[Forensics-changes] [yara] 194/368: using block iterator every where the block linked list was used had to include null checking everywhere the data was used
Hilko Bengen
bengen at moszumanska.debian.org
Sat Jul 1 10:30:39 UTC 2017
This is an automated email from the git hooks/post-receive script.
bengen pushed a commit to annotated tag v3.5.0
in repository yara.
commit fa3343c56a166e243e0af06e188fc4c364047d98
Author: Kyle Reed <kallanreed at outlook.com>
Date: Tue Feb 23 09:54:15 2016 -0800
using block iterator every where the block linked list was used
had to include null checking everywhere the data was used
concerns:
If multiple modules read the same data, the data will be refetched from the process multiple times.
Signed-off-by: Kyle Reed <kallanreed at outlook.com>
---
libyara/exec.c | 33 +++---
libyara/include/yara/modules.h | 9 +-
libyara/include/yara/types.h | 26 ++---
libyara/modules/elf.c | 14 ++-
libyara/modules/hash.c | 96 ++++++++++-------
libyara/modules/math.c | 179 +++++++++++++++++-------------
libyara/modules/pe.c | 12 ++-
libyara/proc.c | 240 ++++++++++++++++++++---------------------
libyara/rules.c | 124 ++++++---------------
9 files changed, 370 insertions(+), 363 deletions(-)
diff --git a/libyara/exec.c b/libyara/exec.c
index 45e0a32..5b0c833 100644
--- a/libyara/exec.c
+++ b/libyara/exec.c
@@ -94,19 +94,22 @@ typedef union _STACK_ITEM {
#define function_read(type, endianess) \
- int64_t read_##type##_##endianess(YR_MEMORY_BLOCK* block, size_t offset) \
+ int64_t read_##type##_##endianess(YR_BLOCK_ITERATOR* iterator, size_t offset) \
{ \
+ YR_MEMORY_BLOCK* block = iterator->first(iterator); \
while (block != NULL) \
{ \
if (offset >= block->base && \
block->size >= sizeof(type) && \
offset <= block->base + block->size - sizeof(type)) \
{ \
- type result = *(type *)(block->data + offset - block->base); \
+ uint8_t* data = iterator->fetch_data(iterator); \
+ if(data == NULL) return UNDEFINED; \
+ type result = *(type *)(data + offset - block->base); \
result = endianess##_##type(result); \
return result; \
} \
- block = block->next; \
+ block = iterator->next(iterator); \
} \
return UNDEFINED; \
};
@@ -733,73 +736,73 @@ int yr_execute_code(
case OP_INT8:
pop(r1);
- r1.i = read_int8_t_little_endian(context->mem_block, (size_t) r1.i);
+ r1.i = read_int8_t_little_endian(context->iterator, (size_t) r1.i);
push(r1);
break;
case OP_INT16:
pop(r1);
- r1.i = read_int16_t_little_endian(context->mem_block, (size_t) r1.i);
+ r1.i = read_int16_t_little_endian(context->iterator, (size_t) r1.i);
push(r1);
break;
case OP_INT32:
pop(r1);
- r1.i = read_int32_t_little_endian(context->mem_block, (size_t) r1.i);
+ r1.i = read_int32_t_little_endian(context->iterator, (size_t) r1.i);
push(r1);
break;
case OP_UINT8:
pop(r1);
- r1.i = read_uint8_t_little_endian(context->mem_block, (size_t) r1.i);
+ r1.i = read_uint8_t_little_endian(context->iterator, (size_t) r1.i);
push(r1);
break;
case OP_UINT16:
pop(r1);
- r1.i = read_uint16_t_little_endian(context->mem_block, (size_t) r1.i);
+ r1.i = read_uint16_t_little_endian(context->iterator, (size_t) r1.i);
push(r1);
break;
case OP_UINT32:
pop(r1);
- r1.i = read_uint32_t_little_endian(context->mem_block, (size_t) r1.i);
+ r1.i = read_uint32_t_little_endian(context->iterator, (size_t) r1.i);
push(r1);
break;
case OP_INT8BE:
pop(r1);
- r1.i = read_int8_t_big_endian(context->mem_block, (size_t) r1.i);
+ r1.i = read_int8_t_big_endian(context->iterator, (size_t) r1.i);
push(r1);
break;
case OP_INT16BE:
pop(r1);
- r1.i = read_int16_t_big_endian(context->mem_block, (size_t) r1.i);
+ r1.i = read_int16_t_big_endian(context->iterator, (size_t) r1.i);
push(r1);
break;
case OP_INT32BE:
pop(r1);
- r1.i = read_int32_t_big_endian(context->mem_block, (size_t) r1.i);
+ r1.i = read_int32_t_big_endian(context->iterator, (size_t) r1.i);
push(r1);
break;
case OP_UINT8BE:
pop(r1);
- r1.i = read_uint8_t_big_endian(context->mem_block, (size_t) r1.i);
+ r1.i = read_uint8_t_big_endian(context->iterator, (size_t) r1.i);
push(r1);
break;
case OP_UINT16BE:
pop(r1);
- r1.i = read_uint16_t_big_endian(context->mem_block, (size_t) r1.i);
+ r1.i = read_uint16_t_big_endian(context->iterator, (size_t) r1.i);
push(r1);
break;
case OP_UINT32BE:
pop(r1);
- r1.i = read_uint32_t_big_endian(context->mem_block, (size_t) r1.i);
+ r1.i = read_uint32_t_big_endian(context->iterator, (size_t) r1.i);
push(r1);
break;
diff --git a/libyara/include/yara/modules.h b/libyara/include/yara/modules.h
index 8be1529..0d7235f 100644
--- a/libyara/include/yara/modules.h
+++ b/libyara/include/yara/modules.h
@@ -279,14 +279,15 @@ limitations under the License.
