[Forensics-changes] [yara] 201/368: Adding Linux block iterator
Hilko Bengen
bengen at moszumanska.debian.org
Sat Jul 1 10:30:39 UTC 2017
This is an automated email from the git hooks/post-receive script.
bengen pushed a commit to annotated tag v3.5.0
in repository yara.
commit 0fd32d574859ff275f874e6df4e7d93d0fd2b852
Author: Kyle Reed <kallanreed at outlook.com>
Date: Sun Feb 28 12:08:13 2016 -0800
Adding Linux block iterator
Signed-off-by: Kyle Reed <kallanreed at outlook.com>
---
libyara/proc.c | 203 +++++++++++++++++++++++++++++++++++----------------------
1 file changed, 126 insertions(+), 77 deletions(-)
diff --git a/libyara/proc.c b/libyara/proc.c
index cbabe6c..ffa6099 100644
--- a/libyara/proc.c
+++ b/libyara/proc.c
@@ -182,6 +182,34 @@ int _yr_read_process_block(
#include <mach/vm_region.h>
#include <mach/vm_statistics.h>
+int _yr_attach_process(
+ int pid,
+ void** hProcess)
+{
+ return ERROR_SUCCESS;
+}
+
+int _yr_detach_process(
+ void* hProcess)
+{
+ return ERROR_SUCCESS;
+}
+
+int _yr_get_process_blocks(
+ void* hProcess,
+ YR_MEMORY_BLOCK** head)
+{
+ return ERROR_SUCCESS;
+}
+
+int _yr_read_process_block(
+ void* hProcess,
+ YR_MEMORY_BLOCK* block,
+ uint8_t** data)
+{
+ return ERROR_SUCCESS;
+}
+
int yr_process_get_memory(
pid_t pid,
YR_MEMORY_BLOCK** first_block)
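Review bot: The four mach stubs return ERROR_SUCCESS without writing their out-parameters, so a caller that trusts the return code then reads whatever `*hProcess`, `*head` or `*data` happened to hold before the call. Either initialize them before returning (`*hProcess = NULL;`, `*head = NULL;`, `*data = NULL;`) or return an error code so that the platform is visibly unsupported rather than silently yielding an empty or stale block list. The signature of `yr_process_get_memory` still follows the stubs as context here; its body is outside the hunk.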
@@ -275,116 +303,137 @@ int yr_process_get_memory(
#include <errno.h>
-int yr_process_get_memory(
- pid_t pid,
- YR_MEMORY_BLOCK** first_block)
+struct _YR_PROCESS_CONTEXT
{
- char buffer[256];
- unsigned char* data = NULL;
- size_t begin, end, length;
+ int pid;
+ int mem_fd;
+ FILE* maps;
+ int attached;
+};
- YR_MEMORY_BLOCK* new_block;
- YR_MEMORY_BLOCK* current_block = NULL;
+int _yr_attach_process(
+ int pid,
+ void** context)
+{
+ char buffer[256];
- FILE *maps = NULL;
+ _YR_PROCESS_CONTEXT* ctx = (_YR_PROCESS_CONTEXT*)yr_malloc(sizeof(_YR_PROCESS_CONTEXT));
+ *context = ctx;
- int mem = -1;
- int result;
- int attached = 0;
+ if (ctx == NULL)
+ return ERROR_INSUFICIENT_MEMORY;
- *first_block = NULL;
+ ctx->pid = pid;
+ ctx->maps = NULL;
+ ctx->mem_fd = -1;
+ ctx->attached = 0;
snprintf(buffer, sizeof(buffer), "/proc/%u/maps", pid);
+ ctx->maps = fopen(buffer, "r");
- maps = fopen(buffer, "r");
-
- if (maps == NULL)
- {
- result = ERROR_COULD_NOT_ATTACH_TO_PROCESS;
- goto _exit;
- }
+ if (ctx->maps == NULL)
+ return ERROR_COULD_NOT_ATTACH_TO_PROCESS;
snprintf(buffer, sizeof(buffer), "/proc/%u/mem", pid);
+ ctx->mem_fd = open(buffer, O_RDONLY);
- mem = open(buffer, O_RDONLY);
-
- if (mem == -1)
- {
- result = ERROR_COULD_NOT_ATTACH_TO_PROCESS;
- goto _exit;
- }
+ if (ctx->mem_fd != -1)
+ return ERROR_COULD_NOT_ATTACH_TO_PROCESS;
if (ptrace(PTRACE_ATTACH, pid, NULL, 0) != -1)
- {
- attached = 1;
- }
+ ctx->attached = 1;
else
- {
- result = ERROR_COULD_NOT_ATTACH_TO_PROCESS;
- goto _exit;
- }
+ return ERROR_COULD_NOT_ATTACH_TO_PROCESS;
wait(NULL);
- while (fgets(buffer, sizeof(buffer), maps) != NULL)
- {
- sscanf(buffer, "%zx-%zx", &begin, &end);
+ return ERROR_SUCCESS;
+}
- length = end - begin;
+int _yr_detach_process(
+ void* context)
+{
+ if (context == NULL)
+ return ERROR_SUCCESS;
- data = yr_malloc(length);
+ _YR_PROCESS_CONTEXT* ctx = (_YR_PROCESS_CONTEXT*)context;
- if (data == NULL)
- {
- result = ERROR_INSUFICIENT_MEMORY;
- goto _exit;
- }
+ if(ctx->attached)
+ ptrace(PTRACE_DETACH, ctx->pid, NULL, 0);
- if (pread(mem, data, length, begin) != -1)
- {
- new_block = (YR_MEMORY_BLOCK*) yr_malloc(sizeof(YR_MEMORY_BLOCK));
+ if (ctx->mem_fd != -1)
+ close(context->mem_fd);
- if (new_block == NULL)
- {
- result = ERROR_INSUFICIENT_MEMORY;
- goto _exit;
- }
+ if (ctx->maps != NULL)
+ fclose(ctx->maps);
- if (*first_block == NULL)
- *first_block = new_block;
+ yr_free(ctx);
+}
- new_block->base = begin;
- new_block->size = length;
- new_block->data = data;
- new_block->next = NULL;
+int _yr_get_process_blocks(
+ void* context,
+ YR_MEMORY_BLOCK** head)
+{
+ char buffer[256];
+ size_t begin, end;
- if (current_block != NULL)
- current_block->next = new_block;
+ YR_MEMORY_BLOCK* new_block;
+ YR_MEMORY_BLOCK* current = NULL;
- current_block = new_block;
- }
- else
- {
- yr_free(data);
- data = NULL;
- }
+ _YR_PROCESS_CONTEXT* ctx = (_YR_PROCESS_CONTEXT*)context;
+
+ while (fgets(buffer, sizeof(buffer), ctx->maps) != NULL)
+ {
+ sscanf(buffer, "%zx-%zx", &begin, &end);
+
+ new_block = (YR_MEMORY_BLOCK*)yr_malloc(sizeof(YR_MEMORY_BLOCK));
+
+ if (new_block == NULL)
+ return ERROR_INSUFICIENT_MEMORY;
+
+ new_block->base = begin;
+ new_block->size = end - begin;
+
+ if (*head == NULL)
+ *head = new_block;
+
+ if (current != NULL)
+ current->next = new_block;
+
+ current = new_block;
}
- result = ERROR_SUCCESS;
+ return ERROR_SUCCESS;
+}
+
+int _yr_read_process_block(
+ void* context,
+ YR_MEMORY_BLOCK* block,
+ uint8_t** data)
+{
+ uint8_t* buffer = NULL;
+ int result = ERROR_SUCCESS;
+ *data = NULL;
+
+ _YR_PROCESS_CONTEXT* ctx = (_YR_PROCESS_CONTEXT*)context;
-_exit:
+ buffer = (uint8_t*)yr_malloc(block->size);
- if (attached)
- ptrace(PTRACE_DETACH, pid, NULL, 0);
+ if (buffer == NULL)
+ return ERROR_INSUFICIENT_MEMORY;
- if (mem != -1)
- close(mem);
+ if (pread(ctx->mem_fd, data, block->size, block->base) == -1)
+ {
+ result = ERROR_COULD_NOT_READ_PROCESS_MEMORY;
- if (maps != NULL)
- fclose(maps);
+ if (buffer != NULL)
+ {
+ yr_free(buffer);
+ buffer = NULL;
+ }
+ }
- if (data != NULL)
- yr_free(data);
+ *data = buffer;
return result;
}
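Review bot: The open() check in `_yr_attach_process` is inverted — `if (ctx->mem_fd != -1) return ERROR_COULD_NOT_ATTACH_TO_PROCESS;` fails exactly when `/proc/<pid>/mem` opened and carries on with `mem_fd == -1` when it did not, so every later pread() in `_yr_read_process_block` fails; it should test `== -1`. The same hunk has three further defects in the new code: `_yr_detach_process` writes `close(context->mem_fd)` through the untyped `void*` (should be `ctx->mem_fd`) and falls off the end of an `int` function without a return; `_yr_read_process_block` passes `data` (the `uint8_t**` out-parameter) to pread() instead of the freshly allocated `buffer`, so the read clobbers the caller's pointer variable rather than filling the block; and `_yr_get_process_blocks` no longer sets `new_block->next = NULL` as the removed code did, so the tail link of the list handed back through `*head` is uninitialized for whoever walks it. The sscanf() result on each maps line is also unchecked, leaving `begin`/`end` undefined on a malformed line; skipping such lines is the least surprising handling. The `if (buffer != NULL)` guard before yr_free in the read path is redundant, since that branch is only reached after the NULL check above it.
```c
  // … unchanged: maps fopen and /proc/<pid>/mem path …
  if (ctx->mem_fd == -1)
    return ERROR_COULD_NOT_ATTACH_TO_PROCESS;
  // … unchanged: ptrace attach, wait, return …

// _yr_detach_process
  if (ctx->mem_fd != -1)
    close(ctx->mem_fd);
  // … unchanged: fclose maps, yr_free ctx …
  return ERROR_SUCCESS;

// _yr_get_process_blocks
    if (sscanf(buffer, "%zx-%zx", &begin, &end) != 2)
      continue;
    // … unchanged: allocation, base/size …
    new_block->next = NULL;

// _yr_read_process_block
  if (pread(ctx->mem_fd, buffer, block->size, block->base) == -1)
```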
--