[Forensics-changes] [yara] 192/368: Adding a block iterator concept to yr_rules_scan_mem_blocks Abstraction to fetch blocks from a linked list of blocks or a section reader Needed new type YR_BLOCK_READER to keep state in the case of the linked list
Hilko Bengen
bengen at moszumanska.debian.org
Sat Jul 1 10:30:39 UTC 2017
This is an automated email from the git hooks/post-receive script.
bengen pushed a commit to annotated tag v3.5.0
in repository yara.
commit 08f6ccb0265c5a9fbf7bf89b968f3bbe76b49f0f
Author: Kyle Reed <kallanreed at outlook.com>
Date: Sun Feb 21 21:13:52 2016 -0800
Adding a block iterator concept to yr_rules_scan_mem_blocks
Abstraction to fetch blocks from a linked list of blocks or a section reader
Needed new type YR_BLOCK_READER to keep state in the case of the linked list
Signed-off-by: Kyle Reed <kallanreed at outlook.com>
---
libyara/include/yara/types.h | 11 +++
libyara/proc.c | 166 +++++++++++++++++++++++--------------------
libyara/rules.c | 93 +++++++++++++++++-------
3 files changed, 169 insertions(+), 101 deletions(-)
diff --git a/libyara/include/yara/types.h b/libyara/include/yara/types.h
index c33d370..50e9381 100644
--- a/libyara/include/yara/types.h
+++ b/libyara/include/yara/types.h
@@ -373,6 +373,13 @@ typedef struct _YR_MEMORY_BLOCK
} YR_MEMORY_BLOCK;
+typedef struct _YR_BLOCK_READER
+{
+ YR_MEMORY_BLOCK* current;
+ YR_MEMORY_BLOCK* blocks;
+
+} YR_BLOCK_READER;
+
typedef struct _YR_MEMORY_SECTION
{
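Review bot: The new `YR_BLOCK_READER` struct carries no comment describing its iteration state, and the protocol is only discoverable from `_yr_block_reader_next_block` in rules.c: `current` must start as NULL, the first call sets it to `blocks`, and later calls follow `->next` until it becomes NULL. I would add above the typedef: `// Cursor over a YR_MEMORY_BLOCK linked list for use with YR_BLOCK_ITERATOR; set current = NULL and blocks = list head before the first call`. Stating the required initial state here saves each caller (both yr_rules_scan_mem and yr_rules_scan_proc set the two fields by hand) from having to infer it.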
@@ -393,6 +400,10 @@ typedef struct _YR_SECTION_READER
} YR_SECTION_READER;
+typedef int (*YR_BLOCK_ITERATOR)(
+ void* reader,
+ YR_MEMORY_BLOCK** block);
+
typedef int (*YR_CALLBACK_FUNC)(
int message,
void* message_data,
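Review bot: `YR_BLOCK_ITERATOR` is a public callback type with no documented contract, and both implementations in this commit rely on the same unstated convention: return ERROR_SUCCESS with `*block` set to NULL when no blocks remain, and set `*block` to NULL alongside any non-success return. I would document that above the typedef, e.g. `// Fetches the next block from reader. ERROR_SUCCESS with *block == NULL marks the end of the sequence; any other return is an error and *block is NULL`. It is also worth stating who owns the returned block, since the section-reader implementation frees the previous block on the next call while the linked-list iterator never frees anything.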
diff --git a/libyara/proc.c b/libyara/proc.c
index ad7a548..a71ed78 100644
--- a/libyara/proc.c
+++ b/libyara/proc.c
@@ -23,7 +23,7 @@ limitations under the License.
#include <yara/proc.h>
-int _attach_process(
+int _yr_attach_process(
int pid,
void** hProcess)
{
@@ -61,7 +61,7 @@ int _attach_process(
return ERROR_SUCCESS;
}
-int _detach_process(
+int _yr_detach_process(
void* hProcess)
{
if (hProcess != NULL)
@@ -70,7 +70,7 @@ int _detach_process(
return ERROR_SUCCESS;
}
-int _get_sections(
+int _yr_get_sections(
void* hProcess,
YR_SECTION_READER* reader)
{
@@ -116,7 +116,8 @@ int _get_sections(
return result;
}
-int _read_section(
+
+int _yr_read_section(
void* hProcess,
YR_MEMORY_SECTION* section,
YR_MEMORY_BLOCK** block)
@@ -163,79 +164,6 @@ error:
return result;
}
-int yr_open_section_reader(
- int pid,
- YR_SECTION_READER** reader)
-{
- *reader = (YR_SECTION_READER*)yr_malloc(sizeof(YR_SECTION_READER));
-
- int result = _attach_process(pid, &(*reader)->context);
-
- result = _get_sections((*reader)->context, *reader);
-
- return result;
-}
-
-int yr_read_next_section(
- YR_SECTION_READER* reader)
-{
- int result = ERROR_SUCCESS;
-
- // free the previous memory block
- if (reader->block != NULL)
- {
- yr_free(reader->block->data);
- yr_free(reader->block);
- reader->block = NULL;
- }
-
- // set current to first or next
- if(reader->current == NULL)
- reader->current = reader->sections;
- else
- reader->current = reader->current->next;
-
- if (reader->current == NULL)
- return ERROR_SECTION_READER_COMPLETE;
-
- result = _read_section(
- reader->context,
- reader->current,
- &reader->block);
-
- return result;
-}
-
-void yr_close_section_reader(
- YR_SECTION_READER* reader)
-{
- YR_MEMORY_SECTION* current;
- YR_MEMORY_SECTION* next;
-
- _detach_process(reader->context);
-
- // free the list of sections
- current = reader->sections;
-
- while (current != NULL)
- {
- next = current->next;
-
- yr_free(current);
-
- current = next;
- }
-
- // free the memory block
- if (reader->block != NULL)
- {
- yr_free(reader->block->data);
- yr_free(reader->block);
- }
-
- // free the reader
- yr_free(reader);
-}
int yr_process_get_memory(
@@ -599,3 +527,87 @@ _exit:
#endif
#endif
+
+// section reader abstraction
+
+int yr_open_section_reader(
+ int pid,
+ YR_SECTION_READER** reader)
+{
+ *reader = (YR_SECTION_READER*)yr_malloc(sizeof(YR_SECTION_READER));
+
+ (*reader)->block = NULL;
+ (*reader)->current = NULL;
+
+ int result = _yr_attach_process(pid, &(*reader)->context);
+
+ result = _yr_get_sections((*reader)->context, *reader);
+
+ return result;
+}
+
+int yr_read_next_section(
+ YR_SECTION_READER* reader)
+{
+ int result = ERROR_SUCCESS;
+
+ // free the previous memory block
+ if (reader->block != NULL)
+ {
+ yr_free(reader->block->data);
+ yr_free(reader->block);
+ reader->block = NULL;
+ }
+
+ do {
+ // set current to first or next
+ if (reader->current == NULL)
+ reader->current = reader->sections;
+ else
+ reader->current = reader->current->next;
+
+ if (reader->current == NULL) break;
+
+ result = _yr_read_section(
+ reader->context,
+ reader->current,
+ &reader->block);
+
+ if (result != ERROR_SUCCESS) break;
+
+ } while (reader->block == NULL);
+
+ return result;
+}
+
+void yr_close_section_reader(
+ YR_SECTION_READER* reader)
+{
+ YR_MEMORY_SECTION* current;
+ YR_MEMORY_SECTION* next;
+
+ // NOTE: detach is responsible for freeing any allocated context
+ _yr_detach_process(reader->context);
+
+ // free the list of sections
+ current = reader->sections;
+
+ while (current != NULL)
+ {
+ next = current->next;
+
+ yr_free(current);
+
+ current = next;
+ }
+
+ // free the memory block
+ if (reader->block != NULL)
+ {
+ yr_free(reader->block->data);
+ yr_free(reader->block);
+ }
+
+ // free the reader
+ yr_free(reader);
+}
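Review bot: In `yr_open_section_reader` the return value of `_yr_attach_process` is overwritten by the `_yr_get_sections` call without ever being checked, so an attach failure is lost and `_yr_get_sections` runs on a context that was never established; the `yr_malloc` result is likewise dereferenced with no NULL check. The fix is to return early on either failure and to initialise `context` and `sections` to NULL along with `block` and `current`, so that `yr_close_section_reader` — which `yr_rules_scan_proc2` still calls on the allocated reader after a failed open — walks an empty section list and hands `_yr_detach_process` a NULL context rather than whatever `yr_malloc` left in those fields (this assumes `_yr_attach_process` and `_yr_get_sections` only assign their outputs on success, which the hunks above do not show). The same lost-result pattern was in the copy removed from the top of the file; moving the function did not address it.
```c
int yr_open_section_reader(
    int pid,
    YR_SECTION_READER** reader)
{
  *reader = (YR_SECTION_READER*)yr_malloc(sizeof(YR_SECTION_READER));

  if (*reader == NULL)
    return ERROR_INSUFICIENT_MEMORY;

  // NULL every field up front so yr_close_section_reader is safe to call
  // on a reader whose open failed part-way through.
  (*reader)->block = NULL;
  (*reader)->current = NULL;
  (*reader)->sections = NULL;
  (*reader)->context = NULL;

  int result = _yr_attach_process(pid, &(*reader)->context);

  if (result != ERROR_SUCCESS)
    return result;

  return _yr_get_sections((*reader)->context, *reader);
}

// … unchanged: yr_read_next_section, yr_close_section_reader …
```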
diff --git a/libyara/rules.c b/libyara/rules.c
index 8ba94f3..51f7a56 100644
--- a/libyara/rules.c
+++ b/libyara/rules.c
@@ -308,12 +308,43 @@ int _yr_rules_scan_mem_block(
return ERROR_SUCCESS;
}
-// TODO: break up this function
-// into one that take a context
+int _yr_section_reader_next_block(
+ void* section_reader,
+ YR_MEMORY_BLOCK** block)
+{
+ YR_SECTION_READER* reader = (YR_SECTION_READER*)section_reader;
+
+ int result = yr_read_next_section(reader);
+
+ if (result == ERROR_SUCCESS)
+ *block = reader->block;
+ else
+ *block = NULL;
+
+ return result;
+}
+
+int _yr_block_reader_next_block(
+ void* block_reader,
+ YR_MEMORY_BLOCK** block)
+{
+ YR_BLOCK_READER* reader = (YR_BLOCK_READER*)block_reader;
+
+ if (reader->current == NULL)
+ reader->current = reader->blocks;
+ else
+ reader->current = reader->current->next;
+
+ *block = reader->current;
+
+ return ERROR_SUCCESS;
+}
+
YR_API int yr_rules_scan_mem_blocks(
YR_RULES* rules,
- YR_MEMORY_BLOCK* block,
+ YR_BLOCK_ITERATOR next_block,
+ void* block_reader,
int flags,
YR_CALLBACK_FUNC callback,
void* user_data,
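Review bot: `_yr_section_reader_next_block` and `_yr_block_reader_next_block` are file-local helpers (their only uses are the `&_yr_..._next_block` arguments later in this file) yet are defined with external linkage; they should be `static int` so they do not become exported symbols of the library, and each deserves a one-line comment naming the concrete reader type its `void*` is cast to, since nothing can detect a mismatched iterator/reader pair at runtime. Separately, this hunk changes the parameter list of the `YR_API` function `yr_rules_scan_mem_blocks` from a block pointer to an iterator plus opaque reader; if that entry point is part of the stable public interface, external callers will break at compile time, and a compatibility wrapper that builds a `YR_BLOCK_READER` over the given list (as `yr_rules_scan_mem` now does) would keep them working. The body of yr_rules_scan_mem_blocks continues beyond this hunk.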
@@ -322,6 +353,7 @@ YR_API int yr_rules_scan_mem_blocks(
YR_EXTERNAL_VARIABLE* external;
YR_RULE* rule;
YR_SCAN_CONTEXT context;
+ YR_MEMORY_BLOCK* block;
time_t start_time;
tidx_mask_t bit = 1;
@@ -329,6 +361,13 @@ YR_API int yr_rules_scan_mem_blocks(
int tidx = 0;
int result = ERROR_SUCCESS;
+ result = next_block(
+ block_reader,
+ &block);
+
+ if (result != ERROR_SUCCESS)
+ return result;
+
if (block == NULL)
return ERROR_SUCCESS;
@@ -434,7 +473,12 @@ YR_API int yr_rules_scan_mem_blocks(
if (result != ERROR_SUCCESS)
goto _exit;
- block = block->next;
+ result = next_block(
+ block_reader,
+ &block);
+
+ if (result != ERROR_SUCCESS)
+ goto _exit;
}
YR_TRYCATCH({
@@ -526,15 +570,20 @@ YR_API int yr_rules_scan_mem(
int timeout)
{
YR_MEMORY_BLOCK block;
+ YR_BLOCK_READER reader;
block.data = buffer;
block.size = buffer_size;
block.base = 0;
block.next = NULL;
+ reader.current = NULL;
+ reader.blocks = █
+
return yr_rules_scan_mem_blocks(
rules,
- &block,
+ &_yr_block_reader_next_block,
+ &reader,
flags,
callback,
user_data,
@@ -611,13 +660,18 @@ YR_API int yr_rules_scan_proc(
YR_MEMORY_BLOCK* first_block;
YR_MEMORY_BLOCK* next_block;
YR_MEMORY_BLOCK* block;
+ YR_BLOCK_READER reader;
int result = yr_process_get_memory(pid, &first_block);
+ reader.current = NULL;
+ reader.blocks = first_block;
+
if (result == ERROR_SUCCESS)
result = yr_rules_scan_mem_blocks(
rules,
- first_block,
+ &_yr_block_reader_next_block,
+ &reader,
flags | SCAN_FLAGS_PROCESS_MEMORY,
callback,
user_data,
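Review bot: `reader.blocks = first_block;` runs before `result` from `yr_process_get_memory` is examined, so when that call fails, `first_block` (declared without an initialiser a few lines up) may be copied while indeterminate — harmless in practice because the scan is skipped, but still a read of an uninitialised object unless yr_process_get_memory always assigns it. Moving the two `reader.*` assignments inside the `if (result == ERROR_SUCCESS)` branch, or writing `YR_MEMORY_BLOCK* first_block = NULL;` at the declaration, removes the question. The remainder of yr_rules_scan_proc lies outside this hunk.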
@@ -650,25 +704,16 @@ YR_API int yr_rules_scan_proc2(
int result = yr_open_section_reader(pid, &reader);
- if (result != ERROR_SUCCESS)
- goto _exit;
-
- while ((result = yr_read_next_section(reader)) == ERROR_SUCCESS)
- {
- if(reader->block != NULL)
- result = yr_rules_scan_mem_blocks(
- rules,
- reader->block,
- flags | SCAN_FLAGS_PROCESS_MEMORY,
- callback,
- user_data,
- timeout);
- }
-
- if (result == ERROR_SECTION_READER_COMPLETE)
- result = ERROR_SUCCESS;
+ if (result == ERROR_SUCCESS)
+ result = yr_rules_scan_mem_blocks(
+ rules,
+ &_yr_section_reader_next_block,
+ reader,
+ flags | SCAN_FLAGS_PROCESS_MEMORY,
+ callback,
+ user_data,
+ timeout);
-_exit:
if (reader != NULL)
yr_close_section_reader(reader);
--