#define scan_context() (__context)
-#define foreach_memory_block(context, block) \
- for (block = (context)->mem_block; \
+#define foreach_memory_block(context, block, iterator) \
+ iterator = (context)->iterator; \
+ for (block = iterator->first(iterator); \
block != NULL; \
- block = block->next) \
+ block = iterator->next(iterator)) \
#define first_memory_block(context) \
- (context)->mem_block
+ (context)->iterator->first((context)->iterator)
#define is_undefined(object, ...) \
diff --git a/libyara/include/yara/types.h b/libyara/include/yara/types.h
index 15c32d5..ca4e746 100644
--- a/libyara/include/yara/types.h
+++ b/libyara/include/yara/types.h
@@ -362,10 +362,9 @@ typedef struct _YR_RULES {
} YR_RULES;
-
+// memory block iteration types
typedef struct _YR_MEMORY_BLOCK
{
- uint8_t* data;
size_t size;
size_t base;
@@ -373,8 +372,6 @@ typedef struct _YR_MEMORY_BLOCK
} YR_MEMORY_BLOCK;
-
-// memory block iteration types
typedef struct _YR_BLOCK_ITERATOR YR_BLOCK_ITERATOR;
typedef YR_MEMORY_BLOCK* (*YR_BLOCK_ITERATOR_MOVE)(
@@ -387,25 +384,28 @@ struct _YR_BLOCK_ITERATOR
{
void* context;
+ // TODO: current ptr or fn?
+
YR_BLOCK_ITERATOR_MOVE first;
YR_BLOCK_ITERATOR_MOVE next;
YR_BLOCK_ITERATOR_FETCH fetch_data;
};
-typedef struct _YR_LIST_ITERATOR_CONTEXT
+// a memory block in context with its data
+typedef struct _YR_BLOCK_CONTEXT
{
- YR_MEMORY_BLOCK* head;
- YR_MEMORY_BLOCK* current;
+ uint8_t* data;
+ YR_MEMORY_BLOCK* block;
-} YR_LIST_ITERATOR_CONTEXT;
+} YR_BLOCK_CONTEXT;
-typedef struct _YR_PROCESS_ITERATOR_CONTEXT
+typedef struct _YR_PROCESS_CONTEXT
{
- void* process_context;
- YR_LIST_ITERATOR_CONTEXT list_context;
uint8_t* data;
-} YR_PROCESS_ITERATOR_CONTEXT;
+ void* process_context;
+
+} YR_PROCESS_CONTEXT;
typedef int (*YR_CALLBACK_FUNC)(
@@ -424,7 +424,7 @@ typedef struct _YR_SCAN_CONTEXT
void* user_data;
- YR_MEMORY_BLOCK* mem_block;
+ YR_BLOCK_ITERATOR* iterator;
YR_HASH_TABLE* objects_table;
YR_CALLBACK_FUNC callback;
diff --git a/libyara/modules/elf.c b/libyara/modules/elf.c
index 443958f..afb8464 100644
--- a/libyara/modules/elf.c
+++ b/libyara/modules/elf.c
@@ -311,6 +311,7 @@ int module_load(
size_t module_data_size)
{
YR_MEMORY_BLOCK* block;
+ YR_BLOCK_ITERATOR* iterator;
elf32_header_t* elf_header32;
elf64_header_t* elf_header64;
@@ -368,15 +369,20 @@ int module_load(
set_integer(ELF_PF_W, module_object, "PF_W");
set_integer(ELF_PF_R, module_object, "PF_R");
- foreach_memory_block(context, block)
+ foreach_memory_block(context, block, iterator)
{
- switch(get_elf_type(block->data, block->size))
+ uint8_t* block_data = iterator->fetch_data(iterator);
+
+ if (block_data == NULL)
+ continue;
+
+ switch(get_elf_type(block_data, block->size))
{
case ELF_CLASS_32:
if (block->size > sizeof(elf32_header_t))
{
- elf_header32 = (elf32_header_t*) block->data;
+ elf_header32 = (elf32_header_t*) block_data;
if (!(context->flags & SCAN_FLAGS_PROCESS_MEMORY) ||
elf_header32->type == ELF_ET_EXEC)
@@ -396,7 +402,7 @@ int module_load(
if (block->size > sizeof(elf64_header_t))
{
- elf_header64 = (elf64_header_t*) block->data;
+ elf_header64 = (elf64_header_t*) block_data;
if (!(context->flags & SCAN_FLAGS_PROCESS_MEMORY) ||
elf_header64->type == ELF_ET_EXEC)
diff --git a/libyara/modules/hash.c b/libyara/modules/hash.c
index 5b965e7..2d0ffe6 100644
--- a/libyara/modules/hash.c
+++ b/libyara/modules/hash.c
@@ -121,33 +121,39 @@ define_function(data_md5)
int past_first_block = FALSE;
YR_SCAN_CONTEXT* context = scan_context();
- YR_MEMORY_BLOCK* block = NULL;
+ YR_MEMORY_BLOCK* block = first_memory_block(context);
+ YR_BLOCK_ITERATOR* iterator = NULL;
int64_t offset = integer_argument(1); // offset where to start
int64_t length = integer_argument(2); // length of bytes we want hash on
MD5_Init(&md5_context);
- if (offset < 0 || length < 0 || offset < context->mem_block->base)
+ if (offset < 0 || length < 0 || offset < block->base)
{
