54 |
55 |
--------------------------------------------------------------------------------
/CONTRIBUTORS:
--------------------------------------------------------------------------------
1 | # This is the official list of people who can contribute
2 | # (and typically have contributed) code to the YARA repository.
3 | # The AUTHORS file lists the copyright holders; this file
4 | # lists people. For example, Google employees are listed here
5 | # but not in AUTHORS, because Google holds the copyright.
6 | #
7 | # The submission process automatically checks to make sure
8 | # that people submitting code are listed in this file (by email address).
9 | #
10 | # Names should be added to this file only after verifying that
11 | # the individual or the individual's organization has agreed to
12 | # the appropriate Contributor License Agreement, found here:
13 | #
14 | # http://code.google.com/legal/individual-cla-v1.0.html
15 | # http://code.google.com/legal/corporate-cla-v1.0.html
16 | #
17 | # The agreement for individuals can be filled out on the web.
18 | #
19 | # When adding J Random Contributor's name to this file,
20 | # either J's name or J's organization's name should be
21 | # added to the AUTHORS file, depending on whether the
22 | # individual or corporate CLA was used.
23 |
24 | # Names should be added to this file like so:
25 | # Name
26 |
27 | # Please keep the list sorted.
28 |
29 | Anthony Desnos
30 | Antonio Vargas Gonzalez
31 | Christian Blichmann
32 | Hilko Bengen
33 | Joachim Metz
34 | Karl Hiramoto
35 | Mike Wiacek
36 | Shane Huntley
37 | Stefan Buehlmann
38 | Victor M. Alvarez ;
39 | Wesley Shields
40 |
--------------------------------------------------------------------------------
/docs/index.rst:
--------------------------------------------------------------------------------
1 | .. yara documentation master file, created by
2 | sphinx-quickstart on Tue Jul 8 11:04:03 2014.
3 | You can adapt this file completely to your liking, but it should at least
4 | contain the root `toctree` directive.
5 |
6 | Welcome to YARA's documentation!
7 | ================================
8 |
9 | YARA is a tool aimed at (but not limited to) helping malware researchers to
10 | identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns. Each description, a.k.a rule, consists of a set of strings and a
11 | boolean expression which determine its logic. Let's see an example:
12 |
13 | .. code-block:: yara
14 |
15 | rule silent_banker : banker
16 | {
17 | meta:
18 | description = "This is just an example"
19 | threat_level = 3
20 | in_the_wild = true
21 | strings:
22 | $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
23 | $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
24 | $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
25 | condition:
26 | $a or $b or $c
27 | }
28 |
29 | The above rule is telling YARA that any file containing one of the three strings
30 | must be reported as silent_banker. This is just a simple example, more complex
31 | and powerful rules can be created by using wild-cards, case-insensitive strings, regular expressions, special operators and many other features that you'll find explained in this documentation.
32 |
33 | Contents:
34 |
35 | .. toctree::
36 | :maxdepth: 3
37 |
38 | gettingstarted
39 | writingrules
40 | modules
41 | writingmodules
42 | commandline
43 | yarapython
44 | capi
45 |
46 |
47 |
48 |
--------------------------------------------------------------------------------
/tests/test-version.c:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2016. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #include
31 | #include
32 |
33 | int main (int argc, char **argv)
34 | {
35 | // make sure that versions defined in configure.ac and in
36 | // libyara/include/yara/libyara.h are in sync.
37 |
38 | return strcmp(PACKAGE_VERSION, YR_VERSION);
39 | }
40 |
--------------------------------------------------------------------------------
/yarac.man:
--------------------------------------------------------------------------------
1 | .\"Text automatically generated by txt2man
2 | .TH YARAC "1" "Jan 2014" "YARAC 2.0" "compile rules to yara"
3 | .SH NAME
4 | \fByarac \fP- compile rules to yara
5 | .SH SYNOPSIS
6 | .nf
7 | .fam C
8 | \fByarac\fP [OPTION]\.\.\. [RULE_FILE]\.\.\. \fIOUTPUT_FILE\fP
9 | .fam T
10 | .fi
11 | .fam T
12 | .fi
13 | .SH DESCRIPTION
14 | To invoke YARA you will need two things: a file with the rules you want to
15 | use (either in source code or compiled form) and the target to be scanned.
16 | The target can be a file, a folder, or a process.
17 | .PP
18 | Rule files can be passed directly in source code form, or can be previously
19 | compiled with the \fByarac\fP tool. You may prefer to use your rules in compiled
20 | form if you are going to invoke YARA multiple times with the same rules.
21 | This way you’ll save time, because for YARA is faster to load compiled rules
22 | than compiling the same rules over and over again.
23 | .PP
24 | The rules will be applied to the target specified as the last argument to YARA,
25 | if it’s a path to a directory all the files contained in it will be scanned.
26 | .SH OPTIONS
27 | .TP
28 | .B
29 | \fB-d\fP =
30 | define external variable.
31 | .TP
32 | .B \-w " --no-warnings"
33 | Disable warnings.
34 | .TP
35 | .B " --fail-on-warnings"
36 | Treat warnings as errors. Has no effect if used with
37 | .B --no-warnings.
38 | .TP
39 | .B \-v " --version"
40 | Show version information.
41 | .SH EXAMPLE
42 | The \fB-d\fP is used to define external variables. For example:
43 | .PP
44 | \fB-d\fP flag=true
45 | .PP
46 | \fB-d\fP beast=666
47 | .PP
48 | \fB-d\fP name="James Bond"
49 | .SH SEE ALSO
50 | \fByara\fP(1)
51 | .SH AUTHOR
52 | \fByarac\fP was written by Victor M. Alvarez .
53 | This manual page was written by Joao Eriberto Mota Filho for the Debian project (but may be used by others).
54 |
--------------------------------------------------------------------------------
/libyara/include/yara/exefiles.h:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2007. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #ifndef YR_EXEFILES_H
31 | #define YR_EXEFILES_H
32 |
33 | uint64_t yr_get_entry_point_offset(
34 | const uint8_t* buffer,
35 | size_t buffer_length);
36 |
37 |
38 | uint64_t yr_get_entry_point_address(
39 | const uint8_t* buffer,
40 | size_t buffer_length,
41 | uint64_t base_address);
42 |
43 | #endif
44 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | # Generic auto-generated build files
2 | *~
3 | *.a
4 | *.la
5 | *.lai
6 | *.lo
7 | *.Plo
8 | *.Po
9 | *.o
10 | *.so
11 | *.so.[0-9][0-9]*
12 | *.so.[0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*
13 | *.Tpo
14 | *.m4
15 | *.dSYM
16 | .deps
17 | .libs
18 | INSTALL
19 | Makefile
20 | Makefile.in
21 | stamp-h1
22 |
23 | # Specific auto-generated build files
24 | /ABOUT-NLS
25 | /aclocal.m4
26 | /ar-lib
27 | /autom4te.cache/
28 | /build-aux
29 | /compile
30 | /config.guess
31 | /config.h
32 | /config.h.in
33 | /config.log
34 | /config.rpath
35 | /config.status
36 | /config.sub
37 | /configure
38 | /depcomp
39 | /install-sh
40 | /libtool
41 | /ltmain.sh
42 | /missing
43 | /test-driver
44 | /ylwrap
45 | /m4
46 | !/m4/acx_pthread.m4
47 |
48 | # Project specific files
49 | /yara
50 | /yarac
51 | /libyara/modules/.dirstamp
52 | libyara/proc/.dirstamp
53 | libyara/yara.pc
54 | /tests/.dirstamp
55 |
56 | # Linux and Mac files
57 | *.swp
58 | .DS_Store
59 |
60 | # Files generated by tests
61 | test-alignment
62 | test-alignment.log
63 | test-alignment.trs
64 | test-api
65 | test-api.log
66 | test-api.trs
67 | test-atoms
68 | test-atoms.log
69 | test-atoms.trs
70 | test-bitmask
71 | test-bitmask.log
72 | test-bitmask.trs
73 | test-elf
74 | test-elf.log
75 | test-elf.trs
76 | test-exception
77 | test-exception.log
78 | test-exception.trs
79 | test-rules
80 | test-rules.log
81 | test-rules.trs
82 | test-suite.log
83 | test-pe
84 | test-pe.log
85 | test-pe.trs
86 | test-macho
87 | test-macho.log
88 | test-macho.trs
89 | test-math
90 | test-math.log
91 | test-math.trs
92 | test-version
93 | test-version.log
94 | test-version.trs
95 |
96 | # Bazel
97 | bazel-*
98 |
99 | # Visual Studio files
100 | Release/
101 | Debug/
102 | windows/*/.vs
103 | x64/
104 | *.obj
105 | *.suo
106 | *.sdf
107 | *.opendb
108 | *.opensdf
109 | *.VC.db
110 |
111 | # NuGet
112 | windows/*/packages/
113 | *.trs
114 | *.log
115 | .dirstamp
116 |
--------------------------------------------------------------------------------
/sandbox/collect_matches.h:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2019. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #ifndef SANDBOX_COLLECT_MATCHES_H_
31 | #define SANDBOX_COLLECT_MATCHES_H_
32 |
33 | namespace yara {
34 |
35 | // Callback function for yr_scan_mem() that collects YARA matches in a
36 | // YaraMatches proto given in user_data.
37 | int CollectMatches(int message, void* message_data, void* user_data);
38 |
39 | } // namespace yara
40 |
41 | #endif // SANDBOX_COLLECT_MATCHES_H_
42 |
--------------------------------------------------------------------------------
/libyara/include/yara.h:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2007-2013. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #ifndef YR_YARA_H
31 | #define YR_YARA_H
32 |
33 | #include "yara/utils.h"
34 | #include "yara/filemap.h"
35 | #include "yara/compiler.h"
36 | #include "yara/modules.h"
37 | #include "yara/object.h"
38 | #include "yara/libyara.h"
39 | #include "yara/error.h"
40 | #include "yara/stream.h"
41 | #include "yara/hash.h"
42 | #include "yara/scanner.h"
43 | #include "yara/mem.h"
44 |
45 | #endif
46 |
--------------------------------------------------------------------------------
/docs/modules/magic.rst:
--------------------------------------------------------------------------------
1 |
2 | .. _magic-module:
3 |
4 | ############
5 | Magic module
6 | ############
7 |
8 | .. versionadded:: 3.1.0
9 |
10 | The Magic module allows you to identify the type of the file based on the
11 | output of `file `_, the standard
12 | Unix command.
13 |
14 | .. important::
15 | This module is not built into YARA by default, to learn how to include it
16 | refer to :ref:`compiling-yara`. Bad news for Windows users: **this module is
17 | not supported on Windows**.
18 |
19 | There are two functions in this module: :c:func:`type` and :c:func:`mime_type`.
20 | The first one returns the descriptive string returned by *file*, for example,
21 | if you run *file* against some PDF document you'll get something like this::
22 |
23 | $file some.pdf
24 | some.pdf: PDF document, version 1.5
25 |
26 | The :c:func:`type` function would return *"PDF document, version 1.5"* in this
27 | case. Using the :c:func:`mime_type` function is similar to passing the
28 | ``--mime`` argument to *file*.::
29 |
30 | $file --mime some.pdf
31 | some.pdf: application/pdf; charset=binary
32 |
33 |
34 | :c:func:`mime_type` would return *"application/pdf"*, without the charset part.
35 |
36 | By experimenting a little with the *file* command you can learn which output to
37 | expect for different file types. These are a few examples:
38 |
39 | * JPEG image data, JFIF standard 1.01
40 | * PE32 executable for MS Windows (GUI) Intel 80386 32-bit
41 | * PNG image data, 1240 x 1753, 8-bit/color RGBA, non-interlaced
42 | * ASCII text, with no line terminators
43 | * Zip archive data, at least v2.0 to extract
44 |
45 |
46 |
47 | .. c:function:: type()
48 |
49 | Function returning a string with the type of the file.
50 |
51 | *Example: magic.type() contains "PDF"*
52 |
53 |
54 | .. c:function:: mime_type()
55 |
56 | Function returning a string with the MIME type of the file.
57 |
58 | *Example: magic.mime_type() == "application/pdf"*
59 |
--------------------------------------------------------------------------------
/libyara/include/yara/scan.h:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2014. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #ifndef YR_SCAN_H
31 | #define YR_SCAN_H
32 |
33 | #include
34 |
35 | // Bitmasks for flags.
36 | #define SCAN_FLAGS_FAST_MODE 1
37 | #define SCAN_FLAGS_PROCESS_MEMORY 2
38 | #define SCAN_FLAGS_NO_TRYCATCH 4
39 |
40 |
41 | int yr_scan_verify_match(
42 | YR_SCAN_CONTEXT* context,
43 | YR_AC_MATCH* ac_match,
44 | const uint8_t* data,
45 | size_t data_size,
46 | uint64_t data_base,
47 | size_t offset);
48 |
49 | #endif
50 |
--------------------------------------------------------------------------------
/libyara/include/yara/globals.h:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2014. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #ifndef YR_GLOBALS_H
31 | #define YR_GLOBALS_H
32 |
33 | #include
34 | #include
35 |
36 | // Pre-computed tables for quickly converting a character to lowercase or to
37 | // its alternative case (uppercase if it is a lowercase and vice versa). This
38 | // tables are initialized by yr_initialize.
