[Forensics-changes] [yara] 53/135: Fix problem with string matches offsets not being treated as virtual addresses while scanning a process
Hilko Bengen
bengen at moszumanska.debian.org
Sat Jul 1 10:27:31 UTC 2017
This is an automated email from the git hooks/post-receive script.
bengen pushed a commit to annotated tag v3.1.0
in repository yara.
commit b0b3c7ff7d633f2107526994cf0e79fe05a14404
Author: Victor M. Alvarez <plusvic at gmail.com>
Date: Mon Jul 7 14:59:25 2014 +0200
Fix problem with string matches offsets not being treated as virtual addresses while scanning a process
---
libyara/exec.c | 11 ++++++-----
libyara/include/yara/scan.h | 1 +
libyara/include/yara/types.h | 1 +
libyara/rules.c | 26 +++++++++++++-------------
libyara/scan.c | 20 ++++++++++++++++----
yara.c | 6 ++++--
6 files changed, 41 insertions(+), 24 deletions(-)
diff --git a/libyara/exec.c b/libyara/exec.c
index ae26494..c188072 100644
--- a/libyara/exec.c
+++ b/libyara/exec.c
@@ -505,14 +505,14 @@ int yr_execute_code(
while (match != NULL)
{
- if (r1 == match->offset)
+ if (r1 == match->base + match->offset)
{
push(1);
found = 1;
break;
}
- if (r1 < match->offset)
+ if (r1 < match->base + match->offset)
break;
match = match->next;
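Review bot: The early exit `if (r1 < match->base + match->offset) break;` assumes the match list is ordered by base + offset, but if the insertion that keeps the list sorted (in scan.c, not part of this diff) still orders by `offset` alone, a match in a later-scanned block with a lower virtual address could be skipped; the second hunk's `if (match->base + match->offset > r2) break;` rests on the same assumption. Either sort on base + offset at insertion or drop the early breaks when several blocks are scanned. `match->base + match->offset` now appears in all three hunks of this file and in yara.c, so a helper such as `static inline int64_t match_address(const YR_MATCH* m) { return m->base + m->offset; }` would name the concept once. yr_execute_code starts and ends outside these hunks.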
@@ -540,13 +540,14 @@ int yr_execute_code(
while (match != NULL && !found)
{
- if (match->offset >= r1 && match->offset <= r2)
+ if (match->base + match->offset >= r1 &&
+ match->base + match->offset <= r2)
{
push(1);
found = TRUE;
}
- if (match->offset > r2)
+ if (match->base + match->offset > r2)
break;
match = match->next;
@@ -582,7 +583,7 @@ int yr_execute_code(
{
if (r1 == i)
{
- push(match->offset);
+ push(match->base + match->offset);
found = TRUE;
}
diff --git a/libyara/include/yara/scan.h b/libyara/include/yara/scan.h
index 45ff5b1..026b94c 100644
--- a/libyara/include/yara/scan.h
+++ b/libyara/include/yara/scan.h
@@ -45,6 +45,7 @@ int yr_scan_verify_match(
YR_AC_MATCH* ac_match,
uint8_t* data,
size_t data_size,
+ size_t data_base,
size_t offset,
YR_ARENA* matches_arena,
int flags);
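Review bot: The new `data_base` parameter is `size_t`, while the field it is stored into, `YR_MATCH.base` in the types.h hunk, is `int64_t`, so scan.c converts unsigned to signed on assignment; an address with the top bit set would become negative and mis-order the `match->base + match->offset` comparisons in exec.c. Use one type for the base end to end, e.g. `int64_t data_base,` matching the struct, or state the assumed range in a comment on the parameter. The same mismatch applies to the `data_base`/`match_base` parameters added to `_yr_scan_verify_re_match`, `_yr_scan_verify_literal_match` and `_yr_scan_verify_chained_string_match` in scan.c.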
diff --git a/libyara/include/yara/types.h b/libyara/include/yara/types.h
index d914962..426f5e8 100644
--- a/libyara/include/yara/types.h
+++ b/libyara/include/yara/types.h
@@ -167,6 +167,7 @@ typedef struct _YR_META
typedef struct _YR_MATCH
{
+ int64_t base;
int64_t offset;
int32_t length;
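Review bot: The new `base` field has no comment explaining how it relates to `offset`, which a reader of this public header needs since every consumer must now add the two; suggest `int64_t base; /* base address of the memory block the match was found in; base + offset is the match's virtual address */`. Inserting the field ahead of `offset` also changes the layout of a public struct, so any code built against the previous header that reads YR_MATCH directly has to be rebuilt (whether such external code exists is not visible here).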
diff --git a/libyara/rules.c b/libyara/rules.c
index 0749c2a..5a727c5 100644
--- a/libyara/rules.c
+++ b/libyara/rules.c
@@ -215,8 +215,7 @@ void yr_rules_print_profiling_info(
int yr_rules_scan_mem_block(
YR_RULES* rules,
- uint8_t* data,
- size_t data_size,
+ YR_MEMORY_BLOCK* block,
int flags,
int timeout,
time_t start_time,
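Review bot: The signature of `yr_rules_scan_mem_block` changes from (`data`, `data_size`) to a `YR_MEMORY_BLOCK*`, yet the diffstat lists no header change for rules.c; if this function is declared in a header (not visible here), its prototype must follow, and any external caller passing a raw buffer is broken by the change. A smaller alternative that keeps the body's diff to the two `yr_scan_verify_match` calls is to bind `uint8_t* data = block->data; size_t data_size = block->size;` at the top of the function, which also avoids re-reading `block->size` and `block->data` through the pointer on every loop iteration in the later hunks of this file. The function body continues beyond this hunk.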
@@ -231,7 +230,7 @@ int yr_rules_scan_mem_block(
current_state = rules->automaton->root;
i = 0;
- while (i < data_size)
+ while (i < block->size)
{
ac_match = current_state->matches;
@@ -241,8 +240,9 @@ int yr_rules_scan_mem_block(
{
FAIL_ON_ERROR(yr_scan_verify_match(
ac_match,
- data,
- data_size,
+ block->data,
+ block->size,
+ block->base,
i - ac_match->backtrack,
matches_arena,
flags));
@@ -251,12 +251,12 @@ int yr_rules_scan_mem_block(
ac_match = ac_match->next;
}
- next_state = yr_ac_next_state(current_state, data[i]);
+ next_state = yr_ac_next_state(current_state, block->data[i]);
while (next_state == NULL && current_state->depth > 0)
{
current_state = current_state->failure;
- next_state = yr_ac_next_state(current_state, data[i]);
+ next_state = yr_ac_next_state(current_state, block->data[i]);
}
if (next_state != NULL)
@@ -275,13 +275,14 @@ int yr_rules_scan_mem_block(
while (ac_match != NULL)
{
- if (ac_match->backtrack <= data_size)
+ if (ac_match->backtrack <= block->size)
{
FAIL_ON_ERROR(yr_scan_verify_match(
ac_match,
- data,
- data_size,
- data_size - ac_match->backtrack,
+ block->data,
+ block->size,
+ block->base,
+ block->size - ac_match->backtrack,
matches_arena,
flags));
}
@@ -397,8 +398,7 @@ int yr_rules_scan_mem_blocks(
result = yr_rules_scan_mem_block(
rules,
- block->data,
- block->size,
+ block,
flags,
timeout,
start_time,
diff --git a/libyara/scan.c b/libyara/scan.c
index c396f14..3be2221 100644
--- a/libyara/scan.c
+++ b/libyara/scan.c
@@ -32,9 +32,12 @@ typedef struct _CALLBACK_ARGS
{
YR_STRING* string;
YR_ARENA* matches_arena;
- int forward_matches;
+
uint8_t* data;
- int data_size;
+ size_t data_size;
+ size_t data_base;
+
+ int forward_matches;
int full_word;
int tidx;
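Review bot: Changing `data_size` from `int` to `size_t` in CALLBACK_ARGS turns every comparison of `callback_args->data_size` against a signed operand into an unsigned comparison; the uses are outside this hunk, so I cannot confirm whether any involves a signed or possibly negative value, but bounds checks of the form `offset + length > data_size` are worth re-checking. The new `data_base` field is also undocumented; suggest `size_t data_base; /* base address of the block being scanned; copied into YR_MATCH.base */`.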
@@ -408,6 +411,7 @@ int _yr_scan_verify_chained_string_match(
YR_ARENA* matches_arena,
YR_STRING* matching_string,
uint8_t* match_data,
+ size_t match_base,
size_t match_offset,
int32_t match_length,
int tidx)
@@ -521,6 +525,7 @@ int _yr_scan_verify_chained_string_match(
sizeof(YR_MATCH),
(void**) &new_match));
+ new_match->base = match_base;
new_match->offset = match_offset;
new_match->length = match_length;
new_match->data = match_data;
@@ -588,6 +593,7 @@ int _yr_scan_match_callback(
callback_args->matches_arena,
string,
match_data,
+ callback_args->data_base,
match_offset,
match_length,
tidx);
@@ -601,6 +607,7 @@ int _yr_scan_match_callback(
if (result == ERROR_SUCCESS)
{
+ new_match->base = callback_args->data_base;
new_match->offset = match_offset;
new_match->length = match_length;
new_match->data = match_data;
@@ -630,6 +637,7 @@ int _yr_scan_verify_re_match(
YR_AC_MATCH* ac_match,
uint8_t* data,
size_t data_size,
+ size_t data_base,
size_t offset,
YR_ARENA* matches_arena)
{
@@ -684,6 +692,7 @@ int _yr_scan_verify_re_match(
callback_args.string = ac_match->string;
callback_args.data = data;
callback_args.data_size = data_size;
+ callback_args.data_base = data_base;
callback_args.matches_arena = matches_arena;
callback_args.forward_matches = forward_matches;
callback_args.full_word = STRING_IS_FULL_WORD(ac_match->string);
@@ -719,6 +728,7 @@ int _yr_scan_verify_literal_match(
YR_AC_MATCH* ac_match,
uint8_t* data,
size_t data_size,
+ size_t data_base,
size_t offset,
YR_ARENA* matches_arena)
{
@@ -811,6 +821,7 @@ int _yr_scan_verify_literal_match(
callback_args.string = string;
callback_args.data = data;
callback_args.data_size = data_size;
+ callback_args.data_base = data_base;
callback_args.matches_arena = matches_arena;
callback_args.forward_matches = forward_matches;
callback_args.full_word = STRING_IS_FULL_WORD(string);
@@ -828,6 +839,7 @@ int yr_scan_verify_match(
YR_AC_MATCH* ac_match,
uint8_t* data,
size_t data_size,
+ size_t data_base,
size_t offset,
YR_ARENA* matches_arena,
int flags)
@@ -849,12 +861,12 @@ int yr_scan_verify_match(
if (STRING_IS_LITERAL(string))
{
FAIL_ON_ERROR(_yr_scan_verify_literal_match(
- ac_match, data, data_size, offset, matches_arena));
+ ac_match, data, data_size, data_base, offset, matches_arena));
}
else
{
FAIL_ON_ERROR(_yr_scan_verify_re_match(
- ac_match, data, data_size, offset, matches_arena));
+ ac_match, data, data_size, data_base, offset, matches_arena));
}
#ifdef PROFILING_ENABLED
diff --git a/yara.c b/yara.c
index f40a42e..b1fc760 100644
--- a/yara.c
+++ b/yara.c
@@ -251,7 +251,7 @@ int is_directory(
{
DWORD attributes = GetFileAttributes(path);
- if (attributes != INVALID_FILE_ATTRIBUTES &&
+ if (attributes != INVALID_FILE_ATTRIBUTES &&
attributes & FILE_ATTRIBUTE_DIRECTORY)
return TRUE;
else
@@ -574,7 +574,9 @@ int handle_message(int message, YR_RULE* rule, void* data)
while (match != NULL)
{
- printf("0x%" PRIx64 ":%s: ", match->offset, string->identifier);
+ printf("0x%" PRIx64 ":%s: ",
+ match->base + match->offset,
+ string->identifier);
if (STRING_IS_HEX(string))
print_hex_string(match->data, match->length);