[Forensics-changes] [yara] 334/407: Implement section_index_addr().

Hilko Bengen bengen at moszumanska.debian.org
Sat Jul 1 10:28:42 UTC 2017 

This is an automated email from the git hooks/post-receive script.

bengen pushed a commit to annotated tag v3.3.0
in repository yara.

commit 3b872821f5b639eefca4b36abef99953af8f7c7c
Author: Wesley Shields <wxs at atarininja.org>
Date:   Fri Jan 9 16:44:15 2015 -0500

    Implement section_index_addr().
    
    This takes an integer and will return the section index where that
    offset lives. For example:
    
    // Entry point in .data section and that section is RW and contains
    // initalized data.
    rule section_test {
      condition:
        pe.sections[pe.section_index(pe.entry_point)].name == ".data" and
        pe.sections[pe.section_index(pe.entry_point)].characteristics & (pe.SECTION_CNT_INITIALIZED_DATA | pe.SECTION_MEM_READ | pe.SECTION_MEM_WRITE) == (pe.SECTION_CNT_INITIALIZED_DATA | pe.SECTION_MEM_READ | pe.SECTION_MEM_WRITE)
    }
    
    I still need to test this against scanning a process.
---
 libyara/modules/pe.c | 36 ++++++++++++++++++++++++++++++++++--
 1 file changed, 34 insertions(+), 2 deletions(-)

diff --git a/libyara/modules/pe.c b/libyara/modules/pe.c
index c9b566d..ac1530a 100644
--- a/libyara/modules/pe.c
+++ b/libyara/modules/pe.c
@@ -1160,7 +1160,38 @@ define_function(valid_on)
 }
 
 
-define_function(section_index)
+define_function(section_index_addr)
+{
+  YR_OBJECT* module = module();
+  YR_SCAN_CONTEXT* context = scan_context();
+
+  if (is_undefined(module, "number_of_sections"))
+    return_integer(UNDEFINED);
+
+  int64_t addr = integer_argument(1);
+  int64_t n = get_integer(module, "number_of_sections");
+
+  if (context->flags & SCAN_FLAGS_PROCESS_MEMORY)
+  {
+    int64_t base_address = get_integer(module, "image_base");
+    addr += base_address;
+  }
+
+  for (int64_t i = 0; i < n; i++)
+  {
+    int64_t offset = get_integer(module, "sections[%i].raw_data_offset", i);
+    int64_t size = get_integer(module, "sections[%i].raw_data_size", i);
+
+    SIZED_STRING* sect = get_string(module, "sections[%i].name", i);
+    if (addr >= offset && addr < offset + size)
+      return_integer(i);
+  }
+
+  return_integer(UNDEFINED);
+}
+
+
+define_function(section_index_name)
 {
   YR_OBJECT* module = module();
 
@@ -1556,7 +1587,8 @@ begin_declarations;
   declare_function("imphash", "", "s", imphash);
   #endif
 
-  declare_function("section_index", "s", "i", section_index);
+  declare_function("section_index", "s", "i", section_index_name);
+  declare_function("section_index", "i", "i", section_index_addr);
   declare_function("exports", "s", "i", exports);
   declare_function("imports", "ss", "i", imports);
   declare_function("locale", "i", "i", locale);

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git

More information about the forensics-changes mailing list