39 | extern uint8_t yr_lowercase[256];
40 | extern uint8_t yr_altercase[256];
41 |
42 | extern YR_THREAD_STORAGE_KEY yr_tidx_key;
43 | extern YR_THREAD_STORAGE_KEY yr_recovery_state_key;
44 |
45 | #endif
46 |
--------------------------------------------------------------------------------
/libyara/stream.c:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2015. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #include
31 | #include
32 |
33 |
34 | size_t yr_stream_read(
35 | void* ptr,
36 | size_t size,
37 | size_t count,
38 | YR_STREAM* stream)
39 | {
40 | if (stream->read == NULL)
41 | return 0;
42 |
43 | return stream->read(ptr, size, count, stream->user_data);
44 | }
45 |
46 |
47 | size_t yr_stream_write(
48 | const void* ptr,
49 | size_t size,
50 | size_t count,
51 | YR_STREAM* stream)
52 | {
53 | if (stream->write == NULL)
54 | return 0;
55 |
56 | return stream->write(ptr, size, count, stream->user_data);
57 | }
58 |
--------------------------------------------------------------------------------
/tests/test-dotnet.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include "util.h"
6 |
7 | int main(int argc, char** argv)
8 | {
9 | char *top_srcdir = getenv("TOP_SRCDIR");
10 | if (top_srcdir)
11 | chdir(top_srcdir);
12 |
13 | yr_initialize();
14 |
15 | assert_true_rule_file(
16 | "import \"dotnet\" \
17 | rule test { \
18 | condition: \
19 | dotnet.assembly.name == \"hpjsoaputility.Sv.resources\" \
20 | }",
21 | "tests/data/0ca09bde7602769120fadc4f7a4147347a7a97271370583586c9e587fd396171");
22 |
23 | assert_true_rule_file(
24 | "import \"dotnet\" \
25 | rule test { \
26 | condition: \
27 | dotnet.number_of_resources == 1 and \
28 | dotnet.resources[0].offset == 724 and \
29 | dotnet.resources[0].length == 180 and \
30 | dotnet.resources[0].name == \"hpjsoaputility.XmlStreamSoapExtension.pt.resources\" \
31 | }",
32 | "tests/data/0ca09bde7602769120fadc4f7a4147347a7a97271370583586c9e587fd396171");
33 |
34 | assert_true_rule_file(
35 | "import \"dotnet\" \
36 | rule test { \
37 | condition: \
38 | dotnet.number_of_guids == 1 and \
39 | dotnet.guids[0] == \"3764d539-e21a-4366-bc7c-b56fa67efbb0\" \
40 | }",
41 | "tests/data/0ca09bde7602769120fadc4f7a4147347a7a97271370583586c9e587fd396171");
42 |
43 | assert_true_rule_file(
44 | "import \"dotnet\" \
45 | rule test { \
46 | condition: \
47 | dotnet.number_of_streams == 5 and \
48 | dotnet.streams[0].name == \"#~\" and \
49 | dotnet.streams[1].name == \"#Strings\" and \
50 | dotnet.streams[2].name == \"#US\" and \
51 | dotnet.streams[3].name == \"#GUID\" and \
52 | dotnet.streams[4].name == \"#Blob\" \
53 | }",
54 | "tests/data/0ca09bde7602769120fadc4f7a4147347a7a97271370583586c9e587fd396171");
55 |
56 | assert_true_rule_file(
57 | "import \"dotnet\" \
58 | rule test { \
59 | condition: \
60 | dotnet.module_name == \"hpjsoaputility.Sv.resources.dll\" and \
61 | dotnet.version == \"v2.0.50727\" \
62 | }",
63 | "tests/data/0ca09bde7602769120fadc4f7a4147347a7a97271370583586c9e587fd396171");
64 |
65 | yr_finalize();
66 | return 0;
67 | }
68 |
--------------------------------------------------------------------------------
/libyara/modules/demo/demo.c:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2014. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #include
31 |
32 | #define MODULE_NAME demo
33 |
34 | begin_declarations;
35 |
36 | declare_string("greeting");
37 |
38 | end_declarations;
39 |
40 |
41 | int module_initialize(
42 | YR_MODULE* module)
43 | {
44 | return ERROR_SUCCESS;
45 | }
46 |
47 |
48 | int module_finalize(
49 | YR_MODULE* module)
50 | {
51 | return ERROR_SUCCESS;
52 | }
53 |
54 |
55 | int module_load(
56 | YR_SCAN_CONTEXT* context,
57 | YR_OBJECT* module_object,
58 | void* module_data,
59 | size_t module_data_size)
60 | {
61 | set_string("Hello World!", module_object, "greeting");
62 |
63 | return ERROR_SUCCESS;
64 | }
65 |
66 |
67 | int module_unload(
68 | YR_OBJECT* module_object)
69 | {
70 | return ERROR_SUCCESS;
71 | }
72 |
--------------------------------------------------------------------------------
/tests/oss-fuzz/rules_fuzzer_corpus/2:
--------------------------------------------------------------------------------
1 | rule r1 { condition: true or false }
2 |
3 | rule r2 { condition: 0x1 and 0x2}
4 |
5 | rule r3 { condition: 2 > 1 }
6 |
7 | rule r4 { condition: 1.5 >= 1.0}
8 |
9 | rule r5 { condition: 0.5 <= 1}
10 |
11 | rule r6 { condition: "abc" == "abc"}
12 |
13 | rule r7 { condition: "ab" < "abc"}
14 |
15 | rule r8 { condition: (1 + 1) * 2 == (9 - 1) \ 2 }
16 |
17 | rule r9 { condition: 1.5 + 1.5 == 3}
18 |
19 | rule r10 { condition: -2.0-3.0 == -5}
20 |
21 | rule r11 { condition: ~0xAA ^ 0x5A & 0xFF == (~0xAA) ^ (0x5A & 0xFF) }
22 |
23 | rule r12 { strings: $a = "abc" wide nocase fullword condition: $a }
24 |
25 | rule r13 {
26 | strings:
27 | $a = "abcdef"
28 | $b = "cdef"
29 | $c = "ef"
30 | condition:
31 | all of them
32 | }
33 |
34 | rule r14 {
35 | strings:
36 | $a = "abcdef"
37 | $b = "cdef"
38 | $c = "ef"
39 | condition:
40 | for all of ($*) : ($)
41 | }
42 |
43 | rule r15 {
44 | strings:
45 | $a = { 64 01 00 00 60 01 }
46 | condition:
47 | $a
48 | }
49 |
50 | rule r16 {
51 | strings:
52 | $a = { 64 01 [1-3] (60|61) 01 }
53 | condition:
54 | $a
55 | }
56 |
57 | rule r17 {
58 | strings:
59 | $a = { 4D 5A [-] 6A 2A [-] 58 C3 }
60 | condition:
61 | $a
62 | }
63 |
64 | rule r18 {
65 | strings:
66 | $a = { 4D 5A [300-] 6A 2A [-] 58 C3}
67 | condition:
68 | $a
69 | }
70 |
71 | rule r19 {
72 | strings:
73 | $a = { 2e 7? (65 | ?? ) 78 }
74 | condition:
75 | $a
76 | }
77 |
78 | rule r21 {
79 | strings:
80 | $a = /a.*efg/
81 | condition:
82 | $a
83 | }
84 |
85 | rule r22 {
86 | strings:
87 | $a = /abc[^D]/ nocase
88 | condition:
89 | $a
90 | }
91 |
92 | rule r23 {
93 | strings:
94 | $a = /a[-]?c/
95 | condition:
96 | $a
97 | }
98 |
99 | rule r24 {
100 | strings:
101 | $a = /[0-9a-f]+/
102 | condition:
103 | $a
104 | }
105 |
106 | rule r25 {
107 | strings:
108 | $a = /[\\da-fA-F]+/
109 | condition:
110 | $a
111 | }
112 |
113 | rule r26 {
114 | strings:
115 | $a = /(bc+d$|ef*g.|h?i(j|k))/
116 | condition:
117 | $a
118 | }
119 |
120 | rule r27 {
121 | condition:
122 | "xxFoOxx" matches /fOo/i
123 | }
124 |
125 | rule r28 {
126 | condition:
127 | uint32be(0) == 0xAABBCCDD
128 | }
129 |
--------------------------------------------------------------------------------
/libyara/endian.c:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2017. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #include
31 |
32 | uint16_t _yr_bswap16(uint16_t x)
33 | {
34 | return (x >> 8 | x << 8);
35 | }
36 |
37 | uint32_t _yr_bswap32(uint32_t x)
38 | {
39 | return ((((x) & 0xff000000) >> 24) | (((x) & 0x00ff0000) >> 8) |
40 | (((x) & 0x0000ff00) << 8) | (((x) & 0x000000ff) << 24));
41 | }
42 |
43 | uint64_t _yr_bswap64(uint64_t x)
44 | {
45 | return ((((x) & 0xff00000000000000ull) >> 56)
46 | | (((x) & 0x00ff000000000000ull) >> 40)
47 | | (((x) & 0x0000ff0000000000ull) >> 24)
48 | | (((x) & 0x000000ff00000000ull) >> 8)
49 | | (((x) & 0x00000000ff000000ull) << 8)
50 | | (((x) & 0x0000000000ff0000ull) << 24)
51 | | (((x) & 0x000000000000ff00ull) << 40)
52 | | (((x) & 0x00000000000000ffull) << 56));
53 | }
54 |
--------------------------------------------------------------------------------
/libyara/include/yara/mem.h:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2007. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #ifndef YR_MEM_H
31 | #define YR_MEM_H
32 |
33 | #include
34 |
35 | #ifdef DMALLOC
36 |
37 | #define yr_malloc malloc
38 | #define yr_calloc calloc
39 | #define yr_realloc realloc
40 | #define yr_free free
41 | #define yr_strdup strdup
42 | #define yr_strndup strndup
43 |
44 | #include
45 |
46 | #else
47 |
48 | void* yr_calloc(
49 | size_t count,
50 | size_t size);
51 |
52 | void* yr_malloc(
53 | size_t size);
54 |
55 | void* yr_realloc(
56 | void* ptr,
57 | size_t size);
58 |
59 | void yr_free(
60 | void *ptr);
61 |
62 | char* yr_strdup(
63 | const char *str);
64 |
65 | char* yr_strndup(
66 | const char *str, size_t n);
67 |
68 | #endif
69 |
70 | int yr_heap_alloc(void);
71 |
72 | int yr_heap_free(void);
73 |
74 | #endif
75 |
--------------------------------------------------------------------------------
/libyara/proc/none.c:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2007-2017. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #if defined(USE_NO_PROC)
31 |
32 | #include
33 | #include
34 |
35 | int _yr_process_attach(
36 | int pid,
37 | YR_PROC_ITERATOR_CTX* context)
38 | {
39 | return ERROR_COULD_NOT_ATTACH_TO_PROCESS;
40 | }
41 |
42 | int _yr_process_detach(
43 | YR_PROC_ITERATOR_CTX* context)
44 | {
45 | return ERROR_INVALID_ARGUMENT;
46 | }
47 |
48 | YR_API const uint8_t* yr_process_fetch_memory_block_data(
49 | YR_MEMORY_BLOCK* block)
50 | {
51 | return NULL;
52 | }
53 |
54 | YR_API YR_MEMORY_BLOCK* yr_process_get_next_memory_block(
55 | YR_MEMORY_BLOCK_ITERATOR* iterator)
56 | {
57 | return NULL;
58 | }
59 |
60 | YR_API YR_MEMORY_BLOCK* yr_process_get_first_memory_block(
61 | YR_MEMORY_BLOCK_ITERATOR* iterator)
62 | {
63 | return NULL;
64 | }
65 |
66 | #endif
67 |
--------------------------------------------------------------------------------
/sandbox/yara_matches.proto:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2019. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | syntax = "proto3";
31 |
32 | package yara;
33 |
34 | // Identifies a single rule inside a namespace
35 | message YaraRuleId {
36 | string rule_namespace = 1; // Currently unused by yara_entrypoints.cc
37 | string rule_name = 2;
38 | }
39 |
40 | // Holds N mappings for the matches.
41 | message YaraMatches {
42 | // Holds one mapping from (namespace, name) --> N key-value entries.
43 | message Match {
44 | message Meta {
45 | string identifier = 1;
46 | oneof value {
47 | bytes bytes_value = 2;
48 | int64 int_value = 3;
49 | }
50 | }
51 |
52 | YaraRuleId id = 1;
53 | repeated Meta meta = 2;
54 | }
55 |
56 | repeated Match match = 1;
57 | }
58 |
59 | message YaraStatus {
60 | int64 code = 1;
61 | int64 line_number = 2;
62 | string message = 3;
63 | }
64 |
--------------------------------------------------------------------------------
/libyara/include/yara/stream.h:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2015. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #ifndef YR_STREAM_H
31 | #define YR_STREAM_H
32 |
33 | #include
34 |
35 | typedef size_t (*YR_STREAM_READ_FUNC)(
36 | void* ptr,
37 | size_t size,
38 | size_t count,
39 | void* user_data);
40 |
41 |
42 | typedef size_t (*YR_STREAM_WRITE_FUNC)(
43 | const void* ptr,
44 | size_t size,
45 | size_t count,
46 | void* user_data);
47 |
48 |
49 | typedef struct _YR_STREAM
50 | {
51 | void* user_data;
52 |
53 | YR_STREAM_READ_FUNC read;
54 | YR_STREAM_WRITE_FUNC write;
55 |
56 | } YR_STREAM;
57 |
58 |
59 | size_t yr_stream_read(
60 | void* ptr,
61 | size_t size,
62 | size_t count,
63 | YR_STREAM* stream);
64 |
65 |
66 | size_t yr_stream_write(
67 | const void* ptr,
68 | size_t size,
69 | size_t count,
70 | YR_STREAM* stream);
71 |
72 | #endif
73 |
--------------------------------------------------------------------------------
/libyara/include/yara/proc.h:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2007. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #ifndef YR_PROC_H
31 | #define YR_PROC_H
32 |
33 | #include
34 |
35 | typedef struct _YR_PROC_ITERATOR_CTX {
36 | const uint8_t* buffer;
37 | size_t buffer_size;
38 | YR_MEMORY_BLOCK current_block;
39 | void* proc_info;
40 | } YR_PROC_ITERATOR_CTX;
41 |
42 | YR_API int yr_process_open_iterator(
43 | int pid,
44 | YR_MEMORY_BLOCK_ITERATOR* iterator);
45 |
46 | YR_API int yr_process_close_iterator(
47 | YR_MEMORY_BLOCK_ITERATOR* iterator);
48 |
49 | YR_API YR_MEMORY_BLOCK* yr_process_get_first_memory_block(
50 | YR_MEMORY_BLOCK_ITERATOR* iterator);
51 |
52 | YR_API YR_MEMORY_BLOCK* yr_process_get_next_memory_block(
53 | YR_MEMORY_BLOCK_ITERATOR* iterator);
54 |
55 | YR_API const uint8_t* yr_process_fetch_memory_block_data(
56 | YR_MEMORY_BLOCK* block);
57 |
58 | #endif
59 |
--------------------------------------------------------------------------------
/libyara/include/yara/sizedstr.h:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2007-2014. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #ifndef _SIZEDSTR_H
31 | #define _SIZEDSTR_H
32 |
33 | #include
34 |
35 | #include
36 |
37 | //
38 | // This struct is used to support strings containing null chars. The length of
39 | // the string is stored along the string data. However the string data is also
40 | // terminated with a null char.
41 | //
42 |
43 | #define SIZED_STRING_FLAGS_NO_CASE 1
44 | #define SIZED_STRING_FLAGS_DOT_ALL 2
45 |
46 | #pragma pack(push)
47 | #pragma pack(8)
48 |
49 |
50 | typedef struct _SIZED_STRING
51 | {
52 | uint32_t length;
53 | uint32_t flags;
54 |
55 | char c_string[1];
56 |
57 | } SIZED_STRING;
58 |
59 | #pragma pack(pop)
60 |
61 |
62 | int sized_string_cmp(
63 | SIZED_STRING* s1,
64 | SIZED_STRING* s2);
65 |
66 |
67 | SIZED_STRING* sized_string_dup(
68 | SIZED_STRING* s);
69 |
70 | #endif
71 |
--------------------------------------------------------------------------------
/libyara/modules/time/time.c:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2014-2017. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #include
31 |
32 | #include
33 |
34 | #define MODULE_NAME time
35 |
36 |
37 | define_function(now)
38 | {
39 | time_t now = time(NULL);
40 | if (now == -1)
41 | return_integer(UNDEFINED);
42 | return_integer((long) now);
43 | }
44 |
45 |
46 | begin_declarations;
47 |
48 | declare_function("now", "", "i", now);
49 |
50 | end_declarations;
51 |
52 |
53 | int module_initialize(
54 | YR_MODULE* module)
55 | {
56 | return ERROR_SUCCESS;
57 | }
58 |
59 |
60 | int module_finalize(
61 | YR_MODULE* module)
62 | {
63 | return ERROR_SUCCESS;
64 | }
65 |
66 |
67 | int module_load(
68 | YR_SCAN_CONTEXT* context,
69 | YR_OBJECT* module_object,
70 | void* module_data,
71 | size_t module_data_size)
72 | {
73 | return ERROR_SUCCESS;
74 | }
75 |
76 |
77 | int module_unload(
78 | YR_OBJECT* module_object)
79 | {
80 | return ERROR_SUCCESS;
81 | }
82 |
--------------------------------------------------------------------------------
/libyara/include/yara/threading.h:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2016. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #ifndef YR_MUTEX_H
31 | #define YR_MUTEX_H
32 |
33 |
34 |
35 | #if defined(_WIN32) || defined(__CYGWIN__)
36 |
37 | #include
38 |
39 | typedef DWORD YR_THREAD_ID;
40 | typedef DWORD YR_THREAD_STORAGE_KEY;
41 | typedef HANDLE YR_MUTEX;
42 |
43 | #else
44 |
45 | #include
46 |
47 | typedef pthread_t YR_THREAD_ID;
48 | typedef pthread_key_t YR_THREAD_STORAGE_KEY;
49 | typedef pthread_mutex_t YR_MUTEX;
50 |
51 | #endif
52 |
53 | YR_THREAD_ID yr_current_thread_id(void);
54 |
55 | int yr_mutex_create(YR_MUTEX*);
56 | int yr_mutex_destroy(YR_MUTEX*);
57 | int yr_mutex_lock(YR_MUTEX*);
58 | int yr_mutex_unlock(YR_MUTEX*);
59 |
60 | int yr_thread_storage_create(YR_THREAD_STORAGE_KEY*);
61 | int yr_thread_storage_destroy(YR_THREAD_STORAGE_KEY*);
62 | int yr_thread_storage_set_value(YR_THREAD_STORAGE_KEY*, void*);
63 | void* yr_thread_storage_get_value(YR_THREAD_STORAGE_KEY*);
64 |
65 | #endif
66 |
--------------------------------------------------------------------------------
/tests/oss-fuzz/rules_fuzzer.cc:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2017. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #include
31 | #include
32 | #include
33 |
34 | #include
35 |
36 |
37 | extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv)
38 | {
39 | yr_initialize();
40 | return 0;
41 | }
42 |
43 |
44 | extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
45 | {
46 | YR_RULES* rules;
47 | YR_COMPILER* compiler;
48 |
49 | char* buffer = (char*) malloc(size + 1);
50 |
51 | if (!buffer)
52 | return 0;
53 |
54 | strncpy(buffer, (const char *) data, size);
55 | buffer[size] = 0;
56 |
57 | if (yr_compiler_create(&compiler) != ERROR_SUCCESS)
58 | {
59 | free(buffer);
60 | return 0;
61 | }
62 |
63 | if (yr_compiler_add_string(compiler, (const char*) buffer, NULL) == 0)
64 | {
65 | if (yr_compiler_get_rules(compiler, &rules) == ERROR_SUCCESS)
66 | yr_rules_destroy(rules);
67 | }
68 |
69 | yr_compiler_destroy(compiler);
70 | free(buffer);
71 |
72 | return 0;
73 | }
74 |
--------------------------------------------------------------------------------
/libyara/include/yara/stack.h:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2018. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #ifndef YR_STACK_H
31 | #define YR_STACK_H
32 |
33 | typedef struct YR_STACK YR_STACK;
34 |
35 | struct YR_STACK
36 | {
37 | // Pointer to a heap-allocated array containing the void* values put in
38 | // in the stack. This array starts with a fixed size and it's grown as
39 | // required when new items are pushed into the stack.
40 | void* items;
41 |
42 | // Current capacity (i.e: the number of items that fit into the array)
43 | int capacity;
44 |
45 | // Size of each individual item in the stack.
46 | int item_size;
47 |
48 | // Index of the stack's top in the items array.
