[Forensics-changes] [yara] 33/407: Implement module data printing

Sat Jul 1 10:28:06 UTC 2017

This is an automated email from the git hooks/post-receive script.

bengen pushed a commit to annotated tag v3.3.0
in repository yara.

commit 80eeb8eb9316204a68e48b4ca10495d36e410490
Author: Victor Manuel Alvarez <vmalvarez at virustotal.com>
Date:   Tue Sep 16 14:19:02 2014 +0200

    Implement module data printing
---
 libyara/include/yara/modules.h |  2 +
 libyara/include/yara/object.h  |  5 +++
 libyara/modules.c              | 23 ++++++++++++
 libyara/object.c               | 84 ++++++++++++++++++++++++++++++++++++++++++
 libyara/rules.c                |  4 ++
 5 files changed, 118 insertions(+)

diff --git a/libyara/include/yara/modules.h b/libyara/include/yara/modules.h
index fde28e0..73817c7 100644
--- a/libyara/include/yara/modules.h
+++ b/libyara/include/yara/modules.h
@@ -330,4 +330,6 @@ int yr_modules_unload_all(
     YR_SCAN_CONTEXT* context);
 
 
+void yr_modules_print_data(
+    YR_SCAN_CONTEXT* context);
 #endif
diff --git a/libyara/include/yara/object.h b/libyara/include/yara/object.h
index 508babf..438eb70 100644
--- a/libyara/include/yara/object.h
+++ b/libyara/include/yara/object.h
@@ -127,4 +127,9 @@ YR_OBJECT* yr_object_get_root(
     YR_OBJECT* object);
 
 
+void yr_object_print_data(
+    YR_OBJECT* object,
+    int indent);
+
+
 #endif
diff --git a/libyara/modules.c b/libyara/modules.c
index 1e63201..1c611c8 100644
--- a/libyara/modules.c
+++ b/libyara/modules.c
@@ -199,3 +199,26 @@ int yr_modules_unload_all(
 
   return ERROR_SUCCESS;
 }
+
+
+void yr_modules_print_data(
+    YR_SCAN_CONTEXT* context)
+{
+  YR_OBJECT* module_structure;
+  tidx_mask_t tidx_mask = 1 << yr_get_tidx();
+
+  for (int i = 0; i < sizeof(yr_modules_table) / sizeof(YR_MODULE); i++)
+  {
+    if (yr_modules_table[i].is_loaded & tidx_mask)
+    {
+      module_structure = (YR_OBJECT*) yr_hash_table_lookup(
+          context->objects_table,
+          yr_modules_table[i].name,
+          NULL);
+
+      assert(module_structure != NULL);
+
+      yr_object_print_data(module_structure, 0);
+    }
+  }
+}
diff --git a/libyara/object.c b/libyara/object.c
index 6c9f7dc..9c92c85 100644
--- a/libyara/object.c
+++ b/libyara/object.c
@@ -895,3 +895,87 @@ YR_OBJECT* yr_object_get_root(
 
   return o;
 }
+
+void yr_object_print_data(
+    YR_OBJECT* object,
+    int indent)
+{
+  YR_DICTIONARY_ITEMS* dict_items;
+  YR_ARRAY_ITEMS* array_items;
+
+  char indent_spaces[32];
+
+  indent = min(indent, sizeof(indent_spaces));
+
+  memset(indent_spaces, '\t', indent);
+  indent_spaces[indent] = '\0';
+
+  switch(object->type)
+  {
+    case OBJECT_TYPE_INTEGER:
+      if (((YR_OBJECT_INTEGER*) object)->value != UNDEFINED)
+        printf(
+            "%s%s = %lld\n",
+            indent_spaces,
+            object->identifier,
+            ((YR_OBJECT_INTEGER*) object)->value);
+      break;
+
+    case OBJECT_TYPE_STRING:
+      if (((YR_OBJECT_STRING*) object)->value != NULL)
+        printf(
+            "%s%s = \"%s\"\n",
+            indent_spaces,
+            object->identifier,
+            ((YR_OBJECT_STRING*) object)->value);
+      break;
+
+    case OBJECT_TYPE_STRUCTURE:
+      printf(
+          "%s%s\n",
+          indent_spaces,
+          object->identifier);
+
+      YR_STRUCTURE_MEMBER* member = ((YR_OBJECT_STRUCTURE*) object)->members;
+
+      while (member != NULL)
+      {
+        yr_object_print_data(member->object, indent + 1);
+        member = member->next;
+      }
+
+      break;
+
+    case OBJECT_TYPE_ARRAY:
+      array_items = ((YR_OBJECT_ARRAY*) object)->items;
+
+      if (array_items != NULL)
+      {
+        for (int i = 0; i < array_items->count; i++)
+        {
+          if (array_items->objects[i] != NULL)
+          {
+            printf("%s[%d]\n", indent_spaces, i);
+            yr_object_print_data(array_items->objects[i], indent + 1);
+          }
+        }
+      }
+
+      break;
+
+    case OBJECT_TYPE_DICTIONARY:
+      dict_items = ((YR_OBJECT_DICTIONARY*) object)->items;
+
+      if (dict_items != NULL)
+      {
+        printf("%s%s\n", indent_spaces, object->identifier);
+
+        for (int i = 0; i < dict_items->used; i++)
+        {
+          printf("%s\t%s\n", indent_spaces, dict_items->objects[i].key);
+          yr_object_print_data(dict_items->objects[i].obj, indent + 1);
+        }
+      }
+      break;
+  }
+}
diff --git a/libyara/rules.c b/libyara/rules.c
index c7d4a7e..9d77a60 100644
--- a/libyara/rules.c
+++ b/libyara/rules.c
@@ -466,6 +466,10 @@ int yr_rules_scan_mem_blocks(
 
 _exit:
 
+  #if PRINT_MODULE_DATA
+  yr_modules_print_data(&context);
+  #endif
+
   yr_modules_unload_all(&context);
 
   _yr_rules_clean_matches(rules);

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git