return ERROR_WRONG_ARGUMENTS;
}
- foreach_memory_block(context, block)
+ foreach_memory_block(context, block, iterator)
{
// if desired block within current block
if (offset >= block->base &&
offset < block->base + block->size)
{
- size_t data_offset = (size_t) (offset - block->base);
- size_t data_len = (size_t) yr_min(
- length, (size_t) (block->size - data_offset));
+ uint8_t* block_data = iterator->fetch_data(iterator);
- offset += data_len;
- length -= data_len;
+ if (block_data != NULL)
+ {
+ size_t data_offset = (size_t)(offset - block->base);
+ size_t data_len = (size_t)yr_min(
+ length, (size_t)(block->size - data_offset));
- MD5_Update(&md5_context, block->data + data_offset, data_len);
+ offset += data_len;
+ length -= data_len;
+
+ MD5_Update(&md5_context, block_data + data_offset, data_len);
+ }
past_first_block = TRUE;
}
@@ -190,29 +196,35 @@ define_function(data_sha1)
int64_t length = integer_argument(2); // length of bytes we want hash on
YR_SCAN_CONTEXT* context = scan_context();
- YR_MEMORY_BLOCK* block = NULL;
+ YR_MEMORY_BLOCK* block = first_memory_block(context);
+ YR_BLOCK_ITERATOR* iterator = NULL;
SHA1_Init(&sha_context);
- if (offset < 0 || length < 0 || offset < context->mem_block->base)
+ if (offset < 0 || length < 0 || offset < block->base)
{
return ERROR_WRONG_ARGUMENTS;
}
- foreach_memory_block(context, block)
+ foreach_memory_block(context, block, iterator)
{
// if desired block within current block
if (offset >= block->base &&
offset < block->base + block->size)
{
- size_t data_offset = (size_t) (offset - block->base);
- size_t data_len = (size_t) yr_min(
- length, (size_t) block->size - data_offset);
+ uint8_t* block_data = iterator->fetch_data(iterator);
+
+ if (block_data != NULL)
+ {
+ size_t data_offset = (size_t)(offset - block->base);
+ size_t data_len = (size_t)yr_min(
+ length, (size_t)block->size - data_offset);
- offset += data_len;
- length -= data_len;
+ offset += data_len;
+ length -= data_len;
- SHA1_Update(&sha_context, block->data + data_offset, data_len);
+ SHA1_Update(&sha_context, block_data + data_offset, data_len);
+ }
past_first_block = TRUE;
}
@@ -255,28 +267,34 @@ define_function(data_sha256)
int64_t length = integer_argument(2); // length of bytes we want hash on
YR_SCAN_CONTEXT* context = scan_context();
- YR_MEMORY_BLOCK* block = NULL;
+ YR_MEMORY_BLOCK* block = first_memory_block(context);
+ YR_BLOCK_ITERATOR* iterator = NULL;
SHA256_Init(&sha256_context);
- if (offset < 0 || length < 0 || offset < context->mem_block->base)
+ if (offset < 0 || length < 0 || offset < block->base)
{
return ERROR_WRONG_ARGUMENTS;
}
- foreach_memory_block(context, block)
+ foreach_memory_block(context, block, iterator)
{
// if desired block within current block
if (offset >= block->base &&
offset < block->base + block->size)
{
- size_t data_offset = (size_t) (offset - block->base);
- size_t data_len = (size_t) yr_min(length, block->size - data_offset);
+ uint8_t* block_data = iterator->fetch_data(iterator);
- offset += data_len;
- length -= data_len;
+ if (block_data != NULL)
+ {
+ size_t data_offset = (size_t)(offset - block->base);
+ size_t data_len = (size_t)yr_min(length, block->size - data_offset);
- SHA256_Update(&sha256_context, block->data + data_offset, data_len);
+ offset += data_len;
+ length -= data_len;
+
+ SHA256_Update(&sha256_context, block_data + data_offset, data_len);
+ }
past_first_block = TRUE;
}
@@ -312,31 +330,37 @@ define_function(data_checksum32)
int64_t length = integer_argument(2); // length of bytes we want hash on
YR_SCAN_CONTEXT* context = scan_context();
- YR_MEMORY_BLOCK* block = NULL;
+ YR_MEMORY_BLOCK* block = first_memory_block(context);
+ YR_BLOCK_ITERATOR* iterator = NULL;
uint32_t checksum = 0;
int past_first_block = FALSE;
- if (offset < 0 || length < 0 || offset < context->mem_block->base)
+ if (offset < 0 || length < 0 || offset < block->base)
{
