[Forensics-changes] [yara] 55/368: Implement imports_ordinal().
Hilko Bengen
bengen at moszumanska.debian.org
Sat Jul 1 10:30:11 UTC 2017
bengen pushed a commit to annotated tag v3.5.0
in repository yara.
commit e301fbcef4a50a962b247c6281e5bc67b76c8f46
Author: Wesley Shields <wxs at atarininja.org>
Date: Thu Sep 17 11:38:20 2015 -0400
Implement imports_ordinal().
In pe_parse_import_descriptor() track the ordinal number used when
importing by ordinal. Store this to be used later in imports_ordinal().
Add an imports_ordinal() which takes a string (DLL name) and integer
(ordinal number). It will then walk the parsed imports looking for a
match.
This allows you to do things like:
import "pe"
rule import_test {
condition:
pe.imports("WS2_32.DLL", 3) and
pe.imports("WS2_32.DLL", "htonl") and
pe.imports("ntdll.dll") and
pe.imports("KERNEL32.DLL", "HeapAlloc")
}
Previously you would need to use pe.imports("FOO.DLL", "ord1") to check
for an import by ordinal, but it would only work for those which are not
resolved by ord_lookup(). With this change you can look by either the
resolved name (as is done in the second line above) or by the ordinal
number (as is done in the first line above).
---
libyara/modules/pe.c | 59 +++++++++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 56 insertions(+), 3 deletions(-)
diff --git a/libyara/modules/pe.c b/libyara/modules/pe.c
index 13093a8..c683d23 100644
--- a/libyara/modules/pe.c
+++ b/libyara/modules/pe.c
@@ -133,6 +133,9 @@ typedef struct _IMPORTED_DLL
typedef struct _IMPORTED_FUNCTION
{
char *name;
+ uint8_t has_ordinal;
+ uint16_t ordinal;
+
struct _IMPORTED_FUNCTION *next;
} IMPORTED_FUNCTION, *PIMPORTED_FUNCTION;
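Review bot: The new fields change the contract of `name` without saying so: once `has_ordinal` is set, both thunk loops in pe_parse_import_descriptor (the 64-bit and 32-bit hunks that change `if (name != NULL)` to `if (name != NULL || has_ordinal == 1)`) insert a node even when ord_lookup() returned NULL, so `name` may now be NULL. The struct should document that, e.g. `char *name;  /* NULL when imported by ordinal and ord_lookup() knows no name */` and `uint8_t has_ordinal;  /* nonzero when imported by ordinal; ordinal is then valid */`. The imports() function in this commit gains a NULL guard, but any other reader of `imported_func->name` elsewhere in the file (not visible here) would need the same check.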
@@ -846,6 +849,8 @@ IMPORTED_FUNCTION* pe_parse_import_descriptor(
thunks64->u1.Ordinal != 0 && num_functions < MAX_PE_IMPORTS)
{
char* name = NULL;
+ uint16_t ordinal = 0;
+ uint8_t has_ordinal = 0;
if (!(thunks64->u1.Ordinal & IMAGE_ORDINAL_FLAG64))
{
@@ -869,9 +874,12 @@ IMPORTED_FUNCTION* pe_parse_import_descriptor(
{
// If imported by ordinal. Lookup the ordinal.
name = ord_lookup(dll_name, thunks64->u1.Ordinal & 0xFFFF);
+ // Also store the ordinal.
+ ordinal = thunks64->u1.Ordinal & 0xFFFF;
+ has_ordinal = 1;
}
- if (name != NULL)
+ if (name != NULL || has_ordinal == 1)
{
IMPORTED_FUNCTION* imported_func = (IMPORTED_FUNCTION*)
yr_calloc(1, sizeof(IMPORTED_FUNCTION));
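Review bot: The masked ordinal is computed twice in the by-ordinal branch, once for ord_lookup() and once for the new `ordinal` store, which invites the two drifting apart; compute it once and pass it on: `ordinal = thunks64->u1.Ordinal & 0xFFFF;` `name = ord_lookup(dll_name, ordinal);` `has_ordinal = 1;`. The same applies to the 32-bit copy of this branch in the later hunk (`thunks32`). The `has_ordinal == 1` test can also be written as plain `has_ordinal`, matching how imports_ordinal() reads the flag. The enclosing loop starts and ends outside this hunk.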
@@ -880,6 +888,8 @@ IMPORTED_FUNCTION* pe_parse_import_descriptor(
continue;
imported_func->name = name;
+ imported_func->ordinal = ordinal;
+ imported_func->has_ordinal = has_ordinal;
imported_func->next = NULL;
if (head == NULL)
@@ -903,6 +913,8 @@ IMPORTED_FUNCTION* pe_parse_import_descriptor(
thunks32->u1.Ordinal != 0 && num_functions < MAX_PE_IMPORTS)
{
char* name = NULL;
+ uint16_t ordinal = 0;
+ uint8_t has_ordinal = 0;
if (!(thunks32->u1.Ordinal & IMAGE_ORDINAL_FLAG32))
{
@@ -926,9 +938,12 @@ IMPORTED_FUNCTION* pe_parse_import_descriptor(
{
// If imported by ordinal. Lookup the ordinal.
name = ord_lookup(dll_name, thunks32->u1.Ordinal & 0xFFFF);
+ // Also store the ordinal.
+ ordinal = thunks32->u1.Ordinal & 0xFFFF;
+ has_ordinal = 1;
}
- if (name != NULL)
+ if (name != NULL || has_ordinal == 1)
{
IMPORTED_FUNCTION* imported_func = (IMPORTED_FUNCTION*)
yr_calloc(1, sizeof(IMPORTED_FUNCTION));
@@ -937,6 +952,8 @@ IMPORTED_FUNCTION* pe_parse_import_descriptor(
continue;
imported_func->name = name;
+ imported_func->ordinal = ordinal;
+ imported_func->has_ordinal = has_ordinal;
imported_func->next = NULL;
if (head == NULL)
@@ -1602,7 +1619,42 @@ define_function(imports)
while (imported_func != NULL)
{
- if (strcasecmp(imported_func->name, function_name) == 0)
+ if (imported_func->name &&
+ strcasecmp(imported_func->name, function_name) == 0)
+ return_integer(1);
+
+ imported_func = imported_func->next;
+ }
+ }
+
+ imported_dll = imported_dll->next;
+ }
+
+ return_integer(0);
+}
+
+define_function(imports_ordinal)
+{
+ char* dll_name = string_argument(1);
+ uint64_t ordinal = integer_argument(2);
+
+ YR_OBJECT* module = module();
+ PE* pe = (PE*) module->data;
+
+ if (!pe)
+ return_integer(UNDEFINED);
+
+ IMPORTED_DLL* imported_dll = pe->imported_dlls;
+
+ while (imported_dll != NULL)
+ {
+ if (strcasecmp(imported_dll->name, dll_name) == 0)
+ {
+ IMPORTED_FUNCTION* imported_func = imported_dll->functions;
+
+ while (imported_func != NULL)
+ {
+ if (imported_func->has_ordinal && imported_func->ordinal == ordinal)
return_integer(1);
imported_func = imported_func->next;
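Review bot: imports_ordinal() has no header comment, and its comparison mixes widths: `ordinal` is a `uint64_t` taken from `integer_argument(2)` while `imported_func->ordinal` is a `uint16_t`, so a negative or out-of-range rule argument wraps to a large unsigned value and silently never matches instead of being reported. A short comment above the function should state both the contract and that limit, e.g. `// Returns 1 if dll_name imports the given ordinal by ordinal (name lookups use imports(ss)); values outside 1..0xFFFF never match.` An explicit early `if (ordinal > 0xFFFF) return_integer(0);` would make the intent visible to readers. The start of the preceding imports() function lies outside this hunk.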
@@ -1840,6 +1892,7 @@ begin_declarations;
declare_function("section_index", "i", "i", section_index_addr);
declare_function("exports", "s", "i", exports);
declare_function("imports", "ss", "i", imports);
+ declare_function("imports", "si", "i", imports_ordinal);
declare_function("imports", "s", "i", imports_dll);
declare_function("locale", "i", "i", locale);
declare_function("language", "i", "i", language);
--