├── .gitignore ├── .travis.yml ├── AUTHORS ├── BUILD.bazel ├── CONTRIBUTORS ├── COPYING ├── Makefile.am ├── README.md ├── WORKSPACE ├── appveyor.yml ├── args.c ├── args.h ├── bootstrap.sh ├── build.sh ├── common.h ├── configure.ac ├── dist ├── yara-python.spec └── yara.spec ├── docs ├── Makefile ├── capi.rst ├── commandline.rst ├── conf.py ├── gettingstarted.rst ├── index.rst ├── make.bat ├── modules.rst ├── modules │ ├── cuckoo.rst │ ├── dotnet.rst │ ├── elf.rst │ ├── hash.rst │ ├── magic.rst │ ├── math.rst │ ├── pe.rst │ └── time.rst ├── writingmodules.rst ├── writingrules.rst └── yarapython.rst ├── extra ├── TextMate-bundle.zip ├── UltraEdit-wordfile.txt ├── codemirror │ ├── index.html │ └── yara.js ├── logo.ai ├── logo.svg ├── old-logo.png └── old-logo.psd ├── libyara ├── Makefile.am ├── ahocorasick.c ├── arena.c ├── atoms.c ├── bitmask.c ├── compiler.c ├── crypto.h ├── endian.c ├── exception.h ├── exec.c ├── exefiles.c ├── filemap.c ├── grammar.c ├── grammar.h ├── grammar.y ├── hash.c ├── hex_grammar.c ├── hex_grammar.h ├── hex_grammar.y ├── hex_lexer.c ├── hex_lexer.l ├── include │ ├── yara.h │ └── yara │ │ ├── ahocorasick.h │ │ ├── arena.h │ │ ├── atoms.h │ │ ├── bitmask.h │ │ ├── compiler.h │ │ ├── dex.h │ │ ├── dotnet.h │ │ ├── elf.h │ │ ├── endian.h │ │ ├── error.h │ │ ├── exec.h │ │ ├── exefiles.h │ │ ├── filemap.h │ │ ├── globals.h │ │ ├── hash.h │ │ ├── hex_lexer.h │ │ ├── integers.h │ │ ├── lexer.h │ │ ├── libyara.h │ │ ├── limits.h │ │ ├── macho.h │ │ ├── mem.h │ │ ├── modules.h │ │ ├── object.h │ │ ├── parser.h │ │ ├── pe.h │ │ ├── pe_utils.h │ │ ├── proc.h │ │ ├── re.h │ │ ├── re_lexer.h │ │ ├── rules.h │ │ ├── scan.h │ │ ├── scanner.h │ │ ├── sizedstr.h │ │ ├── stack.h │ │ ├── stopwatch.h │ │ ├── stream.h │ │ ├── strutils.h │ │ ├── threading.h │ │ ├── types.h │ │ └── utils.h ├── lexer.c ├── lexer.l ├── libyara.c ├── mem.c ├── modules.c ├── modules │ ├── cuckoo │ │ └── cuckoo.c │ ├── demo │ │ └── demo.c │ ├── dex │ │ └── dex.c │ ├── dotnet │ │ └── dotnet.c │ ├── elf │ │ └── elf.c │ ├── hash │ │ └── hash.c │ ├── macho │ │ └── macho.c │ ├── magic │ │ └── magic.c │ ├── math │ │ └── math.c │ ├── module_list │ ├── pe │ │ ├── pe.c │ │ └── pe_utils.c │ ├── tests │ │ └── tests.c │ └── time │ │ └── time.c ├── object.c ├── parser.c ├── proc.c ├── proc │ ├── freebsd.c │ ├── linux.c │ ├── mach.c │ ├── none.c │ ├── openbsd.c │ └── windows.c ├── re.c ├── re_grammar.c ├── re_grammar.h ├── re_grammar.y ├── re_lexer.c ├── re_lexer.l ├── rules.c ├── scan.c ├── scanner.c ├── sizedstr.c ├── stack.c ├── stino.settings ├── stopwatch.c ├── stream.c ├── strutils.c ├── threading.c └── yara.pc.in ├── m4 └── acx_pthread.m4 ├── sample.file ├── sample.rules ├── sandbox ├── BUILD.bazel ├── collect_matches.cc ├── collect_matches.h ├── sandboxed_yara.cc ├── yara_entry_points.cc ├── yara_matches.proto ├── yara_transaction.cc ├── yara_transaction.h └── yara_transaction_test.cc ├── tests ├── BUILD.bazel ├── blob.h ├── data │ ├── 079a472d22290a94ebb212aa8015cdc8dd28a968c6b4d3b88acdd58ce2d3b885 │ ├── 0ca09bde7602769120fadc4f7a4147347a7a97271370583586c9e587fd396171 │ ├── baz.yar │ ├── foo.yar │ ├── include │ │ └── bar.yar │ ├── tiny │ ├── tiny-idata-51ff │ ├── tiny-idata-5200 │ ├── tiny-overlay │ ├── tiny-universal │ ├── tiny.notes │ ├── xor.out │ ├── xorwide.out │ └── xorwideandascii.out ├── oss-fuzz │ ├── dex_fuzzer.cc │ ├── dex_fuzzer_corpus │ │ ├── 1cf540db2f048bb21bd89379a57279b9ff4c308558715a3baee666a47393d86e │ │ ├── 25ef27f9543444652f0c68fe412d3da627a1d2a590b0a2b30e47466c1e962136 │ │ ├── 27fb31059503773723597edb875c937af971a6c15f91aac8c03c1fbdfa9e918c │ │ ├── 3ba9c082050f62e725c87ce4cf9f592fe9f177faf3a0c879f8fbe87312ca4b2c │ │ ├── b1203d95c56f02e7e6dbea714275cc05b47ac2510958b85f436571b801af44e7 │ │ ├── b343d1058063e6e4b652ccf0589f93d0dbb6b092960e4aebc3c3c58894831359 │ │ └── crash.poc │ ├── dotnet_fuzzer.cc │ ├── dotnet_fuzzer_corpus │ │ ├── buggy_stream_names │ │ ├── clusterfuzz-testcase-minimized-dotnet_fuzzer-5105966966636544 │ │ ├── clusterfuzz-testcase-minimized-dotnet_fuzzer-5725060321509376 │ │ └── obfuscated │ ├── elf_fuzzer.cc │ ├── elf_fuzzer_corpus │ │ ├── crash-03bca75466ee42801a8bff280de04afc3d1a3637 │ │ ├── crash-086300bbce1c6537573057336a343a82d483e2c0 │ │ ├── crash-2cafe4de66d87a83d83aaf65d8e4cea48f2c1144 │ │ ├── crash-370485c5b087f780a2447a03d775f7188e323d31 │ │ ├── crash-49bb55d669fda0683f945b89396a6bd458caf2d8 │ │ ├── crash-49d00b6b033eaeb07cd39809dbc1d7ba2df196ec │ │ ├── crash-723296cdc1c0dba83ea767d69286429e608c46c3 │ │ ├── crash-7dc27920ae1cb85333e7f2735a45014488134673 │ │ ├── crash-7e945ce5f43f515ea078c558a2e3205089d414e5 │ │ ├── crash-a809561e75b94bd5d4d8cf7488d9e2663fc1ccdc │ │ ├── crash-a8715a38a94161c9509309f5dbb5a7936aba8376 │ │ ├── crash-aee928239444a7b039500d4499035e6d30cb89da │ │ ├── crash-c4002396c52065d21fe1c1f05f8937aab8d59c18 │ │ ├── crash-c610b3036f195ad7fb05248a530278aad37b438d │ │ ├── crash-c6569e6e28f0a18bb2f3bf49c982333a359bed67 │ │ ├── crash-cc6844f44825a785de1b079c88f728e1c0f779fb │ │ ├── crash-f1fd008da535b110853885221ebfaac3f262a1c1e280f10929f7b353c44996c8 │ │ ├── poc-6bf54fca69bb5029676d747b12c74b597dd8c5939343ea8f2cbfea9e666dd6b1 │ │ ├── poc-789fc6da83de39c3ff394a950b0831f6fe5b63a85a46aaa236048b5c1dcf0e59 │ │ ├── poc-939e9cd87b0d80834210fbf54edc66341aebf416d7509f6633f1d49766978b22 │ │ ├── poc-93a9fd1909dd49fc2a9b654333504f249cdac58126d3cfc4728577e78cb3eb89 │ │ ├── poc-b5b03a1f305b2cc1c158e01fee6c08c65145325d4e073f04d969329577077862 │ │ └── poc-fa8bbacb5a12f057a0ed3999c37d78b4991e6b201bda4dc9a75a7c7970c7690d │ ├── macho_fuzzer.cc │ ├── macho_fuzzer_corpus │ │ ├── 1443c3cfb47c5eb41022a7063c24ab1bc9e45bfc31e98d5e6d3aa8377599b983 │ │ ├── 589f7b0e30d885ed91229646e58ccc7615007d2fab06451fef8785c6126adba7 │ │ ├── 5eefacbe52990526e4953802249447dd8c0a4b537459ca41e005a7173ca46138 │ │ ├── 6164a837fd33574f37464a765ab461fff94b52e659b114fb6109f2635678c564 │ │ ├── 66528aeb35dd705cc26a7daf4b8eda684f620efebfa0740fab84043e371ed566 │ │ ├── 6af5d157184d9144f86668f83e81760898df5db3c9e209596eb5fd9a91a7eeba │ │ ├── 797d1d450421b771482c0cc03f472e4eccbc9e4f544b6c12c1d4f070dec3c381 │ │ ├── 85494d8cb5753f1ad09be39428135feb35eb4ef44f39d6e1e75e2ad30d93e158 │ │ ├── b225048e85b14f08a43dd4752b9bb4b20840f5a8726eac0ff765d45c9e619828 │ │ └── fda81421d7403180923717a94e77aade8c9286d5b8de3ae0e2812343b666c6a7 │ ├── pe_fuzzer.cc │ ├── pe_fuzzer_corpus │ │ ├── 00388b550a2603a9e219bcb48acaf8cc115653cb1ea84cb4bccceb1aabe755b6 │ │ ├── 12f50a7dbf0c42f61ae1c351b2a9f75e8edb3bb55e582619edc7ece4eb0a3094 │ │ ├── 967af267b4124bada8f507cebf25f2192d146a4d63be71b45bfc03c5da7f21a7 │ │ ├── 99e98cb7096dee974e28fea0f76f1c30bc44fd5762cb12b2702910a28b28f95f │ │ ├── clusterfuzz-testcase-minimized-5211130361282560 │ │ ├── clusterfuzz-testcase-minimized-5839717883969536 │ │ ├── clusterfuzz-testcase-minimized-pe_fuzzer-5741846293643264 │ │ └── e5af0352010b1879ac1c63a69d3d9a02d577fa834165f855bd5ebee0f1105de1 │ ├── rules_fuzzer.cc │ ├── rules_fuzzer.dict │ ├── rules_fuzzer.options │ └── rules_fuzzer_corpus │ │ ├── 1 │ │ ├── 2 │ │ └── 3 ├── test-alignment.c ├── test-api.c ├── test-atoms.c ├── test-bitmask.c ├── test-dex.c ├── test-dotnet.c ├── test-elf.c ├── test-exception.c ├── test-macho.c ├── test-math.c ├── test-pe.c ├── test-re-split.c ├── test-rules.c ├── test-stack.c ├── test-version.c ├── util.c └── util.h ├── threading.c ├── threading.h ├── windows ├── vs2015 │ ├── NuGet.Config │ ├── libyara │ │ ├── libyara.vcxproj │ │ └── packages.config │ ├── yara.sln │ ├── yara │ │ └── yara.vcxproj │ └── yarac │ │ └── yarac.vcxproj └── vs2017 │ ├── NuGet.Config │ ├── libyara │ ├── libyara.vcxproj │ ├── libyara.vcxproj.user │ └── packages.config │ ├── yara.sln │ ├── yara │ └── yara.vcxproj │ └── yarac │ └── yarac.vcxproj ├── yara.c ├── yara.man ├── yarac.c └── yarac.man /.gitignore: -------------------------------------------------------------------------------- 1 | # Generic auto-generated build files 2 | *~ 3 | *.a 4 | *.la 5 | *.lai 6 | *.lo 7 | *.Plo 8 | *.Po 9 | *.o 10 | *.so 11 | *.so.[0-9][0-9]* 12 | *.so.[0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]* 13 | *.Tpo 14 | *.m4 15 | *.dSYM 16 | .deps 17 | .libs 18 | INSTALL 19 | Makefile 20 | Makefile.in 21 | stamp-h1 22 | 23 | # Specific auto-generated build files 24 | /ABOUT-NLS 25 | /aclocal.m4 26 | /ar-lib 27 | /autom4te.cache/ 28 | /build-aux 29 | /compile 30 | /config.guess 31 | /config.h 32 | /config.h.in 33 | /config.log 34 | /config.rpath 35 | /config.status 36 | /config.sub 37 | /configure 38 | /depcomp 39 | /install-sh 40 | /libtool 41 | /ltmain.sh 42 | /missing 43 | /test-driver 44 | /ylwrap 45 | /m4 46 | !