return ERROR_WRONG_ARGUMENTS;
}
- foreach_memory_block(context, block)
+ foreach_memory_block(context, block, iterator)
{
if (offset >= block->base &&
offset < block->base + block->size)
{
- size_t i;
+ uint8_t* block_data = iterator->fetch_data(iterator);
+
+ if (block_data != NULL)
+ {
+ size_t i;
- size_t data_offset = (size_t) (offset - block->base);
- size_t data_len = (size_t) yr_min(length, block->size - data_offset);
+ size_t data_offset = (size_t)(offset - block->base);
+ size_t data_len = (size_t)yr_min(length, block->size - data_offset);
- offset += data_len;
- length -= data_len;
+ offset += data_len;
+ length -= data_len;
- for (i = 0; i < data_len; i++)
- checksum += *(block->data + data_offset + i);
+ for (i = 0; i < data_len; i++)
+ checksum += *(block_data + data_offset + i);
+ }
past_first_block = TRUE;
}
diff --git a/libyara/modules/math.c b/libyara/modules/math.c
index e5ff873..09c1fc3 100644
--- a/libyara/modules/math.c
+++ b/libyara/modules/math.c
@@ -79,9 +79,10 @@ define_function(data_entropy)
int64_t length = integer_argument(2); // length of bytes we want entropy on
YR_SCAN_CONTEXT* context = scan_context();
- YR_MEMORY_BLOCK* block = NULL;
+ YR_MEMORY_BLOCK* block = first_memory_block(context);
+ YR_BLOCK_ITERATOR* iterator = NULL;
- if (offset < 0 || length < 0 || offset < context->mem_block->base)
+ if (offset < 0 || length < 0 || offset < block->base)
return_float(UNDEFINED);
data = (uint32_t*) yr_calloc(256, sizeof(uint32_t));
@@ -89,23 +90,28 @@ define_function(data_entropy)
if (data == NULL)
return_float(UNDEFINED);
- foreach_memory_block(context, block)
+ foreach_memory_block(context, block, iterator)
{
if (offset >= block->base &&
offset < block->base + block->size)
{
- size_t data_offset = (size_t) (offset - block->base);
- size_t data_len = (size_t) yr_min(
- length, (size_t) (block->size - data_offset));
+ uint8_t* block_data = iterator->fetch_data(iterator);
- total_len += data_len;
- offset += data_len;
- length -= data_len;
-
- for (i = 0; i < data_len; i++)
+ if (block_data != NULL)
{
- uint8_t c = *(block->data + data_offset + i);
- data[c] += 1;
+ size_t data_offset = (size_t)(offset - block->base);
+ size_t data_len = (size_t)yr_min(
+ length, (size_t)(block->size - data_offset));
+
+ total_len += data_len;
+ offset += data_len;
+ length -= data_len;
+
+ for (i = 0; i < data_len; i++)
+ {
+ uint8_t c = *(block_data + data_offset + i);
+ data[c] += 1;
+ }
}
past_first_block = TRUE;
@@ -176,26 +182,32 @@ define_function(data_deviation)
size_t i;
YR_SCAN_CONTEXT* context = scan_context();
- YR_MEMORY_BLOCK* block = NULL;
+ YR_MEMORY_BLOCK* block = first_memory_block(context);
+ YR_BLOCK_ITERATOR* iterator = NULL;
- if (offset < 0 || length < 0 || offset < context->mem_block->base)
+ if (offset < 0 || length < 0 || offset < block->base)
return_float(UNDEFINED);
- foreach_memory_block(context, block)
+ foreach_memory_block(context, block, iterator)
{
if (offset >= block->base &&
offset < block->base + block->size)
{
- size_t data_offset = (size_t) (offset - block->base);
- size_t data_len = (size_t) yr_min(
- length, (size_t) (block->size - data_offset));
+ uint8_t* block_data = iterator->fetch_data(iterator);
+
+ if (block_data != NULL)
+ {
+ size_t data_offset = (size_t)(offset - block->base);
+ size_t data_len = (size_t)yr_min(
+ length, (size_t)(block->size - data_offset));
- total_len += data_len;
- offset += data_len;
- length -= data_len;
+ total_len += data_len;
+ offset += data_len;
+ length -= data_len;
- for (i = 0; i < data_len; i++)
- sum += fabs(((double) *(block->data + data_offset + i)) - mean);
+ for (i = 0; i < data_len; i++)
+ sum += fabs(((double)*(block_data + data_offset + i)) - mean);
+ }
past_first_block = TRUE;
}
@@ -243,29 +255,35 @@ define_function(data_mean)
int64_t length = integer_argument(2);
YR_SCAN_CONTEXT* context = scan_context();
- YR_MEMORY_BLOCK* block = NULL;
