{
string = context->current_string;
@@ -230,124 +235,124 @@ long long evaluate(TERM* term, EVALUATION_CONTEXT* context)
{
string = term_string->string;
}
-
+
match = string->matches_head;
-
+
while (match != NULL && i < index)
{
match = match->next;
i++;
}
-
+
if (match != NULL && i == index)
{
- return match->offset;
- }
+ return match->offset;
+ }
return UNDEFINED;
case TERM_TYPE_AND:
-
+
if (evaluate(term_binary->op1, context))
return evaluate(term_binary->op2, context);
else
return 0;
-
+
case TERM_TYPE_OR:
-
+
if (evaluate(term_binary->op1, context))
return 1;
else
return evaluate(term_binary->op2, context);
-
+
case TERM_TYPE_NOT:
return !evaluate(term_unary->op, context);
-
+
case TERM_TYPE_ADD:
ARITHMETIC_OPERATOR(+, term_binary, context);
-
- case TERM_TYPE_SUB:
+
+ case TERM_TYPE_SUB:
ARITHMETIC_OPERATOR(-, term_binary, context);
-
- case TERM_TYPE_MUL:
+
+ case TERM_TYPE_MUL:
ARITHMETIC_OPERATOR(*, term_binary, context);
-
- case TERM_TYPE_DIV:
+
+ case TERM_TYPE_DIV:
ARITHMETIC_OPERATOR(/, term_binary, context);
case TERM_TYPE_MOD:
ARITHMETIC_OPERATOR(%, term_binary, context);
-
+
case TERM_TYPE_BITWISE_XOR:
ARITHMETIC_OPERATOR(^, term_binary, context);
case TERM_TYPE_BITWISE_AND:
ARITHMETIC_OPERATOR(&, term_binary, context);
-
+
case TERM_TYPE_BITWISE_OR:
ARITHMETIC_OPERATOR(|, term_binary, context);
-
+
case TERM_TYPE_SHIFT_LEFT:
- ARITHMETIC_OPERATOR(<<, term_binary, context);
-
+ ARITHMETIC_OPERATOR(<<, term_binary, context);
+
case TERM_TYPE_SHIFT_RIGHT:
ARITHMETIC_OPERATOR(>>, term_binary, context);
-
+
case TERM_TYPE_BITWISE_NOT:
-
+
op1 = evaluate(term_unary->op, context);
if (IS_UNDEFINED(op1))
return UNDEFINED;
else
return ~op1;
-
+
case TERM_TYPE_GT:
COMPARISON_OPERATOR(>, term_binary, context);
-
+
case TERM_TYPE_LT:
COMPARISON_OPERATOR(<, term_binary, context);
-
- case TERM_TYPE_GE:
+
+ case TERM_TYPE_GE:
COMPARISON_OPERATOR(>=, term_binary, context);
-
- case TERM_TYPE_LE:
- COMPARISON_OPERATOR(<=, term_binary, context);
-
- case TERM_TYPE_EQ:
+
+ case TERM_TYPE_LE:
+ COMPARISON_OPERATOR(<=, term_binary, context);
+
+ case TERM_TYPE_EQ:
COMPARISON_OPERATOR(==, term_binary, context);
-
- case TERM_TYPE_NOT_EQ:
+
+ case TERM_TYPE_NOT_EQ:
COMPARISON_OPERATOR(!=, term_binary, context);
-
+
case TERM_TYPE_OF:
-
+
t = (TERM_STRING*) term_binary->op2;
needed = evaluate(term_binary->op1, context);
satisfied = 0;
- i = 0;
-
+ i = 0;
+
while (t != NULL)
{
- if (evaluate((TERM*) t, context))
+ if (evaluate((TERM*) t, context))
{
satisfied++;
- }
-
+ }
+
t = t->next;
i++;
- }
-
+ }
+
if (needed == 0) /* needed == 0 means ALL*/
needed = i;
-
+
return (satisfied >= needed);
-
+
case TERM_TYPE_STRING_FOR:
t = (TERM_STRING*) term_ternary->op2;
-
- needed = evaluate(term_ternary->op1, context);
+
+ needed = evaluate(term_ternary->op1, context);
satisfied = 0;
i = 0;
@@ -355,64 +360,64 @@ long long evaluate(TERM* term, EVALUATION_CONTEXT* context)
{
saved_anonymous_string = context->current_string;
context->current_string = t->string;
-
- if (evaluate(term_ternary->op3, context))
+
+ if (evaluate(term_ternary->op3, context))
{
satisfied++;
- }
-
+ }
+
context->current_string = saved_anonymous_string;
-
- t = t->next;
+
+ t = t->next;
i++;
- }
-
+ }
+
if (needed == 0) /* needed == 0 means ALL*/
needed = i;
-
+
return (satisfied >= needed);
-
+
case TERM_TYPE_INTEGER_FOR:
-
+
term_integer_for = (TERM_INTEGER_FOR*) term;
items = term_integer_for->items;
-
+
needed = evaluate(term_integer_for->count, context);
satisfied = 0;
- i = 0;
-
+ i = 0;
+
item = items->first(items, evaluate, context);
-
+
while (item != NULL)
- {
+ {
term_integer_for->variable->integer = evaluate(item, context);
-
- if (evaluate(term_integer_for->expression, context))
+
+ if (evaluate(term_integer_for->expression, context))
{
satisfied++;
}
-
+
item = items->next(items, evaluate, context);
- i++;
+ i++;
}
-
+
if (needed == 0) /* needed == 0 means ALL*/
needed = i;
-
+
return (satisfied >= needed);
-
+
case TERM_TYPE_UINT8_AT_OFFSET:
return read_uint8(context->mem_block, evaluate(term_unary->op, context));
case TERM_TYPE_UINT16_AT_OFFSET:
-
+
return read_uint16(context->mem_block, evaluate(term_unary->op, context));
-
+
case TERM_TYPE_UINT32_AT_OFFSET:
return read_uint32(context->mem_block, evaluate(term_unary->op, context));
-
+
case TERM_TYPE_INT8_AT_OFFSET:
return read_int8(context->mem_block, evaluate(term_unary->op, context));
@@ -423,10 +428,10 @@ long long evaluate(TERM* term, EVALUATION_CONTEXT* context)
case TERM_TYPE_INT32_AT_OFFSET:
- return read_int32(context->mem_block, evaluate(term_unary->op, context));
-
+ return read_int32(context->mem_block, evaluate(term_unary->op, context));
+
case TERM_TYPE_VARIABLE:
-
+
if (term_variable->variable->type == VARIABLE_TYPE_STRING)
{
return ( term_variable->variable->string != NULL && *term_variable->variable->string != '\0');
@@ -439,7 +444,7 @@ long long evaluate(TERM* term, EVALUATION_CONTEXT* context)
{
return term_variable->variable->integer;
}
-
+
case TERM_TYPE_STRING_MATCH:
rc = regex_exec(&(term_string_operation->re),
FALSE,
@@ -448,9 +453,9 @@ long long evaluate(TERM* term, EVALUATION_CONTEXT* context)
return (rc >= 0);
case TERM_TYPE_STRING_CONTAINS:
-
+
return (strstr(term_string_operation->variable->string, term_string_operation->string) != NULL);
-
+
default:
return 0;
}
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git
More information about the forensics-changes
mailing list