[Forensics-changes] [yara] 134/368: Add is_dll(), is_3bit() and is_64bit() to pe.

Hilko Bengen bengen at moszumanska.debian.org
Sat Jul 1 10:30:20 UTC 2017 

This is an automated email from the git hooks/post-receive script.

bengen pushed a commit to annotated tag v3.5.0
in repository yara.

commit 3e519e6cff210e9d7e7873fbb87699be5ffdb498
Author: Wesley Shields <wxs at atarininja.org>
Date:   Thu Jan 7 21:27:28 2016 -0500

    Add is_dll(), is_3bit() and is_64bit() to pe.
    
    I've fielded questions from a handful of people on how to do this and while it
    is easy it could be easier if we just provided some convenience functions to do
    this.
---
 libyara/modules/pe.c | 40 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)

diff --git a/libyara/modules/pe.c b/libyara/modules/pe.c
index ea388d1..6584b2c 100644
--- a/libyara/modules/pe.c
+++ b/libyara/modules/pe.c
@@ -1860,6 +1860,43 @@ define_function(language)
 }
 
 
+define_function(is_dll)
+{
+  int64_t characteristics;
+  YR_OBJECT* module = module();
+
+  if (is_undefined(module, "characteristics"))
+    return_integer(UNDEFINED);
+
+  characteristics = get_integer(module, "characteristics");
+  return_integer(characteristics & IMAGE_FILE_DLL);
+}
+
+
+define_function(is_32bit)
+{
+  YR_OBJECT* module = module();
+  PE* pe = module->data;
+
+  if (pe == NULL)
+    return_integer(UNDEFINED);
+
+  return_integer(IS_64BITS_PE(pe) ? 0 : 1);
+}
+
+
+define_function(is_64bit)
+{
+  YR_OBJECT* module = module();
+  PE* pe = module->data;
+
+  if (pe == NULL)
+    return_integer(UNDEFINED);
+
+  return_integer(IS_64BITS_PE(pe) ? 1 : 0);
+}
+
+
 static uint64_t rich_internal(
     YR_OBJECT* module, 
     uint64_t version, 
@@ -2102,6 +2139,9 @@ begin_declarations;
   declare_function("imports", "s", "i", imports_dll);
   declare_function("locale", "i", "i", locale);
   declare_function("language", "i", "i", language);
+  declare_function("is_dll", "", "i", is_dll);
+  declare_function("is_32bit", "", "i", is_32bit);
+  declare_function("is_64bit", "", "i", is_64bit);
 
   declare_integer("resource_timestamp");
   

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git

More information about the forensics-changes mailing list