+ YR_MEMORY_BLOCK* block = first_memory_block(context);
+ YR_BLOCK_ITERATOR* iterator = NULL;
size_t total_len = 0;
size_t i;
- if (offset < 0 || length < 0 || offset < context->mem_block->base)
+ if (offset < 0 || length < 0 || offset < block->base)
return_float(UNDEFINED);
- foreach_memory_block(context, block)
+ foreach_memory_block(context, block, iterator)
{
if (offset >= block->base &&
offset < block->base + block->size)
{
- size_t data_offset = (size_t) (offset - block->base);
- size_t data_len = (size_t) yr_min(
- length, (size_t) (block->size - data_offset));
+ uint8_t* block_data = iterator->fetch_data(iterator);
+
+ if (block_data != NULL)
+ {
+ size_t data_offset = (size_t)(offset - block->base);
+ size_t data_len = (size_t)yr_min(
+ length, (size_t)(block->size - data_offset));
- total_len += data_len;
- offset += data_len;
- length -= data_len;
+ total_len += data_len;
+ offset += data_len;
+ length -= data_len;
- for (i = 0; i < data_len; i++)
- sum += (double) *(block->data + data_offset + i);
+ for (i = 0; i < data_len; i++)
+ sum += (double)*(block_data + data_offset + i);
+ }
past_first_block = TRUE;
}
@@ -301,7 +319,8 @@ define_function(data_serial_correlation)
int64_t length = integer_argument(2);
YR_SCAN_CONTEXT* context = scan_context();
- YR_MEMORY_BLOCK* block = NULL;
+ YR_MEMORY_BLOCK* block = first_memory_block(context);
+ YR_BLOCK_ITERATOR* iterator = NULL;
double sccun = 0;
double scclast = 0;
@@ -310,29 +329,34 @@ define_function(data_serial_correlation)
double scct3 = 0;
double scc = 0;
- if (offset < 0 || length < 0 || offset < context->mem_block->base)
+ if (offset < 0 || length < 0 || offset < block->base)
return_float(UNDEFINED);
- foreach_memory_block(context, block)
+ foreach_memory_block(context, block, iterator)
{
if (offset >= block->base &&
offset < block->base + block->size)
{
- size_t data_offset = (size_t) (offset - block->base);
- size_t data_len = (size_t) yr_min(
- length, (size_t) (block->size - data_offset));
+ uint8_t* block_data = iterator->fetch_data(iterator);
- total_len += data_len;
- offset += data_len;
- length -= data_len;
-
- for (i = 0; i < data_len; i++)
+ if (block_data != NULL)
{
- sccun = (double) *(block->data + data_offset + i);
- scct1 += scclast * sccun;
- scct2 += sccun;
- scct3 += sccun * sccun;
- scclast = sccun;
+ size_t data_offset = (size_t)(offset - block->base);
+ size_t data_len = (size_t)yr_min(
+ length, (size_t)(block->size - data_offset));
+
+ total_len += data_len;
+ offset += data_len;
+ length -= data_len;
+
+ for (i = 0; i < data_len; i++)
+ {
+ sccun = (double)*(block_data + data_offset + i);
+ scct1 += scclast * sccun;
+ scct2 += sccun;
+ scct3 += sccun * sccun;
+ scclast = sccun;
+ }
}
past_first_block = TRUE;
@@ -419,45 +443,50 @@ define_function(data_monte_carlo_pi)
int64_t length = integer_argument(2);
YR_SCAN_CONTEXT* context = scan_context();
- YR_MEMORY_BLOCK* block = NULL;
+ YR_MEMORY_BLOCK* block = first_memory_block(context);
+ YR_BLOCK_ITERATOR* iterator = NULL;
- if (offset < 0 || length < 0 || offset < context->mem_block->base)
+ if (offset < 0 || length < 0 || offset < block->base)
return_float(UNDEFINED);
- foreach_memory_block(context, block)
+ foreach_memory_block(context, block, iterator)
{
if (offset >= block->base &&
offset < block->base + block->size)
{
unsigned int monte[6];
+ uint8_t* block_data = iterator->fetch_data(iterator);
- size_t data_offset = (size_t) (offset - block->base);
- size_t data_len = (size_t) yr_min(
- length, (size_t) (block->size - data_offset));
-
- offset += data_len;
- length -= data_len;
-
- for (i = 0; i < data_len; i++)
+ if (block_data != NULL)
{
- monte[i % 6] = (unsigned int) *(block->data + data_offset + i);
+ size_t data_offset = (size_t)(offset - block->base);
+ size_t data_len = (size_t)yr_min(
+ length, (size_t)(block->size - data_offset));
- if (i % 6 == 5)
- {
- double mx = 0;
- double my = 0;
- int j;
