--------------------------------------------------------------------------------
/docs/index.rst:
--------------------------------------------------------------------------------
1 | .. yara documentation master file, created by
2 | sphinx-quickstart on Tue Jul 8 11:04:03 2014.
3 | You can adapt this file completely to your liking, but it should at least
4 | contain the root `toctree` directive.
5 |
6 | Welcome to YARA's documentation!
7 | ================================
8 |
9 | YARA is a tool aimed at (but not limited to) helping malware researchers to
10 | identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns. Each description, a.k.a. rule, consists of a set of strings and a
11 | boolean expression which determines its logic. Let's see an example:
12 |
13 | .. code-block:: yara
14 |
15 | rule silent_banker : banker
16 | {
17 | meta:
18 | description = "This is just an example"
19 | threat_level = 3
20 | in_the_wild = true
21 | strings:
22 | $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
23 | $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
24 | $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
25 | condition:
26 | $a or $b or $c
27 | }
28 |
29 | The above rule is telling YARA that any file containing one of the three strings
30 | must be reported as silent_banker. This is just a simple example, more complex
31 | and powerful rules can be created by using wild-cards, case-insensitive strings, regular expressions, special operators and many other features that you'll find explained in this documentation.
32 |
33 | Contents:
34 |
35 | .. toctree::
36 | :maxdepth: 3
37 |
38 | gettingstarted
39 | writingrules
40 | modules
41 | writingmodules
42 | commandline
43 | yarapython
44 | capi
45 |
46 |
47 |
48 |
--------------------------------------------------------------------------------
/CONTRIBUTORS:
--------------------------------------------------------------------------------
1 | # This is the official list of people who can contribute
2 | # (and typically have contributed) code to the YARA repository.
3 | # The AUTHORS file lists the copyright holders; this file
4 | # lists people. For example, Google employees are listed here
5 | # but not in AUTHORS, because Google holds the copyright.
6 | #
7 | # The submission process automatically checks to make sure
8 | # that people submitting code are listed in this file (by email address).
9 | #
10 | # Names should be added to this file only after verifying that
11 | # the individual or the individual's organization has agreed to
12 | # the appropriate Contributor License Agreement, found here:
13 | #
14 | # http://code.google.com/legal/individual-cla-v1.0.html
15 | # http://code.google.com/legal/corporate-cla-v1.0.html
16 | #
17 | # The agreement for individuals can be filled out on the web.
18 | #
19 | # When adding J Random Contributor's name to this file,
20 | # either J's name or J's organization's name should be
21 | # added to the AUTHORS file, depending on whether the
22 | # individual or corporate CLA was used.
23 |
24 | # Names should be added to this file like so:
25 | # Name
26 |
27 | # Please keep the list sorted.
28 |
29 | Anthony Desnos
30 | Antonio Vargas Gonzalez
31 | Christian Blichmann
32 | Hilko Bengen
33 | Joachim Metz
34 | Karel Hajek
35 | Karl Hiramoto
36 | Mike Wiacek
37 | Shane Huntley
38 | Stefan Buehlmann
39 | Victor M. Alvarez ;
40 | Wesley Shields
41 |
--------------------------------------------------------------------------------
/yarac.man:
--------------------------------------------------------------------------------
1 | .\"Text automatically generated by txt2man
2 | .TH YARAC "1" "Jan 2014" "YARAC 2.0" "compile rules to yara"
3 | .SH NAME
4 | \fByarac \fP- compile rules to yara
5 | .SH SYNOPSIS
6 | .nf
7 | .fam C
8 | \fByarac\fP [OPTION]\.\.\. [RULE_FILE]\.\.\. \fIOUTPUT_FILE\fP
9 | .fam T
10 | .fi
11 | .fam T
12 | .fi
13 | .SH DESCRIPTION
14 | To invoke YARA you will need two things: a file with the rules you want to
15 | use (either in source code or compiled form) and the target to be scanned.
16 | The target can be a file, a folder, or a process.
17 | .PP
18 | Rule files can be passed directly in source code form, or can be previously
19 | compiled with the \fByarac\fP tool. You may prefer to use your rules in compiled
20 | form if you are going to invoke YARA multiple times with the same rules.
21 | This way you’ll save time, because it is faster for YARA to load compiled rules
22 | than to compile the same rules over and over again.
23 | .PP
24 | The rules will be applied to the target specified as the last argument to YARA;
25 | if it’s a path to a directory, all the files contained in it will be scanned.
26 | .SH OPTIONS
27 | .TP
28 | .B
29 | \fB-d\fP =
30 | define external variable.
31 | .TP
32 | .B \-w " --no-warnings"
33 | Disable warnings.
34 | .TP
35 | .B " --fail-on-warnings"
36 | Treat warnings as errors. Has no effect if used with
37 | .B --no-warnings.
38 | .TP
39 | .B \-v " --version"
40 | Show version information.
41 | .SH EXAMPLE
42 | The \fB-d\fP is used to define external variables. For example:
43 | .PP
44 | \fB-d\fP flag=true
45 | .PP
46 | \fB-d\fP beast=666
47 | .PP
48 | \fB-d\fP name="James Bond"
49 | .SH SEE ALSO
50 | \fByara\fP(1)
51 | .SH AUTHOR
52 | \fByarac\fP was written by Victor M. Alvarez .
53 | This manual page was written by Joao Eriberto Mota Filho for the Debian project (but may be used by others).
54 |
--------------------------------------------------------------------------------
/libyara/include/yara/exefiles.h:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2007. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #ifndef YR_EXEFILES_H
31 | #define YR_EXEFILES_H
32 |
33 | uint64_t yr_get_entry_point_offset(const uint8_t* buffer, size_t buffer_length);
34 |
35 | uint64_t yr_get_entry_point_address(
36 | const uint8_t* buffer,
37 | size_t buffer_length,
38 | uint64_t base_address);
39 |
40 | #endif
41 |
--------------------------------------------------------------------------------
/libyara/modules/pb_tests/pb_tests.proto:
--------------------------------------------------------------------------------
1 |
2 | syntax = "proto2";
3 |
4 | package test;
5 | import "yara.proto";
6 |
7 | option (yara.module_options) = {
8 | name : "pb_tests"
9 | root_message: "RootMessage";
10 | };
11 |
12 |
13 | message Struct {
14 | option (yara.message_options).name = "struct";
15 | required string f_string = 1;
16 | enum Enum {
17 | option (yara.enum_options).name = "enum";
18 | FIRST = 0;
19 | SECOND = 1;
20 | }
21 | optional Enum f_enum = 2;
22 | message NestedStruct {
23 | optional int32 f_int32 = 1;
24 | optional string f_string = 2;
25 | }
26 | optional NestedStruct f_nested_struct = 3;
27 | repeated NestedStruct f_nested_struct_array = 4;
28 | }
29 |
30 | message MapStruct {
31 | optional int32 f_int32 = 1;
32 | optional int64 f_int64 = 2;
33 | }
34 |
35 | message RootMessage {
36 | optional int32 f_int32 = 1;
37 | optional int64 f_int64 = 2;
38 | //optional uint32 f_uint32 = 3; // not supported
39 | //optional uint64 f_uint64 = 4; // not supported
40 | optional sint32 f_sint32 = 5;
41 | optional sint64 f_sint64 = 6;
42 | //optional fixed32 f_fixed32 = 7; // not supported
43 | //optional fixed64 f_fixed64 = 8; // not supported
44 | optional sfixed32 f_sfixed32 = 9;
45 | optional sfixed64 f_sfixed64 = 10;
46 | optional bool f_bool = 11;
47 | optional string f_string = 12;
48 | optional bytes f_bytes = 13;
49 | repeated Struct f_struct_array = 14;
50 | map f_map_int32 = 15;
51 | map f_map_bool = 16;
52 | map f_map_string = 17;
53 | map f_map_float = 18;
54 | map f_map_struct = 19;
55 | oneof f_oneof {
56 | string f_oneof_string = 20;
57 | MapStruct f_oneof_struct = 21;
58 | }
59 | optional string f_ignored = 22 [(yara.field_options).ignore = true];
60 | optional string f_renamed = 23 [(yara.field_options).name = "f_yara_name"];
61 | }
62 |
--------------------------------------------------------------------------------
/tests/data/base64:
--------------------------------------------------------------------------------
1 | Plaintext Encoded Substring
2 | This program cannot VGhpcyBwcm9ncmFtIGNhbm5vdA== VGhpcyBwcm9ncmFtIGNhbm5vd
3 | AThis program cannot QVRoaXMgcHJvZ3JhbSBjYW5ub3Q= RoaXMgcHJvZ3JhbSBjYW5ub3
4 | AAThis program cannot QUFUaGlzIHByb2dyYW0gY2Fubm90 UaGlzIHByb2dyYW0gY2Fubm90
5 |
6 | These are the wide versions of the string. To make it easier I'm splitting
7 | them each onto their own line.
8 | T h i s p r o g r a m c a n n o t
9 | VABoAGkAcwAgAHAAcgBvAGcAcgBhAG0AIABjAGEAbgBuAG8AdAA=
10 | VABoAGkAcwAgAHAAcgBvAGcAcgBhAG0AIABjAGEAbgBuAG8AdA
11 |
12 | AT h i s p r o g r a m c a n n o t
13 | QVQAaABpAHMAIABwAHIAbwBnAHIAYQBtACAAYwBhAG4AbgBvAHQA
14 | QAaABpAHMAIABwAHIAbwBnAHIAYQBtACAAYwBhAG4AbgBvAHQA
15 |
16 | AAT h i s p r o g r a m c a n n o t
17 | QUFUAGgAaQBzACAAcAByAG8AZwByAGEAbQAgAGMAYQBuAG4AbwB0AA==
18 | UAGgAaQBzACAAcAByAG8AZwByAGEAbQAgAGMAYQBuAG4AbwB0A
19 |
20 | These are the ascii strings converted to base64wide
21 | V G h p c y B w c m 9 n c m F t I G N h b m 5 v d A = =
22 | Q V R o a X M g c H J v Z 3 J h b S B j Y W 5 u b 3 Q =
23 | Q U F U a G l z I H B y b 2 d y Y W 0 g Y 2 F u b m 9 0
24 |
25 | These are the wide strings converted to base64wide
26 | V A B o A G k A c w A g A H A A c g B v A G c A c g B h A G 0 A I A B j A G E A b g B u A G 8 A d A A =
27 | Q V Q A a A B p A H M A I A B w A H I A b w B n A H I A Y Q B t A C A A Y w B h A G 4 A b g B v A H Q A
28 | Q U F U A G g A a Q B z A C A A c A B y A G 8 A Z w B y A G E A b Q A g A G M A Y Q B u A G 4 A b w B 0 A A = =
29 |
30 | Encoded with a custom alphabet (still using = for padding):
31 | !@#$%^&*(){}[].,|ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstu
32 | E&QYLh@fLVsWLV^c(&]QKVoeM!==
33 | |EAXJG[PL*)eIm)QKB@SHFodKm|=
34 | |D^DJ&Ui(*@hKlMhHFjPHl^dKVsj
35 |
36 | Encoded single byte (a) base64, second encoding is skipped
37 | YQ==
38 | AGE=
39 | AABh
40 | Encoded single byte (a) base64, second encoding is skipped
41 | Y Q = =
42 | A G E =
43 | A A B h
44 |
--------------------------------------------------------------------------------
/libyara/include/yara.h:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2007-2013. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #ifndef YR_YARA_H
31 | #define YR_YARA_H
32 |
33 | #include "yara/compiler.h"
34 | #include "yara/error.h"
35 | #include "yara/filemap.h"
36 | #include "yara/hash.h"
37 | #include "yara/libyara.h"
38 | #include "yara/mem.h"
39 | #include "yara/modules.h"
40 | #include "yara/object.h"
41 | #include "yara/scanner.h"
42 | #include "yara/stream.h"
43 | #include "yara/strutils.h"
44 | #include "yara/utils.h"
45 |
46 | #endif
47 |
--------------------------------------------------------------------------------
/sandbox/collect_matches.h:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2019. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #ifndef SANDBOX_COLLECT_MATCHES_H_
31 | #define SANDBOX_COLLECT_MATCHES_H_
32 |
33 | struct YR_SCAN_CONTEXT;
34 |
35 | namespace yara {
36 |
37 | // Callback function for yr_scan_mem() that collects YARA matches in a
38 | // YaraMatches proto given in user_data.
39 | int CollectMatches(YR_SCAN_CONTEXT*, int message, void* message_data,
40 | void* user_data);
41 |
42 | } // namespace yara
43 |
44 | #endif // SANDBOX_COLLECT_MATCHES_H_
45 |
--------------------------------------------------------------------------------
/libyara/include/yara/base64.h:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2020. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #ifndef YR_BASE64_H
31 | #define YR_BASE64_H
32 |
33 | #include
34 | #include
35 | #include
36 |
37 | typedef struct BASE64_NODE BASE64_NODE;
38 |
// Singly linked list node: each node carries one SIZED_STRING plus a flag and
// points at the next node through `next`.
struct BASE64_NODE
{
  SIZED_STRING* str;    // string payload of this node (SIZED_STRING is a project type)
  int escaped;          // flag; presumably marks whether `str` has been escaped — TODO confirm against base64.c
  BASE64_NODE* next;    // following node in the list (presumably NULL at the tail — verify)
};
45 |
46 | int yr_base64_ast_from_string(
47 | SIZED_STRING* in_str,
48 | YR_MODIFIER modifier,
49 | RE_AST** re_ast,
50 | RE_ERROR* error);
51 | #endif
52 |
--------------------------------------------------------------------------------
/libyara/modules/pe/authenticode-parser/certificate.h:
--------------------------------------------------------------------------------
1 | /* Copyright (c) 2021 Avast Software
2 |
3 | Permission is hereby granted, free of charge, to any person obtaining a copy of
4 | this software and associated documentation files (the "Software"), to deal
5 | in the Software without restriction, including without limitation the rights to
6 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
7 | of the Software, and to permit persons to whom the Software is furnished to do
8 | so, subject to the following conditions:
9 |
10 | The above copyright notice and this permission notice shall be included in all
11 | copies or substantial portions of the Software.
12 |
13 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
14 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
15 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
16 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
17 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
18 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
19 | SOFTWARE.
20 | */
21 |
22 | #ifndef AUTHENTICODE_PARSER_CERTIFICATE_H
23 | #define AUTHENTICODE_PARSER_CERTIFICATE_H
24 |
25 | #include
26 |
27 | #include
28 |
29 | #ifdef __cplusplus
30 | extern "C" {
31 | #endif
32 |
33 | Certificate* certificate_new(X509* x509);
34 | Certificate* certificate_copy(Certificate* cert);
35 | void certificate_free(Certificate* cert);
36 |
37 | void parse_x509_certificates(const STACK_OF(X509) * certs, CertificateArray* result);
38 |
39 | CertificateArray* parse_signer_chain(X509* signer_cert, STACK_OF(X509) * certs);
40 | int certificate_array_move(CertificateArray* dst, CertificateArray* src);
41 | int certificate_array_append(CertificateArray* dst, CertificateArray* src);
42 | CertificateArray* certificate_array_new(int certCount);
43 | void certificate_array_free(CertificateArray* arr);
44 |
45 | #ifdef __cplusplus
46 | }
47 | #endif
48 |
49 | #endif
50 |
--------------------------------------------------------------------------------
/cli/common.h:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2017-2021. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 |
31 | #ifndef COMMON_H
32 | #define COMMON_H
33 |
34 | #include
35 |
36 | #include "unicode.h"
37 |
38 |
39 | #ifdef _UNICODE
40 | char* unicode_to_ansi(const char_t* str);
41 | #endif
42 |
43 | bool compile_files(
44 | YR_COMPILER* compiler,
45 | int argc,
46 | const char_t** argv);
47 |
48 | int define_external_variables(
49 | char** ext_vars,
50 | YR_RULES* rules,
51 | YR_COMPILER* compiler);
52 |
53 | bool is_integer(const char *str);
54 |
55 | bool is_float(const char *str);
56 |
57 | #endif
58 |
--------------------------------------------------------------------------------
/libyara/stream.c:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2015. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #include
31 | #include
32 |
33 |
// Reads up to `count` items of `size` bytes each into `ptr` by delegating to
// the stream's read callback, passing along the stream's user_data.
//
// Returns the value the callback returns (its item count), or 0 when the
// stream has no read callback installed. A caller therefore cannot tell a
// missing callback apart from a callback that read nothing; check the result
// against `count` before trusting the buffer contents.
size_t yr_stream_read(void* ptr, size_t size, size_t count, YR_STREAM* stream)
{
  size_t items_read = 0;

  if (stream->read != NULL)
    items_read = stream->read(ptr, size, count, stream->user_data);

  return items_read;
}
41 |
42 |
// Writes `count` items of `size` bytes each from `ptr` by delegating to the
// stream's write callback, passing along the stream's user_data.
//
// Returns the value the callback returns (its item count), or 0 when the
// stream has no write callback installed. As with yr_stream_read, 0 is
// ambiguous between "no callback" and "nothing written"; callers that must
// persist data should compare the result with `count`.
size_t yr_stream_write(
    const void* ptr,
    size_t size,
    size_t count,
    YR_STREAM* stream)
{
  size_t items_written = 0;

  if (stream->write != NULL)
    items_written = stream->write(ptr, size, count, stream->user_data);

  return items_written;
}
54 |
--------------------------------------------------------------------------------
/tests/test-version.c:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2016. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #include
31 | #include
32 |
33 | #include "util.h"
34 |
// Test entry point: exits non-zero when the version string baked into the
// build (PACKAGE_VERSION, from configure.ac) differs from the one declared in
// libyara/include/yara/libyara.h (YR_VERSION), so a mismatch fails the test
// suite. argv[0] is only used for the debug trace.
int main(int argc, char **argv)
{
  (void) argc;

  YR_DEBUG_INITIALIZE();
  YR_DEBUG_FPRINTF(1, stderr, "+ %s() { // in %s\n", __FUNCTION__, argv[0]);

  // strcmp yields 0 only when both version strings are identical; that value
  // doubles as the process exit status.
  const int mismatch = strcmp(PACKAGE_VERSION, YR_VERSION);

  YR_DEBUG_FPRINTF(
      1, stderr, "} = %d // %s() in %s\n", mismatch, __FUNCTION__, argv[0]);

  return mismatch;
}
50 |
--------------------------------------------------------------------------------
/libyara/include/tlshc/tlsh.h:
--------------------------------------------------------------------------------
1 | #ifndef __TLSH_TLSH_H__
2 | #define __TLSH_TLSH_H__
3 |
4 | #include
5 |
6 | #define TLSH_OPTION_CONSERVATIVE 2
7 | #define TLSH_OPTION_KEEP_BUCKET 4
8 | #define TLSH_OPTION_PRIVATE 8
9 | #define TLSH_OPTION_THREADED 16
10 |
11 | // Define TLSH_STRING_LEN_REQ, which is the string length of "T1" + the hex
12 | // value of the Tlsh hash. BUCKETS_256 & CHECKSUM_3B are compiler switches
13 | // defined in CMakeLists.txt
14 | #if defined BUCKETS_256
15 | #define TLSH_STRING_LEN_REQ 136
16 | // changed the minimum data length to 256 for version 3.3
17 | #define MIN_DATA_LENGTH 50
18 | // added the -force option for version 3.5
19 | // added the -conservatibe option for version 3.17
20 | #define MIN_CONSERVATIVE_DATA_LENGTH 256
21 | #endif
22 |
23 | #if defined BUCKETS_128
24 | #define TLSH_STRING_LEN_REQ 72
25 | // changed the minimum data length to 256 for version 3.3
26 | #define MIN_DATA_LENGTH 50
27 | // added the -force option for version 3.5
28 | // added the -conservatibe option for version 3.17
29 | #define MIN_CONSERVATIVE_DATA_LENGTH 256
30 | #endif
31 |
#if defined BUCKETS_48
// No 3 Byte checksum option for 48 Bucket min hash
// NOTE(review): this branch defines TLSH_STRING_LEN, whereas the BUCKETS_256
// and BUCKETS_128 branches define TLSH_STRING_LEN_REQ, which is the name
// TLSH_STRING_BUFFER_LEN below expands to. With BUCKETS_48 selected that
// buffer-length macro therefore does not resolve; confirm which name is
// intended before sizing any hash-string buffer from it.
#define TLSH_STRING_LEN 30
// changed the minimum data length to 256 for version 3.3
#define MIN_DATA_LENGTH 10
// added the -force option for version 3.5
#define MIN_CONSERVATIVE_DATA_LENGTH 10
#endif
40 |
41 | #define TLSH_STRING_BUFFER_LEN (TLSH_STRING_LEN_REQ + 1)
42 |
43 | #ifdef __cplusplus
44 | extern "C" {
45 | #endif
46 |
// Opaque implementation state; its layout is private to the TLSH sources.
typedef struct TlshImpl TlshImpl;

// Public TLSH hashing context. It holds only the pointer to the private state,
// so callers must go through the functions below rather than touching fields.
typedef struct {
  TlshImpl* impl;
} Tlsh;

// NOTE(review): in C an empty parameter list `()` declares a function with
// unspecified parameters, not a zero-argument one; `tlsh_new(void)` is the
// prototype form and would let the compiler reject stray arguments. The other
// declarations here are already full prototypes.
Tlsh* tlsh_new();
void tlsh_free(Tlsh* tlsh);
void tlsh_reset(Tlsh* tlsh);
int tlsh_update(Tlsh* tlsh, const unsigned char* data, unsigned int len);
int tlsh_final(Tlsh* tlsh, const unsigned char* data, unsigned int len, int tlsh_option);
const char* tlsh_get_hash(Tlsh* tlsh, bool showvers);
59 |
60 | #ifdef __cplusplus
61 | }
62 | #endif
63 |
64 | #endif // __TLSH_TLSH_H__
--------------------------------------------------------------------------------
/libyara/modules/pe/authenticode-parser/countersignature.h:
--------------------------------------------------------------------------------
1 | /* Copyright (c) 2021 Avast Software
2 |
3 | Permission is hereby granted, free of charge, to any person obtaining a copy of
4 | this software and associated documentation files (the "Software"), to deal
5 | in the Software without restriction, including without limitation the rights to
6 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
7 | of the Software, and to permit persons to whom the Software is furnished to do
8 | so, subject to the following conditions:
9 |
10 | The above copyright notice and this permission notice shall be included in all
11 | copies or substantial portions of the Software.
12 |
13 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
14 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
15 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
16 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
17 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
18 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
19 | SOFTWARE.
20 | */
21 |
22 | #ifndef AUTHENTICODE_PARSER_COUNTERSIGNATURE_H
23 | #define AUTHENTICODE_PARSER_COUNTERSIGNATURE_H
24 |
25 | #include "certificate.h"
26 | #include "helper.h"
27 | #include
28 | #include
29 | #include
30 |
31 | #include
32 | #include
33 |
34 | #ifdef __cplusplus
35 | extern "C" {
36 | #endif
37 |
/* Builds a Countersignature from a PKCS#9 countersignature blob. `data`/`size`
   delimit the DER bytes, `certs` is the certificate set the countersigner may
   chain through, and `enc_digest` is the encrypted digest of the outer signer
   that the countersignature must cover.
   NOTE(review): parameter roles are inferred from the names — confirm against
   the definition in countersignature.c. `size` is a signed long, so the
   implementation must reject negative values before using it as a length. */
Countersignature* pkcs9_countersig_new(
    const uint8_t* data, long size, STACK_OF(X509) * certs, ASN1_STRING* enc_digest);
/* Same contract for a Microsoft-style countersignature; no external
   certificate stack is taken (NOTE(review): inferred from the signature). */
Countersignature* ms_countersig_new(const uint8_t* data, long size, ASN1_STRING* enc_digest);

/* Appends sig to arr; the int result is presumably an error code — confirm
   in countersignature.c, together with who owns sig on failure. */
int countersignature_array_insert(CountersignatureArray* arr, Countersignature* sig);
/* Moves all countersignatures of src and inserts them into dst */
int countersignature_array_move(CountersignatureArray* dst, CountersignatureArray* src);

/* Releases one countersignature / a whole array and everything it owns. */
void countersignature_free(Countersignature* sig);
void countersignature_array_free(CountersignatureArray* arr);
48 |
49 | #ifdef __cplusplus
50 | }
51 | #endif
52 |
53 | #endif
54 |
--------------------------------------------------------------------------------
/docs/modules/console.rst:
--------------------------------------------------------------------------------
1 |
2 | .. _console-module:
3 |
4 | ##############
5 | Console module
6 | ##############
7 |
8 | .. versionadded:: 4.2.0
9 |
10 | The Console module allows you to log information during condition execution. By
11 | default, the log messages are sent to stdout but can be handled differently by
12 | using the C api (:ref:`scanning-data`).
13 |
14 | Every function in the console module returns true for the purposes of condition
15 | evaluation. This means you must logically AND your statements together to get
16 | the proper output. For example:
17 |
18 | .. code-block:: yara
19 |
20 | import "console"
21 |
22 | rule example
23 | {
24 | condition:
25 | console.log("Hello") and console.log("World!")
26 | }
27 |
28 | .. c:function:: log(string)
29 |
30 | Function which sends the string to the main callback.
31 |
32 | *Example: console.log(pe.imphash())*
33 |
34 | .. c:function:: log(message, string)
35 |
36 | Function which sends the message and string to the main callback.
37 |
38 | *Example: console.log("The imphash is: ", pe.imphash())*
39 |
40 | .. c:function:: log(integer)
41 |
42 | Function which sends the integer to the main callback.
43 |
44 | *Example: console.log(uint32(0))*
45 |
46 | .. c:function:: log(message, integer)
47 |
48 | Function which sends the message and integer to the main callback.
49 |
50 | *Example: console.log("32bits at 0: ", uint32(0))*
51 |
52 | .. c:function:: log(float)
53 |
54 | Function which sends the floating point value to the main callback.
55 |
56 | *Example: console.log(math.entropy(0, filesize))*
57 |
58 | .. c:function:: log(message, float)
59 |
60 | Function which sends the message and the floating point value to the main
61 | callback.
62 |
63 | *Example: console.log("Entropy: ", math.entropy(0, filesize))*
64 |
65 | .. c:function:: hex(integer)
66 |
67 | Function which sends the integer to the main callback, formatted as a hex
68 | string.
69 |
70 | *Example: console.hex(uint32(0))*
71 |
72 | .. c:function:: hex(message, integer)
73 |
74 | Function which sends the message and the integer to the main callback, the
75 | integer formatted as a hex string.
76 |
77 | *Example: console.hex("Hex at 0: ", uint32(0))*
78 |
--------------------------------------------------------------------------------
/libyara/include/yara/scan.h:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2014. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #ifndef YR_SCAN_H
31 | #define YR_SCAN_H
32 |
33 | #include
34 |
35 | //
36 | // Flags used with yr_scanner_set_flags and yr_rules_scan_xxx functions.
37 | //
// Each flag is a distinct bit, so callers combine them with `|`.
#define SCAN_FLAGS_FAST_MODE 1
#define SCAN_FLAGS_PROCESS_MEMORY 2
#define SCAN_FLAGS_NO_TRYCATCH 4
#define SCAN_FLAGS_REPORT_RULES_MATCHING 8
#define SCAN_FLAGS_REPORT_RULES_NOT_MATCHING 16

// Confirms that an Aho-Corasick candidate (`ac_match`) found at `offset`
// inside `data` (`data_size` bytes, whose first byte corresponds to address
// `data_base` in the scanned object) is a genuine match for its string.
// Returns a YARA error code.
// NOTE(review): behaviour inferred from the name and parameter list —
// confirm against the definition in scan.c.
int yr_scan_verify_match(
    YR_SCAN_CONTEXT* context,
    YR_AC_MATCH* ac_match,
    const uint8_t* data,
    size_t data_size,
    uint64_t data_base,
    size_t offset);
51 |
52 | #endif
53 |
--------------------------------------------------------------------------------
/docs/modules/magic.rst:
--------------------------------------------------------------------------------
1 |
2 | .. _magic-module:
3 |
4 | ############
5 | Magic module
6 | ############
7 |
8 | .. versionadded:: 3.1.0
9 |
10 | The Magic module allows you to identify the type of the file based on the
11 | output of `file `_, the standard
12 | Unix command.
13 |
14 | .. important::
15 | This module is not built into YARA by default; to learn how to include it,
16 | refer to :ref:`compiling-yara`. Bad news for Windows users: **this module is
17 | not supported on Windows**.
18 |
19 | There are two functions in this module: :c:func:`type` and :c:func:`mime_type`.
20 | The first one returns the descriptive string returned by *file*, for example,
21 | if you run *file* against some PDF document you'll get something like this::
22 |
23 | $file some.pdf
24 | some.pdf: PDF document, version 1.5
25 |
26 | The :c:func:`type` function would return *"PDF document, version 1.5"* in this
27 | case. Using the :c:func:`mime_type` function is similar to passing the
28 | ``--mime`` argument to *file*::
29 |
30 | $file --mime some.pdf
31 | some.pdf: application/pdf; charset=binary
32 |
33 |
34 | :c:func:`mime_type` would return *"application/pdf"*, without the charset part.
35 |
36 | By experimenting a little with the *file* command you can learn which output to
37 | expect for different file types. These are a few examples:
38 |
39 | * JPEG image data, JFIF standard 1.01
40 | * PE32 executable for MS Windows (GUI) Intel 80386 32-bit
41 | * PNG image data, 1240 x 1753, 8-bit/color RGBA, non-interlaced
42 | * ASCII text, with no line terminators
43 | * Zip archive data, at least v2.0 to extract
44 |
45 | libmagic will try to read its compiled file type database from /etc/magic.mgc
46 | by default. If this file doesn't exist, you can set the environment variable
47 | MAGIC to point to a magic.mgc file and libmagic will attempt to load from there
48 | as an alternative.
49 |
50 | .. c:function:: type()
51 |
52 | Function returning a string with the type of the file.
53 |
54 | *Example: magic.type() contains "PDF"*
55 |
56 |
57 | .. c:function:: mime_type()
58 |
59 | Function returning a string with the MIME type of the file.
60 |
61 | *Example: magic.mime_type() == "application/pdf"*
62 |
--------------------------------------------------------------------------------
/libyara/modules/demo/demo.c:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2014. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #include
31 |
32 | #define MODULE_NAME demo
33 |
begin_declarations
  // The module exposes a single string field, "greeting", which
  // module_load fills in below.
  declare_string("greeting");
end_declarations
37 |
38 |
// Called once when libyara initializes the module; the demo needs no
// global state, so there is nothing to set up.
int module_initialize(YR_MODULE* module)
{
  (void) module;  // unused
  return ERROR_SUCCESS;
}
43 |
44 |
// Counterpart of module_initialize; nothing was allocated, so nothing to
// release.
int module_finalize(YR_MODULE* module)
{
  (void) module;  // unused
  return ERROR_SUCCESS;
}
49 |
50 |
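// Called for every scan that imports the module: populates the "greeting"
// field declared in begin_declarations. Returns a YARA error code.
int module_load(
    YR_SCAN_CONTEXT* context,
    YR_OBJECT* module_object,
    void* module_data,
    size_t module_data_size)
{
  // The demo takes no external module data.
  (void) context;
  (void) module_data;
  (void) module_data_size;

  // Propagate the result instead of dropping it: if the string cannot be
  // stored (e.g. allocation failure) the scanner should see the error
  // rather than a silently undefined "greeting".
  // NOTE(review): assumes yr_set_string yields a YARA error code, as
  // yr_object_set_string does — confirm against modules.h.
  return yr_set_string("Hello World!", module_object, "greeting");
}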
61 |
62 |
// Called when the scan that loaded the module finishes; the "greeting"
// string is owned by the module object, so there is nothing extra to free.
int module_unload(YR_OBJECT* module_object)
{
  (void) module_object;  // unused
  return ERROR_SUCCESS;
}
67 |
--------------------------------------------------------------------------------
/libyara/include/yara/mem.h:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2007. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #ifndef YR_MEM_H
31 | #define YR_MEM_H
32 |
33 | #include
34 | #include
35 |
#ifdef DMALLOC

// Debug-allocator build: the yr_* names resolve directly to the C library
// functions so the debug allocator can interpose on them.
#define yr_malloc malloc
#define yr_calloc calloc
#define yr_realloc realloc
#define yr_free free
#define yr_strdup strdup
#define yr_strndup strndup

#include

#else

// Regular build: libyara's own allocation wrappers. Signatures mirror the
// C library functions of the same base name.
// NOTE(review): whether they add accounting or abort-on-failure behaviour
// is defined in mem.c — confirm there before relying on either.
void* yr_calloc(size_t count, size_t size);

void* yr_malloc(size_t size);

void* yr_realloc(void* ptr, size_t size);

char* yr_strdup(const char* str);

char* yr_strndup(const char* str, size_t n);

// Only yr_free carries YR_API: it is the one allocator entry point exposed
// to library users, so memory handed out by libyara is released with the
// matching allocator.
YR_API void yr_free(void* ptr);

#endif

// Library-wide allocator setup and teardown; both return a YARA error code.
// NOTE(review): purpose inferred from the names — confirm in mem.c.
int yr_heap_alloc(void);

int yr_heap_free(void);
66 |
67 | #endif
68 |
--------------------------------------------------------------------------------
/libyara/include/yara/stream.h:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2015. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #ifndef YR_STREAM_H
31 | #define YR_STREAM_H
32 |
33 | #include
34 |
// Read callback modelled on fread: transfer `count` items of `size` bytes
// each into `ptr`; `user_data` stands in for the FILE*. The size_t result
// presumably counts items transferred, as with fread — confirm in stream.c.
typedef size_t (*YR_STREAM_READ_FUNC)(
    void* ptr,
    size_t size,
    size_t count,
    void* user_data);

// Write callback, the fwrite-shaped counterpart of YR_STREAM_READ_FUNC.
typedef size_t (*YR_STREAM_WRITE_FUNC)(
    const void* ptr,
    size_t size,
    size_t count,
    void* user_data);

// A stream is just the pair of callbacks plus the opaque pointer handed to
// them. NOTE(review): whether a callback may be left NULL for one-directional
// use is decided by the yr_stream_* helpers — check before relying on it.
typedef struct _YR_STREAM
{
  void* user_data;

  YR_STREAM_READ_FUNC read;
  YR_STREAM_WRITE_FUNC write;

} YR_STREAM;

// Convenience wrappers that take the stream instead of the raw user_data;
// presumably they dispatch to stream->read / stream->write.
size_t yr_stream_read(void* ptr, size_t size, size_t count, YR_STREAM* stream);

size_t yr_stream_write(
    const void* ptr,
    size_t size,
    size_t count,
    YR_STREAM* stream);
63 |
64 | #endif
65 |
--------------------------------------------------------------------------------
/libyara/endian.c:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2017. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #include
31 |
// Swaps the two bytes of a 16-bit value (big <-> little endian).
uint16_t _yr_bswap16(uint16_t x)
{
  uint16_t low = (uint16_t) (x & 0xffu);
  uint16_t high = (uint16_t) (x >> 8);
  // The arithmetic happens in int after promotion; the cast narrows the
  // result back to 16 bits exactly as the return type would.
  return (uint16_t) ((low << 8) | high);
}
36 |
// Reverses the byte order of a 32-bit value.
uint32_t _yr_bswap32(uint32_t x)
{
  // Pull out each byte, then reassemble in the opposite order. All
  // operands are uint32_t, so no promotion to a signed type occurs.
  uint32_t b0 = x & 0xffu;
  uint32_t b1 = (x >> 8) & 0xffu;
  uint32_t b2 = (x >> 16) & 0xffu;
  uint32_t b3 = x >> 24;
  return (b0 << 24) | (b1 << 16) | (b2 << 8) | b3;
}
43 |
// Reverses the byte order of a 64-bit value.
uint64_t _yr_bswap64(uint64_t x)
{
  uint64_t out = 0;
  // Peel the lowest byte off x and push it onto the low end of out;
  // after eight rounds the byte order is fully reversed.
  for (int i = 0; i < 8; i++)
  {
    out = (out << 8) | (x & 0xffull);
    x >>= 8;
  }
  return out;
}
56 |
--------------------------------------------------------------------------------
/tests/oss-fuzz/rules_fuzzer_corpus/2:
--------------------------------------------------------------------------------
1 | rule r1 { condition: true or false }
2 |
3 | rule r2 { condition: 0x1 and 0x2}
4 |
5 | rule r3 { condition: 2 > 1 }
6 |
7 | rule r4 { condition: 1.5 >= 1.0}
8 |
9 | rule r5 { condition: 0.5 <= 1}
10 |
11 | rule r6 { condition: "abc" == "abc"}
12 |
13 | rule r7 { condition: "ab" < "abc"}
14 |
15 | rule r8 { condition: (1 + 1) * 2 == (9 - 1) \ 2 }
16 |
17 | rule r9 { condition: 1.5 + 1.5 == 3}
18 |
19 | rule r10 { condition: -2.0-3.0 == -5}
20 |
21 | rule r11 { condition: ~0xAA ^ 0x5A & 0xFF == (~0xAA) ^ (0x5A & 0xFF) }
22 |
23 | rule r12 { strings: $a = "abc" wide nocase fullword condition: $a }
24 |
25 | rule r13 {
26 | strings:
27 | $a = "abcdef"
28 | $b = "cdef"
29 | $c = "ef"
30 | condition:
31 | all of them
32 | }
33 |
34 | rule r14 {
35 | strings:
36 | $a = "abcdef"
37 | $b = "cdef"
38 | $c = "ef"
39 | condition:
40 | for all of ($*) : ($)
41 | }
42 |
43 | rule r15 {
44 | strings:
45 | $a = { 64 01 00 00 60 01 }
46 | condition:
47 | $a
48 | }
49 |
50 | rule r16 {
51 | strings:
52 | $a = { 64 01 [1-3] (60|61) 01 }
53 | condition:
54 | $a
55 | }
56 |
57 | rule r17 {
58 | strings:
59 | $a = { 4D 5A [-] 6A 2A [-] 58 C3 }
60 | condition:
61 | $a
62 | }
63 |
64 | rule r18 {
65 | strings:
66 | $a = { 4D 5A [300-] 6A 2A [-] 58 C3}
67 | condition:
68 | $a
69 | }
70 |
71 | rule r19 {
72 | strings:
73 | $a = { 2e 7? (65 | ?? ) 78 }
74 | condition:
75 | $a
76 | }
77 |
78 | rule r21 {
79 | strings:
80 | $a = /a.*efg/
81 | condition:
82 | $a
83 | }
84 |
85 | rule r22 {
86 | strings:
87 | $a = /abc[^D]/ nocase
88 | condition:
89 | $a
90 | }
91 |
92 | rule r23 {
93 | strings:
94 | $a = /a[-]?c/
95 | condition:
96 | $a
97 | }
98 |
99 | rule r24 {
100 | strings:
101 | $a = /[0-9a-f]+/
102 | condition:
103 | $a
104 | }
105 |
106 | rule r25 {
107 | strings:
108 | $a = /[\\da-fA-F]+/
109 | condition:
110 | $a
111 | }
112 |
113 | rule r26 {
114 | strings:
115 | $a = /(bc+d$|ef*g.|h?i(j|k))/
116 | condition:
117 | $a
118 | }
119 |
120 | rule r27 {
121 | condition:
122 | "xxFoOxx" matches /fOo/i
123 | }
124 |
125 | rule r28 {
126 | condition:
127 | uint32be(0) == 0xAABBCCDD
128 | }
129 |
--------------------------------------------------------------------------------
/libyara/proc/none.c:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2007-2017. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #if defined(USE_NO_PROC)
31 |
32 | #include
33 | #include
34 |
// Process scanning is compiled out (USE_NO_PROC): attaching never succeeds.
int _yr_process_attach(int pid, YR_PROC_ITERATOR_CTX* context)
{
  (void) pid;
  (void) context;
  return ERROR_COULD_NOT_ATTACH_TO_PROCESS;
}
39 |
// Nothing can have been attached in this build, so a detach request is
// treated as an invalid argument.
int _yr_process_detach(YR_PROC_ITERATOR_CTX* context)
{
  (void) context;
  return ERROR_INVALID_ARGUMENT;
}
44 |
// No process memory exists in this build; there is never any data to fetch.
YR_API const uint8_t* yr_process_fetch_memory_block_data(YR_MEMORY_BLOCK* block)
{
  (void) block;
  return NULL;
}
49 |
// Always reports end-of-iteration: last_error is cleared so the NULL result
// reads as "no more blocks" rather than as a failure.
YR_API YR_MEMORY_BLOCK* yr_process_get_next_memory_block(
    YR_MEMORY_BLOCK_ITERATOR* iterator)
{
  YR_MEMORY_BLOCK* none = NULL;
  iterator->last_error = ERROR_SUCCESS;
  return none;
}
56 |
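// Always reports an empty iteration. Mirrors yr_process_get_next_memory_block
// above by clearing last_error, so a caller that inspects last_error after a
// NULL result does not read a stale value and misreport the empty scan as a
// failure.
YR_API YR_MEMORY_BLOCK* yr_process_get_first_memory_block(
    YR_MEMORY_BLOCK_ITERATOR* iterator)
{
  iterator->last_error = ERROR_SUCCESS;
  return NULL;
}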
62 |
63 | #endif
64 |
--------------------------------------------------------------------------------
/libyara/include/yara/proc.h:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2007. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #ifndef YR_PROC_H
31 | #define YR_PROC_H
32 |
33 | #include
34 |
// Per-iteration state shared by the platform-specific process readers
// (libyara/proc/*.c).
// NOTE(review): field roles below are inferred from the names — confirm
// against the platform implementations.
typedef struct _YR_PROC_ITERATOR_CTX
{
  const uint8_t* buffer;          // data of the most recently fetched block
  size_t buffer_size;             // number of bytes valid at buffer
  YR_MEMORY_BLOCK current_block;  // descriptor handed back to the scanner
  void* proc_info;                // platform-specific handle / state
} YR_PROC_ITERATOR_CTX;

// Prepares `iterator` to walk the memory of process `pid`; returns a YARA
// error code (e.g. when the process cannot be attached).
YR_API int yr_process_open_iterator(
    int pid,
    YR_MEMORY_BLOCK_ITERATOR* iterator);

// Releases whatever yr_process_open_iterator acquired.
YR_API int yr_process_close_iterator(YR_MEMORY_BLOCK_ITERATOR* iterator);

// Block walk: both return NULL when there is no (further) block. Presumably
// iterator->last_error distinguishes "done" from "failed" after a NULL
// result — confirm in the proc/*.c implementations and in scanner.c.
YR_API YR_MEMORY_BLOCK* yr_process_get_first_memory_block(
    YR_MEMORY_BLOCK_ITERATOR* iterator);

YR_API YR_MEMORY_BLOCK* yr_process_get_next_memory_block(
    YR_MEMORY_BLOCK_ITERATOR* iterator);

// Materialises the bytes of `block`; NULL when the data cannot be read.
YR_API const uint8_t* yr_process_fetch_memory_block_data(
    YR_MEMORY_BLOCK* block);
57 |
58 | #endif
59 |
--------------------------------------------------------------------------------
/sandbox/yara_matches.proto:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2019. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | syntax = "proto3";
31 |
32 | package yara;
33 |
// Identifies a single rule inside a namespace
message YaraRuleId {
  string rule_namespace = 1; // Currently unused by yara_entrypoints.cc
  string rule_name = 2;      // Rule identifier
}
39 |
// Holds N mappings for the matches.
message YaraMatches {
  // Holds one mapping from (namespace, name) --> N key-value entries.
  message Match {
    // One metadata entry of the matched rule: its identifier plus exactly
    // one of a bytes or an integer value.
    message Meta {
      string identifier = 1;
      oneof value {
        bytes bytes_value = 2;
        int64 int_value = 3;
      }
    }

    YaraRuleId id = 1;
    repeated Meta meta = 2;
  }

  repeated Match match = 1;
}
58 |
// Outcome of a sandboxed request: a numeric code plus a human-readable
// message. NOTE(review): line_number is presumably only meaningful for
// errors that originate in rule source — confirm in yara_entrypoints.cc.
message YaraStatus {
  int64 code = 1;
  int64 line_number = 2;
  string message = 3;
}
64 |
--------------------------------------------------------------------------------
/libyara/modules/time/time.c:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2014-2017. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #include
31 | #include
32 |
33 | #define MODULE_NAME time
34 |
35 |
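// time.now(): current wall-clock time in seconds since the epoch, or
// undefined if the clock cannot be read.
define_function(now)
{
  // Named differently from the function itself so it does not shadow the
  // identifier introduced by define_function(now).
  time_t current = time(NULL);

  // time() reports failure as (time_t) -1.
  if (current == (time_t) -1)
    return_integer(YR_UNDEFINED);

  // Widen explicitly to 64 bits: going through `long` truncates on LLP64
  // targets (Windows) where long is 32 bits and time_t is 64.
  return_integer((int64_t) current);
}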
43 |
44 |
begin_declarations
  // Exposes now() as "now": no arguments ("") and an integer result ("i").
  declare_function("now", "", "i", now);
end_declarations;
48 |
49 |
// One-time module setup; the time module keeps no global state.
int module_initialize(YR_MODULE* module)
{
  (void) module;  // unused
  return ERROR_SUCCESS;
}
54 |
55 |
// One-time module teardown; nothing was set up, so nothing to undo.
int module_finalize(YR_MODULE* module)
{
  (void) module;  // unused
  return ERROR_SUCCESS;
}
60 |
61 |
// Per-scan hook; the time module has no fields to populate and ignores any
// module data passed by the caller.
int module_load(
    YR_SCAN_CONTEXT* context,
    YR_OBJECT* module_object,
    void* module_data,
    size_t module_data_size)
{
  (void) context;
  (void) module_object;
  (void) module_data;
  (void) module_data_size;
  return ERROR_SUCCESS;
}
70 |
71 |
// Per-scan cleanup; nothing was allocated in module_load.
int module_unload(YR_OBJECT* module_object)
{
  (void) module_object;  // unused
  return ERROR_SUCCESS;
}
76 |
--------------------------------------------------------------------------------
/libyara/include/yara/stack.h:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2018. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #ifndef YR_STACK_H
31 | #define YR_STACK_H
32 |
33 | typedef struct YR_STACK YR_STACK;
34 |
// Growable LIFO stack of fixed-size items. Instances are obtained from
// yr_stack_create() and released with yr_stack_destroy(); items go in and
// out through the void* parameters of yr_stack_push()/yr_stack_pop().
struct YR_STACK
{
  // Pointer to a heap-allocated array containing the values put in the
  // stack. This array starts with a fixed size and is grown as required
  // when new items are pushed into the stack.
  void* items;

  // Current capacity (i.e: the number of items that fit into the array).
  int capacity;

  // Size of each individual item in the stack (presumably in bytes).
  int item_size;

  // Index of the stack's top in the items array.
  int top;
};
51 |
// Allocates a new stack able to hold initial_capacity items of item_size
// each and stores it in *stack. Returns an int status code (the values are
// not defined in this header; presumably ERROR_SUCCESS on success as in the
// rest of libyara).
int yr_stack_create(int initial_capacity, int item_size, YR_STACK** stack);

// Releases a stack created by yr_stack_create (presumably including the
// heap-allocated items array).
void yr_stack_destroy(YR_STACK* stack);

// Pushes the item pointed to by `item` onto the stack, growing the items
// array if it is full. Returns an int status code.
int yr_stack_push(YR_STACK* stack, void* item);

// Pops the top item into the memory pointed to by `item`. Returns an int
// status code; the behaviour on an empty stack is defined by the
// implementation, not by this header.
int yr_stack_pop(YR_STACK* stack, void* item);
59 |
60 | #endif
61 |
--------------------------------------------------------------------------------
/cli/unicode.h:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2021. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #ifndef YR_UNICODE_H
31 | #define YR_UNICODE_H
32 |
#ifdef _MSC_VER
// MSVC build: the CLI is written against the generic-text (TCHAR / _t*)
// names so it can be compiled for narrow or wide characters.
// NOTE(review): the header name on the next line was lost when this listing
// was extracted; given the TCHAR use below it is likely the tchar header.
#include
#define char_t TCHAR
// printf-family conversions for char_t strings and characters in this build
// ("h" selects the narrow form in MSVC's printf).
#define PF_S "hs"
#define PF_C "hc"

#else
// Every other compiler: char_t is plain char, _T() is a no-op, and each
// _t* name aliases the corresponding standard narrow-string function.
#define char_t char
#define _T(x) x
#define PF_S "s"
#define PF_C "c"

#ifdef __CYGWIN__
#define _tcstok_s strtok_r
#else
// NOTE(review): strtok_s is the C11 Annex K name and is not provided by
// glibc; confirm that _tcstok_s is only reached on platforms that have it.
#define _tcstok_s strtok_s
#endif

#define _tcscmp strcmp
#define _tcsdup strdup
#define _tcschr strchr
#define _tcslen strlen
#define _tcsstr strstr
#define _tcstol strtol
#define _tcstoll strtoll
#define _tstoi atoi
#define _tstof atof
#define _tisdigit isdigit
#define _tfopen fopen
#define _ftprintf fprintf
// _stprintf resolves to the unbounded sprintf; formatting into a fixed-size
// buffer should go through _sntprintf, which carries the buffer size.
#define _stprintf sprintf
#define _tprintf printf
#define _tmain main
#define _sntprintf snprintf
#endif
68 |
69 | #endif
70 |
--------------------------------------------------------------------------------
/libyara/modules/pe/authenticode-parser/helper.h:
--------------------------------------------------------------------------------
1 | /* Copyright (c) 2021 Avast Software
2 |
3 | Permission is hereby granted, free of charge, to any person obtaining a copy of
4 | this software and associated documentation files (the "Software"), to deal
5 | in the Software without restriction, including without limitation the rights to
6 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
7 | of the Software, and to permit persons to whom the Software is furnished to do
8 | so, subject to the following conditions:
9 |
10 | The above copyright notice and this permission notice shall be included in all
11 | copies or substantial portions of the Software.
12 |
13 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
14 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
15 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
16 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
17 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
18 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
19 | SOFTWARE.
20 | */
21 |
22 | #ifndef AUTHENTICODE_PARSER_HELPER_H
23 | #define AUTHENTICODE_PARSER_HELPER_H
24 |
25 | #include
26 | #include
27 | #include
28 | #include
29 |
30 | #include
31 |
32 | #ifdef _WIN32
33 | #define timegm _mkgmtime
34 | #endif
35 |
36 | #ifdef __cplusplus
37 | extern "C" {
38 | #endif
39 |
/* Endianity related functions for PE reading: unconditional byte swaps,
 * implemented in helper.c. */
uint16_t bswap16(uint16_t d);
uint32_t bswap32(uint32_t d);

/* Little-endian-to-host and big-endian-to-host conversions, chosen at
 * compile time; WORDS_BIGENDIAN is expected to come from the build
 * configuration. Each macro evaluates its argument exactly once. */
#if defined(WORDS_BIGENDIAN)
#define letoh16(x) bswap16(x)
#define letoh32(x) bswap32(x)
#define betoh16(x) (x)
#define betoh32(x) (x)
#else
#define letoh16(x) (x)
#define letoh32(x) (x)
#define betoh16(x) bswap16(x)
#define betoh32(x) bswap32(x)
#endif

/* Calculates digest md of data, return bytes written to digest or 0 on error.
 * Up to EVP_MAX_MD_SIZE bytes will be written to digest, so the caller must
 * supply a buffer of at least that size whatever digest is requested; the
 * function has no parameter through which to learn a smaller size. */
int calculate_digest(const EVP_MD* md, const uint8_t* data, size_t len, uint8_t* digest);
/* Copies data of length len into already existing arr: arr->data is
 * allocated here (see helper.c) and the caller is responsible for freeing
 * it afterwards. Returns 0 on success, -1 if the allocation fails. Note
 * that len is a signed int. */
int byte_array_init(ByteArray* arr, const uint8_t* data, int len);
/* Converts ASN1_TIME string time into a unix timestamp, interpreted as UTC
 * (the conversion goes through timegm). */
int64_t ASN1_TIME_to_int64_t(const ASN1_TIME* time);
63 |
64 | #ifdef __cplusplus
65 | }
66 | #endif
67 |
68 | #endif
69 |
--------------------------------------------------------------------------------
/libyara/include/yara/pe_utils.h:
--------------------------------------------------------------------------------
1 | #ifndef YR_PE_UTILS_H
2 | #define YR_PE_UTILS_H
3 |
4 | #include
5 |
// Cap on the number of section headers the PE parser will consider
// (presumably used to bound loops over the section table).
#define MAX_PE_SECTIONS 96

// True when the optional header magic identifies a PE32+ (64-bit) image.
// The magic is read through the header64 view before the format is known;
// this relies on Magic sitting at the same offset in both optional header
// layouts. `pe` is evaluated once here but is not parenthesized, so pass a
// plain identifier.
#define IS_64BITS_PE(pe) \
  (yr_le16toh(pe->header64->OptionalHeader.Magic) == \
   IMAGE_NT_OPTIONAL_HDR64_MAGIC)

// Reads `field` from whichever optional header layout matches the image.
// `pe` is evaluated more than once.
#define OptionalHeader(pe, field) \
  (IS_64BITS_PE(pe) ? pe->header64->OptionalHeader.field \
                    : pe->header->OptionalHeader.field)
15 |
16 | //
17 | // Imports are stored in a linked list. Each node (IMPORTED_DLL) contains the
18 | // name of the DLL and a pointer to another linked list of
19 | // IMPORT_EXPORT_FUNCTION structures containing the details of imported
20 | // functions.
21 | //
22 |
// One node of the singly-linked list of DLLs the image imports from.
typedef struct _IMPORTED_DLL
{
  char* name;  // DLL name; presumably heap-allocated — ownership is not stated here

  struct _IMPORT_FUNCTION* functions;  // head of this DLL's imported-function list
  struct _IMPORTED_DLL* next;          // next DLL, or NULL at the end of the list

} IMPORTED_DLL, *PIMPORTED_DLL;
31 |
32 | //
33 | // This is used to track imported and exported functions. The "has_ordinal"
34 | // field is only used in the case of imports as those are optional. Every export
35 | // has an ordinal so we don't need the field there, but in the interest of
36 | // keeping duplicate code to a minimum we use this function for both imports and
37 | // exports.
38 | //
39 |
// One imported or exported function (shared between both lists, see the
// comment above).
typedef struct _IMPORT_FUNCTION
{
  char* name;           // function name; presumably NULL/empty for ordinal-only imports — confirm
  uint8_t has_ordinal;  // non-zero when `ordinal` is meaningful (imports only)
  uint16_t ordinal;
  uint64_t rva;         // relative virtual address of the function

  struct _IMPORT_FUNCTION* next;  // next function, or NULL at the end of the list

} IMPORT_FUNCTION, *PIMPORT_FUNCTION;
50 |
// Parser state for one PE image. `data`/`data_size` bound every read into
// the image (see fits_in_pe below); `header`/`header64` are two typed views
// of the same NT headers pointer, selected with IS_64BITS_PE.
typedef struct _PE
{
  const uint8_t* data;
  size_t data_size;

  // Anonymous union: both members hold the same pointer; only the view that
  // matches the image's magic should be dereferenced past the fields the two
  // layouts share.
  union
  {
    PIMAGE_NT_HEADERS32 header;
    PIMAGE_NT_HEADERS64 header64;
  };

  YR_HASH_TABLE* hash_table;
  YR_OBJECT* object;                  // the pe module object being populated — presumably
  IMPORTED_DLL* imported_dlls;        // regular import table, as a list
  IMPORTED_DLL* delay_imported_dlls;  // delay-load import table, as a list

  uint32_t resources;      // presumably counters of items parsed so far — confirm
  uint32_t version_infos;

} PE;
71 |
// Bounds check to apply before dereferencing any pointer into the image:
// true iff the `size` bytes starting at `pointer` lie entirely inside
// [pe->data, pe->data + pe->data_size). The first clause (size <= data_size)
// guarantees that the subtraction in the last clause cannot wrap, which is
// what makes the end comparison meaningful.
// Caveats: `pe`, `pointer` and `size` are each evaluated more than once and
// `pe` is not parenthesized, so pass plain identifiers without side effects.
#define fits_in_pe(pe, pointer, size) \
  ((size_t)(size) <= pe->data_size && (uint8_t*) (pointer) >= pe->data && \
   (uint8_t*) (pointer) <= pe->data + pe->data_size - (size))

// Convenience form of fits_in_pe for a whole struct_type at `pointer`.
#define struct_fits_in_pe(pe, pointer, struct_type) \
  fits_in_pe(pe, pointer, sizeof(struct_type))
78 |
// Locates the NT headers inside a raw buffer of data_size bytes. The header
// does not state the failure value; presumably NULL when the buffer is not
// a PE image — confirm against the implementation.
PIMAGE_NT_HEADERS32 pe_get_header(const uint8_t* data, size_t data_size);

// Returns the data directory entry with index `entry` from the optional
// header (presumably NULL when the image declares fewer directories).
PIMAGE_DATA_DIRECTORY pe_get_directory_entry(PE* pe, int entry);

// Translates a relative virtual address into an offset inside pe->data. The
// return is signed although offsets are not, which suggests a negative value
// signals an RVA that maps to no section; callers should test for < 0
// before using the result as an index.
int64_t pe_rva_to_offset(PE* pe, uint64_t rva);

// Resolves a well-known ordinal import of `dll` to a function name.
// Ownership of the returned string is not documented here — confirm whether
// the caller must free it.
char* ord_lookup(char* dll, uint16_t ord);
86 |
87 | #endif
88 |
--------------------------------------------------------------------------------
/tests/oss-fuzz/rules_fuzzer.cc:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2017. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #include
31 | #include
32 | #include
33 | #include
34 |
35 |
// libFuzzer one-time setup: brings libyara up. The status of yr_initialize()
// is not inspected here; a failed initialization is expected to surface in
// the per-input hook as a failed yr_compiler_create().
extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv)
{
  (void) argc;
  (void) argv;

  yr_initialize();

  return 0;
}
41 |
42 |
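// libFuzzer per-input hook: treats the input bytes as YARA rule source,
// compiles them, and discards whatever comes out. The return value is
// always 0; crashes and sanitizer reports are the signal.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
{
  YR_RULES* rules = NULL;
  YR_COMPILER* compiler = NULL;

  // The compiler wants a NUL-terminated string and fuzzer input is not, so
  // copy it into a buffer one byte larger and terminate it ourselves.
  char* buffer = (char*) malloc(size + 1);

  if (!buffer)
    return 0;

  // memcpy rather than strncpy: the length is known exactly, and strncpy
  // would stop at the first embedded NUL and zero-fill the rest. The C
  // string the compiler sees is identical either way, but this form is
  // what the length-known case should look like.
  memcpy(buffer, data, size);
  buffer[size] = 0;

  if (yr_compiler_create(&compiler) != ERROR_SUCCESS)
  {
    free(buffer);
    return 0;
  }

  // yr_compiler_add_string returns the number of compilation errors; only a
  // clean compile produces rules worth retrieving (and destroying).
  if (yr_compiler_add_string(compiler, buffer, NULL) == 0)
  {
    if (yr_compiler_get_rules(compiler, &rules) == ERROR_SUCCESS)
      yr_rules_destroy(rules);
  }

  yr_compiler_destroy(compiler);
  free(buffer);

  return 0;
}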
73 |
--------------------------------------------------------------------------------
/libyara/include/yara/threading.h:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2016. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #ifndef YR_MUTEX_H
31 | #define YR_MUTEX_H
32 |
#if defined(_WIN32) || defined(__CYGWIN__)

// NOTE(review): the header name on the next line was lost when this listing
// was extracted; it is the one that declares DWORD and HANDLE.
#include

// Windows/Cygwin flavour: thread ids and TLS keys are DWORDs, a mutex is a
// kernel HANDLE, and thread-local storage uses the MSVC declspec.
typedef DWORD YR_THREAD_ID;
typedef DWORD YR_THREAD_STORAGE_KEY;
typedef HANDLE YR_MUTEX;

#define YR_TLS __declspec(thread)

#else

// NOTE(review): header name lost in extraction; given the pthread_* types
// below it is presumably pthread.h.
#include

// POSIX flavour: thin aliases over pthreads. YR_TLS uses the GCC/Clang
// __thread extension rather than C11 _Thread_local.
typedef pthread_t YR_THREAD_ID;
typedef pthread_key_t YR_THREAD_STORAGE_KEY;
typedef pthread_mutex_t YR_MUTEX;

#define YR_TLS __thread

#endif
54 |
// Returns the id of the calling thread.
YR_THREAD_ID yr_current_thread_id(void);

// Mutex lifecycle and locking. All return an int status code; the values
// are not defined in this header (presumably ERROR_SUCCESS on success, as
// elsewhere in libyara).
int yr_mutex_create(YR_MUTEX*);
int yr_mutex_destroy(YR_MUTEX*);
int yr_mutex_lock(YR_MUTEX*);
int yr_mutex_unlock(YR_MUTEX*);

// Thread-local storage keyed by a YR_THREAD_STORAGE_KEY: create/destroy the
// key, and set/get a void* value for it (presumably per calling thread,
// following the pthread key model it wraps). get_value has no error
// channel, so callers have to treat NULL as "nothing set".
int yr_thread_storage_create(YR_THREAD_STORAGE_KEY*);
int yr_thread_storage_destroy(YR_THREAD_STORAGE_KEY*);
int yr_thread_storage_set_value(YR_THREAD_STORAGE_KEY*, void*);
void* yr_thread_storage_get_value(YR_THREAD_STORAGE_KEY*);
66 |
67 | #endif
68 |
--------------------------------------------------------------------------------
/tests/oss-fuzz/elf_fuzzer.cc:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2017. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #include
31 | #include
32 | #include
33 |
34 |
35 | YR_RULES* rules = NULL;
36 |
37 |
// One-time setup: initialize libyara and compile a rule set that merely
// imports the elf module, so every scan runs the ELF parser over the input.
// On an early failure `rules` (initialized to NULL at file scope) is never
// assigned, and the per-input hook bails out.
extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv)
{
  (void) argc;
  (void) argv;

  YR_COMPILER* compiler = NULL;

  if (yr_initialize() != ERROR_SUCCESS ||
      yr_compiler_create(&compiler) != ERROR_SUCCESS)
    return 0;

  // add_string reports the number of errors; only a clean compile is turned
  // into rules. The status of get_rules is deliberately not inspected.
  if (yr_compiler_add_string(compiler, "import \"elf\"", NULL) == 0)
    yr_compiler_get_rules(compiler, &rules);

  yr_compiler_destroy(compiler);

  return 0;
}
55 |
56 |
// Scan callback that ignores every message: the fuzzer is only interested in
// faults inside the scanner, not in what matched.
int callback(
    YR_SCAN_CONTEXT* context,
    int message,
    void* message_data,
    void* user_data)
{
  (void) context;
  (void) message;
  (void) message_data;
  (void) user_data;

  return CALLBACK_CONTINUE;
}
65 |
66 |
// Per-input hook: scans the raw input with the rules compiled at startup.
// SCAN_FLAGS_NO_TRYCATCH keeps libyara from catching faults itself, so they
// reach the fuzzer's sanitizer instead.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
{
  if (rules != NULL)
  {
    yr_rules_scan_mem(
        rules, data, size, SCAN_FLAGS_NO_TRYCATCH, callback, NULL, 0);
  }

  return 0;
}
77 |
--------------------------------------------------------------------------------
/libyara/include/yara/stopwatch.h:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2017. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #ifndef YR_STOPWATCH_H
31 | #define YR_STOPWATCH_H
32 |
33 | #include
34 | #include
35 |
#if defined(_WIN32)

// NOTE(review): header name lost in extraction (the Windows API header that
// provides LARGE_INTEGER).
#include

// Windows: a counter frequency captured alongside the start tick,
// presumably for the performance-counter API.
typedef struct _YR_STOPWATCH
{
  LARGE_INTEGER frequency;
  LARGE_INTEGER start;

} YR_STOPWATCH;

#elif defined(__APPLE__) && defined(__MACH__)

// NOTE(review): header name lost in extraction (the Mach header that
// provides mach_timebase_info_data_t).
#include

// macOS: raw start tick plus the timebase needed to scale it to nanoseconds.
typedef struct _YR_STOPWATCH
{
  mach_timebase_info_data_t timebase;
  uint64_t start;

} YR_STOPWATCH;

#else

// NOTE(review): header name lost in extraction (timeval/timespec header).
#include

// Other POSIX: the start time is held as either a timeval or a timespec,
// depending on which clock API the implementation (not in this header)
// uses; the anonymous union means only one member is live at a time.
typedef struct _YR_STOPWATCH
{
  union
  {
    struct timeval tv_start;
    struct timespec ts_start;
  };

} YR_STOPWATCH;

#endif
73 |
74 | // yr_stopwatch_start starts measuring time.
75 | void yr_stopwatch_start(YR_STOPWATCH* stopwatch);
76 |
77 | // yr_stopwatch_elapsed_ns returns the number of nanoseconds elapsed
78 | // since the last call to yr_stopwatch_start.
79 | uint64_t yr_stopwatch_elapsed_ns(YR_STOPWATCH* stopwatch);
80 |
81 | #endif
82 |
--------------------------------------------------------------------------------
/libyara/modules/pe/authenticode-parser/helper.c:
--------------------------------------------------------------------------------
1 | /* Copyright (c) 2021 Avast Software
2 |
3 | Permission is hereby granted, free of charge, to any person obtaining a copy of
4 | this software and associated documentation files (the "Software"), to deal
5 | in the Software without restriction, including without limitation the rights to
6 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
7 | of the Software, and to permit persons to whom the Software is furnished to do
8 | so, subject to the following conditions:
9 |
10 | The above copyright notice and this permission notice shall be included in all
11 | copies or substantial portions of the Software.
12 |
13 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
14 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
15 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
16 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
17 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
18 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
19 | SOFTWARE.
20 | */
21 |
22 | #include "helper.h"
23 |
24 | #include
25 | #include
26 | #include
27 | #include
28 | #include
29 | #include
30 |
/* Unconditionally swaps the two bytes of a 16-bit value. */
uint16_t bswap16(uint16_t d)
{
    uint16_t high_to_low = (uint16_t)(d >> 8);
    uint16_t low_to_high = (uint16_t)(d << 8);
    return (uint16_t)(low_to_high | high_to_low);
}
35 |
/* Unconditionally reverses the byte order of a 32-bit value. */
uint32_t bswap32(uint32_t d)
{
    uint32_t byte3_to_0 = d >> 24;
    uint32_t byte2_to_1 = (d >> 8) & 0x0000ff00u;
    uint32_t byte1_to_2 = (d << 8) & 0x00ff0000u;
    uint32_t byte0_to_3 = d << 24;
    return byte3_to_0 | byte2_to_1 | byte1_to_2 | byte0_to_3;
}
41 |
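/* Computes the `md` digest of the `len` bytes at `data` into `digest`.
 * Returns the number of digest bytes written, or 0 on any failure (NULL md
 * or digest, NULL data with a non-zero len, context allocation failure, or
 * any EVP_* step failing).
 * `digest` must have room for EVP_MAX_MD_SIZE bytes: the output length
 * depends on `md` and there is no parameter through which a smaller buffer
 * could be declared. */
int calculate_digest(const EVP_MD* md, const uint8_t* data, size_t len, uint8_t* digest)
{
    unsigned int outLen = 0;

    /* Reject inputs the EVP layer cannot work with instead of relying on it
     * to fail cleanly on NULL. An empty message (data NULL, len 0) is fine. */
    if (!md || !digest || (!data && len != 0))
        return 0;

    EVP_MD_CTX* mdCtx = EVP_MD_CTX_new();
    if (!mdCtx)
        return 0;

    /* Reset outLen explicitly on failure so a partially-completed chain can
     * never report a non-zero length for a digest that was not produced. */
    if (!EVP_DigestInit_ex(mdCtx, md, NULL) || !EVP_DigestUpdate(mdCtx, data, len) ||
        !EVP_DigestFinal_ex(mdCtx, digest, &outLen))
        outLen = 0;

    EVP_MD_CTX_free(mdCtx);
    return (int)outLen;
}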
58 |
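/* Fills an existing ByteArray with a private copy of `len` bytes from `data`.
 * On success arr->data is a fresh allocation the caller must free and
 * arr->len == len; a len of 0 yields data == NULL, len == 0.
 * Returns 0 on success, -1 on a NULL arr, a negative len, a NULL data with
 * len > 0, or allocation failure. */
int byte_array_init(ByteArray* arr, const uint8_t* data, int len)
{
    if (!arr)
        return -1;

    /* len is a signed int; a negative value would be converted to a huge
     * size_t for malloc and memcpy below, so treat it as an error rather
     * than silently as an empty array. */
    if (len < 0)
        return -1;

    if (len == 0) {
        arr->data = NULL;
        arr->len = 0;
        return 0;
    }

    if (!data)
        return -1;

    arr->data = malloc((size_t)len);
    if (!arr->data)
        return -1;

    arr->len = len;
    memcpy(arr->data, data, (size_t)len);
    return 0;
}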
75 |
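/* Converts an ASN1_TIME into a unix timestamp interpreted as UTC (timegm).
 * A NULL `time`, or one that ASN1_TIME_to_tm cannot parse, yields the
 * timestamp of a zeroed struct tm — the same value the NULL case has always
 * produced — so callers cannot tell "absent" from "malformed" through the
 * return value alone. */
int64_t ASN1_TIME_to_int64_t(const ASN1_TIME* time)
{
    struct tm t = {0};

    /* ASN1_TIME_to_tm returns 0 on a malformed value and may have written
     * part of t by then; fall back to the zeroed tm rather than converting
     * a half-filled one. */
    if (time && !ASN1_TIME_to_tm(time, &t))
        memset(&t, 0, sizeof t);

    return timegm(&t);
}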
85 |
--------------------------------------------------------------------------------
/tests/test-pb.c:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2019. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #include
31 |
32 | #include "util.h"
33 |
// Exercises the pb_tests module against the checked-in
// tests/data/test-pb.data.bin: the first rule reads scalar, string,
// repeated-struct and enum fields, the second iterates a repeated struct and
// reads a nested message. assert_true_rule_module_data_file (from util.h) is
// presumably fatal on a failing rule, which is why `result` is never set to
// anything other than 0 here.
int main(int argc, char** argv)
{
  int result = 0;

  YR_DEBUG_INITIALIZE();
  YR_DEBUG_FPRINTF(1, stderr, "+ %s() { // in %s\n", __FUNCTION__, __FILE__);

  // Presumably resolves the source tree root so the relative data path
  // below can be found when run from the build directory.
  init_top_srcdir();
  yr_initialize();

  assert_true_rule_module_data_file(
"import \"pb_tests\" \
rule test { \
condition: \
pb_tests.f_int32 == 1111 and \
pb_tests.f_int64 == 2222 and \
pb_tests.f_string == \"foo\" and \
pb_tests.f_struct_array[0].f_enum == pb_tests.struct.enum.SECOND \
}",
      "tests/data/test-pb.data.bin");

  assert_true_rule_module_data_file(
"import \"pb_tests\" \
rule test { \
condition: \
for any s in pb_tests.f_struct_array : ( \
s.f_nested_struct.f_int32 == 3333 \
) \
}",
      "tests/data/test-pb.data.bin");

  yr_finalize();

  YR_DEBUG_FPRINTF(
      1, stderr, "} = %d // %s() in %s\n", result, __FUNCTION__, __FILE__);

  return result;
}
72 |
--------------------------------------------------------------------------------
/libyara/include/yara/filemap.h:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2007-2015. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #ifndef YR_FILEMAP_H
31 | #define YR_FILEMAP_H
32 |
33 | #include
34 |
35 | #if defined(_WIN32) || defined(__CYGWIN__)
36 | #include
37 | #define YR_FILE_DESCRIPTOR HANDLE
38 | #else
39 | #define YR_FILE_DESCRIPTOR int
40 | #endif
41 |
42 | #include
43 | #include
44 | #include
45 |
46 |
// A file, or a byte range of one, mapped into memory. `data`/`size` describe
// the mapped bytes (exposed as const, i.e. read-only to callers); `file` is
// the OS descriptor or handle the mapping came from. On Windows/Cygwin the
// separate file-mapping object is kept in `mapping`, presumably so unmap can
// release it alongside the view.
typedef struct _YR_MAPPED_FILE
{
  YR_FILE_DESCRIPTOR file;
  size_t size;
  const uint8_t* data;
#if defined(_WIN32) || defined(__CYGWIN__)
  HANDLE mapping;
#endif

} YR_MAPPED_FILE;
57 |
58 |
// Maps the whole file at file_path. Returns an int status code and fills
// *pmapped_file on success.
YR_API int yr_filemap_map(const char* file_path, YR_MAPPED_FILE* pmapped_file);


// Maps `size` bytes starting at `offset` of an already-open file. Note the
// asymmetry: `offset` is a uint64_t while `size` is a size_t, so on 32-bit
// builds a range may be representable in offset but not in size; validating
// that is up to the implementation, which is not in this header.
YR_API int yr_filemap_map_fd(
    YR_FILE_DESCRIPTOR file,
    uint64_t offset,
    size_t size,
    YR_MAPPED_FILE* pmapped_file);


// As yr_filemap_map, but for the `size` bytes at `offset` of the file.
YR_API int yr_filemap_map_ex(
    const char* file_path,
    uint64_t offset,
    size_t size,
    YR_MAPPED_FILE* pmapped_file);


// Releases a mapping created by yr_filemap_map or yr_filemap_map_ex.
YR_API void yr_filemap_unmap(YR_MAPPED_FILE* pmapped_file);


// Releases a mapping created by yr_filemap_map_fd. The existence of two
// unmap variants suggests this one leaves the caller's descriptor open —
// confirm in the implementation before relying on it.
YR_API void yr_filemap_unmap_fd(YR_MAPPED_FILE* pmapped_file);
80 |
81 | #endif
82 |
--------------------------------------------------------------------------------
/tests/oss-fuzz/dotnet_fuzzer.cc:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2017. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #include
31 | #include
32 | #include
33 |
// Rule set compiled once at startup. It imports the dotnet module so every
// scan parses the input as a .NET assembly; the condition is presumably
// there only to force the module's fields to be evaluated. Note the literal
// pieces are concatenated with no separating whitespace after the import.
const char* RULES = "import \"dotnet\""
    "rule test {"
    " condition:"
    " dotnet.module_name == \"foo.exe\""
    "}";

// Compiled rules shared by every input; stays NULL if LLVMFuzzerInitialize
// fails before reaching yr_compiler_get_rules, which the per-input hook
// checks for.
YR_RULES* rules = NULL;
41 |
// One-time setup: initialize libyara and compile RULES. On an early failure
// `rules` (NULL at file scope) is never assigned, and the per-input hook
// bails out.
extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv)
{
  (void) argc;
  (void) argv;

  YR_COMPILER* compiler = NULL;

  if (yr_initialize() != ERROR_SUCCESS ||
      yr_compiler_create(&compiler) != ERROR_SUCCESS)
    return 0;

  // add_string reports the number of errors; only a clean compile is turned
  // into rules. The status of get_rules is deliberately not inspected.
  if (yr_compiler_add_string(compiler, RULES, NULL) == 0)
    yr_compiler_get_rules(compiler, &rules);

  yr_compiler_destroy(compiler);

  return 0;
}
59 |
60 |
// Scan callback that ignores every message: the fuzzer is only interested in
// faults inside the scanner, not in what matched.
int callback(
    YR_SCAN_CONTEXT* context,
    int message,
    void* message_data,
    void* user_data)
{
  (void) context;
  (void) message;
  (void) message_data;
  (void) user_data;

  return CALLBACK_CONTINUE;
}
69 |
70 |
// Per-input hook: scans the raw input with the rules compiled at startup.
// SCAN_FLAGS_NO_TRYCATCH keeps libyara from catching faults itself, so they
// reach the fuzzer's sanitizer instead.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
{
  if (rules != NULL)
  {
    yr_rules_scan_mem(
        rules, data, size, SCAN_FLAGS_NO_TRYCATCH, callback, NULL, 0);
  }

  return 0;
}
81 |
--------------------------------------------------------------------------------
/tests/oss-fuzz/macho_fuzzer.cc:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2017. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #include
31 | #include
32 | #include
33 |
// The single rule compiled once at start-up (see LLVMFuzzerInitialize). It
// imports the `macho` module and references a segment/section field so that
// every fuzz input is run through the Mach-O parser; whether the condition is
// true for a given input is irrelevant to the fuzzer.
const char* RULES = "import \"macho\""
"rule test {"
" condition:"
" macho.segments[1].sections[0].segname == \"__TEXT\""
"}";

// Compiled form of RULES, filled in by LLVMFuzzerInitialize. Stays NULL when
// initialization or rule compilation fails, in which case every fuzz input is
// ignored.
YR_RULES* rules = NULL;
41 |
// libFuzzer entry point run once per process: initializes libyara and
// compiles RULES into the global `rules`. argc/argv are unused.
//
// Any failure leaves `rules` NULL, which turns LLVMFuzzerTestOneInput into a
// no-op for every input: the fuzzer keeps running but never reaches libyara.
// The return value is always 0 (libFuzzer does not act on it).
extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv)
{
  (void) argc;
  (void) argv;

  YR_COMPILER* compiler = NULL;

  if (yr_initialize() == ERROR_SUCCESS &&
      yr_compiler_create(&compiler) == ERROR_SUCCESS)
  {
    // A zero return from yr_compiler_add_string means the rule compiled
    // without errors; only then are the compiled rules retrieved.
    if (yr_compiler_add_string(compiler, RULES, NULL) == 0)
      yr_compiler_get_rules(compiler, &rules);

    yr_compiler_destroy(compiler);
  }

  return 0;
}
59 |
60 |
// Scan callback that accepts every message without inspecting it, so the scan
// always runs to completion. The fuzzer only cares whether the scanner itself
// faults, not which rules matched.
int callback(
    YR_SCAN_CONTEXT* context,
    int message,
    void* message_data,
    void* user_data)
{
  (void) context;
  (void) message;
  (void) message_data;
  (void) user_data;

  return CALLBACK_CONTINUE;
}
69 |
70 |
// libFuzzer entry point: scans `data` (size bytes) in memory with the rules
// compiled at start-up. SCAN_FLAGS_NO_TRYCATCH keeps libyara from wrapping the
// scan in its own fault handler, so a crash in the module parser reaches the
// sanitizer instead of being turned into a scan error. The scan result code
// is deliberately ignored; the function always returns 0.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
{
  // Nothing to scan with until LLVMFuzzerInitialize succeeded.
  if (rules != NULL)
  {
    yr_rules_scan_mem(
        rules, data, size, SCAN_FLAGS_NO_TRYCATCH, callback, NULL, 0);
  }

  return 0;
}
81 |
--------------------------------------------------------------------------------
/tests/oss-fuzz/pe_fuzzer.cc:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2017. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #include
31 | #include
32 | #include
33 |
// The single rule compiled once at start-up (see LLVMFuzzerInitialize). It
// imports the `pe` module and calls pe.rva_to_offset on the first section so
// that every fuzz input is run through the PE parser and the RVA translation
// code; whether the condition is true for a given input is irrelevant to the
// fuzzer.
const char* RULES = "import \"pe\""
"rule test {"
" condition:"
" pe.rva_to_offset(pe.sections[0].virtual_address) == "
"pe.sections[0].raw_data_offset"
"}";

// Compiled form of RULES, filled in by LLVMFuzzerInitialize. Stays NULL when
// initialization or rule compilation fails, in which case every fuzz input is
// ignored.
YR_RULES* rules = NULL;
42 |
// libFuzzer entry point run once per process: initializes libyara and
// compiles RULES into the global `rules`. argc/argv are unused.
//
// Any failure leaves `rules` NULL, which turns LLVMFuzzerTestOneInput into a
// no-op for every input: the fuzzer keeps running but never reaches libyara.
// The return value is always 0 (libFuzzer does not act on it).
extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv)
{
  (void) argc;
  (void) argv;

  YR_COMPILER* compiler = NULL;

  if (yr_initialize() == ERROR_SUCCESS &&
      yr_compiler_create(&compiler) == ERROR_SUCCESS)
  {
    // A zero return from yr_compiler_add_string means the rule compiled
    // without errors; only then are the compiled rules retrieved.
    if (yr_compiler_add_string(compiler, RULES, NULL) == 0)
      yr_compiler_get_rules(compiler, &rules);

    yr_compiler_destroy(compiler);
  }

  return 0;
}
60 |
61 |
// Scan callback that accepts every message without inspecting it, so the scan
// always runs to completion. The fuzzer only cares whether the scanner itself
// faults, not which rules matched.
int callback(
    YR_SCAN_CONTEXT* context,
    int message,
    void* message_data,
    void* user_data)
{
  (void) context;
  (void) message;
  (void) message_data;
  (void) user_data;

  return CALLBACK_CONTINUE;
}
70 |
71 |
// libFuzzer entry point: scans `data` (size bytes) in memory with the rules
// compiled at start-up. SCAN_FLAGS_NO_TRYCATCH keeps libyara from wrapping the
// scan in its own fault handler, so a crash in the module parser reaches the
// sanitizer instead of being turned into a scan error. The scan result code
// is deliberately ignored; the function always returns 0.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
{
  // Nothing to scan with until LLVMFuzzerInitialize succeeded.
  if (rules != NULL)
  {
    yr_rules_scan_mem(
        rules, data, size, SCAN_FLAGS_NO_TRYCATCH, callback, NULL, 0);
  }

  return 0;
}
82 |
--------------------------------------------------------------------------------
/docs/modules/hash.rst:
--------------------------------------------------------------------------------
1 |
2 | .. _hash-module:
3 |
4 | ###########
5 | Hash module
6 | ###########
7 |
8 | .. versionadded:: 3.2.0
9 |
10 | The Hash module allows you to calculate hashes (MD5, SHA1, SHA256) from portions
11 | of your file and create signatures based on those hashes.
12 |
13 | .. important::
14 | This module depends on the OpenSSL library. Please refer to
15 | :ref:`compiling-yara` for information about how to build OpenSSL-dependent
16 | features into YARA.
17 |
18 | Good news for Windows users: this module is already included in the official
19 | Windows binaries.
20 |
21 | .. warning::
22 | The returned hash string is always lowercase. This means that a rule condition
23 | comparing a hash, such as ``hash.md5(0, filesize) == "feba6c919e3797e7778e8f2e85fa033d"``,
24 | must give the expected hash in lowercase; otherwise the condition will never
25 | match (see https://github.com/VirusTotal/yara/issues/1004).
26 |
27 | .. c:function:: md5(offset, size)
28 |
29 | Returns the MD5 hash for *size* bytes starting at *offset*. When scanning a
30 | running process the *offset* argument should be a virtual address within
31 | the process address space. The returned string is always in lowercase.
32 |
33 | *Example: hash.md5(0, filesize) == "feba6c919e3797e7778e8f2e85fa033d"*
34 |
35 | .. c:function:: md5(string)
36 |
37 | Returns the MD5 hash for the given string.
38 |
39 | *Example: hash.md5("dummy") == "275876e34cf609db118f3d84b799a790"*
40 |
41 | .. c:function:: sha1(offset, size)
42 |
43 | Returns the SHA1 hash for the *size* bytes starting at *offset*. When
44 | scanning a running process the *offset* argument should be a virtual address
45 | within the process address space. The returned string is always in
46 | lowercase.
47 |
48 | .. c:function:: sha1(string)
49 |
50 | Returns the SHA1 hash for the given string.
51 |
52 | .. c:function:: sha256(offset, size)
53 |
54 | Returns the SHA256 hash for the *size* bytes starting at *offset*. When
55 | scanning a running process the *offset* argument should be a virtual address
56 | within the process address space. The returned string is always in
57 | lowercase.
58 |
59 | .. c:function:: sha256(string)
60 |
61 | Returns the SHA256 hash for the given string.
62 |
63 | .. c:function:: checksum32(offset, size)
64 |
65 | Returns a 32-bit checksum for the *size* bytes starting at *offset*. The
66 | checksum is just the sum of all the bytes (unsigned).
67 |
68 | .. c:function:: checksum32(string)
69 |
70 | Returns a 32-bit checksum for the given string. The checksum is just the
71 | sum of all the bytes in the string (unsigned).
72 |
73 | .. c:function:: crc32(offset, size)
74 |
75 | Returns a crc32 checksum for the *size* bytes starting at *offset*.
76 |
77 | .. c:function:: crc32(string)
78 |
79 | Returns a crc32 checksum for the given string.
80 |
81 |
--------------------------------------------------------------------------------
/libyara/include/yara/ahocorasick.h:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2013. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #ifndef _AHOCORASICK_H
31 | #define _AHOCORASICK_H
32 |
33 | #include
34 | #include
35 | #include
36 |
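// Number of bits dedicated to store the offset of the slot relative to its
// own state.
#define YR_AC_SLOT_OFFSET_BITS 9

// Max number of slots in the transition table. This is the maximum number of
// slots that can be addressed with 23-bit indexes.
#define YR_AC_MAX_TRANSITION_TABLE_SIZE 0x800000

#define YR_AC_ROOT_STATE 0

// A transition packs the target state in the high bits and the input code in
// the low YR_AC_SLOT_OFFSET_BITS bits (0x1FF is the 9-bit mask for those low
// bits). Every macro argument is parenthesized: with the unparenthesized
// originals, a compound argument such as `c | 0x80` or `t + 1` was
// re-associated by operator precedence at the expansion site.
#define YR_AC_NEXT_STATE(t) ((t) >> YR_AC_SLOT_OFFSET_BITS)
#define YR_AC_INVALID_TRANSITION(t, c) (((t) & 0x1FF) != (c))

#define YR_AC_MAKE_TRANSITION(state, code) \
  ((YR_AC_TRANSITION)( \
      (((YR_AC_TRANSITION) (state)) << YR_AC_SLOT_OFFSET_BITS) | (code)))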
52 |
// Creates an empty Aho-Corasick automaton whose storage lives in `arena`,
// returning it through `automaton`. Returns an error code; by analogy with
// the other yr_* entry points, ERROR_SUCCESS on success (confirm in
// ahocorasick.c).
int yr_ac_automaton_create(YR_ARENA* arena, YR_AC_AUTOMATON** automaton);

// Releases the automaton created by yr_ac_automaton_create.
int yr_ac_automaton_destroy(YR_AC_AUTOMATON* automaton);

// Adds one string (identified by `string_idx`) with its atom list to the
// automaton. `arena` is presumably the same arena passed at creation time —
// confirm in ahocorasick.c.
int yr_ac_add_string(
    YR_AC_AUTOMATON* automaton,
    YR_STRING* string,
    uint32_t string_idx,
    YR_ATOM_LIST_ITEM* atom,
    YR_ARENA* arena);

// Finalizes the automaton after all strings were added (builds the transition
// table addressed by the YR_AC_* macros above).
int yr_ac_compile(YR_AC_AUTOMATON* automaton, YR_ARENA* arena);

// Debug helper: dumps the automaton in human-readable form.
void yr_ac_print_automaton(YR_AC_AUTOMATON* automaton);
67 |
68 | #endif
69 |
--------------------------------------------------------------------------------
/sandbox/collect_matches.cc:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2019. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #include "sandbox/collect_matches.h"
31 |
32 | #include "libyara/include/yara.h"
33 | #include "sandbox/yara_matches.pb.h"
34 |
namespace yara
{
// libyara scan callback that records every matching rule into the collector
// passed as `user_data`.
//
// message      one of the CALLBACK_MSG_* codes; everything except
//              CALLBACK_MSG_RULE_MATCHING is ignored.
// message_data the matching rule for CALLBACK_MSG_RULE_MATCHING.
//              NOTE(review): the cast's target type is not visible in this
//              listing; presumably YR_RULE* given the fields read below.
// user_data    the object `add_match()` is called on. NOTE(review): presumably
//              the generated protobuf type from sandbox/yara_matches.pb.h.
//
// Always returns ERROR_SUCCESS, so the scan is never aborted from here.
int CollectMatches(
    YR_SCAN_CONTEXT*,
    int message,
    void* message_data,
    void* user_data)
{
  if (message != CALLBACK_MSG_RULE_MATCHING)
  {
    return ERROR_SUCCESS; // There are no matching rules, simply return
  }

  auto* rule = static_cast(message_data);
  YR_META* rule_meta = rule->metas;

  auto* match = reinterpret_cast(user_data)->add_match();

  // The namespace is optional: it is recorded only when both the namespace
  // object and its name are present.
  if (rule->ns != nullptr && rule->ns->name != nullptr)
  {
    match->mutable_id()->set_rule_namespace(rule->ns->name);
  }

  match->mutable_id()->set_rule_name(rule->identifier);

  // Copy every meta of the rule. Booleans are stored through the integer
  // field; a meta whose type is not listed in the switch is recorded with its
  // identifier only (no value).
  yr_rule_metas_foreach(rule, rule_meta)
  {
    auto* meta = match->add_meta();
    meta->set_identifier(rule_meta->identifier);
    switch (rule_meta->type)
    {
    case META_TYPE_BOOLEAN:
    case META_TYPE_INTEGER:
      meta->set_int_value(rule_meta->integer);
      break;
    case META_TYPE_STRING:
      meta->set_bytes_value(rule_meta->string);
      break;
    }
  }

  return ERROR_SUCCESS;
}

} // namespace yara
80 |
--------------------------------------------------------------------------------
/cli/threading.h:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2013. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #ifndef THREADING_H
31 | #define THREADING_H
32 |
33 | #if defined(_WIN32) || defined(__CYGWIN__)
34 | #include
35 | #else
36 | #include
37 | #include
38 | #if defined(__APPLE__)
39 | #include
40 | #else
41 | #include
42 | #endif
43 | #endif
44 |
// Thin portability layer over the platform threading primitives used by the
// yara command-line tool. The cli_* functions below are implemented once per
// platform; callers only ever see the MUTEX/SEMAPHORE/THREAD typedefs.
#if defined(_WIN32) || defined(__CYGWIN__)

typedef HANDLE SEMAPHORE;
typedef CRITICAL_SECTION MUTEX;
typedef HANDLE THREAD;

typedef LPTHREAD_START_ROUTINE THREAD_START_ROUTINE;

#else

typedef pthread_mutex_t MUTEX;
typedef pthread_t THREAD;
typedef void* (*THREAD_START_ROUTINE)(void*);

// Note the asymmetry: on macOS a SEMAPHORE is a value (semaphore_t), on other
// POSIX systems it is a pointer (sem_t*), so a `SEMAPHORE*` parameter is a
// pointer-to-pointer there. Presumably cli_semaphore_init allocates the sem_t
// in that case — confirm in threading.c.
#if defined(__APPLE__)
typedef semaphore_t SEMAPHORE;
#else
typedef sem_t* SEMAPHORE;
#endif

#endif

// Mutex lifecycle. Only init can fail (non-zero return); lock/unlock/destroy
// report nothing.
int cli_mutex_init(MUTEX* mutex);

void cli_mutex_destroy(MUTEX* mutex);

void cli_mutex_lock(MUTEX* mutex);

void cli_mutex_unlock(MUTEX* mutex);

// Counting semaphore with initial count `value`; init returns non-zero on
// failure.
int cli_semaphore_init(SEMAPHORE* semaphore, int value);

void cli_semaphore_destroy(SEMAPHORE* semaphore);

// Waits for the semaphore. `abs_timeout` is a time_t and, by its name, an
// absolute deadline; the exact return convention on timeout is not visible
// here — confirm in threading.c before relying on it.
int cli_semaphore_wait(SEMAPHORE* semaphore, time_t abs_timeout);

void cli_semaphore_release(SEMAPHORE* semaphore);

// Starts `start_routine(param)` on a new thread stored in `thread`; returns
// non-zero on failure.
int cli_create_thread(
    THREAD* thread,
    THREAD_START_ROUTINE start_routine,
    void* param);

// Blocks until `thread` has finished.
void cli_thread_join(THREAD* thread);
89 |
90 | #endif
91 |
--------------------------------------------------------------------------------
/tests/test-stack.c:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2018. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #include
31 | #include
32 |
33 | #include "util.h"
34 |
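// Exercises YR_STACK: pushes four ints, pops them back in LIFO order and
// verifies that popping an empty stack fails without touching the output.
// Exits with EXIT_FAILURE on the first mismatch or library error, otherwise
// returns 0.
int main(int argc, char** argv)
{
  int result = 0;

  YR_DEBUG_INITIALIZE();
  YR_DEBUG_FPRINTF(1, stderr, "+ %s() { // in %s\n", __FUNCTION__, argv[0]);

  YR_STACK* stack = NULL;
  int item = 0;

  // Library calls that can fail are checked: an unchecked failure here would
  // turn a setup error into a crash inside yr_stack_push.
  if (yr_initialize() != ERROR_SUCCESS)
    exit(EXIT_FAILURE);

  // Initial capacity 1 (first argument), so the pushes below presumably
  // exercise the stack's growth path as well.
  if (yr_stack_create(1, sizeof(item), &stack) != ERROR_SUCCESS)
    exit(EXIT_FAILURE);

  for (item = 1; item <= 4; item++)
  {
    if (yr_stack_push(stack, &item) != ERROR_SUCCESS)
      exit(EXIT_FAILURE);
  }

  // Items must come back in reverse push order.
  for (int expected = 4; expected >= 1; expected--)
  {
    if (!yr_stack_pop(stack, &item) || item != expected)
      exit(EXIT_FAILURE);
  }

  // Popping from the now-empty stack must fail and leave `item` at its last
  // value (1).
  if (yr_stack_pop(stack, &item) || item != 1)
    exit(EXIT_FAILURE);

  yr_stack_destroy(stack);
  yr_finalize();

  YR_DEBUG_FPRINTF(
      1, stderr, "} = %d // %s() in %s\n", result, __FUNCTION__, argv[0]);

  return result;
}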
92 |
--------------------------------------------------------------------------------
/dist/yara.spec:
--------------------------------------------------------------------------------
1 | ##
2 | ## Copyright (c) 2007-2015. The YARA Authors. All Rights Reserved.
3 | ## Licensed under the Apache License, Version 2.0 (the "License");
4 | ## you may not use this file except in compliance with the License.
5 | ## You may obtain a copy of the License at
6 | ## http://www.apache.org/licenses/LICENSE-2.0
7 | ## Unless required by applicable law or agreed to in writing, software
8 | ## distributed under the License is distributed on an "AS IS" BASIS,
9 | ## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
10 | ## See the License for the specific language governing permissions and
11 | ## limitations under the License.
12 | ##
13 |
14 | Name: yara
15 | Version: 3.2.0
16 | Release: 1
17 | License: Apache License 2.0
18 | Summary: A malware identification and classification tool
19 | Url: http://plusvic.github.io/yara/
20 | Group: System/Filesystems
21 | Source: yara-%{version}.tar.gz
22 | BuildRoot: %{_tmppath}/%{name}-%{version}-build
23 | BuildRequires: autoconf automake libtool
24 |
25 | %description
26 | YARA is a tool aimed at helping malware researchers to identify and classify
27 | malware samples. With YARA you can create descriptions of malware families
28 | based on textual or binary patterns contained in samples of those families.
29 |
30 | %package -n libyara
31 | Summary: Library to support the yara malware identification tool
32 | Group: System/Libraries
33 |
34 | %description -n libyara
35 | YARA is a tool aimed at helping malware researchers to identify and classify
36 | malware samples. With YARA you can create descriptions of malware families
37 | based on textual or binary patterns contained in samples of those families.
38 |
39 | %package -n yara-devel
40 | Summary: Development files to support the yara malware identification tool
41 | Group: Development/Libraries/C and C++
42 | Requires: libyara = %{version}-%{release}
43 |
44 | %description -n yara-devel
45 | YARA is a tool aimed at helping malware researchers to identify and classify
46 | malware samples. With YARA you can create descriptions of malware families
47 | based on textual or binary patterns contained in samples of those families.
48 |
49 | %prep
50 | %setup -q
51 |
52 | %build
53 | ./bootstrap.sh
54 | ./configure
55 | make
56 |
57 | %install
58 | make install DESTDIR=%{buildroot} bindir=%{_bindir} libdir=%{_libdir} includedir=%{_includedir} mandir=%{_mandir} INSTALL="install -p"
59 |
60 | %post -n libyara -p /sbin/ldconfig
61 |
62 | %postun -n libyara -p /sbin/ldconfig
63 |
64 | %files
65 | %defattr(-,root,root)
66 | %{_bindir}/yara
67 | %{_bindir}/yarac
68 | %{_mandir}/man1/*
69 |
70 | %files -n libyara
71 | %defattr(-,root,root)
72 | %{_libdir}/libyara.so*
73 | %{_libdir}/pkgconfig/yara.pc
74 |
75 | %files -n yara-devel
76 | %defattr(-,root,root)
77 | %{_includedir}/yara.h
78 | %{_includedir}/yara/*
79 | %{_libdir}/libyara.a
80 | %{_libdir}/libyara.la
81 |
82 |
83 | %changelog
84 | * Sat Jan 25 2015 Domingo Kiser 3.2.0-1
85 | Initial Creation.
86 |
--------------------------------------------------------------------------------
/tests/mapper.c:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2021. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #include
31 | #include
32 | #include
33 | #include
34 | #include
35 | #include
36 | #include
37 | #include
38 | #include
39 |
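// Bytes that main's "patch" mode writes, reversed, into the mapping (so the
// mapped page then starts with "Hello, world!").
char str[] = "!dlrow ,olleH";

// Descriptor of the last file opened by map_file. It is closed before
// map_file returns and is kept global only because it always was.
int fd;

/*
 * Maps the first page (4096 bytes) of the file at `path` as a private,
 * writable copy and returns its address. The descriptor is closed before
 * returning; the mapping stays valid.
 *
 * On any failure a diagnostic is written to stderr and the process exits
 * with status 1, so callers never see NULL or MAP_FAILED.
 */
char* map_file(char* path)
{
  if ((fd = open(path, O_RDONLY)) < 0)
  {
    fprintf(stderr, "open: %s: %s\n", path, strerror(errno));
    exit(1);
  }

  char* rv = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);

  // mmap reports failure as MAP_FAILED, never NULL; the previous NULL check
  // let a failed mapping through, to fault on first access.
  if (rv == MAP_FAILED)
  {
    fprintf(stderr, "mmap: %s: failed: %s\n", path, strerror(errno));
    exit(1);
  }

  close(fd);
  return rv;
}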
59 |
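/*
 * Usage: mapper open <file>   map <file> and keep the process alive
 *        mapper patch <file>  map <file>, overwrite the start of the private
 *                             copy with "Hello, world!", keep the process alive
 *
 * The process then sleeps for an hour holding the mapping, presumably so an
 * external scanner can inspect this process's memory while the test runs —
 * confirm against the test that launches it. Exits with status 1 on a missing
 * or unknown argument.
 */
int main(int argc, char** argv)
{
  char* buf = NULL;

  if (argc < 2)
  {
    fprintf(stderr, "no argument\n");
    exit(1);
  }
  else if (strcmp(argv[1], "open") == 0)
  {
    if (argc < 3)
      exit(1);

    printf("%s: %s %s\n", argv[0], argv[1], argv[2]);
    buf = map_file(argv[2]);
  }
  else if (strcmp(argv[1], "patch") == 0)
  {
    if (argc < 3)
      exit(1);

    printf("%s: %s %s\n", argv[0], argv[1], argv[2]);
    buf = map_file(argv[2]);

    // Write `str` reversed into the private mapping. `len` excludes the
    // terminator; the index is size_t so it is not compared against sizeof
    // as a signed int.
    size_t len = sizeof(str) - 1;

    for (size_t i = 0; i < len; i++)
    {
      buf[i] = str[len - i - 1];
    }
  }
  else
  {
    fprintf(stderr, "unknown argument <%s>\n", argv[1]);
    exit(1);
  }

  // In "open" mode the mapping is only kept alive, never read here.
  (void) buf;

  sleep(3600);

  return 0;
}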
97 |
--------------------------------------------------------------------------------
/tests/test-re-split.c:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2019. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #include
31 | #include
32 |
33 | #include "util.h"
34 |
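// Verifies yr_re_ast_split_at_chaining_point on a hex pattern with two jumps:
// each jump is a chaining point, so the AST must split twice (yielding the
// jump's min/max gap each time) and a third split must leave no remainder.
//
// The checks are plain asserts, so the test is only meaningful in a build
// where NDEBUG is not defined; the library calls still run otherwise.
// Returns 0 on success, 1 if libyara cannot be initialized or the pattern
// fails to parse.
int main(int argc, char** argv)
{
  int result = 0;

  YR_DEBUG_INITIALIZE();
  YR_DEBUG_FPRINTF(1, stderr, "+ %s() { // in %s\n", __FUNCTION__, argv[0]);

  RE_AST* re_ast = NULL;
  RE_AST* re_ast_remain = NULL;

  RE_ERROR re_error;

  int32_t min_gap = 0;
  int32_t max_gap = 0;

  if (yr_initialize() != ERROR_SUCCESS)
    return 1;

  // Previously the parse result was ignored and only the NULL check below
  // stood in for it; an error code is now reported instead of asserted.
  if (yr_re_parse_hex(
          "{ 01 02 03 04 [0-300] 05 06 07 08 [1-400] 09 0A 0B 0C }",
          &re_ast,
          &re_error) != ERROR_SUCCESS)
  {
    yr_finalize();
    return 1;
  }

  assert(re_ast != NULL);

  // First split: at the [0-300] jump.
  yr_re_ast_split_at_chaining_point(re_ast, &re_ast_remain, &min_gap, &max_gap);

  assert(re_ast != NULL);
  assert(re_ast_remain != NULL);
  assert(min_gap == 0);
  assert(max_gap == 300);

  yr_re_ast_destroy(re_ast);
  re_ast = re_ast_remain;

  // Second split: at the [1-400] jump.
  yr_re_ast_split_at_chaining_point(re_ast, &re_ast_remain, &min_gap, &max_gap);

  assert(re_ast != NULL);
  assert(re_ast_remain != NULL);
  assert(min_gap == 1);
  assert(max_gap == 400);

  yr_re_ast_destroy(re_ast);
  re_ast = re_ast_remain;

  // No chaining point is left, so nothing remains after the third split.
  yr_re_ast_split_at_chaining_point(re_ast, &re_ast_remain, &min_gap, &max_gap);

  assert(re_ast != NULL);
  assert(re_ast_remain == NULL);

  yr_re_ast_destroy(re_ast);
  yr_finalize();

  YR_DEBUG_FPRINTF(
      1, stderr, "} = %d // %s() in %s\n", result, __FUNCTION__, argv[0]);

  return result;
}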
91 |
--------------------------------------------------------------------------------
/libyara/include/yara/sizedstr.h:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2007-2014. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #ifndef _SIZEDSTR_H
31 | #define _SIZEDSTR_H
32 |
33 | #include
34 | #include
35 |
36 | // SIZED_STRING_FLAGS_NO_CASE indicates that the string has been decorated with
37 | // the "nocase" modifier or with the /i modifier in the case of regular
38 | // expressions.
39 | #define SIZED_STRING_FLAGS_NO_CASE 1
40 |
41 | // SIZED_STRING_FLAGS_DOT_ALL is used for strings that contain a regular
42 | // expression that had the /s modifier.
43 | #define SIZED_STRING_FLAGS_DOT_ALL 2
44 |
45 |
46 | #pragma pack(push)
47 | #pragma pack(1)
48 |
//
// This struct is used to support strings containing null chars. The length of
// the string is stored along the string data. However the string data is also
// terminated with a null char.
//
// The struct is 1-byte packed (pragma pack(1) above), so there is no padding
// between the two header fields and the character data that follows them.
//
typedef struct _SIZED_STRING
{
  // Byte length of c_string; presumably excludes the trailing null char —
  // confirm in sizedstr.c before using it for buffer arithmetic.
  uint32_t length;
  // Bitwise OR of the SIZED_STRING_FLAGS_* values defined above.
  uint32_t flags;

  // Variable-length trailer: declared with one element so the struct can be
  // over-allocated. NOTE(review): a C99 flexible array member
  // (char c_string[];) is the standard-sanctioned form of this pattern.
  char c_string[1];

} SIZED_STRING;
62 |
63 | #pragma pack(pop)
64 |
// Comparison and search helpers over SIZED_STRINGs. By their naming, the
// ss_i* variants are the case-insensitive counterparts of the functions above
// them; the implementations are not in this header, so confirm the exact
// contract (return-value conventions, handling of embedded nulls) in sizedstr.c.
int ss_compare(SIZED_STRING* s1, SIZED_STRING* s2);

int ss_icompare(SIZED_STRING* s1, SIZED_STRING* s2);

bool ss_contains(SIZED_STRING* s1, SIZED_STRING* s2);

bool ss_icontains(SIZED_STRING* s1, SIZED_STRING* s2);

bool ss_startswith(SIZED_STRING* s1, SIZED_STRING* s2);

bool ss_istartswith(SIZED_STRING* s1, SIZED_STRING* s2);

bool ss_endswith(SIZED_STRING* s1, SIZED_STRING* s2);

bool ss_iendswith(SIZED_STRING* s1, SIZED_STRING* s2);

// Allocating helpers: each returns a new SIZED_STRING. Ownership of the result
// (and the function that releases it) is not visible in this header — confirm
// against sizedstr.c so the allocation is freed exactly once.
SIZED_STRING* ss_dup(SIZED_STRING* s);

SIZED_STRING* ss_new(const char* s);

SIZED_STRING* ss_convert_to_wide(SIZED_STRING* s);
86 |
87 | #endif
88 |
--------------------------------------------------------------------------------
/libyara/include/yara/endian.h:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2016. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #ifndef YR_ENDIAN_H
31 | #define YR_ENDIAN_H
32 |
33 | #include
34 |
// yr_bswapNN(x): byte-swap an NN-bit unsigned value. Each macro is resolved in
// this order:
//   1. the compiler builtin, when __has_builtin reports it;
//   2. the MSVC intrinsic, when _MSC_VER is defined;
//   3. the portable fallback _yr_bswapNN(), declared here and defined in a
//      source file that is not part of this header.
// NOTE(review): file-scope identifiers that begin with an underscore are
// reserved by the C standard; the _yr_bswapNN names technically fall in that
// space.
#if defined(__has_builtin)
#if __has_builtin(__builtin_bswap16)
#define yr_bswap16(x) __builtin_bswap16(x)
#endif
#endif

#if !defined(yr_bswap16) && defined(_MSC_VER)
#define yr_bswap16(x) _byteswap_ushort(x)
#endif

#if !defined(yr_bswap16)
uint16_t _yr_bswap16(uint16_t x);
#define yr_bswap16(x) _yr_bswap16(x)
#endif

#if defined(__has_builtin)
#if __has_builtin(__builtin_bswap32)
#define yr_bswap32(x) __builtin_bswap32(x)
#endif
#endif

#if !defined(yr_bswap32) && defined(_MSC_VER)
#define yr_bswap32(x) _byteswap_ulong(x)
#endif

#if !defined(yr_bswap32)
uint32_t _yr_bswap32(uint32_t x);
#define yr_bswap32(x) _yr_bswap32(x)
#endif

#if defined(__has_builtin)
#if __has_builtin(__builtin_bswap64)
#define yr_bswap64(x) __builtin_bswap64(x)
#endif
#endif

#if !defined(yr_bswap64) && defined(_MSC_VER)
#define yr_bswap64(x) _byteswap_uint64(x)
#endif

#if !defined(yr_bswap64)
uint64_t _yr_bswap64(uint64_t x);
#define yr_bswap64(x) _yr_bswap64(x)
#endif

// yr_leNNtoh / yr_beNNtoh: convert a little-/big-endian stored value to host
// order. WORDS_BIGENDIAN is expected to come from the build configuration;
// when it is set the little-endian readers swap and the big-endian readers are
// the identity, otherwise the reverse. Each macro evaluates its argument once.
#if defined(WORDS_BIGENDIAN)
#define yr_le16toh(x) yr_bswap16(x)
#define yr_le32toh(x) yr_bswap32(x)
#define yr_le64toh(x) yr_bswap64(x)
#define yr_be16toh(x) (x)
#define yr_be32toh(x) (x)
#define yr_be64toh(x) (x)
#else
#define yr_le16toh(x) (x)
#define yr_le32toh(x) (x)
#define yr_le64toh(x) (x)
#define yr_be16toh(x) yr_bswap16(x)
#define yr_be32toh(x) yr_bswap32(x)
#define yr_be64toh(x) yr_bswap64(x)
#endif
95 |
96 | #endif
97 |
--------------------------------------------------------------------------------
/extra/codemirror/yara.js:
--------------------------------------------------------------------------------
1 | /*
2 | Language mode for CodeMirror (https://codemirror.net/)
3 | */
4 |
// CodeMirror mode for YARA rules: a single-pass tokenizer whose only state is
// the currently active sub-tokenizer (string or block comment), if any.
CodeMirror.defineMode("yara", function (config) {
  // Builds a lookup set ({word: true}) from a space-separated word list.
  function wordSet(list) {
    var set = {};
    list.split(" ").forEach(function (word) {
      set[word] = true;
    });
    return set;
  }

  var keywords = wordSet(
    "all and any ascii at base64 base64wide condition contains endswith entrypoint filesize for " +
    "fullword global icontains iendswith import in include int16 int32 int8 istartswith matches meta " +
    "nocase not of or private rule startswith strings them uint16 uint32 " +
    "uint8 wide xor");

  var atoms = { "true": true, "false": true };

  // Character classes used by tokenBase. None of these regexps is global, so
  // reusing them across calls carries no lastIndex state.
  var operatorChar = /[+\-*&%=<>!?|\/]/;
  var punctuationChar = /[\[\]{}\(\),;\:\.]/;
  var digitChar = /\d/;
  var wordChar = /[\w\$_]/;
  var numberChar = /[\w\.]/;

  // Tokenizer used when no string or comment is open. Returns the CodeMirror
  // style name for the token starting at the stream position, or null.
  function tokenBase(stream, state) {
    var ch = stream.next();

    // startState() below never sets `startOfLine`, so as far as this file shows
    // this branch is inert; it is kept so behaviour is unchanged.
    if (ch == "#" && state.startOfLine) {
      stream.skipToEnd();
      return "meta";
    }

    if (punctuationChar.test(ch)) return null;

    if (digitChar.test(ch)) {
      stream.eatWhile(numberChar);
      return "number";
    }

    if (ch == "/") {
      if (stream.eat("/")) {
        stream.skipToEnd();
        return "comment";
      }
      if (stream.eat("*")) {
        state.tokenize = tokenComment;
        return tokenComment(stream, state);
      }
      // Neither comment form: a lone "/" is handled as a regexp delimiter below.
    }

    if (ch == '"' || ch == "/") {
      state.tokenize = tokenString(ch);
      return state.tokenize(stream, state);
    }

    if (operatorChar.test(ch)) {
      stream.eatWhile(operatorChar);
      return "operator";
    }

    stream.eatWhile(wordChar);
    var word = stream.current();
    if (keywords.propertyIsEnumerable(word)) return "keyword";
    if (atoms.propertyIsEnumerable(word)) return "atom";
    return "word";
  }

  // Returns a tokenizer that consumes up to the closing `quote`, honouring
  // backslash escapes. The sub-tokenizer stays installed across lines only when
  // the line ended on an unfinished escape.
  function tokenString(quote) {
    return function (stream, state) {
      var escaped = false;
      var closed = false;
      var ch;
      while ((ch = stream.next()) != null) {
        if (ch == quote && !escaped) {
          closed = true;
          break;
        }
        escaped = !escaped && ch == "\\";
      }
      if (closed || !escaped) state.tokenize = null;
      return "string";
    };
  }

  // Consumes the remainder of a block comment; uninstalls itself at "*/".
  function tokenComment(stream, state) {
    var sawStar = false;
    var ch;
    while ((ch = stream.next())) {
      if (sawStar && ch == "/") {
        state.tokenize = null;
        break;
      }
      sawStar = ch == "*";
    }
    return "comment";
  }

  // Interface

  return {
    startState: function (basecolumn) {
      return { tokenize: null };
    },

    token: function (stream, state) {
      if (stream.eatSpace()) return null;
      var tokenizer = state.tokenize || tokenBase;
      return tokenizer(stream, state);
    },

    electricChars: "{}"
  };
});

["text/yara", "text/x-yara"].forEach(function (mime) {
  CodeMirror.defineMIME(mime, "yara");
});
101 |
--------------------------------------------------------------------------------
/libyara/include/yara/unaligned.h:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2016. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #ifndef YR_UNALIGNED_H
31 | #define YR_UNALIGNED_H
32 |
33 | #include
34 |
35 | #pragma pack(push)
36 | #pragma pack(1)
37 |
// 1-byte packed (pragma pack(1) above) wrapper around a uint16_t. Casting an
// arbitrary pointer to this type lets yr_unaligned_u16() read through it
// without the compiler assuming natural alignment.
typedef struct
{
  uint16_t val;
} uint16_una_t;
42 |
// Packed wrapper around a uint32_t; read through by yr_unaligned_u32().
typedef struct
{
  uint32_t val;
} uint32_una_t;
47 |
// Packed wrapper around a uint64_t; read through by yr_unaligned_u64().
typedef struct
{
  uint64_t val;
} uint64_una_t;
52 |
// Packed wrapper around an int16_t; read through by yr_unaligned_i16().
typedef struct
{
  int16_t val;
} int16_una_t;
57 |
// Packed wrapper around an int32_t; read through by yr_unaligned_i32().
typedef struct
{
  int32_t val;
} int32_una_t;
62 |
// Packed wrapper around an int64_t; read through by yr_unaligned_i64().
typedef struct
{
  int64_t val;
} int64_una_t;
67 |
// Packed wrapper around a char pointer; read through by
// yr_unaligned_char_ptr(). The pointer value itself is copied, not the text
// it points to.
typedef struct
{
  char *val;
} charp_una_t;
72 |
73 | #pragma pack(pop)
74 |
// Reads a uint16_t through a pointer that need not be 2-byte aligned. The
// bytes are copied in memory order, so the result is in host byte order —
// the same value a direct packed-struct read yields.
static inline uint16_t yr_unaligned_u16(const void *ptr)
{
  union
  {
    uint8_t bytes[sizeof(uint16_t)];
    uint16_t value;
  } u;
  const uint8_t *src = (const uint8_t *) ptr;

  for (unsigned i = 0; i < sizeof u.bytes; i++)
    u.bytes[i] = src[i];

  return u.value;
}
80 |
// Reads a uint32_t through a pointer that need not be 4-byte aligned; bytes
// are taken in memory order, so the result is in host byte order.
static inline uint32_t yr_unaligned_u32(const void *ptr)
{
  union
  {
    uint8_t bytes[sizeof(uint32_t)];
    uint32_t value;
  } u;
  const uint8_t *src = (const uint8_t *) ptr;

  for (unsigned i = 0; i < sizeof u.bytes; i++)
    u.bytes[i] = src[i];

  return u.value;
}
86 |
// Reads a uint64_t through a pointer that need not be 8-byte aligned; bytes
// are taken in memory order, so the result is in host byte order.
static inline uint64_t yr_unaligned_u64(const void *ptr)
{
  union
  {
    uint8_t bytes[sizeof(uint64_t)];
    uint64_t value;
  } u;
  const uint8_t *src = (const uint8_t *) ptr;

  for (unsigned i = 0; i < sizeof u.bytes; i++)
    u.bytes[i] = src[i];

  return u.value;
}
92 |
// Reads an int16_t through a pointer that need not be 2-byte aligned.
// NOTE(review): the declared return type is uint16_t, so the sign is dropped
// at the return (bytes FF FF come back as 0xFFFF, not -1); the signature is
// kept as-is to preserve the existing contract.
static inline uint16_t yr_unaligned_i16(const void *ptr)
{
  union
  {
    uint8_t bytes[sizeof(int16_t)];
    int16_t value;
  } u;
  const uint8_t *src = (const uint8_t *) ptr;

  for (unsigned i = 0; i < sizeof u.bytes; i++)
    u.bytes[i] = src[i];

  return u.value;
}
98 |
// Reads an int32_t through a pointer that need not be 4-byte aligned.
// NOTE(review): the declared return type is uint32_t, so negative values are
// returned as their two's-complement bit pattern; the signature is kept as-is
// to preserve the existing contract.
static inline uint32_t yr_unaligned_i32(const void *ptr)
{
  union
  {
    uint8_t bytes[sizeof(int32_t)];
    int32_t value;
  } u;
  const uint8_t *src = (const uint8_t *) ptr;

  for (unsigned i = 0; i < sizeof u.bytes; i++)
    u.bytes[i] = src[i];

  return u.value;
}
104 |
// Reads an int64_t through a pointer that need not be 8-byte aligned.
// NOTE(review): the declared return type is uint64_t, so negative values are
// returned as their two's-complement bit pattern; the signature is kept as-is
// to preserve the existing contract.
static inline uint64_t yr_unaligned_i64(const void *ptr)
{
  union
  {
    uint8_t bytes[sizeof(int64_t)];
    int64_t value;
  } u;
  const uint8_t *src = (const uint8_t *) ptr;

  for (unsigned i = 0; i < sizeof u.bytes; i++)
    u.bytes[i] = src[i];

  return u.value;
}
110 |
// Reads a char pointer value stored at a possibly unaligned location. Only the
// pointer bytes are copied; the memory it points to is not touched.
static inline char *yr_unaligned_char_ptr(const void *ptr)
{
  union
  {
    uint8_t bytes[sizeof(char *)];
    char *value;
  } u;
  const uint8_t *src = (const uint8_t *) ptr;

  for (unsigned i = 0; i < sizeof u.bytes; i++)
    u.bytes[i] = src[i];

  return u.value;
}
116 |
117 | #endif
118 |
--------------------------------------------------------------------------------
/appveyor.yml:
--------------------------------------------------------------------------------
1 | # AppVeyor CI for Windows
2 |
3 | version: '{branch}-{build}'
4 |
5 | pull_requests:
6 | do_not_increment_build_number: true
7 |
8 | environment:
9 | matrix:
10 | - TARGET: vs2015
11 | APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2015
12 | VisualStudioVersion: 14.0
13 | platform: x86
14 | configuration: Release
15 | artifact_postfix: win32
16 | - TARGET: vs2015
17 | APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2015
18 | VisualStudioVersion: 14.0
19 | platform: x86
20 | configuration: Debug
21 | - TARGET: vs2015
22 | APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2015
23 | VisualStudioVersion: 14.0
24 | platform: x64
25 | configuration: Release
26 | artifact_postfix: win64
27 | - TARGET: vs2015
28 | APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2015
29 | VisualStudioVersion: 14.0
30 | platform: x64
31 | configuration: Debug
32 | - TARGET: cygwin
33 |
34 | for:
35 | -
36 | matrix:
37 | only:
38 | - TARGET: cygwin
39 |
40 | # Disable the installation of flex and bison packages. For some reason this
41 | # now (2021-04-19) upgrades the perl_base package to version 5.32.1-1 which
42 | # later fails with error:
43 | # Can't locate threads.pm in @INC (you may need to install the threads module)
44 | #
45 | # before_build:
46 | # - cmd: C:\cygwin64\setup-x86_64.exe --quiet-mode --no-desktop --no-shortcuts --no-startmenu --no-admin --packages flex,bison
47 |
48 | build_script:
49 | - cmd: C:\cygwin64\bin\bash -e -l -c "cd c:/projects/yara && ./build.sh"
50 |
51 | test_script:
52 | - cmd: C:\cygwin64\bin\bash -e -l -c "cd c:/projects/yara && make check"
53 |
54 | -
55 | matrix:
56 | only:
57 | - TARGET: vs2015
58 | - configuration: Release
59 |
60 | before_build:
61 | - ps: nuget restore windows/vs2015/yara.sln
62 |
63 | build:
64 | project: windows/vs2015/yara.sln
65 | verbosity: minimal
66 |
67 | after_build:
68 | - cmd: 7z a yara-%APPVEYOR_BUILD_VERSION%-%ARTIFACT_POSTFIX%.zip %APPVEYOR_BUILD_FOLDER%\windows\%TARGET%\%CONFIGURATION%\yara*.exe
69 |
70 | artifacts:
71 | - path: yara-$(APPVEYOR_BUILD_VERSION)-$(ARTIFACT_POSTFIX).zip
72 | name: yara-$(APPVEYOR_BUILD_VERSION)-$(ARTIFACT_POSTFIX)
73 | type: zip
74 |
75 | deploy:
76 | tag: $(APPVEYOR_REPO_TAG_NAME)
77 | release: YARA $(APPVEYOR_REPO_TAG_NAME)
78 | provider: GitHub
79 | auth_token:
80 | secure: k+4xp4M/IEqXhKKYwo3DY2ko6VenOfSBEij3AasSiz1i8vsCwfcGxhuae0kj7Gj2
81 | artifact: yara-$(APPVEYOR_BUILD_VERSION)-$(ARTIFACT_POSTFIX)
82 | draft: true
83 | on:
84 | APPVEYOR_REPO_TAG: true # deploy on tag push only
85 |
86 | test_script:
87 | - cmd: c:/projects/yara/windows/vs2015/%CONFIGURATION%/test-alignment.exe
88 |
89 | -
90 | matrix:
91 | only:
92 | - TARGET: vs2015
93 | - configuration: Debug
94 |
95 | before_build:
96 | - ps: nuget restore windows/vs2015/yara.sln
97 |
98 | build:
99 | project: windows/vs2015/yara.sln
100 | verbosity: minimal
101 |
102 | test_script:
103 | - cmd: c:/projects/yara/windows/vs2015/%CONFIGURATION%/test-alignment.exe
104 |
105 |
106 | # Uncomment the lines below for enabling Remote Desktop in the Appveyor. This
107 | # allows connecting to the remote machine to debug issues.
108 | # on_finish:
109 | # - ps: $blockRdp = $true; iex ((new-object net.webclient).DownloadString('https://raw.githubusercontent.com/appveyor/ci/master/scripts/enable-rdp.ps1'))
110 |
--------------------------------------------------------------------------------
/libyara/modules/pe/authenticode-parser/structs.c:
--------------------------------------------------------------------------------
1 | /* Copyright (c) 2021 Avast Software
2 |
3 | Permission is hereby granted, free of charge, to any person obtaining a copy of
4 | this software and associated documentation files (the "Software"), to deal
5 | in the Software without restriction, including without limitation the rights to
6 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
7 | of the Software, and to permit persons to whom the Software is furnished to do
8 | so, subject to the following conditions:
9 |
10 | The above copyright notice and this permission notice shall be included in all
11 | copies or substantial portions of the Software.
12 |
13 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
14 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
15 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
16 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
17 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
18 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
19 | SOFTWARE.
20 | */
21 |
22 | #include "structs.h"
23 |
// OpenSSL ASN.1 templates for the Authenticode-specific (Spc*) structures.
// Each ASN1_*() block maps a C struct declared in structs.h onto its encoded
// form; the trailing number in the *_IMP_OPT/*_EXP_OPT entries is the
// context-specific tag, IMP = IMPLICIT, EXP = EXPLICIT, OPT = OPTIONAL.

// SpcString ::= CHOICE { unicode [0] IMPLICIT BMPString, ascii [1] IMPLICIT IA5String }
ASN1_CHOICE(SpcString) = {
    ASN1_IMP_OPT(SpcString, value.unicode, ASN1_BMPSTRING, 0),
    ASN1_IMP_OPT(SpcString, value.ascii, ASN1_IA5STRING, 1)
} ASN1_CHOICE_END(SpcString)

// SpcSerializedObject ::= SEQUENCE { classId OCTET STRING, serializedData OCTET STRING }
ASN1_SEQUENCE(SpcSerializedObject) = {
    ASN1_SIMPLE(SpcSerializedObject, classId, ASN1_OCTET_STRING),
    ASN1_SIMPLE(SpcSerializedObject, serializedData, ASN1_OCTET_STRING)
} ASN1_SEQUENCE_END(SpcSerializedObject)

// SpcLink ::= CHOICE { url [0] IMPLICIT IA5String,
//                      moniker [1] IMPLICIT SpcSerializedObject,
//                      file [2] EXPLICIT SpcString }
ASN1_CHOICE(SpcLink) = {
    ASN1_IMP_OPT(SpcLink, value.url, ASN1_IA5STRING, 0),
    ASN1_IMP_OPT(SpcLink, value.moniker, SpcSerializedObject, 1),
    ASN1_EXP_OPT(SpcLink, value.file, SpcString, 2)
} ASN1_CHOICE_END(SpcLink)

// SpcAttributeTypeAndOptionalValue ::= SEQUENCE { type OBJECT IDENTIFIER, value ANY OPTIONAL }
// NOTE(review): `value` is decoded as ASN1_ANY, so consumers must check the
// decoded type against `type` before interpreting it.
ASN1_SEQUENCE(SpcAttributeTypeAndOptionalValue) = {
    ASN1_SIMPLE(SpcAttributeTypeAndOptionalValue, type, ASN1_OBJECT),
    ASN1_OPT(SpcAttributeTypeAndOptionalValue, value, ASN1_ANY)
} ASN1_SEQUENCE_END(SpcAttributeTypeAndOptionalValue)

// SpcPeImageData ::= SEQUENCE { flags BIT STRING, file [0] EXPLICIT SpcLink OPTIONAL }
ASN1_SEQUENCE(SpcPeImageData) = {
    ASN1_SIMPLE(SpcPeImageData, flags, ASN1_BIT_STRING),
    ASN1_EXP_OPT(SpcPeImageData, file, SpcLink, 0)
} ASN1_SEQUENCE_END(SpcPeImageData)

// AlgorithmIdentifier ::= SEQUENCE { algorithm OBJECT IDENTIFIER, parameters ANY OPTIONAL }
ASN1_SEQUENCE(AlgorithmIdentifier) = {
    ASN1_SIMPLE(AlgorithmIdentifier, algorithm, ASN1_OBJECT),
    ASN1_OPT(AlgorithmIdentifier, parameters, ASN1_ANY)
} ASN1_SEQUENCE_END(AlgorithmIdentifier)

// DigestInfo ::= SEQUENCE { digestAlgorithm AlgorithmIdentifier, digest OCTET STRING }
ASN1_SEQUENCE(DigestInfo) = {
    ASN1_SIMPLE(DigestInfo, digestAlgorithm, AlgorithmIdentifier),
    ASN1_SIMPLE(DigestInfo, digest, ASN1_OCTET_STRING)
} ASN1_SEQUENCE_END(DigestInfo)

// SpcIndirectDataContent ::= SEQUENCE { data SpcAttributeTypeAndOptionalValue,
//                                       messageDigest DigestInfo }
ASN1_SEQUENCE(SpcIndirectDataContent) = {
    ASN1_SIMPLE(SpcIndirectDataContent, data, SpcAttributeTypeAndOptionalValue),
    ASN1_SIMPLE(SpcIndirectDataContent, messageDigest, DigestInfo)
} ASN1_SEQUENCE_END(SpcIndirectDataContent)

// SpcSpOpusInfo ::= SEQUENCE { programName [0] EXPLICIT SpcString OPTIONAL,
//                              moreInfo [1] EXPLICIT SpcLink OPTIONAL }
ASN1_SEQUENCE(SpcSpOpusInfo) = {
    ASN1_EXP_OPT(SpcSpOpusInfo, programName, SpcString, 0),
    ASN1_EXP_OPT(SpcSpOpusInfo, moreInfo, SpcLink, 1)
} ASN1_SEQUENCE_END(SpcSpOpusInfo)

// Generates the X_new/X_free/d2i_X/i2d_X functions for each template above.
IMPLEMENT_ASN1_FUNCTIONS(SpcString)
IMPLEMENT_ASN1_FUNCTIONS(SpcSerializedObject)
IMPLEMENT_ASN1_FUNCTIONS(SpcLink)
IMPLEMENT_ASN1_FUNCTIONS(SpcAttributeTypeAndOptionalValue)
IMPLEMENT_ASN1_FUNCTIONS(SpcPeImageData)
IMPLEMENT_ASN1_FUNCTIONS(AlgorithmIdentifier)
IMPLEMENT_ASN1_FUNCTIONS(DigestInfo)
IMPLEMENT_ASN1_FUNCTIONS(SpcIndirectDataContent)
IMPLEMENT_ASN1_FUNCTIONS(SpcSpOpusInfo)
79 |
--------------------------------------------------------------------------------
/libyara/hex_grammar.h:
--------------------------------------------------------------------------------
1 | /* A Bison parser, made by GNU Bison 3.8.2. */
2 |
3 | /* Bison interface for Yacc-like parsers in C
4 |
5 | Copyright (C) 1984, 1989-1990, 2000-2015, 2018-2021 Free Software Foundation,
6 | Inc.
7 |
8 | This program is free software: you can redistribute it and/or modify
9 | it under the terms of the GNU General Public License as published by
10 | the Free Software Foundation, either version 3 of the License, or
11 | (at your option) any later version.
12 |
13 | This program is distributed in the hope that it will be useful,
14 | but WITHOUT ANY WARRANTY; without even the implied warranty of
15 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 | GNU General Public License for more details.
17 |
18 | You should have received a copy of the GNU General Public License
19 | along with this program. If not, see . */
20 |
21 | /* As a special exception, you may create a larger work that contains
22 | part or all of the Bison parser skeleton and distribute that work
23 | under terms of your choice, so long as that work isn't itself a
24 | parser generator using the skeleton or a modified version thereof
25 | as a parser skeleton. Alternatively, if you modify or redistribute
26 | the parser skeleton itself, you may (at your option) remove this
27 | special exception, which will cause the skeleton and the resulting
28 | Bison output files to be licensed under the GNU General Public
29 | License without this special exception.
30 |
31 | This special exception was added by the Free Software Foundation in
32 | version 2.2 of Bison. */
33 |
34 | /* DO NOT RELY ON FEATURES THAT ARE NOT DOCUMENTED in the manual,
35 | especially those whose name start with YY_ or yy_. They are
36 | private implementation details that can be changed or removed. */
37 |
38 | #ifndef YY_HEX_YY_HEX_GRAMMAR_H_INCLUDED
39 | # define YY_HEX_YY_HEX_GRAMMAR_H_INCLUDED
40 | /* Debug traces. */
41 | #ifndef YYDEBUG
42 | # define YYDEBUG 0
43 | #endif
44 | #if YYDEBUG
45 | extern int hex_yydebug;
46 | #endif
47 |
48 | /* Token kinds. */
49 | #ifndef YYTOKENTYPE
50 | # define YYTOKENTYPE
/* Token kinds for the hex-string grammar. This header is generated by Bison
   from hex_grammar.y (see the #line directives below): edit the .y file, not
   this one. The values must stay identical to the #define copies that
   follow the enum. */
enum yytokentype
{
  YYEMPTY = -2,
  YYEOF = 0, /* "end of file" */
  YYerror = 256, /* error */
  YYUNDEF = 257, /* "invalid token" */
  _BYTE_ = 258, /* _BYTE_ */
  _MASKED_BYTE_ = 259, /* _MASKED_BYTE_ */
  _NOT_BYTE_ = 260, /* _NOT_BYTE_ */
  _MASKED_NOT_BYTE_ = 261, /* _MASKED_NOT_BYTE_ */
  _NUMBER_ = 262 /* _NUMBER_ */
};
63 | typedef enum yytokentype yytoken_kind_t;
64 | #endif
65 | /* Token kinds. */
66 | #define YYEMPTY -2
67 | #define YYEOF 0
68 | #define YYerror 256
69 | #define YYUNDEF 257
70 | #define _BYTE_ 258
71 | #define _MASKED_BYTE_ 259
72 | #define _NOT_BYTE_ 260
73 | #define _MASKED_NOT_BYTE_ 261
74 | #define _NUMBER_ 262
75 |
76 | /* Value type. */
77 | #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
78 | union YYSTYPE
79 | {
80 | #line 78 "hex_grammar.y"
81 |
82 | int64_t integer;
83 | RE_NODE *re_node;
84 |
85 | #line 86 "hex_grammar.h"
86 |
87 | };
88 | typedef union YYSTYPE YYSTYPE;
89 | # define YYSTYPE_IS_TRIVIAL 1
90 | # define YYSTYPE_IS_DECLARED 1
91 | #endif
92 |
93 |
94 |
95 |
96 | int hex_yyparse (void *yyscanner, HEX_LEX_ENVIRONMENT *lex_env);
97 |
98 |
99 | #endif /* !YY_HEX_YY_HEX_GRAMMAR_H_INCLUDED */
100 |
--------------------------------------------------------------------------------
/libyara/include/yara/strutils.h:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2007-2014. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #ifndef YR_STRUTILS_H
31 | #define YR_STRUTILS_H
32 |
33 | #include
34 | #include
35 | #include
36 | #include
37 | #include
38 |
39 | #if defined(_WIN32)
40 |
41 | #if !defined(PRIu64)
42 | #define PRIu64 "I64u"
43 | #endif
44 |
45 | #if !defined(PRIu32)
46 | #define PRIu32 "I32u"
47 | #endif
48 |
49 | #if !defined(PRIx64)
50 | #define PRIx64 "I64x"
51 | #endif
52 |
53 | #if !defined(PRId64)
54 | #define PRId64 "I64d"
55 | #endif
56 |
57 | #if !defined(PRIi32)
58 | #define PRIi32 "I32i"
59 | #endif
60 |
61 | #if !defined(PRIi64)
62 | #define PRIi64 "I64i"
63 | #endif
64 |
65 | #if !defined(PRIo64)
66 | #define PRIo64 "I64o"
67 | #endif
68 |
69 | #else
70 | #include
71 | #endif
72 |
// Cygwin already has these functions.
#if defined(_WIN32) && !defined(__CYGWIN__)
#if defined(_MSC_VER) && _MSC_VER < 1900

// NOTE(review): on these older MSVC versions _snprintf is not a drop-in for
// C99 snprintf — it does not guarantee NUL-termination when the output is
// truncated and its return value differs on truncation. Callers that rely on a
// terminated result should check the return value against the buffer size.
#if !defined(snprintf)
#define snprintf _snprintf
#endif

#endif
// Map the POSIX case-insensitive comparison names onto the MSVC CRT ones.
#define strcasecmp _stricmp
#define strncasecmp _strnicmp
#endif
85 |
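// Parses a hexadecimal string into an integer.
// NOTE(review): how malformed input is signalled is not visible in this
// header — confirm in strutils.c before using the result on untrusted text.
uint64_t xtoi(const char* hexstr);

// Bounded copy/concatenation, declared only when the platform lacks them.
// Presumably these follow the BSD strlcpy/strlcat contract (result is
// NUL-terminated when size > 0; the length that would have been needed is
// returned so truncation can be detected) — confirm in strutils.c.
#if !HAVE_STRLCPY && !defined(strlcpy)
size_t strlcpy(char* dst, const char* src, size_t size);
#endif

#if !HAVE_STRLCAT && !defined(strlcat)
size_t strlcat(char* dst, const char* src, size_t size);
#endif

// Locates `needle` inside `haystack` using explicit lengths rather than NUL
// terminators; fallback declaration for platforms without memmem().
#if !HAVE_MEMMEM && !defined(memmem)
void* memmem(
    const void* haystack,
    size_t haystack_size,
    const void* needle,
    size_t needle_size);
#endif

// Helpers for "wide" strings (w_str / w_src). Their exact encoding is not
// visible here — confirm in strutils.c. NOTE(review): strnlen_w returns int
// where size_t would be the idiomatic type for a length.
int strnlen_w(const char* w_str);

int strcmp_w(const char* w_str, const char* str);

size_t strlcpy_w(char* dst, const char* w_src, size_t n);

// Takes a pointer to the byte to classify rather than the byte itself.
int yr_isalnum(const uint8_t* s);

// printf-style helpers that allocate the formatted result into *strp. `fmt`
// must be a trusted (literal) format string, never caller-supplied text. How
// *strp is allocated/released and how failures are reported is not visible
// here — confirm in strutils.c.
void yr_vasprintf(char** strp, const char* fmt, va_list ap);

void yr_asprintf(char** strp, const char* fmt, ...);

// The include guard closes here so that every declaration above — including
// yr_isalnum/yr_vasprintf/yr_asprintf, which previously sat after the #endif
// and were therefore re-declared on every inclusion — is guarded.
#endif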
117 |
--------------------------------------------------------------------------------
/libyara/include/yara/dex.h:
--------------------------------------------------------------------------------
1 | #ifndef _DEX_H
2 | #define _DEX_H
3 |
4 | #include
5 | #include
6 | #include
7 |
// DEX file magic: "dex\n" followed by a three-digit version and a NUL byte,
// matching the 8-byte `magic` field of dex_header_t. Each literal holds an
// embedded \x00 before its implicit terminator, so compare it with memcmp()
// over the 8-byte field, never with strcmp()/strlen().
#define DEX_FILE_MAGIC_035 "dex\n035\x00"
#define DEX_FILE_MAGIC_036 "dex\n036\x00"
#define DEX_FILE_MAGIC_037 "dex\n037\x00"
#define DEX_FILE_MAGIC_038 "dex\n038\x00"
#define DEX_FILE_MAGIC_039 "dex\n039\x00"
13 |
14 | #pragma pack(push, 1)
15 |
// On-disk DEX header, 1-byte packed (pragma pack(push, 1) above): 8 + 4 + 20
// bytes plus 21 uint32_t fields = 112 bytes. Fields hold the raw file bytes;
// byte-order handling is up to the code reading them (see endian_tag). Every
// *_offset/*_size pair below is untrusted input and must be bounds-checked
// (fits_in_dex() at the end of this header) before it is dereferenced.
typedef struct
{
  uint8_t magic[8];
  uint32_t checksum;
  uint8_t signature[20];
  uint32_t file_size;
  uint32_t header_size;
  uint32_t endian_tag;
  uint32_t link_size;
  uint32_t link_offset;
  uint32_t map_offset;
  uint32_t string_ids_size;
  uint32_t string_ids_offset;
  uint32_t type_ids_size;
  uint32_t type_ids_offset;
  uint32_t proto_ids_size;
  uint32_t proto_ids_offset;
  uint32_t field_ids_size;
  uint32_t field_ids_offset;
  uint32_t method_ids_size;
  uint32_t method_ids_offset;
  uint32_t class_defs_size;
  uint32_t class_defs_offset;
  uint32_t data_size;
  uint32_t data_offset;
} dex_header_t;
42 |
// One entry of the string_ids table: a file offset that must be range-checked
// before use.
typedef struct
{
  uint32_t string_data_offset;
} string_id_item_t;
47 |
// NOTE(review): in the DEX format utf16_size is ULEB128-encoded on disk, so
// this fixed-width layout cannot be overlaid directly on file bytes — confirm
// how dex.c fills it before treating it as an on-disk view.
typedef struct
{
  uint32_t utf16_size;
} string_data_item_t;
52 |
// One entry of the type_ids table: an index into string_ids (untrusted; check
// against string_ids_size before indexing).
typedef struct
{
  uint32_t descriptor_idx;
} type_id_item_t;
57 |
// One entry of the proto_ids table; the indices and the offset are untrusted
// file values.
typedef struct
{
  uint32_t shorty_idx;
  uint32_t return_type_idx;
  uint32_t parameters_offset;
} proto_id_item_t;
64 |
// One entry of the field_ids table (8 bytes packed).
typedef struct
{
  uint16_t class_idx;
  uint16_t type_idx;
  uint32_t name_idx;
} field_id_item_t;
71 |
// One entry of the method_ids table (8 bytes packed).
typedef struct
{
  uint16_t class_idx;
  uint16_t proto_idx;
  uint32_t name_idx;
} method_id_item_t;
78 |
// One entry of the class_defs table (32 bytes packed). All *_offset fields are
// untrusted file positions; a zero offset is commonly used to mean "absent"
// in DEX, so callers should confirm how dex.c treats zero before following it.
typedef struct
{
  uint32_t class_idx;
  uint32_t access_flags;
  uint32_t super_class_idx;
  uint32_t interfaces_offset;
  uint32_t source_file_idx;
  uint32_t annotations_offset;
  uint32_t class_data_offset;
  uint32_t static_values_offset;
} class_id_item_t;
90 |
// NOTE(review): in the DEX format all four of these counts are ULEB128-encoded
// on disk, so this struct is a decoded in-memory holder rather than an overlay
// on file bytes — confirm against the code in dex.c that populates it.
typedef struct
{
  uint32_t static_fields_size;
  uint32_t instance_fields_size;
  uint32_t direct_methods_size;
  uint32_t virtual_methods_size;
} class_data_item_t;
98 |
// NOTE(review): on disk both fields are ULEB128-encoded and field_idx_diff is
// a delta from the previous entry, so this is a decoded holder, not an overlay
// — confirm against dex.c.
typedef struct
{
  uint32_t field_idx_diff;
  uint32_t access_flags;
} encoded_field_t;
104 |
// NOTE(review): on disk all three fields are ULEB128-encoded and
// method_idx_diff is a delta from the previous entry, so this is a decoded
// holder, not an overlay — confirm against dex.c. code_off is an untrusted
// file offset.
typedef struct
{
  uint32_t method_idx_diff;
  uint32_t access_flags;
  uint32_t code_off;
} encoded_method_t;
111 |
// Fixed-width prefix of a code_item (16 bytes packed); insns_size counts the
// instruction units that follow and must be bounds-checked before they are
// read.
typedef struct
{
  uint16_t registers_size;
  uint16_t ins_size;
  uint16_t outs_size;
  uint16_t tries_size;
  uint32_t debug_info_off;
  uint32_t insns_size;
} code_item_t;
121 |
// One entry of the map list (12 bytes packed); `offset` and `size` are
// untrusted file values.
typedef struct
{
  uint16_t type;
  uint16_t unused;
  uint32_t size;
  uint32_t offset;
} map_item_t;
129 |
// Parsing context for one DEX file. `data`/`data_size` bound the buffer that
// fits_in_dex() (below) validates every pointer against; `header` is expected
// to point into that buffer and `object` is the module object being filled.
typedef struct _DEX
{
  const uint8_t* data;
  size_t data_size;
  dex_header_t* header;
  YR_OBJECT* object;
} DEX;
137 |
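// fits_in_dex(dex, pointer, size): true when `size` bytes starting at
// `pointer` lie entirely inside [dex->data, dex->data + dex->data_size).
// The `size <= data_size` test runs first so that `data_size - size` in the
// last comparison cannot wrap. Every argument is parenthesized: without that,
// an expression argument such as `a + b` was cast as `(size_t) a + b` and
// subtracted as `data_size - a + b`, which let an over-long range pass.
#define fits_in_dex(dex, pointer, size)                          \
  ((size_t) (size) <= (dex)->data_size &&                        \
   (uint8_t*) (pointer) >= (dex)->data &&                        \
   (uint8_t*) (pointer) <= (dex)->data + (dex)->data_size - (size))

// struct_fits_in_dex(dex, pointer, struct_type): fits_in_dex() for one
// instance of struct_type located at `pointer`.
#define struct_fits_in_dex(dex, pointer, struct_type) \
  fits_in_dex(dex, pointer, sizeof(struct_type))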
144 |
145 | #pragma pack(pop)
146 |
147 | #endif
148 |
--------------------------------------------------------------------------------