[Forensics-changes] [yara] 166/415: Implemented process memory scanning

Hilko Bengen bengen at moszumanska.debian.org
Thu Apr 3 05:43:01 UTC 2014



commit 2630f8541b84039ec3f93a8d6d7703536f7dcf93
Author: Victor M. Alvarez <plusvic at gmail.com>
Date:   Wed May 29 09:44:44 2013 +0000

    Implemented process memory scanning
---
 libyara/proc.c            |  8 ++++++++
 libyara/rules.c           | 50 +++++++++++++++++++++++++++++++++++++++++++----
 libyara/yara.h            |  8 +++++++-
 yara-python/yara-python.c |  6 +++---
 yara.c                    | 23 ++++++++++++++--------
 5 files changed, 79 insertions(+), 16 deletions(-)

diff --git a/libyara/proc.c b/libyara/proc.c
index e16c370..fa0e649 100644
--- a/libyara/proc.c
+++ b/libyara/proc.c
@@ -217,6 +217,10 @@ int get_process_memory(
 
         current_block = new_block;
       }
+      else
+      {
+        yr_free(data);
+      }
 
       address += size;
     }
@@ -303,6 +307,10 @@ int get_process_memory(
 
       current_block = new_block;
     }
+    else
+    {
+      yr_free(data);
+    }
   }
 
   ptrace(PTRACE_DETACH, pid, NULL, 0);
diff --git a/libyara/rules.c b/libyara/rules.c
index 45e4737..d564695 100644
--- a/libyara/rules.c
+++ b/libyara/rules.c
@@ -622,6 +622,7 @@ int yr_rules_scan_mem_block(
 int yr_rules_scan_mem_blocks(
     YARA_RULES* rules,
     MEMORY_BLOCK* block,
+    int scanning_process_memory,
     YARACALLBACK callback,
     void* user_data)
 {
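Review bot: The added `scanning_process_memory` parameter changes the signature of `yr_rules_scan_mem_blocks`, but the yara.h hunks in this commit only drop the struct field and add `yr_rules_scan_proc`; if yara.h or another header declares `yr_rules_scan_mem_blocks`, that prototype needs the same parameter, otherwise external callers compile against a four-argument declaration and the flag receives whatever happens to be in the register or stack slot. The parameter is also undocumented, and its only visible effect is the `context.entry_point` branch in the next hunk; a comment on the parameter such as `/* non-zero when the blocks come from a live process: entry point is computed from block->data instead of a file layout */` would tell callers what TRUE means. The function body continues outside the hunk.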
@@ -641,7 +642,7 @@ int yr_rules_scan_mem_blocks(
   {
     if (context.entry_point == UNDEFINED)
     {
-      if (rules->scanning_process_memory)
+      if (scanning_process_memory)
         context.entry_point = yr_get_entry_point_address(
             block->data,
             block->size,
@@ -719,9 +720,12 @@ int yr_rules_scan_mem(
   block.base = 0;
   block.next = NULL;
 
-  rules->scanning_process_memory = FALSE;
-
-  return yr_rules_scan_mem_blocks(rules, &block, callback, user_data);
+  return yr_rules_scan_mem_blocks(
+      rules,
+      &block,
+      FALSE,
+      callback,
+      user_data);
 }
 
 
@@ -752,6 +756,44 @@ int yr_rules_scan_file(
 }
 
 
+int yr_rules_scan_proc(
+    YARA_RULES* rules,
+    int pid,
+    YARACALLBACK callback,
+    void* user_data)
+{
+  MEMORY_BLOCK* first_block;
+  MEMORY_BLOCK* next_block;
+  MEMORY_BLOCK* block;
+
+  int result;
+
+  result = get_process_memory(pid, &first_block);
+
+  if (result == ERROR_SUCCESS)
+    result = yr_rules_scan_mem_blocks(
+        rules,
+        first_block,
+        TRUE,
+        callback,
+        user_data);
+
+  block = first_block;
+
+  while (block != NULL)
+  {
+    next_block = block->next;
+
+    yr_free(block->data);
+    yr_free(block);
+
+    block = next_block;
+  }
+
+  return result;
+}
+
+
 int yr_rules_save(
     YARA_RULES* rules,
     const char* filename)
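Review bot: `first_block` is declared without an initializer and is still walked by the cleanup loop after `get_process_memory` fails, so unless that function stores into `*first_block` on every failure path the loop dereferences an indeterminate pointer and frees garbage; initialize it, `MEMORY_BLOCK* first_block = NULL;`, so the cleanup is safe whatever the callee does on error. The loop frees `block->data` unconditionally, which is consistent with the proc.c hunks, where `data` is freed only when no block was created, so every block in the list owns its buffer. Minor: `pid` is an `int` while POSIX process ids are `pid_t`; if `int` is kept for the public API, the header should say the value is passed through to the platform attach call as-is.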
diff --git a/libyara/yara.h b/libyara/yara.h
index 6124404..63832cd 100644
--- a/libyara/yara.h
+++ b/libyara/yara.h
@@ -434,7 +434,6 @@ typedef struct _YARA_RULES {
   EXTERNAL_VARIABLE*   externals_list_head;
   AC_AUTOMATON*        automaton;
   int8_t*              code_start;
-  int                  scanning_process_memory;
   int                  last_error;
   char                 last_error_extra_info[256];
 
@@ -530,6 +529,13 @@ int yr_rules_scan_file(
     void* user_data);
 
 
+int yr_rules_scan_proc(
+    YARA_RULES* rules,
+    int pid,
+    YARACALLBACK callback,
+    void* user_data);
+
+
 int yr_rules_save(
     YARA_RULES* rules,
     const char* filename);
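Review bot: The new `yr_rules_scan_proc` declaration has no documentation, so a caller cannot tell what `pid` must be, what the callback sees, or what the return value means. Suggest a comment above it stating that the rules are matched against the memory blocks of process `pid` as read by `get_process_memory`, that `callback` and `user_data` are forwarded unchanged to the block scan, and that the result is the error code of whichever step failed first (the memory read or the scan) or ERROR_SUCCESS, which is what the rules.c implementation in this commit returns. The proc.c hunk shows the Linux path detaching with `ptrace(PTRACE_DETACH, ...)`, so the comment should also say the caller needs permission to trace the target process.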
diff --git a/yara-python/yara-python.c b/yara-python/yara-python.c
index 0ee5ecc..0cfcdcc 100644
--- a/yara-python/yara-python.c
+++ b/yara-python/yara-python.c
@@ -802,9 +802,9 @@ static PyObject * Rules_match(
     {
       callback_data.matches = PyList_New(0);
 
-      /*error = yr_scan_proc(
+      error = yr_rules_scan_proc(
+          object->rules,
           pid,
-          object->compiler,
           yara_callback,
           &callback_data);
 
@@ -816,7 +816,7 @@ static PyObject * Rules_match(
           return NULL;
         else
           return handle_error(error, NULL);
-      }*/
+      }
     }
     else
     {
diff --git a/yara.c b/yara.c
index dea99cd..cfc85b1 100644
--- a/yara.c
+++ b/yara.c
@@ -655,8 +655,6 @@ int main(
   int errors;
   int result;
 
-  clock_t start, end;
-
   if (!process_cmd_line(compiler, argc, argv))
     return 0;
 
@@ -739,18 +737,27 @@ int main(
   if (is_numeric(argv[argc - 1]))
   {
     pid = atoi(argv[argc - 1]);
-    // result = yr_rules_scan_proc(pid, compiler, callback, (void*) argv[argc - 1]))
+    result = yr_rules_scan_proc(
+        rules,
+        pid,
+        callback,
+        (void*) argv[argc - 1]);
   }
   else if (is_directory(argv[argc - 1]))
   {
-    result = scan_dir(argv[argc - 1], recursive_search, rules, callback);
+    result = scan_dir(
+        argv[argc - 1],
+        recursive_search,
+        rules,
+        callback);
   }
   else
   {
-    start = clock();
-    result = yr_rules_scan_file(rules, argv[argc - 1], callback, (void*) argv[argc - 1]);
-    end = clock();
-    printf( "Scanning time: %f s\n", (float)(end - start) / CLOCKS_PER_SEC);
+    result = yr_rules_scan_file(
+        rules,
+        argv[argc - 1],
+        callback,
+        (void*) argv[argc - 1]);
   }
 
   switch (result)
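Review bot: The `pid` handed to the new `yr_rules_scan_proc` call comes from `atoi` on the context line above, which cannot report overflow and accepts values that are not valid process ids, so a long digit string silently becomes some unrelated pid. Since that value is now used to attach to a process, parse it with `strtol` and reject out-of-range input before the call: `errno = 0; long v = strtol(argv[argc - 1], NULL, 10); if (errno == ERANGE || v <= 0 || v > INT_MAX) { fprintf(stderr, "invalid pid\n"); return 1; }` then `pid = (int) v;`. `main` starts and ends outside the hunk, so check that `<errno.h>` and `<limits.h>` are already included.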
