[Forensics-changes] [yara] 194/407: Simplify "valid_on" function and remove "valid_before" and "valid_after"

Hilko Bengen bengen at moszumanska.debian.org
Sat Jul 1 10:28:25 UTC 2017


This is an automated email from the git hooks/post-receive script.

bengen pushed a commit to annotated tag v3.3.0
in repository yara.

commit 2f31e8985ec4f2de1ff00a258936af8ab89a5181
Author: Victor M. Alvarez <plusvic at gmail.com>
Date:   Wed Nov 5 14:26:07 2014 +0100

    Simplify "valid_on" function and remove "valid_before" and "valid_after"
---
 libyara/modules/pe.c | 95 ++++++++--------------------------------------------
 1 file changed, 14 insertions(+), 81 deletions(-)

diff --git a/libyara/modules/pe.c b/libyara/modules/pe.c
index 1b6feaa..7cb2722 100644
--- a/libyara/modules/pe.c
+++ b/libyara/modules/pe.c
@@ -1051,93 +1051,28 @@ void pe_parse_header(
 }
 
 
-// Given an integer argument, make sure the not_before comes "after" it.
-// Be inclusive in the search here.
-
-define_function(valid_after)
-{
-  int64_t time = integer_argument(1);
-
-  YR_STRUCTURE_MEMBER* member = NULL;
-  YR_OBJECT* object = NULL;
-  YR_OBJECT_STRUCTURE* parent = (YR_OBJECT_STRUCTURE*) parent();
-
-  // Walk each member of the structure looking for "not_before".
-
-  member = parent->members;
-
-  while (member)
-  {
-    object = member->object;
-
-    if (strcmp(object->identifier, "not_before") == 0)
-      return_integer(time <= ((YR_OBJECT_INTEGER*)object)->value);
-
-    member = member->next;
-  }
-
-  return_integer(0);
-}
-
-
-// Given an integer argument, make sure the not_after comes "before" it.
-// Be inclusive in the search here.
-
-define_function(valid_before)
-{
-  int64_t time = integer_argument(1);
-
-  YR_STRUCTURE_MEMBER* member = NULL;
-  YR_OBJECT* object = NULL;
-  YR_OBJECT_STRUCTURE* parent = (YR_OBJECT_STRUCTURE*) parent();
-
-  // Walk each member of the structure looking for "not_before".
-
-  member = parent->members;
-
-  while (member)
-  {
-    object = member->object;
-
-    if (strcmp(object->identifier, "not_after") == 0)
-      return_integer(time >= ((YR_OBJECT_INTEGER*) object)->value);
-
-    member = member->next;
-  }
-
-  return_integer(0);
-}
+//
+// Given a posix timestamp argument, make sure not_before <= arg <= not_after
+//
 
-// Given an integer argument, make sure not_before <= arg <= not_after
 define_function(valid_on)
 {
-  int64_t time = integer_argument(1);
-  int64_t not_before = 0;
-  int64_t not_after = 0;
-
-  YR_STRUCTURE_MEMBER* member = NULL;
-  YR_OBJECT* object = NULL;
-  YR_OBJECT_STRUCTURE* parent = (YR_OBJECT_STRUCTURE*) parent();
+  int64_t timestamp = integer_argument(1);
 
-  // Walk each member of the structure looking for "not_before".
+  YR_OBJECT_INTEGER* not_before = (YR_OBJECT_INTEGER*)
+      yr_object_lookup_field(parent(), "not_before");
 
-  member = parent->members;
+  YR_OBJECT_INTEGER* not_after = (YR_OBJECT_INTEGER*)
+      yr_object_lookup_field(parent(), "not_after");
 
-  while (member)
+  if (IS_UNDEFINED(not_before->value) ||
+      IS_UNDEFINED(not_after->value))
   {
-    object = member->object;
-
-    if (strcmp(object->identifier, "not_before") == 0)
-      not_before = ((YR_OBJECT_INTEGER*)object)->value;
-    else if (strcmp(object->identifier, "not_after") == 0)
-      not_after = ((YR_OBJECT_INTEGER*)object)->value;
-
-    if (not_before && not_after)
-      return_integer((not_before <= time) && (time <= not_after));
-
-    member = member->next;
+    return_integer(UNDEFINED);
   }
-  return_integer(0);
+
+  return_integer(timestamp >= not_before->value  &&
+                 timestamp <= not_after->value);
 }
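Review bot: The new body dereferences `not_before->value` and `not_after->value` in the IS_UNDEFINED test without first checking that `yr_object_lookup_field(parent(), ...)` returned a non-NULL object, so a failed lookup would be a NULL dereference instead of the UNDEFINED result the function otherwise produces. The two fields are declared on the same structure in the second hunk, so in practice the lookup should succeed, but the function is only as safe as that declaration staying in sync with the string literals used here. A guard placed before the IS_UNDEFINED check keeps the intended semantics: `if (not_before == NULL || not_after == NULL)` followed by `return_integer(UNDEFINED);`. It would also be worth stating in the header comment that the result is UNDEFINED, not false, when either bound is missing, since the previous implementation returned 0 in that case and rule authors may depend on the difference.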
 
 
@@ -1583,8 +1518,6 @@ begin_declarations;
     declare_string("serial");
     declare_integer("not_before");
     declare_integer("not_after");
-    declare_function("valid_after", "i", "i", valid_after);
-    declare_function("valid_before", "i", "i", valid_before);
     declare_function("valid_on", "i", "i", valid_on);
   end_struct_array("signatures");
   declare_integer("number_of_signatures");