+ offset += data_len;
+ length -= data_len;
- mcount++;
+ for (i = 0; i < data_len; i++)
+ {
+ monte[i % 6] = (unsigned int)*(block_data + data_offset + i);
- for (j = 0; j < 3; j++)
+ if (i % 6 == 5)
{
- mx = (mx * 256.0) + monte[j];
- my = (my * 256.0) + monte[j + 3];
- }
+ double mx = 0;
+ double my = 0;
+ int j;
+
+ mcount++;
- if ((mx * mx + my * my) <= INCIRC)
- inmont++;
+ for (j = 0; j < 3; j++)
+ {
+ mx = (mx * 256.0) + monte[j];
+ my = (my * 256.0) + monte[j + 3];
+ }
+
+ if ((mx * mx + my * my) <= INCIRC)
+ inmont++;
+ }
}
}
diff --git a/libyara/modules/pe.c b/libyara/modules/pe.c
index 4d8b56e..91b8ed5 100644
--- a/libyara/modules/pe.c
+++ b/libyara/modules/pe.c
@@ -2206,6 +2206,7 @@ int module_load(
size_t module_data_size)
{
YR_MEMORY_BLOCK* block;
+ YR_BLOCK_ITERATOR* iterator;
set_integer(
IMAGE_FILE_MACHINE_UNKNOWN, module_object,
@@ -2446,9 +2447,14 @@ int module_load(
RESOURCE_TYPE_MANIFEST, module_object,
"RESOURCE_TYPE_MANIFEST");
- foreach_memory_block(context, block)
+ foreach_memory_block(context, block, iterator)
{
- PIMAGE_NT_HEADERS32 pe_header = pe_get_header(block->data, block->size);
+ uint8_t* data = iterator->fetch_data(iterator);
+
+ if (data == NULL)
+ continue;
+
+ PIMAGE_NT_HEADERS32 pe_header = pe_get_header(data, block->size);
if (pe_header != NULL)
{
@@ -2462,7 +2468,7 @@ int module_load(
if (pe == NULL)
return ERROR_INSUFICIENT_MEMORY;
- pe->data = block->data;
+ pe->data = data;
pe->data_size = block->size;
pe->header = pe_header;
pe->object = module_object;
diff --git a/libyara/proc.c b/libyara/proc.c
index b859f34..87e1e62 100644
--- a/libyara/proc.c
+++ b/libyara/proc.c
@@ -166,126 +166,126 @@ int _yr_detach_process(
-int yr_process_get_memory(
- int pid,
- YR_MEMORY_BLOCK** first_block)
-{
- PVOID address;
- SIZE_T read;
-
- unsigned char* data;
- int result = ERROR_SUCCESS;
-
- SYSTEM_INFO si;
- MEMORY_BASIC_INFORMATION mbi;
-
- YR_MEMORY_BLOCK* new_block;
- YR_MEMORY_BLOCK* current_block = NULL;
-
- TOKEN_PRIVILEGES tokenPriv;
- LUID luidDebug;
- HANDLE hProcess = NULL;
- HANDLE hToken = NULL;
-
- if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken) &&
- LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luidDebug))
- {
- tokenPriv.PrivilegeCount = 1;
- tokenPriv.Privileges[0].Luid = luidDebug;
- tokenPriv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
-
- AdjustTokenPrivileges(
- hToken,
- FALSE,
- &tokenPriv,
- sizeof(tokenPriv),
- NULL,
- NULL);
- }
-
- hProcess = OpenProcess(
- PROCESS_VM_READ | PROCESS_QUERY_INFORMATION,
- FALSE,
- pid);
-
- *first_block = NULL;
-
- if (hProcess == NULL)
- {
- if (hToken != NULL)
- CloseHandle(hToken);
-
- return ERROR_COULD_NOT_ATTACH_TO_PROCESS;
- }
-
- GetSystemInfo(&si);
-
- address = si.lpMinimumApplicationAddress;
- size_t allocated = 0;
-
- while (address < si.lpMaximumApplicationAddress &&
- VirtualQueryEx(hProcess, address, &mbi, sizeof(mbi)) != 0)
- {
- if (mbi.State == MEM_COMMIT && ((mbi.Protect & PAGE_NOACCESS) == 0))
- {
- data = (unsigned char*) yr_malloc(mbi.RegionSize);
-
- if (data == NULL)
- {
- result = ERROR_INSUFICIENT_MEMORY;
- break;
- }
-
- allocated += mbi.RegionSize;
-
- if (ReadProcessMemory(
- hProcess,
- mbi.BaseAddress,
- data,
- mbi.RegionSize,
- &read))
- {
- new_block = (YR_MEMORY_BLOCK*) yr_malloc(sizeof(YR_MEMORY_BLOCK));
-
- if (new_block == NULL)
- {
- yr_free(data);
- result = ERROR_INSUFICIENT_MEMORY;
- break;
- }
-
- if (*first_block == NULL)
- *first_block = new_block;
-
- new_block->base = (size_t) mbi.BaseAddress;
- new_block->size = mbi.RegionSize;
- new_block->data = data;
- new_block->next = NULL;
-
- if (current_block != NULL)
- current_block->next = new_block;
-
- current_block = new_block;
- }
- else
- {
- yr_free(data);
- }
- }
-
- address = (PVOID)((ULONG_PTR) mbi.BaseAddress + mbi.RegionSize);
- }
-
- printf("Allocated %lu bytes\n", allocated);
-
- if (hToken != NULL)
- CloseHandle(hToken);