49 | int top;
50 | };
51 |
52 |
53 | int yr_stack_create(
54 | int initial_capacity,
55 | int item_size,
56 | YR_STACK** stack);
57 |
58 |
59 | void yr_stack_destroy(
60 | YR_STACK* stack);
61 |
62 |
63 | int yr_stack_push(
64 | YR_STACK* stack,
65 | void* item);
66 |
67 |
68 | int yr_stack_pop(
69 | YR_STACK* stack,
70 | void* item);
71 |
72 | #endif
--------------------------------------------------------------------------------
/libyara/sizedstr.c:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2014. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #include
31 | #include
32 | #include
33 |
34 |
35 | int sized_string_cmp(
36 | SIZED_STRING* s1,
37 | SIZED_STRING* s2)
38 | {
39 | size_t i = 0;
40 |
41 | while (s1->length > i &&
42 | s2->length > i &&
43 | s1->c_string[i] == s2->c_string[i])
44 | {
45 | i++;
46 | }
47 |
48 | if (i == s1->length && i == s2->length)
49 | return 0;
50 | else if (i == s1->length)
51 | return -1;
52 | else if (i == s2->length)
53 | return 1;
54 | else if (s1->c_string[i] < s2->c_string[i])
55 | return -1;
56 | else
57 | return 1;
58 | }
59 |
60 |
61 | SIZED_STRING* sized_string_dup(
62 | SIZED_STRING* s)
63 | {
64 | SIZED_STRING* result = (SIZED_STRING*) yr_malloc(
65 | sizeof(SIZED_STRING) + s->length);
66 |
67 | if (result == NULL)
68 | return NULL;
69 |
70 | result->length = s->length;
71 | result->flags = s->flags;
72 |
73 | strncpy(result->c_string, s->c_string, s->length + 1);
74 |
75 | return result;
76 | }
77 |
--------------------------------------------------------------------------------
/tests/oss-fuzz/elf_fuzzer.cc:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2017. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #include
31 | #include
32 |
33 | #include
34 |
35 |
36 | YR_RULES* rules = NULL;
37 |
38 |
39 | extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv)
40 | {
41 | YR_COMPILER* compiler;
42 |
43 | if (yr_initialize() != ERROR_SUCCESS)
44 | return 0;
45 |
46 | if (yr_compiler_create(&compiler) != ERROR_SUCCESS)
47 | return 0;
48 |
49 | if (yr_compiler_add_string(compiler, "import \"elf\"", NULL) == 0)
50 | yr_compiler_get_rules(compiler, &rules);
51 |
52 | yr_compiler_destroy(compiler);
53 |
54 | return 0;
55 | }
56 |
57 |
58 | int callback(int message, void* message_data, void* user_data)
59 | {
60 | return CALLBACK_CONTINUE;
61 | }
62 |
63 |
64 | extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
65 | {
66 | if (rules == NULL)
67 | return 0;
68 |
69 | yr_rules_scan_mem(
70 | rules,
71 | data,
72 | size,
73 | SCAN_FLAGS_NO_TRYCATCH,
74 | callback,
75 | NULL,
76 | 0);
77 |
78 | return 0;
79 | }
--------------------------------------------------------------------------------
/libyara/include/yara/stopwatch.h:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2017. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #ifndef YR_STOPWATCH_H
31 | #define YR_STOPWATCH_H
32 |
33 | #include
34 | #include
35 |
36 | #if defined(_WIN32)
37 |
38 | #include
39 |
40 | typedef struct _YR_STOPWATCH
41 | {
42 | LARGE_INTEGER frequency;
43 | LARGE_INTEGER start;
44 |
45 | } YR_STOPWATCH;
46 |
47 | #elif defined(__MACH__)
48 |
49 | #include
50 |
51 | typedef struct _YR_STOPWATCH
52 | {
53 | mach_timebase_info_data_t timebase;
54 | uint64_t start;
55 |
56 | } YR_STOPWATCH;
57 |
58 | #else
59 |
60 | #include
61 |
62 | typedef struct _YR_STOPWATCH
63 | {
64 | union {
65 | struct timeval tv_start;
66 | struct timespec ts_start;
67 | };
68 |
69 | } YR_STOPWATCH;
70 |
71 | #endif
72 |
73 |
74 | // yr_stopwatch_start starts measuring time.
75 | void yr_stopwatch_start(
76 | YR_STOPWATCH* stopwatch);
77 |
78 | // yr_stopwatch_elapsed_us returns the number of microseconds elapsed
79 | // since the last call to yr_stopwatch_start.
80 | uint64_t yr_stopwatch_elapsed_us(
81 | YR_STOPWATCH* stopwatch);
82 |
83 | #endif
84 |
--------------------------------------------------------------------------------
/libyara/hex_grammar.h:
--------------------------------------------------------------------------------
1 | /* A Bison parser, made by GNU Bison 3.0.5. */
2 |
3 | /* Bison interface for Yacc-like parsers in C
4 |
5 | Copyright (C) 1984, 1989-1990, 2000-2015, 2018 Free Software Foundation, Inc.
6 |
7 | This program is free software: you can redistribute it and/or modify
8 | it under the terms of the GNU General Public License as published by
9 | the Free Software Foundation, either version 3 of the License, or
10 | (at your option) any later version.
11 |
12 | This program is distributed in the hope that it will be useful,
13 | but WITHOUT ANY WARRANTY; without even the implied warranty of
14 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 | GNU General Public License for more details.
16 |
17 | You should have received a copy of the GNU General Public License
18 | along with this program. If not, see . */
19 |
20 | /* As a special exception, you may create a larger work that contains
21 | part or all of the Bison parser skeleton and distribute that work
22 | under terms of your choice, so long as that work isn't itself a
23 | parser generator using the skeleton or a modified version thereof
24 | as a parser skeleton. Alternatively, if you modify or redistribute
25 | the parser skeleton itself, you may (at your option) remove this
26 | special exception, which will cause the skeleton and the resulting
27 | Bison output files to be licensed under the GNU General Public
28 | License without this special exception.
29 |
30 | This special exception was added by the Free Software Foundation in
31 | version 2.2 of Bison. */
32 |
33 | #ifndef YY_HEX_YY_HEX_GRAMMAR_H_INCLUDED
34 | # define YY_HEX_YY_HEX_GRAMMAR_H_INCLUDED
35 | /* Debug traces. */
36 | #ifndef YYDEBUG
37 | # define YYDEBUG 0
38 | #endif
39 | #if YYDEBUG
40 | extern int hex_yydebug;
41 | #endif
42 |
43 | /* Token type. */
44 | #ifndef YYTOKENTYPE
45 | # define YYTOKENTYPE
46 | enum yytokentype
47 | {
48 | _BYTE_ = 258,
49 | _MASKED_BYTE_ = 259,
50 | _NUMBER_ = 260
51 | };
52 | #endif
53 | /* Tokens. */
54 | #define _BYTE_ 258
55 | #define _MASKED_BYTE_ 259
56 | #define _NUMBER_ 260
57 |
58 | /* Value type. */
59 | #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
60 |
61 | union YYSTYPE
62 | {
63 | #line 78 "hex_grammar.y" /* yacc.c:1916 */
64 |
65 | int64_t integer;
66 | RE_NODE *re_node;
67 |
68 | #line 69 "hex_grammar.h" /* yacc.c:1916 */
69 | };
70 |
71 | typedef union YYSTYPE YYSTYPE;
72 | # define YYSTYPE_IS_TRIVIAL 1
73 | # define YYSTYPE_IS_DECLARED 1
74 | #endif
75 |
76 |
77 |
78 | int hex_yyparse (void *yyscanner, HEX_LEX_ENVIRONMENT *lex_env);
79 |
80 | #endif /* !YY_HEX_YY_HEX_GRAMMAR_H_INCLUDED */
81 |
--------------------------------------------------------------------------------
/tests/oss-fuzz/dotnet_fuzzer.cc:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2017. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #include
31 | #include
32 |
33 | #include
34 |
35 | const char* RULES = \
36 | "import \"dotnet\""
37 | "rule test {"
38 | " condition:"
39 | " dotnet.module_name == \"foo.exe\""
40 | "}";
41 |
42 | YR_RULES* rules = NULL;
43 |
44 | extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv)
45 | {
46 | YR_COMPILER* compiler;
47 |
48 | if (yr_initialize() != ERROR_SUCCESS)
49 | return 0;
50 |
51 | if (yr_compiler_create(&compiler) != ERROR_SUCCESS)
52 | return 0;
53 |
54 | if (yr_compiler_add_string(compiler, RULES, NULL) == 0)
55 | yr_compiler_get_rules(compiler, &rules);
56 |
57 | yr_compiler_destroy(compiler);
58 |
59 | return 0;
60 | }
61 |
62 |
63 | int callback(int message, void* message_data, void* user_data)
64 | {
65 | return CALLBACK_CONTINUE;
66 | }
67 |
68 |
69 | extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
70 | {
71 | if (rules == NULL)
72 | return 0;
73 |
74 | yr_rules_scan_mem(
75 | rules,
76 | data,
77 | size,
78 | SCAN_FLAGS_NO_TRYCATCH,
79 | callback,
80 | NULL,
81 | 0);
82 |
83 | return 0;
84 | }
85 |
--------------------------------------------------------------------------------
/tests/oss-fuzz/macho_fuzzer.cc:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2017. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #include
31 | #include
32 |
33 | #include
34 |
35 | const char* RULES = \
36 | "import \"macho\""
37 | "rule test {"
38 | " condition:"
39 | " macho.segments[1].sections[0].segname == \"__TEXT\""
40 | "}";
41 |
42 | YR_RULES* rules = NULL;
43 |
44 | extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv)
45 | {
46 | YR_COMPILER* compiler;
47 |
48 | if (yr_initialize() != ERROR_SUCCESS)
49 | return 0;
50 |
51 | if (yr_compiler_create(&compiler) != ERROR_SUCCESS)
52 | return 0;
53 |
54 | if (yr_compiler_add_string(compiler, RULES, NULL) == 0)
55 | yr_compiler_get_rules(compiler, &rules);
56 |
57 | yr_compiler_destroy(compiler);
58 |
59 | return 0;
60 | }
61 |
62 |
63 | int callback(int message, void* message_data, void* user_data)
64 | {
65 | return CALLBACK_CONTINUE;
66 | }
67 |
68 |
69 | extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
70 | {
71 | if (rules == NULL)
72 | return 0;
73 |
74 | yr_rules_scan_mem(
75 | rules,
76 | data,
77 | size,
78 | SCAN_FLAGS_NO_TRYCATCH,
79 | callback,
80 | NULL,
81 | 0);
82 |
83 | return 0;
84 | }
85 |
--------------------------------------------------------------------------------
/tests/oss-fuzz/pe_fuzzer.cc:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2017. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #include
31 | #include
32 |
33 | #include
34 |
35 | const char* RULES = \
36 | "import \"pe\""
37 | "rule test {"
38 | " condition:"
39 | " pe.rva_to_offset(pe.sections[0].virtual_address) == pe.sections[0].raw_data_offset"
40 | "}";
41 |
42 | YR_RULES* rules = NULL;
43 |
44 | extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv)
45 | {
46 | YR_COMPILER* compiler;
47 |
48 | if (yr_initialize() != ERROR_SUCCESS)
49 | return 0;
50 |
51 | if (yr_compiler_create(&compiler) != ERROR_SUCCESS)
52 | return 0;
53 |
54 | if (yr_compiler_add_string(compiler, RULES, NULL) == 0)
55 | yr_compiler_get_rules(compiler, &rules);
56 |
57 | yr_compiler_destroy(compiler);
58 |
59 | return 0;
60 | }
61 |
62 |
63 | int callback(int message, void* message_data, void* user_data)
64 | {
65 | return CALLBACK_CONTINUE;
66 | }
67 |
68 |
69 | extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
70 | {
71 | if (rules == NULL)
72 | return 0;
73 |
74 | yr_rules_scan_mem(
75 | rules,
76 | data,
77 | size,
78 | SCAN_FLAGS_NO_TRYCATCH,
79 | callback,
80 | NULL,
81 | 0);
82 |
83 | return 0;
84 | }
--------------------------------------------------------------------------------
/tests/test-stack.c:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2018. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 |
31 | #include
32 | #include
33 | #include "util.h"
34 |
35 |
36 | int main(int argc, char** argv)
37 | {
38 | YR_STACK* stack;
39 |
40 | int item;
41 |
42 | yr_initialize();
43 | yr_stack_create(1, sizeof(item), &stack);
44 |
45 | item = 1;
46 |
47 | if (yr_stack_push(stack, &item) != ERROR_SUCCESS)
48 | exit(EXIT_FAILURE);
49 |
50 | item = 2;
51 |
52 | if (yr_stack_push(stack, &item) != ERROR_SUCCESS)
53 | exit(EXIT_FAILURE);
54 |
55 | item = 3;
56 |
57 | if (yr_stack_push(stack, &item) != ERROR_SUCCESS)
58 | exit(EXIT_FAILURE);
59 |
60 | item = 4;
61 |
62 | if (yr_stack_push(stack, &item) != ERROR_SUCCESS)
63 | exit(EXIT_FAILURE);
64 |
65 | if (!yr_stack_pop(stack, &item) || item != 4)
66 | exit(EXIT_FAILURE);
67 |
68 | if (!yr_stack_pop(stack, &item) || item != 3)
69 | exit(EXIT_FAILURE);
70 |
71 | if (!yr_stack_pop(stack, &item) || item != 2)
72 | exit(EXIT_FAILURE);
73 |
74 | if (!yr_stack_pop(stack, &item) || item != 1)
75 | exit(EXIT_FAILURE);
76 |
77 | if (yr_stack_pop(stack, &item) || item != 1)
78 | exit(EXIT_FAILURE);
79 |
80 | yr_stack_destroy(stack);
81 | yr_finalize();
82 | return 0;
83 | }
84 |
--------------------------------------------------------------------------------
/appveyor.yml:
--------------------------------------------------------------------------------
1 | # AppVeyor CI for Windows
2 |
3 | version: '{branch}-{build}'
4 |
5 | pull_requests:
6 | do_not_increment_build_number: true
7 |
8 | environment:
9 | matrix:
10 | - TARGET: vs2015
11 | APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2015
12 | VisualStudioVersion: 14.0
13 | platform: x86
14 | configuration: Release
15 | artifact_postfix: win32
16 | - TARGET: vs2015
17 | APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2015
18 | VisualStudioVersion: 14.0
19 | platform: x86
20 | configuration: Debug
21 | - TARGET: vs2015
22 | APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2015
23 | VisualStudioVersion: 14.0
24 | platform: x64
25 | configuration: Release
26 | artifact_postfix: win64
27 | - TARGET: vs2015
28 | APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2015
29 | VisualStudioVersion: 14.0
30 | platform: x64
31 | configuration: Debug
32 | - TARGET: cygwin
33 |
34 | for:
35 | -
36 | matrix:
37 | only:
38 | - TARGET: cygwin
39 |
40 | build_script:
41 | - cmd: C:\cygwin64\bin\bash -e -l -c "cd c:/projects/yara && ./build.sh"
42 |
43 | test_script:
44 | - cmd: C:\cygwin64\bin\bash -e -l -c "cd c:/projects/yara && make check"
45 |
46 | -
47 | matrix:
48 | only:
49 | - TARGET: vs2015
50 | - configuration: Release
51 |
52 | before_build:
53 | - ps: nuget restore windows/vs2015/yara.sln
54 |
55 | build:
56 | project: windows/vs2015/yara.sln
57 | verbosity: minimal
58 |
59 | after_build:
60 | - cmd: 7z a yara-%APPVEYOR_BUILD_VERSION%-%ARTIFACT_POSTFIX%.zip %APPVEYOR_BUILD_FOLDER%\windows\%TARGET%\%CONFIGURATION%\*.exe
61 |
62 | artifacts:
63 | - path: yara-$(APPVEYOR_BUILD_VERSION)-$(ARTIFACT_POSTFIX).zip
64 | name: yara-$(APPVEYOR_BUILD_VERSION)-$(ARTIFACT_POSTFIX)
65 | type: zip
66 |
67 | deploy:
68 | tag: $(APPVEYOR_REPO_TAG_NAME)
69 | release: YARA $(APPVEYOR_REPO_TAG_NAME)
70 | provider: GitHub
71 | auth_token:
72 | secure: d3qqX7bmrBiKJI38yFPc5vHrGGfS3LxLC7FaG6ewI2ghPPE22Pk6QtyrEFFb73PL
73 | artifact: yara-$(APPVEYOR_BUILD_VERSION)-$(ARTIFACT_POSTFIX)
74 | draft: true
75 | on:
76 | APPVEYOR_REPO_TAG: true # deploy on tag push only
77 |
78 | test: off
79 |
80 | -
81 | matrix:
82 | only:
83 | - TARGET: vs2015
84 | - configuration: Debug
85 |
86 | before_build:
87 | - ps: nuget restore windows/vs2015/yara.sln
88 |
89 | build:
90 | project: windows/vs2015/yara.sln
91 | verbosity: minimal
92 |
93 | test: off
94 |
95 | # Uncomment the lines below for enabling Remote Desktop in the Appveyor. This
96 | # allows connecting to the remote machine and debug issues.
