[Forensics-changes] [yara] 251/415: Fix issue 91
Hilko Bengen
bengen at moszumanska.debian.org
Thu Apr 3 05:43:12 UTC 2014
This is an automated email from the git hooks/post-receive script.
bengen pushed a commit to branch debian
in repository yara.
commit 0207d9096be1df518d9c059c2b6d00ed8cce536e
Author: Victor M. Alvarez <plusvic at gmail.com>
Date: Mon Nov 25 17:29:20 2013 +0100
Fix issue 91
---
libyara/libyara.c | 334 ++++++++++++++++++++++++++++--------------------------
1 file changed, 173 insertions(+), 161 deletions(-)
diff --git a/libyara/libyara.c b/libyara/libyara.c
index bb7bf4f..1ce6dc6 100644
--- a/libyara/libyara.c
+++ b/libyara/libyara.c
@@ -40,7 +40,7 @@ void yr_init()
YARA_CONTEXT* yr_create_context()
{
YARA_CONTEXT* context = (YARA_CONTEXT*) yr_malloc(sizeof(YARA_CONTEXT));
-
+
context->rule_list.head = NULL;
context->rule_list.tail = NULL;
context->hash_table.non_hashed_strings = NULL;
@@ -65,9 +65,9 @@ YARA_CONTEXT* yr_create_context()
memset(context->rule_list.hash_table, 0, sizeof(context->rule_list.hash_table));
memset(context->hash_table.hashed_strings_2b, 0, sizeof(context->hash_table.hashed_strings_2b));
memset(context->hash_table.hashed_strings_1b, 0, sizeof(context->hash_table.hashed_strings_1b));
-
+
return context;
-
+
}
void yr_destroy_context(YARA_CONTEXT* context)
@@ -88,35 +88,35 @@ void yr_destroy_context(YARA_CONTEXT* context)
VARIABLE* next_variable;
RULE_LIST_ENTRY* rule_list_entry;
RULE_LIST_ENTRY* next_rule_list_entry;
-
+
int i;
-
+
rule = context->rule_list.head;
-
+
while (rule != NULL)
- {
+ {
next_rule = rule->next;
-
+
string = rule->string_list_head;
-
+
while (string != NULL)
{
next_string = string->next;
-
+
yr_free(string->identifier);
yr_free(string->string);
-
+
if (IS_HEX(string))
- {
+ {
yr_free(string->mask);
}
else if (IS_REGEXP(string))
{
regex_free(&(string->re));
}
-
+
match = string->matches_head;
-
+
while (match != NULL)
{
next_match = match->next;
@@ -124,7 +124,7 @@ void yr_destroy_context(YARA_CONTEXT* context)
yr_free(match);
match = next_match;
}
-
+
yr_free(string);
string = next_string;
}
@@ -134,83 +134,83 @@ void yr_destroy_context(YARA_CONTEXT* context)
while (tag != NULL)
{
next_tag = tag->next;
-
+
yr_free(tag->identifier);
yr_free(tag);
-
+
tag = next_tag;
}
-
+
meta = rule->meta_list_head;
while (meta != NULL)
{
next_meta = meta->next;
-
+
if (meta->type == META_TYPE_STRING)
{
yr_free(meta->string);
}
-
+
yr_free(meta->identifier);
yr_free(meta);
-
+
meta = next_meta;
}
-
+
free_term(rule->condition);
- yr_free(rule->identifier);
+ yr_free(rule->identifier);
yr_free(rule);
rule = next_rule;
}
-
+
ns = context->namespaces;
while(ns != NULL)
{
next_ns = ns->next;
-
+
yr_free(ns->name);
yr_free(ns);
-
+
ns = next_ns;
}
-
+
variable = context->variables;
while(variable != NULL)
{
next_variable = variable->next;
-/*
+/*
if (->type == VARIABLE_TYPE_STRING)
{
yr_free(->string);
}
- */
+ */
yr_free(variable->identifier);
yr_free(variable);
-
+
variable = next_variable;
}
-
+
while (context->file_name_stack_ptr > 0)