/m4/acx_pthread.m4 47 | 48 | # Project specific files 49 | /yara 50 | /yarac 51 | /libyara/modules/.dirstamp 52 | libyara/proc/.dirstamp 53 | libyara/yara.pc 54 | /tests/.dirstamp 55 | 56 | # Linux and Mac files 57 | *.swp 58 | .DS_Store 59 | 60 | # Files generated by tests 61 | test-alignment 62 | test-alignment.log 63 | test-alignment.trs 64 | test-api 65 | test-api.log 66 | test-api.trs 67 | test-atoms 68 | test-atoms.log 69 | test-atoms.trs 70 | test-bitmask 71 | test-bitmask.log 72 | test-bitmask.trs 73 | test-elf 74 | test-elf.log 75 | test-elf.trs 76 | test-exception 77 | test-exception.log 78 | test-exception.trs 79 | test-rules 80 | test-rules.log 81 | test-rules.trs 82 | test-suite.log 83 | test-pe 84 | test-pe.log 85 | test-pe.trs 86 | test-macho 87 | test-macho.log 88 | test-macho.trs 89 | test-math 90 | test-math.log 91 | test-math.trs 92 | test-version 93 | test-version.log 94 | test-version.trs 95 | 96 | # Bazel 97 | bazel-* 98 | 99 | # Visual Studio files 100 | Release/ 101 | Debug/ 102 | windows/*/.vs 103 | x64/ 104 | *.obj 105 | *.suo 106 | *.sdf 107 | *.opendb 108 | *.opensdf 109 | *.VC.db 110 | 111 | # NuGet 112 | windows/*/packages/ 113 | *.trs 114 | *.log 115 | .dirstamp 116 | -------------------------------------------------------------------------------- /AUTHORS: -------------------------------------------------------------------------------- 1 | # This is the official list of YARA authors for copyright purposes. 2 | # This file is distinct from the CONTRIBUTORS files. 3 | # See the latter for an explanation. 4 | 5 | # Names should be added to this file as 6 | # Name or Organization 7 | # The email address is not required for organizations. 8 | 9 | # Please keep the list sorted. 10 | 11 | Google Inc. 12 | Hilko Bengen 13 | Joachim Metz 14 | Stefan Buehlmann 15 | Victor M. Alvarez ; 16 | Wesley Shields 17 | -------------------------------------------------------------------------------- /CONTRIBUTORS: -------------------------------------------------------------------------------- 1 | # This is the official list of people who can contribute 2 | # (and typically have contributed) code to the YARA repository. 3 | # The AUTHORS file lists the copyright holders; this file 4 | # lists people. For example, Google employees are listed here 5 | # but not in AUTHORS, because Google holds the copyright. 6 | # 7 | # The submission process automatically checks to make sure 8 | # that people submitting code are listed in this file (by email address). 9 | # 10 | # Names should be added to this file only after verifying that 11 | # the individual or the individual's organization has agreed to 12 | # the appropriate Contributor License Agreement, found here: 13 | # 14 | # http://code.google.com/legal/individual-cla-v1.0.html 15 | # http://code.google.com/legal/corporate-cla-v1.0.html 16 | # 17 | # The agreement for individuals can be filled out on the web. 18 | # 19 | # When adding J Random Contributor's name to this file, 20 | # either J's name or J's organization's name should be 21 | # added to the AUTHORS file, depending on whether the 22 | # individual or corporate CLA was used. 23 | 24 | # Names should be added to this file like so: 25 | # Name 26 | 27 | # Please keep the list sorted. 28 | 29 | Anthony Desnos 30 | Antonio Vargas Gonzalez 31 | Christian Blichmann 32 | Hilko Bengen 33 | Joachim Metz 34 | Karl Hiramoto 35 | Mike Wiacek 36 | Shane Huntley 37 | Stefan Buehlmann 38 | Victor M. Alvarez ; 39 | Wesley Shields 40 | -------------------------------------------------------------------------------- /COPYING: -------------------------------------------------------------------------------- 1 | Copyright (c) 2007-2016. The YARA Authors. All Rights Reserved. 2 | 3 | Redistribution and use in source and binary forms, with or without modification, 4 | are permitted provided that the following conditions are met: 5 | 6 | 1. Redistributions of source code must retain the above copyright notice, this 7 | list of conditions and the following disclaimer. 8 | 9 | 2. Redistributions in binary form must reproduce the above copyright notice, 10 | this list of conditions and the following disclaimer in the documentation and/or 11 | other materials provided with the distribution. 12 | 13 | 3. Neither the name of the copyright holder nor the names of its contributors 14 | may be used to endorse or promote products derived from this software without 15 | specific prior written permission. 16 | 17 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 18 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 19 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 21 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 22 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 23 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 24 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 25 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 26 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 27 | -------------------------------------------------------------------------------- /Makefile.am: -------------------------------------------------------------------------------- 1 | AM_CFLAGS=-std=gnu99 -Wall -I$(srcdir)/libyara/include 2 | 3 | if DEBUG 4 | AM_CFLAGS+=-g 5 | endif 6 | 7 | if OPTIMIZATION 8 | AM_CFLAGS+=-O3 9 | else 10 | AM_CFLAGS+=-O0 11 | endif 12 | 13 | if ADDRESS_SANITIZER 14 | AM_CFLAGS+=-fsanitize=address 15 | endif 16 | 17 | # Build the library in the hand subdirectory first. 