[Forensics-changes] [yara] 193/368: Starting implementation of more generic block_iterator
Hilko Bengen
bengen at moszumanska.debian.org
Sat Jul 1 10:30:39 UTC 2017
This is an automated email from the git hooks/post-receive script.
bengen pushed a commit to annotated tag v3.5.0
in repository yara.
commit 1bbb97d5cec42a9947883605b1fef15de7eca5af
Author: Kyle Reed <kallanreed at outlook.com>
Date: Mon Feb 22 09:30:15 2016 -0800
Starting implementation of more generic block_iterator
Signed-off-by: Kyle Reed <kallanreed at outlook.com>
# Conflicts:
# libyara/include/yara/error.h
---
libyara/include/yara/proc.h | 11 +-
libyara/include/yara/types.h | 42 ++---
libyara/proc.c | 353 ++++++++++++++++++++++---------------------
libyara/rules.c | 151 ++++++++++--------
yara.c | 2 +-
5 files changed, 298 insertions(+), 261 deletions(-)
diff --git a/libyara/include/yara/proc.h b/libyara/include/yara/proc.h
index 1f844b0..8018bef 100644
--- a/libyara/include/yara/proc.h
+++ b/libyara/include/yara/proc.h
@@ -23,14 +23,11 @@ int yr_process_get_memory(
int pid,
YR_MEMORY_BLOCK** first_block);
-int yr_open_section_reader(
+int yr_open_process_iterator(
int pid,
- YR_SECTION_READER** reader);
+ YR_BLOCK_ITERATOR* iterator);
-int yr_read_next_section(
- YR_SECTION_READER* reader);
-
-void yr_close_section_reader(
- YR_SECTION_READER* reader);
+int yr_close_process_iterator(
+ YR_BLOCK_ITERATOR* iterator);
#endif
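Review bot: The new prototypes say nothing about who owns `iterator` or what state it is left in when open fails, which matters now that the struct is caller-allocated and the scanner calls through its function pointers without checking them. A comment above `yr_open_process_iterator` along the lines of `/* Initialises the caller-owned iterator for process pid; on a non-success return the iterator must not be passed to the scanner. */` and one above `yr_close_process_iterator` stating that it releases the context and detaches from the process would settle the contract. `yr_close_process_iterator` also gains an int return here; its comment should say what a non-zero value means and whether the iterator is still valid afterwards.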
diff --git a/libyara/include/yara/types.h b/libyara/include/yara/types.h
index 50e9381..15c32d5 100644
--- a/libyara/include/yara/types.h
+++ b/libyara/include/yara/types.h
@@ -373,36 +373,40 @@ typedef struct _YR_MEMORY_BLOCK
} YR_MEMORY_BLOCK;
-typedef struct _YR_BLOCK_READER
-{
- YR_MEMORY_BLOCK* current;
- YR_MEMORY_BLOCK* blocks;
-} YR_BLOCK_READER;
+// memory block iteration types
+typedef struct _YR_BLOCK_ITERATOR YR_BLOCK_ITERATOR;
+typedef YR_MEMORY_BLOCK* (*YR_BLOCK_ITERATOR_MOVE)(
+ YR_BLOCK_ITERATOR* self);
-typedef struct _YR_MEMORY_SECTION
+typedef uint8_t* (*YR_BLOCK_ITERATOR_FETCH)(
+ YR_BLOCK_ITERATOR* self);
+
+struct _YR_BLOCK_ITERATOR
{
- size_t base;
- size_t size;
+ void* context;
- _YR_MEMORY_SECTION* next;
+ YR_BLOCK_ITERATOR_MOVE first;
+ YR_BLOCK_ITERATOR_MOVE next;
+ YR_BLOCK_ITERATOR_FETCH fetch_data;
-} YR_MEMORY_SECTION;
+};
-typedef struct _YR_SECTION_READER
+typedef struct _YR_LIST_ITERATOR_CONTEXT
{
- void* context;
+ YR_MEMORY_BLOCK* head;
+ YR_MEMORY_BLOCK* current;
- YR_MEMORY_SECTION* sections;
- YR_MEMORY_SECTION* current;
- YR_MEMORY_BLOCK* block;
+} YR_LIST_ITERATOR_CONTEXT;
-} YR_SECTION_READER;
+typedef struct _YR_PROCESS_ITERATOR_CONTEXT
+{
+ void* process_context;
+ YR_LIST_ITERATOR_CONTEXT list_context;
+ uint8_t* data;
+} YR_PROCESS_ITERATOR_CONTEXT;
-typedef int (*YR_BLOCK_ITERATOR)(
- void* reader,
- YR_MEMORY_BLOCK** block);
typedef int (*YR_CALLBACK_FUNC)(
int message,
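Review bot: `YR_BLOCK_ITERATOR_FETCH` returns only a pointer, so a fetch that yields fewer bytes than the block's `size` has no way to say so, and the scanner in rules.c copies `size` from the block and reads that many bytes from whatever pointer comes back. The old `_yr_read_section` stored the actual `read` count into `block->size`; that information is lost in the new abstraction, and `YR_PROCESS_ITERATOR_CONTEXT` likewise carries `data` without a length. At minimum document the contract on the typedef, e.g. `// Returns a buffer of at least `size` bytes for the current block, valid until the next first/next call, or NULL on failure.`; longer term consider letting fetch report the byte count so a short read cannot become an out-of-bounds read in the scanner.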
diff --git a/libyara/proc.c b/libyara/proc.c
index a71ed78..b859f34 100644
--- a/libyara/proc.c
+++ b/libyara/proc.c
@@ -70,99 +70,99 @@ int _yr_detach_process(
return ERROR_SUCCESS;
}
-int _yr_get_sections(
- void* hProcess,
- YR_SECTION_READER* reader)
-{
- PVOID address;
- int result = ERROR_SUCCESS;
- int sections = 0;
-
- YR_MEMORY_SECTION* new_section;
- YR_MEMORY_SECTION* current = NULL;
-
- SYSTEM_INFO si;
- MEMORY_BASIC_INFORMATION mbi;
-
- GetSystemInfo(&si);
-
- address = si.lpMinimumApplicationAddress;
-
- while (address < si.lpMaximumApplicationAddress &&
- VirtualQueryEx(hProcess, address, &mbi, sizeof(mbi)) != 0)
- {
- if (mbi.State == MEM_COMMIT && ((mbi.Protect & PAGE_NOACCESS) == 0))
- {
- YR_MEMORY_SECTION* new_section = (YR_MEMORY_SECTION*)yr_malloc(sizeof(YR_MEMORY_SECTION));
-
- new_section->base = (size_t)mbi.BaseAddress;
- new_section->size = mbi.RegionSize;
-
- if (reader->sections == NULL)
- reader->sections = new_section;
-
- if (current != NULL)
- current->next = new_section;
-
- current = new_section;
-
- ++sections;
- }
-
- address = (uint8_t*)address + mbi.RegionSize;
- }
-
- printf("%lu sections\n", sections);
-
- return result;
-}
-
-int _yr_read_section(
- void* hProcess,
- YR_MEMORY_SECTION* section,
- YR_MEMORY_BLOCK** block)
-{
- SIZE_T read;
- uint8_t* data;
- int result = ERROR_SUCCESS;
- *block = NULL;
-
- data = (uint8_t*)yr_malloc(section->size);
-
- if (data == NULL)
- {
- result = ERROR_INSUFICIENT_MEMORY;
- goto error;
- }
-
- if (ReadProcessMemory(
- (HANDLE)hProcess,
- (LPCVOID)section->base,
- data,
- (SIZE_T)section->size,
- &read))
- {
- *block = (YR_MEMORY_BLOCK*)yr_malloc(sizeof(YR_MEMORY_BLOCK));
-
- if (*block == NULL)
- {
- result = ERROR_INSUFICIENT_MEMORY;
- goto error;
- }
-
- (*block)->base = section->base;
- (*block)->size = (size_t)read;
- (*block)->data = data;
- }
-
- return result;
-
-error:
- if (data != NULL)
- yr_free(data);
-
- return result;
-}
+//int _yr_get_sections(
+// void* hProcess,
+// YR_SECTION_READER* reader)
+//{
+// PVOID address;
+// int result = ERROR_SUCCESS;
+// int sections = 0;
+//
+// YR_MEMORY_SECTION* new_section;
+// YR_MEMORY_SECTION* current = NULL;
+//
+// SYSTEM_INFO si;
+// MEMORY_BASIC_INFORMATION mbi;
+//
+// GetSystemInfo(&si);
+//
+// address = si.lpMinimumApplicationAddress;
+//
+// while (address < si.lpMaximumApplicationAddress &&
+// VirtualQueryEx(hProcess, address, &mbi, sizeof(mbi)) != 0)
+// {
+// if (mbi.State == MEM_COMMIT && ((mbi.Protect & PAGE_NOACCESS) == 0))
+// {
+// YR_MEMORY_SECTION* new_section = (YR_MEMORY_SECTION*)yr_malloc(sizeof(YR_MEMORY_SECTION));
+//
+// new_section->base = (size_t)mbi.BaseAddress;
+// new_section->size = mbi.RegionSize;
+//
+// if (reader->sections == NULL)
+// reader->sections = new_section;
+//
+// if (current != NULL)
+// current->next = new_section;
+//
+// current = new_section;
+//
+// ++sections;
+// }
+//
+// address = (uint8_t*)address + mbi.RegionSize;
+// }
+//
+// printf("%lu sections\n", sections);
+//
+// return result;
+//}
+//
+//int _yr_read_section(
+// void* hProcess,
+// YR_MEMORY_SECTION* section,
+// YR_MEMORY_BLOCK** block)
+//{
+// SIZE_T read;
+// uint8_t* data;
+// int result = ERROR_SUCCESS;
+// *block = NULL;
+//
+// data = (uint8_t*)yr_malloc(section->size);
+//
+// if (data == NULL)
+// {
+// result = ERROR_INSUFICIENT_MEMORY;
+// goto error;
+// }
+//
+// if (ReadProcessMemory(
+// (HANDLE)hProcess,
+// (LPCVOID)section->base,
+// data,
+// (SIZE_T)section->size,
+// &read))
+// {
+// *block = (YR_MEMORY_BLOCK*)yr_malloc(sizeof(YR_MEMORY_BLOCK));
+//
+// if (*block == NULL)
+// {
+// result = ERROR_INSUFICIENT_MEMORY;
+// goto error;
+// }
+//
+// (*block)->base = section->base;
+// (*block)->size = (size_t)read;
+// (*block)->data = data;
+// }
+//
+// return result;
+//
+//error:
+// if (data != NULL)
+// yr_free(data);
+//
+// return result;
+//}
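Review bot: The two old functions are commented out rather than deleted, leaving roughly ninety lines of dead text in proc.c that the compiler no longer checks (the `printf("%lu sections\n", sections)` format/int mismatch inside it, for instance, would now never be diagnosed). Git history already preserves the section reader, so delete the block here, in the second proc.c hunk (`yr_open_section_reader`, `yr_read_next_section`, `yr_close_section_reader`) and in `yr_rules_scan_proc2` in rules.c. If the old code must stay visible as a reference while the iterator is built, wrap it in `#if 0` with a one-line comment saying why, so it is recognisably disabled rather than a wall of `//`.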
@@ -528,86 +528,99 @@ _exit:
#endif
#endif
-// section reader abstraction
-
-int yr_open_section_reader(
- int pid,
- YR_SECTION_READER** reader)
-{
- *reader = (YR_SECTION_READER*)yr_malloc(sizeof(YR_SECTION_READER));
+// process iterator abstraction
- (*reader)->block = NULL;
- (*reader)->current = NULL;
-
- int result = _yr_attach_process(pid, &(*reader)->context);
-
- result = _yr_get_sections((*reader)->context, *reader);
-
- return result;
-}
-
-int yr_read_next_section(
- YR_SECTION_READER* reader)
+int yr_open_process_iterator(
+ int pid,
+ YR_BLOCK_ITERATOR* iterator)
{
- int result = ERROR_SUCCESS;
-
- // free the previous memory block
- if (reader->block != NULL)
- {
- yr_free(reader->block->data);
- yr_free(reader->block);
- reader->block = NULL;
- }
-
- do {
- // set current to first or next
- if (reader->current == NULL)
- reader->current = reader->sections;
- else
- reader->current = reader->current->next;
-
- if (reader->current == NULL) break;
-
- result = _yr_read_section(
- reader->context,
- reader->current,
- &reader->block);
-
- if (result != ERROR_SUCCESS) break;
-
- } while (reader->block == NULL);
-
- return result;
+ return 0;
}
-void yr_close_section_reader(
- YR_SECTION_READER* reader)
+int yr_close_process_iterator(
+ YR_BLOCK_ITERATOR* iterator)
{
- YR_MEMORY_SECTION* current;
- YR_MEMORY_SECTION* next;
-
- // NOTE: detach is responsible for freeing any allocated context
- _yr_detach_process(reader->context);
-
- // free the list of sections
- current = reader->sections;
-
- while (current != NULL)
- {
- next = current->next;
-
- yr_free(current);
-
- current = next;
- }
-
- // free the memory block
- if (reader->block != NULL)
- {
- yr_free(reader->block->data);
- yr_free(reader->block);
- }
-
- // free the reader
- yr_free(reader);
+ return 0;
}
+//
+//int yr_open_section_reader(
+// int pid,
+// YR_SECTION_READER** reader)
+//{
+// *reader = (YR_SECTION_READER*)yr_malloc(sizeof(YR_SECTION_READER));
+//
+// (*reader)->block = NULL;
+// (*reader)->current = NULL;
+//
+// int result = _yr_attach_process(pid, &(*reader)->context);
+//
+// result = _yr_get_sections((*reader)->context, *reader);
+//
+// return result;
+//}
+//
+//int yr_read_next_section(
+// YR_SECTION_READER* reader)
+//{
+// int result = ERROR_SUCCESS;
+//
+// // free the previous memory block
+// if (reader->block != NULL)
+// {
+// yr_free(reader->block->data);
+// yr_free(reader->block);
+// reader->block = NULL;
+// }
+//
+// do {
+// // set current to first or next
+// if (reader->current == NULL)
+// reader->current = reader->sections;
+// else
+// reader->current = reader->current->next;
+//
+// if (reader->current == NULL) break;
+//
+// result = _yr_read_section(
+// reader->context,
+// reader->current,
+// &reader->block);
+//
+// if (result != ERROR_SUCCESS) break;
+//
+// } while (reader->block == NULL);
+//
+// return result;
+//}
+//
+//void yr_close_section_reader(
+// YR_SECTION_READER* reader)
+//{
+// YR_MEMORY_SECTION* current;
+// YR_MEMORY_SECTION* next;
+//
+// // NOTE: detach is responsible for freeing any allocated context
+// _yr_detach_process(reader->context);
+//
+// // free the list of sections
+// current = reader->sections;
+//
+// while (current != NULL)
+// {
+// next = current->next;
+//
+// yr_free(current);
+//
+// current = next;
+// }
+//
+// // free the memory block
+// if (reader->block != NULL)
+// {
+// yr_free(reader->block->data);
+// yr_free(reader->block);
+// }
+//
+// // free the reader
+// yr_free(reader);
+//}
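Review bot: `yr_open_process_iterator` returns 0 without writing anything into `iterator`, so a caller that reads 0 as ERROR_SUCCESS will hand an uninitialised struct to `yr_rules_scan_mem_blocks`, which calls `iterator->first` unconditionally. Until the real body exists, make the stub fail deterministically: `memset(iterator, 0, sizeof *iterator);` followed by returning a non-success code from error.h (the commit mentions conflicts in that header, so use whichever not-implemented/invalid-argument code it defines rather than 0). `yr_close_process_iterator` likewise returns 0 without the `_yr_detach_process` call the old close performed; a `// TODO: detach and free context once open attaches` would stop the pairing being forgotten when open is filled in.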
diff --git a/libyara/rules.c b/libyara/rules.c
index 51f7a56..1fec171 100644
--- a/libyara/rules.c
+++ b/libyara/rules.c
@@ -308,43 +308,58 @@ int _yr_rules_scan_mem_block(
return ERROR_SUCCESS;
}
-int _yr_section_reader_next_block(
- void* section_reader,
- YR_MEMORY_BLOCK** block)
+
+YR_MEMORY_BLOCK* _yr_get_first_block(
+ YR_BLOCK_ITERATOR* iterator)
{
- YR_SECTION_READER* reader = (YR_SECTION_READER*)section_reader;
+ YR_LIST_ITERATOR_CONTEXT* ctx = (YR_LIST_ITERATOR_CONTEXT*)iterator->context;
- int result = yr_read_next_section(reader);
+ ctx->current = ctx->head;
+ return ctx->current;
+}
- if (result == ERROR_SUCCESS)
- *block = reader->block;
- else
- *block = NULL;
+YR_MEMORY_BLOCK* _yr_get_next_block(
+ YR_BLOCK_ITERATOR* iterator)
+{
+ YR_LIST_ITERATOR_CONTEXT* ctx = (YR_LIST_ITERATOR_CONTEXT*)iterator->context;
- return result;
+ if (ctx->current != NULL)
+ {
+ ctx->current = ctx->current->next;
+ }
+
+ return ctx->current;
}
-int _yr_block_reader_next_block(
- void* block_reader,
- YR_MEMORY_BLOCK** block)
+uint8_t* _yr_fetch_block_data(
+ YR_BLOCK_ITERATOR* iterator)
{
- YR_BLOCK_READER* reader = (YR_BLOCK_READER*)block_reader;
+ YR_LIST_ITERATOR_CONTEXT* ctx = (YR_LIST_ITERATOR_CONTEXT*)iterator->context;
- if (reader->current == NULL)
- reader->current = reader->blocks;
- else
- reader->current = reader->current->next;
+ if (ctx->current != NULL)
+ return ctx->current->data;
- *block = reader->current;
+ return NULL;
+}
- return ERROR_SUCCESS;
+void _yr_get_list_iterator(
+ YR_BLOCK_ITERATOR* iterator,
+ YR_LIST_ITERATOR_CONTEXT* context,
+ YR_MEMORY_BLOCK* head)
+{
+ context->current = NULL;
+ context->head = head;
+
+ iterator->context = context;
+ iterator->first = _yr_get_first_block;
+ iterator->next = _yr_get_next_block;
+ iterator->fetch_data = _yr_fetch_block_data;
}
YR_API int yr_rules_scan_mem_blocks(
YR_RULES* rules,
- YR_BLOCK_ITERATOR next_block,
- void* block_reader,
+ YR_BLOCK_ITERATOR* iterator,
int flags,
YR_CALLBACK_FUNC callback,
void* user_data,
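Review bot: `_yr_get_first_block`, `_yr_get_next_block`, `_yr_fetch_block_data` and `_yr_get_list_iterator` are defined with external linkage but declared in no header in this change, so they become exported library symbols that nothing outside rules.c can call correctly; mark each `static`. `_yr_get_list_iterator` initialises an iterator rather than returning one, so `_yr_init_list_iterator` would describe it better, and it should document that `context` must outlive `iterator` since only a pointer to it is stored. A short comment on `_yr_fetch_block_data` noting that it returns `current->data` itself (no copy, valid only while that block is current) would pin the contract the scanner now relies on. The `yr_rules_scan_mem_blocks` signature at the end of the hunk continues past it.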
@@ -361,12 +376,7 @@ YR_API int yr_rules_scan_mem_blocks(
int tidx = 0;
int result = ERROR_SUCCESS;
- result = next_block(
- block_reader,
- &block);
-
- if (result != ERROR_SUCCESS)
- return result;
+ block = iterator->first(iterator);
if (block == NULL)
return ERROR_SUCCESS;
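Review bot: `iterator->first(iterator)` is called without checking `iterator` or `iterator->first`, and a NULL result is treated as "nothing to scan" and returns ERROR_SUCCESS, so the iterator has lost the error channel the old `next_block` callback had. An iterator that fails to attach to a process or enumerate its regions can now only express that as an empty scan, which the caller reads as a clean result. Add `if (iterator == NULL || iterator->first == NULL || iterator->next == NULL || iterator->fetch_data == NULL) return ERROR_INVALID_ARGUMENT;` before the first call, and consider giving the move functions a way to report failure distinct from end-of-list (a status field in the struct or an int return with the block as an out-parameter). The same unchecked call pattern applies to `block = iterator->next(iterator);` in the later hunk of this function, which begins and ends outside the hunk.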
@@ -444,25 +454,36 @@ YR_API int yr_rules_scan_mem_blocks(
while (block != NULL)
{
+ // value copy so we don't modify the underlying block
+ YR_MEMORY_BLOCK temp_block = *block;
+ temp_block.data = iterator->fetch_data(iterator);
+
+ // fetch_data can fail
+ if (temp_block.data == NULL)
+ {
+ block = iterator->next(iterator);
+ continue;
+ }
+
if (context.entry_point == UNDEFINED)
{
YR_TRYCATCH({
if (flags & SCAN_FLAGS_PROCESS_MEMORY)
context.entry_point = yr_get_entry_point_address(
- block->data,
- block->size,
- block->base);
+ temp_block.data,
+ temp_block.size,
+ temp_block.base);
else
context.entry_point = yr_get_entry_point_offset(
- block->data,
- block->size);
+ temp_block.data,
+ temp_block.size);
},{});
}
YR_TRYCATCH({
result = _yr_rules_scan_mem_block(
rules,
- block,
+ &temp_block,
&context,
timeout,
start_time);
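Review bot: When `iterator->fetch_data` returns NULL the block is skipped with `continue` and the scan carries on, so a region whose memory could not be read is silently excluded and the final result is indistinguishable from a genuinely clean block. `temp_block.size` is also copied from the block before the fetch, so the returned buffer must hold at least that many readable bytes and nothing here verifies it. At least count the skipped blocks and surface them to the caller (a result code or a callback message, whichever the library's existing reporting supports), and document the size contract at the call: `// fetch_data must return at least temp_block.size readable bytes; the list iterator hands back block->data itself`. The enclosing while loop and function continue past the hunk.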
@@ -473,12 +494,7 @@ YR_API int yr_rules_scan_mem_blocks(
if (result != ERROR_SUCCESS)
goto _exit;
- result = next_block(
- block_reader,
- &block);
-
- if (result != ERROR_SUCCESS)
- goto _exit;
+ block = iterator->next(iterator);
}
YR_TRYCATCH({
@@ -570,20 +586,22 @@ YR_API int yr_rules_scan_mem(
int timeout)
{
YR_MEMORY_BLOCK block;
- YR_BLOCK_READER reader;
+ YR_BLOCK_ITERATOR iterator;
+ YR_LIST_ITERATOR_CONTEXT list_context;
block.data = buffer;
block.size = buffer_size;
block.base = 0;
block.next = NULL;
- reader.current = NULL;
- reader.blocks = █
+ _yr_get_list_iterator(
+ &iterator,
+ &list_context,
+ &block);
return yr_rules_scan_mem_blocks(
rules,
- &_yr_block_reader_next_block,
- &reader,
+ &iterator,
flags,
callback,
user_data,
@@ -660,18 +678,21 @@ YR_API int yr_rules_scan_proc(
YR_MEMORY_BLOCK* first_block;
YR_MEMORY_BLOCK* next_block;
YR_MEMORY_BLOCK* block;
- YR_BLOCK_READER reader;
+
+ YR_BLOCK_ITERATOR iterator;
+ YR_LIST_ITERATOR_CONTEXT list_context;
int result = yr_process_get_memory(pid, &first_block);
- reader.current = NULL;
- reader.blocks = first_block;
+ _yr_get_list_iterator(
+ &iterator,
+ &list_context,
+ first_block);
if (result == ERROR_SUCCESS)
result = yr_rules_scan_mem_blocks(
rules,
- &_yr_block_reader_next_block,
- &reader,
+ &iterator,
flags | SCAN_FLAGS_PROCESS_MEMORY,
callback,
user_data,
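Review bot: `_yr_get_list_iterator(&iterator, &list_context, first_block)` runs before `result` is checked, so if `yr_process_get_memory` fails without assigning `first_block` (not visible here) the uninitialised pointer is read and stored in `list_context.head`. The old `reader.blocks = first_block` had the same ordering, but the new lines are the place to fix it: either initialise `YR_MEMORY_BLOCK* first_block = NULL;` at its declaration or move the `_yr_get_list_iterator` call inside the `if (result == ERROR_SUCCESS)` branch. The function continues past the hunk, so whoever frees the block list from `yr_process_get_memory` is not visible in this change.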
@@ -700,24 +721,26 @@ YR_API int yr_rules_scan_proc2(
void* user_data,
int timeout)
{
- YR_SECTION_READER* reader;
+ //YR_SECTION_READER* reader;
- int result = yr_open_section_reader(pid, &reader);
+ //int result = yr_open_section_reader(pid, &reader);
- if (result == ERROR_SUCCESS)
- result = yr_rules_scan_mem_blocks(
- rules,
- &_yr_section_reader_next_block,
- reader,
- flags | SCAN_FLAGS_PROCESS_MEMORY,
- callback,
- user_data,
- timeout);
+ //if (result == ERROR_SUCCESS)
+ // result = yr_rules_scan_mem_blocks(
+ // rules,
+ // &_yr_section_reader_next_block,
+ // reader,
+ // flags | SCAN_FLAGS_PROCESS_MEMORY,
+ // callback,
+ // user_data,
+ // timeout);
- if (reader != NULL)
- yr_close_section_reader(reader);
+ //if (reader != NULL)
+ // yr_close_section_reader(reader);
- return result;
+ //return result;
+
+ return 0;
}
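Review bot: `yr_rules_scan_proc2` now returns 0 after doing nothing, so any caller still using this public entry point gets what looks like a successful scan with no matches for a process that was never read. Return a non-success code from error.h (or remove the function from the public API) until the process iterator exists; `yara.c` already switched to `yr_rules_scan_proc` in this commit, so nothing in-tree depends on the current return. A `// TODO: rebuild on yr_open_process_iterator once implemented` above the body would also explain the stub to the next reader.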
YR_API int yr_rules_load_stream(
diff --git a/yara.c b/yara.c
index 79022e1..5fc8f4a 100644
--- a/yara.c
+++ b/yara.c
@@ -1076,7 +1076,7 @@ int main(
if (fast_scan)
flags |= SCAN_FLAGS_FAST_MODE;
- result = yr_rules_scan_proc2(
+ result = yr_rules_scan_proc(
rules,
pid,
flags,