[Forensics-changes] [yara] 40/135: Rename YR_EVALUATION_CONTEXT to YR_SCAN_CONTEXT and some other minor changes
Hilko Bengen
bengen at moszumanska.debian.org
Sat Jul 1 10:27:30 UTC 2017
This is an automated email from the git hooks/post-receive script.
bengen pushed a commit to annotated tag v3.1.0
in repository yara.
commit 7690f8484ad36092ecce9d0d13809a302e1afb7c
Author: Victor M. Alvarez <plusvic at gmail.com>
Date: Fri Jul 4 10:54:22 2014 +0200
Rename YR_EVALUATION_CONTEXT to YR_SCAN_CONTEXT and some other minor changes
---
libyara/exec.c | 2 +-
libyara/include/yara/exec.h | 17 ++---------
libyara/include/yara/scan.h | 26 +++++++++++++++-
libyara/modules.c | 6 ++--
libyara/modules/cuckoo.c | 67 ++++++++++++++++++++--------------------
libyara/modules/pe.c | 74 +++++++++++++++++++++++++++++++++++++++------
libyara/rules.c | 29 ++++++++----------
libyara/scan.c | 5 +--
8 files changed, 144 insertions(+), 82 deletions(-)
diff --git a/libyara/exec.c b/libyara/exec.c
index 8768778..e6627b5 100644
--- a/libyara/exec.c
+++ b/libyara/exec.c
@@ -76,7 +76,7 @@ function_read(int32_t)
int yr_execute_code(
YR_RULES* rules,
- YR_EVALUATION_CONTEXT* context,
+ YR_SCAN_CONTEXT* context,
int timeout,
time_t start_time)
{
diff --git a/libyara/include/yara/exec.h b/libyara/include/yara/exec.h
index 5739b3e..eac53a1 100644
--- a/libyara/include/yara/exec.h
+++ b/libyara/include/yara/exec.h
@@ -18,6 +18,7 @@ limitations under the License.
#define YR_EXEC_H
#include <yara/hash.h>
+#include <yara/scan.h>
#include <yara/types.h>
#include <yara/rules.h>
@@ -84,23 +85,9 @@ limitations under the License.
#define OP_IMPORT 55
-typedef struct _YR_EVALUATION_CONTEXT
-{
- uint64_t file_size;
- uint64_t entry_point;
-
- void* user_data;
-
- YR_MEMORY_BLOCK* mem_block;
- YR_HASH_TABLE* objects_table;
- YR_CALLBACK_FUNC callback;
-
-} YR_EVALUATION_CONTEXT;
-
-
int yr_execute_code(
YR_RULES* rules,
- YR_EVALUATION_CONTEXT* context,
+ YR_SCAN_CONTEXT* context,
int timeout,
time_t start_time);
diff --git a/libyara/include/yara/scan.h b/libyara/include/yara/scan.h
index 3e5a8ea..45ff5b1 100644
--- a/libyara/include/yara/scan.h
+++ b/libyara/include/yara/scan.h
@@ -17,12 +17,36 @@ limitations under the License.
#ifndef YR_SCAN_H
#define YR_SCAN_H
+#include <yara/types.h>
+#include <yara/hash.h>
+#include <yara/rules.h>
+
+
+#define SCAN_FLAGS_FAST_MODE 1
+#define SCAN_FLAGS_PROCESS_MEMORY 2
+
+
+typedef struct _YR_SCAN_CONTEXT
+{
+ uint64_t file_size;
+ uint64_t entry_point;
+
+ int flags;
+ void* user_data;
+
+ YR_MEMORY_BLOCK* mem_block;
+ YR_HASH_TABLE* objects_table;
+ YR_CALLBACK_FUNC callback;
+
+} YR_SCAN_CONTEXT;
+
+
int yr_scan_verify_match(
YR_AC_MATCH* ac_match,
uint8_t* data,
size_t data_size,
size_t offset,
YR_ARENA* matches_arena,
- int fast_scan_mode);
+ int flags);
#endif
\ No newline at end of file
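Review bot: The new `flags` member of `YR_SCAN_CONTEXT` and the two `SCAN_FLAGS_*` macros carry no comment stating that the field is a bitmask of those values, which is what a module author reaching for `context->flags` needs to know; a one-liner such as `int flags; /* bitwise OR of SCAN_FLAGS_* set by the scan entry points */` would do. The header also still ends without a trailing newline after `#endif`, which pedantic compilers warn about.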
diff --git a/libyara/modules.c b/libyara/modules.c
index 9768019..db90cff 100644
--- a/libyara/modules.c
+++ b/libyara/modules.c
@@ -24,7 +24,7 @@ limitations under the License.
#define MODULE(name) \
int name ## _declarations(); \
- int name ## _load(YR_EVALUATION_CONTEXT* context, \
+ int name ## _load(YR_SCAN_CONTEXT* context, \
YR_OBJECT* main_structure, \
void* module_data, \
size_t module_data_size); \
@@ -64,7 +64,7 @@ int yr_modules_do_declarations(
int yr_modules_load(
const char* module_name,
- YR_EVALUATION_CONTEXT* context)
+ YR_SCAN_CONTEXT* context)
{
YR_MODULE_IMPORT mi;
YR_OBJECT* module_structure;
@@ -133,7 +133,7 @@ int yr_modules_load(
int yr_modules_unload_all(
- YR_EVALUATION_CONTEXT* context)
+ YR_SCAN_CONTEXT* context)
{
YR_OBJECT* module_structure;
tidx_mask_t tidx_mask = 1 << yr_get_tidx();
diff --git a/libyara/modules/cuckoo.c b/libyara/modules/cuckoo.c
index 34d87a2..515ca83 100644
--- a/libyara/modules/cuckoo.c
+++ b/libyara/modules/cuckoo.c
@@ -190,9 +190,33 @@ define_function(sync_mutex)
}
+begin_declarations;
+
+ begin_struct("network");
+ function("dns_lookup", "s", "i", network_dns_lookup);
+ function("http_get", "r", "i", network_http_get);
+ function("http_post", "r", "i", network_http_post);
+ function("http_request", "r", "i", network_http_request);
+ end_struct("network");
+
+ begin_struct("registry");
+ function("key_access", "r", "i", registry_key_access);
+ end_struct("registry");
+
+ begin_struct("filesystem");
+ function("file_access", "r", "i", filesystem_file_access);
+ end_struct("filesystem");
+
+ begin_struct("sync");
+ function("mutex", "r", "i", sync_mutex);
+ end_struct("sync");
+
+end_declarations;
+
+
int module_load(
- YR_EVALUATION_CONTEXT* context,
- YR_OBJECT* main_struct,
+ YR_SCAN_CONTEXT* context,
+ YR_OBJECT* module,
void* module_data,
size_t module_data_size)
{
@@ -218,12 +242,12 @@ int module_load(
if (json == NULL)
return ERROR_INVALID_FILE;
- main_struct->data = (void*) json;
+ module->data = (void*) json;
- network_obj = get_object(main_struct, "network");
- registry_obj = get_object(main_struct, "registry");
- filesystem_obj = get_object(main_struct, "filesystem");
- sync_obj = get_object(main_struct, "sync");
+ network_obj = get_object(module, "network");
+ registry_obj = get_object(module, "registry");
+ filesystem_obj = get_object(module, "filesystem");
+ sync_obj = get_object(module, "sync");
network_obj->data = (void*) json_object_get(json, "network");
@@ -238,38 +262,15 @@ int module_load(
}
-int module_unload(YR_OBJECT* main_struct)
+int module_unload(YR_OBJECT* module)
{
- if (main_struct->data != NULL)
- json_decref((json_t*) main_struct->data);
+ if (module->data != NULL)
+ json_decref((json_t*) module->data);
return ERROR_SUCCESS;
}
-begin_declarations;
-
- begin_struct("network");
- function("dns_lookup", "s", "i", network_dns_lookup);
- function("http_get", "r", "i", network_http_get);
- function("http_post", "r", "i", network_http_post);
- function("http_request", "r", "i", network_http_request);
- end_struct("network");
-
- begin_struct("registry");
- function("key_access", "r", "i", registry_key_access);
- end_struct("registry");
-
- begin_struct("filesystem");
- function("file_access", "r", "i", filesystem_file_access);
- end_struct("filesystem");
-
- begin_struct("sync");
- function("mutex", "r", "i", sync_mutex);
- end_struct("sync");
-
-end_declarations;
-
#undef MODULE_NAME
\ No newline at end of file
diff --git a/libyara/modules/pe.c b/libyara/modules/pe.c
index c03b4e8..4d23dab 100644
--- a/libyara/modules/pe.c
+++ b/libyara/modules/pe.c
@@ -21,6 +21,11 @@ limitations under the License.
#define MODULE_NAME pe
+#ifndef MIN
+#define MIN(x,y) ((x < y)?(x):(y))
+#endif
+
+
PIMAGE_NT_HEADERS get_pe_header(
uint8_t* buffer,
size_t buffer_length)
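Review bot: The `MIN` macro added at the top of this hunk does not parenthesize its arguments inside the comparison, so any argument containing an operator of lower precedence than `<` (a bitwise or, a shift, a ternary) mis-evaluates; `#define MIN(x,y) (((x) < (y)) ? (x) : (y))` closes that hole. Both arguments are also evaluated twice, which is harmless for the `NumberOfSections`/`60` call this patch makes but will bite a future caller that passes an expression with side effects; a `static inline` helper would avoid both hazards.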
@@ -66,9 +71,50 @@ PIMAGE_NT_HEADERS get_pe_header(
}
+uint64_t rva_to_offset(
+ PIMAGE_NT_HEADERS pe_header,
+ uint64_t rva,
+ size_t buffer_length)
+{
+ PIMAGE_SECTION_HEADER section;
+ DWORD section_rva;
+ DWORD section_offset;
+
+ section = IMAGE_FIRST_SECTION(pe_header);
+ section_rva = 0;
+ section_offset = 0;
+
+ int i = 0;
+
+ while(i < MIN(pe_header->FileHeader.NumberOfSections, 60))
+ {
+ if ((uint8_t*) section - \
+ (uint8_t*) pe_header + sizeof(IMAGE_SECTION_HEADER) < buffer_length)
+ {
+ if (rva >= section->VirtualAddress &&
+ section_rva <= section->VirtualAddress)
+ {
+ section_rva = section->VirtualAddress;
+ section_offset = section->PointerToRawData;
+ }
+
+ section++;
+ i++;
+ }
+ else
+ {
+ return 0;
+ }
+ }
+
+ return section_offset + (rva - section_rva);
+}
+
+
void parse_pe_header(
PIMAGE_NT_HEADERS pe,
size_t buffer_length,
+ int flags,
YR_OBJECT* pe_obj)
{
PIMAGE_SECTION_HEADER section;
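Review bot: The in-buffer check in `rva_to_offset` measures the distance of `section` from `pe_header`, while `buffer_length` is the size of the whole block passed down from `module_load`; if the NT headers do not start at offset 0 of the block (they are located by `get_pe_header` inside `block->data`), the check understates the real offset by that amount and a truncated file can make the loop read section headers past the end of the buffer. Passing the block base (or the header's offset within the block) into `rva_to_offset` and checking `(uint8_t*) section + sizeof(IMAGE_SECTION_HEADER) <= base + buffer_length` would make the bound exact. Separately, the function never checks that `rva` falls inside the selected section's raw size, so an RVA beyond the last section maps to an offset beyond the file, and when no section matches it silently returns `rva` unchanged. The stray `\` line continuation at the end of the subtraction is legal but unusual outside a macro and should be dropped.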
@@ -93,7 +139,10 @@ void parse_pe_header(
pe_obj, "characteristics");
set_integer(
- pe->OptionalHeader.AddressOfEntryPoint,
+ flags & SCAN_FLAGS_PROCESS_MEMORY ?
+ pe->OptionalHeader.AddressOfEntryPoint :
+ rva_to_offset(
+ pe, pe->OptionalHeader.AddressOfEntryPoint, buffer_length),
pe_obj, "entry_point");
set_integer(
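Review bot: `rva_to_offset` returns 0 both when the header is truncated and as a possible legitimate offset, so on a malformed file `pe.entry_point` is silently set to 0 rather than left undefined; consider skipping the `set_integer` call when a non-zero RVA converts to 0, or using a sentinel the caller can distinguish. The condition `flags & SCAN_FLAGS_PROCESS_MEMORY ? ... : ...` is correct by precedence but reads ambiguously; `(flags & SCAN_FLAGS_PROCESS_MEMORY) ? ... : ...` makes the intent explicit. The enclosing `parse_pe_header` continues outside the hunk.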
@@ -239,33 +288,38 @@ end_declarations;
int module_load(
- YR_EVALUATION_CONTEXT* context,
- YR_OBJECT* main_struct,
+ YR_SCAN_CONTEXT* context,
+ YR_OBJECT* module,
void* module_data,
size_t module_data_size)
{
-
- YR_MEMORY_BLOCK* block = context->mem_block;
+ YR_MEMORY_BLOCK* block;
PIMAGE_NT_HEADERS header;
- while (block != NULL)
+ foreach_memory_block(context, block)
{
header = get_pe_header(block->data, block->size);
if (header != NULL)
{
- parse_pe_header(header, block->size, main_struct);
+ // ignore DLLs while scanning a process
+
+ if (!(context->flags & SCAN_FLAGS_PROCESS_MEMORY) ||
+ !(header->FileHeader.Characteristics & IMAGE_FILE_DLL))
+ {
+ parse_pe_header(header, block->size, context->flags, module);
+ break;
+ }
+
break;
}
-
- block = block->next;
}
return ERROR_SUCCESS;
}
-int module_unload(YR_OBJECT* main_struct)
+int module_unload(YR_OBJECT* module)
{
return ERROR_SUCCESS;
}
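Review bot: The unconditional `break;` that follows the new DLL check means the loop exits on the first PE header found whether or not it was a DLL, so the "ignore DLLs while scanning a process" comment is only half true: a DLL is skipped, but later blocks are never examined for the main executable. If the intent is to keep searching, drop the outer `break;` and keep only the one inside the `if`; if the intent really is to stop at the first image, the inner `break;` is redundant and the comment should say so. `block` is declared without an initializer before `foreach_memory_block(context, block)`, which is fine only if that macro assigns it before first use; that cannot be verified from this hunk.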
diff --git a/libyara/rules.c b/libyara/rules.c
index a13a381..0749c2a 100644
--- a/libyara/rules.c
+++ b/libyara/rules.c
@@ -38,11 +38,6 @@ limitations under the License.
-
-
-
-
-
void _yr_rules_lock(
YR_RULES* rules)
{
@@ -222,7 +217,7 @@ int yr_rules_scan_mem_block(
YR_RULES* rules,
uint8_t* data,
size_t data_size,
- int fast_scan_mode,
+ int flags,
int timeout,
time_t start_time,
YR_ARENA* matches_arena)
@@ -250,7 +245,7 @@ int yr_rules_scan_mem_block(
data_size,
i - ac_match->backtrack,
matches_arena,
- fast_scan_mode));
+ flags));
}
ac_match = ac_match->next;
@@ -288,7 +283,7 @@ int yr_rules_scan_mem_block(
data_size,
data_size - ac_match->backtrack,
matches_arena,
- fast_scan_mode));
+ flags));
}
ac_match = ac_match->next;
@@ -301,13 +296,12 @@ int yr_rules_scan_mem_block(
int yr_rules_scan_mem_blocks(
YR_RULES* rules,
YR_MEMORY_BLOCK* block,
- int scanning_process_memory,
YR_CALLBACK_FUNC callback,
void* user_data,
- int fast_scan_mode,
+ int flags,
int timeout)
{
- YR_EVALUATION_CONTEXT context;
+ YR_SCAN_CONTEXT context;
YR_RULE* rule;
YR_OBJECT* object;
YR_EXTERNAL_VARIABLE* external;
@@ -323,6 +317,7 @@ int yr_rules_scan_mem_blocks(
if (block == NULL)
return ERROR_SUCCESS;
+ context.flags = flags;
context.callback = callback;
context.user_data = user_data;
context.file_size = block->size;
@@ -389,7 +384,7 @@ int yr_rules_scan_mem_blocks(
{
if (context.entry_point == UNDEFINED)
{
- if (scanning_process_memory)
+ if (flags & SCAN_FLAGS_PROCESS_MEMORY)
context.entry_point = yr_get_entry_point_address(
block->data,
block->size,
@@ -404,7 +399,7 @@ int yr_rules_scan_mem_blocks(
rules,
block->data,
block->size,
- fast_scan_mode,
+ flags,
timeout,
start_time,
matches_arena);
@@ -512,10 +507,9 @@ int yr_rules_scan_mem(
return yr_rules_scan_mem_blocks(
rules,
&block,
- FALSE,
callback,
user_data,
- fast_scan_mode,
+ fast_scan_mode ? SCAN_FLAGS_FAST_MODE : 0,
timeout);
}
@@ -571,10 +565,11 @@ int yr_rules_scan_proc(
result = yr_rules_scan_mem_blocks(
rules,
first_block,
- TRUE,
callback,
user_data,
- fast_scan_mode,
+ fast_scan_mode ?
+ SCAN_FLAGS_FAST_MODE | SCAN_FLAGS_PROCESS_MEMORY :
+ SCAN_FLAGS_PROCESS_MEMORY,
timeout);
block = first_block;
diff --git a/libyara/scan.c b/libyara/scan.c
index 3b7ff50..c396f14 100644
--- a/libyara/scan.c
+++ b/libyara/scan.c
@@ -25,6 +25,7 @@ limitations under the License.
#include <yara/types.h>
#include <yara/error.h>
#include <yara/libyara.h>
+#include <yara/scan.h>
typedef struct _CALLBACK_ARGS
@@ -829,7 +830,7 @@ int yr_scan_verify_match(
size_t data_size,
size_t offset,
YR_ARENA* matches_arena,
- int fast_scan_mode)
+ int flags)
{
YR_STRING* string = ac_match->string;
@@ -840,7 +841,7 @@ int yr_scan_verify_match(
if (data_size - offset <= 0)
return ERROR_SUCCESS;
- if (fast_scan_mode &&
+ if (flags & SCAN_FLAGS_FAST_MODE &&
STRING_IS_SINGLE_MATCH(string) &&
STRING_FOUND(string))
return ERROR_SUCCESS;
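Review bot: `flags & SCAN_FLAGS_FAST_MODE && ...` relies on `&` binding tighter than `&&`, which is correct but is exactly the pattern `-Wparentheses` warns about; `if ((flags & SCAN_FLAGS_FAST_MODE) &&` makes it explicit and matches the parenthesized form used in pe.c's `module_load` in this same commit. `yr_scan_verify_match` continues outside the hunk.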
--