18 | SUBDIRS = libyara 19 | DIST_SUBDIRS = libyara 20 | 21 | ACLOCAL_AMFLAGS=-I m4 22 | 23 | bin_PROGRAMS = yara yarac 24 | 25 | yara_SOURCES = args.c args.h common.h threading.c threading.h yara.c 26 | yara_LDADD = libyara/.libs/libyara.a #-Llibyara/.libs -lyara 27 | 28 | yarac_SOURCES = args.c args.h common.h yarac.c 29 | yarac_LDADD = -Llibyara/.libs -lyara 30 | 31 | test_alignment_SOURCES = tests/test-alignment.c 32 | test_atoms_SOURCES = tests/test-atoms.c tests/util.c libyara/atoms.c 33 | test_atoms_LDADD = libyara/.libs/libyara.a 34 | test_rules_SOURCES = tests/test-rules.c tests/util.c 35 | test_rules_LDADD = libyara/.libs/libyara.a 36 | test_pe_SOURCES = tests/test-pe.c tests/util.c 37 | test_pe_LDADD = libyara/.libs/libyara.a 38 | test_elf_SOURCES = tests/test-elf.c tests/util.c 39 | test_elf_LDADD = libyara/.libs/libyara.a 40 | test_version_SOURCES = tests/test-version.c 41 | test_api_LDADD = libyara/.libs/libyara.a 42 | test_api_SOURCES = tests/test-api.c tests/util.c 43 | test_bitmask_SOURCES = tests/test-bitmask.c 44 | test_bitmask_LDADD = libyara/.libs/libyara.a 45 | test_math_SOURCES = tests/test-math.c tests/util.c 46 | test_math_LDADD = libyara/.libs/libyara.a 47 | test_stack_SOURCES = tests/test-stack.c 48 | test_stack_LDADD = libyara/.libs/libyara.a 49 | test_re_split_SOURCES = tests/test-re-split.c 50 | test_re_split_LDADD = libyara/.libs/libyara.a 51 | 52 | TESTS = $(check_PROGRAMS) 53 | TESTS_ENVIRONMENT = TOP_SRCDIR=$(top_srcdir) 54 | 55 | check_PROGRAMS = test-alignment \ 56 | test-atoms \ 57 | test-api \ 58 | test-rules \ 59 | test-pe \ 60 | test-elf \ 61 | test-version \ 62 | test-bitmask \ 63 | test-math \ 64 | test-stack \ 65 | test-re-split 66 | 67 | if POSIX 68 | # The -fsanitize=address option makes test-exception fail. Include the test 69 | # only if the option is not enabled. 70 | if !ADDRESS_SANITIZER 71 | check_PROGRAMS+=test-exception 72 | test_exception_SOURCES = tests/test-exception.c tests/util.c 73 | test_exception_LDADD = libyara/.libs/libyara.a 74 | endif 75 | endif 76 | 77 | if MACHO_MODULE 78 | check_PROGRAMS+=test-macho 79 | test_macho_SOURCES = tests/test-macho.c tests/util.c 80 | test_macho_LDADD = libyara/.libs/libyara.a 81 | endif 82 | 83 | if DEX_MODULE 84 | check_PROGRAMS+=test-dex 85 | test_dex_SOURCES = tests/test-dex.c tests/util.c 86 | test_dex_LDADD = libyara/.libs/libyara.a 87 | endif 88 | 89 | if DOTNET_MODULE 90 | check_PROGRAMS+=test-dotnet 91 | test_dotnet_SOURCES = tests/test-dotnet.c tests/util.c 92 | test_dotnet_LDADD = libyara/.libs/libyara.a 93 | endif 94 | 95 | # man pages 96 | man1_MANS = yara.man yarac.man 97 | 98 | EXTRA_DIST = $(man1_MANS) README.md bootstrap.sh 99 | -------------------------------------------------------------------------------- /WORKSPACE: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2019. The YARA Authors. All Rights Reserved. 2 | # 3 | # Redistribution and use in source and binary forms, with or without modification, 4 | # are permitted provided that the following conditions are met: 5 | # 6 | # 1. Redistributions of source code must retain the above copyright notice, this 7 | # list of conditions and the following disclaimer. 8 | # 9 | # 2. Redistributions in binary form must reproduce the above copyright notice, 10 | # this list of conditions and the following disclaimer in the documentation and/or 11 | # other materials provided with the distribution. 12 | # 13 | # 3. Neither the name of the copyright holder nor the names of its contributors 14 | # may be used to endorse or promote products derived from this software without 15 | # specific prior written permission. 