[Forensics-changes] [yara] 59/415: Implemented fast matching mode

Hilko Bengen bengen at moszumanska.debian.org
Thu Apr 3 05:42:45 UTC 2014 

This is an automated email from the git hooks/post-receive script.

bengen pushed a commit to branch debian
in repository yara.

commit 8315ca10a95a60ab6a1a419a78c748f63d0ec136
Author: Victor M. Alvarez <plusvic at gmail.com>
Date:   Fri Apr 9 10:57:17 2010 +0000

    Implemented fast matching mode
---
 libyara/ast.c     |  8 ++++++++
 libyara/grammar.c |  7 ++++++-
 libyara/grammar.h |  2 +-
 libyara/grammar.y |  5 +++++
 libyara/libyara.c |  1 +
 libyara/scan.c    | 12 ++++++++----
 libyara/yara.h    |  3 +++
 yara.c            | 10 ++++++++--
 yara.man          |  5 ++++-
 9 files changed, 44 insertions(+), 9 deletions(-)

diff --git a/libyara/ast.c b/libyara/ast.c
index 1ae687d..df78ec8 100644
--- a/libyara/ast.c
+++ b/libyara/ast.c
@@ -694,6 +694,14 @@ int new_string_identifier(int type, STRING* defined_strings, char* identifier, T
         {
     		/* the string has been used in an expression, mark it as referenced */
     		string->flags |= STRING_FLAGS_REFERENCED;  
+
+			/* in this cases we can't not use the fast-matching mode */
+			if (type == TERM_TYPE_STRING_COUNT ||
+			    type == TERM_TYPE_STRING_AT ||
+			    type == TERM_TYPE_STRING_IN_RANGE)
+			{
+				string->flags &= ~STRING_FLAGS_FAST_MATCH;
+			}
 	
             new_term = (TERM_STRING*) yr_malloc(sizeof(TERM_STRING));
 
diff --git a/libyara/grammar.c b/libyara/grammar.c
index 5acf1ca..3de3b0b 100644
--- a/libyara/grammar.c
+++ b/libyara/grammar.c
@@ -239,7 +239,7 @@ typedef union YYSTYPE
     void*           meta;
 
 }
-/* Line 193 of yacc.c.  */
+/* Line 187 of yacc.c.  */
 #line 244 "grammar.c"
 	YYSTYPE;
 # define yystype YYSTYPE /* obsolescent; will be withdrawn */
@@ -2741,6 +2741,11 @@ STRING* reduce_string_declaration(  yyscan_t yyscanner,
     }
     
     yr_free(str);
+
+    if (context->fast_match)
+	{
+		string->flags |= STRING_FLAGS_FAST_MATCH;
+	}
             
     return string;
 }
diff --git a/libyara/grammar.h b/libyara/grammar.h
index e073624..316e9fc 100644
--- a/libyara/grammar.h
+++ b/libyara/grammar.h
@@ -176,7 +176,7 @@ typedef union YYSTYPE
     void*           meta;
 
 }
-/* Line 1529 of yacc.c.  */
+/* Line 1489 of yacc.c.  */
 #line 181 "grammar.h"
 	YYSTYPE;
 # define yystype YYSTYPE /* obsolescent; will be withdrawn */
diff --git a/libyara/grammar.y b/libyara/grammar.y
index 94e955c..c04387c 100644
--- a/libyara/grammar.y
+++ b/libyara/grammar.y
@@ -735,6 +735,11 @@ STRING* reduce_string_declaration(  yyscan_t yyscanner,
     }
     
     yr_free(str);
+
+    if (context->fast_match)
+	{
+		string->flags |= STRING_FLAGS_FAST_MATCH;
+	}
             
     return string;
 }
diff --git a/libyara/libyara.c b/libyara/libyara.c
index 9b7b2ff..dcb3647 100644
--- a/libyara/libyara.c
+++ b/libyara/libyara.c
@@ -54,6 +54,7 @@ YARA_CONTEXT* yr_create_context()
 	context->external_variables = NULL;
     context->allow_includes = TRUE;
 	context->current_namespace = yr_create_namespace(context, "default");
+	context->fast_match = FALSE;
     
