[Forensics-changes] [yara] 43/368: Override pe.imports().

[Hilko Bengen]

This is an automated email from the git hooks/post-receive script.

bengen pushed a commit to annotated tag v3.5.0
in repository yara.

commit a0134eaf406daa92afbdcc6900af104aaa554754
Author: Wesley Shields <wxs at atarininja.org>
Date:   Thu Sep 10 15:49:46 2015 -0400

    Override pe.imports().
    
    Sometimes you only care if a DLL is used, not a specific function from
    it. In this case you can use the new version of pe.imports() which takes
    a single string which is the DLL name.
---
 libyara/modules/pe.c | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/libyara/modules/pe.c b/libyara/modules/pe.c
index 4dcc13c..cef5dd3 100644
--- a/libyara/modules/pe.c
+++ b/libyara/modules/pe.c
@@ -1615,6 +1615,30 @@ define_function(imports)
   return_integer(0);
 }
 
+define_function(imports_dll)
+{
+  char* dll_name = string_argument(1);
+
+  YR_OBJECT* module = module();
+  PE* pe = (PE*) module->data;
+
+  if (!pe)
+    return_integer(UNDEFINED);
+
+  IMPORTED_DLL* imported_dll = pe->imported_dlls;
+
+  while (imported_dll != NULL)
+  {
+    if (strcasecmp(imported_dll->name, dll_name) == 0)
+    {
+      return_integer(1);
+    }
+
+    imported_dll = imported_dll->next;
+  }
+
+  return_integer(0);
+}
 
 define_function(locale)
 {
@@ -1816,6 +1840,7 @@ begin_declarations;
   declare_function("section_index", "i", "i", section_index_addr);
   declare_function("exports", "s", "i", exports);
   declare_function("imports", "ss", "i", imports);
+  declare_function("imports", "s", "i", imports_dll);
   declare_function("locale", "i", "i", locale);
   declare_function("language", "i", "i", language);
 

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git