16 | # 17 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 18 | # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 19 | # WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 21 | # ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 22 | # (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 23 | # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 24 | # ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 25 | # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 26 | # SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 27 | 28 | load("@bazel_tools//tools/build_defs/repo:git.bzl", "git_repository") 29 | load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive") 30 | 31 | # BoringSSL, see 32 | # https://boringssl.googlesource.com/boringssl/+/master/INCORPORATING.md#bazel 33 | git_repository( 34 | name = "boringssl", 35 | commit = "095d78b14f91cc9a910408eaae84a3bdafc54da9", # 2019-06-05 36 | remote = "https://boringssl.googlesource.com/boringssl", 37 | shallow_since = "1559759280 +0000", 38 | ) 39 | 40 | # Sandboxed API 41 | git_repository( 42 | name = "com_google_sandboxed_api", 43 | commit = "2301e05097818734f59b881d7fbe1624c17fc840", # 2019-07-08 44 | remote = "https://github.com/google/sandboxed-api.git", 45 | shallow_since = "1562590596 -0700", 46 | ) 47 | 48 | load( 49 | "@com_google_sandboxed_api//sandboxed_api/bazel:sapi_deps.bzl", 50 | "sapi_deps", 51 | ) 52 | 53 | sapi_deps() 54 | 55 | load("@com_google_protobuf//:protobuf_deps.bzl", "protobuf_deps") 56 | 57 | protobuf_deps() 58 | 59 | # GoogleTest/GoogleMock for testing the sandbox 60 | http_archive( 61 | name = "com_google_googletest", 62 | sha256 = "baed63b97595c32667694de0a434f8f23da59609c4a44f3360ba94b0abd5c583", 63 | strip_prefix = "googletest-8ffb7e5c88b20a297a2e786c480556467496463b", 64 | urls = ["https://github.com/google/googletest/archive/8ffb7e5c88b20a297a2e786c480556467496463b.zip"], # 2019-05-30 65 | ) 66 | -------------------------------------------------------------------------------- /appveyor.yml: -------------------------------------------------------------------------------- 1 | # AppVeyor CI for Windows 2 | 3 | version: '{branch}-{build}' 4 | 5 | pull_requests: 6 | do_not_increment_build_number: true 7 | 8 | environment: 9 | matrix: 10 | - TARGET: vs2015 11 | APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2015 12 | VisualStudioVersion: 14.0 13 | platform: x86 14 | configuration: Release 15 | artifact_postfix: win32 16 | - TARGET: vs2015 17 | APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2015 18 | VisualStudioVersion: 14.0 19 | platform: x86 20 | configuration: Debug 21 | - TARGET: vs2015 22 | APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2015 23 | VisualStudioVersion: 14.0 24 | platform: x64 25 | configuration: Release 26 | artifact_postfix: win64 27 | - TARGET: vs2015 28 | APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2015 29 | VisualStudioVersion: 14.0 30 | platform: x64 31 | configuration: Debug 32 | - TARGET: cygwin 33 | 34 | for: 35 | - 36 | matrix: 37 | only: 38 | - TARGET: cygwin 39 | 40 | build_script: 41 | - cmd: C:\cygwin64\bin\bash -e -l -c "cd c:/projects/yara && ./build.sh" 42 | 43 | test_script: 44 | - cmd: C:\cygwin64\bin\bash -e -l -c "cd c:/projects/yara && make check" 45 | 46 | - 47 | matrix: 48 | only: 49 | - TARGET: vs2015 50 | - configuration: Release 51 | 52 | before_build: 53 | - ps: nuget restore windows/vs2015/yara.sln 54 | 55 | build: 56 | project: windows/vs2015/yara.sln 57 | verbosity: minimal 58 | 59 | after_build: 60 | - cmd: 7z a yara-%APPVEYOR_BUILD_VERSION%-%ARTIFACT_POSTFIX%.zip %APPVEYOR_BUILD_FOLDER%\windows\%TARGET%\%CONFIGURATION%\*.exe 61 | 62 | artifacts: 63 | - path: yara-$(APPVEYOR_BUILD_VERSION)-$(ARTIFACT_POSTFIX).zip 64 | name: yara-$(APPVEYOR_BUILD_VERSION)-$(ARTIFACT_POSTFIX) 65 | type: zip 66 | 67 | deploy: 68 | tag: $(APPVEYOR_REPO_TAG_NAME) 69 | release: YARA $(APPVEYOR_REPO_TAG_NAME) 70 | provider: GitHub 71 | auth_token: 72 | secure: d3qqX7bmrBiKJI38yFPc5vHrGGfS3LxLC7FaG6ewI2ghPPE22Pk6QtyrEFFb73PL 73 | artifact: yara-$(APPVEYOR_BUILD_VERSION)-$(ARTIFACT_POSTFIX) 74 | draft: true 75 | on: 76 | APPVEYOR_REPO_TAG: true # deploy on tag push only 77 | 78 | test: off 79 | 80 | - 81 | matrix: 82 | only: 83 | - TARGET: vs2015 84 | - configuration: Debug 85 | 86 | before_build: 87 | - ps: nuget restore windows/vs2015/yara.sln 88 | 89 | build: 90 | project: windows/vs2015/yara.sln 91 | verbosity: minimal 92 | 93 | test: off 94 | 95 | # Uncomment the lines below for enabling Remote Desktop in the Appveyor. This 96 | # allows connecting to the remote machine and debug issues. 97 | # on_finish: 98 | # - ps: $blockRdp = $true; iex ((new-object net.webclient).DownloadString('https://raw.githubusercontent.com/appveyor/ci/master/scripts/enable-rdp.ps1')) 99 | -------------------------------------------------------------------------------- /args.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2014. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef ARGPARSE_H 31 | #define ARGPARSE_H 32 | 33 | #include 34 | 35 | 36 | #ifdef __cplusplus 37 | extern "C" { 38 | #endif 39 | 40 | 41 | typedef enum _args_error_type { 42 | ARGS_ERROR_OK, 43 | ARGS_ERROR_UNKNOWN_OPT, 44 | ARGS_ERROR_TOO_MANY, 45 | ARGS_ERROR_REQUIRED_INTEGER_ARG, 46 | ARGS_ERROR_REQUIRED_STRING_ARG, 47 | ARGS_ERROR_UNEXPECTED_ARG, 48 | } args_error_type_t; 49 | 50 | 51 | typedef enum _args_option_type { 52 | // special 53 | ARGS_OPT_END, 54 | ARGS_OPT_GROUP, 55 | // options with no arguments 56 | ARGS_OPT_BOOLEAN, 57 | // options with arguments (optional or required) 58 | ARGS_OPT_INTEGER, 59 | ARGS_OPT_STRING, 60 | } args_option_type_t; 61 | 62 | 63 | typedef struct _args_option { 64 | args_option_type_t type; 65 | const char short_name; 66 | const char *long_name; 67 | void *value; 68 | int max_count; 69 | const char *help; 70 | const char *type_help; 71 | int count; 72 | } args_option_t; 73 | 74 | 75 | #define OPT_BOOLEAN(short_name, long_name, value, ...) \ 76 | { ARGS_OPT_BOOLEAN, short_name, long_name, value, 1, __VA_ARGS__ } 77 | 78 | #define OPT_INTEGER(short_name, long_name, value, ...) \ 79 | { ARGS_OPT_INTEGER, short_name, long_name, value, 1, __VA_ARGS__ } 80 | 81 | #define OPT_STRING_MULTI(short_name, long_name, value, max_count, ...) \ 82 | { ARGS_OPT_STRING, short_name, long_name, value, max_count, __VA_ARGS__ } 83 | 84 | #define OPT_STRING(short_name, long_name, value, ...) \ 85 | OPT_STRING_MULTI(short_name, long_name, value, 1, __VA_ARGS__) 86 | 87 | #define OPT_END() { ARGS_OPT_END, 0 } 88 | 89 | 90 | int args_parse( 91 | args_option_t *options, 92 | int argc, 93 | const char **argv); 94 | 95 | 96 | void args_print_usage( 97 | args_option_t *options, 98 | int alignment); 99 | 100 | 101 | #ifdef __cplusplus 102 | } 103 | #endif 104 | 105 | #endif 106 | -------------------------------------------------------------------------------- /bootstrap.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | autoreconf --force --install 3 | -------------------------------------------------------------------------------- /build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | ./bootstrap.sh 3 | ./configure 4 | make -------------------------------------------------------------------------------- /dist/yara-python.spec: -------------------------------------------------------------------------------- 1 | %define name yara-python 2 | %define version 3.2.0 3 | %define unmangled_version 3.2.0 4 | %define release 1 5 | 6 | Summary: Python bindings for YARA malware research tool 7 | Name: %{name} 8 | Version: %{version} 9 | Release: %{release} 10 | Source0: %{name}-%{unmangled_version}.tar.gz 11 | License: Apache License 2.0 12 | Group: Development/Libraries 13 | BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot 14 | Prefix: %{_prefix} 15 | Vendor: Victor M. Alvarez 16 | BuildRequires: gcc python-devel 17 | BuildRequires: libyara-devel 18 | 19 | %description 20 | YARA is a tool aimed at (but not limited to) helpingmalware researchers to identify and classify malwaresamples. With YARA you can create descriptions of malware families (or whatever you want to describe)based on textual or binary patterns. 21 | 22 | %prep 23 | %setup -n %{name}-%{unmangled_version} 24 | 25 | %build 26 | env CFLAGS="$RPM_OPT_FLAGS" python setup.py build 27 | 28 | %install 29 | python setup.py install -O1 --root=$RPM_BUILD_ROOT --record=INSTALLED_FILES 30 | 31 | %clean 32 | rm -rf $RPM_BUILD_ROOT 33 | 34 | %files -f INSTALLED_FILES 35 | %defattr(-,root,root) 36 | -------------------------------------------------------------------------------- /dist/yara.spec: -------------------------------------------------------------------------------- 1 | ## 2 | ## Copyright (c) 2007-2015. The YARA Authors. All Rights Reserved. 3 | ## Licensed under the Apache License, Version 2.0 (the "License"); 4 | ## you may not use this file except in compliance with the License. 5 | ## You may obtain a copy of the License at 6 | ## http://www.apache.org/licenses/LICENSE-2.0 7 | ## Unless required by applicable law or agreed to in writing, software 8 | ## distributed under the License is distributed on an "AS IS" BASIS, 9 | ## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 10 | ## See the License for the specific language governing permissions and 11 | ## limitations under the License. 12 | ## 13 | 14 | Name: yara 15 | Version: 3.2.0 16 | Release: 1 17 | License: Apache License 2.0 18 | Summary: A malware identification and classification tool 19 | Url: http://plusvic.github.io/yara/ 20 | Group: System/Filesystems 21 | Source: yara-%{version}.tar.gz 22 | BuildRoot: %{_tmppath}/%{name}-%{version}-build 23 | BuildRequires: autoconf automake libtool 24 | 25 | %description 26 | YARA is a tool aimed at helping malware researchers to identify and classify 27 | malware samples. With YARA you can create descriptions of malware families 28 | based on textual or binary patterns contained on samples of those families. 