{
yr_pop_file_name(context);
}
-
+
for(i = 0; i < RULE_LIST_HASH_TABLE_SIZE; i++)
{
rule_list_entry = context->rule_list.hash_table[i].next;
-
+
while(rule_list_entry != NULL)
{
next_rule_list_entry = rule_list_entry->next;
yr_free(rule_list_entry);
-
+
rule_list_entry = next_rule_list_entry;
}
}
-
+
clear_hash_table(&context->hash_table);
yr_free(context);
}
@@ -219,7 +219,7 @@ void yr_destroy_context(YARA_CONTEXT* context)
NAMESPACE* yr_create_namespace(YARA_CONTEXT* context, const char* name)
{
NAMESPACE* ns = yr_malloc(sizeof(NAMESPACE));
-
+
if (ns != NULL)
{
ns->name = yr_strdup(name);
@@ -227,7 +227,7 @@ NAMESPACE* yr_create_namespace(YARA_CONTEXT* context, const char* name)
ns->next = context->namespaces;
context->namespaces = ns;
}
-
+
return ns;
}
@@ -237,14 +237,14 @@ int yr_define_integer_variable(YARA_CONTEXT* context, const char* identifier, si
VARIABLE* variable;
variable = lookup_variable(context->variables, identifier);
-
+
if (variable == NULL) /* variable doesn't exists, create it */
{
variable = (VARIABLE*) yr_malloc(sizeof(VARIABLE));
-
+
if (variable != NULL)
{
- variable->identifier = yr_strdup(identifier);
+ variable->identifier = yr_strdup(identifier);
variable->next = context->variables;
context->variables = variable;
}
@@ -256,7 +256,7 @@ int yr_define_integer_variable(YARA_CONTEXT* context, const char* identifier, si
variable->type = VARIABLE_TYPE_INTEGER;
variable->integer = value;
-
+
return ERROR_SUCCESS;
}
@@ -266,14 +266,14 @@ int yr_define_boolean_variable(YARA_CONTEXT* context, const char* identifier, in
VARIABLE* variable;
variable = lookup_variable(context->variables, identifier);
-
+
if (variable == NULL) /* variable doesn't exists, create it */
{
variable = (VARIABLE*) yr_malloc(sizeof(VARIABLE));
-
+
if (variable != NULL)
- {
- variable->identifier = yr_strdup(identifier);
+ {
+ variable->identifier = yr_strdup(identifier);
variable->next = context->variables;
context->variables = variable;
}
@@ -285,7 +285,7 @@ int yr_define_boolean_variable(YARA_CONTEXT* context, const char* identifier, in
variable->type = VARIABLE_TYPE_BOOLEAN;
variable->boolean = value;
-
+
return ERROR_SUCCESS;
}
@@ -295,14 +295,14 @@ int yr_define_string_variable(YARA_CONTEXT* context, const char* identifier, con
VARIABLE* variable;
variable = lookup_variable(context->variables, identifier);
-
+
if (variable == NULL) /* variable doesn't exists, create it */
{
variable = (VARIABLE*) yr_malloc(sizeof(VARIABLE));
-
+
if (variable != NULL)
{
- variable->identifier = yr_strdup(identifier);
+ variable->identifier = yr_strdup(identifier);
variable->next = context->variables;
context->variables = variable;
}
@@ -314,7 +314,7 @@ int yr_define_string_variable(YARA_CONTEXT* context, const char* identifier, con
variable->type = VARIABLE_TYPE_STRING;
variable->string = (char*) value;
-
+
return ERROR_SUCCESS;
}
@@ -322,22 +322,22 @@ int yr_undefine_variable(YARA_CONTEXT* context, const char* identifier)
{
VARIABLE* variable = context->variables;
VARIABLE* previous;
-
+
int found = FALSE;
