[Forensics-changes] [yara] 09/415: Added support for ascii and wide modifiers for the same string
Hilko Bengen
bengen at moszumanska.debian.org
Thu Apr 3 05:42:37 UTC 2014
bengen pushed a commit to branch debian
in repository yara.
commit a478428ae22587c382a870fca01e2edad26df464
Author: Victor M. Alvarez <plusvic at gmail.com>
Date: Wed Jan 21 16:22:09 2009 +0000
Added support for ascii and wide modifiers for the same string
---
libyara/libyara.tmproj | 66 +++++++++---------
libyara/scan.c | 181 ++++++++++++++++++++++++++++++-------------------
2 files changed, 144 insertions(+), 103 deletions(-)
diff --git a/libyara/libyara.tmproj b/libyara/libyara.tmproj
index 8a90e69..66ba30d 100644
--- a/libyara/libyara.tmproj
+++ b/libyara/libyara.tmproj
@@ -13,7 +13,7 @@
<key>filename</key>
<string>scan.c</string>
<key>lastUsed</key>
- <date>2009-01-20T16:43:08Z</date>
+ <date>2009-01-21T13:44:38Z</date>
<key>selected</key>
<true/>
</dict>
@@ -39,7 +39,7 @@
<key>filename</key>
<string>error.c</string>
<key>lastUsed</key>
- <date>2008-12-24T13:10:36Z</date>
+ <date>2009-01-21T13:44:31Z</date>
</dict>
<dict>
<key>filename</key>
@@ -51,7 +51,7 @@
<key>filename</key>
<string>ast.c</string>
<key>lastUsed</key>
- <date>2009-01-20T16:42:52Z</date>
+ <date>2009-01-21T12:31:40Z</date>
</dict>
<dict>
<key>filename</key>
@@ -69,7 +69,7 @@
<key>filename</key>
<string>../yara.c</string>
<key>lastUsed</key>
- <date>2009-01-20T16:42:55Z</date>
+ <date>2009-01-21T13:44:38Z</date>
</dict>
</array>
<key>expanded</key>
@@ -84,7 +84,7 @@
<key>filename</key>
<string>yara.h</string>
<key>lastUsed</key>
- <date>2009-01-20T16:43:08Z</date>
+ <date>2009-01-21T13:41:00Z</date>
</dict>
<dict>
<key>filename</key>
@@ -132,7 +132,7 @@
<key>filename</key>
<string>ast.h</string>
<key>lastUsed</key>
- <date>2009-01-20T15:08:20Z</date>
+ <date>2009-01-21T13:41:05Z</date>
</dict>
<dict>
<key>filename</key>
@@ -165,7 +165,7 @@
<key>firstVisibleColumn</key>
<integer>0</integer>
<key>firstVisibleLine</key>
- <integer>430</integer>
+ <integer>357</integer>
<key>selectFrom</key>
<dict>
<key>column</key>
@@ -200,30 +200,14 @@
<key>caret</key>
<dict>
<key>column</key>
- <integer>23</integer>
+ <integer>2</integer>
<key>line</key>
- <integer>23</integer>
+ <integer>0</integer>
</dict>
- <key>columnSelection</key>
- <false/>
<key>firstVisibleColumn</key>
<integer>0</integer>
<key>firstVisibleLine</key>
- <integer>75</integer>
- <key>selectFrom</key>
- <dict>
- <key>column</key>
- <integer>8</integer>
- <key>line</key>
- <integer>23</integer>
- </dict>
- <key>selectTo</key>
- <dict>
- <key>column</key>
- <integer>23</integer>
- <key>line</key>
- <integer>23</integer>
- </dict>
+ <integer>0</integer>
</dict>
<key>compile.c</key>
<dict>
@@ -384,14 +368,14 @@
<key>caret</key>
<dict>
<key>column</key>
- <integer>20</integer>
+ <integer>21</integer>
<key>line</key>
- <integer>388</integer>
+ <integer>495</integer>
</dict>
<key>firstVisibleColumn</key>
<integer>0</integer>
<key>firstVisibleLine</key>
- <integer>102</integer>
+ <integer>554</integer>
</dict>
<key>sizedstr.h</key>
<dict>
@@ -412,14 +396,30 @@
<key>caret</key>
<dict>
<key>column</key>
- <integer>28</integer>
+ <integer>8</integer>
<key>line</key>
- <integer>155</integer>
+ <integer>41</integer>
</dict>
+ <key>columnSelection</key>
+ <false/>
<key>firstVisibleColumn</key>
<integer>0</integer>
<key>firstVisibleLine</key>
- <integer>135</integer>
+ <integer>22</integer>
+ <key>selectFrom</key>
+ <dict>
+ <key>column</key>
+ <integer>28</integer>
+ <key>line</key>
+ <integer>41</integer>
+ </dict>
+ <key>selectTo</key>
+ <dict>
+ <key>column</key>
+ <integer>8</integer>
+ <key>line</key>
+ <integer>41</integer>
+ </dict>
</dict>
</dict>
<key>openDocuments</key>
@@ -443,6 +443,6 @@
<key>showFileHierarchyDrawer</key>
<true/>
<key>windowFrame</key>
- <string>{{229, 24}, {1047, 754}}</string>
+ <string>{{230, 24}, {1047, 754}}</string>
</dict>
</plist>
diff --git a/libyara/scan.c b/libyara/scan.c
index 1ab5f44..fee4531 100644
--- a/libyara/scan.c
+++ b/libyara/scan.c
@@ -275,29 +275,87 @@ int init_hash_table(RULE_LIST* rule_list)
if (hashable && string->flags & STRING_FLAGS_NO_CASE)
{
+ /*
+ if string is case-insensitive add an entry in the hash table
+ for each posible combination
+ */
+
x = tolower(x);
y = tolower(y);
+
+ /* both lowercases */
+
+ entry = (STRING_LIST_ENTRY*) malloc(sizeof(STRING_LIST_ENTRY));
+
+ if (entry == NULL)
+ return ERROR_INSUFICIENT_MEMORY;
+
+ entry->next = rule_list->hash_table[x][y];
+ entry->string = string;
+ rule_list->hash_table[x][y] = entry;
+
+ /* X uppercase Y lowercase */
+
+ x = toupper(x);
+
+ entry = (STRING_LIST_ENTRY*) malloc(sizeof(STRING_LIST_ENTRY));
+
+ if (entry == NULL)
+ return ERROR_INSUFICIENT_MEMORY;
+
+ entry->next = rule_list->hash_table[x][y];
+ entry->string = string;
+ rule_list->hash_table[x][y] = entry;
+
+ /* both uppercases */
+
+ y = toupper(y);
+
+ entry = (STRING_LIST_ENTRY*) malloc(sizeof(STRING_LIST_ENTRY));
+
+ if (entry == NULL)
+ return ERROR_INSUFICIENT_MEMORY;
+
+ entry->next = rule_list->hash_table[x][y];
+ entry->string = string;
+ rule_list->hash_table[x][y] = entry;
+
+ /* X lowercase Y uppercase */
+
+ x = tolower(x);
+
+ entry = (STRING_LIST_ENTRY*) malloc(sizeof(STRING_LIST_ENTRY));
+
+ if (entry == NULL)
+ return ERROR_INSUFICIENT_MEMORY;
+
+ entry->next = rule_list->hash_table[x][y];
+ entry->string = string;
+ rule_list->hash_table[x][y] = entry;
+
}
-
- entry = (STRING_LIST_ENTRY*) malloc(sizeof(STRING_LIST_ENTRY));
-
- if (entry == NULL)
+ else if (hashable)
{
- return ERROR_INSUFICIENT_MEMORY;
- }
-
- entry->string = string;
-
- if (hashable)
- {
- entry->next = rule_list->hash_table[x][y]; /* insert new entry at begining of list */
- rule_list->hash_table[x][y] = entry;
+ entry = (STRING_LIST_ENTRY*) malloc(sizeof(STRING_LIST_ENTRY));
+
+ if (entry == NULL)
+ return ERROR_INSUFICIENT_MEMORY;
+
+ entry->next = rule_list->hash_table[x][y];
+ entry->string = string;
+ rule_list->hash_table[x][y] = entry;
}
- else
+ else /* non hashable */
{
- entry->next = rule_list->non_hashed_strings;
+ entry = (STRING_LIST_ENTRY*) malloc(sizeof(STRING_LIST_ENTRY));
+
+ if (entry == NULL)
+ return ERROR_INSUFICIENT_MEMORY;
+
+ entry->next = rule_list->non_hashed_strings;
+ entry->string = string;
rule_list->non_hashed_strings = entry;
- }
+ }
string = string->next;
}
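Review bot: For a first or second byte with no case distinction (digits, punctuation, bytes above 0x7f), `tolower()` and `toupper()` return the same value, so the four inserts in the new STRING_FLAGS_NO_CASE branch push two or four identical entries into the same `hash_table[x][y]` bucket, and find_matches_for_strings then runs string_match once per duplicate at every scan position. The same malloc-check-link sequence is also written out five times in this hunk. Both are addressed by a small static helper that performs one push, with the case-variant pushes skipped when the variant equals the lowercase form; init_hash_table's header, the declarations of `x`, `y` and `entry`, and the function's tail lie outside the hunk, so the helper's parameter types below assume `x` and `y` are bytes. The condition `hashable && string->flags & STRING_FLAGS_NO_CASE` also relies on `&` binding tighter than `&&`; parenthesising the flag test makes that explicit.
```c
/* Push one entry for `string` at the head of the [x][y] bucket. */
static int hash_table_push(RULE_LIST* rule_list, unsigned char x, unsigned char y, STRING* string)
{
    STRING_LIST_ENTRY* entry = (STRING_LIST_ENTRY*) malloc(sizeof(STRING_LIST_ENTRY));

    if (entry == NULL)
        return ERROR_INSUFICIENT_MEMORY;

    entry->next = rule_list->hash_table[x][y];
    entry->string = string;
    rule_list->hash_table[x][y] = entry;

    return ERROR_SUCCESS;
}

/* … unchanged: init_hash_table up to the per-string loop … */

        if (hashable && (string->flags & STRING_FLAGS_NO_CASE))
        {
            /* one bucket per case combination, skipping the variants that
               collapse onto the lowercase form (non-letter bytes) */
            unsigned char lx = tolower(x), ux = toupper(x);
            unsigned char ly = tolower(y), uy = toupper(y);
            int result = hash_table_push(rule_list, lx, ly, string);

            if (result == ERROR_SUCCESS && ux != lx)
                result = hash_table_push(rule_list, ux, ly, string);
            if (result == ERROR_SUCCESS && uy != ly)
                result = hash_table_push(rule_list, lx, uy, string);
            if (result == ERROR_SUCCESS && ux != lx && uy != ly)
                result = hash_table_push(rule_list, ux, uy, string);
            if (result != ERROR_SUCCESS)
                return result;
        }
        else if (hashable)
        {
            int result = hash_table_push(rule_list, x, y, string);

            if (result != ERROR_SUCCESS)
                return result;
        }
        /* … unchanged: non hashable branch … */
```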
@@ -378,7 +436,7 @@ void clear_marks(RULE_LIST* rule_list)
}
}
-int string_match(unsigned char* buffer, unsigned int buffer_size, STRING* string, int negative_size)
+int string_match(unsigned char* buffer, unsigned int buffer_size, STRING* string, int flags, int negative_size)
{
int match;
int i, len;
@@ -386,11 +444,11 @@ int string_match(unsigned char* buffer, unsigned int buffer_size, STRING* string
unsigned char* tmp;
- if (IS_HEX(string))
+ if ((flags & STRING_FLAGS_HEXADECIMAL) && IS_HEX(string))
{
return hex_match(buffer, buffer_size, string->string, string->length, string->mask);
}
- else if (IS_REGEXP(string))
+ else if ((flags & STRING_FLAGS_REGEXP) && IS_REGEXP(string))
{
if (IS_WIDE(string))
{
@@ -434,7 +492,8 @@ int string_match(unsigned char* buffer, unsigned int buffer_size, STRING* string
return regexp_match(buffer, buffer_size, string->string, string->length, string->re, negative_size);
}
}
- else if (IS_WIDE(string) && string->length * 2 <= buffer_size)
+
+ if ((flags & STRING_FLAGS_WIDE) && IS_WIDE(string) && string->length * 2 <= buffer_size)
{
if(IS_NO_CASE(string))
{
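Review bot: The wide branch at `if ((flags & STRING_FLAGS_WIDE) && IS_WIDE(string) && ...)` is now reachable for hex and regexp strings: it used to be an `else if` behind the IS_HEX/IS_REGEXP branches, but those are now gated on `flags`, and scan_mem's wide pass passes STRING_FLAGS_WIDE alone, so a regexp that carries the wide flag (the `IS_WIDE(string)` test inside the regexp branch suggests it can) skips its own branch and then takes the literal wide-comparison path against its pattern bytes. Unless the compiler never sets STRING_FLAGS_WIDE on hex or regexp strings, the guard should exclude them: `if ((flags & STRING_FLAGS_WIDE) && IS_WIDE(string) && !IS_HEX(string) && !IS_REGEXP(string) && string->length * 2 <= buffer_size)`. The ascii branch in the following hunk is less exposed because the ascii pass always carries the hex and regexp flags, so the earlier branches run first there. string_match's body continues outside the hunk.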
@@ -466,11 +525,13 @@ int string_match(unsigned char* buffer, unsigned int buffer_size, STRING* string
match = 0;
}
}
- }
+ }
- return match;
+ if (match > 0)
+ return match;
}
- else if (string->length <= buffer_size)
+
+ if ((flags & STRING_FLAGS_ASCII) && IS_ASCII(string) && string->length <= buffer_size)
{
if(IS_NO_CASE(string))
{
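Review bot: `match` can now be returned without ever being assigned: it is declared as `int match;` with no initializer (visible as context in the hunk that adds the `flags` parameter), the wide branch only returns early when `match > 0`, and both the wide and ascii branches are skipped when `flags` does not select them or the buffer is shorter than the string, so a wide string near the end of the buffer, scanned with STRING_FLAGS_WIDE, falls through to whatever follows the ascii branch. If the tail of string_match, outside the hunk, does not assign `match` before its final return, find_matches_for_strings treats the indeterminate value as a match length and records a false match. Initialising the declaration, `int match = 0;`, closes this on every path regardless of what the tail does.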
@@ -504,8 +565,7 @@ int find_matches_for_strings( STRING_LIST_ENTRY* first_string,
unsigned char* buffer,
unsigned int buffer_size,
unsigned int current_file_offset,
- int wide,
- int no_case,
+ int flags,
int negative_size)
{
int len;
@@ -519,11 +579,10 @@ int find_matches_for_strings( STRING_LIST_ENTRY* first_string,
{
string = entry->string;
- if ((!wide || IS_WIDE(string)) &&
- (!no_case || IS_NO_CASE(string)) &&
- (len = string_match(buffer, buffer_size, string, negative_size)))
+ if ( (string->flags & flags) && (len = string_match(buffer, buffer_size, string, flags, negative_size)))
{
- /* If this string already matched we must check that this match is not
+ /*
+ If this string already matched we must check that this match is not
overlapping a previous one. This can occur for example if we search
for the string 'aa' and the file contains 'aaaaaa'.
*/
@@ -541,6 +600,7 @@ int find_matches_for_strings( STRING_LIST_ENTRY* first_string,
overlap = TRUE;
break;
}
+
match = match->next;
}
}
@@ -576,23 +636,18 @@ inline int find_matches( unsigned char first_char,
unsigned char* buffer,
unsigned int buffer_size,
unsigned int current_file_offset,
- int wide,
+ int flags,
int negative_size,
RULE_LIST* rule_list)
{
- unsigned char first_char_lower;
- unsigned char second_char_lower;
int result;
-
- /* case sensitive */
-
+
result = find_matches_for_strings( rule_list->hash_table[first_char][second_char],
buffer,
buffer_size,
current_file_offset,
- wide,
- FALSE,
+ flags,
negative_size);
if (result == ERROR_SUCCESS)
@@ -601,38 +656,10 @@ inline int find_matches( unsigned char first_char,
buffer,
buffer_size,
current_file_offset,
- wide,
- FALSE,
+ flags,
negative_size);
- }
-
- /* case insensitive */
-
- first_char_lower = tolower(first_char);
- second_char_lower = tolower(second_char);
-
- if (result == ERROR_SUCCESS && (first_char_lower != first_char || second_char_lower != second_char))
- {
- result = find_matches_for_strings( rule_list->hash_table[first_char_lower][second_char_lower],
- buffer,
- buffer_size,
- current_file_offset,
- wide,
- TRUE,
- negative_size);
-
- if (result == ERROR_SUCCESS)
- {
- result = find_matches_for_strings( rule_list->non_hashed_strings,
- buffer,
- buffer_size,
- current_file_offset,
- wide,
- TRUE,
- negative_size);
- }
- }
-
+ }
+
return result;
}
@@ -660,7 +687,14 @@ int scan_mem(unsigned char* buffer, unsigned int buffer_size, RULE_LIST* rule_li
for (i = 0; i < buffer_size - 1; i++)
{
/* search for normal strings */
- error = find_matches(buffer[i], buffer[i + 1], buffer + i, buffer_size - i, i, FALSE, i, rule_list);
+ error = find_matches( buffer[i],
+ buffer[i + 1],
+ buffer + i,
+ buffer_size - i,
+ i,
+ STRING_FLAGS_HEXADECIMAL | STRING_FLAGS_ASCII | STRING_FLAGS_REGEXP,
+ i,
+ rule_list);
if (error != ERROR_SUCCESS)
return error;
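Review bot: Both loop bounds in scan_mem are evaluated in unsigned arithmetic and wrap on short input: `buffer_size` is `unsigned int`, so `i < buffer_size - 1` holds for every `i` when `buffer_size` is 0 and the rewritten find_matches call reads `buffer[i + 1]` past the end, and in the next hunk `i < buffer_size - 3` likewise holds for any `buffer_size` below 3 before `buffer[i + 3]` is read. Neither test is new, but the call sites are rewritten here and this is where the guard belongs, unless a caller outside the hunk already rejects buffers shorter than four bytes. Rewriting them as `for (i = 0; i + 1 < buffer_size; i++)` and `if (i + 3 < buffer_size && buffer[i + 1] == 0 && buffer[i + 3] == 0)` keeps the comparisons from wrapping; scan_mem's prologue lies outside the hunk.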
@@ -668,7 +702,14 @@ int scan_mem(unsigned char* buffer, unsigned int buffer_size, RULE_LIST* rule_li
/* search for wide strings */
if (i < buffer_size - 3 && buffer[i + 1] == 0 && buffer[i + 3] == 0)
{
- error = find_matches(buffer[i], buffer[i + 2], buffer + i, buffer_size - i, i, TRUE, i, rule_list);
+ error = find_matches( buffer[i],
+ buffer[i + 2],
+ buffer + i,
+ buffer_size - i,
+ i,
+ STRING_FLAGS_WIDE,
+ i,
+ rule_list);
if (error != ERROR_SUCCESS)
return error;
--