     memset(context->hash_table.hashed_strings_2b, 0, sizeof(context->hash_table.hashed_strings_2b));
     memset(context->hash_table.hashed_strings_1b, 0, sizeof(context->hash_table.hashed_strings_1b));
diff --git a/libyara/scan.c b/libyara/scan.c
index 6fa6cfb..71aae65 100644
--- a/libyara/scan.c
+++ b/libyara/scan.c
@@ -780,7 +780,13 @@ inline int find_matches_for_strings(   STRING_LIST_ENTRY* first_string,
    	while (entry != NULL)
 	{	
 		string = entry->string;
-
+		entry = entry->next;
+		
+		if ((string->flags & STRING_FLAGS_FOUND) && (string->flags & STRING_FLAGS_FAST_MATCH))
+		{
+			continue;
+		}
+		
 		if ( (string->flags & flags) && (len = string_match(buffer, buffer_size, string, flags, negative_size)))
 		{
 		    /*  
@@ -807,9 +813,7 @@ inline int find_matches_for_strings(   STRING_LIST_ENTRY* first_string,
     				return ERROR_INSUFICIENT_MEMORY;
     			}
 		    }
-		}
-		
-		entry = entry->next;
+		}		
 	}
 	
     return ERROR_SUCCESS;
diff --git a/libyara/yara.h b/libyara/yara.h
index 15f7958..ac0fca7 100644
--- a/libyara/yara.h
+++ b/libyara/yara.h
@@ -48,6 +48,7 @@ GNU General Public License for more details.
 #define STRING_FLAGS_REGEXP                     0x40
 #define STRING_FLAGS_FULL_WORD                  0x80
 #define STRING_FLAGS_ANONYMOUS                  0x100
+#define STRING_FLAGS_FAST_MATCH                 0x200
 
 #define IS_HEX(x)       (((x)->flags) & STRING_FLAGS_HEXADECIMAL)
 #define IS_NO_CASE(x)   (((x)->flags) & STRING_FLAGS_NO_CASE)
@@ -273,6 +274,8 @@ typedef struct _YARA_CONTEXT
     int                     allow_includes;
     char                    include_base_dir[MAX_PATH];
 
+	int						fast_match;
+
 } YARA_CONTEXT;
 
 
diff --git a/yara.c b/yara.c
index 8ae1c52..ed35173 100644
--- a/yara.c
+++ b/yara.c
@@ -44,6 +44,7 @@ int show_strings = FALSE;
 int show_meta = FALSE;
 int negate = FALSE;
 
+
 TAG* specified_tags_list = NULL;
 
 typedef struct _IDENTIFIER
@@ -60,7 +61,7 @@ IDENTIFIER* specified_rules_list = NULL;
 
 void show_help()
 {
-    printf("usage:  yara [ OPTION ]... [RULEFILE]... FILE\n");
+    printf("usage:  yara [OPTION]... [RULEFILE]... FILE\n");
     printf("options:\n");
 	printf("  -t <tag>                  print rules tagged as <tag> and ignore the rest. Can be used more than once.\n");
     printf("  -i <identifier>           print rules named <identifier> and ignore the rest. Can be used more than once.\n");
@@ -70,6 +71,7 @@ void show_help()
 	printf("  -s                        print matching strings.\n");
 	printf("  -d <identifier>=<value>   define external variable.\n");
     printf("  -r                        recursively search directories.\n");
+	printf("  -f                        fast matching mode.\n");
 	printf("  -v                        show version information.\n");
 	printf("\nReport bugs to: <%s>\n", PACKAGE_BUGREPORT);
 }
@@ -393,7 +395,7 @@ int process_cmd_line(YARA_CONTEXT* context, int argc, char const* argv[])
     IDENTIFIER* identifier;
 	opterr = 0;
  
-	while ((c = getopt (argc, (char**) argv, "rnsvgmt:i:d:")) != -1)
+	while ((c = getopt (argc, (char**) argv, "rnsvgmt:i:d:f")) != -1)
 	{
 		switch (c)
 	    {
@@ -420,6 +422,10 @@ int process_cmd_line(YARA_CONTEXT* context, int argc, char const* argv[])
 			case 'n':
     			negate = TRUE;
     			break;
+
+			case 'f':
+    			context->fast_match = TRUE;
+    			break;
 		
 		   	case 't':
 		
diff --git a/yara.man b/yara.man
index 9a19ca1..cb54ff0 100644
--- a/yara.man
+++ b/yara.man
@@ -3,7 +3,7 @@
 yara \- find files matching patterns and rules written in a special-purpose language.
 .SH SYNOPSIS
 .B yara 
-[ OPTION ]... [RULEFILE]... FILE
+[OPTION]... [RULEFILE]... FILE
 .SH DESCRIPTION
 .I Yara 
 scans the given 
@@ -44,6 +44,9 @@ Define an external variable. This option can be used multiple times.
 .B \-r 
 Scan files in directories recursively.
 .TP
+.B \-f 
+Speeds up scanning by searching only for the first occurrence of each pattern.
+.TP
 .B \-v 
 Show version information.
 .SH EXAMPLES

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git

More information about the forensics-changes mailing list