[Forensics-changes] [yara] 337/407: Use virtual_address and virtual_size when scanning memory.

Hilko Bengen bengen at moszumanska.debian.org
Sat Jul 1 10:28:42 UTC 2017



bengen pushed a commit to annotated tag v3.3.0
in repository yara.

commit b3d1df45ee46848b56ad185a3b8b55385d324940
Author: Wesley Shields <wxs at atarininja.org>
Date:   Sat Jan 10 14:21:18 2015 -0500

    Use virtual_address and virtual_size when scanning memory.
---
 libyara/modules/pe.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/libyara/modules/pe.c b/libyara/modules/pe.c
index e1c95c8..8ee3954 100644
--- a/libyara/modules/pe.c
+++ b/libyara/modules/pe.c
@@ -1164,6 +1164,8 @@ define_function(section_index_addr)
 {
   YR_OBJECT* module = module();
   YR_SCAN_CONTEXT* context = scan_context();
+  int64_t offset;
+  int64_t size;
 
   if (is_undefined(module, "number_of_sections"))
     return_integer(UNDEFINED);
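Review bot: Hoisting `offset` and `size` to the top of section_index_addr is a style regression in a file that already uses C99 block-scoped declarations (the loop below declares `int64_t i` in its `for` header). Keeping them inside the loop body, initialised on each path, keeps the values in the smallest scope and avoids a stale-value read should a future edit add a branch that sets only one of them. Declare them at their first assignment inside the loop instead, e.g. `int64_t offset, size;` as the first loop statement, or initialise them here (`int64_t offset = 0; int64_t size = 0;`) if they must stay at function scope. The body of section_index_addr continues past this hunk.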
@@ -1173,8 +1175,16 @@ define_function(section_index_addr)
 
   for (int64_t i = 0; i < n; i++)
   {
-    int64_t offset = get_integer(module, "sections[%i].raw_data_offset", i);
-    int64_t size = get_integer(module, "sections[%i].raw_data_size", i);
+    if (context->flags & SCAN_FLAGS_PROCESS_MEMORY)
+    {
+      offset = get_integer(module, "sections[%i].virtual_address", i);
+      size = get_integer(module, "sections[%i].virtual_size", i);
+    }
+    else
+    {
+      offset = get_integer(module, "sections[%i].raw_data_offset", i);
+      size = get_integer(module, "sections[%i].raw_data_size", i);
+    }
 
     if (addr >= offset && addr < offset + size)
       return_integer(i);
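Review bot: The process-memory branch takes `sections[%i].virtual_size` verbatim, and a section whose VirtualSize field is 0 would then never match any address, even though (as far as I recall the Windows loader) such a section is still mapped using its SizeOfRawData; confirm against the loader behaviour the pe module targets. If that is intended to be handled, fall back in the new branch with `if (size == 0) size = get_integer(module, "sections[%i].raw_data_size", i);`. The branch also deserves a one-line comment stating what `addr` is compared against, since the two modes differ: `/* in process memory compare against RVAs (image-relative); on disk against file offsets */`, so rule authors know which kind of address to pass. Neither branch checks the per-section values for UNDEFINED before the `offset + size` arithmetic, which is pre-existing but now applies to two more fields sourced from attacker-controlled headers.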