97 | # on_finish:
98 | # - ps: $blockRdp = $true; iex ((new-object net.webclient).DownloadString('https://raw.githubusercontent.com/appveyor/ci/master/scripts/enable-rdp.ps1'))
99 |
--------------------------------------------------------------------------------
/libyara/include/yara/bitmask.h:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2018. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #ifndef YR_BITMASK_H
31 | #define YR_BITMASK_H
32 |
33 | #include
34 |
35 |
36 | #define YR_BITMASK unsigned long
37 |
38 | #define YR_BITMASK_SLOT_BITS (sizeof(YR_BITMASK) * 8)
39 | #define YR_BITMASK_SIZE(n) (((n) / (YR_BITMASK_SLOT_BITS)) + 1)
40 |
41 |
42 | #define yr_bitmask_set(bm, i) \
43 | do { \
44 | (bm)[(i) / YR_BITMASK_SLOT_BITS] |= 1UL << ((i) % YR_BITMASK_SLOT_BITS); \
45 | } while(0)
46 |
47 |
48 | #define yr_bitmask_clear(bm, i) \
49 | do { \
50 | (bm)[(i) / YR_BITMASK_SLOT_BITS] &= ~(1UL << ((i) % YR_BITMASK_SLOT_BITS)); \
51 | } while(0)
52 |
53 |
54 | #define yr_bitmask_clear_all(bm) \
55 | memset(bm, 0, sizeof(bm))
56 |
57 |
58 | #define yr_bitmask_isset(bm, i) \
59 | ( \
60 | (bm)[(i) / YR_BITMASK_SLOT_BITS] & (1UL << ((i) % YR_BITMASK_SLOT_BITS)) \
61 | )
62 |
63 |
64 | #define yr_bitmask_print(bm) \
65 | { \
66 | int i; \
67 | for (i = 0; i < sizeof(bm) / sizeof(bm[0]); i++) { \
68 | printf("%016lX\n", bm[i]); \
69 | } \
70 | }
71 |
72 |
73 | uint32_t yr_bitmask_find_non_colliding_offset(
74 | YR_BITMASK* a,
75 | YR_BITMASK* b,
76 | uint32_t len_a,
77 | uint32_t len_b,
78 | uint32_t* off_a);
79 |
80 | #endif
81 |
--------------------------------------------------------------------------------
/libyara/include/yara/filemap.h:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2007-2015. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #ifndef YR_FILEMAP_H
31 | #define YR_FILEMAP_H
32 |
33 | #include
34 |
35 | #if defined(_WIN32) || defined(__CYGWIN__)
36 | #include
37 | #define YR_FILE_DESCRIPTOR HANDLE
38 | #else
39 | #define YR_FILE_DESCRIPTOR int
40 | #endif
41 |
42 | #include
43 |
44 | #include
45 | #include
46 |
47 |
48 | typedef struct _YR_MAPPED_FILE
49 | {
50 | YR_FILE_DESCRIPTOR file;
51 | size_t size;
52 | const uint8_t* data;
53 | #if defined(_WIN32) || defined(__CYGWIN__)
54 | HANDLE mapping;
55 | #endif
56 |
57 | } YR_MAPPED_FILE;
58 |
59 |
60 | YR_API int yr_filemap_map(
61 | const char* file_path,
62 | YR_MAPPED_FILE* pmapped_file);
63 |
64 |
65 | YR_API int yr_filemap_map_fd(
66 | YR_FILE_DESCRIPTOR file,
67 | off_t offset,
68 | size_t size,
69 | YR_MAPPED_FILE* pmapped_file);
70 |
71 |
72 | YR_API int yr_filemap_map_ex(
73 | const char* file_path,
74 | off_t offset,
75 | size_t size,
76 | YR_MAPPED_FILE* pmapped_file);
77 |
78 |
79 | YR_API void yr_filemap_unmap(
80 | YR_MAPPED_FILE* pmapped_file);
81 |
82 |
83 | YR_API void yr_filemap_unmap_fd(
84 | YR_MAPPED_FILE* pmapped_file);
85 |
86 | #endif
87 |
--------------------------------------------------------------------------------
/sandbox/collect_matches.cc:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2019. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #include "sandbox/collect_matches.h"
31 |
32 | #include "libyara/include/yara.h"
33 | #include "sandbox/yara_matches.pb.h"
34 |
35 | namespace yara {
36 |
37 | int CollectMatches(int message, void* message_data, void* user_data) {
38 | if (message != CALLBACK_MSG_RULE_MATCHING) {
39 | return ERROR_SUCCESS; // There are no matching rules, simply return
40 | }
41 |
42 | auto* rule = static_cast(message_data);
43 | YR_META* rule_meta = rule->metas;
44 |
45 | auto* match = reinterpret_cast(user_data)->add_match();
46 | if (rule->ns != nullptr && rule->ns->name != nullptr) {
47 | match->mutable_id()->set_rule_namespace(rule->ns->name);
48 | }
49 | match->mutable_id()->set_rule_name(rule->identifier);
50 | while (!META_IS_NULL(rule_meta)) {
51 | auto* meta = match->add_meta();
52 | meta->set_identifier(rule_meta->identifier);
53 | switch (rule_meta->type) {
54 | case META_TYPE_BOOLEAN:
55 | case META_TYPE_INTEGER:
56 | meta->set_int_value(rule_meta->integer);
57 | break;
58 | case META_TYPE_STRING:
59 | meta->set_bytes_value(rule_meta->string);
60 | break;
61 | }
62 | ++rule_meta;
63 | }
64 |
65 | return ERROR_SUCCESS;
66 | }
67 |
68 | } // namespace yara
69 |
--------------------------------------------------------------------------------
/threading.h:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2013. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 |
31 | #ifndef THREADING_H
32 | #define THREADING_H
33 |
34 | #if defined(_WIN32) || defined(__CYGWIN__)
35 | #include
36 | #else
37 | #include
38 | #include
39 | #include
40 | #endif
41 |
42 | #if defined(_WIN32) || defined(__CYGWIN__)
43 |
44 | typedef HANDLE SEMAPHORE;
45 | typedef CRITICAL_SECTION MUTEX;
46 | typedef HANDLE THREAD;
47 |
48 | typedef LPTHREAD_START_ROUTINE THREAD_START_ROUTINE;
49 |
50 | #else
51 |
52 | typedef sem_t* SEMAPHORE;
53 | typedef pthread_mutex_t MUTEX;
54 | typedef pthread_t THREAD;
55 | typedef void *(*THREAD_START_ROUTINE) (void *);
56 |
57 | #endif
58 |
59 | int mutex_init(
60 | MUTEX* mutex);
61 |
62 | void mutex_destroy(
63 | MUTEX* mutex);
64 |
65 | void mutex_lock(
66 | MUTEX* mutex);
67 |
68 | void mutex_unlock(
69 | MUTEX* mutex);
70 |
71 | int semaphore_init(
72 | SEMAPHORE* semaphore,
73 | int value);
74 |
75 | void semaphore_destroy(
76 | SEMAPHORE* semaphore);
77 |
78 | void semaphore_wait(
79 | SEMAPHORE* semaphore);
80 |
81 | void semaphore_release(
82 | SEMAPHORE* semaphore);
83 |
84 | int create_thread(
85 | THREAD* thread,
86 | THREAD_START_ROUTINE start_routine,
87 | void* param);
88 |
89 | void thread_join(
90 | THREAD* thread);
91 |
92 | #endif
93 |
--------------------------------------------------------------------------------
/tests/test-re-split.c:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2019. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #include
31 | #include
32 | #include "util.h"
33 |
34 |
35 | int main(int argc, char** argv)
36 | {
37 | RE_AST* re_ast;
38 | RE_AST* re_ast_remain;
39 |
40 | RE_ERROR re_error;
41 |
42 | int32_t min_gap;
43 | int32_t max_gap;
44 |
45 | yr_initialize();
46 | yr_re_parse_hex(
47 | "{ 01 02 03 04 [0-300] 05 06 07 08 [1-400] 09 0A 0B 0C }",
48 | &re_ast, &re_error);
49 |
50 | assert(re_ast != NULL);
51 |
52 | yr_re_ast_split_at_chaining_point(
53 | re_ast, &re_ast_remain, &min_gap, &max_gap);
54 |
55 | assert(re_ast != NULL);
56 | assert(re_ast_remain != NULL);
57 | assert(min_gap == 0);
58 | assert(max_gap == 300);
59 |
60 | yr_re_ast_destroy(re_ast);
61 | re_ast = re_ast_remain;
62 |
63 | yr_re_ast_split_at_chaining_point(
64 | re_ast, &re_ast_remain, &min_gap, &max_gap);
65 |
66 | assert(re_ast != NULL);
67 | assert(re_ast_remain != NULL);
68 | assert(min_gap == 1);
69 | assert(max_gap == 400);
70 |
71 | yr_re_ast_destroy(re_ast);
72 | re_ast = re_ast_remain;
73 |
74 | yr_re_ast_split_at_chaining_point(
75 | re_ast, &re_ast_remain, &min_gap, &max_gap);
76 |
77 | assert(re_ast != NULL);
78 | assert(re_ast_remain == NULL);
79 |
80 | yr_re_ast_destroy(re_ast);
81 | yr_finalize();
82 | return 0;
83 | }
84 |
--------------------------------------------------------------------------------
/docs/modules/hash.rst:
--------------------------------------------------------------------------------
1 |
2 | .. _hash-module:
3 |
4 | ###########
5 | Hash module
6 | ###########
7 |
8 | .. versionadded:: 3.2.0
9 |
10 | The Hash module allows you to calculate hashes (MD5, SHA1, SHA256) from portions
11 | of your file and create signatures based on those hashes.
12 |
13 | .. important::
14 | This module depends on the OpenSSL library. Please refer to
15 | :ref:`compiling-yara` for information about how to build OpenSSL-dependant
16 | features into YARA.
17 |
18 | Good news for Windows users: this module is already included in the official
19 | Windows binaries.
20 |
21 | .. warning::
22 | The returned hash string is always in lowercase. This means that rule condition matching on hashes
23 | ``hash.md5(0, filesize) == "feba6c919e3797e7778e8f2e85fa033d"``
24 | requires the hash string to be given in lowercase, otherwise the match condition
25 | will not work. (see https://github.com/VirusTotal/yara/issues/1004)
26 |
27 | .. c:function:: md5(offset, size)
28 |
29 | Returns the MD5 hash for *size* bytes starting at *offset*. When scanning a
30 | running process the *offset* argument should be a virtual address within
31 | the process address space. The returned string is always in lowercase.
32 |
33 | *Example: hash.md5(0, filesize) == "feba6c919e3797e7778e8f2e85fa033d"*
34 |
35 | .. c:function:: md5(string)
36 |
37 | Returns the MD5 hash for the given string.
38 |
39 | *Example: hash.md5("dummy") == "275876e34cf609db118f3d84b799a790"*
40 |
41 | .. c:function:: sha1(offset, size)
42 |
43 | Returns the SHA1 hash for the *size* bytes starting at *offset*. When
44 | scanning a running process the *offset* argument should be a virtual address
45 | within the process address space. The returned string is always in
46 | lowercase.
47 |
48 | .. c:function:: sha1(string)
49 |
50 | Returns the SHA1 hash for the given string.
51 |
52 | .. c:function:: sha256(offset, size)
53 |
54 | Returns the SHA256 hash for the *size* bytes starting at *offset*. When
55 | scanning a running process the *offset* argument should be a virtual address
56 | within the process address space. The returned string is always in
57 | lowercase.
58 |
59 | .. c:function:: sha256(string)
60 |
61 | Returns the SHA256 hash for the given string.
62 |
63 | .. c:function:: checksum32(offset, size)
64 |
65 | Returns a 32-bit checksum for the *size* bytes starting at *offset*. The
66 | checksum is just the sum of all the bytes (unsigned).
67 |
68 | .. c:function:: checksum32(string)
69 |
70 | Returns a 32-bit checksum for the given string. The checksum is just the
71 | sum of all the bytes in the string (unsigned).
72 |
73 | .. c:function:: crc32(offset, size)
74 |
75 | Returns a crc32 checksum for the *size* bytes starting at *offset*.
76 |
77 | .. c:function:: crc32(string)
78 |
79 | Returns a crc32 checksum for the given string.
80 |
81 |
--------------------------------------------------------------------------------
/Makefile.am:
--------------------------------------------------------------------------------
1 | AM_CFLAGS=-std=gnu99 -Wall -I$(srcdir)/libyara/include
2 |
3 | if DEBUG
4 | AM_CFLAGS+=-g
5 | endif
6 |
7 | if OPTIMIZATION
8 | AM_CFLAGS+=-O3
9 | else
10 | AM_CFLAGS+=-O0
11 | endif
12 |
13 | if ADDRESS_SANITIZER
14 | AM_CFLAGS+=-fsanitize=address
15 | endif
16 |
17 | # Build the library in the hand subdirectory first.
18 | SUBDIRS = libyara
19 | DIST_SUBDIRS = libyara
20 |
21 | ACLOCAL_AMFLAGS=-I m4
22 |
23 | bin_PROGRAMS = yara yarac
24 |
25 | yara_SOURCES = args.c args.h common.h threading.c threading.h yara.c
26 | yara_LDADD = libyara/.libs/libyara.a #-Llibyara/.libs -lyara
27 |
28 | yarac_SOURCES = args.c args.h common.h yarac.c
29 | yarac_LDADD = -Llibyara/.libs -lyara
30 |
31 | test_alignment_SOURCES = tests/test-alignment.c
32 | test_atoms_SOURCES = tests/test-atoms.c tests/util.c libyara/atoms.c
33 | test_atoms_LDADD = libyara/.libs/libyara.a
34 | test_rules_SOURCES = tests/test-rules.c tests/util.c
35 | test_rules_LDADD = libyara/.libs/libyara.a
36 | test_pe_SOURCES = tests/test-pe.c tests/util.c
37 | test_pe_LDADD = libyara/.libs/libyara.a
38 | test_elf_SOURCES = tests/test-elf.c tests/util.c
39 | test_elf_LDADD = libyara/.libs/libyara.a
40 | test_version_SOURCES = tests/test-version.c
41 | test_api_LDADD = libyara/.libs/libyara.a
42 | test_api_SOURCES = tests/test-api.c tests/util.c
43 | test_bitmask_SOURCES = tests/test-bitmask.c
44 | test_bitmask_LDADD = libyara/.libs/libyara.a
45 | test_math_SOURCES = tests/test-math.c tests/util.c
46 | test_math_LDADD = libyara/.libs/libyara.a
47 | test_stack_SOURCES = tests/test-stack.c
48 | test_stack_LDADD = libyara/.libs/libyara.a
49 | test_re_split_SOURCES = tests/test-re-split.c
50 | test_re_split_LDADD = libyara/.libs/libyara.a
51 |
52 | TESTS = $(check_PROGRAMS)
53 | TESTS_ENVIRONMENT = TOP_SRCDIR=$(top_srcdir)
54 |
55 | check_PROGRAMS = test-alignment \
56 | test-atoms \
57 | test-api \
58 | test-rules \
59 | test-pe \
60 | test-elf \
61 | test-version \
62 | test-bitmask \
63 | test-math \
64 | test-stack \
65 | test-re-split
66 |
67 | if POSIX
68 | # The -fsanitize=address option makes test-exception fail. Include the test
69 | # only if the option is not enabled.
70 | if !ADDRESS_SANITIZER
71 | check_PROGRAMS+=test-exception
72 | test_exception_SOURCES = tests/test-exception.c tests/util.c
73 | test_exception_LDADD = libyara/.libs/libyara.a
74 | endif
75 | endif
76 |
77 | if MACHO_MODULE
78 | check_PROGRAMS+=test-macho
79 | test_macho_SOURCES = tests/test-macho.c tests/util.c
80 | test_macho_LDADD = libyara/.libs/libyara.a
81 | endif
82 |
83 | if DEX_MODULE
84 | check_PROGRAMS+=test-dex
85 | test_dex_SOURCES = tests/test-dex.c tests/util.c
86 | test_dex_LDADD = libyara/.libs/libyara.a
87 | endif
88 |
89 | if DOTNET_MODULE
90 | check_PROGRAMS+=test-dotnet
91 | test_dotnet_SOURCES = tests/test-dotnet.c tests/util.c
92 | test_dotnet_LDADD = libyara/.libs/libyara.a
93 | endif
94 |
95 | # man pages
96 | man1_MANS = yara.man yarac.man
97 |
98 | EXTRA_DIST = $(man1_MANS) README.md bootstrap.sh
99 |
--------------------------------------------------------------------------------
/WORKSPACE:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2019. The YARA Authors. All Rights Reserved.
2 | #
3 | # Redistribution and use in source and binary forms, with or without modification,
4 | # are permitted provided that the following conditions are met:
5 | #
6 | # 1. Redistributions of source code must retain the above copyright notice, this
7 | # list of conditions and the following disclaimer.
8 | #
9 | # 2. Redistributions in binary form must reproduce the above copyright notice,
10 | # this list of conditions and the following disclaimer in the documentation and/or
11 | # other materials provided with the distribution.
12 | #
13 | # 3. Neither the name of the copyright holder nor the names of its contributors
14 | # may be used to endorse or promote products derived from this software without
15 | # specific prior written permission.
16 | #
17 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
18 | # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
19 | # WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
21 | # ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
22 | # (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
23 | # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
24 | # ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25 | # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
26 | # SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27 |
28 | load("@bazel_tools//tools/build_defs/repo:git.bzl", "git_repository")
29 | load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
30 |
31 | # BoringSSL, see
32 | # https://boringssl.googlesource.com/boringssl/+/master/INCORPORATING.md#bazel
33 | git_repository(
34 | name = "boringssl",
35 | commit = "095d78b14f91cc9a910408eaae84a3bdafc54da9", # 2019-06-05
36 | remote = "https://boringssl.googlesource.com/boringssl",
37 | shallow_since = "1559759280 +0000",
38 | )
39 |
40 | # Sandboxed API
41 | git_repository(
42 | name = "com_google_sandboxed_api",
43 | commit = "2301e05097818734f59b881d7fbe1624c17fc840", # 2019-07-08
44 | remote = "https://github.com/google/sandboxed-api.git",
45 | shallow_since = "1562590596 -0700",
46 | )
47 |
48 | load(
49 | "@com_google_sandboxed_api//sandboxed_api/bazel:sapi_deps.bzl",
50 | "sapi_deps",
51 | )
52 |
53 | sapi_deps()
54 |
55 | load("@com_google_protobuf//:protobuf_deps.bzl", "protobuf_deps")
56 |
57 | protobuf_deps()
58 |
59 | # GoogleTest/GoogleMock for testing the sandbox
60 | http_archive(
61 | name = "com_google_googletest",
62 | sha256 = "baed63b97595c32667694de0a434f8f23da59609c4a44f3360ba94b0abd5c583",
63 | strip_prefix = "googletest-8ffb7e5c88b20a297a2e786c480556467496463b",
64 | urls = ["https://github.com/google/googletest/archive/8ffb7e5c88b20a297a2e786c480556467496463b.zip"], # 2019-05-30
65 | )
66 |
--------------------------------------------------------------------------------
/libyara/include/yara/ahocorasick.h:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2013. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #ifndef _AHOCORASICK_H
31 | #define _AHOCORASICK_H
32 |
33 | #include
34 | #include
35 | #include
36 |
37 | // Number of bits dedicated to store the offset of the slot relative to its
38 | // own state.
39 | #define YR_AC_SLOT_OFFSET_BITS 9
40 |
41 | // Max number of slots in the transition table. This is the maximum number of
42 | // slots that can be addressed with 23-bit indexes.
43 | #define YR_AC_MAX_TRANSITION_TABLE_SIZE 0x800000
44 |
45 | #define YR_AC_ROOT_STATE 0
46 | #define YR_AC_NEXT_STATE(t) (t >> YR_AC_SLOT_OFFSET_BITS)
47 | #define YR_AC_INVALID_TRANSITION(t, c) (((t) & 0x1FF) != c)
48 |
49 | #define YR_AC_MAKE_TRANSITION(state, code) \
50 | ((YR_AC_TRANSITION) \
51 | ((((YR_AC_TRANSITION) state) << YR_AC_SLOT_OFFSET_BITS) | (code)))
52 |
53 |
54 | int yr_ac_automaton_create(
55 | YR_AC_AUTOMATON** automaton);
56 |
57 |
58 | int yr_ac_automaton_destroy(
59 | YR_AC_AUTOMATON* automaton);
60 |
61 |
62 | int yr_ac_add_string(
63 | YR_AC_AUTOMATON* automaton,
64 | YR_STRING* string,
65 | YR_ATOM_LIST_ITEM* atom,
66 | YR_ARENA* matches_arena);
67 |
68 |
69 | int yr_ac_compile(
70 | YR_AC_AUTOMATON* automaton,
71 | YR_ARENA* arena,
72 | YR_AC_TABLES* tables);
73 |
74 |
75 | void yr_ac_print_automaton(
76 | YR_AC_AUTOMATON* automaton);
77 |
78 |
79 | #endif
80 |
--------------------------------------------------------------------------------
/dist/yara.spec:
--------------------------------------------------------------------------------
1 | ##
2 | ## Copyright (c) 2007-2015. The YARA Authors. All Rights Reserved.
