[Forensics-changes] [yara] 119/135: Implement "magic" module based on Armin Buescher's original idea.

Hilko Bengen bengen at moszumanska.debian.org
Sat Jul 1 10:27:38 UTC 2017 

This is an automated email from the git hooks/post-receive script.

bengen pushed a commit to annotated tag v3.1.0
in repository yara.

commit 61f517d20122c117937f3f544927ca806ba64229
Author: Victor M. Alvarez <plusvic at gmail.com>
Date:   Fri Aug 22 15:03:20 2014 +0200

    Implement "magic" module based on Armin Buescher's original idea.
---
 configure.ac                |  12 +++-
 libyara/Makefile.am         |   4 ++
 libyara/modules/magic.c     | 151 ++++++++++++++++++++++++++++++++++++++++++++
 libyara/modules/module_list |   4 ++
 4 files changed, 170 insertions(+), 1 deletion(-)

diff --git a/configure.ac b/configure.ac
index 5130552..d72c8d5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -31,11 +31,21 @@ AC_ARG_ENABLE([cuckoo],
   [if test x$enableval = xyes; then
     cuckoo=true
     AC_CHECK_LIB(jansson, json_loadb,, AC_MSG_ERROR(please install Jansson library))
-    AC_DEFINE([CUCKOO], [1], [enable cuckoo])
+    AC_DEFINE([CUCKOO], [1], [enable cuckoo module])
+  fi])
+
+AC_ARG_ENABLE([magic],
+  [AS_HELP_STRING([--enable-magic], [enable magic module])],
+  [if test x$enableval = xyes; then
+    magic=true
+    AC_CHECK_LIB(magic, magic_open,, AC_MSG_ERROR(please install libmagic library))
+    AC_DEFINE([MAGIC], [1], [enable magic module])
   fi])
 
 AM_CONDITIONAL([CUCKOO], [test x$cuckoo = xtrue])
 
+AM_CONDITIONAL([MAGIC], [test x$magic = xtrue])
+
 AC_CHECK_LIB(pthread, pthread_create)
 
 AC_CONFIG_FILES([Makefile])
diff --git a/libyara/Makefile.am b/libyara/Makefile.am
index 04dce2c..6322cf6 100644
--- a/libyara/Makefile.am
+++ b/libyara/Makefile.am
@@ -6,6 +6,10 @@ if CUCKOO
 MODULES += modules/cuckoo.c
 endif
 
+if MAGIC
+MODULES += modules/magic.c
+endif
+
 #
 # Add your modules here:
 #
diff --git a/libyara/modules/magic.c b/libyara/modules/magic.c
new file mode 100644
index 0000000..086631e
--- /dev/null
+++ b/libyara/modules/magic.c
@@ -0,0 +1,151 @@
+/*
+Copyright (c) 2014. The YARA Authors. All Rights Reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+/*
+
+The original idea and inspiration for this module comes from Armin Buescher.
+
+*/
+
+#include <yara/modules.h>
+#include <magic.h>
+
+#define MODULE_NAME magic
+
+magic_t magic_cookie[MAX_THREADS];
+
+const char* cached_types[MAX_THREADS];
+const char* cached_mime_types[MAX_THREADS];
+
+
+define_function(magic_mime_type)
+{
+  YR_MEMORY_BLOCK* block;
+  YR_SCAN_CONTEXT* context = scan_context();
+
+  int tidx = yr_get_tidx();
+
+  if (context->flags & SCAN_FLAGS_PROCESS_MEMORY)
+    return_string(UNDEFINED);
+
+  if (cached_mime_types[tidx] == NULL)
+  {
+    block = first_memory_block(context);
+
+    magic_setflags(magic_cookie[tidx], MAGIC_MIME_TYPE);
+
+    cached_mime_types[tidx] = magic_buffer(
+        magic_cookie[tidx],
+        block->data,
+        block->size);
+  }
+
+  return_string((char*) cached_mime_types[tidx]);
+}
+
+
+define_function(magic_type)
+{
+  YR_MEMORY_BLOCK* block;
+  YR_SCAN_CONTEXT* context = scan_context();
+
+  int tidx = yr_get_tidx();
+
+  if (context->flags & SCAN_FLAGS_PROCESS_MEMORY)
+    return_string(UNDEFINED);
+
+  if (cached_types[tidx] == NULL)
+  {
+    block = first_memory_block(context);
+
+    magic_setflags(magic_cookie[tidx], 0);
+
+    cached_types[tidx] = magic_buffer(
+        magic_cookie[tidx],
+        block->data,
+        block->size);
+  }
+
+  return_string((char*) cached_types[tidx]);
+}
+
+begin_declarations;
+
+  declare_function("mime_type", "", "s", magic_mime_type);
+  declare_function("type", "", "s", magic_type);
+
+end_declarations;
+
+
+int module_initialize(
+    YR_MODULE* module)
+{
+  for (int i = 0; i < MAX_THREADS; i++)
+    magic_cookie[i] = NULL;
+
+  return ERROR_SUCCESS;
+}
+
+
+int module_finalize(
+    YR_MODULE* module)
+{
+  for (int i = 0; i < MAX_THREADS; i++)
+    if (magic_cookie[i] != NULL)
+      magic_close(magic_cookie[i]);
+
+  return ERROR_SUCCESS;
+}
+
+
+int module_load(
+    YR_SCAN_CONTEXT* context,
+    YR_OBJECT* module_object,
+    void* module_data,
+    size_t module_data_size)
+{
+  int tidx = yr_get_tidx();
+
+  cached_types[tidx] = NULL;
+  cached_mime_types[tidx] = NULL;
+
+  if (magic_cookie[tidx] == NULL)
+  {
+    magic_cookie[tidx] = magic_open(0);
+
+    if (magic_cookie[tidx] != NULL)
+    {
+      if (magic_load(magic_cookie[tidx], NULL) != 0)
+      {
+        magic_close(magic_cookie[tidx]);
+        return ERROR_INTERNAL_FATAL_ERROR;
+      }
+    }
+    else
+    {
+      return ERROR_INSUFICIENT_MEMORY;
+    }
+  }
+
+  return ERROR_SUCCESS;
+}
+
+
+int module_unload(
+    YR_OBJECT* module)
+{
+  return ERROR_SUCCESS;
+}
diff --git a/libyara/modules/module_list b/libyara/modules/module_list
index 0d67e28..bf6e536 100644
--- a/libyara/modules/module_list
+++ b/libyara/modules/module_list
@@ -3,4 +3,8 @@ MODULE(pe)
 
 #ifdef CUCKOO
 MODULE(cuckoo)
+#endif
+
+#ifdef MAGIC
+MODULE(magic)
 #endif
\ No newline at end of file

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git

More information about the forensics-changes mailing list