
DBG: updated to yara 3.6.0

This commit is contained in:
mrexodia 2017-05-23 19:09:59 +02:00
parent 4f67087e55
commit ad700f9001
No known key found for this signature in database
GPG Key ID: FC89E0AAA0C1AAD8
29 changed files with 924 additions and 182 deletions


@ -37,7 +37,7 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#define ARENA_FLAGS_FIXED_SIZE 1
#define ARENA_FLAGS_COALESCED 2
#define ARENA_FILE_VERSION 11
#define ARENA_FILE_VERSION ((13 << 16) | MAX_THREADS)
#define EOL ((size_t) -1)
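Review bot: `ARENA_FILE_VERSION ((13 << 16) | MAX_THREADS)` packs MAX_THREADS into the low 16 bits of the version, but nothing stops a build that overrides MAX_THREADS (it is `#ifndef`-guarded in limits.h in this same commit) from exceeding 0xFFFF and spilling into the version bits. A compile-time guard next to the define pins that: `#if MAX_THREADS > 0xFFFF` / `#error "MAX_THREADS must fit in the low 16 bits of ARENA_FILE_VERSION"` / `#endif`. The define also relies on limits.h being included before this header; the hunk does not show whether arena.h includes it itself.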


@ -80,7 +80,7 @@ typedef struct _YR_ATOM_LIST_ITEM
int yr_atoms_extract_from_re(
RE* re,
RE_AST* re_ast,
int flags,
YR_ATOM_LIST_ITEM** atoms);


@ -37,6 +37,7 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#include "arena.h"
#include "hash.h"
#include "utils.h"
#include "filemap.h"
#define YARA_ERROR_LEVEL_ERROR 0
@ -53,7 +54,7 @@ typedef void (*YR_COMPILER_CALLBACK_FUNC)(
typedef struct _YR_FIXUP
{
int64_t* address;
void* address;
struct _YR_FIXUP* next;
} YR_FIXUP;
@ -62,7 +63,7 @@ typedef struct _YR_FIXUP
typedef struct _YR_COMPILER
{
int errors;
int error_line;
int current_line;
int last_error;
int last_error_line;
int last_result;
@ -172,6 +173,13 @@ YR_API int yr_compiler_add_file(
const char* file_name);
YR_API int yr_compiler_add_fd(
YR_COMPILER* compiler,
YR_FILE_DESCRIPTOR rules_fd,
const char* namespace_,
const char* file_name);
YR_API int yr_compiler_add_string(
YR_COMPILER* compiler,
const char* rules_string,
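Review bot: `yr_compiler_add_fd` does not say who owns `rules_fd` after the call — whether the compiler closes it or the caller must — and since YR_FILE_DESCRIPTOR (not defined in this hunk) is presumably a platform-specific handle type, a leak or double close is easy to produce on the x64dbg side. Add a comment above the declaration stating the contract, e.g. `// rules_fd is only read; the caller keeps ownership and must close it.`, adjusted to what the implementation actually does. The `yr_compiler_add_string` declaration at the bottom continues past the end of this hunk.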

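--- /dev/null
+++ b/src/dbg/yara/yara/dotnet.h
@@ -0,0 +1,365 @@
+#ifndef YR_DOTNET_H
+#define YR_DOTNET_H
+//
+// CLI header.
+// ECMA-335 Section II.25.3.3
+//
+typedef struct _CLI_HEADER
+{
+DWORD Size; // Called "Cb" in documentation.
+WORD MajorRuntimeVersion;
+WORD MinorRuntimeVersion;
+IMAGE_DATA_DIRECTORY MetaData;
+DWORD Flags;
+DWORD EntryPointToken;
+IMAGE_DATA_DIRECTORY Resources;
+IMAGE_DATA_DIRECTORY StrongNameSignature;
+ULONGLONG CodeManagerTable;
+IMAGE_DATA_DIRECTORY VTableFixups;
+ULONGLONG ExportAddressTableJumps;
+ULONGLONG ManagedNativeHeader;
+} CLI_HEADER, *PCLI_HEADER;
+#define NET_METADATA_MAGIC 0x424a5342
+//
+// CLI MetaData
+// ECMA-335 Section II.24.2.1
+//
+// Note: This is only part of the struct, as the rest of it is variable length.
+//
+typedef struct _NET_METADATA
+{
+DWORD Magic;
+WORD MajorVersion;
+WORD MinorVersion;
+DWORD Reserved;
+DWORD Length;
+char Version[0];
+} NET_METADATA, *PNET_METADATA;
+#define DOTNET_STREAM_NAME_SIZE 32
+//
+// CLI Stream Header
+// ECMA-335 Section II.24.2.2
+//
+typedef struct _STREAM_HEADER
+{
+DWORD Offset;
+DWORD Size;
+char Name[0];
+} STREAM_HEADER, *PSTREAM_HEADER;
+//
+// CLI #~ Stream Header
+// ECMA-335 Section II.24.2.6
+//
+typedef struct _TILDE_HEADER
+{
+DWORD Reserved1;
+BYTE MajorVersion;
+BYTE MinorVersion;
+BYTE HeapSizes;
+BYTE Reserved2;
+ULONGLONG Valid;
+ULONGLONG Sorted;
+} TILDE_HEADER, *PTILDE_HEADER;
+// These are the bit positions in Valid which will be set if the table
+// exists.
+#define BIT_MODULE 0x00
+#define BIT_TYPEREF 0x01
+#define BIT_TYPEDEF 0x02
+#define BIT_FIELDPTR 0x03 // Not documented in ECMA-335
+#define BIT_FIELD 0x04
+#define BIT_METHODDEFPTR 0x05 // Not documented in ECMA-335
+#define BIT_METHODDEF 0x06
+#define BIT_PARAMPTR 0x07 // Not documented in ECMA-335
+#define BIT_PARAM 0x08
+#define BIT_INTERFACEIMPL 0x09
+#define BIT_MEMBERREF 0x0A
+#define BIT_CONSTANT 0x0B
+#define BIT_CUSTOMATTRIBUTE 0x0C
+#define BIT_FIELDMARSHAL 0x0D
+#define BIT_DECLSECURITY 0x0E
+#define BIT_CLASSLAYOUT 0x0F
+#define BIT_FIELDLAYOUT 0x10
+#define BIT_STANDALONESIG 0x11
+#define BIT_EVENTMAP 0x12
+#define BIT_EVENTPTR 0x13 // Not documented in ECMA-335
+#define BIT_EVENT 0x14
+#define BIT_PROPERTYMAP 0x15
+#define BIT_PROPERTYPTR 0x16 // Not documented in ECMA-335
+#define BIT_PROPERTY 0x17
+#define BIT_METHODSEMANTICS 0x18
+#define BIT_METHODIMPL 0x19
+#define BIT_MODULEREF 0x1A
+#define BIT_TYPESPEC 0x1B
+#define BIT_IMPLMAP 0x1C
+#define BIT_FIELDRVA 0x1D
+#define BIT_ENCLOG 0x1E // Not documented in ECMA-335
+#define BIT_ENCMAP 0x1F // Not documented in ECMA-335
+#define BIT_ASSEMBLY 0x20
+#define BIT_ASSEMBLYPROCESSOR 0x21
+#define BIT_ASSEMBLYOS 0x22
+#define BIT_ASSEMBLYREF 0x23
+#define BIT_ASSEMBLYREFPROCESSOR 0x24
+#define BIT_ASSEMBLYREFOS 0x25
+#define BIT_FILE 0x26
+#define BIT_EXPORTEDTYPE 0x27
+#define BIT_MANIFESTRESOURCE 0x28
+#define BIT_NESTEDCLASS 0x29
+#define BIT_GENERICPARAM 0x2A
+#define BIT_METHODSPEC 0x2B
+#define BIT_GENERICPARAMCONSTRAINT 0x2C
+// These are not documented in ECMA-335 nor is it clear what the format is.
+// They are for debugging information as far as I can tell.
+//#define BIT_DOCUMENT 0x30
+//#define BIT_METHODDEBUGINFORMATION 0x31
+//#define BIT_LOCALSCOPE 0x32
+//#define BIT_LOCALVARIABLE 0x33
+//#define BIT_LOCALCONSTANT 0x34
+//#define BIT_IMPORTSCOPE 0x35
+//#define BIT_STATEMACHINEMETHOD 0x36
+//
+// Element types. Note this is not a complete list as we aren't parsing all of
+// them. This only includes the ones we care about.
+// ECMA-335 Section II.23.1.16
+//
+#define ELEMENT_TYPE_STRING 0x0E
+// The string length of a typelib attribute is at most 0xFF.
+#define MAX_TYPELIB_SIZE 0xFF
+//
+// Module table
+// ECMA-335 Section II.22.30
+//
+typedef struct _MODULE_TABLE
+{
+WORD Generation;
+union
+{
+WORD Name_Short;
+DWORD Name_Long;
+} Name;
+union
+{
+WORD Mvid_Short;
+DWORD Mvid_Long;
+} Mvid;
+union
+{
+WORD EncId_Short;
+DWORD EncId_Long;
+} EncId;
+union
+{
+WORD EncBaseId_Short;
+DWORD EncBaseId_Long;
+} EncBaseId;
+} MODULE_TABLE, *PMODULE_TABLE;
+//
+// Assembly Table
+// ECMA-335 Section II.22.2
+//
+typedef struct _ASSEMBLY_TABLE
+{
+DWORD HashAlgId;
+WORD MajorVersion;
+WORD MinorVersion;
+WORD BuildNumber;
+WORD RevisionNumber;
+DWORD Flags;
+union
+{
+WORD PublicKey_Short;
+DWORD PublicKey_Long;
+} PublicKey;
+union
+{
+WORD Name_Short;
+DWORD Name_Long;
+} Name;
+} ASSEMBLY_TABLE, *PASSEMBLY_TABLE;
+//
+// Assembly Reference Table
+// ECMA-335 Section II.22.5
+//
+typedef struct _ASSEMBLYREF_TABLE
+{
+WORD MajorVersion;
+WORD MinorVersion;
+WORD BuildNumber;
+WORD RevisionNumber;
+DWORD Flags;
+union
+{
+WORD PublicKeyOrToken_Short;
+DWORD PublicKeyOrToken_Long;
+} PublicKeyOrToken;
+union
+{
+WORD Name_Short;
+DWORD Name_Long;
+} Name;
+} ASSEMBLYREF_TABLE, *PASSEMBLYREF_TABLE;
+//
+// Manifest Resource Table
+// ECMA-335 Section II.22.24
+//
+typedef struct _MANIFESTRESOURCE_TABLE
+{
+DWORD Offset;
+DWORD Flags;
+union
+{
+WORD Name_Short;
+DWORD Name_Long;
+} Name;
+union
+{
+WORD Implementation_Short;
+DWORD Implementation_Long;
+} Implementation;
+} MANIFESTRESOURCE_TABLE, *PMANIFESTRESOURCE_TABLE;
+//
+// ModuleRef Table
+// ECMA-335 Section II.22.31
+//
+// This is a short table, but necessary because the field size can change.
+//
+typedef struct _MODULEREF_TABLE
+{
+union
+{
+WORD Name_Short;
+DWORD Name_Long;
+} Name;
+} MODULEREF_TABLE, *PMODULEREF_TABLE;
+//
+// CustomAttribute Table
+// ECMA-335 Section II.22.10
+//
+typedef struct _CUSTOMATTRIBUTE_TABLE
+{
+union
+{
+WORD Parent_Short;
+DWORD Parent_Long;
+} Parent;
+union
+{
+WORD Type_Short;
+DWORD Type_Long;
+} Type;
+union
+{
+WORD Value_Short;
+DWORD Value_Long;
+} Value;
+} CUSTOMATTRIBUTE_TABLE, *PCUSTOMATTRIBUTE_TABLE;
+//
+// Constant TAble
+// ECMA-335 Section II.22.9
+//
+typedef struct _CONSTANT_TABLE
+{
+WORD Type;
+union
+{
+WORD Parent_Short;
+DWORD Parent_Long;
+} Parent;
+union
+{
+WORD Value_Short;
+DWORD Value_Long;
+} Value;
+} CONSTANT_TABLE, *PCONSTANT_TABLE;
+// Used to return offsets to the various headers.
+typedef struct _STREAMS
+{
+PSTREAM_HEADER guid;
+PSTREAM_HEADER tilde;
+PSTREAM_HEADER string;
+PSTREAM_HEADER blob;
+PSTREAM_HEADER us;
+} STREAMS, *PSTREAMS;
+// Used to return the value of parsing a #US or #Blob entry.
+// ECMA-335 Section II.24.2.4
+typedef struct _BLOB_PARSE_RESULT
+{
+uint8_t size; // Number of bytes parsed. This is the new offset.
+DWORD length; // Value of the bytes parsed. This is the blob length.
+} BLOB_PARSE_RESULT, *PBLOB_PARSE_RESULT;
+// Used to store the number of rows of each table.
+typedef struct _ROWS
+{
+uint32_t module;
+uint32_t moduleref;
+uint32_t assemblyref;
+uint32_t typeref;
+uint32_t methoddef;
+uint32_t memberref;
+uint32_t typedef_;
+uint32_t typespec;
+uint32_t field;
+uint32_t param;
+uint32_t property;
+uint32_t interfaceimpl;
+uint32_t event;
+uint32_t standalonesig;
+uint32_t assembly;
+uint32_t file;
+uint32_t exportedtype;
+uint32_t manifestresource;
+uint32_t genericparam;
+uint32_t genericparamconstraint;
+uint32_t methodspec;
+uint32_t assemblyrefprocessor;
+} ROWS, *PROWS;
+// Used to store the index sizes for the various tables.
+typedef struct _INDEX_SIZES
+{
+uint8_t string;
+uint8_t guid;
+uint8_t blob;
+uint8_t field;
+uint8_t methoddef;
+uint8_t memberref;
+uint8_t param;
+uint8_t event;
+uint8_t typedef_;
+uint8_t property;
+uint8_t moduleref;
+uint8_t assemblyrefprocessor;
+uint8_t assemblyref;
+uint8_t genericparam;
+} INDEX_SIZES, *PINDEX_SIZES;
+#endif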
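Review bot: dotnet.h includes nothing but uses DWORD, WORD, BYTE, ULONGLONG, IMAGE_DATA_DIRECTORY and uint8_t/uint32_t, so it only compiles when pe.h (which in this commit pulls in endian.h, types.h and through endian.h integers.h) has already been included by the translation unit; add `#include <yara/pe.h>` right after the include guard so the header stands on its own. The trailing `char Version[0]` and `char Name[0]` members are the zero-length-array extension (MSVC warns C4200, which re.h in this commit has to silence with a pragma); the C99 flexible array member `char Version[];` is the portable form. Since these structs are presumably overlaid directly on scanned file data, a one-line note at the top of the file that every field access must be preceded by a bounds check such as `fits_in_pe` from pe_utils.h would also help the next maintainer.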


@ -52,7 +52,7 @@ typedef uint64_t elf64_xword_t;
#define ELF_ET_NONE 0x0000 // no type
#define ELF_ET_REL 0x0001 // relocatable
#define ELF_ET_EXEC 0x0002 // executeable
#define ELF_ET_EXEC 0x0002 // executable
#define ELF_ET_DYN 0x0003 // Shared-Object-File
#define ELF_ET_CORE 0x0004 // Corefile
#define ELF_ET_LOPROC 0xFF00 // Processor-specific
@ -113,6 +113,51 @@ typedef uint64_t elf64_xword_t;
#define ELF_PT_GNU_EH_FRAME 0x6474e550
#define ELF_PT_GNU_STACK 0x6474e551
#define ELF_DT_NULL 0 // End of the dynamic entries
#define ELF_DT_NEEDED 1 // Name of needed library
#define ELF_DT_PLTRELSZ 2 // Size in bytes of PLT relocs
#define ELF_DT_PLTGOT 3 // Processor defined value */
#define ELF_DT_HASH 4 // Address of symbol hash table
#define ELF_DT_STRTAB 5 // Address of string table
#define ELF_DT_SYMTAB 6 // Address of symbol table
#define ELF_DT_RELA 7 // Address of Rela relocs
#define ELF_DT_RELASZ 8 // Total size of Rela relocs
#define ELF_DT_RELAENT 9 // Size of one Rela reloc
#define ELF_DT_STRSZ 10 // Size of string table
#define ELF_DT_SYMENT 11 // Size of one symbol table entry
#define ELF_DT_INIT 12 // Address of init function
#define ELF_DT_FINI 13 // Address of termination function
#define ELF_DT_SONAME 14 // Name of shared object
#define ELF_DT_RPATH 15 // Library search path (deprecated)
#define ELF_DT_SYMBOLIC 16 // Start symbol search here
#define ELF_DT_REL 17 // Address of Rel relocs
#define ELF_DT_RELSZ 18 // Total size of Rel relocs
#define ELF_DT_RELENT 19 // Size of one Rel reloc
#define ELF_DT_PLTREL 20 // Type of reloc in PLT
#define ELF_DT_DEBUG 21 // For debugging; unspecified
#define ELF_DT_TEXTREL 22 // Reloc might modify .text
#define ELF_DT_JMPREL 23 // Address of PLT relocs
#define ELF_DT_BIND_NOW 24 // Process relocations of object
#define ELF_DT_INIT_ARRAY 25 // Array with addresses of init fct
#define ELF_DT_FINI_ARRAY 26 // Array with addresses of fini fct
#define ELF_DT_INIT_ARRAYSZ 27 // Size in bytes of DT_INIT_ARRAY
#define ELF_DT_FINI_ARRAYSZ 28 // Size in bytes of DT_FINI_ARRAY
#define ELF_DT_RUNPATH 29 // Library search path
#define ELF_DT_FLAGS 30 // Flags for the object being loaded
#define ELF_DT_ENCODING 32 // Start of encoded range
#define ELF_STT_NOTYPE 0 // Symbol type is unspecified
#define ELF_STT_OBJECT 1 // Symbol is a data object
#define ELF_STT_FUNC 2 // Symbol is a code object
#define ELF_STT_SECTION 3 // Symbol associated with a section
#define ELF_STT_FILE 4 // Symbol's name is file name
#define ELF_STT_COMMON 5 // Symbol is a common data object
#define ELF_STT_TLS 6 // Symbol is thread-local data object
#define ELF_STB_LOCAL 0 // Local symbol
#define ELF_STB_GLOBAL 1 // Global symbol
#define ELF_STB_WEAK 2 // Weak symbol
#define ELF_PF_X 0x1 // Segment is executable
#define ELF_PF_W 0x2 // Segment is writable
#define ELF_PF_R 0x4 // Segment is readable
@ -233,6 +278,46 @@ typedef struct
} elf64_section_header_t;
typedef struct
{
elf32_word_t tag;
elf32_word_t val;
} elf32_dyn_t;
typedef struct
{
elf64_xword_t tag;
elf64_xword_t val;
} elf64_dyn_t;
typedef struct
{
elf32_word_t name;
elf32_addr_t value;
elf32_word_t size;
unsigned char info;
unsigned char other;
elf32_half_t shndx;
} elf32_sym_t;
typedef struct
{
elf32_word_t name;
unsigned char info;
unsigned char other;
elf32_half_t shndx;
elf64_addr_t value;
elf64_xword_t size;
} elf64_sym_t;
#pragma pack(pop)
#endif
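Review bot: the new `ELF_DT_PLTGOT` comment ends with a stray ` */` carried over from the C-style source it was copied from (`// Processor defined value */`); drop it. `elf32_dyn_t.tag` and `elf64_dyn_t.tag` are declared as the unsigned `elf32_word_t`/`elf64_xword_t`, whereas the ELF specification defines `d_tag` as signed (`Elf32_Sword`/`Elf64_Sxword`), so any loop that compares the tag against negative or processor-specific values would need a cast; a signed typedef is preferable if the file has one (only `elf64_xword_t` is visible in this hunk). The `#pragma pack(push)` paired with the closing `#pragma pack(pop)` is outside the hunk.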

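--- /dev/null
+++ b/src/dbg/yara/yara/endian.h
@@ -0,0 +1,100 @@
+/*
+Copyright (c) 2016. The YARA Authors. All Rights Reserved.
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+1. Redistributions of source code must retain the above copyright notice, this
+list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright notice,
+this list of conditions and the following disclaimer in the documentation and/or
+other materials provided with the distribution.
+3. Neither the name of the copyright holder nor the names of its contributors
+may be used to endorse or promote products derived from this software without
+specific prior written permission.
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
+ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+#ifndef YR_ENDIAN_H
+#define YR_ENDIAN_H
+#include <yara/integers.h>
+#if defined(__has_builtin)
+# if __has_builtin(__builtin_bswap16)
+# define yr_bswap16(x) __builtin_bswap16(x)
+# endif
+#endif
+#if !defined(yr_bswap16) && defined(_MSC_VER)
+# define yr_bswap16(x) _byteswap_ushort(x)
+#endif
+#if !defined(yr_bswap16)
+uint16_t _yr_bswap16(uint16_t x);
+# define yr_bswap16(x) _yr_bswap16(x)
+#endif
+#if defined(__has_builtin)
+# if __has_builtin(__builtin_bswap32)
+# define yr_bswap32(x) __builtin_bswap32(x)
+# endif
+#endif
+#if !defined(yr_bswap32) && defined(_MSC_VER)
+# define yr_bswap32(x) _byteswap_ulong(x)
+#endif
+#if !defined(yr_bswap32)
+uint32_t _yr_bswap32(uint32_t x);
+#define yr_bswap32(x) _yr_bswap32(x)
+#endif
+#if defined(__has_builtin)
+# if __has_builtin(__builtin_bswap64)
+# define yr_bswap64(x) __builtin_bswap64(x)
+# endif
+#endif
+#if !defined(yr_bswap64) && defined(_MSC_VER)
+# define yr_bswap64(x) _byteswap_uint64(x)
+#endif
+#if !defined(yr_bswap64)
+uint64_t _yr_bswap64(uint64_t x);
+#define yr_bswap64(x) _yr_bswap64(x)
+#endif
+#if defined(WORDS_BIGENDIAN)
+#define yr_le16toh(x) yr_bswap16(x)
+#define yr_le32toh(x) yr_bswap32(x)
+#define yr_le64toh(x) yr_bswap64(x)
+#define yr_be16toh(x) (x)
+#define yr_be32toh(x) (x)
+#define yr_be64toh(x) (x)
+#else
+#define yr_le16toh(x) (x)
+#define yr_le32toh(x) (x)
+#define yr_le64toh(x) (x)
+#define yr_be16toh(x) yr_bswap16(x)
+#define yr_be32toh(x) yr_bswap32(x)
+#define yr_be64toh(x) yr_bswap64(x)
+#endif
+#endif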
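Review bot: the `WORDS_BIGENDIAN` test at the bottom of the file is autoconf's macro, but endian.h only includes integers.h, so a translation unit that includes endian.h (directly or via pe.h) without config.h first silently takes the little-endian branch. Add `#include "config.h"` beside the integers.h include (utils.h and mem.h in this commit both include it that way) or state in a comment that config.h must precede this header. The `_yr_bswap16/32/64` fallbacks are only declared here; on toolchains without `__has_builtin` (GCC before 10) and without `_MSC_VER` they must be defined in a compiled .c file, which this page does not show, so it is worth confirming the x64dbg project builds that file.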


@ -40,7 +40,11 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#define ERROR_SUCCESS 0
#endif
// ERROR_INSUFICIENT_MEMORY is misspelled but it's kept for backward
// compatibility, as some other programs can be using it in this form.
#define ERROR_INSUFICIENT_MEMORY 1
#define ERROR_INSUFFICIENT_MEMORY 1
#define ERROR_COULD_NOT_ATTACH_TO_PROCESS 2
#define ERROR_COULD_NOT_OPEN_FILE 3
#define ERROR_COULD_NOT_MAP_FILE 4
@ -87,6 +91,8 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#define ERROR_TOO_MANY_RE_FIBERS 46
#define ERROR_COULD_NOT_READ_PROCESS_MEMORY 47
#define ERROR_INVALID_EXTERNAL_VARIABLE_TYPE 48
#define ERROR_REGULAR_EXPRESSION_TOO_COMPLEX 49
#define ERROR_INVALID_MODULE_NAME 50
#define FAIL_ON_ERROR(x) { \


@ -41,6 +41,7 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#define OP_ERROR 0
#define OP_HALT 255
#define OP_NOP 254
#define OP_AND 1
#define OP_OR 2


@ -30,7 +30,12 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#ifndef YR_GLOBALS_H
#define YR_GLOBALS_H
extern char lowercase[256];
extern char altercase[256];
#include "threading.h"
extern char yr_lowercase[256];
extern char yr_altercase[256];
extern YR_THREAD_STORAGE_KEY yr_tidx_key;
extern YR_THREAD_STORAGE_KEY yr_recovery_state_key;
#endif


@ -59,7 +59,7 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
typedef void* yyscan_t;
#endif
#define YY_EXTRA_TYPE RE*
#define YY_EXTRA_TYPE RE_AST*
#define YY_USE_CONST
@ -106,6 +106,5 @@ void yyfatal(
int yr_parse_hex_string(
const char* hex_string,
int flags,
RE** re,
RE_AST** re_ast,
RE_ERROR* error);


@ -39,7 +39,7 @@ extern "C" {
#endif
/* Microsoft Visual Studio C++ before Visual Studio 2010 or earlier versions of the Borland C++ Builder
* do not support the (u)int#_t type definitions but have __int# defintions instead
* do not support the (u)int#_t type definitions but have __int# definitions instead
*/
typedef __int8 int8_t;
typedef unsigned __int8 uint8_t;


@ -144,3 +144,7 @@ int yr_lex_parse_rules_string(
int yr_lex_parse_rules_file(
FILE* rules_file,
YR_COMPILER* compiler);
int yr_lex_parse_rules_fd(
YR_FILE_DESCRIPTOR rules_fd,
YR_COMPILER* compiler);


@ -33,12 +33,16 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#include "utils.h"
#define YR_MAJOR_VERSION 3
#define YR_MINOR_VERSION 5
#define YR_MINOR_VERSION 6
#define YR_MICRO_VERSION 0
// Version as a string
#define YR_VERSION "3.5.0"
#define version_str(s) _version_str(s)
#define _version_str(s) #s
// Version as a string
#define YR_VERSION version_str(YR_MAJOR_VERSION) \
"." version_str(YR_MINOR_VERSION) \
"." version_str(YR_MICRO_VERSION)
// Version as a single 4-byte hex number, e.g. 0x030401 == 3.4.1.
#define YR_VERSION_HEX ((YR_MAJOR_VERSION << 16) | \


@ -34,12 +34,14 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#include <windows.h>
#endif
#include "utils.h"
// MAX_THREADS is the number of threads that can use a YR_RULES
// object simultaneosly. This value is limited by the number of
// bits in tidx_mask.
// object simultaneously.
#ifndef MAX_THREADS
#define MAX_THREADS 32
#endif
#ifndef MAX_PATH
@ -53,7 +55,7 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#define MAX_INCLUDE_DEPTH 16
#define MAX_STRING_MATCHES 1000000
#define MAX_FUNCTION_ARGS 128
#define MAX_FAST_HEX_RE_STACK 300
#define MAX_FAST_RE_STACK 300
#define MAX_OVERLOADED_FUNCTIONS 10
#define MAX_HEX_STRING_TOKENS 10000
#define MAX_MATCH_DATA 4096
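Review bot: making MAX_THREADS `#ifndef`-overridable while deleting the sentence about what bounds it leaves the new comment incomplete: with this commit the value is baked into ARENA_FILE_VERSION (arena.h), so a build that overrides it presumably produces compiled-rules files that other builds refuse to load, and the value must stay within 16 bits. Extend the comment, e.g. `// Overridable at build time, but the value is part of the compiled-rules file version and must be <= 0xFFFF.`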


@ -32,8 +32,6 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#include <stdio.h>
#include "config.h"
#ifdef DMALLOC
#define yr_malloc malloc


@ -37,6 +37,7 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#include "utils.h"
#include "limits.h"
#include "error.h"
#include "exec.h"
#include "types.h"
#include "object.h"
@ -44,15 +45,15 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
// Concatenation that macro-expands its arguments.
#define CONCAT(arg1, arg2) YARA_CONCAT(arg1, arg2) // expands the arguments.
#define YARA_CONCAT(arg1, arg2) arg1 ## arg2 // do the actual concatenation.
#define YR_CONCAT(arg1, arg2) _YR_CONCAT(arg1, arg2) // expands the arguments.
#define _YR_CONCAT(arg1, arg2) arg1 ## arg2 // do the actual concatenation.
#define module_declarations CONCAT(MODULE_NAME, __declarations)
#define module_load CONCAT(MODULE_NAME, __load)
#define module_unload CONCAT(MODULE_NAME, __unload)
#define module_initialize CONCAT(MODULE_NAME, __initialize)
#define module_finalize CONCAT(MODULE_NAME, __finalize)
#define module_declarations YR_CONCAT(MODULE_NAME, __declarations)
#define module_load YR_CONCAT(MODULE_NAME, __load)
#define module_unload YR_CONCAT(MODULE_NAME, __unload)
#define module_initialize YR_CONCAT(MODULE_NAME, __initialize)
#define module_finalize YR_CONCAT(MODULE_NAME, __finalize)
#define begin_declarations \
int module_declarations(YR_OBJECT* module) { \
@ -265,25 +266,25 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#define define_function(func) \
int func ( \
void* __args, \
YR_VALUE* __args, \
YR_SCAN_CONTEXT* __context, \
YR_OBJECT_FUNCTION* __function_obj)
#define sized_string_argument(n) \
((SIZED_STRING*)(size_t)((int64_t*) __args)[n-1])
(__args[n-1].ss)
#define string_argument(n) \
(sized_string_argument(n)->c_string)
#define integer_argument(n) \
(((int64_t*) __args)[n-1])
(__args[n-1].i)
#define float_argument(n) \
(((double*) __args)[n-1])
(__args[n-1].d)
#define regexp_argument(n) \
((RE_CODE)((int64_t*) __args)[n-1])
((RE*)(__args[n-1].re))
#define module() yr_object_get_root((YR_OBJECT*) __function_obj)
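Review bot: `_YR_CONCAT` begins with an underscore followed by an uppercase letter, a name C reserves for the implementation in every context (C11 7.1.3), so the rename trades one namespace problem for another; `YR_CONCAT_IMPL` avoids it: `#define YR_CONCAT(arg1, arg2) YR_CONCAT_IMPL(arg1, arg2)` / `#define YR_CONCAT_IMPL(arg1, arg2) arg1 ## arg2`. The new accessors `__args[n-1].ss`, `.i`, `.d` and `.re` still index the argument array without any relation to the function's declared arity, as the old casts did; a one-line comment on `define_function` saying that `n` must not exceed the number of declared arguments would spare module authors a silent out-of-bounds read.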


@ -33,7 +33,9 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#ifdef _MSC_VER
#include <float.h>
#ifndef isnan
#define isnan _isnan
#endif
#ifndef INFINITY
#define INFINITY (DBL_MAX + DBL_MAX)
@ -55,9 +57,8 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#define OBJECT_TYPE_STRUCTURE 3
#define OBJECT_TYPE_ARRAY 4
#define OBJECT_TYPE_FUNCTION 5
#define OBJECT_TYPE_REGEXP 6
#define OBJECT_TYPE_DICTIONARY 7
#define OBJECT_TYPE_FLOAT 8
#define OBJECT_TYPE_DICTIONARY 6
#define OBJECT_TYPE_FLOAT 7
int yr_object_create(
@ -85,6 +86,11 @@ void yr_object_destroy(
YR_OBJECT* object);
int yr_object_copy(
YR_OBJECT* object,
YR_OBJECT** object_copy);
YR_OBJECT* yr_object_lookup_field(
YR_OBJECT* object,
const char* field_name);
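Review bot: `yr_object_copy` is declared without saying whether the copy is deep (nested structure, array and dictionary members included) or who owns `*object_copy` and how it is released; a comment such as `// Allocates a new object the caller must free with yr_object_destroy(); nested members are copied too` — adjusted to what the implementation does, which is not in this hunk — would settle that. Separately, dropping OBJECT_TYPE_REGEXP renumbers OBJECT_TYPE_DICTIONARY and OBJECT_TYPE_FLOAT, so any module object code built against the 3.5 header must be rebuilt; that is worth a line in the commit message if x64dbg ships out-of-tree yara modules.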


@ -59,9 +59,9 @@ int yr_parser_emit_with_arg_double(
int yr_parser_emit_with_arg_reloc(
yyscan_t yyscanner,
uint8_t instruction,
int64_t argument,
void* argument,
uint8_t** instruction_address,
int64_t** argument_address);
void** argument_address);
int yr_parser_check_types(
@ -121,7 +121,7 @@ int yr_parser_emit_pushes_for_strings(
int yr_parser_reduce_external(
yyscan_t yyscanner,
const char* identifier,
uint8_t intruction);
uint8_t instruction);
int yr_parser_reduce_import(


@ -27,6 +27,12 @@ ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef YR_PE_H
#define YR_PE_H
#include "endian.h"
#include "types.h"
#pragma pack(push, 1)
#if defined(_WIN32) || defined(__CYGWIN__)
@ -125,10 +131,10 @@ typedef struct _IMAGE_FILE_HEADER
#define IMAGE_FILE_RELOCS_STRIPPED 0x0001 // Relocation info stripped from file.
#define IMAGE_FILE_EXECUTABLE_IMAGE 0x0002 // File is executable (i.e. no unresolved externel references).
#define IMAGE_FILE_LINE_NUMS_STRIPPED 0x0004 // Line nunbers stripped from file.
#define IMAGE_FILE_EXECUTABLE_IMAGE 0x0002 // File is executable (i.e. no unresolved external references).
#define IMAGE_FILE_LINE_NUMS_STRIPPED 0x0004 // Line numbers stripped from file.
#define IMAGE_FILE_LOCAL_SYMS_STRIPPED 0x0008 // Local symbols stripped from file.
#define IMAGE_FILE_AGGRESIVE_WS_TRIM 0x0010 // Agressively trim working set
#define IMAGE_FILE_AGGRESIVE_WS_TRIM 0x0010 // Aggressively trim working set
#define IMAGE_FILE_LARGE_ADDRESS_AWARE 0x0020 // App can handle >2gb addresses
#define IMAGE_FILE_BYTES_REVERSED_LO 0x0080 // Bytes of machine word are reversed.
#define IMAGE_FILE_32BIT_MACHINE 0x0100 // 32 bit word machine.
@ -308,25 +314,42 @@ typedef struct _IMAGE_NT_HEADERS64
} IMAGE_NT_HEADERS64, *PIMAGE_NT_HEADERS64;
// IMAGE_FIRST_SECTION doesn't need 32/64 versions since the file header is
// the same either way.
#define IMAGE_FIRST_SECTION( ntheader ) ((PIMAGE_SECTION_HEADER) \
((BYTE*)ntheader + \
FIELD_OFFSET( IMAGE_NT_HEADERS32, OptionalHeader ) + \
((PIMAGE_NT_HEADERS32)(ntheader))->FileHeader.SizeOfOptionalHeader \
yr_le16toh(((PIMAGE_NT_HEADERS32)(ntheader))->FileHeader.SizeOfOptionalHeader) \
))
// Subsystem Values
#define IMAGE_SUBSYSTEM_UNKNOWN 0 // Unknown subsystem.
#define IMAGE_SUBSYSTEM_NATIVE 1 // Image doesn't require a subsystem.
#define IMAGE_SUBSYSTEM_WINDOWS_GUI 2 // Image runs in the Windows GUI subsystem.
#define IMAGE_SUBSYSTEM_WINDOWS_CUI 3 // Image runs in the Windows character subsystem.
#define IMAGE_SUBSYSTEM_OS2_CUI 5 // image runs in the OS/2 character subsystem.
#define IMAGE_SUBSYSTEM_POSIX_CUI 7 // image runs in the Posix character subsystem.
#define IMAGE_SUBSYSTEM_NATIVE_WINDOWS 8 // image is a native Win9x driver.
#define IMAGE_SUBSYSTEM_UNKNOWN 0
#define IMAGE_SUBSYSTEM_NATIVE 1
#define IMAGE_SUBSYSTEM_WINDOWS_GUI 2
#define IMAGE_SUBSYSTEM_WINDOWS_CUI 3
#define IMAGE_SUBSYSTEM_OS2_CUI 5
#define IMAGE_SUBSYSTEM_POSIX_CUI 7
#define IMAGE_SUBSYSTEM_NATIVE_WINDOWS 8
#define IMAGE_SUBSYSTEM_WINDOWS_CE_GUI 9
#define IMAGE_SUBSYSTEM_EFI_APPLICATION 10
#define IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER 11
#define IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER 12
#define IMAGE_SUBSYSTEM_EFI_ROM_IMAGE 13
#define IMAGE_SUBSYSTEM_XBOX 14
#define IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION 16
// DllCharacteristics values
#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE 0x0040
#define IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY 0x0080
#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT 0x0100
#define IMAGE_DLLCHARACTERISTICS_NO_ISOLATION 0x0200
#define IMAGE_DLLCHARACTERISTICS_NO_SEH 0x0400
#define IMAGE_DLLCHARACTERISTICS_NO_BIND 0x0800
#define IMAGE_DLLCHARACTERISTICS_WDM_DRIVER 0x2000
#define IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE 0x8000
//
// Section header format.
@ -505,11 +528,6 @@ typedef struct _RICH_SIGNATURE
#define RICH_DANS 0x536e6144 // "DanS"
#define RICH_RICH 0x68636952 // "Rich"
typedef struct _RICH_DATA
{
size_t len;
BYTE* raw_data;
BYTE* clear_data;
} RICH_DATA, *PRICH_DATA;
#pragma pack(pop)
#endif
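Review bot: `IMAGE_FIRST_SECTION` now byte-swaps `SizeOfOptionalHeader`, but the pointer it yields is still computed from an unvalidated 16-bit field of the scanned file, so the section table it points at can lie beyond the mapped image; each call site has to validate the result with `struct_fits_in_pe(pe, section, IMAGE_SECTION_HEADER)` (pe_utils.h in this commit) before reading a header. A comment on the macro keeps that from being forgotten: `// Unchecked pointer arithmetic on file data: validate the result with struct_fits_in_pe() before use.` The macro also uses its argument unparenthesized in `(BYTE*)ntheader`; `(BYTE*)(ntheader)` is the safe spelling.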


@ -0,0 +1,114 @@
#ifndef YR_PE_UTILS_H
#define YR_PE_UTILS_H
#include <yara/pe.h>
#define MAX_PE_SECTIONS 96
#define IS_64BITS_PE(pe) \
(yr_le16toh(pe->header64->OptionalHeader.Magic) == IMAGE_NT_OPTIONAL_HDR64_MAGIC)
#define OptionalHeader(pe,field) \
(IS_64BITS_PE(pe) ? \
pe->header64->OptionalHeader.field : \
pe->header->OptionalHeader.field)
//
// Imports are stored in a linked list. Each node (IMPORTED_DLL) contains the
// name of the DLL and a pointer to another linked list of
// IMPORT_EXPORT_FUNCTION structures containing the details of imported
// functions.
//
typedef struct _IMPORTED_DLL
{
char* name;
struct _IMPORT_EXPORT_FUNCTION* functions;
struct _IMPORTED_DLL* next;
} IMPORTED_DLL, *PIMPORTED_DLL;
//
// This is used to track imported and exported functions. The "has_ordinal"
// field is only used in the case of imports as those are optional. Every export
// has an ordinal so we don't need the field there, but in the interest of
// keeping duplicate code to a minimum we use this function for both imports and
// exports.
//
typedef struct _IMPORT_EXPORT_FUNCTION
{
char* name;
uint8_t has_ordinal;
uint16_t ordinal;
struct _IMPORT_EXPORT_FUNCTION* next;
} IMPORT_EXPORT_FUNCTION, *PIMPORT_EXPORT_FUNCTION;
typedef struct _PE
{
uint8_t* data;
size_t data_size;
union
{
PIMAGE_NT_HEADERS32 header;
PIMAGE_NT_HEADERS64 header64;
};
YR_OBJECT* object;
IMPORTED_DLL* imported_dlls;
IMPORT_EXPORT_FUNCTION* exported_functions;
uint32_t resources;
} PE;
#define fits_in_pe(pe, pointer, size) \
((size_t) size <= pe->data_size && \
(uint8_t*) (pointer) >= pe->data && \
(uint8_t*) (pointer) <= pe->data + pe->data_size - size)
#define struct_fits_in_pe(pe, pointer, struct_type) \
fits_in_pe(pe, pointer, sizeof(struct_type))
PIMAGE_NT_HEADERS32 pe_get_header(
uint8_t* data,
size_t data_size);
PIMAGE_DATA_DIRECTORY pe_get_directory_entry(
PE* pe,
int entry);
PIMAGE_DATA_DIRECTORY pe_get_directory_entry(
PE* pe,
int entry);
int64_t pe_rva_to_offset(
PE* pe,
uint64_t rva);
char* ord_lookup(
char* dll,
uint16_t ord);
#if HAVE_LIBCRYPTO
#include <openssl/asn1.h>
time_t ASN1_get_time_t(ASN1_TIME* time);
#endif
#endif
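Review bot: `fits_in_pe` uses its `size` argument unparenthesized in `(size_t) size` and in `pe->data + pe->data_size - size`, so a call such as `fits_in_pe(pe, p, a + b)` expands the second use to `... - a + b` and accepts pointers that are `b` bytes past the end of the mapping; since this macro is the bounds check for everything the PE parser reads from the scanned file, it should read `((size_t)(size) <= pe->data_size && (uint8_t*)(pointer) >= pe->data && (uint8_t*)(pointer) <= pe->data + pe->data_size - (size_t)(size))`. `pe_get_directory_entry` is also declared twice in a row; drop one. `ord_lookup` takes `char* dll` although it presumably only reads the name; `const char*` lets callers pass literals and const data without a cast.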


@ -55,15 +55,14 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#define RE_NODE_ANCHOR_END 18
#define RE_NODE_WORD_BOUNDARY 19
#define RE_NODE_NON_WORD_BOUNDARY 20
#define RE_NODE_RANGE_ANY 21
#define RE_OPCODE_ANY 0xA0
#define RE_OPCODE_ANY_EXCEPT_NEW_LINE 0xA1
#define RE_OPCODE_LITERAL 0xA2
#define RE_OPCODE_LITERAL_NO_CASE 0xA3
#define RE_OPCODE_MASKED_LITERAL 0xA4
#define RE_OPCODE_CLASS 0xA5
#define RE_OPCODE_CLASS_NO_CASE 0xA6
#define RE_OPCODE_WORD_CHAR 0xA7
#define RE_OPCODE_NON_WORD_CHAR 0xA8
#define RE_OPCODE_SPACE 0xA9
@ -76,40 +75,35 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#define RE_OPCODE_MATCH_AT_START 0xB1
#define RE_OPCODE_WORD_BOUNDARY 0xB2
#define RE_OPCODE_NON_WORD_BOUNDARY 0xB3
#define RE_OPCODE_REPEAT_ANY_GREEDY 0xB4
#define RE_OPCODE_REPEAT_ANY_UNGREEDY 0xB5
#define RE_OPCODE_SPLIT_A 0xC0
#define RE_OPCODE_SPLIT_B 0xC1
#define RE_OPCODE_PUSH 0xC2
#define RE_OPCODE_POP 0xC3
#define RE_OPCODE_JNZ 0xC4
#define RE_OPCODE_JUMP 0xC5
#define RE_OPCODE_JUMP 0xC2
#define RE_OPCODE_REPEAT_START_GREEDY 0xC3
#define RE_OPCODE_REPEAT_END_GREEDY 0xC4
#define RE_OPCODE_REPEAT_START_UNGREEDY 0xC5
#define RE_OPCODE_REPEAT_END_UNGREEDY 0xC6
#define RE_FLAGS_FAST_HEX_REGEXP 0x02
#define RE_FLAGS_FAST_REGEXP 0x02
#define RE_FLAGS_BACKWARDS 0x04
#define RE_FLAGS_EXHAUSTIVE 0x08
#define RE_FLAGS_WIDE 0x10
#define RE_FLAGS_NO_CASE 0x20
#define RE_FLAGS_SCAN 0x40
#define RE_FLAGS_DOT_ALL 0x80
#define RE_FLAGS_NOT_AT_START 0x100
#define RE_FLAGS_GREEDY 0x400
#define RE_FLAGS_UNGREEDY 0x800
typedef struct RE RE;
typedef struct RE_AST RE_AST;
typedef struct RE_NODE RE_NODE;
typedef struct RE_ERROR RE_ERROR;
typedef uint8_t RE_SPLIT_ID_TYPE;
typedef uint8_t* RE_CODE;
#define CHAR_IN_CLASS(chr, cls) \
((cls)[(chr) / 8] & 1 << ((chr) % 8))
#define IS_WORD_CHAR(chr) \
(isalnum(chr) || (chr) == '_')
struct RE_NODE
@ -136,26 +130,39 @@ struct RE_NODE
RE_NODE* left;
RE_NODE* right;
RE_CODE forward_code;
RE_CODE backward_code;
uint8_t* forward_code;
uint8_t* backward_code;
};
struct RE_AST
{
uint32_t flags;
RE_NODE* root_node;
};
// Disable warning due to zero length array in Microsoft's compiler
#ifdef _MSC_VER
#pragma warning(push)
#pragma warning(disable:4200)
#endif
struct RE
{
uint32_t flags;
RE_NODE* root_node;
YR_ARENA* code_arena;
RE_CODE code;
uint8_t code[0];
};
#ifdef _MSC_VER
#pragma warning(pop)
#endif
struct RE_ERROR
{
char message[512];
};
@ -166,38 +173,35 @@ typedef int RE_MATCH_CALLBACK_FUNC(
void* args);
int yr_re_create(
RE** re);
int yr_re_ast_create(
RE_AST** re_ast);
void yr_re_ast_destroy(
RE_AST* re_ast);
void yr_re_ast_print(
RE_AST* re_ast);
SIZED_STRING* yr_re_ast_extract_literal(
RE_AST* re_ast);
int yr_re_parse(
const char* re_string,
int flags,
RE** re,
RE_ERROR* error);
int yr_re_ast_contains_dot_star(
RE_AST* re_ast);
int yr_re_parse_hex(
const char* hex_string,
int flags,
RE** re,
RE_ERROR* error);
int yr_re_ast_split_at_chaining_point(
RE_AST* re_ast,
RE_AST** result_re_ast,
RE_AST** remainder_re_ast,
int32_t* min_gap,
int32_t* max_gap);
int yr_re_compile(
const char* re_string,
int flags,
YR_ARENA* code_arena,
RE** re,
RE_ERROR* error);
void yr_re_destroy(
RE* re);
void yr_re_print(
RE* re);
int yr_re_ast_emit_code(
RE_AST* re_ast,
YR_ARENA* arena,
int backwards_code);
RE_NODE* yr_re_node_create(
@ -210,38 +214,50 @@ void yr_re_node_destroy(
RE_NODE* node);
SIZED_STRING* yr_re_extract_literal(
RE* re);
int yr_re_contains_dot_star(
RE* re);
int yr_re_split_at_chaining_point(
RE* re,
RE** result_re,
RE** remainder_re,
int32_t* min_gap,
int32_t* max_gap);
int yr_re_emit_code(
RE* re,
YR_ARENA* arena);
int yr_re_exec(
RE_CODE re_code,
uint8_t* re_code,
uint8_t* input,
size_t input_size,
size_t input_forwards_size,
size_t input_backwards_size,
int flags,
RE_MATCH_CALLBACK_FUNC callback,
void* callback_args);
void* callback_args,
int* matches);
int yr_re_fast_exec(
uint8_t* code,
uint8_t* input_data,
size_t input_forwards_size,
size_t input_backwards_size,
int flags,
RE_MATCH_CALLBACK_FUNC callback,
void* callback_args,
int* matches);
int yr_re_parse(
const char* re_string,
RE_AST** re_ast,
RE_ERROR* error);
int yr_re_parse_hex(
const char* hex_string,
RE_AST** re_ast,
RE_ERROR* error);
int yr_re_compile(
const char* re_string,
int flags,
YR_ARENA* code_arena,
RE** re,
RE_ERROR* error);
int yr_re_match(
RE_CODE re_code,
RE* re,
const char* target);


@ -58,7 +58,7 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
typedef void* yyscan_t;
#endif
#define YY_EXTRA_TYPE RE*
#define YY_EXTRA_TYPE RE_AST*
#define YY_USE_CONST
@ -105,6 +105,5 @@ void yyfatal(
int yr_parse_re_string(
const char* re_string,
int flags,
RE** re,
RE_AST** re_ast,
RE_ERROR* error);


@ -35,6 +35,7 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
// Bitmasks for flags.
#define SCAN_FLAGS_FAST_MODE 1
#define SCAN_FLAGS_PROCESS_MEMORY 2
#define SCAN_FLAGS_NO_TRYCATCH 4
int yr_scan_verify_match(
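Review bot: `SCAN_FLAGS_NO_TRYCATCH` is added without a comment, and unlike the two flags above it its effect is not obvious from the name alone; if it disables a fault guard around the scan, as the name suggests, it changes how a crash on malformed scanned input surfaces to the caller, which is something an embedder needs to know before setting it. A one-line comment stating what is skipped and when a caller would opt in would do, for example `// Disable the exception guard around the scan loop; a fault then reaches the caller instead of being reported as a scan error (confirm against the scanner implementation).` The wording should be adjusted to match what the scanner actually does.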


@ -63,4 +63,8 @@ int sized_string_cmp(
SIZED_STRING* s1,
SIZED_STRING* s2);
SIZED_STRING* sized_string_dup(
SIZED_STRING* s);
#endif
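Review bot: The new `sized_string_dup` declaration says nothing about ownership or failure; a `_dup` routine presumably allocates, so the header should state that the result belongs to the caller, how it is released, and what is returned when allocation fails. Suggested comment above the prototype: `// Returns a newly allocated copy of s, owned by the caller; NULL on allocation failure (confirm against the definition).` Without this, callers that treat the return as borrowed will leak, and callers that skip the NULL check will dereference a null pointer on out-of-memory.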


@ -35,8 +35,6 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#include "integers.h"
#include "config.h"
// Cygwin already has these functions.
#if defined(_WIN32) && !defined(__CYGWIN__)
#if defined(_MSC_VER) && _MSC_VER < 1900


@ -44,8 +44,6 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#include <time.h>
#endif
typedef int32_t tidx_mask_t;
#define DECLARE_REFERENCE(type, name) \
union { type name; int64_t name##_; } YR_ALIGN(8)
@ -61,7 +59,7 @@ typedef int32_t tidx_mask_t;
#define STRING_GFLAGS_ASCII 0x08
#define STRING_GFLAGS_WIDE 0x10
#define STRING_GFLAGS_REGEXP 0x20
#define STRING_GFLAGS_FAST_HEX_REGEXP 0x40
#define STRING_GFLAGS_FAST_REGEXP 0x40
#define STRING_GFLAGS_FULL_WORD 0x80
#define STRING_GFLAGS_ANONYMOUS 0x100
#define STRING_GFLAGS_SINGLE_MATCH 0x200
@ -72,6 +70,7 @@ typedef int32_t tidx_mask_t;
#define STRING_GFLAGS_CHAIN_TAIL 0x4000
#define STRING_GFLAGS_FIXED_OFFSET 0x8000
#define STRING_GFLAGS_GREEDY_REGEXP 0x10000
#define STRING_GFLAGS_DOT_ALL 0x20000
#define STRING_IS_HEX(x) \
(((x)->g_flags) & STRING_GFLAGS_HEXADECIMAL)
@ -79,6 +78,9 @@ typedef int32_t tidx_mask_t;
#define STRING_IS_NO_CASE(x) \
(((x)->g_flags) & STRING_GFLAGS_NO_CASE)
#define STRING_IS_DOT_ALL(x) \
(((x)->g_flags) & STRING_GFLAGS_DOT_ALL)
#define STRING_IS_ASCII(x) \
(((x)->g_flags) & STRING_GFLAGS_ASCII)
@ -109,8 +111,8 @@ typedef int32_t tidx_mask_t;
#define STRING_IS_LITERAL(x) \
(((x)->g_flags) & STRING_GFLAGS_LITERAL)
#define STRING_IS_FAST_HEX_REGEXP(x) \
(((x)->g_flags) & STRING_GFLAGS_FAST_HEX_REGEXP)
#define STRING_IS_FAST_REGEXP(x) \
(((x)->g_flags) & STRING_GFLAGS_FAST_REGEXP)
#define STRING_IS_CHAIN_PART(x) \
(((x)->g_flags) & STRING_GFLAGS_CHAIN_PART)
@ -292,8 +294,6 @@ typedef YR_AC_MATCH_TABLE_ENTRY* YR_AC_MATCH_TABLE;
typedef struct _YARA_RULES_FILE_HEADER
{
uint32_t version;
DECLARE_REFERENCE(YR_RULE*, rules_list_head);
DECLARE_REFERENCE(YR_EXTERNAL_VARIABLE*, externals_list_head);
DECLARE_REFERENCE(uint8_t*, code_start);
@ -371,7 +371,7 @@ typedef struct _YR_AC_AUTOMATON
typedef struct _YR_RULES
{
tidx_mask_t tidx_mask;
unsigned char tidx_mask[YR_BITARRAY_NCHARS(MAX_THREADS)];
uint8_t* code_start;
YR_MUTEX mutex;
@ -384,7 +384,6 @@ typedef struct _YR_RULES
} YR_RULES;
struct _YR_MEMORY_BLOCK;
struct _YR_MEMORY_BLOCK_ITERATOR;
@ -445,53 +444,37 @@ typedef struct _YR_SCAN_CONTEXT
} YR_SCAN_CONTEXT;
struct _YR_OBJECT;
typedef union _YR_VALUE
{
int64_t i;
double d;
void* p;
struct _YR_OBJECT* o;
YR_STRING* s;
SIZED_STRING* ss;
RE* re;
} YR_VALUE;
#define OBJECT_COMMON_FIELDS \
int8_t type; \
const char* identifier; \
void* data; \
struct _YR_OBJECT* parent;
struct _YR_OBJECT* parent; \
void* data;
typedef struct _YR_OBJECT
{
OBJECT_COMMON_FIELDS
YR_VALUE value;
} YR_OBJECT;
typedef struct _YR_OBJECT_INTEGER
{
OBJECT_COMMON_FIELDS
int64_t value;
} YR_OBJECT_INTEGER;
typedef struct _YR_OBJECT_DOUBLE
{
OBJECT_COMMON_FIELDS
double value;
} YR_OBJECT_DOUBLE;
typedef struct _YR_OBJECT_STRING
{
OBJECT_COMMON_FIELDS
SIZED_STRING* value;
} YR_OBJECT_STRING;
typedef struct _YR_OBJECT_REGEXP
{
OBJECT_COMMON_FIELDS
RE* value;
} YR_OBJECT_REGEXP;
typedef struct _YR_OBJECT_STRUCTURE
{
OBJECT_COMMON_FIELDS
@ -522,7 +505,7 @@ struct _YR_OBJECT_FUNCTION;
typedef int (*YR_MODULE_FUNC)(
void* args,
YR_VALUE* args,
YR_SCAN_CONTEXT* context,
struct _YR_OBJECT_FUNCTION* function_obj);
@ -530,18 +513,24 @@ typedef int (*YR_MODULE_FUNC)(
typedef struct _YR_OBJECT_FUNCTION
{
OBJECT_COMMON_FIELDS
YR_OBJECT* return_obj;
struct
{
const char* arguments_fmt;
YR_MODULE_FUNC code;
} prototypes[MAX_OVERLOADED_FUNCTIONS];
} YR_OBJECT_FUNCTION;
#define object_as_structure(obj) ((YR_OBJECT_STRUCTURE*) (obj))
#define object_as_array(obj) ((YR_OBJECT_ARRAY*) (obj))
#define object_as_dictionary(obj) ((YR_OBJECT_DICTIONARY*) (obj))
#define object_as_function(obj) ((YR_OBJECT_FUNCTION*) (obj))
typedef struct _YR_STRUCTURE_MEMBER
{
YR_OBJECT* object;
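Review bot: `YR_VALUE` is an untagged union and `YR_MODULE_FUNC` now receives its arguments as `YR_VALUE* args`, so nothing in this header states which member a module function may read for a given argument; reading a member other than the one that was written is type confusion, and module values are typically derived from scanned data. The contract should be stated next to the union, e.g. `// Untagged: the active member is fixed by the owning object's type, or for function arguments by the matching prototype's arguments_fmt.` The same section also replaces the `int32_t tidx_mask` in `YR_RULES` with a `YR_BITARRAY_NCHARS(MAX_THREADS)` byte array; a comment that any index passed to the `YR_BITARRAY_*` macros must be below `MAX_THREADS` would help, since the macros themselves do no range check. The typedefs in this section are only partly visible, so the declaring lines for some of these structs fall outside the hunks.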


@ -31,6 +31,8 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#ifndef YR_UTILS_H
#define YR_UTILS_H
#include <limits.h>
#ifndef TRUE
#define TRUE 1
#endif
@ -68,8 +70,7 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#define yr_min(x, y) ((x < y) ? (x) : (y))
#define yr_max(x, y) ((x > y) ? (x) : (y))
#define PTR_TO_INT64(x) ((int64_t) (size_t) x)
#define yr_swap(x, y, T) do { T temp = x; x = y; y = temp; } while (0)
#ifdef NDEBUG
@ -87,4 +88,22 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#endif
// Set, unset, and test bits in an array of unsigned characters by integer
// index. The underlying array must be of type char or unsigned char to
// ensure compatibility with the CHAR_BIT constant used in these definitions.
#define YR_BITARRAY_SET(uchar_array_base, bitnum) \
(((uchar_array_base)[(bitnum)/CHAR_BIT]) = \
((uchar_array_base)[(bitnum)/CHAR_BIT] | (1 << ((bitnum) % CHAR_BIT))))
#define YR_BITARRAY_UNSET(uchar_array_base, bitnum) \
(((uchar_array_base)[(bitnum)/CHAR_BIT]) = \
((uchar_array_base)[(bitnum)/CHAR_BIT] & (~(1 << ((bitnum) % CHAR_BIT)))))
#define YR_BITARRAY_TEST(uchar_array_base, bitnum) \
(((uchar_array_base)[(bitnum)/CHAR_BIT] & (1 << ((bitnum) % CHAR_BIT))) != 0)
#define YR_BITARRAY_NCHARS(bitnum) \
(((bitnum)+(CHAR_BIT-1))/CHAR_BIT)
#endif
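Review bot: The `YR_BITARRAY_SET`/`UNSET`/`TEST` macros evaluate `bitnum` two or three times (as the array index and as the shift amount), so an argument with side effects such as `YR_BITARRAY_SET(mask, i++)` touches the wrong bit; the comment above them should say the argument must be side-effect free, or the macros should become `static inline` functions. They also perform no range check: a `bitnum` at or beyond `CHAR_BIT * nchars` reads or writes past the array, so the caller contract belongs in the comment as well, e.g. `// bitnum is evaluated more than once and is not range-checked; it must be side-effect free and below CHAR_BIT * (bytes in uchar_array_base).`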