3 | ## Licensed under the Apache License, Version 2.0 (the "License");
4 | ## you may not use this file except in compliance with the License.
5 | ## You may obtain a copy of the License at
6 | ## http://www.apache.org/licenses/LICENSE-2.0
7 | ## Unless required by applicable law or agreed to in writing, software
8 | ## distributed under the License is distributed on an "AS IS" BASIS,
9 | ## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
10 | ## See the License for the specific language governing permissions and
11 | ## limitations under the License.
12 | ##
13 |
14 | Name: yara
15 | Version: 3.2.0
16 | Release: 1
17 | License: Apache License 2.0
18 | Summary: A malware identification and classification tool
19 | Url: http://plusvic.github.io/yara/
20 | Group: System/Filesystems
21 | Source: yara-%{version}.tar.gz
22 | BuildRoot: %{_tmppath}/%{name}-%{version}-build
23 | BuildRequires: autoconf automake libtool
24 |
25 | %description
26 | YARA is a tool aimed at helping malware researchers to identify and classify
27 | malware samples. With YARA you can create descriptions of malware families
28 | based on textual or binary patterns contained on samples of those families.
29 |
30 | %package -n libyara
31 | Summary: Library to support the yara malware identification tool
32 | Group: System/Libraries
33 |
34 | %description -n libyara
35 | YARA is a tool aimed at helping malware researchers to identify and classify
36 | malware samples. With YARA you can create descriptions of malware families
37 | based on textual or binary patterns contained on samples of those families.
38 |
39 | %package -n yara-devel
40 | Summary: Development files to support the yara malware identification tool
41 | Group: Development/Libraries/C and C++
42 | Requires: libyara = %{version}-%{release}
43 |
44 | %description -n yara-devel
45 | YARA is a tool aimed at helping malware researchers to identify and classify
46 | malware samples. With YARA you can create descriptions of malware families
47 | based on textual or binary patterns contained on samples of those families.
48 |
49 | %prep
50 | %setup -q
51 |
52 | %build
53 | ./bootstrap.sh
54 | ./configure
55 | make
56 |
57 | %install
58 | make install DESTDIR=%{buildroot} bindir=%{_bindir} libdir=%{_libdir} includedir=%{_includedir} mandir=%{_mandir} INSTALL="install -p"
59 |
60 | %post -n libyara -p /sbin/ldconfig
61 |
62 | %postun -n libyara -p /sbin/ldconfig
63 |
64 | %files
65 | %defattr(-,root,root)
66 | %{_bindir}/yara
67 | %{_bindir}/yarac
68 | %{_mandir}/man1/*
69 |
70 | %files -n libyara
71 | %defattr(-,root,root)
72 | %{_libdir}/libyara.so*
73 | %{_libdir}/pkgconfig/yara.pc
74 |
75 | %files -n yara-devel
76 | %defattr(-,root,root)
77 | %{_includedir}/yara.h
78 | %{_includedir}/yara/*
79 | %{_libdir}/libyara.a
80 | %{_libdir}/libyara.la
81 |
82 |
83 | %changelog
84 | * Sat Jan 25 2015 Domingo Kiser 3.2.0-1
85 | Initial Creation.
86 |
--------------------------------------------------------------------------------
/libyara/include/yara/libyara.h:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2014. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #ifndef YR_LIBYARA_H
31 | #define YR_LIBYARA_H
32 |
33 | #include
34 |
35 | #define YR_MAJOR_VERSION 3
36 | #define YR_MINOR_VERSION 11
37 | #define YR_MICRO_VERSION 0
38 |
39 | #define version_str(s) _version_str(s)
40 | #define _version_str(s) #s
41 |
42 | // Version as a string
43 | #define YR_VERSION version_str(YR_MAJOR_VERSION) \
44 | "." version_str(YR_MINOR_VERSION) \
45 | "." version_str(YR_MICRO_VERSION)
46 |
47 | // Version as a single 4-byte hex number, e.g. 0x030401 == 3.4.1.
48 | #define YR_VERSION_HEX ((YR_MAJOR_VERSION << 16) | \
49 | (YR_MINOR_VERSION << 8) | \
50 | (YR_MICRO_VERSION << 0))
51 |
52 |
53 | // Enumerated type listing configuration options
54 | typedef enum _YR_CONFIG_NAME
55 | {
56 | YR_CONFIG_STACK_SIZE,
57 | YR_CONFIG_MAX_STRINGS_PER_RULE,
58 | YR_CONFIG_MAX_MATCH_DATA,
59 |
60 | YR_CONFIG_LAST // End-of-enum marker, not a configuration
61 |
62 | } YR_CONFIG_NAME;
63 |
64 |
65 | #define DEFAULT_STACK_SIZE 16384
66 | #define DEFAULT_MAX_STRINGS_PER_RULE 10000
67 | #define DEFAULT_MAX_MATCH_DATA 512
68 |
69 |
70 | YR_API int yr_initialize(void);
71 |
72 |
73 | YR_API int yr_finalize(void);
74 |
75 |
76 | YR_DEPRECATED_API void yr_finalize_thread(void);
77 |
78 |
79 | YR_API int yr_get_tidx(void);
80 |
81 |
82 | YR_API void yr_set_tidx(int);
83 |
84 |
85 | YR_API int yr_set_configuration(YR_CONFIG_NAME, void*);
86 |
87 |
88 | YR_API int yr_get_configuration(YR_CONFIG_NAME, void*);
89 |
90 |
91 | #endif
92 |
--------------------------------------------------------------------------------
/libyara/include/yara/pe_utils.h:
--------------------------------------------------------------------------------
1 | #ifndef YR_PE_UTILS_H
2 | #define YR_PE_UTILS_H
3 |
4 | #include
5 |
6 | #define MAX_PE_SECTIONS 96
7 |
8 |
9 | #define IS_64BITS_PE(pe) \
10 | (yr_le16toh(pe->header64->OptionalHeader.Magic) == IMAGE_NT_OPTIONAL_HDR64_MAGIC)
11 |
12 |
13 | #define OptionalHeader(pe,field) \
14 | (IS_64BITS_PE(pe) ? \
15 | pe->header64->OptionalHeader.field : \
16 | pe->header->OptionalHeader.field)
17 |
18 |
19 | //
20 | // Imports are stored in a linked list. Each node (IMPORTED_DLL) contains the
21 | // name of the DLL and a pointer to another linked list of
22 | // IMPORT_EXPORT_FUNCTION structures containing the details of imported
23 | // functions.
24 | //
25 |
26 | typedef struct _IMPORTED_DLL
27 | {
28 | char *name;
29 |
30 | struct _IMPORT_FUNCTION *functions;
31 | struct _IMPORTED_DLL *next;
32 |
33 | } IMPORTED_DLL, *PIMPORTED_DLL;
34 |
35 |
36 | //
37 | // This is used to track imported and exported functions. The "has_ordinal"
38 | // field is only used in the case of imports as those are optional. Every export
39 | // has an ordinal so we don't need the field there, but in the interest of
40 | // keeping duplicate code to a minimum we use this function for both imports and
41 | // exports.
42 | //
43 |
44 | typedef struct _IMPORT_FUNCTION
45 | {
46 | char *name;
47 | uint8_t has_ordinal;
48 | uint16_t ordinal;
49 |
50 | struct _IMPORT_FUNCTION *next;
51 |
52 | } IMPORT_FUNCTION, *PIMPORT_FUNCTION;
53 |
54 |
55 | typedef struct _EXPORT_FUNCTION
56 | {
57 | char *name;
58 | uint16_t ordinal;
59 | } EXPORT_FUNCTION, *PEXPORT_FUNCTION;
60 |
61 |
62 | typedef struct _EXPORT_FUNCTIONS
63 | {
64 | uint32_t number_of_exports;
65 | EXPORT_FUNCTION* functions;
66 | } EXPORT_FUNCTIONS, *PEXPORT_FUNCTIONS;
67 |
68 |
69 | typedef struct _PE
70 | {
71 | const uint8_t* data;
72 | size_t data_size;
73 |
74 | union {
75 | PIMAGE_NT_HEADERS32 header;
76 | PIMAGE_NT_HEADERS64 header64;
77 | };
78 |
79 | YR_HASH_TABLE* hash_table;
80 | YR_OBJECT* object;
81 | IMPORTED_DLL* imported_dlls;
82 | EXPORT_FUNCTIONS* exported_functions;
83 |
84 | uint32_t resources;
85 |
86 | } PE;
87 |
88 |
89 | #define fits_in_pe(pe, pointer, size) \
90 | ((size_t) size <= pe->data_size && \
91 | (uint8_t*) (pointer) >= pe->data && \
92 | (uint8_t*) (pointer) <= pe->data + pe->data_size - size)
93 |
94 | #define struct_fits_in_pe(pe, pointer, struct_type) \
95 | fits_in_pe(pe, pointer, sizeof(struct_type))
96 |
97 |
98 | PIMAGE_NT_HEADERS32 pe_get_header(
99 | const uint8_t* data,
100 | size_t data_size);
101 |
102 |
103 | PIMAGE_DATA_DIRECTORY pe_get_directory_entry(
104 | PE* pe,
105 | int entry);
106 |
107 |
108 | int64_t pe_rva_to_offset(
109 | PE* pe,
110 | uint64_t rva);
111 |
112 |
113 | char *ord_lookup(
114 | char *dll,
115 | uint16_t ord);
116 |
117 |
118 | #if HAVE_LIBCRYPTO
119 | #include
120 | time_t ASN1_get_time_t(ASN1_TIME* time);
121 | #endif
122 |
123 | #endif
124 |
--------------------------------------------------------------------------------
/libyara/proc.c:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2007-2013. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #include
31 | #include
32 | #include
33 |
34 | int _yr_process_attach(int, YR_PROC_ITERATOR_CTX*);
35 | int _yr_process_detach(YR_PROC_ITERATOR_CTX*);
36 |
37 | YR_API int yr_process_open_iterator(
38 | int pid,
39 | YR_MEMORY_BLOCK_ITERATOR* iterator)
40 | {
41 | YR_PROC_ITERATOR_CTX* context = (YR_PROC_ITERATOR_CTX*) \
42 | yr_malloc(sizeof(YR_PROC_ITERATOR_CTX));
43 |
44 | if (context == NULL)
45 | return ERROR_INSUFFICIENT_MEMORY;
46 |
47 | iterator->context = context;
48 | iterator->first = yr_process_get_first_memory_block;
49 | iterator->next = yr_process_get_next_memory_block;
50 |
51 | context->buffer = NULL;
52 | context->buffer_size = 0;
53 | context->current_block.base = 0;
54 | context->current_block.size = 0;
55 | context->current_block.context = context;
56 | context->current_block.fetch_data = yr_process_fetch_memory_block_data;
57 | context->proc_info = NULL;
58 |
59 | FAIL_ON_ERROR_WITH_CLEANUP(
60 | _yr_process_attach(pid, context),
61 | yr_free(context));
62 |
63 | return ERROR_SUCCESS;
64 | }
65 |
66 |
67 | YR_API int yr_process_close_iterator(
68 | YR_MEMORY_BLOCK_ITERATOR* iterator)
69 | {
70 | YR_PROC_ITERATOR_CTX* context = (YR_PROC_ITERATOR_CTX*) iterator->context;
71 |
72 | if (context != NULL)
73 | {
74 | _yr_process_detach(context);
75 |
76 | if (context->buffer != NULL)
77 | yr_free((void*) context->buffer);
78 |
79 | yr_free(context->proc_info);
80 | yr_free(context);
81 |
82 | iterator->context = NULL;
83 | }
84 |
85 | return ERROR_SUCCESS;
86 | }
87 |
--------------------------------------------------------------------------------
/windows/vs2015/yara.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 14
4 | VisualStudioVersion = 14.0.25123.0
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libyara", "libyara\libyara.vcxproj", "{E236CE39-D8F3-4DB6-985C-F2794FF17746}"
7 | EndProject
8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "yara", "yara\yara.vcxproj", "{DF8232C7-D8C1-4D05-9921-F8F504134410}"
9 | ProjectSection(ProjectDependencies) = postProject
10 | {E236CE39-D8F3-4DB6-985C-F2794FF17746} = {E236CE39-D8F3-4DB6-985C-F2794FF17746}
11 | EndProjectSection
12 | EndProject
13 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "yarac", "yarac\yarac.vcxproj", "{7C72350B-AA5B-41AD-8957-CE3924A7F11B}"
14 | ProjectSection(ProjectDependencies) = postProject
15 | {E236CE39-D8F3-4DB6-985C-F2794FF17746} = {E236CE39-D8F3-4DB6-985C-F2794FF17746}
16 | EndProjectSection
17 | EndProject
18 | Global
19 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
20 | Debug|x64 = Debug|x64
21 | Debug|x86 = Debug|x86
22 | Release|x64 = Release|x64
23 | Release|x86 = Release|x86
24 | EndGlobalSection
25 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
26 | {E236CE39-D8F3-4DB6-985C-F2794FF17746}.Debug|x64.ActiveCfg = Debug|x64
27 | {E236CE39-D8F3-4DB6-985C-F2794FF17746}.Debug|x64.Build.0 = Debug|x64
28 | {E236CE39-D8F3-4DB6-985C-F2794FF17746}.Debug|x86.ActiveCfg = Debug|Win32
29 | {E236CE39-D8F3-4DB6-985C-F2794FF17746}.Debug|x86.Build.0 = Debug|Win32
30 | {E236CE39-D8F3-4DB6-985C-F2794FF17746}.Release|x64.ActiveCfg = Release|x64
31 | {E236CE39-D8F3-4DB6-985C-F2794FF17746}.Release|x64.Build.0 = Release|x64
32 | {E236CE39-D8F3-4DB6-985C-F2794FF17746}.Release|x86.ActiveCfg = Release|Win32
33 | {E236CE39-D8F3-4DB6-985C-F2794FF17746}.Release|x86.Build.0 = Release|Win32
34 | {DF8232C7-D8C1-4D05-9921-F8F504134410}.Debug|x64.ActiveCfg = Debug|x64
35 | {DF8232C7-D8C1-4D05-9921-F8F504134410}.Debug|x64.Build.0 = Debug|x64
36 | {DF8232C7-D8C1-4D05-9921-F8F504134410}.Debug|x86.ActiveCfg = Debug|Win32
37 | {DF8232C7-D8C1-4D05-9921-F8F504134410}.Debug|x86.Build.0 = Debug|Win32
38 | {DF8232C7-D8C1-4D05-9921-F8F504134410}.Release|x64.ActiveCfg = Release|x64
39 | {DF8232C7-D8C1-4D05-9921-F8F504134410}.Release|x64.Build.0 = Release|x64
40 | {DF8232C7-D8C1-4D05-9921-F8F504134410}.Release|x86.ActiveCfg = Release|Win32
41 | {DF8232C7-D8C1-4D05-9921-F8F504134410}.Release|x86.Build.0 = Release|Win32
42 | {7C72350B-AA5B-41AD-8957-CE3924A7F11B}.Debug|x64.ActiveCfg = Debug|x64
43 | {7C72350B-AA5B-41AD-8957-CE3924A7F11B}.Debug|x64.Build.0 = Debug|x64
44 | {7C72350B-AA5B-41AD-8957-CE3924A7F11B}.Debug|x86.ActiveCfg = Debug|Win32
45 | {7C72350B-AA5B-41AD-8957-CE3924A7F11B}.Debug|x86.Build.0 = Debug|Win32
46 | {7C72350B-AA5B-41AD-8957-CE3924A7F11B}.Release|x64.ActiveCfg = Release|x64
47 | {7C72350B-AA5B-41AD-8957-CE3924A7F11B}.Release|x64.Build.0 = Release|x64
48 | {7C72350B-AA5B-41AD-8957-CE3924A7F11B}.Release|x86.ActiveCfg = Release|Win32
49 | {7C72350B-AA5B-41AD-8957-CE3924A7F11B}.Release|x86.Build.0 = Release|Win32
50 | EndGlobalSection
51 | GlobalSection(SolutionProperties) = preSolution
52 | HideSolutionNode = FALSE
53 | EndGlobalSection
54 | EndGlobal
55 |
--------------------------------------------------------------------------------
/windows/vs2017/yara.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 14
4 | VisualStudioVersion = 14.0.25123.0
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libyara", "libyara\libyara.vcxproj", "{E236CE39-D8F3-4DB6-985C-F2794FF17746}"
7 | EndProject
8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "yara", "yara\yara.vcxproj", "{DF8232C7-D8C1-4D05-9921-F8F504134410}"
9 | ProjectSection(ProjectDependencies) = postProject
10 | {E236CE39-D8F3-4DB6-985C-F2794FF17746} = {E236CE39-D8F3-4DB6-985C-F2794FF17746}
11 | EndProjectSection
12 | EndProject
13 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "yarac", "yarac\yarac.vcxproj", "{7C72350B-AA5B-41AD-8957-CE3924A7F11B}"
14 | ProjectSection(ProjectDependencies) = postProject
15 | {E236CE39-D8F3-4DB6-985C-F2794FF17746} = {E236CE39-D8F3-4DB6-985C-F2794FF17746}
16 | EndProjectSection
17 | EndProject
18 | Global
19 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
20 | Debug|x64 = Debug|x64
21 | Debug|x86 = Debug|x86
22 | Release|x64 = Release|x64
23 | Release|x86 = Release|x86
24 | EndGlobalSection
25 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
26 | {E236CE39-D8F3-4DB6-985C-F2794FF17746}.Debug|x64.ActiveCfg = Debug|x64
27 | {E236CE39-D8F3-4DB6-985C-F2794FF17746}.Debug|x64.Build.0 = Debug|x64
28 | {E236CE39-D8F3-4DB6-985C-F2794FF17746}.Debug|x86.ActiveCfg = Debug|Win32
29 | {E236CE39-D8F3-4DB6-985C-F2794FF17746}.Debug|x86.Build.0 = Debug|Win32
30 | {E236CE39-D8F3-4DB6-985C-F2794FF17746}.Release|x64.ActiveCfg = Release|x64
31 | {E236CE39-D8F3-4DB6-985C-F2794FF17746}.Release|x64.Build.0 = Release|x64
32 | {E236CE39-D8F3-4DB6-985C-F2794FF17746}.Release|x86.ActiveCfg = Release|Win32
33 | {E236CE39-D8F3-4DB6-985C-F2794FF17746}.Release|x86.Build.0 = Release|Win32
34 | {DF8232C7-D8C1-4D05-9921-F8F504134410}.Debug|x64.ActiveCfg = Debug|x64
35 | {DF8232C7-D8C1-4D05-9921-F8F504134410}.Debug|x64.Build.0 = Debug|x64
36 | {DF8232C7-D8C1-4D05-9921-F8F504134410}.Debug|x86.ActiveCfg = Debug|Win32
37 | {DF8232C7-D8C1-4D05-9921-F8F504134410}.Debug|x86.Build.0 = Debug|Win32
38 | {DF8232C7-D8C1-4D05-9921-F8F504134410}.Release|x64.ActiveCfg = Release|x64
39 | {DF8232C7-D8C1-4D05-9921-F8F504134410}.Release|x64.Build.0 = Release|x64
40 | {DF8232C7-D8C1-4D05-9921-F8F504134410}.Release|x86.ActiveCfg = Release|Win32
41 | {DF8232C7-D8C1-4D05-9921-F8F504134410}.Release|x86.Build.0 = Release|Win32
42 | {7C72350B-AA5B-41AD-8957-CE3924A7F11B}.Debug|x64.ActiveCfg = Debug|x64
43 | {7C72350B-AA5B-41AD-8957-CE3924A7F11B}.Debug|x64.Build.0 = Debug|x64
44 | {7C72350B-AA5B-41AD-8957-CE3924A7F11B}.Debug|x86.ActiveCfg = Debug|Win32
45 | {7C72350B-AA5B-41AD-8957-CE3924A7F11B}.Debug|x86.Build.0 = Debug|Win32
46 | {7C72350B-AA5B-41AD-8957-CE3924A7F11B}.Release|x64.ActiveCfg = Release|x64
47 | {7C72350B-AA5B-41AD-8957-CE3924A7F11B}.Release|x64.Build.0 = Release|x64
48 | {7C72350B-AA5B-41AD-8957-CE3924A7F11B}.Release|x86.ActiveCfg = Release|Win32
49 | {7C72350B-AA5B-41AD-8957-CE3924A7F11B}.Release|x86.Build.0 = Release|Win32
50 | EndGlobalSection
51 | GlobalSection(SolutionProperties) = preSolution
52 | HideSolutionNode = FALSE
53 | EndGlobalSection
54 | EndGlobal
55 |
--------------------------------------------------------------------------------
/libyara/re_grammar.h:
--------------------------------------------------------------------------------
1 | /* A Bison parser, made by GNU Bison 3.0.5. */
2 |
3 | /* Bison interface for Yacc-like parsers in C
4 |
5 | Copyright (C) 1984, 1989-1990, 2000-2015, 2018 Free Software Foundation, Inc.
