[Forensics-changes] [yara] 01/02: Update big endian patch, this should fix build problems with software that uses YARA.
Hilko Bengen
bengen at moszumanska.debian.org
Mon Oct 24 20:46:40 UTC 2016
This is an automated email from the git hooks/post-receive script.
bengen pushed a commit to branch master
in repository yara.
commit 1b0f66223943167d5fb644eacb547d63e15a87a7
Author: Hilko Bengen <bengen at debian.org>
Date: Mon Oct 24 22:21:46 2016 +0200
Update big endian patch, this should fix build problems with software that uses YARA.
---
.../0001-Fixes-for-big-endian-architectures.patch | 282 +++++++++++++--------
1 file changed, 178 insertions(+), 104 deletions(-)
diff --git a/debian/patches/0001-Fixes-for-big-endian-architectures.patch b/debian/patches/0001-Fixes-for-big-endian-architectures.patch
index bdd85b8..9539f5f 100644
--- a/debian/patches/0001-Fixes-for-big-endian-architectures.patch
+++ b/debian/patches/0001-Fixes-for-big-endian-architectures.patch
@@ -3,13 +3,14 @@ Date: Sun, 16 Oct 2016 14:54:58 +0200
Subject: Fixes for big-endian architectures
This is an adaptation of commits
-a9a1105d923912a27546e5a8940ec1ddc19cd1be and
-d272b9c742e15d6767f20a7f1c01579b468cceee which have been integrated in
+a9a1105d923912a27546e5a8940ec1ddc19cd1be,
+d272b9c742e15d6767f20a7f1c01579b468cceee, and
+d3b77eb1e9ee4731ea11c39fceb262cf4f2b006f which have been integrated in
upstream git.
---
Makefile.am | 4 +-
configure.ac | 2 +
- libyara/exec.c | 31 ++-
+ libyara/exec.c | 32 ++--
libyara/exefiles.c | 83 ++++----
libyara/grammar.c | 409 ++++++++++++++++++++--------------------
libyara/grammar.h | 2 +-
@@ -18,13 +19,15 @@ upstream git.
libyara/hex_grammar.h | 2 +-
libyara/hex_lexer.c | 141 +++++++-------
libyara/include/yara/compiler.h | 2 +-
+ libyara/include/yara/endian.h | 63 +++++++
libyara/include/yara/modules.h | 2 +-
libyara/include/yara/parser.h | 4 +-
- libyara/include/yara/pe.h | 5 +-
- libyara/include/yara/utils.h | 30 ++-
+ libyara/include/yara/pe.h | 4 +-
+ libyara/include/yara/utils.h | 3 -
libyara/lexer.c | 260 ++++++++++++-------------
- libyara/modules/elf.c | 135 +++++++------
- libyara/modules/pe.c | 265 +++++++++++++-------------
+ libyara/modules/elf.c | 136 +++++++------
+ libyara/modules/pe.c | 266 +++++++++++++-------------
+ libyara/modules/pe_utils.c | 1 +
libyara/parser.c | 20 +-
libyara/re_grammar.c | 161 ++++++++--------
libyara/re_grammar.h | 2 +-
@@ -32,7 +35,8 @@ upstream git.
tests/test-elf.c | 29 +++
tests/test-pe.c | 2 +
tests/test-rules.c | 5 +-
- 25 files changed, 945 insertions(+), 917 deletions(-)
+ 27 files changed, 982 insertions(+), 919 deletions(-)
+ create mode 100644 libyara/include/yara/endian.h
create mode 100644 tests/test-elf.c
diff --git a/Makefile.am b/Makefile.am
@@ -69,10 +73,18 @@ index e9e27ee..6d821c8 100644
[LIBS="$PTHREAD_LIBS $LIBS"
CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
diff --git a/libyara/exec.c b/libyara/exec.c
-index b0a79b6..3facabd 100644
+index b0a79b6..1a347c0 100644
--- a/libyara/exec.c
+++ b/libyara/exec.c
-@@ -88,27 +88,18 @@ typedef union _STACK_ITEM {
+@@ -34,6 +34,7 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ #include <time.h>
+ #include <math.h>
+
++#include <yara/endian.h>
+ #include <yara/exec.h>
+ #include <yara/limits.h>
+ #include <yara/error.h>
+@@ -88,27 +89,18 @@ typedef union _STACK_ITEM {
#define little_endian_uint8_t(x) (x)
@@ -112,17 +124,17 @@ index b0a79b6..3facabd 100644
#define function_read(type, endianess) \
diff --git a/libyara/exefiles.c b/libyara/exefiles.c
-index f8d455a..599e397 100644
+index f8d455a..ad03c10 100644
--- a/libyara/exefiles.c
+++ b/libyara/exefiles.c
-@@ -32,6 +32,7 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+@@ -29,6 +29,7 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+ #include <limits.h>
+
++#include <yara/endian.h>
#include <yara/pe.h>
#include <yara/elf.h>
#include <yara/exec.h>
-+#include <yara/utils.h>
-
- #ifndef NULL
- #define NULL 0
@@ -56,26 +57,26 @@ PIMAGE_NT_HEADERS32 yr_get_pe_header(
mz_header = (PIMAGE_DOS_HEADER) buffer;
@@ -2677,6 +2689,75 @@ index f111373..440b777 100644
struct _YR_FIXUP* next;
} YR_FIXUP;
+diff --git a/libyara/include/yara/endian.h b/libyara/include/yara/endian.h
+new file mode 100644
+index 0000000..06d8c14
+--- /dev/null
++++ b/libyara/include/yara/endian.h
+@@ -0,0 +1,63 @@
++/*
++Copyright (c) 2016. The YARA Authors. All Rights Reserved.
++
++Redistribution and use in source and binary forms, with or without modification,
++are permitted provided that the following conditions are met:
++
++1. Redistributions of source code must retain the above copyright notice, this
++list of conditions and the following disclaimer.
++
++2. Redistributions in binary form must reproduce the above copyright notice,
++this list of conditions and the following disclaimer in the documentation and/or
++other materials provided with the distribution.
++
++3. Neither the name of the copyright holder nor the names of its contributors
++may be used to endorse or promote products derived from this software without
++specific prior written permission.
++
++THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
++ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
++WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
++DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
++ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
++(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
++ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
++SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++*/
++
++#ifndef YR_ENDIAN_H
++#define YR_ENDIAN_H
++
++#include <config.h>
++
++#if defined(__GNUC__)
++#define yr_bswap16(x) __builtin_bswap16(x)
++#define yr_bswap32(x) __builtin_bswap32(x)
++#define yr_bswap64(x) __builtin_bswap64(x)
++#elif defined(_MSC_VER)
++#define yr_bswap16(x) _byteswap_ushort(x)
++#define yr_bswap32(x) _byteswap_ulong(x)
++#define yr_bswap64(x) _byteswap_uint64(x)
++#else
++#error Unknown compiler: Add yr_bswap* definitions
++#endif
++
++#if defined(WORDS_BIGENDIAN)
++#define yr_le16toh(x) yr_bswap16(x)
++#define yr_le32toh(x) yr_bswap32(x)
++#define yr_le64toh(x) yr_bswap64(x)
++#define yr_be16toh(x) (x)
++#define yr_be32toh(x) (x)
++#define yr_be64toh(x) (x)
++#else
++#define yr_le16toh(x) (x)
++#define yr_le32toh(x) (x)
++#define yr_le64toh(x) (x)
++#define yr_be16toh(x) yr_bswap16(x)
++#define yr_be32toh(x) yr_bswap32(x)
++#define yr_be64toh(x) yr_bswap64(x)
++#endif
++
++#endif
diff --git a/libyara/include/yara/modules.h b/libyara/include/yara/modules.h
index 3b5b058..38e1bcd 100644
--- a/libyara/include/yara/modules.h
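Review bot: The new `yara/endian.h` picks the byte order solely from `WORDS_BIGENDIAN` in `<config.h>`, so a translation unit built without that macro silently takes the `#else` branch, where `yr_le16toh`/`yr_le32toh`/`yr_le64toh` are identity macros even on a big-endian host. In a scanner that parses untrusted PE and ELF headers, this presumably means unswapped offsets and sizes reach the `struct_fits_in_pe`-style checks instead of the build failing. A compile-time cross-check would catch this where the compiler exposes the byte order: `#if !defined(WORDS_BIGENDIAN) && defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__`, then `#error WORDS_BIGENDIAN not defined on a big-endian target`, then `#endif`. The header also still includes `<config.h>`. Whether `endian.h` or `pe.h` gets installed is not visible here, but if either does, out-of-tree users would hit the same missing-header build failure this commit is meant to fix.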
@@ -2707,20 +2788,19 @@ index 8fff40e..77c26b6 100644
int yr_parser_check_types(
diff --git a/libyara/include/yara/pe.h b/libyara/include/yara/pe.h
-index 9afa314..31c3136 100644
+index 9afa314..d28eac9 100644
--- a/libyara/include/yara/pe.h
+++ b/libyara/include/yara/pe.h
-@@ -27,6 +27,9 @@ ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+@@ -27,6 +27,8 @@ ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
-+#include <yara/types.h>
-+#include <yara/utils.h>
++#include <yara/endian.h>
+
#pragma pack(push, 1)
#if defined(_WIN32) || defined(__CYGWIN__)
-@@ -308,7 +311,7 @@ typedef struct _IMAGE_NT_HEADERS64 {
+@@ -308,7 +310,7 @@ typedef struct _IMAGE_NT_HEADERS64 {
#define IMAGE_FIRST_SECTION( ntheader ) ((PIMAGE_SECTION_HEADER) \
((BYTE*)ntheader + \
FIELD_OFFSET( IMAGE_NT_HEADERS32, OptionalHeader ) + \
@@ -2730,53 +2810,19 @@ index 9afa314..31c3136 100644
// Subsystem Values
diff --git a/libyara/include/yara/utils.h b/libyara/include/yara/utils.h
-index 104d9ee..da0fb88 100644
+index 104d9ee..2061d3a 100644
--- a/libyara/include/yara/utils.h
+++ b/libyara/include/yara/utils.h
-@@ -31,6 +31,8 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- #ifndef YR_UTILS_H
- #define YR_UTILS_H
-
-+#include <config.h>
-+
- #ifndef TRUE
- #define TRUE 1
- #endif
-@@ -68,7 +70,33 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+@@ -68,9 +68,6 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#define yr_min(x, y) ((x < y) ? (x) : (y))
#define yr_max(x, y) ((x > y) ? (x) : (y))
-#define PTR_TO_INT64(x) ((int64_t) (size_t) x)
-+#if defined(__GNUC__)
-+#define yr_bswap16(x) __builtin_bswap16(x)
-+#define yr_bswap32(x) __builtin_bswap32(x)
-+#define yr_bswap64(x) __builtin_bswap64(x)
-+#elif defined(_MSC_VER)
-+#define yr_bswap16(x) _byteswap_ushort(x)
-+#define yr_bswap32(x) _byteswap_ulong(x)
-+#define yr_bswap64(x) _byteswap_uint64(x)
-+#else
-+#error Unknown compiler: Add yr_bswap* definitions
-+#endif
-+
-+#if defined(WORDS_BIGENDIAN)
-+#define yr_le16toh(x) yr_bswap16(x)
-+#define yr_le32toh(x) yr_bswap32(x)
-+#define yr_le64toh(x) yr_bswap64(x)
-+#define yr_be16toh(x) (x)
-+#define yr_be32toh(x) (x)
-+#define yr_be64toh(x) (x)
-+#else
-+#define yr_le16toh(x) (x)
-+#define yr_le32toh(x) (x)
-+#define yr_le64toh(x) (x)
-+#define yr_be16toh(x) yr_bswap16(x)
-+#define yr_be32toh(x) yr_bswap32(x)
-+#define yr_be64toh(x) yr_bswap64(x)
-+#endif
-
-
+-
+-
#ifdef NDEBUG
+
+ #define assertf(expr, msg, ...) ((void)0)
diff --git a/libyara/lexer.c b/libyara/lexer.c
index d0f3688..6669c5c 100644
--- a/libyara/lexer.c
@@ -3705,10 +3751,18 @@ index d0f3688..6669c5c 100644
diff --git a/libyara/modules/elf.c b/libyara/modules/elf.c
-index ed4ccd1..08c3ce4 100644
+index ed4ccd1..e934084 100644
--- a/libyara/modules/elf.c
+++ b/libyara/modules/elf.c
-@@ -48,7 +48,7 @@ int get_elf_type(
+@@ -30,6 +30,7 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ #include <limits.h>
+
+ #include <yara/elf.h>
++#include <yara/endian.h>
+ #include <yara/modules.h>
+ #include <yara/mem.h>
+
+@@ -48,7 +49,7 @@ int get_elf_type(
elf_ident = (elf_ident_t*) buffer;
@@ -3717,7 +3771,7 @@ index ed4ccd1..08c3ce4 100644
{
return elf_ident->_class;
}
-@@ -58,11 +58,11 @@ int get_elf_type(
+@@ -58,11 +59,11 @@ int get_elf_type(
}
}
@@ -3733,7 +3787,7 @@ index ed4ccd1..08c3ce4 100644
#define ELF_RVA_TO_OFFSET(bits) \
-@@ -77,30 +77,34 @@ uint64_t elf_rva_to_offset_##bits( \
+@@ -77,30 +78,34 @@ uint64_t elf_rva_to_offset_##bits( \
\
/* check that sh_offset doesn't wrap when added to SIZE_OF_SECTION_TABLE */ \
\
@@ -3780,7 +3834,7 @@ index ed4ccd1..08c3ce4 100644
} \
\
section++; \
-@@ -122,83 +126,96 @@ void parse_elf_header_##bits( \
+@@ -122,83 +127,96 @@ void parse_elf_header_##bits( \
elf##bits##_section_header_t* section; \
elf##bits##_program_header_t* segment; \
\
@@ -3917,7 +3971,7 @@ index ed4ccd1..08c3ce4 100644
\
segment++; \
} \
-@@ -398,7 +415,7 @@ int module_load(
+@@ -398,7 +416,7 @@ int module_load(
elf_header32 = (elf32_header_t*) block_data;
if (!(context->flags & SCAN_FLAGS_PROCESS_MEMORY) ||
@@ -3926,7 +3980,7 @@ index ed4ccd1..08c3ce4 100644
{
parse_elf_header_32(
elf_header32,
-@@ -418,7 +435,7 @@ int module_load(
+@@ -418,7 +436,7 @@ int module_load(
elf_header64 = (elf64_header_t*) block_data;
if (!(context->flags & SCAN_FLAGS_PROCESS_MEMORY) ||
@@ -3936,10 +3990,18 @@ index ed4ccd1..08c3ce4 100644
parse_elf_header_64(
elf_header64,
diff --git a/libyara/modules/pe.c b/libyara/modules/pe.c
-index 1af5562..6976340 100644
+index 1af5562..1671ea7 100644
--- a/libyara/modules/pe.c
+++ b/libyara/modules/pe.c
-@@ -207,46 +207,46 @@ PIMAGE_NT_HEADERS32 pe_get_header(
+@@ -47,6 +47,7 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ #endif
+ #endif
+
++#include <yara/endian.h>
+ #include <yara/pe.h>
+ #include <yara/modules.h>
+ #include <yara/mem.h>
+@@ -207,46 +208,46 @@ PIMAGE_NT_HEADERS32 pe_get_header(
mz_header = (PIMAGE_DOS_HEADER) data;
@@ -4016,7 +4078,7 @@ index 1af5562..6976340 100644
data_size > headers_size)
{
return pe_header;
-@@ -280,13 +280,13 @@ void pe_parse_rich_signature(
+@@ -280,13 +281,13 @@ void pe_parse_rich_signature(
mz_header = (PIMAGE_DOS_HEADER) pe->data;
@@ -4033,7 +4095,7 @@ index 1af5562..6976340 100644
sizeof(pe_header->Signature) + \
sizeof(IMAGE_FILE_HEADER);
-@@ -301,9 +301,9 @@ void pe_parse_rich_signature(
+@@ -301,9 +302,9 @@ void pe_parse_rich_signature(
rich_signature = (PRICH_SIGNATURE) (pe->data + 0x80);
@@ -4046,7 +4108,7 @@ index 1af5562..6976340 100644
{
return;
}
-@@ -312,7 +312,7 @@ void pe_parse_rich_signature(
+@@ -312,7 +313,7 @@ void pe_parse_rich_signature(
rich_ptr <= (DWORD*) (pe->data + headers_size);
rich_ptr++)
{
@@ -4055,7 +4117,7 @@ index 1af5562..6976340 100644
{
// Multiple by 4 because we are counting in DWORDs.
rich_len = (rich_ptr - (DWORD*) rich_signature) * 4;
-@@ -411,17 +411,17 @@ int64_t pe_rva_to_offset(
+@@ -411,17 +412,17 @@ int64_t pe_rva_to_offset(
int alignment = 0;
int rest = 0;
@@ -4078,7 +4140,7 @@ index 1af5562..6976340 100644
{
// Round section_offset
//
-@@ -434,11 +434,11 @@ int64_t pe_rva_to_offset(
+@@ -434,11 +435,11 @@ int64_t pe_rva_to_offset(
// If FileAlignment is >= 0x200, it is apparently ignored (see
// Ero Carreras's pefile.py, PE.adjust_FileAlignment).
@@ -4094,7 +4156,7 @@ index 1af5562..6976340 100644
if (alignment)
{
-@@ -498,11 +498,11 @@ uint8_t* parse_resource_name(
+@@ -498,11 +499,11 @@ uint8_t* parse_resource_name(
// If high bit is set it is an offset relative to rsrc_data, which contains
// a resource directory string.
@@ -4108,7 +4170,7 @@ index 1af5562..6976340 100644
// A resource directory string is 2 bytes for a string and then a variable
// length Unicode string. Make sure we at least have two bytes.
-@@ -544,15 +544,15 @@ int _pe_iterate_resources(
+@@ -544,15 +545,15 @@ int _pe_iterate_resources(
// A few sanity checks to avoid corrupt files
@@ -4129,7 +4191,7 @@ index 1af5562..6976340 100644
// The first directory entry is just after the resource directory,
// by incrementing resource_dir we skip sizeof(resource_dir) bytes
-@@ -570,15 +570,15 @@ int _pe_iterate_resources(
+@@ -570,15 +571,15 @@ int _pe_iterate_resources(
switch(rsrc_tree_level)
{
case 0:
@@ -4148,7 +4210,7 @@ index 1af5562..6976340 100644
lang_string = parse_resource_name(pe, rsrc_data, entry);
break;
}
-@@ -662,11 +662,11 @@ int pe_iterate_resources(
+@@ -662,11 +663,11 @@ int pe_iterate_resources(
PIMAGE_DATA_DIRECTORY directory = pe_get_directory_entry(
pe, IMAGE_DIRECTORY_ENTRY_RESOURCE);
@@ -4162,7 +4224,7 @@ index 1af5562..6976340 100644
if (offset < 0)
return 0;
-@@ -675,14 +675,14 @@ int pe_iterate_resources(
+@@ -675,14 +676,14 @@ int pe_iterate_resources(
if (struct_fits_in_pe(pe, rsrc_dir, IMAGE_RESOURCE_DIRECTORY))
{
@@ -4180,7 +4242,7 @@ index 1af5562..6976340 100644
pe->object,
"resource_version.minor");
-@@ -720,7 +720,7 @@ void pe_parse_version_info(
+@@ -720,7 +721,7 @@ void pe_parse_version_info(
{
PVERSION_INFO version_info;
@@ -4189,7 +4251,7 @@ index 1af5562..6976340 100644
if (version_info_offset < 0)
return;
-@@ -741,16 +741,16 @@ void pe_parse_version_info(
+@@ -741,16 +742,16 @@ void pe_parse_version_info(
while(fits_in_pe(pe, version_info->Key, sizeof("VarFileInfo") * 2) &&
strcmp_w(version_info->Key, "VarFileInfo") == 0 &&
@@ -4209,7 +4271,7 @@ index 1af5562..6976340 100644
{
PVERSION_INFO string_table = ADD_OFFSET(
version_info,
-@@ -758,11 +758,11 @@ void pe_parse_version_info(
+@@ -758,11 +759,11 @@ void pe_parse_version_info(
version_info = ADD_OFFSET(
version_info,
@@ -4223,7 +4285,7 @@ index 1af5562..6976340 100644
string_table < version_info)
{
PVERSION_INFO string = ADD_OFFSET(
-@@ -771,11 +771,11 @@ void pe_parse_version_info(
+@@ -771,11 +772,11 @@ void pe_parse_version_info(
string_table = ADD_OFFSET(
string_table,
@@ -4237,7 +4299,7 @@ index 1af5562..6976340 100644
string < string_table)
{
if (string->ValueLength > 0)
-@@ -814,9 +814,9 @@ int pe_collect_resources(
+@@ -814,9 +815,9 @@ int pe_collect_resources(
{
DWORD length;
@@ -4249,7 +4311,7 @@ index 1af5562..6976340 100644
return RESOURCE_CALLBACK_CONTINUE;
set_integer(
-@@ -826,7 +826,7 @@ int pe_collect_resources(
+@@ -826,7 +827,7 @@ int pe_collect_resources(
pe->resources);
set_integer(
@@ -4258,7 +4320,7 @@ index 1af5562..6976340 100644
pe->object,
"resources[%i].length",
pe->resources);
-@@ -906,13 +906,13 @@ IMPORTED_FUNCTION* pe_parse_import_descriptor(
+@@ -906,13 +907,13 @@ IMPORTED_FUNCTION* pe_parse_import_descriptor(
int num_functions = 0;
int64_t offset = pe_rva_to_offset(
@@ -4274,7 +4336,7 @@ index 1af5562..6976340 100644
if (offset < 0)
return NULL;
-@@ -922,16 +922,16 @@ IMPORTED_FUNCTION* pe_parse_import_descriptor(
+@@ -922,16 +923,16 @@ IMPORTED_FUNCTION* pe_parse_import_descriptor(
PIMAGE_THUNK_DATA64 thunks64 = (PIMAGE_THUNK_DATA64)(pe->data + offset);
while (struct_fits_in_pe(pe, thunks64, IMAGE_THUNK_DATA64) &&
@@ -4294,7 +4356,7 @@ index 1af5562..6976340 100644
if (offset >= 0)
{
-@@ -949,9 +949,9 @@ IMPORTED_FUNCTION* pe_parse_import_descriptor(
+@@ -949,9 +950,9 @@ IMPORTED_FUNCTION* pe_parse_import_descriptor(
else
{
// If imported by ordinal. Lookup the ordinal.
@@ -4306,7 +4368,7 @@ index 1af5562..6976340 100644
has_ordinal = 1;
}
-@@ -989,16 +989,16 @@ IMPORTED_FUNCTION* pe_parse_import_descriptor(
+@@ -989,16 +990,16 @@ IMPORTED_FUNCTION* pe_parse_import_descriptor(
PIMAGE_THUNK_DATA32 thunks32 = (PIMAGE_THUNK_DATA32)(pe->data + offset);
while (struct_fits_in_pe(pe, thunks32, IMAGE_THUNK_DATA32) &&
@@ -4326,7 +4388,7 @@ index 1af5562..6976340 100644
if (offset >= 0)
{
-@@ -1016,9 +1016,9 @@ IMPORTED_FUNCTION* pe_parse_import_descriptor(
+@@ -1016,9 +1017,9 @@ IMPORTED_FUNCTION* pe_parse_import_descriptor(
else
{
// If imported by ordinal. Lookup the ordinal.
@@ -4338,7 +4400,7 @@ index 1af5562..6976340 100644
has_ordinal = 1;
}
-@@ -1102,10 +1102,10 @@ IMPORTED_DLL* pe_parse_imports(
+@@ -1102,10 +1103,10 @@ IMPORTED_DLL* pe_parse_imports(
PIMAGE_DATA_DIRECTORY directory = pe_get_directory_entry(
pe, IMAGE_DIRECTORY_ENTRY_IMPORT);
@@ -4351,7 +4413,7 @@ index 1af5562..6976340 100644
if (offset < 0)
return NULL;
-@@ -1114,9 +1114,9 @@ IMPORTED_DLL* pe_parse_imports(
+@@ -1114,9 +1115,9 @@ IMPORTED_DLL* pe_parse_imports(
(pe->data + offset);
while (struct_fits_in_pe(pe, imports, IMAGE_IMPORT_DESCRIPTOR) &&
@@ -4363,7 +4425,7 @@ index 1af5562..6976340 100644
if (offset >= 0)
{
-@@ -1180,19 +1180,19 @@ void pe_parse_certificates(
+@@ -1180,19 +1181,19 @@ void pe_parse_certificates(
set_integer(0, pe->object, "number_of_signatures");
// directory->VirtualAddress is a file offset. Don't call pe_rva_to_offset().
@@ -4389,7 +4451,7 @@ index 1af5562..6976340 100644
//
// Walk the directory, pulling out certificates.
-@@ -1206,10 +1206,10 @@ void pe_parse_certificates(
+@@ -1206,10 +1207,10 @@ void pe_parse_certificates(
//
while (struct_fits_in_pe(pe, win_cert, WIN_CERTIFICATE) &&
@@ -4403,7 +4465,7 @@ index 1af5562..6976340 100644
{
BIO* cert_bio;
PKCS7* pkcs7;
-@@ -1217,9 +1217,9 @@ void pe_parse_certificates(
+@@ -1217,9 +1218,9 @@ void pe_parse_certificates(
// Some sanity checks
@@ -4416,7 +4478,7 @@ index 1af5562..6976340 100644
{
break;
}
-@@ -1227,16 +1227,16 @@ void pe_parse_certificates(
+@@ -1227,16 +1228,16 @@ void pe_parse_certificates(
// Don't support legacy revision for now.
// Make sure type is PKCS#7 too.
@@ -4437,7 +4499,7 @@ index 1af5562..6976340 100644
if (!cert_bio)
break;
-@@ -1398,29 +1398,31 @@ void pe_parse_header(
+@@ -1398,29 +1399,31 @@ void pe_parse_header(
int i, scount;
set_integer(
@@ -4476,7 +4538,7 @@ index 1af5562..6976340 100644
pe->object, "image_base");
set_integer(
-@@ -1432,31 +1434,31 @@ void pe_parse_header(
+@@ -1432,31 +1435,31 @@ void pe_parse_header(
pe->object, "linker_version.minor");
set_integer(
@@ -4515,7 +4577,7 @@ index 1af5562..6976340 100644
pe->object, "subsystem");
pe_iterate_resources(
-@@ -1468,7 +1470,7 @@ void pe_parse_header(
+@@ -1468,7 +1471,7 @@ void pe_parse_header(
section = IMAGE_FIRST_SECTION(pe->header);
@@ -4524,7 +4586,7 @@ index 1af5562..6976340 100644
for (i = 0; i < scount; i++)
{
-@@ -1483,20 +1485,23 @@ void pe_parse_header(
+@@ -1483,20 +1486,23 @@ void pe_parse_header(
pe->object, "sections[%i].name", i);
set_integer(
@@ -4553,7 +4615,7 @@ index 1af5562..6976340 100644
pe->object, "sections[%i].virtual_size", i);
section++;
-@@ -1614,7 +1619,7 @@ define_function(exports)
+@@ -1614,7 +1620,7 @@ define_function(exports)
// If the PE doesn't export any functions, return FALSE
@@ -4562,7 +4624,7 @@ index 1af5562..6976340 100644
return_integer(0);
offset = pe_rva_to_offset(pe, directory->VirtualAddress);
-@@ -1628,18 +1633,18 @@ define_function(exports)
+@@ -1628,18 +1634,18 @@ define_function(exports)
if (!struct_fits_in_pe(pe, exports, IMAGE_EXPORT_DIRECTORY))
return_integer(0);
@@ -4585,7 +4647,7 @@ index 1af5562..6976340 100644
{
char* name;
offset = pe_rva_to_offset(pe, names[i]);
-@@ -2536,7 +2541,7 @@ int module_load(
+@@ -2536,7 +2542,7 @@ int module_load(
// Ignore DLLs while scanning a process
if (!(context->flags & SCAN_FLAGS_PROCESS_MEMORY) ||
@@ -4594,6 +4656,18 @@ index 1af5562..6976340 100644
{
pe = (PE*) yr_malloc(sizeof(PE));
+diff --git a/libyara/modules/pe_utils.c b/libyara/modules/pe_utils.c
+index 81a7ae4..1c5b889 100644
+--- a/libyara/modules/pe_utils.c
++++ b/libyara/modules/pe_utils.c
+@@ -2,6 +2,7 @@
+
+ #include <stdio.h>
+
++#include <yara/endian.h>
+ #include <yara/mem.h>
+ #include <yara/integers.h>
+
diff --git a/libyara/parser.c b/libyara/parser.c
index 1123869..6548e52 100644
--- a/libyara/parser.c
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git