-
+
if (strcmp(variable->identifier, identifier) == 0)
{
context->variables = variable->next;
yr_free(variable->identifier);
yr_free(variable);
-
+
found = TRUE;
}
else
- {
+ {
previous = variable;
variable = variable->next;
-
+
while (!found && variable != NULL)
{
if (strcmp(variable->identifier, identifier) == 0)
@@ -348,21 +348,21 @@ int yr_undefine_variable(YARA_CONTEXT* context, const char* identifier)
found = TRUE;
}
- else
+ else
{
previous = variable;
variable = variable->next;
}
}
}
-
+
return (found)? ERROR_SUCCESS : ERROR_UNDEFINED_IDENTIFIER;
}
char* yr_get_current_file_name(YARA_CONTEXT* context)
-{
+{
if (context->file_name_stack_ptr > 0)
{
return context->file_name_stack[context->file_name_stack_ptr - 1];
@@ -374,9 +374,9 @@ char* yr_get_current_file_name(YARA_CONTEXT* context)
}
int yr_push_file_name(YARA_CONTEXT* context, const char* file_name)
-{
+{
int i;
-
+
for (i = 0; i < context->file_name_stack_ptr; i++)
{
if (strcmp(file_name, context->file_name_stack[i]) == 0)
@@ -387,7 +387,7 @@ int yr_push_file_name(YARA_CONTEXT* context, const char* file_name)
}
if (context->file_name_stack_ptr < MAX_INCLUDE_DEPTH)
- {
+ {
context->file_name_stack[context->file_name_stack_ptr] = yr_strdup(file_name);
context->file_name_stack_ptr++;
return ERROR_SUCCESS;
@@ -401,22 +401,22 @@ int yr_push_file_name(YARA_CONTEXT* context, const char* file_name)
void yr_pop_file_name(YARA_CONTEXT* context)
-{
+{
if (context->file_name_stack_ptr > 0)
{
context->file_name_stack_ptr--;
yr_free(context->file_name_stack[context->file_name_stack_ptr]);
- context->file_name_stack[context->file_name_stack_ptr] = NULL;
+ context->file_name_stack[context->file_name_stack_ptr] = NULL;
}
}
int yr_push_file(YARA_CONTEXT* context, FILE* fh)
-{
+{
int i;
if (context->file_stack_ptr < MAX_INCLUDE_DEPTH)
- {
+ {
context->file_stack[context->file_stack_ptr] = fh;
context->file_stack_ptr++;
return ERROR_SUCCESS;
@@ -430,25 +430,25 @@ int yr_push_file(YARA_CONTEXT* context, FILE* fh)
FILE* yr_pop_file(YARA_CONTEXT* context)
-{
+{
FILE* result = NULL;
-
+
if (context->file_stack_ptr > 0)
{
context->file_stack_ptr--;
result = context->file_stack[context->file_stack_ptr];
}
-
+
return result;
}
int yr_compile_file(FILE* rules_file, YARA_CONTEXT* context)
-{
+{
return parse_rules_file(rules_file, context);
}
int yr_compile_string(const char* rules_string, YARA_CONTEXT* context)
-{
+{
return parse_rules_string(rules_string, context);
}
@@ -457,31 +457,31 @@ int yr_scan_mem_blocks(MEMORY_BLOCK* block, YARA_CONTEXT* context, YARACALLBACK
{
int error;
int global_rules_satisfied;
- unsigned int i;
+ unsigned int i;
int is_executable;
int is_file;
-
+
RULE* rule;
NAMESPACE* ns;
EVALUATION_CONTEXT eval_context;
-
+
if (block->size < 2)
return ERROR_SUCCESS;
-
+
if (!context->hash_table.populated)
{
populate_hash_table(&context->hash_table, &context->rule_list);
}
-
+
eval_context.file_size = block->size;
eval_context.mem_block = block;
eval_context.entry_point = 0;
-
+