6 |
7 | This program is free software: you can redistribute it and/or modify
8 | it under the terms of the GNU General Public License as published by
9 | the Free Software Foundation, either version 3 of the License, or
10 | (at your option) any later version.
11 |
12 | This program is distributed in the hope that it will be useful,
13 | but WITHOUT ANY WARRANTY; without even the implied warranty of
14 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 | GNU General Public License for more details.
16 |
17 | You should have received a copy of the GNU General Public License
18 | along with this program. If not, see . */
19 |
20 | /* As a special exception, you may create a larger work that contains
21 | part or all of the Bison parser skeleton and distribute that work
22 | under terms of your choice, so long as that work isn't itself a
23 | parser generator using the skeleton or a modified version thereof
24 | as a parser skeleton. Alternatively, if you modify or redistribute
25 | the parser skeleton itself, you may (at your option) remove this
26 | special exception, which will cause the skeleton and the resulting
27 | Bison output files to be licensed under the GNU General Public
28 | License without this special exception.
29 |
30 | This special exception was added by the Free Software Foundation in
31 | version 2.2 of Bison. */
32 |
33 | #ifndef YY_RE_YY_RE_GRAMMAR_H_INCLUDED
34 | # define YY_RE_YY_RE_GRAMMAR_H_INCLUDED
35 | /* Debug traces. */
36 | #ifndef YYDEBUG
37 | # define YYDEBUG 0
38 | #endif
39 | #if YYDEBUG
40 | extern int re_yydebug;
41 | #endif
42 |
43 | /* Token type. */
44 | #ifndef YYTOKENTYPE
45 | # define YYTOKENTYPE
46 | enum yytokentype
47 | {
48 | _CHAR_ = 258,
49 | _ANY_ = 259,
50 | _RANGE_ = 260,
51 | _CLASS_ = 261,
52 | _WORD_CHAR_ = 262,
53 | _NON_WORD_CHAR_ = 263,
54 | _SPACE_ = 264,
55 | _NON_SPACE_ = 265,
56 | _DIGIT_ = 266,
57 | _NON_DIGIT_ = 267,
58 | _WORD_BOUNDARY_ = 268,
59 | _NON_WORD_BOUNDARY_ = 269
60 | };
61 | #endif
62 | /* Tokens. */
63 | #define _CHAR_ 258
64 | #define _ANY_ 259
65 | #define _RANGE_ 260
66 | #define _CLASS_ 261
67 | #define _WORD_CHAR_ 262
68 | #define _NON_WORD_CHAR_ 263
69 | #define _SPACE_ 264
70 | #define _NON_SPACE_ 265
71 | #define _DIGIT_ 266
72 | #define _NON_DIGIT_ 267
73 | #define _WORD_BOUNDARY_ 268
74 | #define _NON_WORD_BOUNDARY_ 269
75 |
76 | /* Value type. */
77 | #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
78 |
79 | union YYSTYPE
80 | {
81 | #line 73 "re_grammar.y" /* yacc.c:1916 */
82 |
83 | int integer;
84 | uint32_t range;
85 | RE_NODE* re_node;
86 | RE_CLASS* re_class;
87 |
88 | #line 89 "re_grammar.h" /* yacc.c:1916 */
89 | };
90 |
91 | typedef union YYSTYPE YYSTYPE;
92 | # define YYSTYPE_IS_TRIVIAL 1
93 | # define YYSTYPE_IS_DECLARED 1
94 | #endif
95 |
96 |
97 |
98 | int re_yyparse (void *yyscanner, RE_LEX_ENVIRONMENT *lex_env);
99 |
100 | #endif /* !YY_RE_YY_RE_GRAMMAR_H_INCLUDED */
101 |
--------------------------------------------------------------------------------
/extra/codemirror/yara.js:
--------------------------------------------------------------------------------
1 | /*
2 | Language mode for CodeMirror (https://codemirror.net/)
3 | */
4 |
5 | CodeMirror.defineMode("yara", function(config) {
6 | function words(str) {
7 | var obj = {}, words = str.split(" ");
8 | for (var i = 0; i < words.length; ++i) obj[words[i]] = true;
9 | return obj;
10 | }
11 | var keywords = words("all and any ascii at condition contains entrypoint filesize for " +
12 | "fullword global import in include int16 int32 int8 matches meta " +
13 | "nocase not of or private rule strings them uint16 uint32 " +
14 | "uint8 wide xor");
15 |
16 | var atoms = {"true": true, "false": true};
17 |
18 | var isOperatorChar = /[+\-*&%=<>!?|\/]/;
19 |
20 | function tokenBase(stream, state) {
21 | var ch = stream.next();
22 | if (ch == "#" && state.startOfLine) {
23 | stream.skipToEnd();
24 | return "meta";
25 | }
26 | if (/[\[\]{}\(\),;\:\.]/.test(ch)) {
27 | return null
28 | }
29 | if (/\d/.test(ch)) {
30 | stream.eatWhile(/[\w\.]/);
31 | return "number";
32 | }
33 | if (ch == "/") {
34 | if (stream.eat("/")) {
35 | stream.skipToEnd();
36 | return "comment";
37 | }
38 | if (stream.eat("*")) {
39 | state.tokenize = tokenComment;
40 | return tokenComment(stream, state);
41 | }
42 | }
43 | if (ch == '"' || ch == '/') {
44 | state.tokenize = tokenString(ch);
45 | return state.tokenize(stream, state);
46 | }
47 | if (isOperatorChar.test(ch)) {
48 | stream.eatWhile(isOperatorChar);
49 | return "operator";
50 | }
51 | stream.eatWhile(/[\w\$_]/);
52 | var cur = stream.current();
53 | if (keywords.propertyIsEnumerable(cur)) return "keyword";
54 | if (atoms.propertyIsEnumerable(cur)) return "atom";
55 | return "word";
56 | }
57 |
58 | function tokenString(quote) {
59 | return function(stream, state) {
60 | var escaped = false, next, end = false;
61 | while ((next = stream.next()) != null) {
62 | if (next == quote && !escaped) {end = true; break;}
63 | escaped = !escaped && next == "\\";
64 | }
65 | if (end || !escaped) state.tokenize = null;
66 | return "string";
67 | };
68 | }
69 |
70 | function tokenComment(stream, state) {
71 | var maybeEnd = false, ch;
72 | while (ch = stream.next()) {
73 | if (ch == "/" && maybeEnd) {
74 | state.tokenize = null;
75 | break;
76 | }
77 | maybeEnd = (ch == "*");
78 | }
79 | return "comment";
80 | }
81 |
82 | // Interface
83 |
84 | return {
85 | startState: function(basecolumn) {
86 | return {tokenize: null};
87 | },
88 |
89 | token: function(stream, state) {
90 | if (stream.eatSpace()) return null;
91 | var style = (state.tokenize || tokenBase)(stream, state);
92 | return style;
93 | },
94 |
95 | electricChars: "{}"
96 | };
97 | });
98 |
99 | CodeMirror.defineMIME("text/yara", "yara");
100 | CodeMirror.defineMIME("text/x-yara", "yara");
101 |
--------------------------------------------------------------------------------
/libyara/include/yara/strutils.h:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2007-2014. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #ifndef YR_STRUTILS_H
31 | #define YR_STRUTILS_H
32 |
33 | #include
34 | #include
35 | #include
36 |
37 | #include
38 |
39 |
40 | #if defined(_WIN32) || defined(__CYGWIN__)
41 |
42 | #if !defined(PRIu64)
43 | #define PRIu64 "I64u"
44 | #endif
45 |
46 | #if !defined(PRIx64)
47 | #define PRIx64 "I64x"
48 | #endif
49 |
50 | #if !defined(PRId64)
51 | #define PRId64 "I64d"
52 | #endif
53 |
54 | #else
55 | #include
56 | #endif
57 |
58 |
59 | // Cygwin already has these functions.
60 | #if defined(_WIN32) && !defined(__CYGWIN__)
61 | #if defined(_MSC_VER) && _MSC_VER < 1900
62 |
63 | #if !defined(snprintf)
64 | #define snprintf _snprintf
65 | #endif
66 |
67 | #endif
68 | #define strcasecmp _stricmp
69 | #define strncasecmp _strnicmp
70 | #endif
71 |
72 |
73 | uint64_t xtoi(
74 | const char* hexstr);
75 |
76 |
77 | #if !HAVE_STRLCPY && !defined(strlcpy)
78 | size_t strlcpy(
79 | char *dst,
80 | const char *src,
81 | size_t size);
82 | #endif
83 |
84 |
85 | #if !HAVE_STRLCAT && !defined(strlcat)
86 | size_t strlcat(
87 | char *dst,
88 | const char *src,
89 | size_t size);
90 | #endif
91 |
92 |
93 | #if !HAVE_MEMMEM && !defined(memmem)
94 | void* memmem(
95 | const void *haystack,
96 | size_t haystack_size,
97 | const void *needle,
98 | size_t needle_size);
99 | #endif
100 |
101 |
102 | int strnlen_w(
103 | const char* w_str);
104 |
105 |
106 | int strcmp_w(
107 | const char* w_str,
108 | const char* str);
109 |
110 |
111 | size_t strlcpy_w(
112 | char* dst,
113 | const char* w_src,
114 | size_t n);
115 |
116 | #endif
117 |
--------------------------------------------------------------------------------
/libyara/include/yara/dex.h:
--------------------------------------------------------------------------------
1 | #ifndef _DEX_H
2 | #define _DEX_H
3 |
4 | #include
5 |
6 | #include
7 | #include
8 |
9 | #define DEX_FILE_MAGIC_035 "dex\n035\x00"
10 | #define DEX_FILE_MAGIC_036 "dex\n036\x00"
11 | #define DEX_FILE_MAGIC_037 "dex\n037\x00"
12 | #define DEX_FILE_MAGIC_038 "dex\n038\x00"
13 |
14 | #pragma pack(push,1)
15 |
16 | typedef struct
17 | {
18 | uint8_t magic[8];
19 | uint32_t checksum;
20 | uint8_t signature[20];
21 | uint32_t file_size;
22 | uint32_t header_size;
23 | uint32_t endian_tag;
24 | uint32_t link_size;
25 | uint32_t link_offset;
26 | uint32_t map_offset;
27 | uint32_t string_ids_size;
28 | uint32_t string_ids_offset;
29 | uint32_t type_ids_size;
30 | uint32_t type_ids_offset;
31 | uint32_t proto_ids_size;
32 | uint32_t proto_ids_offset;
33 | uint32_t field_ids_size;
34 | uint32_t field_ids_offset;
35 | uint32_t method_ids_size;
36 | uint32_t method_ids_offset;
37 | uint32_t class_defs_size;
38 | uint32_t class_defs_offset;
39 | uint32_t data_size;
40 | uint32_t data_offset;
41 | } dex_header_t;
42 |
43 | typedef struct {
44 | uint32_t string_data_offset;
45 | } string_id_item_t;
46 |
47 |
48 | typedef struct {
49 | uint32_t utf16_size;
50 | } string_data_item_t;
51 |
52 | typedef struct {
53 | uint32_t descriptor_idx;
54 | } type_id_item_t;
55 |
56 | typedef struct {
57 | uint32_t shorty_idx;
58 | uint32_t return_type_idx;
59 | uint32_t parameters_offset;
60 | } proto_id_item_t;
61 |
62 | typedef struct {
63 | uint16_t class_idx;
64 | uint16_t type_idx;
65 | uint32_t name_idx;
66 | } field_id_item_t;
67 |
68 | typedef struct {
69 | uint16_t class_idx;
70 | uint16_t proto_idx;
71 | uint32_t name_idx;
72 | } method_id_item_t;
73 |
74 | typedef struct {
75 | uint32_t class_idx;
76 | uint32_t access_flags;
77 | uint32_t super_class_idx;
78 | uint32_t interfaces_off;
79 | uint32_t source_file_idx;
80 | uint32_t annotations_offset;
81 | uint32_t class_data_offset;
82 | uint32_t static_values_offset;
83 | } class_id_item_t;
84 |
85 | typedef struct {
86 | uint32_t static_fields_size;
87 | uint32_t instance_fields_size;
88 | uint32_t direct_methods_size;
89 | uint32_t virtual_methods_size;
90 | } class_data_item_t;
91 |
92 | typedef struct {
93 | uint32_t field_idx_diff;
94 | uint32_t access_flags;
95 | } encoded_field_t;
96 |
97 | typedef struct {
98 | uint32_t method_idx_diff;
99 | uint32_t access_flags;
100 | uint32_t code_off;
101 | } encoded_method_t;
102 |
103 | typedef struct {
104 | uint16_t registers_size;
105 | uint16_t ins_size;
106 | uint16_t outs_size;
107 | uint16_t tries_size;
108 | uint32_t debug_info_off;
109 | uint32_t insns_size;
110 | } code_item_t;
111 |
112 | typedef struct {
113 | uint16_t type;
114 | uint16_t unused;
115 | uint32_t size;
116 | uint32_t offset;
117 | } map_item_t;
118 |
119 | typedef struct _DEX
120 | {
121 | const uint8_t* data;
122 | size_t data_size;
123 | dex_header_t *header;
124 | YR_OBJECT* object;
125 | } DEX;
126 |
127 |
128 | #define fits_in_dex(dex, pointer, size) \
129 | ((size_t) size <= dex->data_size && \
130 | (uint8_t*) (pointer) >= dex->data && \
131 | (uint8_t*) (pointer) <= dex->data + dex->data_size - size)
132 |
133 | #define struct_fits_in_dex(dex, pointer, struct_type) \
134 | fits_in_dex(dex, pointer, sizeof(struct_type))
135 |
136 | #pragma pack(pop)
137 |
138 | #endif
--------------------------------------------------------------------------------
/tests/test-dex.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include "util.h"
3 | #include "blob.h"
4 |
5 | int main(int argc, char** argv)
6 | {
7 | yr_initialize();
8 |
9 | assert_true_rule_blob(
10 | "import \"dex\" rule test { condition: dex.header.magic == \
11 | dex.DEX_FILE_MAGIC_035 }",
12 | DEX_FILE);
13 |
14 | assert_true_rule_blob(
15 | "import \"dex\" rule test { condition: dex.header.checksum == \
16 | 0x3F9C602F }",
17 | DEX_FILE);
18 |
19 | assert_true_rule_blob(
20 | "import \"dex\" rule test { condition: dex.header.data_size == \
21 | 0x18C }",
22 | DEX_FILE);
23 |
24 | assert_true_rule_blob(
25 | "import \"dex\" rule test { condition: dex.string_ids[0].value ==\
26 | \"\" }",
27 | DEX_FILE);
28 |
29 | assert_true_rule_blob(
30 | "import \"dex\" rule test { condition: dex.string_ids[8].value == \
31 | \"com.google.helloyara\" }",
32 | DEX_FILE);
33 |
34 | assert_true_rule_blob(
35 | "import \"dex\" rule test { condition: dex.type_ids[0].descriptor_idx == \
36 | 0x2 }",
37 | DEX_FILE);
38 |
39 | assert_true_rule_blob(
40 | "import \"dex\" rule test { condition: dex.proto_ids[0].shorty_idx == \
41 | 0x6 }",
42 | DEX_FILE);
43 |
44 | assert_true_rule_blob(
45 | "import \"dex\" rule test { condition: dex.field_ids[0].class_idx == \
46 | 0x1 }",
47 | DEX_FILE);
48 |
49 | assert_true_rule_blob(
50 | "import \"dex\" rule test { condition: dex.method_ids[0].class_idx == \
51 | 0x1 }",
52 | DEX_FILE);
53 |
54 | assert_true_rule_blob(
55 | "import \"dex\" rule test { condition: dex.class_defs[0].class_idx == \
56 | 0x1 }",
57 | DEX_FILE);
58 |
59 | assert_true_rule_blob(
60 | "import \"dex\" rule test { condition: dex.number_of_fields == 2 }",
61 | DEX_FILE);
62 |
63 | assert_true_rule_blob(
64 | "import \"dex\" rule test { condition: dex.field[0].class_name == \
65 | \"Lcom/android/tools/ir/server/AppInfo;\" }",
66 | DEX_FILE);
67 |
68 | assert_true_rule_blob(
69 | "import \"dex\" rule test { condition: dex.field[0].name == \
70 | \"applicationId\" }",
71 | DEX_FILE);
72 |
73 | assert_true_rule_blob(
74 | "import \"dex\" rule test { condition: dex.number_of_methods == 2 }",
75 | DEX_FILE);
76 |
77 | assert_true_rule_blob(
78 | "import \"dex\" rule test { condition: dex.method[0].class_name == \
79 | \"Lcom/android/tools/ir/server/AppInfo;\" }",
80 | DEX_FILE);
81 |
82 | assert_true_rule_blob(
83 | "import \"dex\" rule test { condition: dex.method[0].proto == \"V\" }",
84 | DEX_FILE);
85 |
86 | assert_true_rule_blob(
87 | "import \"dex\" rule test { condition: dex.method[0].name == \
88 | \"\" }",
89 | DEX_FILE);
90 |
91 | assert_true_rule_blob(
92 | "import \"dex\" rule test { condition: dex.method[1].name == \
93 | \"\" }",
94 | DEX_FILE);
95 |
96 | assert_true_rule_blob(
97 | "import \"dex\" rule test { condition: dex.map_list.size == 12 }",
98 | DEX_FILE);
99 |
100 | assert_true_rule_blob(
101 | "import \"dex\" rule test { condition: \
102 | dex.map_list.map_item[0].type == dex.TYPE_HEADER_ITEM \
103 | }",
104 | DEX_FILE);
105 |
106 | yr_finalize();
107 | return 0;
108 | }
109 |
--------------------------------------------------------------------------------
/libyara/include/yara/endian.h:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2016. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #ifndef YR_ENDIAN_H
31 | #define YR_ENDIAN_H
32 |
33 | #include
34 |
35 |
36 | #if defined(__has_builtin)
