[Forensics-changes] [yara] 382/415: Improve timeout detection
Hilko Bengen
bengen at moszumanska.debian.org
Thu Apr 3 05:43:26 UTC 2014
commit 9687e06759e726390ed83d3da0039ca1e7fa1048
Author: Victor M. Alvarez <plusvic at gmail.com>
Date: Fri Jan 24 12:06:35 2014 +0100
Improve timeout detection
---
libyara/exec.c | 22 ++++++++++++++++++++--
libyara/exec.h | 4 +++-
libyara/rules.c | 11 ++++++-----
3 files changed, 29 insertions(+), 8 deletions(-)
diff --git a/libyara/exec.c b/libyara/exec.c
index 05c8e6f..a22c93f 100644
--- a/libyara/exec.c
+++ b/libyara/exec.c
@@ -16,6 +16,7 @@ limitations under the License.
#include <string.h>
#include <assert.h>
+#include <time.h>
#include "exec.h"
#include "re.h"
@@ -68,7 +69,9 @@ function_read(int32_t)
int yr_execute_code(
YR_RULES* rules,
- EVALUATION_CONTEXT* context)
+ EVALUATION_CONTEXT* context,
+ int timeout,
+ time_t start_time)
{
int64_t r1;
int64_t r2;
@@ -88,6 +91,7 @@ int yr_execute_code(
int count;
int result;
int flags;
+ int cycle = 0;
int tidx = yr_get_tidx();
while(1)
@@ -95,7 +99,8 @@ int yr_execute_code(
switch(*ip)
{
case HALT:
- // When the halt instruction is reached the stack should be empty.
+ // When the halt instruction is reached the stack
+ // should be empty.
assert(sp == 0);
return ERROR_SUCCESS;
@@ -545,6 +550,19 @@ int yr_execute_code(
assert(FALSE);
}
+ if (timeout > 0) // timeout == 0 means no timeout
+ {
+ // Check for timeout every 10 instruction cycles.
+
+ if (++cycle == 10)
+ {
+ if (difftime(time(NULL), start_time) > timeout)
+ return ERROR_SCAN_TIMEOUT;
+
+ cycle = 0;
+ }
+ }
+
ip++;
}
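Review bot: The check interval in `if (++cycle == 10)` is a bare magic number, and the sibling scan loop in rules.c polls the same timeout with a different bare constant (`i % 256 == 0`); naming it, e.g. `enum { TIMEOUT_CHECK_INTERVAL = 10 };` near the top of exec.c and `if (++cycle == TIMEOUT_CHECK_INTERVAL)` here, makes the tuning visible and lets the two loops be compared. The counter reset could also fold into the test as `if (++cycle % TIMEOUT_CHECK_INTERVAL == 0)`, dropping the separate `cycle = 0;`. Note that `timeout <= 0` disables the check entirely, which the inline comment only states for zero. The body of yr_execute_code begins and ends outside this hunk, so any case that leaves the switch without falling through to this check is not visible here.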
diff --git a/libyara/exec.h b/libyara/exec.h
index 25fcde7..3e3f973 100644
--- a/libyara/exec.h
+++ b/libyara/exec.h
@@ -88,7 +88,9 @@ typedef struct _EVALUATION_CONTEXT
int yr_execute_code(
YR_RULES* rules,
- EVALUATION_CONTEXT* context);
+ EVALUATION_CONTEXT* context,
+ int timeout,
+ time_t start_time);
#endif
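Review bot: The prototype now names `time_t`, but the commit adds `#include <time.h>` only to exec.c; unless exec.h already includes `<time.h>` (not visible in this hunk), a translation unit that includes exec.h before any header providing `time_t` will fail to compile, so the include belongs in exec.h as well. The new parameters also carry no contract: I would add above the declaration a comment along the lines of `/* timeout: seconds, <= 0 disables the check; start_time: reference compared against time(NULL) */`, since the unit and the zero semantics are only discoverable by reading exec.c.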
diff --git a/libyara/rules.c b/libyara/rules.c
index 0a08a36..b75193f 100644
--- a/libyara/rules.c
+++ b/libyara/rules.c
@@ -1012,7 +1012,6 @@ int yr_rules_scan_mem_block(
YR_AC_MATCH* ac_match;
YR_AC_STATE* current_state;
- time_t current_time;
size_t i;
current_state = rules->automaton->root;
@@ -1053,9 +1052,7 @@ int yr_rules_scan_mem_block(
if (timeout > 0 && i % 256 == 0)
{
- current_time = time(NULL);
-
- if (difftime(current_time, start_time) > timeout)
+ if (difftime(time(NULL), start_time) > timeout)
return ERROR_SCAN_TIMEOUT;
}
}
@@ -1163,7 +1160,11 @@ int yr_rules_scan_mem_blocks(
block = block->next;
}
- result = yr_execute_code(rules, &context);
+ result = yr_execute_code(
+ rules,
+ &context,
+ timeout,
+ start_time);
if (result != ERROR_SUCCESS)
goto _exit;
--