is_executable = is_pe(block->data, block->size) || is_elf(block->data, block->size) || context->scanning_process_memory;
is_file = !context->scanning_process_memory;
clear_marks(&context->rule_list);
-
+
while (block != NULL)
{
if (eval_context.entry_point == 0)
@@ -495,62 +495,74 @@ int yr_scan_mem_blocks(MEMORY_BLOCK* block, YARA_CONTEXT* context, YARACALLBACK
eval_context.entry_point = get_entry_point_offset(block->data, block->size);
}
}
-
+
for (i = 0; i < block->size - 1; i++)
- {
- /* search for normal strings */
- error = find_matches( block->data[i],
- block->data[i + 1],
- block->data + i,
- block->size - i,
- block->base + i,
- STRING_FLAGS_HEXADECIMAL | STRING_FLAGS_ASCII,
- i,
+ {
+ /* search for normal strings */
+ error = find_matches( block->data[i],
+ block->data[i + 1],
+ block->data + i,
+ block->size - i,
+ block->base + i,
+ STRING_FLAGS_HEXADECIMAL | STRING_FLAGS_ASCII,
+ i,
context);
-
+
if (error != ERROR_SUCCESS)
return error;
-
+
/* search for wide strings */
if ((block->data[i + 1] == 0) && (block->size > 3) && (i < block->size - 3) && (block->data[i + 3] == 0))
{
- error = find_matches( block->data[i],
- block->data[i + 2],
- block->data + i,
- block->size - i,
- block->base + i,
- STRING_FLAGS_WIDE,
- i,
+ error = find_matches( block->data[i],
+ block->data[i + 2],
+ block->data + i,
+ block->size - i,
+ block->base + i,
+ STRING_FLAGS_WIDE,
+ i,
context);
-
+
if (error != ERROR_SUCCESS)
return error;
- }
+ }
}
-
+
+ error = find_matches( block->data[block->size - 1],
+ 0,
+ block->data + block->size - 1,
+ 1,
+ block->base + block->size - 1,
+ STRING_FLAGS_HEXADECIMAL | STRING_FLAGS_ASCII,
+ block->size - 1,
+ context);
+
+ if (error != ERROR_SUCCESS)
+ return error;
+
block = block->next;
}
-
+
rule = context->rule_list.head;
-
+
/* initialize global rules flag for all namespaces */
-
+
ns = context->namespaces;
-
+
while(ns != NULL)
{
ns->global_rules_satisfied = TRUE;
ns = ns->next;
}
-
+
/* evaluate global rules */
-
+
while (rule != NULL)
- {
+ {
if (rule->flags & RULE_FLAGS_GLOBAL)
{
eval_context.rule = rule;
-
+
if (evaluate(rule->condition, &eval_context))
{
rule->flags |= RULE_FLAGS_MATCH;
@@ -559,7 +571,7 @@ int yr_scan_mem_blocks(MEMORY_BLOCK* block, YARA_CONTEXT* context, YARACALLBACK
{
rule->ns->global_rules_satisfied = FALSE;
}
-
+
if (!(rule->flags & RULE_FLAGS_PRIVATE))
{
if (callback(rule, user_data) != 0)
@@ -568,51 +580,51 @@ int yr_scan_mem_blocks(MEMORY_BLOCK* block, YARA_CONTEXT* context, YARACALLBACK
}
}
}
-
+
rule = rule->next;
}
-
+
/* evaluate the rest of the rules rules */
rule = context->rule_list.head;
-
+
while (rule != NULL)
{
- /*
+ /*
skip global rules, privates rules, and rules that don't need to be
evaluated due to some global rule unsatisfied in it's namespace
*/
-
- if (rule->flags & RULE_FLAGS_GLOBAL || rule->flags & RULE_FLAGS_PRIVATE || !rule->ns->global_rules_satisfied)
+
+ if (rule->flags & RULE_FLAGS_GLOBAL || rule->flags & RULE_FLAGS_PRIVATE || !rule->ns->global_rules_satisfied)
{
rule = rule->next;
continue;
}
-
+
if ((is_executable || !(rule->flags & RULE_FLAGS_REQUIRE_EXECUTABLE)) &&