37 | # if __has_builtin(__builtin_bswap16)
38 | # define yr_bswap16(x) __builtin_bswap16(x)
39 | # endif
40 | #endif
41 |
42 | #if !defined(yr_bswap16) && defined(_MSC_VER)
43 | # define yr_bswap16(x) _byteswap_ushort(x)
44 | #endif
45 |
46 | #if !defined(yr_bswap16)
47 | uint16_t _yr_bswap16(uint16_t x);
48 | # define yr_bswap16(x) _yr_bswap16(x)
49 | #endif
50 |
51 |
52 | #if defined(__has_builtin)
53 | # if __has_builtin(__builtin_bswap32)
54 | # define yr_bswap32(x) __builtin_bswap32(x)
55 | # endif
56 | #endif
57 |
58 | #if !defined(yr_bswap32) && defined(_MSC_VER)
59 | # define yr_bswap32(x) _byteswap_ulong(x)
60 | #endif
61 |
62 | #if !defined(yr_bswap32)
63 | uint32_t _yr_bswap32(uint32_t x);
64 | #define yr_bswap32(x) _yr_bswap32(x)
65 | #endif
66 |
67 |
68 | #if defined(__has_builtin)
69 | # if __has_builtin(__builtin_bswap64)
70 | # define yr_bswap64(x) __builtin_bswap64(x)
71 | # endif
72 | #endif
73 |
74 | #if !defined(yr_bswap64) && defined(_MSC_VER)
75 | # define yr_bswap64(x) _byteswap_uint64(x)
76 | #endif
77 |
78 | #if !defined(yr_bswap64)
79 | uint64_t _yr_bswap64(uint64_t x);
80 | #define yr_bswap64(x) _yr_bswap64(x)
81 | #endif
82 |
83 |
84 | #if defined(WORDS_BIGENDIAN)
85 | #define yr_le16toh(x) yr_bswap16(x)
86 | #define yr_le32toh(x) yr_bswap32(x)
87 | #define yr_le64toh(x) yr_bswap64(x)
88 | #define yr_be16toh(x) (x)
89 | #define yr_be32toh(x) (x)
90 | #define yr_be64toh(x) (x)
91 | #else
92 | #define yr_le16toh(x) (x)
93 | #define yr_le32toh(x) (x)
94 | #define yr_le64toh(x) (x)
95 | #define yr_be16toh(x) yr_bswap16(x)
96 | #define yr_be32toh(x) yr_bswap32(x)
97 | #define yr_be64toh(x) yr_bswap64(x)
98 | #endif
99 |
100 | #endif
101 |
--------------------------------------------------------------------------------
/args.h:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2014. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #ifndef ARGPARSE_H
31 | #define ARGPARSE_H
32 |
33 | #include
34 |
35 |
36 | #ifdef __cplusplus
37 | extern "C" {
38 | #endif
39 |
40 |
41 | typedef enum _args_error_type {
42 | ARGS_ERROR_OK,
43 | ARGS_ERROR_UNKNOWN_OPT,
44 | ARGS_ERROR_TOO_MANY,
45 | ARGS_ERROR_REQUIRED_INTEGER_ARG,
46 | ARGS_ERROR_REQUIRED_STRING_ARG,
47 | ARGS_ERROR_UNEXPECTED_ARG,
48 | } args_error_type_t;
49 |
50 |
51 | typedef enum _args_option_type {
52 | // special
53 | ARGS_OPT_END,
54 | ARGS_OPT_GROUP,
55 | // options with no arguments
56 | ARGS_OPT_BOOLEAN,
57 | // options with arguments (optional or required)
58 | ARGS_OPT_INTEGER,
59 | ARGS_OPT_STRING,
60 | } args_option_type_t;
61 |
62 |
63 | typedef struct _args_option {
64 | args_option_type_t type;
65 | const char short_name;
66 | const char *long_name;
67 | void *value;
68 | int max_count;
69 | const char *help;
70 | const char *type_help;
71 | int count;
72 | } args_option_t;
73 |
74 |
75 | #define OPT_BOOLEAN(short_name, long_name, value, ...) \
76 | { ARGS_OPT_BOOLEAN, short_name, long_name, value, 1, __VA_ARGS__ }
77 |
78 | #define OPT_INTEGER(short_name, long_name, value, ...) \
79 | { ARGS_OPT_INTEGER, short_name, long_name, value, 1, __VA_ARGS__ }
80 |
81 | #define OPT_STRING_MULTI(short_name, long_name, value, max_count, ...) \
82 | { ARGS_OPT_STRING, short_name, long_name, value, max_count, __VA_ARGS__ }
83 |
84 | #define OPT_STRING(short_name, long_name, value, ...) \
85 | OPT_STRING_MULTI(short_name, long_name, value, 1, __VA_ARGS__)
86 |
87 | #define OPT_END() { ARGS_OPT_END, 0 }
88 |
89 |
90 | int args_parse(
91 | args_option_t *options,
92 | int argc,
93 | const char **argv);
94 |
95 |
96 | void args_print_usage(
97 | args_option_t *options,
98 | int alignment);
99 |
100 |
101 | #ifdef __cplusplus
102 | }
103 | #endif
104 |
105 | #endif
106 |
--------------------------------------------------------------------------------
/libyara/include/yara/re_lexer.h:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2013. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #undef yyparse
31 | #undef yylex
32 | #undef yyerror
33 | #undef yyfatal
34 | #undef yychar
35 | #undef yydebug
36 | #undef yynerrs
37 | #undef yyget_extra
38 | #undef yyget_lineno
39 |
40 | #undef YY_FATAL_ERROR
41 | #undef YY_DECL
42 | #undef LEX_ENV
43 |
44 |
45 | #define yyparse re_yyparse
46 | #define yylex re_yylex
47 | #define yyerror re_yyerror
48 | #define yyfatal re_yyfatal
49 | #define yychar re_yychar
50 | #define yydebug re_yydebug
51 | #define yynerrs re_yynerrs
52 | #define yyget_extra re_yyget_extra
53 | #define yyget_lineno re_yyget_lineno
54 |
55 |
56 | #ifndef YY_TYPEDEF_YY_SCANNER_T
57 | #define YY_TYPEDEF_YY_SCANNER_T
58 | typedef void* yyscan_t;
59 | #endif
60 |
61 | #define YY_EXTRA_TYPE RE_AST*
62 | #define YY_USE_CONST
63 |
64 |
65 | typedef struct _RE_LEX_ENVIRONMENT
66 | {
67 | RE_CLASS re_class;
68 | int last_error;
69 | char last_error_message[256];
70 |
71 | } RE_LEX_ENVIRONMENT;
72 |
73 |
74 | #define LEX_ENV ((RE_LEX_ENVIRONMENT*) lex_env)
75 |
76 | #define YY_FATAL_ERROR(msg) re_yyfatal(yyscanner, msg)
77 |
78 | #include
79 |
80 | #define YY_DECL int re_yylex \
81 | (YYSTYPE * yylval_param , yyscan_t yyscanner, RE_LEX_ENVIRONMENT* lex_env)
82 |
83 |
84 | YY_EXTRA_TYPE yyget_extra(
85 | yyscan_t yyscanner);
86 |
87 | int yylex(
88 | YYSTYPE* yylval_param,
89 | yyscan_t yyscanner,
90 | RE_LEX_ENVIRONMENT* lex_env);
91 |
92 | int yyparse(
93 | void *yyscanner,
94 | RE_LEX_ENVIRONMENT *lex_env);
95 |
96 | void yyerror(
97 | yyscan_t yyscanner,
98 | RE_LEX_ENVIRONMENT* lex_env,
99 | const char *error_message);
100 |
101 | void yyfatal(
102 | yyscan_t yyscanner,
103 | const char *error_message);
104 |
105 | int yr_parse_re_string(
106 | const char* re_string,
107 | RE_AST** re_ast,
108 | RE_ERROR* error);
109 |
--------------------------------------------------------------------------------
/libyara/include/yara/hex_lexer.h:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2007. Victor M. Alvarez [plusvic@gmail.com].
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #include
31 |
32 | #undef yyparse
33 | #undef yylex
34 | #undef yyerror
35 | #undef yyfatal
36 | #undef yychar
37 | #undef yydebug
38 | #undef yynerrs
39 | #undef yyget_extra
40 | #undef yyget_lineno
41 |
42 | #undef YY_FATAL_ERROR
43 | #undef YY_DECL
44 | #undef LEX_ENV
45 |
46 | #define yyparse hex_yyparse
47 | #define yylex hex_yylex
48 | #define yyerror hex_yyerror
49 | #define yyfatal hex_yyfatal
50 | #define yychar hex_yychar
51 | #define yydebug hex_yydebug
52 | #define yynerrs hex_yynerrs
53 | #define yyget_extra hex_yyget_extra
54 | #define yyget_lineno hex_yyget_lineno
55 |
56 |
57 | #ifndef YY_TYPEDEF_YY_SCANNER_T
58 | #define YY_TYPEDEF_YY_SCANNER_T
59 | typedef void* yyscan_t;
60 | #endif
61 |
62 | #define YY_EXTRA_TYPE RE_AST*
63 | #define YY_USE_CONST
64 |
65 |
66 | typedef struct _HEX_LEX_ENVIRONMENT
67 | {
68 | int inside_or;
69 | int last_error;
70 | char last_error_message[256];
71 |
72 | } HEX_LEX_ENVIRONMENT;
73 |
74 |
75 | #define YY_FATAL_ERROR(msg) hex_yyfatal(yyscanner, msg)
76 |
77 | #define LEX_ENV ((HEX_LEX_ENVIRONMENT*) lex_env)
78 |
79 | #include
80 |
81 | #define YY_DECL int hex_yylex \
82 | (YYSTYPE * yylval_param , yyscan_t yyscanner, HEX_LEX_ENVIRONMENT* lex_env)
83 |
84 |
85 | YY_EXTRA_TYPE yyget_extra(
86 | yyscan_t yyscanner);
87 |
88 | int yylex(
89 | YYSTYPE* yylval_param,
90 | yyscan_t yyscanner,
91 | HEX_LEX_ENVIRONMENT* lex_env);
92 |
93 | int yyparse(
94 | void *yyscanner,
95 | HEX_LEX_ENVIRONMENT *lex_env);
96 |
97 | void yyerror(
98 | yyscan_t yyscanner,
99 | HEX_LEX_ENVIRONMENT* lex_env,
100 | const char *error_message);
101 |
102 | void yyfatal(
103 | yyscan_t yyscanner,
104 | const char *error_message);
105 |
106 | int yr_parse_hex_string(
107 | const char* hex_string,
108 | RE_AST** re_ast,
109 | RE_ERROR* error);
110 |
--------------------------------------------------------------------------------
/libyara/include/yara/hash.h:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2013. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #ifndef YR_HASH_H
31 | #define YR_HASH_H
32 |
33 | #include
34 |
35 | #include
36 | #include
37 |
38 | typedef struct _YR_HASH_TABLE_ENTRY
39 | {
40 | void* key;
41 | size_t key_length;
42 | char* ns;
43 | void* value;
44 |
45 | struct _YR_HASH_TABLE_ENTRY* next;
46 |
47 | } YR_HASH_TABLE_ENTRY;
48 |
49 |
50 | typedef struct _YR_HASH_TABLE
51 | {
52 | int size;
53 |
54 | YR_HASH_TABLE_ENTRY* buckets[1];
55 |
56 | } YR_HASH_TABLE;
57 |
58 |
59 | typedef int (*YR_HASH_TABLE_FREE_VALUE_FUNC)(void* value);
60 |
61 |
62 | uint32_t yr_hash(
63 | uint32_t seed,
64 | const void* buffer,
65 | size_t len);
66 |
67 |
68 | YR_API int yr_hash_table_create(
69 | int size,
70 | YR_HASH_TABLE** table);
71 |
72 |
73 | YR_API void yr_hash_table_clean(
74 | YR_HASH_TABLE* table,
75 | YR_HASH_TABLE_FREE_VALUE_FUNC free_value);
76 |
77 |
78 | YR_API void yr_hash_table_destroy(
79 | YR_HASH_TABLE* table,
80 | YR_HASH_TABLE_FREE_VALUE_FUNC free_value);
81 |
82 |
83 | YR_API void* yr_hash_table_lookup(
84 | YR_HASH_TABLE* table,
85 | const char* key,
86 | const char* ns);
87 |
88 |
89 | YR_API void* yr_hash_table_remove(
90 | YR_HASH_TABLE* table,
91 | const char* key,
92 | const char* ns);
93 |
94 |
95 | YR_API int yr_hash_table_add(
96 | YR_HASH_TABLE* table,
97 | const char* key,
98 | const char* ns,
99 | void* value);
100 |
101 |
102 | YR_API void* yr_hash_table_lookup_raw_key(
103 | YR_HASH_TABLE* table,
104 | const void* key,
105 | size_t key_length,
106 | const char* ns);
107 |
108 |
109 | YR_API void* yr_hash_table_remove_raw_key(
110 | YR_HASH_TABLE* table,
111 | const void* key,
112 | size_t key_length,
113 | const char* ns);
114 |
115 |
116 | YR_API int yr_hash_table_add_raw_key(
117 | YR_HASH_TABLE* table,
118 | const void* key,
119 | size_t key_length,
120 | const char* ns,
121 | void* value);
122 |
123 | #endif
124 |
--------------------------------------------------------------------------------
/libyara/include/yara/integers.h:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2007-2015. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #ifndef YR_INTEGERS_H
31 | #define YR_INTEGERS_H
32 |
33 |
34 | #if ( defined( _MSC_VER ) && ( _MSC_VER < 1600 ) ) || ( defined( __BORLANDC__ ) && ( __BORLANDC__ <= 0x0560 ) )
35 |
36 | #ifdef __cplusplus
37 | extern "C" {
38 | #endif
39 |
40 | // Microsoft Visual Studio C++ before Visual Studio 2010 or earlier versions of
41 | // the Borland C++ Builder do not support the (u)int#_t type definitions but
42 | // have __int# definitions instead
43 |
44 | typedef __int8 int8_t;
45 | typedef unsigned __int8 uint8_t;
46 | typedef __int16 int16_t;
47 | typedef unsigned __int16 uint16_t;
48 | typedef __int32 int32_t;
49 | typedef unsigned __int32 uint32_t;
50 | typedef __int64 int64_t;
51 | typedef unsigned __int64 uint64_t;
52 |
53 | #ifdef __cplusplus
54 | }
55 | #endif
56 |
57 |
58 | #ifndef INT8_MIN
59 | #define INT8_MIN (-127i8 - 1)
60 | #endif
61 |
62 | #ifndef INT8_MIN
63 | #define INT16_MIN (-32767i16 - 1)
64 | #endif
65 |
66 | #ifndef INT32_MIN
67 | #define INT32_MIN (-2147483647i32 - 1)
68 | #endif
69 |
70 | #ifndef INT64_MIN
71 | #define INT64_MIN (-9223372036854775807i64 - 1)
72 | #endif
73 |
74 | #ifndef INT8_MAX
75 | #define INT8_MAX 127i8
76 | #endif
77 |
78 | #ifndef INT16_MAX
79 | #define INT16_MAX 32767i16
80 | #endif
81 |
82 | #ifndef INT32_MAX
83 | #define INT32_MAX 2147483647i32
84 | #endif
85 |
86 | #ifndef INT64_MAX
87 | #define INT64_MAX 9223372036854775807i64
88 | #endif
89 |
90 | #ifndef UINT8_MAX
91 | #define UINT8_MAX 0xffui8
92 | #endif
93 |
94 | #ifndef UINT16_MAX
95 | #define UINT16_MAX 0xffffui16
96 | #endif
97 |
98 | #ifndef UINT32_MAX
99 | #define UINT32_MAX 0xffffffffui32
100 | #endif
101 |
102 | #ifndef UINT64_MAX
103 | #define UINT64_MAX 0xffffffffffffffffui64
104 | #endif
105 |
106 | #else
107 |
108 | // Other "compilers" and later versions of Microsoft Visual Studio C++ and
109 | // Borland C/C++ define the types in
110 |
111 | #include
112 |
113 | #endif
114 |
115 | #endif
116 |
--------------------------------------------------------------------------------
/libyara/include/yara/scanner.h:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2018. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #ifndef YR_SCANNER_H
31 | #define YR_SCANNER_H
32 |
33 | #include
34 | #include
35 |
36 |
37 | typedef YR_SCAN_CONTEXT YR_SCANNER;
38 |
39 |
40 | YR_API int yr_scanner_create(
41 | YR_RULES* rules,
42 | YR_SCANNER** scanner);
43 |
44 |
45 | YR_API void yr_scanner_destroy(
46 | YR_SCANNER* scanner);
47 |
48 |
49 | YR_API void yr_scanner_set_callback(
50 | YR_SCANNER* scanner,
51 | YR_CALLBACK_FUNC callback,
52 | void* user_data);
53 |
54 |
55 | YR_API void yr_scanner_set_timeout(
56 | YR_SCANNER* scanner,
57 | int timeout);
58 |
59 |
60 | YR_API void yr_scanner_set_flags(
61 | YR_SCANNER* scanner,
62 | int flags);
63 |
64 |
65 | YR_API int yr_scanner_define_integer_variable(
66 | YR_SCANNER* scanner,
67 | const char* identifier,
68 | int64_t value);
69 |
70 |
71 | YR_API int yr_scanner_define_boolean_variable(
72 | YR_SCANNER* scanner,
73 | const char* identifier,
74 | int value);
75 |
76 |
77 | YR_API int yr_scanner_define_float_variable(
78 | YR_SCANNER* scanner,
79 | const char* identifier,
80 | double value);
81 |
82 |
83 | YR_API int yr_scanner_define_string_variable(
84 | YR_SCANNER* scanner,
85 | const char* identifier,
86 | const char* value);
87 |
88 |
89 | YR_API int yr_scanner_scan_mem_blocks(
90 | YR_SCANNER* scanner,
91 | YR_MEMORY_BLOCK_ITERATOR* iterator);
92 |
93 |
94 | YR_API int yr_scanner_scan_mem(
95 | YR_SCANNER* scanner,
96 | const uint8_t* buffer,
97 | size_t buffer_size);
98 |
99 |
100 | YR_API int yr_scanner_scan_file(
101 | YR_SCANNER* scanner,
102 | const char* filename);
103 |
104 |
105 | YR_API int yr_scanner_scan_fd(
106 | YR_SCANNER* scanner,
107 | YR_FILE_DESCRIPTOR fd);
108 |
109 |
110 | YR_API int yr_scanner_scan_proc(
111 | YR_SCANNER* scanner,
112 | int pid);
113 |
114 |
115 | YR_API YR_RULE* yr_scanner_last_error_rule(
116 | YR_SCANNER* scanner);
117 |
118 |
119 | YR_API YR_STRING* yr_scanner_last_error_string(
120 | YR_SCANNER* scanner);
121 |
122 | #endif
123 |
--------------------------------------------------------------------------------
/docs/modules/math.rst:
--------------------------------------------------------------------------------
1 |
2 | .. _math-module:
3 |
4 | ###########
5 | Math module
6 | ###########
7 |
8 | .. versionadded:: 3.3.0
9 |
10 | The Math module allows you to calculate certain values from portions of your
11 | file and create signatures based on those results.
