[Forensics-changes] [yara] 80/407: hash module
Hilko Bengen
bengen at moszumanska.debian.org
Sat Jul 1 10:28:12 UTC 2017
This is an automated email from the git hooks/post-receive script.
bengen pushed a commit to annotated tag v3.3.0
in repository yara.
commit ce4357399e17c3ccd5337ba79891b5959d92e7d5
Author: Karl Hiramoto <karl.hiramoto at virustotal.com>
Date: Tue Oct 7 14:19:16 2014 +0200
hash module
---
CONTRIBUTORS | 1 +
configure.ac | 10 +++
libyara/Makefile.am | 3 +
libyara/modules/hash.c | 158 ++++++++++++++++++++++++++++++++++++++++++++
libyara/modules/module_list | 4 ++
5 files changed, 176 insertions(+)
diff --git a/CONTRIBUTORS b/CONTRIBUTORS
index d958137..5897825 100644
--- a/CONTRIBUTORS
+++ b/CONTRIBUTORS
@@ -31,3 +31,4 @@ Mike Wiacek <mjwiacek at google.com>
Shane Huntley <shuntley at google.com>
Stefan Buehlmann <stefan.buehlmann at joebox.org>
Victor M. Alvarez <plusvic at gmail.com>;<vmalvarez at virustotal.com>
+Karl Hiramoto <karl.hiramoto at virustotal.com>
diff --git a/configure.ac b/configure.ac
index 5bb5677..2d6cff7 100644
--- a/configure.ac
+++ b/configure.ac
@@ -42,6 +42,15 @@ AC_ARG_ENABLE([magic],
AC_DEFINE([MAGIC], [1], [enable magic module])
fi])
+AC_ARG_ENABLE([hash],
+ [AS_HELP_STRING([--enable-hash], [enable hash module for files and memory blocks])],
+ [if test x$enableval = xyes; then
+ hash=true
+ AC_CHECK_HEADERS([openssl/md5.h])
+ AC_CHECK_LIB(crypto, MD5_Update,, AC_MSG_ERROR(please install openssl libcrypto library))
+ AC_DEFINE([HASH], [1], [enable hash module])
+ fi])
+
ACX_PTHREAD(
[LIBS="$PTHREAD_LIBS $LIBS"
CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
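Review bot: The `AC_CHECK_HEADERS([openssl/md5.h])` line only records the result in config.h; a system with libcrypto but no development headers passes configure and then fails while compiling modules/hash.c. Since the following `AC_CHECK_LIB` already aborts on a missing library, the header check should do the same, e.g. `AC_CHECK_HEADERS([openssl/md5.h],, AC_MSG_ERROR(please install openssl libcrypto development headers))`.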
@@ -52,6 +61,7 @@ AC_CHECK_FUNCS_ONCE(strlcpy strlcat)
AM_CONDITIONAL([CUCKOO], [test x$cuckoo = xtrue])
AM_CONDITIONAL([MAGIC], [test x$magic = xtrue])
+AM_CONDITIONAL([HASH], [test x$hash = xtrue])
AC_CONFIG_FILES([Makefile])
AC_CONFIG_FILES([libyara/Makefile])
diff --git a/libyara/Makefile.am b/libyara/Makefile.am
index eced228..a9c00f6 100644
--- a/libyara/Makefile.am
+++ b/libyara/Makefile.am
@@ -11,6 +11,9 @@ if MAGIC
MODULES += modules/magic.c
endif
+if HASH
+MODULES += modules/hash.c
+endif
#
# Add your modules here:
#
diff --git a/libyara/modules/hash.c b/libyara/modules/hash.c
new file mode 100644
index 0000000..fd78714
--- /dev/null
+++ b/libyara/modules/hash.c
@@ -0,0 +1,158 @@
+/*
+Copyright (c) 2014. The YARA Authors. All Rights Reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+
+
+MD5 Modules usage acepts two agurments offset and length
+
+mdh.hash(offset, length)
+
+# to hash the entire file
+mdh.hash(0, filesize)
+
+
+#example below checking empty hash
+import "hash"
+
+rule hash_test
+{
+ condition:
+ hash.md5(0,0) == "d41d8cd98f00b204e9800998ecf8427e"
+}
+
+*/
+
+#include <stdbool.h>
+#include <openssl/md5.h>
+#include <yara/modules.h>
+
+#define MODULE_NAME hash
+#define MODULE_NAME_STR "hash"
+#define MIN(X,Y) ((X) < (Y) ? (X) : (Y))
+
+
+#ifdef HASH_DEBUG
+#define DBG(FMT, ...) \
+ fprintf(stderr, "%s:%d: " FMT, __FUNCTION__, __LINE__, __VA_ARGS__); \
+
+#else
+#define DBG(FMT, ... )
+#endif
+
+#define MD5_DIGEST_LENGTH 16
+
+define_function(md5_hash)
+{
+
+ YR_SCAN_CONTEXT* context = scan_context();
+ YR_MEMORY_BLOCK* block = NULL;
+ unsigned char digest[MD5_DIGEST_LENGTH]; /* message digest */
+ char digest_ascii[MD5_DIGEST_LENGTH*2 + 1] = { 0,}; // (16*2) +1
+ MD5_CTX md5_context;
+ int i;
+ int64_t offset = integer_argument(1);
+ int64_t length = integer_argument(2); // length of bytes we want hash on
+ uint64_t data_offset = 0;
+ uint64_t data_len = 0;
+ bool md5_updated = false;
+
+ DBG("offset=%llx, length=%lld \n", (long long) offset, (long long) length);
+ MD5_Init(&md5_context);
+
+ if (offset < 0 || length < 0 || offset < context->mem_block->base) {
+ return ERROR_WRONG_ARGUMENTS;
+ }
+
+ foreach_memory_block(context, block) {
+
+ // if desired block within current block
+ if (offset >= block->base &&
+ offset < block->base + block->size)
+ {
+ data_offset = offset - block->base;
+ data_len = MIN(length, block->size - data_offset);
+
+ offset += data_len;
+ length -= data_len;
+
+ DBG("update =0x%llx =%lld\n", (long long) block->data + data_offset,
+ (long long) data_len);
+ MD5_Update(&md5_context, block->data + data_offset, data_len);
+
+ md5_updated = true;
+ }
+ else if (md5_updated)
+ {
+ // non contigous block
+ DBG("undefined =%llx\n", (long long) block->base);
+ return_string(UNDEFINED);
+ }
+
+ if (block->base + block->size > offset + length)
+ break;
+ }
+
+ if (!md5_updated)
+ return_string(UNDEFINED);
+
+ MD5_Final(digest, &md5_context);
+
+ // transform the binary digest to ascii
+ for (i = 0; i < MD5_DIGEST_LENGTH; i++) {
+ sprintf(digest_ascii+(i*2), "%02x", digest[i]);
+ }
+ DBG("md5 hash result=%s\n", digest_ascii);
+ return_string(digest_ascii);
+}
+
+
+begin_declarations;
+
+declare_function("md5", "ii", "s", md5_hash)
+
+end_declarations;
+
+
+int module_initialize(
+ YR_MODULE* module)
+{
+ return ERROR_SUCCESS;
+}
+
+
+int module_finalize(
+ YR_MODULE* module)
+{
+ return ERROR_SUCCESS;
+}
+
+
+int module_load(
+ YR_SCAN_CONTEXT* context,
+ YR_OBJECT* module_object,
+ void* module_data,
+ size_t module_data_size)
+{
+
+ return ERROR_SUCCESS;
+}
+
+
+
+int module_unload(
+ YR_OBJECT* module_object)
+{
+ return ERROR_SUCCESS;
+}
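Review bot: A range that runs past the last memory block is silently truncated: the loop in md5_hash exits with `length` still positive, `md5_updated` is true, and the digest of the partial data is returned as if the whole range had been hashed. Unless partial hashes are intended, add `if (!md5_updated || length > 0) return_string(UNDEFINED);` in place of the existing `if (!md5_updated)` check after the loop, so `hash.md5(0, N)` with N beyond the data yields UNDEFINED like the non-contiguous case does. The usage comment at the top of the file also documents the function as `mdh.hash(offset, length)` while the declaration registers it as `hash.md5`; the comment should read `hash.md5(offset, length)` and fix "acepts two agurments". `#define MD5_DIGEST_LENGTH 16` duplicates the value already provided by `<openssl/md5.h>` and can be dropped.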
diff --git a/libyara/modules/module_list b/libyara/modules/module_list
index c27a21e..1c28b02 100644
--- a/libyara/modules/module_list
+++ b/libyara/modules/module_list
@@ -9,3 +9,7 @@ MODULE(cuckoo)
#ifdef MAGIC
MODULE(magic)
#endif
+
+#ifdef HASH
+MODULE(hash)
+#endif
--