[Forensics-changes] [yara] 197/407: Implement functions sha1 and sha256 in "hash" module

Hilko Bengen bengen at moszumanska.debian.org
Sat Jul 1 10:28:25 UTC 2017



bengen pushed a commit to annotated tag v3.3.0
in repository yara.

commit 0cd95ae4cdecb8b0f14f5991a7ad5cbc1414bfad
Author: Victor M. Alvarez <plusvic at gmail.com>
Date:   Wed Nov 5 16:36:31 2014 +0100

    Implement functions sha1 and sha256 in "hash" module
---
 configure.ac           |   1 +
 libyara/modules/hash.c | 178 +++++++++++++++++++++++++++++++++++++------------
 2 files changed, 138 insertions(+), 41 deletions(-)

diff --git a/configure.ac b/configure.ac
index e9e00cf..32a26e8 100644
--- a/configure.ac
+++ b/configure.ac
@@ -72,6 +72,7 @@ AC_ARG_WITH([crypto],
     ],
     [
       build_hash_module=true
+      AC_DEFINE([HASH], [1], [enable hash module])
     ])
 
 ACX_PTHREAD(
diff --git a/libyara/modules/hash.c b/libyara/modules/hash.c
index bfe1fd7..2a24f61 100644
--- a/libyara/modules/hash.c
+++ b/libyara/modules/hash.c
@@ -12,30 +12,11 @@ distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
-
-
-
-MD5 Modules usage acepts two agurments offset and length
-
-mdh.hash(offset, length)
-
-# to hash the entire file
-mdh.hash(0, filesize)
-
-
-#example below checking empty hash
-import "hash"
-
-rule hash_test
-{
-    condition:
-        hash.md5(0,0) == "d41d8cd98f00b204e9800998ecf8427e"
-}
-
 */
 
 #include <stdbool.h>
 #include <openssl/md5.h>
+#include <openssl/sha.h>
 
 #if _WIN32
 #define PRIu64 "%I64d"
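Review bot: The header comment loses its only description of the module's calling convention (the `offset, length` arguments and the md5(0,0) example) while nothing documents the sha1 and sha256 functions this commit adds, so a reader of hash.c now has to infer the argument semantics from the code. A short replacement after the license block, e.g. `/* hash.md5 / hash.sha1 / hash.sha256(offset, length): hex digest of the bytes in [offset, offset+length); undefined when that range is not covered by contiguous memory blocks */`, would keep that knowledge in the file.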
@@ -48,16 +29,6 @@ rule hash_test
 
 #define MODULE_NAME hash
 
-#ifdef HASH_DEBUG
-#define DBG(FMT, ...) \
-    fprintf(stderr, "%s:%d: " FMT, __FUNCTION__, __LINE__, __VA_ARGS__); \
-
-#else
-#define DBG(FMT, ... )
-#endif
-
-#define MD5_DIGEST_LENGTH 16
-
 
 define_function(md5_hash)
 {
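Review bot: With the `DBG` macro deleted here, the `#if _WIN32` / `#define PRIu64 "%I64d"` block that survives just above this hunk appears to have no remaining user in hash.c, since the DBG calls removed in the later hunks were the only visible places formatting with PRIu64/PRIx64. If nothing outside the shown hunks uses it, that conditional define should be removed in the same commit rather than left as dead configuration.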
@@ -73,8 +44,6 @@ define_function(md5_hash)
   char digest_ascii[MD5_DIGEST_LENGTH * 2 + 1];
   bool md5_updated = false;
 
-  DBG("offset=%" PRIx64 ", length=%" PRIu64 "\n", offset, length);
-
   MD5_Init(&md5_context);
 
   if (offset < 0 || length < 0 || offset < context->mem_block->base)
@@ -85,6 +54,7 @@ define_function(md5_hash)
   foreach_memory_block(context, block)
   {
     // if desired block within current block
+
     if (offset >= block->base &&
         offset < block->base + block->size)
     {
@@ -94,10 +64,6 @@ define_function(md5_hash)
       offset += data_len;
       length -= data_len;
 
-      DBG("update data=%p length=%" PRIu64 "\n",
-          block->data + data_offset,
-          data_len);
-
       MD5_Update(&md5_context, block->data + data_offset, data_len);
 
       md5_updated = true;
@@ -105,8 +71,6 @@ define_function(md5_hash)
     else if (md5_updated)
     {
       // non contigous block
-      DBG("undefined =%zu\n", block->base);
-
       return_string(UNDEFINED);
     }
 
@@ -120,21 +84,153 @@ define_function(md5_hash)
   MD5_Final(digest, &md5_context);
 
   // transform the binary digest to ascii
+
   for (int i = 0; i < MD5_DIGEST_LENGTH; i++)
   {
     sprintf(digest_ascii + (i * 2), "%02x", digest[i]);
   }
 
-  digest_ascii[32] = '\0';
+  digest_ascii[MD5_DIGEST_LENGTH * 2] = '\0';
+
+  return_string(digest_ascii);
+}
+
+
+define_function(sha1_hash)
+{
+  int64_t offset = integer_argument(1);   // offset where to start
+  int64_t length = integer_argument(2);   // length of bytes we want hash on
+
+  YR_SCAN_CONTEXT*  context = scan_context();
+  YR_MEMORY_BLOCK* block = NULL;
+
+  SHA_CTX sha_context;
+
+  unsigned char digest[SHA_DIGEST_LENGTH];
+  char digest_ascii[SHA_DIGEST_LENGTH * 2 + 1];
+  bool sha_updated = false;
+
+  SHA1_Init(&sha_context);
+
+  if (offset < 0 || length < 0 || offset < context->mem_block->base)
+  {
+    return ERROR_WRONG_ARGUMENTS;
+  }
+
+  foreach_memory_block(context, block)
+  {
+    // if desired block within current block
+    if (offset >= block->base &&
+        offset < block->base + block->size)
+    {
+      uint64_t data_offset = offset - block->base;
+      uint64_t data_len = min(length, block->size - data_offset);
+
+      offset += data_len;
+      length -= data_len;
+
+      SHA1_Update(&sha_context, block->data + data_offset, data_len);
+
+      sha_updated = true;
+    }
+    else if (sha_updated)
+    {
+      // non-contigous
+      return_string(UNDEFINED);
+    }
+
+    if (block->base + block->size > offset + length)
+      break;
+  }
+
+  if (!sha_updated)
+    return_string(UNDEFINED);
+
+  SHA1_Final(digest, &sha_context);
+
+  // transform the binary digest to ascii
+
+  for (int i = 0; i < SHA_DIGEST_LENGTH; i++)
+  {
+    sprintf(digest_ascii + (i * 2), "%02x", digest[i]);
+  }
+
+  digest_ascii[SHA_DIGEST_LENGTH * 2] = '\0';
+
+  return_string(digest_ascii);
+}
+
+
+define_function(sha256_hash)
+{
+  int64_t offset = integer_argument(1);   // offset where to start
+  int64_t length = integer_argument(2);   // length of bytes we want hash on
+
+  YR_SCAN_CONTEXT*  context = scan_context();
+  YR_MEMORY_BLOCK* block = NULL;
+
+  SHA256_CTX sha256_context;
+
+  unsigned char digest[SHA256_DIGEST_LENGTH];
+  char digest_ascii[SHA256_DIGEST_LENGTH * 2 + 1];
+  bool sha256_updated = false;
+
+  SHA256_Init(&sha256_context);
+
+  if (offset < 0 || length < 0 || offset < context->mem_block->base)
+  {
+    return ERROR_WRONG_ARGUMENTS;
+  }
+
+  foreach_memory_block(context, block)
+  {
+    // if desired block within current block
+    if (offset >= block->base &&
+        offset < block->base + block->size)
+    {
+      uint64_t data_offset = offset - block->base;
+      uint64_t data_len = min(length, block->size - data_offset);
+
+      offset += data_len;
+      length -= data_len;
+
+      SHA256_Update(&sha256_context, block->data + data_offset, data_len);
+
+      sha256_updated = true;
+    }
+    else if (sha256_updated)
+    {
+      // non-contigous
+      return_string(UNDEFINED);
+    }
+
+    if (block->base + block->size > offset + length)
+      break;
+  }
+
+  if (!sha256_updated)
+    return_string(UNDEFINED);
+
+  SHA256_Final(digest, &sha256_context);
+
+  // transform the binary digest to ascii
+
+  for (int i = 0; i < SHA256_DIGEST_LENGTH; i++)
+  {
+    sprintf(digest_ascii + (i * 2), "%02x", digest[i]);
+  }
+
+  digest_ascii[SHA256_DIGEST_LENGTH * 2] = '\0';
 
-  DBG("md5 hash result=%s\n", digest_ascii);
   return_string(digest_ascii);
 }
 
 
 begin_declarations;
 
-  declare_function("md5", "ii", "s", md5_hash)
+  declare_function("md5", "ii", "s", md5_hash);
+  declare_function("sha1", "ii", "s", sha1_hash);
+  declare_function("sha256", "ii", "s", sha256_hash)
 
 end_declarations;
 
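Review bot: The loop-termination test `if (block->base + block->size > offset + length)` in the new sha1_hash and sha256_hash (and in md5_hash, whose body starts outside this hunk and which they are copied from) adds two caller-supplied int64_t values after only checking each for being non-negative, so a rule passing a length near INT64_MAX makes `offset + length` overflow, which is undefined behaviour in C and leaves the comparison unreliable. Reject that case up front in all three functions by extending the argument check to `if (offset < 0 || length < 0 || length > INT64_MAX - offset || offset < context->mem_block->base)`. Beyond that, the two new functions are line-for-line copies of md5_hash apart from the SHA_CTX/SHA1_*/SHA256_* calls and digest sizes; a static helper that walks the memory blocks and invokes an update callback would leave one copy of the contiguity logic to maintain. The declaration run is also inconsistent: `declare_function("sha256", "ii", "s", sha256_hash)` lacks the trailing semicolon the two lines above it carry, which presumably compiles only because the macro expands to a block.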