12 |
13 | .. important::
14 | Where noted these functions return floating point numbers. YARA is able to
15 | convert integers to floating point numbers during most operations. For
16 | example this will convert 7 to 7.0 automatically, because the return type
17 | of the entropy function is a floating point value:
18 |
19 | *math.entropy(0, filesize) >= 7*
20 |
21 | The one exception to this is when a function requires a floating point
22 | number as an argument. For example, this will cause a syntax error because
23 | the arguments must be floating point numbers:
24 |
25 | *math.in_range(2, 1, 3)*
26 |
27 | .. c:function:: entropy(offset, size)
28 |
29 | Returns the entropy for *size* bytes starting at *offset*. When scanning a
30 | running process the *offset* argument should be a virtual address within
31 | the process address space. The returned value is a float.
32 |
33 | *Example: math.entropy(0, filesize) >= 7*
34 |
35 | .. c:function:: entropy(string)
36 |
37 | Returns the entropy for the given string.
38 |
39 | *Example: math.entropy("dummy") > 7*
40 |
41 | .. c:function:: monte_carlo_pi(offset, size)
42 |
43 | Returns the percentage away from Pi for the *size* bytes starting at
44 | *offset* when run through the Monte Carlo from Pi test. When scanning a
45 | running process the *offset* argument should be a virtual address within
46 | the process address space. The returned value is a float.
47 |
48 | *Example: math.monte_carlo_pi(0, filesize) < 0.07*
49 |
50 | .. c:function:: monte_carlo_pi(string)
51 |
52 | Return the percentage away from Pi for the given string.
53 |
54 | .. c:function:: serial_correlation(offset, size)
55 |
56 | Returns the serial correlation for the *size* bytes starting at *offset*.
57 | When scanning a running process the *offset* argument should be a virtual
58 | address within the process address space. The returned value is a float
59 | between 0.0 and 1.0.
60 |
61 | *Example: math.serial_correlation(0, filesize) < 0.2*
62 |
63 | .. c:function:: serial_correlation(string)
64 |
65 | Return the serial correlation for the given string.
66 |
67 | .. c:function:: mean(offset, size)
68 |
69 | Returns the mean for the *size* bytes starting at *offset*. When scanning
70 | a running process the *offset* argument should be a virtual address within
71 | the process address space. The returned value is a float.
72 |
73 | *Example: math.mean(0, filesize) < 72.0*
74 |
75 | .. c:function:: mean(string)
76 |
77 | Return the mean for the given string.
78 |
79 | .. c:function:: deviation(offset, size, mean)
80 |
81 | Returns the deviation from the mean for the *size* bytes starting at
82 | *offset*. When scanning a running process the *offset* argument should be
83 | a virtual address within the process address space. The returned value is
84 | a float.
85 |
86 | The mean of an equally distributed random sample of bytes is 127.5, which
87 | is available as the constant math.MEAN_BYTES.
88 |
89 | *Example: math.deviation(0, filesize, math.MEAN_BYTES) == 64.0*
90 |
91 | .. c:function:: deviation(string, mean)
92 |
93 | Return the deviation from the mean for the given string.
94 |
95 | .. c:function:: in_range(test, lower, upper)
96 |
97 | Returns true if the *test* value is between *lower* and *upper* values. The
98 | comparisons are inclusive.
99 |
100 | *Example: math.in_range(math.deviation(0, filesize, math.MEAN_BYTES), 63.9, 64,1)*
101 |
102 | .. c:function:: max(int, int)
103 |
104 | .. versionadded:: 3.8.0
105 |
106 | Returns the maximum of two unsigned integer values.
107 |
108 | .. c:function:: min(int, int)
109 |
110 | .. versionadded:: 3.8.0
111 |
112 | Returns the minimum of two unsigned integer values.
113 |
--------------------------------------------------------------------------------
/libyara/mem.c:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright (c) 2007-2013. The YARA Authors. All Rights Reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without modification,
5 | are permitted provided that the following conditions are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation and/or
12 | other materials provided with the distribution.
13 |
14 | 3. Neither the name of the copyright holder nor the names of its contributors
15 | may be used to endorse or promote products derived from this software without
16 | specific prior written permission.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | */
29 |
30 | #include
31 | #include
32 |
33 | #if defined(_WIN32) || defined(__CYGWIN__)
34 |
35 | #include
36 | #include
37 |
38 | static HANDLE hHeap;
39 |
40 | int yr_heap_alloc(void)
41 | {
42 | hHeap = HeapCreate(0, 0x8000, 0);
43 |
44 | if (hHeap == NULL)
45 | return ERROR_INTERNAL_FATAL_ERROR;
46 |
47 | return ERROR_SUCCESS;
48 | }
49 |
50 |
51 | int yr_heap_free(void)
52 | {
53 | if (HeapDestroy(hHeap))
54 | return ERROR_SUCCESS;
55 | else
56 | return ERROR_INTERNAL_FATAL_ERROR;
57 | }
58 |
59 |
60 | void* yr_calloc(size_t count, size_t size)
61 | {
62 | return (void*) HeapAlloc(hHeap, HEAP_ZERO_MEMORY, count * size);
63 | }
64 |
65 |
66 | void* yr_malloc(size_t size)
67 | {
68 | return (void*) HeapAlloc(hHeap, HEAP_ZERO_MEMORY, size);
69 | }
70 |
71 |
72 | void* yr_realloc(void* ptr, size_t size)
73 | {
74 | return (void*) HeapReAlloc(hHeap, HEAP_ZERO_MEMORY, ptr, size);
75 | }
76 |
77 |
78 | void yr_free(void* ptr)
79 | {
80 | HeapFree(hHeap, 0, ptr);
81 | }
82 |
83 |
84 | char* yr_strdup(const char *str)
85 | {
86 | size_t len = strlen(str);
87 | char *dup = (char*) yr_malloc(len + 1);
88 |
89 | if (dup == NULL)
90 | return NULL;
91 |
92 | memcpy(dup, str, len);
93 | dup[len] = '\0';
94 |
95 | return (char*) dup;
96 | }
97 |
98 |
99 | char* yr_strndup(const char *str, size_t n)
100 | {
101 | size_t len = strnlen(str, n);
102 | char *dup = (char*) yr_malloc(len + 1);
103 |
104 | if (dup == NULL)
105 | return NULL;
106 |
107 | memcpy(dup, str, len);
108 | dup[len] = '\0';
109 |
110 | return (char *) dup;
111 | }
112 |
113 | #else
114 |
115 | #include
116 | #include
117 | #include
118 |
119 | int yr_heap_alloc(void)
120 | {
121 | return ERROR_SUCCESS;
122 | }
123 |
124 |
125 | int yr_heap_free(void)
126 | {
127 | return ERROR_SUCCESS;
128 | }
129 |
130 |
131 | void* yr_calloc(size_t count, size_t size)
132 | {
133 | return calloc(count, size);
134 | }
135 |
136 |
137 | void* yr_malloc(size_t size)
138 | {
139 | return malloc(size);
140 | }
141 |
142 |
143 | void* yr_realloc(void* ptr, size_t size)
144 | {
145 | return realloc(ptr, size);
146 | }
147 |
148 |
149 | void yr_free(void *ptr)
150 | {
151 | free(ptr);
152 | }
153 |
154 |
155 | char* yr_strdup(const char *str)
156 | {
157 | return strdup(str);
158 | }
159 |
160 |
161 | char* yr_strndup(const char *str, size_t n)
162 | {
163 | return strndup(str, n);
164 | }
165 |
166 | #endif
167 |
--------------------------------------------------------------------------------
/libyara/Makefile.am:
--------------------------------------------------------------------------------
1 | MODULES = modules/tests/tests.c
2 |
3 | MODULES += modules/elf/elf.c
4 |
5 | MODULES += modules/math/math.c
6 |
7 | MODULES += modules/time/time.c
8 |
9 | MODULES += modules/pe/pe.c
10 | MODULES += modules/pe/pe_utils.c
11 |
12 | if CUCKOO_MODULE
13 | MODULES += modules/cuckoo/cuckoo.c
14 | endif
15 |
16 | if MAGIC_MODULE
17 | MODULES += modules/magic/magic.c
18 | endif
19 |
20 | if HASH_MODULE
21 | MODULES += modules/hash/hash.c
22 | endif
23 |
24 | if DOTNET_MODULE
25 | MODULES += modules/dotnet/dotnet.c
26 | endif
27 |
28 | if MACHO_MODULE
29 | MODULES += modules/macho/macho.c
30 | endif
31 |
32 | if DEX_MODULE
33 | MODULES += modules/dex/dex.c
34 | endif
35 |
36 | #
37 | # Add your modules here:
38 | #
39 | # MODULES += modules/yourmodule.c
40 | #
41 |
42 | AM_YFLAGS=-d
43 |
44 | AM_CFLAGS=-Wall -Wno-deprecated-declarations \
45 | -std=gnu99 \
46 | -D_GNU_SOURCE \
47 | -I$(srcdir)/include
48 |
49 | if DEBUG
50 | AM_CFLAGS+=-g
51 | endif
52 |
53 | if OPTIMIZATION
54 | AM_CFLAGS+=-O3
55 | else
56 | AM_CFLAGS+=-O0
57 | endif
58 |
59 | if ADDRESS_SANITIZER
60 | AM_CFLAGS+=-fsanitize=address
61 | endif
62 |
63 | if GCC
64 | AM_CFLAGS+=-fvisibility=hidden
65 | endif
66 |
67 | ACLOCAL_AMFLAGS=-I m4
68 |
69 | include_HEADERS = include/yara.h
70 |
71 | yaraincludedir = $(includedir)/yara
72 | yarainclude_HEADERS = \
73 | include/yara/ahocorasick.h \
74 | include/yara/arena.h \
75 | include/yara/atoms.h \
76 | include/yara/bitmask.h \
77 | include/yara/compiler.h \
78 | include/yara/error.h \
79 | include/yara/exec.h \
80 | include/yara/exefiles.h \
81 | include/yara/filemap.h \
82 | include/yara/hash.h \
83 | include/yara/integers.h \
84 | include/yara/libyara.h \
85 | include/yara/limits.h \
86 | include/yara/mem.h \
87 | include/yara/modules.h \
88 | include/yara/object.h \
89 | include/yara/parser.h \
90 | include/yara/proc.h \
91 | include/yara/re.h \
92 | include/yara/rules.h \
93 | include/yara/scan.h \
94 | include/yara/scanner.h \
95 | include/yara/sizedstr.h \
96 | include/yara/stack.h \
97 | include/yara/stopwatch.h \
98 | include/yara/stream.h \
99 | include/yara/strutils.h \
100 | include/yara/threading.h \
101 | include/yara/types.h \
102 | include/yara/utils.h
103 |
104 | noinst_HEADERS = \
105 | crypto.h \
106 | exception.h \
107 | include/yara/dotnet.h \
108 | include/yara/elf.h \
109 | include/yara/endian.h \
110 | include/yara/globals.h \
111 | include/yara/hex_lexer.h \
112 | include/yara/lexer.h \
113 | include/yara/pe.h \
114 | include/yara/pe_utils.h \
115 | include/yara/re_lexer.h \
116 | modules/module_list
117 |
118 |
119 | lib_LTLIBRARIES = libyara.la
120 |
121 | libyara_la_LDFLAGS = -version-number 3:10:0
122 |
123 | BUILT_SOURCES = \
124 | lexer.c \
125 | hex_lexer.c \
126 | re_lexer.c \
127 | grammar.c \
128 | hex_grammar.c \
129 | re_grammar.c
130 |
131 | libyara_la_SOURCES = \
132 | $(MODULES) \
133 | grammar.y \
134 | ahocorasick.c \
135 | arena.c \
136 | atoms.c \
137 | bitmask.c \
138 | compiler.c \
139 | endian.c \
140 | exec.c \
141 | exefiles.c \
142 | filemap.c \
143 | hash.c \
144 | hex_grammar.y \
145 | hex_lexer.l \
146 | lexer.l \
147 | libyara.c \
148 | mem.c \
149 | modules.c \
150 | object.c \
151 | parser.c \
152 | proc.c \
153 | re.c \
154 | re_grammar.y \
155 | re_lexer.l \
156 | rules.c \
157 | scan.c \
158 | scanner.c \
159 | sizedstr.c \
160 | stack.c \
161 | stopwatch.c \
162 | strutils.c \
163 | stream.c \
164 | threading.c
165 |
166 |
167 | if USE_WINDOWS_PROC
168 | libyara_la_SOURCES += proc/windows.c
169 | endif
170 |
171 | if USE_LINUX_PROC
172 | libyara_la_SOURCES += proc/linux.c
173 | endif
174 |
175 | if USE_FREEBSD_PROC
176 | libyara_la_SOURCES += proc/freebsd.c
177 | endif
178 |
179 | if USE_OPENBSD_PROC
180 | libyara_la_SOURCES += proc/openbsd.c
181 | endif
182 |
183 | if USE_MACH_PROC
184 | libyara_la_SOURCES += proc/mach.c
185 | endif
186 |
187 | if USE_NO_PROC
188 | libyara_la_SOURCES += proc/none.c
189 | endif
190 |
191 | pkgconfigdir = $(libdir)/pkgconfig
192 | nodist_pkgconfig_DATA = yara.pc
193 |
--------------------------------------------------------------------------------
15 |
16 |
21 |