-
- if (hProcess != NULL)
- CloseHandle(hProcess);
-
- return result;
-}
+//int yr_process_get_memory(
+// int pid,
+// YR_MEMORY_BLOCK** first_block)
+//{
+// PVOID address;
+// SIZE_T read;
+//
+// unsigned char* data;
+// int result = ERROR_SUCCESS;
+//
+// SYSTEM_INFO si;
+// MEMORY_BASIC_INFORMATION mbi;
+//
+// YR_MEMORY_BLOCK* new_block;
+// YR_MEMORY_BLOCK* current_block = NULL;
+//
+// TOKEN_PRIVILEGES tokenPriv;
+// LUID luidDebug;
+// HANDLE hProcess = NULL;
+// HANDLE hToken = NULL;
+//
+// if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken) &&
+// LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luidDebug))
+// {
+// tokenPriv.PrivilegeCount = 1;
+// tokenPriv.Privileges[0].Luid = luidDebug;
+// tokenPriv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
+//
+// AdjustTokenPrivileges(
+// hToken,
+// FALSE,
+// &tokenPriv,
+// sizeof(tokenPriv),
+// NULL,
+// NULL);
+// }
+//
+// hProcess = OpenProcess(
+// PROCESS_VM_READ | PROCESS_QUERY_INFORMATION,
+// FALSE,
+// pid);
+//
+// *first_block = NULL;
+//
+// if (hProcess == NULL)
+// {
+// if (hToken != NULL)
+// CloseHandle(hToken);
+//
+// return ERROR_COULD_NOT_ATTACH_TO_PROCESS;
+// }
+//
+// GetSystemInfo(&si);
+//
+// address = si.lpMinimumApplicationAddress;
+// size_t allocated = 0;
+//
+// while (address < si.lpMaximumApplicationAddress &&
+// VirtualQueryEx(hProcess, address, &mbi, sizeof(mbi)) != 0)
+// {
+// if (mbi.State == MEM_COMMIT && ((mbi.Protect & PAGE_NOACCESS) == 0))
+// {
+// data = (unsigned char*) yr_malloc(mbi.RegionSize);
+//
+// if (data == NULL)
+// {
+// result = ERROR_INSUFICIENT_MEMORY;
+// break;
+// }
+//
+// allocated += mbi.RegionSize;
+//
+// if (ReadProcessMemory(
+// hProcess,
+// mbi.BaseAddress,
+// data,
+// mbi.RegionSize,
+// &read))
+// {
+// new_block = (YR_MEMORY_BLOCK*) yr_malloc(sizeof(YR_MEMORY_BLOCK));
+//
+// if (new_block == NULL)
+// {
+// yr_free(data);
+// result = ERROR_INSUFICIENT_MEMORY;
+// break;
+// }
+//
+// if (*first_block == NULL)
+// *first_block = new_block;
+//
+// new_block->base = (size_t) mbi.BaseAddress;
+// new_block->size = mbi.RegionSize;
+// new_block->data = data;
+// new_block->next = NULL;
+//
+// if (current_block != NULL)
+// current_block->next = new_block;
+//
+// current_block = new_block;
+// }
+// else
+// {
+// yr_free(data);
+// }
+// }
+//
+// address = (PVOID)((ULONG_PTR) mbi.BaseAddress + mbi.RegionSize);
+// }
+//
+// printf("Allocated %lu bytes\n", allocated);
+//
+// if (hToken != NULL)
+// CloseHandle(hToken);
+//
+// if (hProcess != NULL)
+// CloseHandle(hProcess);
+//
+// return result;
+//}
#else
diff --git a/libyara/rules.c b/libyara/rules.c
index 1fec171..59f8fc0 100644
--- a/libyara/rules.c
+++ b/libyara/rules.c
@@ -236,6 +236,7 @@ void yr_rules_print_profiling_info(
int _yr_rules_scan_mem_block(
YR_RULES* rules,
+ uint8_t* block_data,
YR_MEMORY_BLOCK* block,
YR_SCAN_CONTEXT* context,
int timeout,
@@ -258,7 +259,7 @@ int _yr_rules_scan_mem_block(
FAIL_ON_ERROR(yr_scan_verify_match(
context,
ac_match,
- block->data,
+ block_data,
block->size,
block->base,
i - ac_match->backtrack));
@@ -267,12 +268,12 @@ int _yr_rules_scan_mem_block(
ac_match = ac_match->next;
}
- next_state = yr_ac_next_state(current_state, block->data[i]);
+ next_state = yr_ac_next_state(current_state, block_data[i]);
while (next_state == NULL && current_state->depth > 0)
{
current_state = current_state->failure;
- next_state = yr_ac_next_state(current_state, block->data[i]);
+ next_state = yr_ac_next_state(current_state, block_data[i]);
}
if (next_state != NULL)
@@ -296,7 +297,7 @@ int _yr_rules_scan_mem_block(
FAIL_ON_ERROR(yr_scan_verify_match(
context,
ac_match,
- block->data,
+ block_data,
block->size,
block->base,
block->size - ac_match->backtrack));
@@ -308,48 +309,31 @@ int _yr_rules_scan_mem_block(
return ERROR_SUCCESS;
}
-
+// Single block iterator impl TODO: belongs in this file?