(is_file || !(rule->flags & RULE_FLAGS_REQUIRE_FILE)))
{
eval_context.rule = rule;
-
+
if (evaluate(rule->condition, &eval_context))
{
rule->flags |= RULE_FLAGS_MATCH;
}
}
-
+
switch (callback(rule, user_data))
{
case CALLBACK_ABORT:
return ERROR_SUCCESS;
-
+
case CALLBACK_ERROR:
return ERROR_CALLBACK_ERROR;
}
-
+
rule = rule->next;
}
-
+
return ERROR_SUCCESS;
}
@@ -620,12 +632,12 @@ int yr_scan_mem_blocks(MEMORY_BLOCK* block, YARA_CONTEXT* context, YARACALLBACK
int yr_scan_mem(unsigned char* buffer, size_t buffer_size, YARA_CONTEXT* context, YARACALLBACK callback, void* user_data)
{
MEMORY_BLOCK block;
-
+
block.data = buffer;
block.size = buffer_size;
block.base = 0;
block.next = NULL;
-
+
return yr_scan_mem_blocks(&block, context, callback, user_data);
}
@@ -636,24 +648,24 @@ int yr_scan_file(const char* file_path, YARA_CONTEXT* context, YARACALLBACK call
int result;
result = map_file(file_path, &mfile);
-
+
if (result == ERROR_SUCCESS)
{
- result = yr_scan_mem(mfile.data, mfile.size, context, callback, user_data);
+ result = yr_scan_mem(mfile.data, mfile.size, context, callback, user_data);
unmap_file(&mfile);
}
-
+
return result;
}
int yr_scan_proc(int pid, YARA_CONTEXT* context, YARACALLBACK callback, void* user_data)
{
-
+
MEMORY_BLOCK* first_block;
MEMORY_BLOCK* next_block;
MEMORY_BLOCK* block;
-
+
int result = get_process_memory(pid, &first_block);
if (result == ERROR_SUCCESS)
@@ -661,19 +673,19 @@ int yr_scan_proc(int pid, YARA_CONTEXT* context, YARACALLBACK callback, void* us
context->scanning_process_memory = TRUE;
result = yr_scan_mem_blocks(first_block, context, callback, user_data);
}
-
+
if (result == ERROR_SUCCESS)
- {
+ {
block = first_block;
-
+
while (block != NULL)
{
next_block = block->next;
-
+
yr_free(block->data);
- yr_free(block);
-
- block = next_block;
+ yr_free(block);
+
+ block = next_block;
}
}
@@ -695,19 +707,19 @@ char* yr_get_error_message(YARA_CONTEXT* context, char* buffer, int buffer_size)
snprintf(buffer, buffer_size, "duplicate string identifier \"%s\"", context->last_error_extra_info);
break;
case ERROR_DUPLICATE_TAG_IDENTIFIER:
- snprintf(buffer, buffer_size, "duplicate tag identifier \"%s\"", context->last_error_extra_info);
- break;
+ snprintf(buffer, buffer_size, "duplicate tag identifier \"%s\"", context->last_error_extra_info);
+ break;
case ERROR_DUPLICATE_META_IDENTIFIER:
- snprintf(buffer, buffer_size, "duplicate metadata identifier \"%s\"", context->last_error_extra_info);
- break;
+ snprintf(buffer, buffer_size, "duplicate metadata identifier \"%s\"", context->last_error_extra_info);
+ break;
case ERROR_INVALID_CHAR_IN_HEX_STRING:
snprintf(buffer, buffer_size, "invalid char in hex string \"%s\"", context->last_error_extra_info);
break;
case ERROR_MISMATCHED_BRACKET:
snprintf(buffer, buffer_size, "mismatched bracket in string \"%s\"", context->last_error_extra_info);
break;
- case ERROR_SKIP_AT_END:
- snprintf(buffer, buffer_size, "skip at the end of string \"%s\"", context->last_error_extra_info);
