
DBG: added yara library

Mr. eXoDia 2015-04-02 12:29:25 +02:00
parent 4798a29660
commit 669190db22
41 changed files with 4093 additions and 2 deletions


@ -31,6 +31,7 @@ copy bin\x32\jansson.dll %RELEASEDIR%\bin_base\x32\jansson.dll
copy bin\x32\lz4.dll %RELEASEDIR%\bin_base\x32\lz4.dll
copy bin\x32\TitanEngine.dll %RELEASEDIR%\bin_base\x32\TitanEngine.dll
copy bin\x32\XEDParse.dll %RELEASEDIR%\bin_base\x32\XEDParse.dll
copy bin\x32\yara.dll %RELEASEDIR%\bin_base\x32\yara.dll
copy bin\x64\BeaEngine.dll %RELEASEDIR%\bin_base\x64\BeaEngine.dll
copy bin\x64\dbghelp.dll %RELEASEDIR%\bin_base\x64\dbghelp.dll
copy bin\x64\symsrv.dll %RELEASEDIR%\bin_base\x64\symsrv.dll
@ -40,6 +41,7 @@ copy bin\x64\jansson.dll %RELEASEDIR%\bin_base\x64\jansson.dll
copy bin\x64\lz4.dll %RELEASEDIR%\bin_base\x64\lz4.dll
copy bin\x64\TitanEngine.dll %RELEASEDIR%\bin_base\x64\TitanEngine.dll
copy bin\x64\XEDParse.dll %RELEASEDIR%\bin_base\x64\XEDParse.dll
copy bin\x64\yara.dll %RELEASEDIR%\bin_base\x64\yara.dll
echo help
@ -57,6 +59,8 @@ mkdir %RELEASEDIR%\pluginsdk\jansson
mkdir %RELEASEDIR%\pluginsdk\lz4
mkdir %RELEASEDIR%\pluginsdk\TitanEngine
mkdir %RELEASEDIR%\pluginsdk\XEDParse
mkdir %RELEASEDIR%\pluginsdk\yara
mkdir %RELEASEDIR%\pluginsdk\yara\yara
xcopy x64_dbg_dbg\BeaEngine %RELEASEDIR%\pluginsdk\BeaEngine /S /Y
xcopy x64_dbg_dbg\dbghelp %RELEASEDIR%\pluginsdk\dbghelp /S /Y
@ -66,6 +70,7 @@ xcopy x64_dbg_dbg\lz4 %RELEASEDIR%\pluginsdk\lz4 /S /Y
xcopy x64_dbg_dbg\TitanEngine %RELEASEDIR%\pluginsdk\TitanEngine /S /Y
del %RELEASEDIR%\pluginsdk\TitanEngine\TitanEngine.txt /F /Q
xcopy x64_dbg_dbg\XEDParse %RELEASEDIR%\pluginsdk\XEDParse /S /Y
xcopy x64_dbg_dbg\yara %RELEASEDIR%\pluginsdk\yara /S /Y
copy x64_dbg_dbg\_plugin_types.h %RELEASEDIR%\pluginsdk\_plugin_types.h
copy x64_dbg_dbg\_plugins.h %RELEASEDIR%\pluginsdk\_plugins.h
copy x64_dbg_dbg\_dbgfunctions.h %RELEASEDIR%\pluginsdk\_dbgfunctions.h


@ -19,6 +19,7 @@
#include <tlhelp32.h>
#include "..\x64_dbg_bridge\bridgemain.h"
#include "jansson\jansson.h"
#include "yara\yara.h"
#include "DeviceNameResolver\DeviceNameResolver.h"
#include "handle.h"
#include "stringutils.h"


@ -1530,3 +1530,8 @@ CMDRESULT cbInstrFindAsm(int argc, char* argv[])
varset("$result", found, false);
return STATUS_CONTINUE;
}
CMDRESULT cbInstrYara(int argc, char* argv[])
{
return STATUS_CONTINUE;
}
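Review bot: `cbInstrYara` returns `STATUS_CONTINUE` without looking at `argc` or `argv` and without doing any work, so a script that runs the `yara` command gets a success result although nothing was compiled or scanned. Until the scan exists, the stub should report that it is not implemented and return the failure result that the other handlers in this file use (presumably `return STATUS_ERROR;`), so a triage script cannot mistake "no output" for "no match". A comment such as `//TODO: stub, no rules are loaded and no memory is scanned yet` above the return would also help. When the body is written, check `argc` before indexing `argv` and treat the rules file path and its contents as untrusted input.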


@ -62,5 +62,6 @@ CMDRESULT cbInstrFunctionList(int argc, char* argv[]);
CMDRESULT cbInstrLoopList(int argc, char* argv[]);
CMDRESULT cbInstrSleep(int argc, char* argv[]);
CMDRESULT cbInstrFindAsm(int argc, char* argv[]);
CMDRESULT cbInstrYara(int argc, char* argv[]);
#endif // _INSTRUCTIONS_H


@ -189,6 +189,7 @@ static void registercommands()
dbgcmdnew("getstr\1strget", cbInstrGetstr, false); //get a string variable
dbgcmdnew("copystr\1strcpy", cbInstrCopystr, true); //write a string variable to memory
dbgcmdnew("looplist", cbInstrLoopList, true); //list loops
dbgcmdnew("yara", cbInstrYara, true); //yara test command
}
static bool cbCommandProvider(char* cmd, int maxlen)
@ -239,6 +240,8 @@ extern "C" DLL_EXPORT const char* _dbg_dbginit()
dbginit();
dbgfunctionsinit();
json_set_alloc_funcs(emalloc_json, efree_json);
if(yr_initialize() != ERROR_SUCCESS)
return "Failed to initialize Yara!";
wchar_t wszDir[deflen] = L"";
if(!GetModuleFileNameW(hInst, wszDir, deflen))
return "GetModuleFileNameW failed!";
@ -306,6 +309,7 @@ extern "C" DLL_EXPORT void _dbg_dbgexitsignal()
cmdfree(command_list);
varfree();
msgfreestack(gMsgStack);
yr_finalize();
if(memleaks())
{
char msg[256] = "";
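Review bot: In `_dbg_dbginit` a failing `yr_initialize()` now aborts debugger start-up with "Failed to initialize Yara!", although the only consumer added by this commit is the `yara` test command registered in `registercommands`. It may be preferable to record the failure and leave that one command unavailable rather than refuse to load. `yr_finalize()` in `_dbg_dbgexitsignal` is called unconditionally, and nothing visible in these hunks records whether initialisation succeeded, so a flag set after the successful call and checked before finalising would keep the pair balanced. A comment on the init line, e.g. `//must run before any yara command; paired with yr_finalize() in _dbg_dbgexitsignal`, would document the ordering. All three functions continue outside the hunks shown.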


@ -110,6 +110,36 @@
<ClInclude Include="variable.h" />
<ClInclude Include="x64_dbg.h" />
<ClInclude Include="XEDParse\XEDParse.h" />
<ClInclude Include="yara\yara.h" />
<ClInclude Include="yara\yara\ahocorasick.h" />
<ClInclude Include="yara\yara\arena.h" />
<ClInclude Include="yara\yara\atoms.h" />
<ClInclude Include="yara\yara\compiler.h" />
<ClInclude Include="yara\yara\elf.h" />
<ClInclude Include="yara\yara\error.h" />
<ClInclude Include="yara\yara\exec.h" />
<ClInclude Include="yara\yara\exefiles.h" />
<ClInclude Include="yara\yara\filemap.h" />
<ClInclude Include="yara\yara\globals.h" />
<ClInclude Include="yara\yara\hash.h" />
<ClInclude Include="yara\yara\hex_lexer.h" />
<ClInclude Include="yara\yara\lexer.h" />
<ClInclude Include="yara\yara\libyara.h" />
<ClInclude Include="yara\yara\limits.h" />
<ClInclude Include="yara\yara\mem.h" />
<ClInclude Include="yara\yara\modules.h" />
<ClInclude Include="yara\yara\object.h" />
<ClInclude Include="yara\yara\parser.h" />
<ClInclude Include="yara\yara\pe.h" />
<ClInclude Include="yara\yara\proc.h" />
<ClInclude Include="yara\yara\re.h" />
<ClInclude Include="yara\yara\re_lexer.h" />
<ClInclude Include="yara\yara\rules.h" />
<ClInclude Include="yara\yara\scan.h" />
<ClInclude Include="yara\yara\sizedstr.h" />
<ClInclude Include="yara\yara\strutils.h" />
<ClInclude Include="yara\yara\types.h" />
<ClInclude Include="yara\yara\utils.h" />
<ClInclude Include="_exports.h" />
<ClInclude Include="_dbgfunctions.h" />
<ClInclude Include="_global.h" />
@ -163,7 +193,7 @@
<SubSystem>Windows</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<AdditionalDependencies>lz4\lz4_x86.lib;jansson\jansson_x86.lib;DeviceNameResolver\DeviceNameResolver_x86.lib;XEDParse\XEDParse_x86.lib;$(SolutionDir)bin\x32\x32_bridge.lib;dbghelp\dbghelp_x86.lib;TitanEngine\TitanEngine_x86.lib;BeaEngine\BeaEngine.lib;psapi.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;shlwapi.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>yara\yara_x86.lib;lz4\lz4_x86.lib;jansson\jansson_x86.lib;DeviceNameResolver\DeviceNameResolver_x86.lib;XEDParse\XEDParse_x86.lib;$(SolutionDir)bin\x32\x32_bridge.lib;dbghelp\dbghelp_x86.lib;TitanEngine\TitanEngine_x86.lib;BeaEngine\BeaEngine.lib;psapi.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;shlwapi.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
@ -178,7 +208,7 @@
<SubSystem>Windows</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<AdditionalDependencies>lz4\lz4_x64.lib;jansson\jansson_x64.lib;DeviceNameResolver\DeviceNameResolver_x64.lib;XEDParse\XEDParse_x64.lib;$(SolutionDir)bin\x64\x64_bridge.lib;dbghelp\dbghelp_x64.lib;TitanEngine\TitanEngine_x64.lib;BeaEngine\BeaEngine_64.lib;psapi.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;shlwapi.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>yara\yara_x64.lib;lz4\lz4_x64.lib;jansson\jansson_x64.lib;DeviceNameResolver\DeviceNameResolver_x64.lib;XEDParse\XEDParse_x64.lib;$(SolutionDir)bin\x64\x64_bridge.lib;dbghelp\dbghelp_x64.lib;TitanEngine\TitanEngine_x64.lib;BeaEngine\BeaEngine_64.lib;psapi.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;shlwapi.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
</ItemDefinitionGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
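Review bot: `yara\yara_x86.lib` and `yara\yara_x64.lib` are added to `AdditionalDependencies` as prebuilt binaries, and neither the project file nor the commit message records which upstream YARA release they and the copied headers come from, or how they were built. YARA parses attacker-influenced input (rule files and scanned memory), so knowing the exact version matters for judging exposure to upstream parser fixes. A short text file under `x64_dbg_dbg/yara` naming the upstream version or commit, the build configuration and a checksum for each shipped `.lib` and `.dll` would make the binaries verifiable and later updates traceable. Only the Release configurations are visible in these hunks; whether the Debug configurations link the library as well cannot be seen here.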


@ -67,6 +67,12 @@
<Filter Include="Header Files\Information">
<UniqueIdentifier>{b006b04c-d7ea-49cb-b097-0cac1388f98e}</UniqueIdentifier>
</Filter>
<Filter Include="Header Files\Third Party\yara">
<UniqueIdentifier>{efe5d058-e77c-49e9-a25b-75b90346dbf2}</UniqueIdentifier>
</Filter>
<Filter Include="Header Files\Third Party\yara\yara">
<UniqueIdentifier>{f79c5166-e315-44ca-9e93-dabc9f00fa78}</UniqueIdentifier>
</Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="main.cpp">
@ -377,5 +383,95 @@
<ClInclude Include="dbghelp_safe.h">
<Filter>Header Files\Utilities</Filter>
</ClInclude>
<ClInclude Include="yara\yara.h">
<Filter>Header Files\Third Party\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\ahocorasick.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\arena.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\atoms.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\compiler.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\elf.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\error.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\exec.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\exefiles.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\filemap.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\globals.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\hash.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\hex_lexer.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\lexer.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\libyara.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\limits.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\mem.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\modules.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\object.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\parser.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\pe.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\proc.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\re.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\re_lexer.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\rules.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\scan.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\sizedstr.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\strutils.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\types.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\utils.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
</ItemGroup>
</Project>

28
x64_dbg_dbg/yara/yara.h Normal file

@ -0,0 +1,28 @@
/*
Copyright (c) 2007-2013. The YARA Authors. All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#ifndef YR_YARA_H
#define YR_YARA_H
#include "yara/utils.h"
#include "yara/filemap.h"
#include "yara/compiler.h"
#include "yara/modules.h"
#include "yara/object.h"
#include "yara/libyara.h"
#include "yara/error.h"
#endif


@ -0,0 +1,50 @@
/*
Copyright (c) 2013. The YARA Authors. All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#ifndef _AHOCORASICK_H
#define _AHOCORASICK_H
#include "limits.h"
#include "atoms.h"
#include "types.h"
int yr_ac_create_automaton(
YR_ARENA* arena,
YR_AC_AUTOMATON** automaton);
int yr_ac_add_string(
YR_ARENA* arena,
YR_AC_AUTOMATON* automaton,
YR_STRING* string,
YR_ATOM_LIST_ITEM* atom);
YR_AC_STATE* yr_ac_next_state(
YR_AC_STATE* state,
uint8_t input);
int yr_ac_create_failure_links(
YR_ARENA* arena,
YR_AC_AUTOMATON* automaton);
void yr_ac_print_automaton(
YR_AC_AUTOMATON* automaton);
#endif


@ -0,0 +1,151 @@
/*
Copyright (c) 2013. The YARA Authors. All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#ifndef YR_ARENA_H
#define YR_ARENA_H
#include <stdint.h>
#include <stddef.h>
#define ARENA_FLAGS_FIXED_SIZE 1
#define ARENA_FLAGS_COALESCED 2
#define ARENA_FILE_VERSION 6
#define EOL ((size_t) -1)
typedef struct _YR_RELOC
{
int32_t offset;
struct _YR_RELOC* next;
} YR_RELOC;
typedef struct _YR_ARENA_PAGE
{
uint8_t* new_address;
uint8_t* address;
size_t size;
size_t used;
YR_RELOC* reloc_list_head;
YR_RELOC* reloc_list_tail;
struct _YR_ARENA_PAGE* next;
struct _YR_ARENA_PAGE* prev;
} YR_ARENA_PAGE;
typedef struct _YR_ARENA
{
int flags;
YR_ARENA_PAGE* page_list_head;
YR_ARENA_PAGE* current_page;
} YR_ARENA;
int yr_arena_create(
size_t initial_size,
int flags,
YR_ARENA** arena);
void yr_arena_destroy(
YR_ARENA* arena);
void* yr_arena_base_address(
YR_ARENA* arena);
void* yr_arena_next_address(
YR_ARENA* arena,
void* address,
int offset);
int yr_arena_coalesce(
YR_ARENA* arena);
int yr_arena_reserve_memory(
YR_ARENA* arena,
size_t size);
int yr_arena_allocate_memory(
YR_ARENA* arena,
size_t size,
void** allocated_memory);
int yr_arena_allocate_struct(
YR_ARENA* arena,
size_t size,
void** allocated_memory,
...);
int yr_arena_make_relocatable(
YR_ARENA* arena,
void* base,
...);
int yr_arena_write_data(
YR_ARENA* arena,
void* data,
size_t size,
void** written_data);
int yr_arena_write_string(
YR_ARENA* arena,
const char* string,
char** written_string);
int yr_arena_append(
YR_ARENA* target_arena,
YR_ARENA* source_arena);
int yr_arena_save(
YR_ARENA* arena,
const char* filename);
int yr_arena_load(
const char* filename,
YR_ARENA** arena);
int yr_arena_duplicate(
YR_ARENA* arena,
YR_ARENA** duplicated);
void yr_arena_print(
YR_ARENA* arena);
#endif


@ -0,0 +1,89 @@
/*
Copyright (c) 2013. The YARA Authors. All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#ifndef YR_ATOMS_H
#define YR_ATOMS_H
#include "limits.h"
#include "re.h"
#define ATOM_TREE_LEAF 1
#define ATOM_TREE_AND 2
#define ATOM_TREE_OR 3
typedef struct _ATOM_TREE_NODE
{
uint8_t type;
uint8_t atom_length;
uint8_t atom[MAX_ATOM_LENGTH];
uint8_t* forward_code;
uint8_t* backward_code;
RE_NODE* recent_nodes[MAX_ATOM_LENGTH];
struct _ATOM_TREE_NODE* children_head;
struct _ATOM_TREE_NODE* children_tail;
struct _ATOM_TREE_NODE* next_sibling;
} ATOM_TREE_NODE;
typedef struct _ATOM_TREE
{
ATOM_TREE_NODE* current_leaf;
ATOM_TREE_NODE* root_node;
} ATOM_TREE;
typedef struct _YR_ATOM_LIST_ITEM
{
uint8_t atom_length;
uint8_t atom[MAX_ATOM_LENGTH];
uint16_t backtrack;
uint8_t* forward_code;
uint8_t* backward_code;
struct _YR_ATOM_LIST_ITEM* next;
} YR_ATOM_LIST_ITEM;
int yr_atoms_extract_from_re(
RE* re,
int flags,
YR_ATOM_LIST_ITEM** atoms);
int yr_atoms_extract_from_string(
uint8_t* string,
int string_length,
int flags,
YR_ATOM_LIST_ITEM** atoms);
int yr_atoms_min_quality(
YR_ATOM_LIST_ITEM* atom_list);
void yr_atoms_list_destroy(
YR_ATOM_LIST_ITEM* list_head);
#endif


@ -0,0 +1,196 @@
/*
Copyright (c) 2013. The YARA Authors. All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#ifndef YR_COMPILER_H
#define YR_COMPILER_H
#include <stdio.h>
#include <setjmp.h>
#include "ahocorasick.h"
#include "arena.h"
#include "hash.h"
#include "utils.h"
#define YARA_ERROR_LEVEL_ERROR 0
#define YARA_ERROR_LEVEL_WARNING 1
typedef void (*YR_COMPILER_CALLBACK_FUNC)(
int error_level,
const char* file_name,
int line_number,
const char* message,
void* user_data);
typedef struct _YR_COMPILER
{
int errors;
int error_line;
int last_error;
int last_error_line;
int last_result;
jmp_buf error_recovery;
YR_ARENA* sz_arena;
YR_ARENA* rules_arena;
YR_ARENA* strings_arena;
YR_ARENA* code_arena;
YR_ARENA* re_code_arena;
YR_ARENA* automaton_arena;
YR_ARENA* compiled_rules_arena;
YR_ARENA* externals_arena;
YR_ARENA* namespaces_arena;
YR_ARENA* metas_arena;
YR_AC_AUTOMATON* automaton;
YR_HASH_TABLE* rules_table;
YR_HASH_TABLE* objects_table;
YR_NAMESPACE* current_namespace;
YR_STRING* current_rule_strings;
int current_rule_flags;
int namespaces_count;
int8_t* loop_address[MAX_LOOP_NESTING];
char* loop_identifier[MAX_LOOP_NESTING];
int loop_depth;
int loop_for_of_mem_offset;
int allow_includes;
char* file_name_stack[MAX_INCLUDE_DEPTH];
int file_name_stack_ptr;
FILE* file_stack[MAX_INCLUDE_DEPTH];
int file_stack_ptr;
char last_error_extra_info[MAX_COMPILER_ERROR_EXTRA_INFO];
char lex_buf[LEX_BUF_SIZE];
char* lex_buf_ptr;
unsigned short lex_buf_len;
char include_base_dir[MAX_PATH];
void* user_data;
YR_COMPILER_CALLBACK_FUNC callback;
} YR_COMPILER;
#define yr_compiler_set_error_extra_info(compiler, info) \
strlcpy( \
compiler->last_error_extra_info, \
info, \
sizeof(compiler->last_error_extra_info)); \
#define yr_compiler_set_error_extra_info_fmt(compiler, fmt, ...) \
snprintf( \
compiler->last_error_extra_info, \
sizeof(compiler->last_error_extra_info), \
fmt, __VA_ARGS__);
int _yr_compiler_push_file(
YR_COMPILER* compiler,
FILE* fh);
FILE* _yr_compiler_pop_file(
YR_COMPILER* compiler);
int _yr_compiler_push_file_name(
YR_COMPILER* compiler,
const char* file_name);
void _yr_compiler_pop_file_name(
YR_COMPILER* compiler);
YR_API int yr_compiler_create(
YR_COMPILER** compiler);
YR_API void yr_compiler_destroy(
YR_COMPILER* compiler);
YR_API void yr_compiler_set_callback(
YR_COMPILER* compiler,
YR_COMPILER_CALLBACK_FUNC callback,
void* user_data);
YR_API int yr_compiler_add_file(
YR_COMPILER* compiler,
FILE* rules_file,
const char* namespace_,
const char* file_name);
YR_API int yr_compiler_add_string(
YR_COMPILER* compiler,
const char* rules_string,
const char* namespace_);
YR_API char* yr_compiler_get_error_message(
YR_COMPILER* compiler,
char* buffer,
int buffer_size);
YR_API char* yr_compiler_get_current_file_name(
YR_COMPILER* context);
YR_API int yr_compiler_define_integer_variable(
YR_COMPILER* compiler,
const char* identifier,
int64_t value);
YR_API int yr_compiler_define_boolean_variable(
YR_COMPILER* compiler,
const char* identifier,
int value);
YR_API int yr_compiler_define_float_variable(
YR_COMPILER* compiler,
const char* identifier,
double value);
YR_API int yr_compiler_define_string_variable(
YR_COMPILER* compiler,
const char* identifier,
const char* value);
YR_API int yr_compiler_get_rules(
YR_COMPILER* compiler,
YR_RULES** rules);
#endif

202
x64_dbg_dbg/yara/yara/elf.h Normal file

@ -0,0 +1,202 @@
/*
Copyright (c) 2013. The YARA Authors. All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#ifndef _ELF_H
#define _ELF_H
#include <stdint.h>
// 32-bit ELF base types
typedef uint32_t elf32_addr_t;
typedef uint16_t elf32_half_t;
typedef uint32_t elf32_off_t;
typedef uint32_t elf32_word_t;
// 64-bit ELF base types
typedef uint64_t elf64_addr_t;
typedef uint16_t elf64_half_t;
typedef uint64_t elf64_off_t;
typedef uint32_t elf64_word_t;
typedef uint64_t elf64_xword_t;
#define ELF_MAGIC 0x464C457F
#define ELF_ET_NONE 0x0000 // no type
#define ELF_ET_REL 0x0001 // relocatable
#define ELF_ET_EXEC 0x0002 // executeable
#define ELF_ET_DYN 0x0003 // Shared-Object-File
#define ELF_ET_CORE 0x0004 // Corefile
#define ELF_ET_LOPROC 0xFF00 // Processor-specific
#define ELF_ET_HIPROC 0x00FF // Processor-specific
#define ELF_EM_NONE 0x0000 // no type
#define ELF_EM_M32 0x0001 // AT&T WE 32100
#define ELF_EM_SPARC 0x0002 // SPARC
#define ELF_EM_386 0x0003 // Intel 80386
#define ELF_EM_68K 0x0004 // Motorola 68000
#define ELF_EM_88K 0x0005 // Motorola 88000
#define ELF_EM_860 0x0007 // Intel 80860
#define ELF_EM_MIPS 0x0008 // MIPS RS3000
#define ELF_EM_ARM 0x0032 // ARM
#define ELF_EM_X86_64 0x003E // AMD/Intel x86_64
#define ELF_CLASS_NONE 0x0000
#define ELF_CLASS_32 0x0001 // 32bit file
#define ELF_CLASS_64 0x0002 // 64bit file
#define ELF_DATA_NONE 0x0000
#define ELF_DATA_2LSB 0x0001
#define ELF_DATA_2MSB 0x002
#define ELF_SHT_NULL 0 // Section header table entry unused
#define ELF_SHT_PROGBITS 1 // Program data
#define ELF_SHT_SYMTAB 2 // Symbol table
#define ELF_SHT_STRTAB 3 // String table
#define ELF_SHT_RELA 4 // Relocation entries with addends
#define ELF_SHT_HASH 5 // Symbol hash table
#define ELF_SHT_DYNAMIC 6 // Dynamic linking information
#define ELF_SHT_NOTE 7 // Notes
#define ELF_SHT_NOBITS 8 // Program space with no data (bss)
#define ELF_SHT_REL 9 // Relocation entries, no addends
#define ELF_SHT_SHLIB 10 // Reserved
#define ELF_SHT_DYNSYM 11 // Dynamic linker symbol table
#define ELF_SHT_NUM 12 // Number of defined types
#define ELF_SHF_WRITE 0x1 // Section is writable
#define ELF_SHF_ALLOC 0x2 // Section is present during execution
#define ELF_SHF_EXECINSTR 0x4 // Section contains executable instructions
#pragma pack(push,1)
typedef struct
{
uint32_t magic;
uint8_t _class;
uint8_t data;
uint8_t version;
uint8_t pad[8];
uint8_t nident;
} elf_ident_t;
typedef struct
{
elf_ident_t ident;
elf32_half_t type;
elf32_half_t machine;
elf32_word_t version;
elf32_addr_t entry;
elf32_off_t ph_offset;
elf32_off_t sh_offset;
elf32_word_t flags;
elf32_half_t header_size;
elf32_half_t ph_entry_size;
elf32_half_t ph_entry_count;
elf32_half_t sh_entry_size;
elf32_half_t sh_entry_count;
elf32_half_t sh_str_table_index;
} elf32_header_t;
typedef struct
{
elf_ident_t ident;
elf64_half_t type;
elf64_half_t machine;
elf64_word_t version;
elf64_addr_t entry;
elf64_off_t ph_offset;
elf64_off_t sh_offset;
elf64_word_t flags;
elf64_half_t header_size;
elf64_half_t ph_entry_size;
elf64_half_t ph_entry_count;
elf64_half_t sh_entry_size;
elf64_half_t sh_entry_count;
elf64_half_t sh_str_table_index;
} elf64_header_t;
typedef struct
{
elf32_word_t type;
elf32_off_t offset;
elf32_addr_t virt_addr;
elf32_addr_t phys_addr;
elf32_word_t file_size;
elf32_word_t mem_size;
elf32_word_t flags;
elf32_word_t alignment;
} elf32_program_header_t;
typedef struct
{
elf64_word_t type;
elf64_word_t flags;
elf64_off_t offset;
elf64_addr_t virt_addr;
elf64_addr_t phys_addr;
elf64_xword_t file_size;
elf64_xword_t mem_size;
elf64_xword_t alignment;
} elf64_program_header_t;
typedef struct
{
elf32_word_t name;
elf32_word_t type;
elf32_word_t flags;
elf32_addr_t addr;
elf32_off_t offset;
elf32_word_t size;
elf32_word_t link;
elf32_word_t info;
elf32_word_t align;
elf32_word_t entry_size;
} elf32_section_header_t;
typedef struct
{
elf64_word_t name;
elf64_word_t type;
elf64_xword_t flags;
elf64_addr_t addr;
elf64_off_t offset;
elf64_xword_t size;
elf64_word_t link;
elf64_word_t info;
elf64_xword_t align;
elf64_xword_t entry_size;
} elf64_section_header_t;
#pragma pack(pop)
#endif


@ -0,0 +1,100 @@
/*
Copyright (c) 2014. The YARA Authors. All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#ifndef YR_ERROR_H
#define YR_ERROR_H
#include <string.h>
#ifndef ERROR_SUCCESS
#define ERROR_SUCCESS 0
#endif
#define ERROR_INSUFICIENT_MEMORY 1
#define ERROR_COULD_NOT_ATTACH_TO_PROCESS 2
#define ERROR_COULD_NOT_OPEN_FILE 3
#define ERROR_COULD_NOT_MAP_FILE 4
#define ERROR_INVALID_FILE 6
#define ERROR_CORRUPT_FILE 7
#define ERROR_UNSUPPORTED_FILE_VERSION 8
#define ERROR_INVALID_REGULAR_EXPRESSION 9
#define ERROR_INVALID_HEX_STRING 10
#define ERROR_SYNTAX_ERROR 11
#define ERROR_LOOP_NESTING_LIMIT_EXCEEDED 12
#define ERROR_DUPLICATED_LOOP_IDENTIFIER 13
#define ERROR_DUPLICATED_IDENTIFIER 14
#define ERROR_DUPLICATED_TAG_IDENTIFIER 15
#define ERROR_DUPLICATED_META_IDENTIFIER 16
#define ERROR_DUPLICATED_STRING_IDENTIFIER 17
#define ERROR_UNREFERENCED_STRING 18
#define ERROR_UNDEFINED_STRING 19
#define ERROR_UNDEFINED_IDENTIFIER 20
#define ERROR_MISPLACED_ANONYMOUS_STRING 21
#define ERROR_INCLUDES_CIRCULAR_REFERENCE 22
#define ERROR_INCLUDE_DEPTH_EXCEEDED 23
#define ERROR_WRONG_TYPE 24
#define ERROR_EXEC_STACK_OVERFLOW 25
#define ERROR_SCAN_TIMEOUT 26
#define ERROR_TOO_MANY_SCAN_THREADS 27
#define ERROR_CALLBACK_ERROR 28
#define ERROR_INVALID_ARGUMENT 29
#define ERROR_TOO_MANY_MATCHES 30
#define ERROR_INTERNAL_FATAL_ERROR 31
#define ERROR_NESTED_FOR_OF_LOOP 32
#define ERROR_INVALID_FIELD_NAME 33
#define ERROR_UNKNOWN_MODULE 34
#define ERROR_NOT_A_STRUCTURE 35
#define ERROR_NOT_INDEXABLE 36
#define ERROR_NOT_A_FUNCTION 37
#define ERROR_INVALID_FORMAT 38
#define ERROR_TOO_MANY_ARGUMENTS 39
#define ERROR_WRONG_ARGUMENTS 40
#define ERROR_WRONG_RETURN_TYPE 41
#define ERROR_DUPLICATED_STRUCTURE_MEMBER 42
#define FAIL_ON_ERROR(x) { \
int result = (x); \
if (result != ERROR_SUCCESS) \
return result; \
}
#define FAIL_ON_ERROR_WITH_CLEANUP(x, cleanup) { \
int result = (x); \
if (result != ERROR_SUCCESS) { \
cleanup; \
return result; \
} \
}
#define FAIL_ON_COMPILER_ERROR(x) { \
compiler->last_result = (x); \
if (compiler->last_result != ERROR_SUCCESS) \
return compiler->last_result; \
}
#ifdef NDEBUG
#define assertf(expr, msg) ((void)0)
#else
#define assertf(expr, msg, ...) \
if(!(expr)) { \
fprintf(stderr, "%s:%d: " msg "\n", __FILE__, __LINE__, ##__VA_ARGS__); \
abort(); \
}
#endif
#endif


@ -0,0 +1,156 @@
/*
Copyright (c) 2013-2014. The YARA Authors. All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#ifndef YR_EXEC_H
#define YR_EXEC_H
#include "hash.h"
#include "scan.h"
#include "types.h"
#include "rules.h"
#define UNDEFINED 0xFFFABADAFABADAFFLL
#define IS_UNDEFINED(x) ((size_t)(x) == (size_t) UNDEFINED)
#define OP_ERROR 0
#define OP_HALT 255
#define OP_AND 1
#define OP_OR 2
#define OP_NOT 3
#define OP_BITWISE_NOT 4
#define OP_BITWISE_AND 5
#define OP_BITWISE_OR 6
#define OP_BITWISE_XOR 7
#define OP_SHL 8
#define OP_SHR 9
#define OP_MOD 10
#define OP_INT_TO_DBL 11
#define OP_STR_TO_BOOL 12
#define OP_PUSH 13
#define OP_POP 14
#define OP_CALL 15
#define OP_OBJ_LOAD 16
#define OP_OBJ_VALUE 17
#define OP_OBJ_FIELD 18
#define OP_INDEX_ARRAY 19
#define OP_COUNT 20
#define OP_FOUND 21
#define OP_FOUND_AT 22
#define OP_FOUND_IN 23
#define OP_OFFSET 24
#define OP_OF 25
#define OP_PUSH_RULE 26
#define OP_MATCH_RULE 27
#define OP_INCR_M 28
#define OP_CLEAR_M 29
#define OP_ADD_M 30
#define OP_POP_M 31
#define OP_PUSH_M 32
#define OP_SWAPUNDEF 33
#define OP_JNUNDEF 34
#define OP_JLE 35
#define OP_FILESIZE 36
#define OP_ENTRYPOINT 37
#define OP_CONTAINS 38
#define OP_MATCHES 39
#define OP_IMPORT 40
#define OP_LOOKUP_DICT 41
#define _OP_EQ 0
#define _OP_NEQ 1
#define _OP_LT 2
#define _OP_GT 3
#define _OP_LE 4
#define _OP_GE 5
#define _OP_ADD 6
#define _OP_SUB 7
#define _OP_MUL 8
#define _OP_DIV 9
#define _OP_MINUS 10
#define OP_INT_BEGIN 100
#define OP_INT_EQ (OP_INT_BEGIN + _OP_EQ)
#define OP_INT_NEQ (OP_INT_BEGIN + _OP_NEQ)
#define OP_INT_LT (OP_INT_BEGIN + _OP_LT)
#define OP_INT_GT (OP_INT_BEGIN + _OP_GT)
#define OP_INT_LE (OP_INT_BEGIN + _OP_LE)
#define OP_INT_GE (OP_INT_BEGIN + _OP_GE)
#define OP_INT_ADD (OP_INT_BEGIN + _OP_ADD)
#define OP_INT_SUB (OP_INT_BEGIN + _OP_SUB)
#define OP_INT_MUL (OP_INT_BEGIN + _OP_MUL)
#define OP_INT_DIV (OP_INT_BEGIN + _OP_DIV)
#define OP_INT_MINUS (OP_INT_BEGIN + _OP_MINUS)
#define OP_INT_END OP_INT_MINUS
#define OP_DBL_BEGIN 120
#define OP_DBL_EQ (OP_DBL_BEGIN + _OP_EQ)
#define OP_DBL_NEQ (OP_DBL_BEGIN + _OP_NEQ)
#define OP_DBL_LT (OP_DBL_BEGIN + _OP_LT)
#define OP_DBL_GT (OP_DBL_BEGIN + _OP_GT)
#define OP_DBL_LE (OP_DBL_BEGIN + _OP_LE)
#define OP_DBL_GE (OP_DBL_BEGIN + _OP_GE)
#define OP_DBL_ADD (OP_DBL_BEGIN + _OP_ADD)
#define OP_DBL_SUB (OP_DBL_BEGIN + _OP_SUB)
#define OP_DBL_MUL (OP_DBL_BEGIN + _OP_MUL)
#define OP_DBL_DIV (OP_DBL_BEGIN + _OP_DIV)
#define OP_DBL_MINUS (OP_DBL_BEGIN + _OP_MINUS)
#define OP_DBL_END OP_DBL_MINUS
#define OP_STR_BEGIN 140
#define OP_STR_EQ (OP_STR_BEGIN + _OP_EQ)
#define OP_STR_NEQ (OP_STR_BEGIN + _OP_NEQ)
#define OP_STR_LT (OP_STR_BEGIN + _OP_LT)
#define OP_STR_GT (OP_STR_BEGIN + _OP_GT)
#define OP_STR_LE (OP_STR_BEGIN + _OP_LE)
#define OP_STR_GE (OP_STR_BEGIN + _OP_GE)
#define OP_STR_END OP_STR_GE
#define IS_INT_OP(x) ((x) >= OP_INT_BEGIN && (x) <= OP_INT_END)
#define IS_DBL_OP(x) ((x) >= OP_DBL_BEGIN && (x) <= OP_DBL_END)
#define IS_STR_OP(x) ((x) >= OP_STR_BEGIN && (x) <= OP_STR_END)
#define OP_READ_INT 240
#define OP_INT8 (OP_READ_INT + 0)
#define OP_INT16 (OP_READ_INT + 1)
#define OP_INT32 (OP_READ_INT + 2)
#define OP_UINT8 (OP_READ_INT + 3)
#define OP_UINT16 (OP_READ_INT + 4)
#define OP_UINT32 (OP_READ_INT + 5)
#define OP_INT8BE (OP_READ_INT + 6)
#define OP_INT16BE (OP_READ_INT + 7)
#define OP_INT32BE (OP_READ_INT + 8)
#define OP_UINT8BE (OP_READ_INT + 9)
#define OP_UINT16BE (OP_READ_INT + 10)
#define OP_UINT32BE (OP_READ_INT + 11)
#define OPERATION(operator, op1, op2) \
(IS_UNDEFINED(op1) || IS_UNDEFINED(op2)) ? (UNDEFINED) : (op1 operator op2)
#define COMPARISON(operator, op1, op2) \
(IS_UNDEFINED(op1) || IS_UNDEFINED(op2)) ? (0) : (op1 operator op2)
int yr_execute_code(
YR_RULES* rules,
YR_SCAN_CONTEXT* context,
int timeout,
time_t start_time);
#endif


@ -0,0 +1,30 @@
/*
Copyright (c) 2007. The YARA Authors. All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#ifndef YR_EXEFILES_H
#define YR_EXEFILES_H
uint64_t yr_get_entry_point_offset(
uint8_t* buffer,
size_t buffer_length);
uint64_t yr_get_entry_point_address(
uint8_t* buffer,
size_t buffer_length,
size_t base_address);
#endif


@ -0,0 +1,62 @@
/*
Copyright (c) 2007-2015. The YARA Authors. All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#ifndef YR_FILEMAP_H
#define YR_FILEMAP_H
#ifdef _WIN32
#include <windows.h>
#define FILE_DESCRIPTOR HANDLE
#define off_t int64_t
#else
#include <sys/types.h>
#define FILE_DESCRIPTOR int
#endif
#include <stdlib.h>
#include <stdint.h>
#include "utils.h"
typedef struct _YR_MAPPED_FILE
{
FILE_DESCRIPTOR file;
size_t size;
uint8_t* data;
#ifdef _WIN32
HANDLE mapping;
#endif
} YR_MAPPED_FILE;
YR_API int yr_filemap_map(
const char* file_path,
YR_MAPPED_FILE* pmapped_file);
YR_API int yr_filemap_map_ex(
const char* file_path,
off_t offset,
size_t size,
YR_MAPPED_FILE* pmapped_file);
YR_API void yr_filemap_unmap(
YR_MAPPED_FILE* pmapped_file);
#endif
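Review bot: On `_WIN32` this header does `#define off_t int64_t`, which rewrites a standard type name in every file that includes it, not just in the `yr_filemap_map_ex` prototype. A translation unit that includes `<sys/types.h>` afterwards would have the CRT's own `off_t` declaration rewritten by the macro, which is likely to end in a conflicting-typedef error or in callers disagreeing about the width of `offset`. Since this commit also copies the yara headers into the plugin SDK, a library-private name would be safer, for example `typedef int64_t yr_off_t;` used in the prototype instead of the macro. The implementation of `yr_filemap_map_ex` is not shown, so whether `offset` and `size` are validated against the file length cannot be confirmed from this header.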


@ -0,0 +1,23 @@
/*
Copyright (c) 2014. The YARA Authors. All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#ifndef YR_GLOBALS_H
#define YR_GLOBALS_H
extern char lowercase[256];
extern char altercase[256];
#endif


@ -0,0 +1,66 @@
/*
Copyright (c) 2013. The YARA Authors. All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#ifndef YR_HASH_H
#define YR_HASH_H
typedef struct _YR_HASH_TABLE_ENTRY
{
char* key;
char* ns;
void* value;
struct _YR_HASH_TABLE_ENTRY* next;
} YR_HASH_TABLE_ENTRY;
typedef struct _YR_HASH_TABLE
{
int size;
YR_HASH_TABLE_ENTRY* buckets[1];
} YR_HASH_TABLE;
typedef int (*YR_HASH_TABLE_FREE_VALUE_FUNC)(void* value);
int yr_hash_table_create(
int size,
YR_HASH_TABLE** table);
void yr_hash_table_destroy(
YR_HASH_TABLE* table,
YR_HASH_TABLE_FREE_VALUE_FUNC free_value);
void* yr_hash_table_lookup(
YR_HASH_TABLE* table,
const char* key,
const char* ns);
int yr_hash_table_add(
YR_HASH_TABLE* table,
const char* key,
const char* ns,
void* value);
#endif


@ -0,0 +1,98 @@
/*
Copyright (c) 2007. Victor M. Alvarez [plusvic@gmail.com].
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#include "re.h"
#undef yyparse
#undef yylex
#undef yyerror
#undef yyfatal
#undef yychar
#undef yydebug
#undef yynerrs
#undef yyget_extra
#undef yyget_lineno
#undef YY_FATAL_ERROR
#undef YY_DECL
#undef LEX_ENV
#define yyparse hex_yyparse
#define yylex hex_yylex
#define yyerror hex_yyerror
#define yyfatal hex_yyfatal
#define yychar hex_yychar
#define yydebug hex_yydebug
#define yynerrs hex_yynerrs
#define yyget_extra hex_yyget_extra
#define yyget_lineno hex_yyget_lineno
#ifndef YY_TYPEDEF_YY_SCANNER_T
#define YY_TYPEDEF_YY_SCANNER_T
typedef void* yyscan_t;
#endif
#define YY_EXTRA_TYPE RE*
#define YY_USE_CONST
typedef struct _HEX_LEX_ENVIRONMENT
{
int token_count;
int inside_or;
int last_error_code;
char last_error_message[256];
} HEX_LEX_ENVIRONMENT;
#define YY_FATAL_ERROR(msg) hex_yyfatal(yyscanner, msg)
#define LEX_ENV ((HEX_LEX_ENVIRONMENT*) lex_env)
#include <hex_grammar.h>
#define YY_DECL int hex_yylex \
(YYSTYPE * yylval_param , yyscan_t yyscanner, HEX_LEX_ENVIRONMENT* lex_env)
YY_EXTRA_TYPE yyget_extra(
yyscan_t yyscanner);
int yylex(
YYSTYPE* yylval_param,
yyscan_t yyscanner,
HEX_LEX_ENVIRONMENT* lex_env);
int yyparse(
void *yyscanner,
HEX_LEX_ENVIRONMENT *lex_env);
void yyerror(
yyscan_t yyscanner,
HEX_LEX_ENVIRONMENT* lex_env,
const char *error_message);
void yyfatal(
yyscan_t yyscanner,
const char *error_message);
int yr_parse_hex_string(
const char* hex_string,
int flags,
RE** re,
RE_ERROR* error);


@ -0,0 +1,130 @@
/*
Copyright (c) 2007. Victor M. Alvarez [plusvic@gmail.com].
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#include "compiler.h"
#undef yyparse
#undef yylex
#undef yyerror
#undef yyfatal
#undef yychar
#undef yydebug
#undef yynerrs
#undef yyget_extra
#undef yyget_lineno
#undef YY_DECL
#undef YY_FATAL_ERROR
#undef YY_EXTRA_TYPE
#define yyparse yara_yyparse
#define yylex yara_yylex
#define yyerror yara_yyerror
#define yyfatal yara_yyfatal
#define yywarning yara_yywarning
#define yychar yara_yychar
#define yydebug yara_yydebug
#define yynerrs yara_yynerrs
#define yyget_extra yara_yyget_extra
#define yyget_lineno yara_yyget_lineno
#ifndef YY_TYPEDEF_YY_SCANNER_T
#define YY_TYPEDEF_YY_SCANNER_T
typedef void* yyscan_t;
#endif
#ifndef YY_TYPEDEF_EXPRESSION_T
#define YY_TYPEDEF_EXPRESSION_T
// Expression type constants are powers of two because they are used as flags.
// For example:
// CHECK_TYPE(whatever, EXPRESSION_TYPE_INTEGER | EXPRESSION_TYPE_FLOAT)
// The expression above is used to ensure that the type of "whatever" is either
// integer or float.
#define EXPRESSION_TYPE_BOOLEAN 1
#define EXPRESSION_TYPE_INTEGER 2
#define EXPRESSION_TYPE_STRING 4
#define EXPRESSION_TYPE_REGEXP 8
#define EXPRESSION_TYPE_OBJECT 16
#define EXPRESSION_TYPE_FLOAT 32
typedef struct _EXPRESSION
{
int type;
union {
int64_t integer;
YR_OBJECT* object;
} value;
const char* identifier;
} EXPRESSION;
union YYSTYPE;
#endif
#define YY_DECL int yylex( \
union YYSTYPE* yylval_param, yyscan_t yyscanner, YR_COMPILER* compiler)
#define YY_FATAL_ERROR(msg) yara_yyfatal(yyscanner, msg)
#define YY_EXTRA_TYPE YR_COMPILER*
#define YY_USE_CONST
int yyget_lineno(yyscan_t yyscanner);
int yylex(
union YYSTYPE* yylval_param,
yyscan_t yyscanner,
YR_COMPILER* compiler);
int yyparse(
void *yyscanner,
YR_COMPILER* compiler);
void yyerror(
yyscan_t yyscanner,
YR_COMPILER* compiler,
const char *error_message);
void yywarning(
yyscan_t yyscanner,
const char *warning_message);
void yyfatal(
yyscan_t yyscanner,
const char *error_message);
YY_EXTRA_TYPE yyget_extra(
yyscan_t yyscanner);
int yr_lex_parse_rules_string(
const char* rules_string,
YR_COMPILER* compiler);
int yr_lex_parse_rules_file(
FILE* rules_file,
YR_COMPILER* compiler);


@ -0,0 +1,49 @@
/*
Copyright (c) 2014. The YARA Authors. All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#ifndef YR_LIBYARA_H
#define YR_LIBYARA_H
#include "utils.h"
#define YR_MAJOR_VERSION 3
#define YR_MINOR_VERSION 3
#define YR_MICRO_VERSION 0
// Version as a string
#define YR_VERSION "3.3.0"
// Version as a single 4-byte hex number, e.g. 0x030401 == 3.4.1.
#define YR_VERSION_HEX ((YR_MAJOR_VERSION << 16) | \
(YR_MINOR_VERSION << 8) | \
(YR_MICRO_VERSION << 0)
YR_API int yr_initialize(void);
YR_API int yr_finalize(void);
YR_API void yr_finalize_thread(void);
YR_API int yr_get_tidx(void);
YR_API void yr_set_tidx(int);
#endif
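Review bot: `YR_VERSION_HEX` has unbalanced parentheses: it opens with `((YR_MAJOR_VERSION << 16)` but its last continuation line ends with `(YR_MICRO_VERSION << 0)`, so the outer parenthesis is never closed. Any translation unit that expands the macro will fail to compile, and because this commit also copies the yara headers into the plugin SDK, that includes plugin code doing a version check. The last line should read `(YR_MICRO_VERSION << 0))`. If the header is meant to stay identical to the vendored source, it is worth recording the local patch next to it so it is not lost on the next library update.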


@ -0,0 +1,48 @@
/*
Copyright (c) 2013. The YARA Authors. All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#ifndef YR_LIMITS_H
#define YR_LIMITS_H
// MAX_THREADS is the number of threads that can use a YR_RULES
// object simultaneosly. This value is limited by the number of
// bits in tidx_mask.
#define MAX_THREADS 32
#ifndef MAX_PATH
#define MAX_PATH 1024
#endif
#define MAX_COMPILER_ERROR_EXTRA_INFO 256
#define MAX_ATOM_LENGTH 4
#define MAX_LOOP_NESTING 4
#define MAX_ARENA_PAGES 32
#define MAX_INCLUDE_DEPTH 16
#define MAX_STRING_MATCHES 1000000
#define MAX_FUNCTION_ARGS 128
#define MAX_FAST_HEX_RE_STACK 300
#define MAX_OVERLOADED_FUNCTIONS 10
#define MAX_HEX_STRING_TOKENS 10000
#define LOOP_LOCAL_VARS 4
#define STRING_CHAINING_THRESHOLD 200
#define LEX_BUF_SIZE 1024
#endif


@ -0,0 +1,63 @@
/*
Copyright (c) 2007. The YARA Authors. All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#ifndef YR_MEM_H
#define YR_MEM_H
#include <stdio.h>
#include "config.h"
#ifdef DMALLOC
#define yr_malloc malloc
#define yr_calloc calloc
#define yr_realloc realloc
#define yr_free free
#define yr_strdup strdup
#define yr_strndup strndup
#include <dmalloc.h>
#else
void* yr_calloc(
size_t count,
size_t size);
void* yr_malloc(
size_t size);
void* yr_realloc(
void* ptr,
size_t size);
void yr_free(
void *ptr);
char* yr_strdup(
const char *str);
char* yr_strndup(
const char *str, size_t n);
#endif
int yr_heap_alloc();
int yr_heap_free();
#endif


@ -0,0 +1,439 @@
/*
Copyright (c) 2014. The YARA Authors. All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#ifndef YR_MODULES_H
#define YR_MODULES_H
#include <assert.h>
#include <stdio.h>
#include <string.h>
#include <math.h>
#include "utils.h"
#include "limits.h"
#include "error.h"
#include "exec.h"
#include "types.h"
#include "object.h"
#include "libyara.h"
// Concatenation that macro-expands its arguments.
#define CONCAT(arg1, arg2) _CONCAT(arg1, arg2) // expands the arguments.
#define _CONCAT(arg1, arg2) arg1 ## arg2 // do the actual concatenation.
#define module_declarations CONCAT(MODULE_NAME, __declarations)
#define module_load CONCAT(MODULE_NAME, __load)
#define module_unload CONCAT(MODULE_NAME, __unload)
#define module_initialize CONCAT(MODULE_NAME, __initialize)
#define module_finalize CONCAT(MODULE_NAME, __finalize)
#define begin_declarations \
int module_declarations(YR_OBJECT* module) { \
YR_OBJECT* stack[64]; \
int stack_top = 0; \
stack[stack_top] = module;
#define end_declarations \
return ERROR_SUCCESS; }
#define begin_struct(name) { \
YR_OBJECT* structure; \
FAIL_ON_ERROR(yr_object_create( \
OBJECT_TYPE_STRUCTURE, \
name, \
stack[stack_top], \
&structure)); \
assertf( \
stack_top < sizeof(stack)/sizeof(stack[0]) - 1, \
"too many nested structures"); \
stack[++stack_top] = structure; \
}
#define begin_struct_array(name) { \
YR_OBJECT* structure; \
YR_OBJECT* array; \
FAIL_ON_ERROR(yr_object_create( \
OBJECT_TYPE_ARRAY, \
name, \
stack[stack_top], \
&array)); \
FAIL_ON_ERROR(yr_object_create( \
OBJECT_TYPE_STRUCTURE, \
name, \
array, \
&structure)); \
assertf( \
stack_top < sizeof(stack)/sizeof(stack[0]) - 1, \
"too many nested structures"); \
stack[++stack_top] = structure; \
}
#define begin_struct_dictionary(name) { \
YR_OBJECT* structure; \
YR_OBJECT* array; \
FAIL_ON_ERROR(yr_object_create( \
OBJECT_TYPE_DICTIONARY, \
name, \
stack[stack_top], \
&array)); \
FAIL_ON_ERROR(yr_object_create( \
OBJECT_TYPE_STRUCTURE, \
name, \
array, \
&structure)); \
assertf( \
stack_top < sizeof(stack)/sizeof(stack[0]) - 1, \
"too many nested structures"); \
stack[++stack_top] = structure; \
}
#define end_struct(name) { \
assert(stack[stack_top]->type == OBJECT_TYPE_STRUCTURE); \
assertf( \
strcmp(stack[stack_top]->identifier, name) == 0, \
"unbalanced begin_struct/end_struct"); \
stack_top--; \
}
#define end_struct_array(name) end_struct(name)
#define end_struct_dictionary(name) end_struct(name)
#define declare_integer(name) { \
FAIL_ON_ERROR(yr_object_create( \
OBJECT_TYPE_INTEGER, \
name, \
stack[stack_top], \
NULL)); \
}
#define declare_integer_array(name) { \
YR_OBJECT* array; \
FAIL_ON_ERROR(yr_object_create( \
OBJECT_TYPE_ARRAY, \
name, \
stack[stack_top], \
&array)); \
FAIL_ON_ERROR(yr_object_create( \
OBJECT_TYPE_INTEGER, \
name, \
array, \
NULL)); \
}
#define declare_integer_dictionary(name) { \
YR_OBJECT* dict; \
FAIL_ON_ERROR(yr_object_create( \
OBJECT_TYPE_DICTIONARY, \
name, \
stack[stack_top], \
&dict)); \
FAIL_ON_ERROR(yr_object_create( \
OBJECT_TYPE_INTEGER, \
name, \
dict, \
NULL)); \
}
#define declare_float(name) { \
FAIL_ON_ERROR(yr_object_create( \
OBJECT_TYPE_FLOAT, \
name, \
stack[stack_top], \
NULL)); \
}
#define declare_float_array(name) { \
YR_OBJECT* array; \
FAIL_ON_ERROR(yr_object_create( \
OBJECT_TYPE_ARRAY, \
name, \
stack[stack_top], \
&array)); \
FAIL_ON_ERROR(yr_object_create( \
OBJECT_TYPE_FLOAT, \
name, \
array, \
NULL)); \
}
#define declare_float_dictionary(name) { \
YR_OBJECT* dict; \
FAIL_ON_ERROR(yr_object_create( \
OBJECT_TYPE_DICTIONARY, \
name, \
stack[stack_top], \
&dict)); \
FAIL_ON_ERROR(yr_object_create( \
OBJECT_TYPE_FLOAT, \
name, \
dict, \
NULL)); \
}
#define declare_string(name) { \
FAIL_ON_ERROR(yr_object_create( \
OBJECT_TYPE_STRING, \
name, \
stack[stack_top], \
NULL)); \
}
#define declare_string_array(name) { \
YR_OBJECT* array; \
FAIL_ON_ERROR(yr_object_create( \
OBJECT_TYPE_ARRAY, \
name, \
stack[stack_top], \
&array)); \
FAIL_ON_ERROR(yr_object_create( \
OBJECT_TYPE_STRING, \
name, \
array, \
NULL)); \
}
#define declare_string_dictionary(name) { \
YR_OBJECT* dict; \
FAIL_ON_ERROR(yr_object_create( \
OBJECT_TYPE_DICTIONARY, \
name, \
stack[stack_top], \
&dict)); \
FAIL_ON_ERROR(yr_object_create( \
OBJECT_TYPE_STRING, \
name, \
dict, \
NULL)); \
}
#define declare_function(name, args_fmt, ret_fmt, func) { \
YR_OBJECT* function; \
FAIL_ON_ERROR(yr_object_function_create( \
name, \
args_fmt, \
ret_fmt, \
func, \
stack[stack_top], \
&function)); \
}
#define define_function(func) \
int func ( \
void* __args, \
YR_SCAN_CONTEXT* __context, \
YR_OBJECT_FUNCTION* __function_obj)
#define sized_string_argument(n) \
((SIZED_STRING*)(size_t)((int64_t*) __args)[n-1])
#define string_argument(n) \
(sized_string_argument(n)->c_string)
#define integer_argument(n) \
(((int64_t*) __args)[n-1])
#define float_argument(n) \
(((double*) __args)[n-1])
#define regexp_argument(n) \
((RE_CODE)((int64_t*) __args)[n-1])
#define module() yr_object_get_root((YR_OBJECT*) __function_obj)
#define parent() (__function_obj->parent)
#define scan_context() (__context)
#define foreach_memory_block(context, block) \
for (block = (context)->mem_block; \
block != NULL; \
block = block->next) \
#define first_memory_block(context) \
(context)->mem_block
#define is_undefined(object, ...) \
yr_object_has_undefined_value(object, __VA_ARGS__)
#define get_object(object, ...) \
yr_object_lookup(object, 0, __VA_ARGS__)
#define get_integer(object, ...) \
yr_object_get_integer(object, __VA_ARGS__)
#define get_float(object, ...) \
yr_object_get_float(object, __VA_ARGS__)
#define get_string(object, ...) \
yr_object_get_string(object, __VA_ARGS__)
#define set_integer(value, object, ...) \
yr_object_set_integer(value, object, __VA_ARGS__)
#define set_float(value, object, ...) \
yr_object_set_float(value, object, __VA_ARGS__)
#define set_sized_string(value, len, object, ...) \
yr_object_set_string(value, len, object, __VA_ARGS__)
#define set_string(value, object, ...) \
set_sized_string(value, strlen(value), object, __VA_ARGS__)
#define return_integer(integer) { \
assertf( \
__function_obj->return_obj->type == OBJECT_TYPE_INTEGER, \
"return type differs from function declaration"); \
yr_object_set_integer( \
(integer), \
__function_obj->return_obj, \
NULL); \
return ERROR_SUCCESS; \
}
#define return_float(double_) { \
assertf( \
__function_obj->return_obj->type == OBJECT_TYPE_FLOAT, \
"return type differs from function declaration"); \
double d = (double) (double_); \
yr_object_set_float( \
(d != (double) UNDEFINED) ? d : NAN, \
__function_obj->return_obj, \
NULL); \
return ERROR_SUCCESS; \
}
#define return_string(string) { \
assertf( \
__function_obj->return_obj->type == OBJECT_TYPE_STRING, \
"return type differs from function declaration"); \
char* s = (char*) (string); \
yr_object_set_string( \
(s != (char*) UNDEFINED) ? s : NULL, \
(s != (char*) UNDEFINED) ? strlen(s) : 0, \
__function_obj->return_obj, \
NULL); \
return ERROR_SUCCESS; \
}
struct _YR_MODULE;
typedef int (*YR_EXT_INITIALIZE_FUNC)(
struct _YR_MODULE* module);
typedef int (*YR_EXT_FINALIZE_FUNC)(
struct _YR_MODULE* module);
typedef int (*YR_EXT_DECLARATIONS_FUNC)(
YR_OBJECT* module_object);
typedef int (*YR_EXT_LOAD_FUNC)(
YR_SCAN_CONTEXT* context,
YR_OBJECT* module_object,
void* module_data,
size_t module_data_size);
typedef int (*YR_EXT_UNLOAD_FUNC)(
YR_OBJECT* module_object);
typedef struct _YR_MODULE
{
tidx_mask_t is_loaded;
char* name;
YR_EXT_DECLARATIONS_FUNC declarations;
YR_EXT_LOAD_FUNC load;
YR_EXT_UNLOAD_FUNC unload;
YR_EXT_INITIALIZE_FUNC initialize;
YR_EXT_FINALIZE_FUNC finalize;
} YR_MODULE;
typedef struct _YR_MODULE_IMPORT
{
const char* module_name;
void* module_data;
size_t module_data_size;
} YR_MODULE_IMPORT;
int yr_modules_initialize(void);
int yr_modules_finalize(void);
int yr_modules_do_declarations(
const char* module_name,
YR_OBJECT* main_structure);
int yr_modules_load(
const char* module_name,
YR_SCAN_CONTEXT* context);
int yr_modules_unload_all(
YR_SCAN_CONTEXT* context);
void yr_modules_print_data(
YR_SCAN_CONTEXT* context);
#endif
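Review bot: The depth limit on the 64-entry `stack` declared in `begin_declarations` is enforced only by `assertf`, in `begin_struct`, `begin_struct_array` and `begin_struct_dictionary`, right before `stack[++stack_top] = structure;`. `assertf` is defined outside this header, so whether the check survives a release build cannot be confirmed here; if it compiles out under NDEBUG, a module that nests structures more deeply writes past the array. The surrounding code already propagates failures through `FAIL_ON_ERROR`, so an explicit `if (stack_top >= (int)(sizeof(stack)/sizeof(stack[0])) - 1) return <error code>;` before the push would keep the bound in every build, with the code taken from error.h. The existing comparison also mixes the signed `stack_top` with a `size_t` expression, which the cast above avoids.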


@ -0,0 +1,156 @@
/*
Copyright (c) 2014. The YARA Authors. All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#ifndef YR_OBJECT_H
#define YR_OBJECT_H
#ifdef _MSC_VER
#include <float.h>
#define isnan _isnan
#define INFINITY (DBL_MAX + DBL_MAX)
#define NAN (INFINITY-INFINITY)
#endif
#include "types.h"
#define OBJECT_CREATE 1
#define OBJECT_TYPE_INTEGER 1
#define OBJECT_TYPE_STRING 2
#define OBJECT_TYPE_STRUCTURE 3
#define OBJECT_TYPE_ARRAY 4
#define OBJECT_TYPE_FUNCTION 5
#define OBJECT_TYPE_REGEXP 6
#define OBJECT_TYPE_DICTIONARY 7
#define OBJECT_TYPE_FLOAT 8
int yr_object_create(
int8_t type,
const char* identifier,
YR_OBJECT* parent,
YR_OBJECT** object);
int yr_object_function_create(
const char* identifier,
const char* arguments_fmt,
const char* return_fmt,
YR_MODULE_FUNC func,
YR_OBJECT* parent,
YR_OBJECT** function);
int yr_object_from_external_variable(
YR_EXTERNAL_VARIABLE* external,
YR_OBJECT** object);
void yr_object_destroy(
YR_OBJECT* object);
YR_OBJECT* yr_object_lookup_field(
YR_OBJECT* object,
const char* field_name);
YR_OBJECT* yr_object_lookup(
YR_OBJECT* root,
int flags,
const char* pattern,
...);
int yr_object_has_undefined_value(
YR_OBJECT* object,
const char* field,
...);
int64_t yr_object_get_integer(
YR_OBJECT* object,
const char* field,
...);
SIZED_STRING* yr_object_get_string(
YR_OBJECT* object,
const char* field,
...);
int yr_object_set_integer(
int64_t value,
YR_OBJECT* object,
const char* field,
...);
int yr_object_set_float(
double value,
YR_OBJECT* object,
const char* field,
...);
int yr_object_set_string(
const char* value,
size_t len,
YR_OBJECT* object,
const char* field,
...);
YR_OBJECT* yr_object_array_get_item(
YR_OBJECT* object,
int flags,
int index);
int yr_object_array_set_item(
YR_OBJECT* object,
YR_OBJECT* item,
int index);
YR_OBJECT* yr_object_dict_get_item(
YR_OBJECT* object,
int flags,
const char* key);
int yr_object_dict_set_item(
YR_OBJECT* object,
YR_OBJECT* item,
const char* key);
int yr_object_structure_set_member(
YR_OBJECT* object,
YR_OBJECT* member);
YR_OBJECT* yr_object_get_root(
YR_OBJECT* object);
void yr_object_print_data(
YR_OBJECT* object,
int indent);
#endif
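Review bot: This header declares `yr_object_get_integer` and `yr_object_get_string` but no `yr_object_get_float`, although `yr_object_set_float` is declared here and the `get_float` macro in modules.h expands to `yr_object_get_float(object, __VA_ARGS__)`. Unless the prototype comes from a header not shown on this page, a C module calling `get_float` either fails to compile or, where implicit declarations are still accepted, has the result read as `int` instead of a floating-point value. A prototype such as `double yr_object_get_float(YR_OBJECT* object, const char* field, ...);` next to the other getters would close the gap; the `double` return type is inferred from `yr_object_set_float` and should be checked against the implementation.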


@ -0,0 +1,120 @@
/*
Copyright (c) 2013. The YARA Authors. All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#ifndef YR_PARSER_H
#define YR_PARSER_H
#include "lexer.h"
int yr_parser_emit(
yyscan_t yyscanner,
int8_t instruction,
int8_t** instruction_address);
int yr_parser_emit_with_arg(
yyscan_t yyscanner,
int8_t instruction,
int64_t argument,
int8_t** instruction_address);
int yr_parser_emit_with_arg_double(
yyscan_t yyscanner,
int8_t instruction,
double argument,
int8_t** instruction_address);
int yr_parser_emit_with_arg_reloc(
yyscan_t yyscanner,
int8_t instruction,
int64_t argument,
int8_t** instruction_address);
int yr_parser_check_types(
YR_COMPILER* compiler,
YR_OBJECT_FUNCTION* function,
const char* actual_args_fmt);
YR_STRING* yr_parser_lookup_string(
yyscan_t yyscanner,
const char* identifier);
int yr_parser_lookup_loop_variable(
yyscan_t yyscanner,
const char* identifier);
int yr_parser_reduce_rule_declaration(
yyscan_t yyscanner,
int flags,
const char* identifier,
char* tags,
YR_STRING* strings,
YR_META* metas);
YR_STRING* yr_parser_reduce_string_declaration(
yyscan_t yyscanner,
int flags,
const char* identifier,
SIZED_STRING* str);
YR_META* yr_parser_reduce_meta_declaration(
yyscan_t yyscanner,
int32_t type,
const char* identifier,
const char* string,
int32_t integer);
int yr_parser_reduce_string_identifier(
yyscan_t yyscanner,
const char* identifier,
int8_t instruction,
uint64_t at_offset);
int yr_parser_emit_pushes_for_strings(
yyscan_t yyscanner,
const char* identifier);
int yr_parser_reduce_external(
yyscan_t yyscanner,
const char* identifier,
int8_t intruction);
int yr_parser_reduce_import(
yyscan_t yyscanner,
SIZED_STRING* module_name);
int yr_parser_reduce_operation(
yyscan_t yyscanner,
const char* operation,
EXPRESSION left_operand,
EXPRESSION right_operand);
#endif
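Review bot: The emit functions and `yr_parser_reduce_string_identifier` take the opcode as `int8_t instruction`, but exec.h in this same commit defines opcodes above 127, for example `OP_STR_BEGIN 140` and `OP_READ_INT 240`. Converting those values to `int8_t` typically yields negative numbers, so a comparison of the signed value against the `OP_*` constants or the `IS_DBL_OP`/`IS_STR_OP` range macros would not match unless the code converts back to unsigned first; the implementation is not shown here. Declaring the parameter as `uint8_t instruction` would make the byte-sized opcode contract explicit. The parameter spelled `intruction` in `yr_parser_reduce_external` is a typo that could be fixed at the same time.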

467
x64_dbg_dbg/yara/yara/pe.h Normal file

@ -0,0 +1,467 @@
/*
Copyright (c) 2013. The YARA Authors. All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#pragma pack(push, 1)
#ifdef _WIN32
#include <windows.h>
// These definitions are not present in older Windows headers.
#ifndef IMAGE_FILE_MACHINE_ARMNT
#define IMAGE_FILE_MACHINE_ARMNT 0x01c4
#endif
#ifndef IMAGE_FILE_MACHINE_ARM64
#define IMAGE_FILE_MACHINE_ARM64 0xaa64
#endif
#else
#include <stdint.h>
#include <stdlib.h>
typedef uint8_t BYTE;
typedef uint16_t WORD;
typedef uint32_t DWORD;
typedef int32_t LONG;
typedef uint32_t ULONG;
typedef uint64_t ULONGLONG;
#define FIELD_OFFSET(type, field) ((size_t)&(((type *)0)->field))
#ifndef _MAC
#define IMAGE_DOS_SIGNATURE 0x5A4D // MZ
#define IMAGE_OS2_SIGNATURE 0x454E // NE
#define IMAGE_OS2_SIGNATURE_LE 0x454C // LE
#define IMAGE_VXD_SIGNATURE 0x454C // LE
#define IMAGE_NT_SIGNATURE 0x00004550 // PE00
#else
#define IMAGE_DOS_SIGNATURE 0x4D5A // MZ
#define IMAGE_OS2_SIGNATURE 0x4E45 // NE
#define IMAGE_OS2_SIGNATURE_LE 0x4C45 // LE
#define IMAGE_NT_SIGNATURE 0x50450000 // PE00
#endif
#pragma pack(push, 2)
typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header
WORD e_magic; // Magic number
WORD e_cblp; // Bytes on last page of file
WORD e_cp; // Pages in file
WORD e_crlc; // Relocations
WORD e_cparhdr; // Size of header in paragraphs
WORD e_minalloc; // Minimum extra paragraphs needed
WORD e_maxalloc; // Maximum extra paragraphs needed
WORD e_ss; // Initial (relative) SS value
WORD e_sp; // Initial SP value
WORD e_csum; // Checksum
WORD e_ip; // Initial IP value
WORD e_cs; // Initial (relative) CS value
WORD e_lfarlc; // File address of relocation table
WORD e_ovno; // Overlay number
WORD e_res[4]; // Reserved words
WORD e_oemid; // OEM identifier (for e_oeminfo)
WORD e_oeminfo; // OEM information; e_oemid specific
WORD e_res2[10]; // Reserved words
LONG e_lfanew; // File address of new exe header
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;
#pragma pack(pop)
//
// File header format.
//
#pragma pack(push,4)
typedef struct _IMAGE_FILE_HEADER {
WORD Machine;
WORD NumberOfSections;
DWORD TimeDateStamp;
DWORD PointerToSymbolTable;
DWORD NumberOfSymbols;
WORD SizeOfOptionalHeader;
WORD Characteristics;
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
#define IMAGE_SIZEOF_FILE_HEADER 20
#define IMAGE_FILE_RELOCS_STRIPPED 0x0001 // Relocation info stripped from file.
#define IMAGE_FILE_EXECUTABLE_IMAGE 0x0002 // File is executable (i.e. no unresolved externel references).
#define IMAGE_FILE_LINE_NUMS_STRIPPED 0x0004 // Line nunbers stripped from file.
#define IMAGE_FILE_LOCAL_SYMS_STRIPPED 0x0008 // Local symbols stripped from file.
#define IMAGE_FILE_AGGRESIVE_WS_TRIM 0x0010 // Agressively trim working set
#define IMAGE_FILE_LARGE_ADDRESS_AWARE 0x0020 // App can handle >2gb addresses
#define IMAGE_FILE_BYTES_REVERSED_LO 0x0080 // Bytes of machine word are reversed.
#define IMAGE_FILE_32BIT_MACHINE 0x0100 // 32 bit word machine.
#define IMAGE_FILE_DEBUG_STRIPPED 0x0200 // Debugging info stripped from file in .DBG file
#define IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP 0x0400 // If Image is on removable media, copy and run from the swap file.
#define IMAGE_FILE_NET_RUN_FROM_SWAP 0x0800 // If Image is on Net, copy and run from the swap file.
#define IMAGE_FILE_SYSTEM 0x1000 // System File.
#define IMAGE_FILE_DLL 0x2000 // File is a DLL.
#define IMAGE_FILE_UP_SYSTEM_ONLY 0x4000 // File should only be run on a UP machine
#define IMAGE_FILE_BYTES_REVERSED_HI 0x8000 // Bytes of machine word are reversed.
#define IMAGE_FILE_MACHINE_UNKNOWN 0x0000
#define IMAGE_FILE_MACHINE_AM33 0x01d3
#define IMAGE_FILE_MACHINE_AMD64 0x8664
#define IMAGE_FILE_MACHINE_ARM 0x01c0
#define IMAGE_FILE_MACHINE_ARMNT 0x01c4
#define IMAGE_FILE_MACHINE_ARM64 0xaa64
#define IMAGE_FILE_MACHINE_EBC 0x0ebc
#define IMAGE_FILE_MACHINE_I386 0x014c
#define IMAGE_FILE_MACHINE_IA64 0x0200
#define IMAGE_FILE_MACHINE_M32R 0x9041
#define IMAGE_FILE_MACHINE_MIPS16 0x0266
#define IMAGE_FILE_MACHINE_MIPSFPU 0x0366
#define IMAGE_FILE_MACHINE_MIPSFPU16 0x0466
#define IMAGE_FILE_MACHINE_POWERPC 0x01f0
#define IMAGE_FILE_MACHINE_POWERPCFP 0x01f1
#define IMAGE_FILE_MACHINE_R4000 0x0166
#define IMAGE_FILE_MACHINE_SH3 0x01a2
#define IMAGE_FILE_MACHINE_SH3DSP 0x01a3
#define IMAGE_FILE_MACHINE_SH4 0x01a6
#define IMAGE_FILE_MACHINE_SH5 0x01a8
#define IMAGE_FILE_MACHINE_THUMB 0x01c2
#define IMAGE_FILE_MACHINE_WCEMIPSV2 0x0169
// Section characteristics
#define IMAGE_SCN_CNT_CODE 0x00000020
#define IMAGE_SCN_CNT_INITIALIZED_DATA 0x00000040
#define IMAGE_SCN_CNT_UNINITIALIZED_DATA 0x00000080
#define IMAGE_SCN_GPREL 0x00008000
#define IMAGE_SCN_MEM_16BIT 0x00020000
#define IMAGE_SCN_LNK_NRELOC_OVFL 0x01000000
#define IMAGE_SCN_MEM_DISCARDABLE 0x02000000
#define IMAGE_SCN_MEM_NOT_CACHED 0x04000000
#define IMAGE_SCN_MEM_NOT_PAGED 0x08000000
#define IMAGE_SCN_MEM_SHARED 0x10000000
#define IMAGE_SCN_MEM_EXECUTE 0x20000000
#define IMAGE_SCN_MEM_READ 0x40000000
#define IMAGE_SCN_MEM_WRITE 0x80000000
//
// Directory format.
//
typedef struct _IMAGE_DATA_DIRECTORY {
DWORD VirtualAddress;
DWORD Size;
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16
#define IMAGE_DIRECTORY_ENTRY_EXPORT 0 // Export Directory
#define IMAGE_DIRECTORY_ENTRY_IMPORT 1 // Import Directory
#define IMAGE_DIRECTORY_ENTRY_RESOURCE 2 // Resource Directory
#define IMAGE_DIRECTORY_ENTRY_EXCEPTION 3 // Exception Directory
#define IMAGE_DIRECTORY_ENTRY_SECURITY 4 // Security Directory
#define IMAGE_DIRECTORY_ENTRY_BASERELOC 5 // Base Relocation Table
#define IMAGE_DIRECTORY_ENTRY_DEBUG 6 // Debug Directory
#define IMAGE_DIRECTORY_ENTRY_COPYRIGHT 7 // (X86 usage)
#define IMAGE_DIRECTORY_ENTRY_ARCHITECTURE 7 // Architecture Specific Data
#define IMAGE_DIRECTORY_ENTRY_GLOBALPTR 8 // RVA of GP
#define IMAGE_DIRECTORY_ENTRY_TLS 9 // TLS Directory
#define IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 10 // Load Configuration Directory
#define IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 11 // Bound Import Directory in headers
#define IMAGE_DIRECTORY_ENTRY_IAT 12 // Import Address Table
#define IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 13 // Delay Load Import Descriptors
#define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14 // COM Runtime descriptor
//
// Optional header format.
//
typedef struct _IMAGE_OPTIONAL_HEADER32 {
WORD Magic;
BYTE MajorLinkerVersion;
BYTE MinorLinkerVersion;
DWORD SizeOfCode;
DWORD SizeOfInitializedData;
DWORD SizeOfUninitializedData;
DWORD AddressOfEntryPoint;
DWORD BaseOfCode;
DWORD BaseOfData;
DWORD ImageBase;
DWORD SectionAlignment;
DWORD FileAlignment;
WORD MajorOperatingSystemVersion;
WORD MinorOperatingSystemVersion;
WORD MajorImageVersion;
WORD MinorImageVersion;
WORD MajorSubsystemVersion;
WORD MinorSubsystemVersion;
DWORD Win32VersionValue;
DWORD SizeOfImage;
DWORD SizeOfHeaders;
DWORD CheckSum;
WORD Subsystem;
WORD DllCharacteristics;
DWORD SizeOfStackReserve;
DWORD SizeOfStackCommit;
DWORD SizeOfHeapReserve;
DWORD SizeOfHeapCommit;
DWORD LoaderFlags;
DWORD NumberOfRvaAndSizes;
IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;
typedef struct _IMAGE_OPTIONAL_HEADER64 {
WORD Magic;
BYTE MajorLinkerVersion;
BYTE MinorLinkerVersion;
DWORD SizeOfCode;
DWORD SizeOfInitializedData;
DWORD SizeOfUninitializedData;
DWORD AddressOfEntryPoint;
DWORD BaseOfCode;
ULONGLONG ImageBase;
DWORD SectionAlignment;
DWORD FileAlignment;
WORD MajorOperatingSystemVersion;
WORD MinorOperatingSystemVersion;
WORD MajorImageVersion;
WORD MinorImageVersion;
WORD MajorSubsystemVersion;
WORD MinorSubsystemVersion;
DWORD Win32VersionValue;
DWORD SizeOfImage;
DWORD SizeOfHeaders;
DWORD CheckSum;
WORD Subsystem;
WORD DllCharacteristics;
ULONGLONG SizeOfStackReserve;
ULONGLONG SizeOfStackCommit;
ULONGLONG SizeOfHeapReserve;
ULONGLONG SizeOfHeapCommit;
DWORD LoaderFlags;
DWORD NumberOfRvaAndSizes;
IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER64, *PIMAGE_OPTIONAL_HEADER64;
#define IMAGE_NT_OPTIONAL_HDR32_MAGIC 0x10b
#define IMAGE_NT_OPTIONAL_HDR64_MAGIC 0x20b
typedef struct _IMAGE_NT_HEADERS32 {
DWORD Signature;
IMAGE_FILE_HEADER FileHeader;
IMAGE_OPTIONAL_HEADER32 OptionalHeader;
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;
typedef struct _IMAGE_NT_HEADERS64 {
DWORD Signature;
IMAGE_FILE_HEADER FileHeader;
IMAGE_OPTIONAL_HEADER64 OptionalHeader;
} IMAGE_NT_HEADERS64, *PIMAGE_NT_HEADERS64;
// IMAGE_FIRST_SECTION doesn't need 32/64 versions since the file header is
// the same either way.
#define IMAGE_FIRST_SECTION( ntheader ) ((PIMAGE_SECTION_HEADER) \
((BYTE*)ntheader + \
FIELD_OFFSET( IMAGE_NT_HEADERS32, OptionalHeader ) + \
((PIMAGE_NT_HEADERS32)(ntheader))->FileHeader.SizeOfOptionalHeader \
))
// Subsystem Values
#define IMAGE_SUBSYSTEM_UNKNOWN 0 // Unknown subsystem.
#define IMAGE_SUBSYSTEM_NATIVE 1 // Image doesn't require a subsystem.
#define IMAGE_SUBSYSTEM_WINDOWS_GUI 2 // Image runs in the Windows GUI subsystem.
#define IMAGE_SUBSYSTEM_WINDOWS_CUI 3 // Image runs in the Windows character subsystem.
#define IMAGE_SUBSYSTEM_OS2_CUI 5 // image runs in the OS/2 character subsystem.
#define IMAGE_SUBSYSTEM_POSIX_CUI 7 // image runs in the Posix character subsystem.
#define IMAGE_SUBSYSTEM_NATIVE_WINDOWS 8 // image is a native Win9x driver.
//
// Section header format.
//
#define IMAGE_SIZEOF_SHORT_NAME 8
typedef struct _IMAGE_SECTION_HEADER {
BYTE Name[IMAGE_SIZEOF_SHORT_NAME];
union {
DWORD PhysicalAddress;
DWORD VirtualSize;
} Misc;
DWORD VirtualAddress;
DWORD SizeOfRawData;
DWORD PointerToRawData;
DWORD PointerToRelocations;
DWORD PointerToLinenumbers;
WORD NumberOfRelocations;
WORD NumberOfLinenumbers;
DWORD Characteristics;
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;
#define IMAGE_SIZEOF_SECTION_HEADER 40
typedef struct _IMAGE_EXPORT_DIRECTORY {
DWORD Characteristics;
DWORD TimeDateStamp;
WORD MajorVersion;
WORD MinorVersion;
DWORD Name;
DWORD Base;
DWORD NumberOfFunctions;
DWORD NumberOfNames;
DWORD AddressOfFunctions;
DWORD AddressOfNames;
DWORD AddressOfNameOrdinals;
} IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;
typedef struct _IMAGE_IMPORT_DESCRIPTOR {
union {
DWORD Characteristics;
DWORD OriginalFirstThunk;
} ;
DWORD TimeDateStamp;
DWORD ForwarderChain;
DWORD Name;
DWORD FirstThunk;
} IMAGE_IMPORT_DESCRIPTOR, *PIMAGE_IMPORT_DESCRIPTOR;
typedef struct _IMAGE_IMPORT_BY_NAME {
WORD Hint;
BYTE Name[1];
} IMAGE_IMPORT_BY_NAME, *PIMAGE_IMPORT_BY_NAME;
typedef struct _IMAGE_THUNK_DATA32 {
union {
DWORD ForwarderString;
DWORD Function;
DWORD Ordinal;
DWORD AddressOfData;
} u1;
} IMAGE_THUNK_DATA32, *PIMAGE_THUNK_DATA32;
#define IMAGE_ORDINAL_FLAG32 0x80000000
#define IMAGE_ORDINAL_FLAG64 0x8000000000000000L
typedef struct _IMAGE_THUNK_DATA64 {
union {
ULONGLONG ForwarderString;
ULONGLONG Function;
ULONGLONG Ordinal;
ULONGLONG AddressOfData;
} u1;
} IMAGE_THUNK_DATA64, *PIMAGE_THUNK_DATA64;
typedef struct _IMAGE_RESOURCE_DIRECTORY_ENTRY {
DWORD Name;
DWORD OffsetToData;
} IMAGE_RESOURCE_DIRECTORY_ENTRY, *PIMAGE_RESOURCE_DIRECTORY_ENTRY;
typedef struct _IMAGE_RESOURCE_DATA_ENTRY {
DWORD OffsetToData;
DWORD Size;
DWORD CodePage;
DWORD Reserved;
} IMAGE_RESOURCE_DATA_ENTRY,*PIMAGE_RESOURCE_DATA_ENTRY;
typedef struct _IMAGE_RESOURCE_DIRECTORY {
DWORD Characteristics;
DWORD TimeDateStamp;
WORD MajorVersion;
WORD MinorVersion;
WORD NumberOfNamedEntries;
WORD NumberOfIdEntries;
} IMAGE_RESOURCE_DIRECTORY, *PIMAGE_RESOURCE_DIRECTORY;
#pragma pack(pop)
#endif // _WIN32
typedef struct _VERSION_INFO {
WORD Length;
WORD ValueLength;
WORD Type;
char Key[0];
} VERSION_INFO, *PVERSION_INFO;
#define WIN_CERT_REVISION_1_0 0x0100
#define WIN_CERT_REVISION_2_0 0x0200
#define WIN_CERT_TYPE_X509 0x0001
#define WIN_CERT_TYPE_PKCS_SIGNED_DATA 0x0002
#define WIN_CERT_TYPE_RESERVED_1 0x0003
#define WIN_CERT_TYPE_TS_STACK_SIGNED 0x0004
typedef struct _WIN_CERTIFICATE {
DWORD Length;
WORD Revision;
WORD CertificateType;
BYTE Certificate[1];
} WIN_CERTIFICATE, *PWIN_CERTIFICATE;
//
// Rich signature.
// http://www.ntcore.com/files/richsign.htm
//
typedef struct _RICH_SIGNATURE {
DWORD dans;
DWORD key1;
DWORD key2;
DWORD key3;
} RICH_SIGNATURE, *PRICH_SIGNATURE;
#define RICH_DANS 0x536e6144 // "DanS"
#define RICH_RICH 0x68636952 // "Rich"
typedef struct _RICH_DATA {
size_t len;
BYTE* raw_data;
BYTE* clear_data;
} RICH_DATA, *PRICH_DATA;
#pragma pack(pop)


@ -0,0 +1,26 @@
/*
Copyright (c) 2007. The YARA Authors. All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#ifndef YR_PROC_H
#define YR_PROC_H
#include "types.h"
int yr_process_get_memory(
int pid,
YR_MEMORY_BLOCK** first_block);
#endif

236
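--- a/x64_dbg_dbg/yara/yara/re.h
+++ b/x64_dbg_dbg/yara/yara/re.h
@@ -0,0 +1,236 @@
+/*
+Copyright (c) 2013. The YARA Authors. All Rights Reserved.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+#ifndef YR_RE_H
+#define YR_RE_H
+#include <ctype.h>
+#include "arena.h"
+#include "sizedstr.h"
+#define RE_NODE_LITERAL 1
+#define RE_NODE_MASKED_LITERAL 2
+#define RE_NODE_ANY 3
+#define RE_NODE_CONCAT 4
+#define RE_NODE_ALT 5
+#define RE_NODE_RANGE 6
+#define RE_NODE_STAR 7
+#define RE_NODE_PLUS 8
+#define RE_NODE_CLASS 9
+#define RE_NODE_WORD_CHAR 10
+#define RE_NODE_NON_WORD_CHAR 11
+#define RE_NODE_SPACE 12
+#define RE_NODE_NON_SPACE 13
+#define RE_NODE_DIGIT 14
+#define RE_NODE_NON_DIGIT 15
+#define RE_NODE_EMPTY 16
+#define RE_NODE_ANCHOR_START 17
+#define RE_NODE_ANCHOR_END 18
+#define RE_NODE_WORD_BOUNDARY 19
+#define RE_NODE_NON_WORD_BOUNDARY 20
+#define RE_OPCODE_ANY 0xA0
+#define RE_OPCODE_ANY_EXCEPT_NEW_LINE 0xA1
+#define RE_OPCODE_LITERAL 0xA2
+#define RE_OPCODE_LITERAL_NO_CASE 0xA3
+#define RE_OPCODE_MASKED_LITERAL 0xA4
+#define RE_OPCODE_CLASS 0xA5
+#define RE_OPCODE_CLASS_NO_CASE 0xA6
+#define RE_OPCODE_WORD_CHAR 0xA7
+#define RE_OPCODE_NON_WORD_CHAR 0xA8
+#define RE_OPCODE_SPACE 0xA9
+#define RE_OPCODE_NON_SPACE 0xAA
+#define RE_OPCODE_DIGIT 0xAB
+#define RE_OPCODE_NON_DIGIT 0xAC
+#define RE_OPCODE_MATCH 0xAD
+#define RE_OPCODE_MATCH_AT_END 0xB0
+#define RE_OPCODE_MATCH_AT_START 0xB1
+#define RE_OPCODE_WORD_BOUNDARY 0xB2
+#define RE_OPCODE_NON_WORD_BOUNDARY 0xB3
+#define RE_OPCODE_SPLIT_A 0xC0
+#define RE_OPCODE_SPLIT_B 0xC1
+#define RE_OPCODE_PUSH 0xC2
+#define RE_OPCODE_POP 0xC3
+#define RE_OPCODE_JNZ 0xC4
+#define RE_OPCODE_JUMP 0xC5
+#define RE_FLAGS_FAST_HEX_REGEXP 0x02
+#define RE_FLAGS_BACKWARDS 0x04
+#define RE_FLAGS_EXHAUSTIVE 0x08
+#define RE_FLAGS_WIDE 0x10
+#define RE_FLAGS_NO_CASE 0x20
+#define RE_FLAGS_SCAN 0x40
+#define RE_FLAGS_DOT_ALL 0x80
+#define RE_FLAGS_NOT_AT_START 0x100
+typedef struct RE RE;
+typedef struct RE_NODE RE_NODE;
+typedef struct RE_ERROR RE_ERROR;
+typedef uint8_t* RE_CODE;
+#define CHAR_IN_CLASS(chr, cls) \
+((cls)[(chr) / 8] & 1 << ((chr) % 8))
+#define IS_WORD_CHAR(chr) \
+(isalnum(chr) || (chr) == '_')
+struct RE_NODE
+{
+int type;
+union {
+int value;
+int count;
+int start;
+};
+union {
+int mask;
+int end;
+};
+int greedy;
+uint8_t* class_vector;
+RE_NODE* left;
+RE_NODE* right;
+RE_CODE forward_code;
+RE_CODE backward_code;
+};
+struct RE {
+uint32_t flags;
+RE_NODE* root_node;
+YR_ARENA* code_arena;
+RE_CODE code;
+};
+struct RE_ERROR {
+char message[512];
+};
+typedef int RE_MATCH_CALLBACK_FUNC(
+uint8_t* match,
+int match_length,
+int flags,
+void* args);
+int yr_re_create(
+RE** re);
+int yr_re_parse(
+const char* re_string,
+int flags,
+RE** re,
+RE_ERROR* error);
+int yr_re_parse_hex(
+const char* hex_string,
+int flags,
+RE** re,
+RE_ERROR* error);
+int yr_re_compile(
+const char* re_string,
+int flags,
+YR_ARENA* code_arena,
+RE** re,
+RE_ERROR* error);
+void yr_re_destroy(
+RE* re);
+void yr_re_print(
+RE* re);
+RE_NODE* yr_re_node_create(
+int type,
+RE_NODE* left,
+RE_NODE* right);
+void yr_re_node_destroy(
+RE_NODE* node);
+SIZED_STRING* yr_re_extract_literal(
+RE* re);
+int yr_re_contains_dot_star(
+RE* re);
+int yr_re_split_at_chaining_point(
+RE* re,
+RE** result_re,
+RE** remainder_re,
+int32_t* min_gap,
+int32_t* max_gap);
+int yr_re_emit_code(
+RE* re,
+YR_ARENA* arena);
+int yr_re_exec(
+RE_CODE re_code,
+uint8_t* input,
+size_t input_size,
+int flags,
+RE_MATCH_CALLBACK_FUNC callback,
+void* callback_args);
+int yr_re_match(
+RE_CODE re_code,
+const char* target);
+int yr_re_initialize(void);
+int yr_re_finalize(void);
+int yr_re_finalize_thread(void);
+#endif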


@ -0,0 +1,97 @@
/*
Copyright (c) 2013. The YARA Authors. All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#undef yyparse
#undef yylex
#undef yyerror
#undef yyfatal
#undef yychar
#undef yydebug
#undef yynerrs
#undef yyget_extra
#undef yyget_lineno
#undef YY_FATAL_ERROR
#undef YY_DECL
#undef LEX_ENV
#define yyparse re_yyparse
#define yylex re_yylex
#define yyerror re_yyerror
#define yyfatal re_yyfatal
#define yychar re_yychar
#define yydebug re_yydebug
#define yynerrs re_yynerrs
#define yyget_extra re_yyget_extra
#define yyget_lineno re_yyget_lineno
#ifndef YY_TYPEDEF_YY_SCANNER_T
#define YY_TYPEDEF_YY_SCANNER_T
typedef void* yyscan_t;
#endif
#define YY_EXTRA_TYPE RE*
#define YY_USE_CONST
typedef struct _RE_LEX_ENVIRONMENT
{
int negated_class;
uint8_t class_vector[32];
int last_error_code;
char last_error_message[256];
} RE_LEX_ENVIRONMENT;
#define LEX_ENV ((RE_LEX_ENVIRONMENT*) lex_env)
#define YY_FATAL_ERROR(msg) re_yyfatal(yyscanner, msg)
#include <re_grammar.h>
#define YY_DECL int re_yylex \
(YYSTYPE * yylval_param , yyscan_t yyscanner, RE_LEX_ENVIRONMENT* lex_env)
YY_EXTRA_TYPE yyget_extra(
yyscan_t yyscanner);
int yylex(
YYSTYPE* yylval_param,
yyscan_t yyscanner,
RE_LEX_ENVIRONMENT* lex_env);
int yyparse(
void *yyscanner,
RE_LEX_ENVIRONMENT *lex_env);
void yyerror(
yyscan_t yyscanner,
RE_LEX_ENVIRONMENT* lex_env,
const char *error_message);
void yyfatal(
yyscan_t yyscanner,
const char *error_message);
int yr_parse_re_string(
const char* re_string,
int flags,
RE** re,
RE_ERROR* error);


@ -0,0 +1,127 @@
/*
Copyright (c) 2014. The YARA Authors. All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#ifndef YR_RULES_H
#define YR_RULES_H
#include "types.h"
#include "utils.h"
#define CALLBACK_MSG_RULE_MATCHING 1
#define CALLBACK_MSG_RULE_NOT_MATCHING 2
#define CALLBACK_MSG_SCAN_FINISHED 3
#define CALLBACK_MSG_IMPORT_MODULE 4
#define CALLBACK_CONTINUE 0
#define CALLBACK_ABORT 1
#define CALLBACK_ERROR 2
#define yr_rule_tags_foreach(rule, tag_name) \
for (tag_name = rule->tags; \
tag_name != NULL && *tag_name != '\0'; \
tag_name += strlen(tag_name) + 1)
#define yr_rule_metas_foreach(rule, meta) \
for (meta = rule->metas; !META_IS_NULL(meta); meta++)
#define yr_rule_strings_foreach(rule, string) \
for (string = rule->strings; !STRING_IS_NULL(string); string++)
#define yr_string_matches_foreach(string, match) \
for (match = STRING_MATCHES(string).head; match != NULL; match = match->next)
#define yr_rules_foreach(rules, rule) \
for (rule = rules->rules_list_head; !RULE_IS_NULL(rule); rule++)
YR_API int yr_rules_scan_mem(
YR_RULES* rules,
uint8_t* buffer,
size_t buffer_size,
int flags,
YR_CALLBACK_FUNC callback,
void* user_data,
int timeout);
YR_API int yr_rules_scan_file(
YR_RULES* rules,
const char* filename,
int flags,
YR_CALLBACK_FUNC callback,
void* user_data,
int timeout);
YR_API int yr_rules_scan_proc(
YR_RULES* rules,
int pid,
int flags,
YR_CALLBACK_FUNC callback,
void* user_data,
int timeout);
YR_API int yr_rules_save(
YR_RULES* rules,
const char* filename);
YR_API int yr_rules_load(
const char* filename,
YR_RULES** rules);
YR_API int yr_rules_destroy(
YR_RULES* rules);
YR_API int yr_rules_define_integer_variable(
YR_RULES* rules,
const char* identifier,
int64_t value);
YR_API int yr_rules_define_boolean_variable(
YR_RULES* rules,
const char* identifier,
int value);
YR_API int yr_rules_define_float_variable(
YR_RULES* rules,
const char* identifier,
double value);
YR_API int yr_rules_define_string_variable(
YR_RULES* rules,
const char* identifier,
const char* value);
YR_API void yr_rules_print_profiling_info(
YR_RULES* rules);
#endif


@ -0,0 +1,35 @@
/*
Copyright (c) 2014. The YARA Authors. All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#ifndef YR_SCAN_H
#define YR_SCAN_H
#include "types.h"
#define SCAN_FLAGS_FAST_MODE 1
#define SCAN_FLAGS_PROCESS_MEMORY 2
int yr_scan_verify_match(
YR_AC_MATCH* ac_match,
uint8_t* data,
size_t data_size,
size_t data_base,
size_t offset,
YR_ARENA* matches_arena,
int flags);
#endif


@ -0,0 +1,42 @@
/*
Copyright (c) 2007-2014. The YARA Authors. All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#ifndef _SIZEDSTR_H
#define _SIZEDSTR_H
//
// This struct is used to support strings containing null chars. The length of
// the string is stored along the string data. However the string data is also
// terminated with a null char.
//
#define SIZED_STRING_FLAGS_NO_CASE 1
#define SIZED_STRING_FLAGS_DOT_ALL 2
typedef struct _SIZED_STRING
{
int length;
int flags;
char c_string[1];
} SIZED_STRING;
int sized_string_cmp(
SIZED_STRING* s1,
SIZED_STRING* s2);
#endif


@ -0,0 +1,77 @@
/*
Copyright (c) 2007-2014. The YARA Authors. All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#ifndef YR_STRUTILS_H
#define YR_STRUTILS_H
#include <assert.h>
#include <stdlib.h>
#include <stdint.h>
#include "config.h"
#ifdef _WIN32
#define snprintf _snprintf
#define strcasecmp _stricmp
#define strncasecmp _strnicmp
#endif
uint64_t xtoi(
const char* hexstr);
#if !HAVE_STRLCPY
size_t strlcpy(
char *dst,
const char *src,
size_t size);
#endif
#if !HAVE_STRLCAT
size_t strlcat(
char *dst,
const char *src,
size_t size);
#endif
#if !HAVE_MEMMEM
void* memmem(
const void *haystack,
size_t haystack_size,
const void *needle,
size_t needle_size);
#endif
int strlen_w(
const char* w_str);
int strcmp_w(
const char* w_str,
const char* str);
size_t strlcpy_w(
char* dst,
const char* w_src,
size_t n);
#endif


@ -0,0 +1,519 @@
/*
Copyright (c) 2013. The YARA Authors. All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#ifndef YR_TYPES_H
#define YR_TYPES_H
#include "arena.h"
#include "re.h"
#include "limits.h"
#include "hash.h"
#ifdef _WIN32
#include <windows.h>
typedef HANDLE mutex_t;
#else
#include <pthread.h>
typedef pthread_mutex_t mutex_t;
#endif
typedef int32_t tidx_mask_t;
#define DECLARE_REFERENCE(type, name) \
union { type name; int64_t name##_; }
#pragma pack(push)
#pragma pack(1)
#define NAMESPACE_TFLAGS_UNSATISFIED_GLOBAL 0x01
#define NAMESPACE_HAS_UNSATISFIED_GLOBAL(x) \
((x)->t_flags[yr_get_tidx()] & NAMESPACE_TFLAGS_UNSATISFIED_GLOBAL)
typedef struct _YR_NAMESPACE
{
int32_t t_flags[MAX_THREADS]; // Thread-specific flags
DECLARE_REFERENCE(char*, name);
} YR_NAMESPACE;
#define META_TYPE_NULL 0
#define META_TYPE_INTEGER 1
#define META_TYPE_STRING 2
#define META_TYPE_BOOLEAN 3
#define META_IS_NULL(x) \
((x) != NULL ? (x)->type == META_TYPE_NULL : TRUE)
typedef struct _YR_META
{
int32_t type;
int32_t integer;
DECLARE_REFERENCE(const char*, identifier);
DECLARE_REFERENCE(char*, string);
} YR_META;
typedef struct _YR_MATCH
{
int64_t base;
int64_t offset;
int32_t length;
union {
uint8_t* data; // Confirmed matches use "data",
int32_t chain_length; // unconfirmed ones use "chain_length"
};
struct _YR_MATCH* prev;
struct _YR_MATCH* next;
} YR_MATCH;
typedef struct _YR_MATCHES
{
int32_t count;
DECLARE_REFERENCE(YR_MATCH*, head);
DECLARE_REFERENCE(YR_MATCH*, tail);
} YR_MATCHES;
#define STRING_GFLAGS_REFERENCED 0x01
#define STRING_GFLAGS_HEXADECIMAL 0x02
#define STRING_GFLAGS_NO_CASE 0x04
#define STRING_GFLAGS_ASCII 0x08
#define STRING_GFLAGS_WIDE 0x10
#define STRING_GFLAGS_REGEXP 0x20
#define STRING_GFLAGS_FAST_HEX_REGEXP 0x40
#define STRING_GFLAGS_FULL_WORD 0x80
#define STRING_GFLAGS_ANONYMOUS 0x100
#define STRING_GFLAGS_SINGLE_MATCH 0x200
#define STRING_GFLAGS_LITERAL 0x400
#define STRING_GFLAGS_FITS_IN_ATOM 0x800
#define STRING_GFLAGS_NULL 0x1000
#define STRING_GFLAGS_CHAIN_PART 0x2000
#define STRING_GFLAGS_CHAIN_TAIL 0x4000
#define STRING_GFLAGS_FIXED_OFFSET 0x8000
#define STRING_IS_HEX(x) \
(((x)->g_flags) & STRING_GFLAGS_HEXADECIMAL)
#define STRING_IS_NO_CASE(x) \
(((x)->g_flags) & STRING_GFLAGS_NO_CASE)
#define STRING_IS_ASCII(x) \
(((x)->g_flags) & STRING_GFLAGS_ASCII)
#define STRING_IS_WIDE(x) \
(((x)->g_flags) & STRING_GFLAGS_WIDE)
#define STRING_IS_REGEXP(x) \
(((x)->g_flags) & STRING_GFLAGS_REGEXP)
#define STRING_IS_FULL_WORD(x) \
(((x)->g_flags) & STRING_GFLAGS_FULL_WORD)
#define STRING_IS_ANONYMOUS(x) \
(((x)->g_flags) & STRING_GFLAGS_ANONYMOUS)
#define STRING_IS_REFERENCED(x) \
(((x)->g_flags) & STRING_GFLAGS_REFERENCED)
#define STRING_IS_SINGLE_MATCH(x) \
(((x)->g_flags) & STRING_GFLAGS_SINGLE_MATCH)
#define STRING_IS_FIXED_OFFSET(x) \
(((x)->g_flags) & STRING_GFLAGS_FIXED_OFFSET)
#define STRING_IS_LITERAL(x) \
(((x)->g_flags) & STRING_GFLAGS_LITERAL)
#define STRING_IS_FAST_HEX_REGEXP(x) \
(((x)->g_flags) & STRING_GFLAGS_FAST_HEX_REGEXP)
#define STRING_IS_CHAIN_PART(x) \
(((x)->g_flags) & STRING_GFLAGS_CHAIN_PART)
#define STRING_IS_CHAIN_TAIL(x) \
(((x)->g_flags) & STRING_GFLAGS_CHAIN_TAIL)
#define STRING_IS_NULL(x) \
((x) == NULL || ((x)->g_flags) & STRING_GFLAGS_NULL)
#define STRING_FITS_IN_ATOM(x) \
(((x)->g_flags) & STRING_GFLAGS_FITS_IN_ATOM)
#define STRING_FOUND(x) \
((x)->matches[yr_get_tidx()].tail != NULL)
#define STRING_MATCHES(x) \
((x)->matches[yr_get_tidx()])
typedef struct _YR_STRING
{
int32_t g_flags;
int32_t length;
DECLARE_REFERENCE(char*, identifier);
DECLARE_REFERENCE(uint8_t*, string);
DECLARE_REFERENCE(struct _YR_STRING*, chained_to);
int32_t chain_gap_min;
int32_t chain_gap_max;
int64_t fixed_offset;
YR_MATCHES matches[MAX_THREADS];
YR_MATCHES unconfirmed_matches[MAX_THREADS];
#ifdef PROFILING_ENABLED
uint64_t clock_ticks;
#endif
} YR_STRING;
#define RULE_TFLAGS_MATCH 0x01
#define RULE_GFLAGS_PRIVATE 0x01
#define RULE_GFLAGS_GLOBAL 0x02
#define RULE_GFLAGS_REQUIRE_EXECUTABLE 0x04
#define RULE_GFLAGS_REQUIRE_FILE 0x08
#define RULE_GFLAGS_NULL 0x1000
#define RULE_IS_PRIVATE(x) \
(((x)->g_flags) & RULE_GFLAGS_PRIVATE)
#define RULE_IS_GLOBAL(x) \
(((x)->g_flags) & RULE_GFLAGS_GLOBAL)
#define RULE_IS_NULL(x) \
(((x)->g_flags) & RULE_GFLAGS_NULL)
#define RULE_MATCHES(x) \
((x)->t_flags[yr_get_tidx()] & RULE_TFLAGS_MATCH)
typedef struct _YR_RULE
{
int32_t g_flags; // Global flags
int32_t t_flags[MAX_THREADS]; // Thread-specific flags
DECLARE_REFERENCE(const char*, identifier);
DECLARE_REFERENCE(const char*, tags);
DECLARE_REFERENCE(YR_META*, metas);
DECLARE_REFERENCE(YR_STRING*, strings);
DECLARE_REFERENCE(YR_NAMESPACE*, ns);
#ifdef PROFILING_ENABLED
uint64_t clock_ticks;
#endif
} YR_RULE;
#define EXTERNAL_VARIABLE_TYPE_NULL 0
#define EXTERNAL_VARIABLE_TYPE_FLOAT 1
#define EXTERNAL_VARIABLE_TYPE_INTEGER 2
#define EXTERNAL_VARIABLE_TYPE_BOOLEAN 3
#define EXTERNAL_VARIABLE_TYPE_STRING 4
#define EXTERNAL_VARIABLE_TYPE_MALLOC_STRING 5
#define EXTERNAL_VARIABLE_IS_NULL(x) \
((x) != NULL ? (x)->type == EXTERNAL_VARIABLE_TYPE_NULL : TRUE)
typedef struct _YR_EXTERNAL_VARIABLE
{
int32_t type;
union {
int64_t i;
double f;
char* s;
} value;
DECLARE_REFERENCE(char*, identifier);
} YR_EXTERNAL_VARIABLE;
typedef struct _YR_AC_MATCH
{
uint16_t backtrack;
DECLARE_REFERENCE(YR_STRING*, string);
DECLARE_REFERENCE(uint8_t*, forward_code);
DECLARE_REFERENCE(uint8_t*, backward_code);
DECLARE_REFERENCE(struct _YR_AC_MATCH*, next);
} YR_AC_MATCH;
typedef struct _YR_AC_STATE
{
int8_t depth;
DECLARE_REFERENCE(struct _YR_AC_STATE*, failure);
DECLARE_REFERENCE(YR_AC_MATCH*, matches);
} YR_AC_STATE;
typedef struct _YR_AC_STATE_TRANSITION
{
uint8_t input;
DECLARE_REFERENCE(YR_AC_STATE*, state);
DECLARE_REFERENCE(struct _YR_AC_STATE_TRANSITION*, next);
} YR_AC_STATE_TRANSITION;
typedef struct _YR_AC_TABLE_BASED_STATE
{
int8_t depth;
DECLARE_REFERENCE(YR_AC_STATE*, failure);
DECLARE_REFERENCE(YR_AC_MATCH*, matches);
DECLARE_REFERENCE(YR_AC_STATE*, state) transitions[256];
} YR_AC_TABLE_BASED_STATE;
typedef struct _YR_AC_LIST_BASED_STATE
{
int8_t depth;
DECLARE_REFERENCE(YR_AC_STATE*, failure);
DECLARE_REFERENCE(YR_AC_MATCH*, matches);
DECLARE_REFERENCE(YR_AC_STATE_TRANSITION*, transitions);
} YR_AC_LIST_BASED_STATE;
typedef struct _YR_AC_AUTOMATON
{
DECLARE_REFERENCE(YR_AC_STATE*, root);
} YR_AC_AUTOMATON;
typedef struct _YARA_RULES_FILE_HEADER
{
uint32_t version;
DECLARE_REFERENCE(YR_RULE*, rules_list_head);
DECLARE_REFERENCE(YR_EXTERNAL_VARIABLE*, externals_list_head);
DECLARE_REFERENCE(uint8_t*, code_start);
DECLARE_REFERENCE(YR_AC_AUTOMATON*, automaton);
} YARA_RULES_FILE_HEADER;
#pragma pack(pop)
typedef struct _YR_RULES {
tidx_mask_t tidx_mask;
uint8_t* code_start;
mutex_t mutex;
YR_ARENA* arena;
YR_RULE* rules_list_head;
YR_EXTERNAL_VARIABLE* externals_list_head;
YR_AC_AUTOMATON* automaton;
} YR_RULES;
typedef struct _YR_MEMORY_BLOCK
{
uint8_t* data;
size_t size;
size_t base;
struct _YR_MEMORY_BLOCK* next;
} YR_MEMORY_BLOCK;
typedef int (*YR_CALLBACK_FUNC)(
int message,
void* message_data,
void* user_data);
typedef struct _YR_SCAN_CONTEXT
{
uint64_t file_size;
uint64_t entry_point;
int flags;
void* user_data;
YR_MEMORY_BLOCK* mem_block;
YR_HASH_TABLE* objects_table;
YR_CALLBACK_FUNC callback;
} YR_SCAN_CONTEXT;
#define OBJECT_COMMON_FIELDS \
int8_t type; \
const char* identifier; \
void* data; \
struct _YR_OBJECT* parent;
typedef struct _YR_OBJECT
{
OBJECT_COMMON_FIELDS
} YR_OBJECT;
typedef struct _YR_OBJECT_INTEGER
{
OBJECT_COMMON_FIELDS
int64_t value;
} YR_OBJECT_INTEGER;
typedef struct _YR_OBJECT_DOUBLE
{
OBJECT_COMMON_FIELDS
double value;
} YR_OBJECT_DOUBLE;
typedef struct _YR_OBJECT_STRING
{
OBJECT_COMMON_FIELDS
SIZED_STRING* value;
} YR_OBJECT_STRING;
typedef struct _YR_OBJECT_REGEXP
{
OBJECT_COMMON_FIELDS
RE* value;
} YR_OBJECT_REGEXP;
typedef struct _YR_OBJECT_STRUCTURE
{
OBJECT_COMMON_FIELDS
struct _YR_STRUCTURE_MEMBER* members;
} YR_OBJECT_STRUCTURE;
typedef struct _YR_OBJECT_ARRAY
{
OBJECT_COMMON_FIELDS
YR_OBJECT* prototype_item;
struct _YR_ARRAY_ITEMS* items;
} YR_OBJECT_ARRAY;
typedef struct _YR_OBJECT_DICTIONARY
{
OBJECT_COMMON_FIELDS
YR_OBJECT* prototype_item;
struct _YR_DICTIONARY_ITEMS* items;
} YR_OBJECT_DICTIONARY;
struct _YR_OBJECT_FUNCTION;
typedef int (*YR_MODULE_FUNC)(
void* args,
YR_SCAN_CONTEXT* context,
struct _YR_OBJECT_FUNCTION* function_obj);
typedef struct _YR_OBJECT_FUNCTION
{
OBJECT_COMMON_FIELDS
YR_OBJECT* return_obj;
struct {
const char* arguments_fmt;
YR_MODULE_FUNC code;
} prototypes[MAX_OVERLOADED_FUNCTIONS];
} YR_OBJECT_FUNCTION;
typedef struct _YR_STRUCTURE_MEMBER
{
YR_OBJECT* object;
struct _YR_STRUCTURE_MEMBER* next;
} YR_STRUCTURE_MEMBER;
typedef struct _YR_ARRAY_ITEMS
{
int count;
YR_OBJECT* objects[1];
} YR_ARRAY_ITEMS;
typedef struct _YR_DICTIONARY_ITEMS
{
int used;
int free;
struct {
char* key;
YR_OBJECT* obj;
} objects[1];
} YR_DICTIONARY_ITEMS;
#endif


@ -0,0 +1,67 @@
/*
Copyright (c) 2014. The YARA Authors. All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#ifndef YR_UTILS_H
#define YR_UTILS_H
#ifndef TRUE
#define TRUE 1
#endif
#ifndef FALSE
#define FALSE 0
#endif
#ifndef NULL
#define NULL 0
#endif
#ifdef __cplusplus
#define YR_API extern "C" __declspec(dllimport)
#else
#define YR_API
#endif
#ifndef min
#define min(x, y) ((x < y) ? (x) : (y))
#endif
#ifndef max
#define max(x, y) ((x > y) ? (x) : (y))
#endif
#define PTR_TO_UINT64(x) ((uint64_t) (size_t) x)
#ifdef NDEBUG
#define assertf(expr, msg) ((void)0)
#else
#include <stdlib.h>
#define assertf(expr, msg, ...) \
if(!(expr)) { \
fprintf(stderr, "%s:%d: " msg "\n", __FILE__, __LINE__, ##__VA_ARGS__); \
abort(); \
}
#endif
#endif

BIN
x64_dbg_dbg/yara/yara_x64.a Normal file

Binary file not shown.

Binary file not shown.

BIN
x64_dbg_dbg/yara/yara_x86.a Normal file

Binary file not shown.

Binary file not shown.