[Forensics-changes] [yara] 113/192: Expose rva_to_offset in PE module
Hilko Bengen
bengen at moszumanska.debian.org
Sat Jul 1 10:31:54 UTC 2017
This is an automated email from the git hooks/post-receive script.
bengen pushed a commit to annotated tag v3.6.0
in repository yara.
commit a432736c5e093bd07c205a05a2cc6384e7892210
Author: Wesley Shields <wxs at atarininja.org>
Date: Wed Mar 15 11:13:38 2017 -0400
Expose rva_to_offset in PE module
---
docs/modules/pe.rst | 8 ++++++++
libyara/modules/pe.c | 21 +++++++++++++++++++++
2 files changed, 29 insertions(+)
diff --git a/docs/modules/pe.rst b/docs/modules/pe.rst
index 0d0b5d8..4b0e19b 100644
--- a/docs/modules/pe.rst
+++ b/docs/modules/pe.rst
@@ -627,3 +627,11 @@ Reference
Function returning true if the PE is 64bits.
*Example: pe.is_64bit()*
+
+.. c:function:: rva_to_offset(addr)
+
+ .. versionadded:: 3.6.0
+
+ Function returning the file offset for RVA *addr*.
+
+ *Example: pe.rva_to_offset(pe.entry_point)*
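Review bot: the new description `Function returning the file offset for RVA *addr*.` does not say what the function yields when the translation fails; the pe.c hunk in this same commit returns undefined both when the module has no PE data (`pe == NULL`) and when `pe_rva_to_offset` returns -1, so the entry should state that, e.g. `Function returning the file offset for RVA *addr*, or undefined if the file is not a PE or the RVA cannot be mapped to a file offset.` Rule authors otherwise have no way to know the result can be undefined in a condition.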
diff --git a/libyara/modules/pe.c b/libyara/modules/pe.c
index 9d141b9..b409c11 100644
--- a/libyara/modules/pe.c
+++ b/libyara/modules/pe.c
@@ -1916,6 +1916,25 @@ define_function(calculate_checksum)
}
+define_function(rva_to_offset)
+{
+ YR_OBJECT* module = module();
+ PE* pe = (PE*) module->data;
+
+ uint64_t rva, offset;
+
+ if (pe == NULL)
+ return_integer(UNDEFINED);
+
+ rva = integer_argument(1);
+ offset = pe_rva_to_offset(pe, rva);
+ if (offset == -1)
+ return_integer(UNDEFINED);
+
+ return_integer(offset);
+}
+
+
begin_declarations;
declare_integer("MACHINE_UNKNOWN");
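Review bot: `offset` is declared `uint64_t` but the failure check is `if (offset == -1)`, so the sentinel comparison only works through the implicit conversion of -1 to the maximum unsigned value; declare `offset` as `int64_t` (the signed type the -1 sentinel implies) so the check is explicit and a negative return is never mistaken for a valid offset. Likewise `rva = integer_argument(1);` stores a signed rule argument into a `uint64_t`, so a negative value in a rule silently becomes a huge RVA; consider returning undefined for negative input before calling `pe_rva_to_offset`. Minor style: the two trailing `+` blank lines before `begin_declarations;` leave a double blank line where one is enough.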
@@ -2131,6 +2150,8 @@ begin_declarations;
declare_integer("number_of_signatures");
#endif
+ declare_function("rva_to_offset", "i", "i", rva_to_offset);
+
end_declarations;
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git