[Forensics-changes] [yara] 166/415: Implemented process memory scanning
Hilko Bengen
bengen at moszumanska.debian.org
Thu Apr 3 05:43:01 UTC 2014
commit 2630f8541b84039ec3f93a8d6d7703536f7dcf93
Author: Victor M. Alvarez <plusvic at gmail.com>
Date: Wed May 29 09:44:44 2013 +0000
Implemented process memory scanning
---
libyara/proc.c | 8 ++++++++
libyara/rules.c | 50 +++++++++++++++++++++++++++++++++++++++++++----
libyara/yara.h | 8 +++++++-
yara-python/yara-python.c | 6 +++---
yara.c | 23 ++++++++++++++--------
5 files changed, 79 insertions(+), 16 deletions(-)
diff --git a/libyara/proc.c b/libyara/proc.c
index e16c370..fa0e649 100644
--- a/libyara/proc.c
+++ b/libyara/proc.c
@@ -217,6 +217,10 @@ int get_process_memory(
current_block = new_block;
}
+ else
+ {
+ yr_free(data);
+ }
address += size;
}
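Review bot: The new `else` branch frees `data` when the block cannot be allocated but then falls through to `address += size` and keeps walking, so an out-of-memory condition silently drops a region from the dump and the scan later reports a clean result for memory it never examined. For a forensic scanner a silent false negative is worse than an aborted scan; consider leaving the loop and returning an error code here (the function returns `int` and `yr_rules_scan_proc` below already checks its result against `ERROR_SUCCESS`), or at least recording that the dump is partial. This presumes the `if` this `else` belongs to tests whether `new_block` was allocated — that condition, and the start of `get_process_memory`, lie outside the hunk.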
@@ -303,6 +307,10 @@ int get_process_memory(
current_block = new_block;
}
+ else
+ {
+ yr_free(data);
+ }
}
ptrace(PTRACE_DETACH, pid, NULL, 0);
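Review bot: The same silent skip appears on the ptrace path: when the new block cannot be allocated, `data` is freed and the loop simply continues, so the list returned still looks like a complete image of the process even though a region is missing, and the caller has no way to tell. Either propagate an error out of the loop or expose a "partial" indicator alongside the block list. While here, the `PTRACE_DETACH` on the last line ignores its return value; `if (ptrace(PTRACE_DETACH, pid, NULL, 0) == -1) { /* report errno; target may remain stopped */ }` would make a failed detach visible. The loop head and the function start are outside this hunk.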
diff --git a/libyara/rules.c b/libyara/rules.c
index 45e4737..d564695 100644
--- a/libyara/rules.c
+++ b/libyara/rules.c
@@ -622,6 +622,7 @@ int yr_rules_scan_mem_block(
int yr_rules_scan_mem_blocks(
YARA_RULES* rules,
MEMORY_BLOCK* block,
+ int scanning_process_memory,
YARACALLBACK callback,
void* user_data)
{
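Review bot: `yr_rules_scan_mem_blocks` gains a `scanning_process_memory` parameter, but the `libyara/yara.h` hunks in this commit only remove the `scanning_process_memory` field and add `yr_rules_scan_proc`; if this function has a public prototype in that header or elsewhere, it is now out of sync with the definition and external callers would be compiled against the old signature. Either update the prototype in the same commit or, if the function is internal, make it `static`. A one-line comment on the parameter would also help, e.g. `/* scanning_process_memory: nonzero selects the in-memory entry point via yr_get_entry_point_address (see below) */`.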
@@ -641,7 +642,7 @@ int yr_rules_scan_mem_blocks(
{
if (context.entry_point == UNDEFINED)
{
- if (rules->scanning_process_memory)
+ if (scanning_process_memory)
context.entry_point = yr_get_entry_point_address(
block->data,
block->size,
@@ -719,9 +720,12 @@ int yr_rules_scan_mem(
block.base = 0;
block.next = NULL;
- rules->scanning_process_memory = FALSE;
-
- return yr_rules_scan_mem_blocks(rules, &block, callback, user_data);
+ return yr_rules_scan_mem_blocks(
+ rules,
+ &block,
+ FALSE,
+ callback,
+ user_data);
}
@@ -752,6 +756,44 @@ int yr_rules_scan_file(
}
+int yr_rules_scan_proc(
+ YARA_RULES* rules,
+ int pid,
+ YARACALLBACK callback,
+ void* user_data)
+{
+ MEMORY_BLOCK* first_block;
+ MEMORY_BLOCK* next_block;
+ MEMORY_BLOCK* block;
+
+ int result;
+
+ result = get_process_memory(pid, &first_block);
+
+ if (result == ERROR_SUCCESS)
+ result = yr_rules_scan_mem_blocks(
+ rules,
+ first_block,
+ TRUE,
+ callback,
+ user_data);
+
+ block = first_block;
+
+ while (block != NULL)
+ {
+ next_block = block->next;
+
+ yr_free(block->data);
+ yr_free(block);
+
+ block = next_block;
+ }
+
+ return result;
+}
+
+
int yr_rules_save(
YARA_RULES* rules,
const char* filename)
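Review bot: `first_block` is declared without an initializer and is read unconditionally at `block = first_block;`, including when `get_process_memory` returns an error. Unless that function is guaranteed to write `*first_block` on every failure path (not visible here, and the proc.c hunks above do not show it), the cleanup loop dereferences an indeterminate pointer — undefined behaviour, and in practice a crash when scanning a PID the caller cannot attach to. Initialise it: `MEMORY_BLOCK* first_block = NULL;`. A short header comment stating that this function owns and frees the whole block list and that `result` carries whichever of the dump or the scan failed first would also be welcome.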
diff --git a/libyara/yara.h b/libyara/yara.h
index 6124404..63832cd 100644
--- a/libyara/yara.h
+++ b/libyara/yara.h
@@ -434,7 +434,6 @@ typedef struct _YARA_RULES {
EXTERNAL_VARIABLE* externals_list_head;
AC_AUTOMATON* automaton;
int8_t* code_start;
- int scanning_process_memory;
int last_error;
char last_error_extra_info[256];
@@ -530,6 +529,13 @@ int yr_rules_scan_file(
void* user_data);
+int yr_rules_scan_proc(
+ YARA_RULES* rules,
+ int pid,
+ YARACALLBACK callback,
+ void* user_data);
+
+
int yr_rules_save(
YARA_RULES* rules,
const char* filename);
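Review bot: The new public `yr_rules_scan_proc` prototype is added with no documentation of what `pid` is, what privileges the caller needs, or which error codes come back. A comment above the declaration such as `/* Scan the memory of the live process identified by pid (read via ptrace on Linux, see proc.c); requires permission to attach to it. Invokes callback as yr_rules_scan_mem does; returns ERROR_SUCCESS or an error code from the dump or the scan. */` would spare callers a trip into rules.c and proc.c.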
diff --git a/yara-python/yara-python.c b/yara-python/yara-python.c
index 0ee5ecc..0cfcdcc 100644
--- a/yara-python/yara-python.c
+++ b/yara-python/yara-python.c
@@ -802,9 +802,9 @@ static PyObject * Rules_match(
{
callback_data.matches = PyList_New(0);
- /*error = yr_scan_proc(
+ error = yr_rules_scan_proc(
+ object->rules,
pid,
- object->compiler,
yara_callback,
&callback_data);
@@ -816,7 +816,7 @@ static PyObject * Rules_match(
return NULL;
else
return handle_error(error, NULL);
- }*/
+ }
}
else
{
diff --git a/yara.c b/yara.c
index dea99cd..cfc85b1 100644
--- a/yara.c
+++ b/yara.c
@@ -655,8 +655,6 @@ int main(
int errors;
int result;
- clock_t start, end;
-
if (!process_cmd_line(compiler, argc, argv))
return 0;
@@ -739,18 +737,27 @@ int main(
if (is_numeric(argv[argc - 1]))
{
pid = atoi(argv[argc - 1]);
- // result = yr_rules_scan_proc(pid, compiler, callback, (void*) argv[argc - 1]))
+ result = yr_rules_scan_proc(
+ rules,
+ pid,
+ callback,
+ (void*) argv[argc - 1]);
}
else if (is_directory(argv[argc - 1]))
{
- result = scan_dir(argv[argc - 1], recursive_search, rules, callback);
+ result = scan_dir(
+ argv[argc - 1],
+ recursive_search,
+ rules,
+ callback);
}
else
{
- start = clock();
- result = yr_rules_scan_file(rules, argv[argc - 1], callback, (void*) argv[argc - 1]);
- end = clock();
- printf( "Scanning time: %f s\n", (float)(end - start) / CLOCKS_PER_SEC);
+ result = yr_rules_scan_file(
+ rules,
+ argv[argc - 1],
+ callback,
+ (void*) argv[argc - 1]);
}
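Review bot: The PID handed to the newly enabled `yr_rules_scan_proc` call comes from `atoi(argv[argc - 1])`, which reports neither overflow nor range: an oversized digit string is undefined behaviour, and a value of 0 is passed straight to the scanner. Since `is_numeric()` already guarantees a digit string, replacing `atoi` with a checked `strtol` and rejecting out-of-range values before the call is cheap; `strtol`, `errno` and `INT_MAX` need `<stdlib.h>`, `<errno.h>` and `<limits.h>`, which may already be included at the top of yara.c. With this branch now live, a file whose name is purely numeric is treated as a pid rather than scanned — worth a line in the usage text. `main` begins before this hunk, so the existing exit-code convention is not visible; the `return 1` below is a placeholder for it.

```c
    if (is_numeric(argv[argc - 1]))
    {
      char* end;
      errno = 0;
      long value = strtol(argv[argc - 1], &end, 10);
      if (*end != '\0' || errno == ERANGE || value <= 0 || value > INT_MAX)
      {
        fprintf(stderr, "invalid pid: %s\n", argv[argc - 1]);
        return 1;
      }
      pid = (int) value;
      result = yr_rules_scan_proc(
          rules,
          pid,
          callback,
          (void*) argv[argc - 1]);
    }
    /* … unchanged: directory and file branches … */
```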
switch (result)
--