[Forensics-changes] [yara] 172/407: Implement valid_before() and valid_after().

Hilko Bengen bengen at moszumanska.debian.org
Sat Jul 1 10:28:22 UTC 2017


This is an automated email from the git hooks/post-receive script.

bengen pushed a commit to annotated tag v3.3.0
in repository yara.

commit c8f03ac6eaff76a05c03cfaeae1267338fde836a
Author: Wesley Shields <wxs at atarininja.org>
Date:   Fri Oct 31 00:11:48 2014 -0400

    Implement valid_before() and valid_after().
---
 libyara/modules/pe.c | 45 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)

diff --git a/libyara/modules/pe.c b/libyara/modules/pe.c
index 607b118..31ef736 100644
--- a/libyara/modules/pe.c
+++ b/libyara/modules/pe.c
@@ -2644,6 +2644,49 @@ void pe_parse_header(
   }
 }
 
+
+// Given an integer argument, make sure the not_before comes "after" it.
+// Be inclusive in the search here.
+define_function(valid_after)
+{
+  int64_t time = integer_argument(1);
+  YR_STRUCTURE_MEMBER* member = NULL;
+  YR_OBJECT* object = NULL;
+  YR_OBJECT_STRUCTURE* parent = (YR_OBJECT_STRUCTURE*) parent();
+  // Walk each member of the structure looking for "not_before".
+  member = parent->members;
+  while (member)
+  {
+    object = member->object;
+    if (strcmp(object->identifier, "not_before") == 0)
+      return_integer(time <= ((YR_OBJECT_INTEGER*)object)->value);
+    member = member->next;
+  }
+  return_integer(0);
+}
+
+
+// Given an integer argument, make sure the not_after comes "before" it.
+// Be inclusive in the search here.
+define_function(valid_before)
+{
+  int64_t time = integer_argument(1);
+  YR_STRUCTURE_MEMBER* member = NULL;
+  YR_OBJECT* object = NULL;
+  YR_OBJECT_STRUCTURE* parent = (YR_OBJECT_STRUCTURE*) parent();
+  // Walk each member of the structure looking for "not_before".
+  member = parent->members;
+  while (member)
+  {
+    object = member->object;
+    if (strcmp(object->identifier, "not_after") == 0)
+      return_integer(time >= ((YR_OBJECT_INTEGER*)object)->value);
+    member = member->next;
+  }
+  return_integer(0);
+}
+
+
 define_function(section_index)
 {
   YR_OBJECT* module = module();
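Review bot: The walk comment in valid_before is copied from valid_after and names the wrong field — the loop below it compares against "not_after", so it should read `// Walk each member of the structure looking for "not_after".` Both functions also cast the matched member to `YR_OBJECT_INTEGER*` on the strength of its identifier alone, without checking `object->type` first; a type check before the cast, or a lookup through the module's integer accessor if this version of the object API provides one, would make the comparison robust against a differently typed member (I have not confirmed which accessors exist at this revision). The local `int64_t time` shadows the libc `time()` function in both functions and will trip `-Wshadow`; a name such as `ts` avoids it. It is also worth documenting in each header comment what the function returns when the signature lacks the field or the field was never set, since `return_integer(0)` on a missing member is indistinguishable from a genuine "not valid" result.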
@@ -3086,6 +3129,8 @@ begin_declarations;
     declare_string("serial");
     declare_integer("not_before");
     declare_integer("not_after");
+    declare_function("valid_after", "i", "i", valid_after);
+    declare_function("valid_before", "i", "i", valid_before);
   end_struct_array("signatures");
   declare_integer("number_of_signatures");
   #endif
