[Forensics-changes] [yara] 14/407: Return error when declaring duplicated structure members
Hilko Bengen
bengen at moszumanska.debian.org
Sat Jul 1 10:27:59 UTC 2017
This is an automated email from the git hooks/post-receive script.
bengen pushed a commit to annotated tag v3.3.0
in repository yara.
commit 1bbc215f246b9e8df490f4e9548405c628084b43
Author: Victor Manuel Alvarez <vmalvarez at virustotal.com>
Date: Fri Aug 29 17:17:05 2014 +0200
Return error when declaring duplicated structure members
---
libyara/compiler.c | 5 +++++
libyara/include/yara/error.h | 1 +
libyara/modules/pe.c | 28 ++++++++++++++++++++++++++++
libyara/object.c | 5 +++++
4 files changed, 39 insertions(+)
diff --git a/libyara/compiler.c b/libyara/compiler.c
index 7c0de83..27c98e2 100644
--- a/libyara/compiler.c
+++ b/libyara/compiler.c
@@ -776,6 +776,11 @@ char* yr_compiler_get_error_message(
"unknown module \"%s\"",
compiler->last_error_extra_info);
break;
+ case ERROR_DUPLICATE_STRUCTURE_MEMBER:
+ snprintf(buffer,
+ buffer_size,
+ "duplicate structure member");
+ break;
case ERROR_INVALID_HEX_STRING:
case ERROR_INVALID_REGULAR_EXPRESSION:
case ERROR_SYNTAX_ERROR:
diff --git a/libyara/include/yara/error.h b/libyara/include/yara/error.h
index 78261cd..40644d2 100644
--- a/libyara/include/yara/error.h
+++ b/libyara/include/yara/error.h
@@ -62,6 +62,7 @@ limitations under the License.
#define ERROR_INVALID_FORMAT 38
#define ERROR_TOO_MANY_ARGUMENTS 39
#define ERROR_WRONG_NUMBER_OF_ARGUMENTS 40
+#define ERROR_DUPLICATE_STRUCTURE_MEMBER 41
#define FAIL_ON_ERROR(x) { \
diff --git a/libyara/modules/pe.c b/libyara/modules/pe.c
index f4eb13d..65c778d 100644
--- a/libyara/modules/pe.c
+++ b/libyara/modules/pe.c
@@ -144,6 +144,15 @@ uint64_t rva_to_offset(
return section_offset + (rva - section_rva);
}
+
+void parse_pe_resources(
+ PIMAGE_RESOURCE_DIRECTORY resource_dir,
+ size_t resource_size)
+{
+
+}
+
+
void parse_pe_header(
PIMAGE_NT_HEADERS32 pe,
size_t base_address,
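Review bot: parse_pe_resources is introduced with an empty body and no comment, so a reader cannot tell that it is a placeholder or what it may assume about its arguments. I would add a header comment saying that resource parsing is not implemented yet, and that `resource_dir` points into the scanned buffer with `resource_size` taken from the file's data directory, so both must be validated before any read. If nothing outside pe.c calls it, `static void parse_pe_resources(` would keep the stub out of the library's external symbols. The other functions visible in this hunk are not static, so follow the file's convention.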
@@ -152,6 +161,9 @@ void parse_pe_header(
YR_OBJECT* pe_obj)
{
PIMAGE_SECTION_HEADER section;
+ PIMAGE_DATA_DIRECTORY directory;
+
+ uint64_t offset;
char section_name[IMAGE_SIZEOF_SHORT_NAME + 1];
int i;
@@ -258,6 +270,22 @@ void parse_pe_header(
section++;
}
+
+ directory = get_data_directory(pe, IMAGE_DIRECTORY_ENTRY_RESOURCE);
+
+ if (directory->VirtualAddress != 0)
+ {
+ offset = rva_to_offset(pe, pe_size, directory->VirtualAddress);
+
+ if (offset != 0 &&
+ offset < pe_size &&
+ directory->Size < pe_size - offset)
+ {
+ parse_pe_resources(
+ (PIMAGE_RESOURCE_DIRECTORY)((uint8_t*) pe + offset),
+ directory->Size);
+ }
+ }
}
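Review bot: The guard in front of the parse_pe_resources call bounds `offset` and `directory->Size` against `pe_size`, but it accepts a `Size` of zero or anything smaller than one resource directory header, and the pointer returned by `get_data_directory` is dereferenced without a check. These fields come straight from the scanned file, so I would add `directory->Size >= sizeof(IMAGE_RESOURCE_DIRECTORY) &&` to the inner condition and, if get_data_directory can return NULL (its body is not visible here), test `directory != NULL &&` before reading `VirtualAddress`. It is also worth confirming that the value returned by rva_to_offset is relative to the same base as `pe`, because the pointer is built as `(uint8_t*) pe + offset` and the bound only holds if `pe_size` is counted from `pe` as well. parse_pe_header begins outside this hunk.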
diff --git a/libyara/object.c b/libyara/object.c
index e926495..537d287 100644
--- a/libyara/object.c
+++ b/libyara/object.c
@@ -492,6 +492,11 @@ int yr_object_structure_set_member(
assert(object->type == OBJECT_TYPE_STRUCTURE);
+ // Check if the object already have a member with the same identifier
+
+ if (yr_object_lookup_field(object, member->identifier) != NULL)
+ return ERROR_DUPLICATE_STRUCTURE_MEMBER;
+
sm = yr_malloc(sizeof(YR_STRUCTURE_MEMBER));
if (sm == NULL)
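Review bot: The new early return in yr_object_structure_set_member adds a failure that ordinary input can reach (the only other one visible here is the allocation failure), and it leaves `member` unattached to `object`. The callers are not in this patch and should be checked to confirm they release `member` when ERROR_DUPLICATE_STRUCTURE_MEMBER comes back, otherwise each duplicate declaration leaks an object. The error also carries no identifier, so the message added in compiler.c is just "duplicate structure member". Recording `member->identifier` in `last_error_extra_info`, as the "unknown module" case does, would tell the author which field collided. The comment should read `// Check if the object already has a member with the same identifier`; the function starts and ends outside the hunk.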
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git