29 | 30 | %package -n libyara 31 | Summary: Library to support the yara malware identification tool 32 | Group: System/Libraries 33 | 34 | %description -n libyara 35 | YARA is a tool aimed at helping malware researchers to identify and classify 36 | malware samples. With YARA you can create descriptions of malware families 37 | based on textual or binary patterns contained on samples of those families. 38 | 39 | %package -n yara-devel 40 | Summary: Development files to support the yara malware identification tool 41 | Group: Development/Libraries/C and C++ 42 | Requires: libyara = %{version}-%{release} 43 | 44 | %description -n yara-devel 45 | YARA is a tool aimed at helping malware researchers to identify and classify 46 | malware samples. With YARA you can create descriptions of malware families 47 | based on textual or binary patterns contained on samples of those families. 48 | 49 | %prep 50 | %setup -q 51 | 52 | %build 53 | ./bootstrap.sh 54 | ./configure 55 | make 56 | 57 | %install 58 | make install DESTDIR=%{buildroot} bindir=%{_bindir} libdir=%{_libdir} includedir=%{_includedir} mandir=%{_mandir} INSTALL="install -p" 59 | 60 | %post -n libyara -p /sbin/ldconfig 61 | 62 | %postun -n libyara -p /sbin/ldconfig 63 | 64 | %files 65 | %defattr(-,root,root) 66 | %{_bindir}/yara 67 | %{_bindir}/yarac 68 | %{_mandir}/man1/* 69 | 70 | %files -n libyara 71 | %defattr(-,root,root) 72 | %{_libdir}/libyara.so* 73 | %{_libdir}/pkgconfig/yara.pc 74 | 75 | %files -n yara-devel 76 | %defattr(-,root,root) 77 | %{_includedir}/yara.h 78 | %{_includedir}/yara/* 79 | %{_libdir}/libyara.a 80 | %{_libdir}/libyara.la 81 | 82 | 83 | %changelog 84 | * Sat Jan 25 2015 Domingo Kiser 3.2.0-1 85 | Initial Creation. 86 | -------------------------------------------------------------------------------- /docs/index.rst: -------------------------------------------------------------------------------- 1 | .. yara documentation master file, created by 2 | sphinx-quickstart on Tue Jul 8 11:04:03 2014. 3 | You can adapt this file completely to your liking, but it should at least 4 | contain the root `toctree` directive. 5 | 6 | Welcome to YARA's documentation! 7 | ================================ 8 | 9 | YARA is a tool aimed at (but not limited to) helping malware researchers to 10 | identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns. Each description, a.k.a rule, consists of a set of strings and a 11 | boolean expression which determine its logic. Let's see an example: 12 | 13 | .. code-block:: yara 14 | 15 | rule silent_banker : banker 16 | { 17 | meta: 18 | description = "This is just an example" 19 | threat_level = 3 20 | in_the_wild = true 21 | strings: 22 | $a = {6A 40 68 00 30 00 00 6A 14 8D 91} 23 | $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9} 24 | $c = "UVODFRYSIHLNWPEJXQZAKCBGMT" 25 | condition: 26 | $a or $b or $c 27 | } 28 | 29 | The above rule is telling YARA that any file containing one of the three strings 30 | must be reported as silent_banker. This is just a simple example, more complex 31 | and powerful rules can be created by using wild-cards, case-insensitive strings, regular expressions, special operators and many other features that you'll find explained in this documentation. 32 | 33 | Contents: 34 | 35 | .. toctree:: 36 | :maxdepth: 3 37 | 38 | gettingstarted 39 | writingrules 40 | modules 41 | writingmodules 42 | commandline 43 | yarapython 44 | capi 45 | 46 | 47 | 48 | -------------------------------------------------------------------------------- /docs/modules.rst: -------------------------------------------------------------------------------- 1 | ******* 2 | Modules 3 | ******* 4 | 5 | Modules are the method YARA provides for extending its features. They allow you 6 | to define data structures and functions which can be used in your rules to 7 | express more complex conditions. Here you'll find described some modules 8 | officially distributed with YARA, but you can also learn how to write your own 9 | modules in the :ref:`writing-modules` section. 10 | 11 | 12 | .. toctree:: 13 | :maxdepth: 3 14 | 15 | PE 16 | ELF 17 | Cuckoo 18 | Magic 19 | Hash 20 | Math 21 | Dotnet 22 | Time 23 | 24 | 25 | 26 | -------------------------------------------------------------------------------- /docs/modules/hash.rst: -------------------------------------------------------------------------------- 1 | 2 | .. _hash-module: 3 | 4 | ########### 5 | Hash module 6 | ########### 7 | 8 | .. versionadded:: 3.2.0 9 | 10 | The Hash module allows you to calculate hashes (MD5, SHA1, SHA256) from portions 11 | of your file and create signatures based on those hashes. 