+ case ERROR_SKIP_AT_END:
+ snprintf(buffer, buffer_size, "skip at the end of string \"%s\"", context->last_error_extra_info);
break;
case ERROR_INVALID_SKIP_VALUE:
snprintf(buffer, buffer_size, "invalid skip in string \"%s\"", context->last_error_extra_info);
@@ -716,7 +728,7 @@ char* yr_get_error_message(YARA_CONTEXT* context, char* buffer, int buffer_size)
snprintf(buffer, buffer_size, "unpaired nibble in string \"%s\"", context->last_error_extra_info);
break;
case ERROR_CONSECUTIVE_SKIPS:
- snprintf(buffer, buffer_size, "two consecutive skips in string \"%s\"", context->last_error_extra_info);
+ snprintf(buffer, buffer_size, "two consecutive skips in string \"%s\"", context->last_error_extra_info);
break;
case ERROR_MISPLACED_WILDCARD_OR_SKIP:
snprintf(buffer, buffer_size, "misplaced wildcard or skip at string \"%s\", wildcards and skips are only allowed after the first byte of the string", context->last_error_extra_info);
@@ -726,7 +738,7 @@ char* yr_get_error_message(YARA_CONTEXT* context, char* buffer, int buffer_size)
break;
case ERROR_NESTED_OR_OPERATION:
snprintf(buffer, buffer_size, "nested OR (|) operator at string \"%s\"", context->last_error_extra_info);
- break;
+ break;
case ERROR_INVALID_OR_OPERATION_SYNTAX:
snprintf(buffer, buffer_size, "invalid syntax at hex string \"%s\"", context->last_error_extra_info);
break;
@@ -747,7 +759,7 @@ char* yr_get_error_message(YARA_CONTEXT* context, char* buffer, int buffer_size)
break;
case ERROR_MISPLACED_ANONYMOUS_STRING:
snprintf(buffer, buffer_size, "wrong use of anonymous string");
- break;
+ break;
case ERROR_INVALID_REGULAR_EXPRESSION:
case ERROR_SYNTAX_ERROR:
snprintf(buffer, buffer_size, "%s", context->last_error_extra_info);
@@ -756,9 +768,9 @@ char* yr_get_error_message(YARA_CONTEXT* context, char* buffer, int buffer_size)
snprintf(buffer, buffer_size, "include circular reference");
case ERROR_INCLUDE_DEPTH_EXCEEDED:
snprintf(buffer, buffer_size, "too many levels of included rules");
- break;
+ break;
}
-
+
return buffer;
}
@@ -770,47 +782,47 @@ int yr_calculate_rules_weight(YARA_CONTEXT* context)
int i,j, count, weight = 0;
if (!context->hash_table.populated)
- {
+ {
populate_hash_table(&context->hash_table, &context->rule_list);
}
-
+
for (i = 0; i < 256; i++)
- {
+ {
for (j = 0; j < 256; j++)
{
entry = context->hash_table.hashed_strings_2b[i][j];
-
+
count = 0;
-
+
while (entry != NULL)
- {
- weight += string_weight(entry->string, 1);
+ {
+ weight += string_weight(entry->string, 1);
entry = entry->next;
count++;
}
-
+
weight += count;
}
-
+
entry = context->hash_table.hashed_strings_1b[i];
-
+
count = 0;
-
+
while (entry != NULL)
- {
- weight += string_weight(entry->string, 2);
+ {
+ weight += string_weight(entry->string, 2);
entry = entry->next;
count++;
}
}
-
+
entry = context->hash_table.non_hashed_strings;
-
+
while (entry != NULL)
{
weight += string_weight(entry->string, 4);
}
-
+
return weight;
}
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git
More information about the forensics-changes
mailing list