[Forensics-changes] [yara] 44/135: Calculate pe.entry_point value differently for file and process memory scans

Hilko Bengen bengen at moszumanska.debian.org
Sat Jul 1 10:27:30 UTC 2017 

This is an automated email from the git hooks/post-receive script.

bengen pushed a commit to annotated tag v3.1.0
in repository yara.

commit f5c045a45b566fbff2221b125282239aaee7ae65
Author: Victor M. Alvarez <plusvic at gmail.com>
Date:   Fri Jul 4 10:59:51 2014 +0200

    Calculate pe.entry_point value differently for file and process memory scans
---
 libyara/include/yara/modules.h |  6 ++++++
 libyara/modules/pe.c           | 11 +++++++++--
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/libyara/include/yara/modules.h b/libyara/include/yara/modules.h
index 27cb097..b80765e 100644
--- a/libyara/include/yara/modules.h
+++ b/libyara/include/yara/modules.h
@@ -153,6 +153,12 @@ limitations under the License.
 #define self()  (function_obj->parent_obj)
 
 
+#define foreach_memory_block(context, block) \
+  for (block = context->mem_block; \
+       block != NULL; \
+       block = block->next) \
+
+
 #define get_object(object, ...) \
     yr_object_lookup(object, 0, __VA_ARGS__)
 
diff --git a/libyara/modules/pe.c b/libyara/modules/pe.c
index 4d23dab..f87ac14 100644
--- a/libyara/modules/pe.c
+++ b/libyara/modules/pe.c
@@ -113,6 +113,7 @@ uint64_t rva_to_offset(
 
 void parse_pe_header(
     PIMAGE_NT_HEADERS pe,
+    size_t base_address,
     size_t buffer_length,
     int flags,
     YR_OBJECT* pe_obj)
@@ -140,7 +141,7 @@ void parse_pe_header(
 
   set_integer(
       flags & SCAN_FLAGS_PROCESS_MEMORY ?
-        pe->OptionalHeader.AddressOfEntryPoint :
+        base_address + pe->OptionalHeader.AddressOfEntryPoint :
         rva_to_offset(
             pe, pe->OptionalHeader.AddressOfEntryPoint, buffer_length),
       pe_obj, "entry_point");
@@ -307,7 +308,13 @@ int module_load(
       if (!(context->flags & SCAN_FLAGS_PROCESS_MEMORY) ||
           !(header->FileHeader.Characteristics & IMAGE_FILE_DLL))
       {
-        parse_pe_header(header, block->size, context->flags, module);
+        parse_pe_header(
+            header,
+            block->base,
+            block->size,
+            context->flags,
+            module);
+
         break;
       }
 

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git

More information about the forensics-changes mailing list