[Forensics-changes] [yara] 12/192: Add number_of_imports to PE. (#501)

Hilko Bengen bengen at moszumanska.debian.org
Sat Jul 1 10:31:41 UTC 2017


This is an automated email from the git hooks/post-receive script.

bengen pushed a commit to annotated tag v3.6.0
in repository yara.

commit 3fe2c3737c46f456a2d29ba0dee0285ca3e856c6
Author: Wesley Shields <wxs at atarininja.org>
Date:   Thu Aug 18 12:58:38 2016 -0400

    Add number_of_imports to PE. (#501)
    
    * Add number_of_imports to PE.
    
    Expose the number of imports parsed by YARA in the PE module. Sometimes this can
    be useful to know, especially if there are zero imports, as that may be a sign
    that something is obfuscated. For example,
    f0501b0b3990dab0d8644729da02acb8ea5f39765b820626dc8873f60f787980 has zero
    imports because the import table has been nulled out.
    
    * Add number_of_imports docs.
---
 docs/modules/pe.rst  | 6 ++++++
 libyara/modules/pe.c | 3 +++
 2 files changed, 9 insertions(+)

diff --git a/docs/modules/pe.rst b/docs/modules/pe.rst
index a32f774..dae2229 100644
--- a/docs/modules/pe.rst
+++ b/docs/modules/pe.rst
@@ -472,6 +472,12 @@ Reference
 
     *Example:  pe.exports("CPlApplet")*
 
+.. c:type:: number_of_imports
+
+    .. versionadded:: 3.6.0
+
+    Number of imports in the PE.
+
 .. c:function:: imports(dll_name, function_name)
 
     Function returning true if the PE imports *function_name* from *dll_name*,
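Review bot: the new docs entry "Number of imports in the PE." leaves open whether the value counts import descriptors (one per DLL) or individual imported functions, and the variable name `num_imports` in the pe.c hunk does not settle it either; the commit message is also more precise than the docs, saying it is the number of imports *parsed by YARA*, which can be lower than what the file actually contains if parsing stops early. Suggest stating both in the docs, e.g. "Number of import entries (one per DLL / per function, whichever applies) that YARA was able to parse from the import table.", so that a rule written as `pe.number_of_imports == 0` is not misread as a statement about the file rather than about the parser.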
diff --git a/libyara/modules/pe.c b/libyara/modules/pe.c
index fac99b7..d2bd381 100644
--- a/libyara/modules/pe.c
+++ b/libyara/modules/pe.c
@@ -922,6 +922,7 @@ IMPORTED_DLL* pe_parse_imports(
     imports++;
   }
 
+  set_integer(num_imports, pe->object, "number_of_imports");
   return head;
 }
 
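Review bot: `set_integer(num_imports, pe->object, "number_of_imports")` runs only at the very end of pe_parse_imports, immediately before `return head;`. If the function has any early-return path above this line, or is not called at all when the import directory is absent or unparseable, the field is never set and stays undefined rather than becoming 0; in a YARA condition an undefined value does not compare equal to 0, so `pe.number_of_imports == 0` would fail to match exactly the nulled-import-table case the commit message gives as the motivating example. Consider setting the field to 0 up front (or in the caller, before pe_parse_imports is invoked) and overwriting it with the parsed count here.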
@@ -2007,6 +2008,8 @@ begin_declarations;
   declare_function("is_32bit", "", "i", is_32bit);
   declare_function("is_64bit", "", "i", is_64bit);
 
+  declare_integer("number_of_imports");
+
   declare_integer("resource_timestamp");
 
   begin_struct("resource_version");
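Review bot: `declare_integer("number_of_imports")` is placed between the `is_32bit`/`is_64bit` function declarations and `resource_timestamp`, which is unrelated to imports. The docs hunk puts the new field directly before `imports(dll_name, function_name)`; mirroring that ordering in pe.c, next to the other import-related declarations, would keep the module's declaration block consistent with its documentation.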

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git
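As an added illustration of what the new field measures (example code written for this note, not part of YARA or of the commit above): a small Python parser that walks a PE's import directory and counts IMAGE_IMPORT_DESCRIPTOR entries until the null terminator, returning 0 both for a table that has been nulled out, the case the commit message cites, and for a file whose import data directory is empty. It builds its own constructed PE32 fixtures, so it runs offline. Counting one entry per descriptor (i.e. per DLL), the 16384 iteration cap and every header field value are assumptions of this example; whether YARA's `num_imports` counts descriptors or individual functions is not visible in the hunk.

```python
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1   # data directory slot of the import table
IMPORT_DESCRIPTOR_SIZE = 20        # sizeof(IMAGE_IMPORT_DESCRIPTOR)
MAX_IMPORTS = 16384                # assumed cap so a corrupt table cannot loop forever


def build_pe(dll_names, null_out_table=False, drop_directory=False):
    """Constructed fixture: a minimal PE32 whose single .idata section holds an
    import descriptor table (+ null terminator) followed by the DLL name strings.
    null_out_table overwrites the table with zeros; drop_directory leaves the
    import data directory entry empty."""
    sect_rva, sect_raw = 0x1000, 0x200
    names_off = (len(dll_names) + 1) * IMPORT_DESCRIPTOR_SIZE
    table, names = b"", b""
    for dll in dll_names:
        name_rva = sect_rva + names_off + len(names)
        names += dll.encode() + b"\0"
        # OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
        table += struct.pack("<5I", 0, 0, 0, name_rva, 0)
    table += b"\0" * IMPORT_DESCRIPTOR_SIZE          # terminating null descriptor
    if null_out_table:
        table = b"\0" * len(table)                    # "nulled out" import table
    section = (table + names).ljust(0x200, b"\0")

    dirs = [(0, 0)] * 16
    if not drop_directory:
        dirs[IMAGE_DIRECTORY_ENTRY_IMPORT] = (sect_rva, len(table))
    dirs_bytes = b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    # PE32 optional header: Magic, linker versions, 9 dwords, 6 words, 4 dwords,
    # Subsystem/DllCharacteristics, 6 dwords (last one is NumberOfRvaAndSizes).
    opt = struct.pack("<HBB9I6H4I2H6I", 0x10B, 0, 0,
                      0, 0x200, 0, 0, 0, sect_rva, 0x400000, 0x1000, 0x200,
                      4, 0, 0, 0, 4, 0,
                      0, 0x2000, 0x200, 0,
                      2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, len(dirs))
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt) + len(dirs_bytes), 0x102)
    sect_hdr = struct.pack("<8s6I2HI", b".idata", 0x200, sect_rva, 0x200, sect_raw,
                           0, 0, 0, 0, 0xC0000040)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    headers = dos + b"PE\0\0" + coff + opt + dirs_bytes + sect_hdr
    return headers.ljust(sect_raw, b"\0") + section


def count_imports(data):
    """Number of import descriptors reachable from the import data directory.
    Returns None for non-PE input and 0 when there is no usable table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    nsect = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dir_off = opt_off + (96 if magic == 0x10B else 112)    # PE32 vs PE32+
    ndirs = struct.unpack_from("<I", data, dir_off - 4)[0]
    if ndirs <= IMAGE_DIRECTORY_ENTRY_IMPORT:
        return 0
    imp_rva, _imp_size = struct.unpack_from("<II", data, dir_off + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    if imp_rva == 0:
        return 0                                            # no import directory at all
    # Translate the RVA to a file offset through the section table.
    sect_off = opt_off + opt_size
    file_off = None
    for i in range(nsect):
        vsize, va, rsize, raw = struct.unpack_from("<4I", data, sect_off + 40 * i + 8)
        if va <= imp_rva < va + max(vsize, rsize):
            file_off = raw + (imp_rva - va)
            break
    if file_off is None:
        return 0                                            # RVA points outside every section
    count = 0
    while count < MAX_IMPORTS and file_off + IMPORT_DESCRIPTOR_SIZE <= len(data):
        if struct.unpack_from("<I", data, file_off + 12)[0] == 0:   # Name == 0 terminates
            break
        count += 1
        file_off += IMPORT_DESCRIPTOR_SIZE
    return count


if __name__ == "__main__":
    fixtures = [
        ("normal", build_pe(["KERNEL32.dll", "USER32.dll"])),
        ("nulled table", build_pe(["KERNEL32.dll"], null_out_table=True)),
        ("no directory", build_pe(["KERNEL32.dll"], drop_directory=True)),
    ]
    for label, pe in fixtures:
        print(f"{label}: number_of_imports = {count_imports(pe)}")
```

The two zero cases are the ones a rule such as `pe.number_of_imports == 0` is meant to catch; note that the parser returns an explicit 0 for them rather than leaving the value unset, which is what a rule author needs for that comparison to hold.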