YR_MEMORY_BLOCK* _yr_get_first_block(
YR_BLOCK_ITERATOR* iterator)
{
- YR_LIST_ITERATOR_CONTEXT* ctx = (YR_LIST_ITERATOR_CONTEXT*)iterator->context;
-
- ctx->current = ctx->head;
- return ctx->current;
+ YR_BLOCK_CONTEXT* ctx = (YR_BLOCK_CONTEXT*)iterator->context;
+ return ctx->block;
}
YR_MEMORY_BLOCK* _yr_get_next_block(
- YR_BLOCK_ITERATOR* iterator)
+ YR_BLOCK_ITERATOR*)
{
- YR_LIST_ITERATOR_CONTEXT* ctx = (YR_LIST_ITERATOR_CONTEXT*)iterator->context;
-
- if (ctx->current != NULL)
- {
- ctx->current = ctx->current->next;
- }
-
- return ctx->current;
+ return NULL;
}
uint8_t* _yr_fetch_block_data(
YR_BLOCK_ITERATOR* iterator)
{
- YR_LIST_ITERATOR_CONTEXT* ctx = (YR_LIST_ITERATOR_CONTEXT*)iterator->context;
-
- if (ctx->current != NULL)
- return ctx->current->data;
-
- return NULL;
+ YR_BLOCK_CONTEXT* ctx = (YR_BLOCK_CONTEXT*)iterator->context;
+ return ctx->data;
}
-void _yr_get_list_iterator(
+void _yr_init_single_block_iterator(
YR_BLOCK_ITERATOR* iterator,
- YR_LIST_ITERATOR_CONTEXT* context,
- YR_MEMORY_BLOCK* head)
+ YR_BLOCK_CONTEXT* context)
{
- context->current = NULL;
- context->head = head;
-
iterator->context = context;
iterator->first = _yr_get_first_block;
iterator->next = _yr_get_next_block;
@@ -404,7 +388,7 @@ YR_API int yr_rules_scan_mem_blocks(
context.callback = callback;
context.user_data = user_data;
context.file_size = block->size;
- context.mem_block = block;
+ context.iterator = iterator;
context.entry_point = UNDEFINED;
context.objects_table = NULL;
context.matches_arena = NULL;
@@ -454,12 +438,10 @@ YR_API int yr_rules_scan_mem_blocks(
while (block != NULL)
{
- // value copy so we don't modify the underlying block
- YR_MEMORY_BLOCK temp_block = *block;
- temp_block.data = iterator->fetch_data(iterator);
+ uint8_t* data = iterator->fetch_data(iterator);
- // fetch_data can fail
- if (temp_block.data == NULL)
+ // fetch may fail
+ if (data == NULL)
{
block = iterator->next(iterator);
continue;
@@ -470,20 +452,21 @@ YR_API int yr_rules_scan_mem_blocks(
YR_TRYCATCH({
if (flags & SCAN_FLAGS_PROCESS_MEMORY)
context.entry_point = yr_get_entry_point_address(
- temp_block.data,
- temp_block.size,
- temp_block.base);
+ data,
+ block->size,
+ block->base);
else
context.entry_point = yr_get_entry_point_offset(
- temp_block.data,
- temp_block.size);
+ data,
+ block->size);
},{});
}
YR_TRYCATCH({
result = _yr_rules_scan_mem_block(
rules,
- &temp_block,
+ data,
+ block,
&context,
timeout,
start_time);
@@ -586,18 +569,19 @@ YR_API int yr_rules_scan_mem(
int timeout)
{
YR_MEMORY_BLOCK block;
+ YR_BLOCK_CONTEXT context;
YR_BLOCK_ITERATOR iterator;
- YR_LIST_ITERATOR_CONTEXT list_context;
- block.data = buffer;
block.size = buffer_size;
block.base = 0;
block.next = NULL;
- _yr_get_list_iterator(
+ context.block = █
+ context.data = buffer;
+
+ _yr_init_single_block_iterator(
&iterator,
- &list_context,
- &block);
+ &context);
return yr_rules_scan_mem_blocks(
rules,
@@ -675,52 +659,6 @@ YR_API int yr_rules_scan_proc(
void* user_data,
int timeout)
{
- YR_MEMORY_BLOCK* first_block;
- YR_MEMORY_BLOCK* next_block;
- YR_MEMORY_BLOCK* block;
-
- YR_BLOCK_ITERATOR iterator;
- YR_LIST_ITERATOR_CONTEXT list_context;
-
- int result = yr_process_get_memory(pid, &first_block);
-
- _yr_get_list_iterator(
- &iterator,
- &list_context,
- first_block);
-
- if (result == ERROR_SUCCESS)
- result = yr_rules_scan_mem_blocks(
- rules,
- &iterator,
- flags | SCAN_FLAGS_PROCESS_MEMORY,
- callback,
- user_data,
- timeout);
-
- block = first_block;
-
- while (block != NULL)
- {
- next_block = block->next;
-
- yr_free(block->data);
- yr_free(block);
-
- block = next_block;
- }
-
- return result;
-}
-
-YR_API int yr_rules_scan_proc2(
- YR_RULES* rules,
- int pid,
- int flags,
- YR_CALLBACK_FUNC callback,
- void* user_data,
- int timeout)
-{
//YR_SECTION_READER* reader;
//int result = yr_open_section_reader(pid, &reader);
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git
More information about the forensics-changes
mailing list