[Forensics-changes] [yara] 40/407: Merge branch 'master' into richpe
Hilko Bengen
bengen at moszumanska.debian.org
Sat Jul 1 10:28:07 UTC 2017
This is an automated email from the git hooks/post-receive script.
bengen pushed a commit to annotated tag v3.3.0
in repository yara.
commit 77082a61afeabf01ade1a4ff8d2b521a848a3791
Merge: 903ba46 86ec8c7
Author: Wesley Shields <wxs at atarininja.org>
Date: Thu Sep 18 09:59:30 2014 -0400
Merge branch 'master' into richpe
Conflicts:
libyara/grammar.c
docs/modules/pe.rst | 40 +++++++++
docs/writingmodules.rst | 52 ++++++++++--
libyara/atoms.c | 4 +-
libyara/compiler.c | 13 ++-
libyara/exec.c | 34 ++++++--
libyara/grammar.c | 174 +++++++++++++++++++--------------------
libyara/grammar.y | 14 ++--
libyara/include/yara/error.h | 5 +-
libyara/include/yara/limits.h | 11 +--
libyara/include/yara/modules.h | 25 ++++++
libyara/include/yara/object.h | 5 ++
libyara/include/yara/types.h | 8 +-
libyara/modules.c | 23 ++++++
libyara/modules/pe.c | 136 +++++++++++++++++++++----------
libyara/modules/tests.c | 28 ++++++-
libyara/object.c | 143 ++++++++++++++++++++++++++++----
libyara/parser.c | 50 +++---------
libyara/rules.c | 4 +
yara-python/tests.py | 3 +-
yara-python/yara-python.c | 180 +++++++++++++++++++++++++++++++++++++++--
20 files changed, 725 insertions(+), 227 deletions(-)
diff --cc libyara/exec.c
index 8e4a7c5,fa7a90c..8573d56
--- a/libyara/exec.c
+++ b/libyara/exec.c
@@@ -87,10 -87,9 +87,11 @@@ int yr_execute_code
YR_MATCH* match;
YR_OBJECT* object;
YR_OBJECT_FUNCTION* function;
+ SIZED_STRING *big;
+ YR_STRING *little;
char* identifier;
+ char* args_fmt;
int i;
int found;
diff --cc libyara/grammar.c
index 234cfaa,0de2769..29d0bc8
--- a/libyara/grammar.c
+++ b/libyara/grammar.c
@@@ -638,14 -637,14 +638,14 @@@ static const yytype_uint16 yyrline[]
244, 272, 276, 304, 309, 310, 315, 316, 322, 325,
343, 356, 393, 394, 399, 415, 428, 441, 458, 459,
464, 478, 477, 494, 511, 512, 517, 518, 519, 520,
- 525, 613, 662, 712, 752, 755, 777, 810, 855, 872,
- 881, 890, 905, 919, 935, 951, 965, 981, 996, 1031,
- 995, 1142, 1141, 1218, 1224, 1230, 1236, 1244, 1253, 1262,
- 1271, 1280, 1307, 1334, 1361, 1365, 1373, 1374, 1379, 1401,
- 1413, 1429, 1428, 1434, 1443, 1444, 1449, 1454, 1463, 1464,
- 1468, 1476, 1480, 1490, 1503, 1515, 1527, 1539, 1551, 1563,
- 1575, 1585, 1608, 1623, 1638, 1660, 1697, 1707, 1717, 1727,
- 1737, 1747, 1757, 1767, 1777, 1787, 1797, 1807
+ 525, 613, 662, 712, 754, 757, 779, 812, 857, 874,
- 883, 892, 907, 921, 935, 951, 966, 1001, 965, 1112,
- 1111, 1188, 1194, 1200, 1206, 1214, 1223, 1232, 1241, 1250,
- 1277, 1304, 1331, 1335, 1343, 1344, 1349, 1371, 1383, 1399,
- 1398, 1404, 1413, 1414, 1419, 1424, 1433, 1434, 1438, 1446,
- 1450, 1460, 1473, 1485, 1497, 1509, 1521, 1533, 1545, 1555,
- 1578, 1593, 1608, 1630, 1667, 1677, 1687, 1697, 1707, 1717,
- 1727, 1737, 1747, 1757, 1767, 1777
++ 883, 892, 907, 921, 937, 953, 967, 983, 998, 1033,
++ 997, 1144, 1143, 1220, 1226, 1232, 1238, 1246, 1255, 1264,
++ 1273, 1282, 1309, 1336, 1363, 1367, 1375, 1376, 1381, 1403,
++ 1415, 1431, 1430, 1436, 1445, 1446, 1451, 1456, 1465, 1466,
++ 1470, 1478, 1482, 1492, 1505, 1517, 1529, 1541, 1553, 1565,
++ 1577, 1587, 1610, 1625, 1640, 1662, 1699, 1709, 1719, 1729,
++ 1739, 1749, 1759, 1769, 1779, 1789, 1799, 1809
};
#endif
@@@ -2585,46 -2578,8 +2587,46 @@@ yyreduce
break;
case 53:
- #line 920 "grammar.y"
+ #line 922 "grammar.y"
{
+ CHECK_TYPE((yyvsp[(1) - (3)].expression), EXPRESSION_TYPE_STRING, "contains");
+
+ int result = yr_parser_reduce_string_identifier(
+ yyscanner,
+ (yyvsp[(3) - (3)].c_string),
+ OP_CONTAINS_STR,
+ UNDEFINED); // XXX: UNDEFINED?
+
+ yr_free((yyvsp[(3) - (3)].c_string));
+
+ ERROR_IF(result != ERROR_SUCCESS);
+
+ (yyval.expression).type = EXPRESSION_TYPE_BOOLEAN;
+ }
+ break;
+
+ case 54:
- #line 936 "grammar.y"
++#line 938 "grammar.y"
+ {
+ CHECK_TYPE((yyvsp[(1) - (3)].expression), EXPRESSION_TYPE_STRING, "contains");
+
+ int result = yr_parser_reduce_string_identifier(
+ yyscanner,
+ (yyvsp[(3) - (3)].c_string),
+ OP_MATCHES_STR,
+ UNDEFINED); // XXX: UNDEFINED?
+
+ yr_free((yyvsp[(3) - (3)].c_string));
+
+ ERROR_IF(result != ERROR_SUCCESS);
+
+ (yyval.expression).type = EXPRESSION_TYPE_BOOLEAN;
+ }
+ break;
+
+ case 55:
- #line 952 "grammar.y"
++#line 954 "grammar.y"
+ {
int result = yr_parser_reduce_string_identifier(
yyscanner,
(yyvsp[(1) - (1)].c_string),
@@@ -2639,8 -2594,8 +2641,8 @@@
}
break;
- case 54:
-#line 936 "grammar.y"
+ case 56:
- #line 966 "grammar.y"
++#line 968 "grammar.y"
{
CHECK_TYPE((yyvsp[(3) - (3)].expression), EXPRESSION_TYPE_INTEGER, "at");
@@@ -2658,8 -2613,8 +2660,8 @@@
}
break;
- case 55:
-#line 952 "grammar.y"
+ case 57:
- #line 982 "grammar.y"
++#line 984 "grammar.y"
{
compiler->last_result = yr_parser_reduce_string_identifier(
yyscanner,
@@@ -2675,8 -2630,8 +2677,8 @@@
}
break;
- case 56:
-#line 966 "grammar.y"
+ case 58:
- #line 996 "grammar.y"
++#line 998 "grammar.y"
{
int var_index;
@@@ -2713,8 -2668,8 +2715,8 @@@
}
break;
- case 57:
-#line 1001 "grammar.y"
+ case 59:
- #line 1031 "grammar.y"
++#line 1033 "grammar.y"
{
int mem_offset = LOOP_LOCAL_VARS * compiler->loop_depth;
int8_t* addr;
@@@ -2751,8 -2706,8 +2753,8 @@@
}
break;
- case 58:
-#line 1036 "grammar.y"
+ case 60:
- #line 1066 "grammar.y"
++#line 1068 "grammar.y"
{
int mem_offset;
@@@ -2830,8 -2785,8 +2832,8 @@@
}
break;
- case 59:
-#line 1112 "grammar.y"
+ case 61:
- #line 1142 "grammar.y"
++#line 1144 "grammar.y"
{
int mem_offset = LOOP_LOCAL_VARS * compiler->loop_depth;
int8_t* addr;
@@@ -2863,8 -2818,8 +2865,8 @@@
}
break;
- case 60:
-#line 1142 "grammar.y"
+ case 62:
- #line 1172 "grammar.y"
++#line 1174 "grammar.y"
{
int mem_offset;
@@@ -2913,8 -2868,8 +2915,8 @@@
}
break;
- case 61:
-#line 1189 "grammar.y"
+ case 63:
- #line 1219 "grammar.y"
++#line 1221 "grammar.y"
{
yr_parser_emit(yyscanner, OP_OF, NULL);
@@@ -2922,8 -2877,8 +2924,8 @@@
}
break;
- case 62:
-#line 1195 "grammar.y"
+ case 64:
- #line 1225 "grammar.y"
++#line 1227 "grammar.y"
{
yr_parser_emit(yyscanner, OP_NOT, NULL);
@@@ -2931,8 -2886,8 +2933,8 @@@
}
break;
- case 63:
-#line 1201 "grammar.y"
+ case 65:
- #line 1231 "grammar.y"
++#line 1233 "grammar.y"
{
yr_parser_emit(yyscanner, OP_AND, NULL);
@@@ -2940,8 -2895,8 +2942,8 @@@
}
break;
- case 64:
-#line 1207 "grammar.y"
+ case 66:
- #line 1237 "grammar.y"
++#line 1239 "grammar.y"
{
CHECK_TYPE((yyvsp[(1) - (3)].expression), EXPRESSION_TYPE_BOOLEAN, "or");
@@@ -2951,8 -2906,8 +2953,8 @@@
}
break;
- case 65:
-#line 1215 "grammar.y"
+ case 67:
- #line 1245 "grammar.y"
++#line 1247 "grammar.y"
{
CHECK_TYPE((yyvsp[(1) - (3)].expression), EXPRESSION_TYPE_INTEGER, "<");
CHECK_TYPE((yyvsp[(3) - (3)].expression), EXPRESSION_TYPE_INTEGER, "<");
@@@ -2963,8 -2918,8 +2965,8 @@@
}
break;
- case 66:
-#line 1224 "grammar.y"
+ case 68:
- #line 1254 "grammar.y"
++#line 1256 "grammar.y"
{
CHECK_TYPE((yyvsp[(1) - (3)].expression), EXPRESSION_TYPE_INTEGER, ">");
CHECK_TYPE((yyvsp[(3) - (3)].expression), EXPRESSION_TYPE_INTEGER, ">");
@@@ -2975,8 -2930,8 +2977,8 @@@
}
break;
- case 67:
-#line 1233 "grammar.y"
+ case 69:
- #line 1263 "grammar.y"
++#line 1265 "grammar.y"
{
CHECK_TYPE((yyvsp[(1) - (3)].expression), EXPRESSION_TYPE_INTEGER, "<=");
CHECK_TYPE((yyvsp[(3) - (3)].expression), EXPRESSION_TYPE_INTEGER, "<=");
@@@ -2987,8 -2942,8 +2989,8 @@@
}
break;
- case 68:
-#line 1242 "grammar.y"
+ case 70:
- #line 1272 "grammar.y"
++#line 1274 "grammar.y"
{
CHECK_TYPE((yyvsp[(1) - (3)].expression), EXPRESSION_TYPE_INTEGER, ">=");
CHECK_TYPE((yyvsp[(3) - (3)].expression), EXPRESSION_TYPE_INTEGER, ">=");
@@@ -2999,8 -2954,8 +3001,8 @@@
}
break;
- case 69:
-#line 1251 "grammar.y"
+ case 71:
- #line 1281 "grammar.y"
++#line 1283 "grammar.y"
{
if ((yyvsp[(1) - (3)].expression).type != (yyvsp[(3) - (3)].expression).type)
{
@@@ -3029,8 -2984,8 +3031,8 @@@
}
break;
- case 70:
-#line 1278 "grammar.y"
+ case 72:
- #line 1308 "grammar.y"
++#line 1310 "grammar.y"
{
if ((yyvsp[(1) - (3)].expression).type != (yyvsp[(3) - (3)].expression).type)
{
@@@ -3059,8 -3014,8 +3061,8 @@@
}
break;
- case 71:
-#line 1305 "grammar.y"
+ case 73:
- #line 1335 "grammar.y"
++#line 1337 "grammar.y"
{
if ((yyvsp[(1) - (3)].expression).type != (yyvsp[(3) - (3)].expression).type)
{
@@@ -3089,32 -3044,32 +3091,32 @@@
}
break;
- case 72:
-#line 1332 "grammar.y"
+ case 74:
- #line 1362 "grammar.y"
++#line 1364 "grammar.y"
{
(yyval.expression) = (yyvsp[(1) - (1)].expression);
}
break;
- case 73:
-#line 1336 "grammar.y"
+ case 75:
- #line 1366 "grammar.y"
++#line 1368 "grammar.y"
{
(yyval.expression) = (yyvsp[(2) - (3)].expression);
}
break;
- case 74:
-#line 1343 "grammar.y"
+ case 76:
- #line 1373 "grammar.y"
++#line 1375 "grammar.y"
{ (yyval.integer) = INTEGER_SET_ENUMERATION; }
break;
- case 75:
-#line 1344 "grammar.y"
+ case 77:
- #line 1374 "grammar.y"
++#line 1376 "grammar.y"
{ (yyval.integer) = INTEGER_SET_RANGE; }
break;
- case 76:
-#line 1350 "grammar.y"
+ case 78:
- #line 1380 "grammar.y"
++#line 1382 "grammar.y"
{
if ((yyvsp[(2) - (6)].expression).type != EXPRESSION_TYPE_INTEGER)
{
@@@ -3134,8 -3089,8 +3136,8 @@@
}
break;
- case 77:
-#line 1372 "grammar.y"
+ case 79:
- #line 1402 "grammar.y"
++#line 1404 "grammar.y"
{
if ((yyvsp[(1) - (1)].expression).type != EXPRESSION_TYPE_INTEGER)
{
@@@ -3149,8 -3104,8 +3151,8 @@@
}
break;
- case 78:
-#line 1384 "grammar.y"
+ case 80:
- #line 1414 "grammar.y"
++#line 1416 "grammar.y"
{
if ((yyvsp[(3) - (3)].expression).type != EXPRESSION_TYPE_INTEGER)
{
@@@ -3163,61 -3118,61 +3165,61 @@@
}
break;
- case 79:
-#line 1399 "grammar.y"
+ case 81:
- #line 1429 "grammar.y"
++#line 1431 "grammar.y"
{
// Push end-of-list marker
yr_parser_emit_with_arg(yyscanner, OP_PUSH, UNDEFINED, NULL);
}
break;
- case 81:
-#line 1405 "grammar.y"
+ case 83:
- #line 1435 "grammar.y"
++#line 1437 "grammar.y"
{
yr_parser_emit_with_arg(yyscanner, OP_PUSH, UNDEFINED, NULL);
yr_parser_emit_pushes_for_strings(yyscanner, "$*");
}
break;
- case 84:
-#line 1420 "grammar.y"
+ case 86:
- #line 1450 "grammar.y"
++#line 1452 "grammar.y"
{
yr_parser_emit_pushes_for_strings(yyscanner, (yyvsp[(1) - (1)].c_string));
yr_free((yyvsp[(1) - (1)].c_string));
}
break;
- case 85:
-#line 1425 "grammar.y"
+ case 87:
- #line 1455 "grammar.y"
++#line 1457 "grammar.y"
{
yr_parser_emit_pushes_for_strings(yyscanner, (yyvsp[(1) - (1)].c_string));
yr_free((yyvsp[(1) - (1)].c_string));
}
break;
- case 87:
-#line 1435 "grammar.y"
+ case 89:
- #line 1465 "grammar.y"
++#line 1467 "grammar.y"
{
yr_parser_emit_with_arg(yyscanner, OP_PUSH, UNDEFINED, NULL);
}
break;
- case 88:
-#line 1439 "grammar.y"
+ case 90:
- #line 1469 "grammar.y"
++#line 1471 "grammar.y"
{
yr_parser_emit_with_arg(yyscanner, OP_PUSH, 1, NULL);
}
break;
- case 89:
-#line 1447 "grammar.y"
+ case 91:
- #line 1477 "grammar.y"
++#line 1479 "grammar.y"
{
(yyval.expression) = (yyvsp[(2) - (3)].expression);
}
break;
- case 90:
-#line 1451 "grammar.y"
+ case 92:
- #line 1481 "grammar.y"
++#line 1483 "grammar.y"
{
compiler->last_result = yr_parser_emit(
yyscanner, OP_FILESIZE, NULL);
@@@ -3229,8 -3184,8 +3231,8 @@@
}
break;
- case 91:
-#line 1461 "grammar.y"
+ case 93:
- #line 1491 "grammar.y"
++#line 1493 "grammar.y"
{
yywarning(yyscanner,
"Using deprecated \"entrypoint\" keyword. Use the \"entry_point\" " "function from PE module instead.");
@@@ -3245,8 -3200,8 +3247,8 @@@
}
break;
- case 92:
-#line 1474 "grammar.y"
+ case 94:
- #line 1504 "grammar.y"
++#line 1506 "grammar.y"
{
CHECK_TYPE((yyvsp[(3) - (4)].expression), EXPRESSION_TYPE_INTEGER, "int8");
@@@ -3260,8 -3215,8 +3262,8 @@@
}
break;
- case 93:
-#line 1486 "grammar.y"
+ case 95:
- #line 1516 "grammar.y"
++#line 1518 "grammar.y"
{
CHECK_TYPE((yyvsp[(3) - (4)].expression), EXPRESSION_TYPE_INTEGER, "int16");
@@@ -3275,8 -3230,8 +3277,8 @@@
}
break;
- case 94:
-#line 1498 "grammar.y"
+ case 96:
- #line 1528 "grammar.y"
++#line 1530 "grammar.y"
{
CHECK_TYPE((yyvsp[(3) - (4)].expression), EXPRESSION_TYPE_INTEGER, "int32");
@@@ -3290,8 -3245,8 +3292,8 @@@
}
break;
- case 95:
-#line 1510 "grammar.y"
+ case 97:
- #line 1540 "grammar.y"
++#line 1542 "grammar.y"
{
CHECK_TYPE((yyvsp[(3) - (4)].expression), EXPRESSION_TYPE_INTEGER, "uint8");
@@@ -3305,8 -3260,8 +3307,8 @@@
}
break;
- case 96:
-#line 1522 "grammar.y"
+ case 98:
- #line 1552 "grammar.y"
++#line 1554 "grammar.y"
{
CHECK_TYPE((yyvsp[(3) - (4)].expression), EXPRESSION_TYPE_INTEGER, "uint16");
@@@ -3320,8 -3275,8 +3322,8 @@@
}
break;
- case 97:
-#line 1534 "grammar.y"
+ case 99:
- #line 1564 "grammar.y"
++#line 1566 "grammar.y"
{
CHECK_TYPE((yyvsp[(3) - (4)].expression), EXPRESSION_TYPE_INTEGER, "uint32");
@@@ -3335,8 -3290,8 +3337,8 @@@
}
break;
- case 98:
-#line 1546 "grammar.y"
+ case 100:
- #line 1576 "grammar.y"
++#line 1578 "grammar.y"
{
compiler->last_result = yr_parser_emit_with_arg(
yyscanner, OP_PUSH, (yyvsp[(1) - (1)].integer), NULL);
@@@ -3348,8 -3303,8 +3350,8 @@@
}
break;
- case 99:
-#line 1556 "grammar.y"
+ case 101:
- #line 1586 "grammar.y"
++#line 1588 "grammar.y"
{
SIZED_STRING* sized_string = (yyvsp[(1) - (1)].sized_string);
char* string;
@@@ -3374,8 -3329,8 +3376,8 @@@
}
break;
- case 100:
-#line 1579 "grammar.y"
+ case 102:
- #line 1609 "grammar.y"
++#line 1611 "grammar.y"
{
compiler->last_result = yr_parser_reduce_string_identifier(
yyscanner,
@@@ -3392,8 -3347,8 +3394,8 @@@
}
break;
- case 101:
-#line 1594 "grammar.y"
+ case 103:
- #line 1624 "grammar.y"
++#line 1626 "grammar.y"
{
compiler->last_result = yr_parser_reduce_string_identifier(
yyscanner,
@@@ -3410,8 -3365,8 +3412,8 @@@
}
break;
- case 102:
-#line 1609 "grammar.y"
+ case 104:
- #line 1639 "grammar.y"
++#line 1641 "grammar.y"
{
compiler->last_result = yr_parser_emit_with_arg(
yyscanner,
@@@ -3435,8 -3390,8 +3437,8 @@@
}
break;
- case 103:
-#line 1631 "grammar.y"
+ case 105:
- #line 1661 "grammar.y"
++#line 1663 "grammar.y"
{
if ((yyvsp[(1) - (1)].object) == (YR_OBJECT*) -1) // loop identifier
{
@@@ -3475,8 -3430,8 +3477,8 @@@
}
break;
- case 104:
-#line 1668 "grammar.y"
+ case 106:
- #line 1698 "grammar.y"
++#line 1700 "grammar.y"
{
CHECK_TYPE((yyvsp[(1) - (3)].expression), EXPRESSION_TYPE_INTEGER, "+");
CHECK_TYPE((yyvsp[(3) - (3)].expression), EXPRESSION_TYPE_INTEGER, "+");
@@@ -3488,8 -3443,8 +3490,8 @@@
}
break;
- case 105:
-#line 1678 "grammar.y"
+ case 107:
- #line 1708 "grammar.y"
++#line 1710 "grammar.y"
{
CHECK_TYPE((yyvsp[(1) - (3)].expression), EXPRESSION_TYPE_INTEGER, "-");
CHECK_TYPE((yyvsp[(3) - (3)].expression), EXPRESSION_TYPE_INTEGER, "-");
@@@ -3501,8 -3456,8 +3503,8 @@@
}
break;
- case 106:
-#line 1688 "grammar.y"
+ case 108:
- #line 1718 "grammar.y"
++#line 1720 "grammar.y"
{
CHECK_TYPE((yyvsp[(1) - (3)].expression), EXPRESSION_TYPE_INTEGER, "*");
CHECK_TYPE((yyvsp[(3) - (3)].expression), EXPRESSION_TYPE_INTEGER, "*");
@@@ -3514,8 -3469,8 +3516,8 @@@
}
break;
- case 107:
-#line 1698 "grammar.y"
+ case 109:
- #line 1728 "grammar.y"
++#line 1730 "grammar.y"
{
CHECK_TYPE((yyvsp[(1) - (3)].expression), EXPRESSION_TYPE_INTEGER, "\\");
CHECK_TYPE((yyvsp[(3) - (3)].expression), EXPRESSION_TYPE_INTEGER, "\\");
@@@ -3527,8 -3482,8 +3529,8 @@@
}
break;
- case 108:
-#line 1708 "grammar.y"
+ case 110:
- #line 1738 "grammar.y"
++#line 1740 "grammar.y"
{
CHECK_TYPE((yyvsp[(1) - (3)].expression), EXPRESSION_TYPE_INTEGER, "%");
CHECK_TYPE((yyvsp[(3) - (3)].expression), EXPRESSION_TYPE_INTEGER, "%");
@@@ -3540,8 -3495,8 +3542,8 @@@
}
break;
- case 109:
-#line 1718 "grammar.y"
+ case 111:
- #line 1748 "grammar.y"
++#line 1750 "grammar.y"
{
CHECK_TYPE((yyvsp[(1) - (3)].expression), EXPRESSION_TYPE_INTEGER, "^");
CHECK_TYPE((yyvsp[(3) - (3)].expression), EXPRESSION_TYPE_INTEGER, "^");
@@@ -3553,8 -3508,8 +3555,8 @@@
}
break;
- case 110:
-#line 1728 "grammar.y"
+ case 112:
- #line 1758 "grammar.y"
++#line 1760 "grammar.y"
{
CHECK_TYPE((yyvsp[(1) - (3)].expression), EXPRESSION_TYPE_INTEGER, "^");
CHECK_TYPE((yyvsp[(3) - (3)].expression), EXPRESSION_TYPE_INTEGER, "^");
@@@ -3566,8 -3521,8 +3568,8 @@@
}
break;
- case 111:
-#line 1738 "grammar.y"
+ case 113:
- #line 1768 "grammar.y"
++#line 1770 "grammar.y"
{
CHECK_TYPE((yyvsp[(1) - (3)].expression), EXPRESSION_TYPE_INTEGER, "|");
CHECK_TYPE((yyvsp[(3) - (3)].expression), EXPRESSION_TYPE_INTEGER, "|");
@@@ -3579,8 -3534,8 +3581,8 @@@
}
break;
- case 112:
-#line 1748 "grammar.y"
+ case 114:
- #line 1778 "grammar.y"
++#line 1780 "grammar.y"
{
CHECK_TYPE((yyvsp[(2) - (2)].expression), EXPRESSION_TYPE_INTEGER, "~");
@@@ -3592,8 -3547,8 +3594,8 @@@
}
break;
- case 113:
-#line 1758 "grammar.y"
+ case 115:
- #line 1788 "grammar.y"
++#line 1790 "grammar.y"
{
CHECK_TYPE((yyvsp[(1) - (3)].expression), EXPRESSION_TYPE_INTEGER, "<<");
CHECK_TYPE((yyvsp[(3) - (3)].expression), EXPRESSION_TYPE_INTEGER, "<<");
@@@ -3605,8 -3560,8 +3607,8 @@@
}
break;
- case 114:
-#line 1768 "grammar.y"
+ case 116:
- #line 1798 "grammar.y"
++#line 1800 "grammar.y"
{
CHECK_TYPE((yyvsp[(1) - (3)].expression), EXPRESSION_TYPE_INTEGER, ">>");
CHECK_TYPE((yyvsp[(3) - (3)].expression), EXPRESSION_TYPE_INTEGER, ">>");
@@@ -3618,8 -3573,8 +3620,8 @@@
}
break;
- case 115:
-#line 1778 "grammar.y"
+ case 117:
- #line 1808 "grammar.y"
++#line 1810 "grammar.y"
{
(yyval.expression) = (yyvsp[(1) - (1)].expression);
}
@@@ -3627,7 -3582,7 +3629,7 @@@
/* Line 1267 of yacc.c. */
- #line 3631 "grammar.c"
-#line 3586 "grammar.c"
++#line 3633 "grammar.c"
default: break;
}
YY_SYMBOL_PRINT ("-> $$ =", yyr1[yyn], &yyval, &yyloc);
@@@ -3841,6 -3796,6 +3843,6 @@@ yyreturn
}
- #line 1813 "grammar.y"
-#line 1783 "grammar.y"
++#line 1815 "grammar.y"
diff --cc libyara/modules/pe.c
index 67dc974,8a81f2c..a935309
--- a/libyara/modules/pe.c
+++ b/libyara/modules/pe.c
@@@ -557,16 -491,13 +588,13 @@@ void pe_parse
for (int i = 0; i < scount; i++)
{
- if ((uint8_t*) section -
- (uint8_t*) pe + sizeof(IMAGE_SECTION_HEADER) >= pe->data_size)
- {
+ if (!struct_fits_in_pe(pe, section, IMAGE_SECTION_HEADER))
break;
- }
- strlcpy(section_name, (char*) section->Name, IMAGE_SIZEOF_SHORT_NAME + 1);
+ str_size = strlcpy(section_name, (char*) section->Name, IMAGE_SIZEOF_SHORT_NAME + 1);
set_string(
- section_name,
+ section_name, str_size,
pe->object, "sections[%i].name", i);
set_integer(
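Review bot: The length now passed to `set_string` comes from the return value of `strlcpy`, which under the usual strlcpy contract is the length of the source string, not the number of bytes actually copied. `section->Name` is a fixed `IMAGE_SIZEOF_SHORT_NAME`-byte field that a PE file is not required to NUL-terminate, so for a malformed file `str_size` can be larger than what was written to `section_name`, and `set_string` would then read beyond that buffer. Clamp the value before using it, e.g. `if (str_size > IMAGE_SIZEOF_SHORT_NAME) str_size = IMAGE_SIZEOF_SHORT_NAME;`, or copy a bounded number of bytes and measure the copy instead of the source. The declaration of `section_name` and the rest of `pe_parse` lie outside this hunk, so the buffer size is inferred from the `IMAGE_SIZEOF_SHORT_NAME + 1` argument.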
@@@ -679,14 -603,11 +707,11 @@@ define_function(exports
}
- #define check_bounds(pointer, struct_type, limit) \
- ((uint8_t*)(pointer) + sizeof(struct_type) <= limit)
-
define_function(imports)
{
- char* dll_name = string_argument(1);
- char* function_name = string_argument(2);
- int function_name_len = strlen(function_name);
+ SIZED_STRING* dll_name = string_argument(1);
+ SIZED_STRING* function_name = string_argument(2);
+ int function_name_len = function_name->length;
YR_OBJECT* module = module();
PE* pe = (PE*) module->data;
@@@ -753,10 -671,10 +775,10 @@@
{
import = (PIMAGE_IMPORT_BY_NAME)(pe->data + offset);
- if (pe_end - import->Name >= function_name_len)
+ if (fits_in_pe(pe, import->Name, function_name_len))
{
if (strncmp((char*) import->Name,
- function_name,
+ function_name->c_string,
function_name_len) == 0)
{
return_integer(1);
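Review bot: `strncmp((char*) import->Name, function_name->c_string, function_name_len) == 0` compares only the first `function_name_len` bytes, so an import whose name merely begins with the requested string also makes `imports` return 1, which can produce false-positive rule matches. If an exact match is intended, extend the bounds check by one byte and test the terminator: `if (fits_in_pe(pe, import->Name, function_name_len + 1))` together with `&& import->Name[function_name_len] == '\0'` on the comparison. The identical block in the following hunk (`@@@ -785,10 -703,10 +807,10 @@@`) needs the same change. `fits_in_pe` is defined outside the visible hunks, so its exact semantics are assumed from the call.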
@@@ -785,10 -703,10 +807,10 @@@
{
import = (PIMAGE_IMPORT_BY_NAME)(pe->data + offset);
- if (pe_end - import->Name >= function_name_len)
+ if (fits_in_pe(pe, import->Name, function_name_len))
{
if (strncmp((char*) import->Name,
- function_name,
+ function_name->c_string,
function_name_len) == 0)
{
return_integer(1);
diff --cc libyara/modules/tests.c
index 70e4988,4a370b8..fa6ea01
--- a/libyara/modules/tests.c
+++ b/libyara/modules/tests.c
@@@ -83,13 -102,16 +102,16 @@@ int module_load
set_integer(1, module_object, "integer_array[%i]", 1);
set_integer(2, module_object, "integer_array[%i]", 2);
- set_string("foo", module_object, "string_array[%i]", 0);
- set_string("bar", module_object, "string_array[%i]", 1);
- set_string("baz", module_object, "string_array[%i]", 2);
+ set_string("foo", 3, module_object, "string_array[%i]", 0);
+ set_string("bar", 3, module_object, "string_array[%i]", 1);
+ set_string("baz", 3, module_object, "string_array[%i]", 2);
- set_string("foo", module_object, "string_dict[%s]", "foo");
- set_string("bar", module_object, "string_dict[\"bar\"]");
+ set_string("foo", 3, module_object, "string_dict[%s]", "foo");
+ set_string("bar", 3, module_object, "string_dict[\"bar\"]");
- set_string("foo", module_object, "struct_dict[%s].s", "foo");
++ set_string("foo", 3, module_object, "struct_dict[%s].s", "foo");
+ set_integer(1, module_object, "struct_dict[%s].i", "foo");
+
return ERROR_SUCCESS;
}
diff --cc libyara/object.c
index 60fbe54,dd4f9c8..20875ff
--- a/libyara/object.c
+++ b/libyara/object.c
@@@ -872,3 -897,87 +901,87 @@@ YR_OBJECT* yr_object_get_root
return o;
}
+
+ void yr_object_print_data(
+ YR_OBJECT* object,
+ int indent)
+ {
+ YR_DICTIONARY_ITEMS* dict_items;
+ YR_ARRAY_ITEMS* array_items;
+
+ char indent_spaces[32];
+
+ indent = min(indent, sizeof(indent_spaces));
+
+ memset(indent_spaces, '\t', indent);
+ indent_spaces[indent] = '\0';
+
+ switch(object->type)
+ {
+ case OBJECT_TYPE_INTEGER:
+ if (((YR_OBJECT_INTEGER*) object)->value != UNDEFINED)
+ printf(
+ "%s%s = %lld\n",
+ indent_spaces,
+ object->identifier,
+ ((YR_OBJECT_INTEGER*) object)->value);
+ break;
+
+ case OBJECT_TYPE_STRING:
+ if (((YR_OBJECT_STRING*) object)->value != NULL)
+ printf(
+ "%s%s = \"%s\"\n",
+ indent_spaces,
+ object->identifier,
- ((YR_OBJECT_STRING*) object)->value);
++ ((YR_OBJECT_STRING*) object)->value->c_string);
+ break;
+
+ case OBJECT_TYPE_STRUCTURE:
+ printf(
+ "%s%s\n",
+ indent_spaces,
+ object->identifier);
+
+ YR_STRUCTURE_MEMBER* member = ((YR_OBJECT_STRUCTURE*) object)->members;
+
+ while (member != NULL)
+ {
+ yr_object_print_data(member->object, indent + 1);
+ member = member->next;
+ }
+
+ break;
+
+ case OBJECT_TYPE_ARRAY:
+ array_items = ((YR_OBJECT_ARRAY*) object)->items;
+
+ if (array_items != NULL)
+ {
+ for (int i = 0; i < array_items->count; i++)
+ {
+ if (array_items->objects[i] != NULL)
+ {
+ printf("%s[%d]\n", indent_spaces, i);
+ yr_object_print_data(array_items->objects[i], indent + 1);
+ }
+ }
+ }
+
+ break;
+
+ case OBJECT_TYPE_DICTIONARY:
+ dict_items = ((YR_OBJECT_DICTIONARY*) object)->items;
+
+ if (dict_items != NULL)
+ {
+ printf("%s%s\n", indent_spaces, object->identifier);
+
+ for (int i = 0; i < dict_items->used; i++)
+ {
+ printf("%s\t%s\n", indent_spaces, dict_items->objects[i].key);
+ yr_object_print_data(dict_items->objects[i].obj, indent + 1);
+ }
+ }
+ break;
+ }
+ }
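Review bot: `indent = min(indent, sizeof(indent_spaces));` allows `indent` to reach 32, and the next statement `indent_spaces[indent] = '\0';` then writes one byte past the end of the 32-byte stack array. The function calls itself with `indent + 1` for each nested structure, array and dictionary member, so the depth is determined by the object tree being printed. Clamp to the last valid index instead: `indent = min(indent, sizeof(indent_spaces) - 1);`. Because the comparison mixes an `int` with a `size_t`, a negative `indent` would presumably be converted and end up at the upper bound as well (the `min` macro is not visible here), so an explicit `if (indent < 0) indent = 0;` before the clamp would make the intent clear.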
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git