12 | 13 | .. important:: 14 | This module depends on the OpenSSL library. Please refer to 15 | :ref:`compiling-yara` for information about how to build OpenSSL-dependant 16 | features into YARA. 17 | 18 | Good news for Windows users: this module is already included in the official 19 | Windows binaries. 20 | 21 | .. warning:: 22 | The returned hash string is always in lowercase. This means that rule condition matching on hashes 23 | ``hash.md5(0, filesize) == "feba6c919e3797e7778e8f2e85fa033d"`` 24 | requires the hash string to be given in lowercase, otherwise the match condition 25 | will not work. (see https://github.com/VirusTotal/yara/issues/1004) 26 | 27 | .. c:function:: md5(offset, size) 28 | 29 | Returns the MD5 hash for *size* bytes starting at *offset*. When scanning a 30 | running process the *offset* argument should be a virtual address within 31 | the process address space. The returned string is always in lowercase. 32 | 33 | *Example: hash.md5(0, filesize) == "feba6c919e3797e7778e8f2e85fa033d"* 34 | 35 | .. c:function:: md5(string) 36 | 37 | Returns the MD5 hash for the given string. 38 | 39 | *Example: hash.md5("dummy") == "275876e34cf609db118f3d84b799a790"* 40 | 41 | .. c:function:: sha1(offset, size) 42 | 43 | Returns the SHA1 hash for the *size* bytes starting at *offset*. When 44 | scanning a running process the *offset* argument should be a virtual address 45 | within the process address space. The returned string is always in 46 | lowercase. 47 | 48 | .. c:function:: sha1(string) 49 | 50 | Returns the SHA1 hash for the given string. 51 | 52 | .. c:function:: sha256(offset, size) 53 | 54 | Returns the SHA256 hash for the *size* bytes starting at *offset*. When 55 | scanning a running process the *offset* argument should be a virtual address 56 | within the process address space. The returned string is always in 57 | lowercase. 58 | 59 | .. c:function:: sha256(string) 60 | 61 | Returns the SHA256 hash for the given string. 62 | 63 | .. c:function:: checksum32(offset, size) 64 | 65 | Returns a 32-bit checksum for the *size* bytes starting at *offset*. The 66 | checksum is just the sum of all the bytes (unsigned). 67 | 68 | .. c:function:: checksum32(string) 69 | 70 | Returns a 32-bit checksum for the given string. The checksum is just the 71 | sum of all the bytes in the string (unsigned). 72 | 73 | .. c:function:: crc32(offset, size) 74 | 75 | Returns a crc32 checksum for the *size* bytes starting at *offset*. 76 | 77 | .. c:function:: crc32(string) 78 | 79 | Returns a crc32 checksum for the given string. 80 | 81 | -------------------------------------------------------------------------------- /docs/modules/magic.rst: -------------------------------------------------------------------------------- 1 | 2 | .. _magic-module: 3 | 4 | ############ 5 | Magic module 6 | ############ 7 | 8 | .. versionadded:: 3.1.0 9 | 10 | The Magic module allows you to identify the type of the file based on the 11 | output of `file `_, the standard 12 | Unix command. 13 | 14 | .. important:: 15 | This module is not built into YARA by default, to learn how to include it 16 | refer to :ref:`compiling-yara`. Bad news for Windows users: **this module is 17 | not supported on Windows**. 18 | 19 | There are two functions in this module: :c:func:`type` and :c:func:`mime_type`. 20 | The first one returns the descriptive string returned by *file*, for example, 21 | if you run *file* against some PDF document you'll get something like this:: 22 | 23 | $file some.pdf 24 | some.pdf: PDF document, version 1.5 25 | 26 | The :c:func:`type` function would return *"PDF document, version 1.5"* in this 27 | case. Using the :c:func:`mime_type` function is similar to passing the 28 | ``--mime`` argument to *file*.:: 29 | 30 | $file --mime some.pdf 31 | some.pdf: application/pdf; charset=binary 32 | 33 | 34 | :c:func:`mime_type` would return *"application/pdf"*, without the charset part. 35 | 36 | By experimenting a little with the *file* command you can learn which output to 37 | expect for different file types. These are a few examples: 38 | 39 | * JPEG image data, JFIF standard 1.01 40 | * PE32 executable for MS Windows (GUI) Intel 80386 32-bit 41 | * PNG image data, 1240 x 1753, 8-bit/color RGBA, non-interlaced 42 | * ASCII text, with no line terminators 43 | * Zip archive data, at least v2.0 to extract 44 | 45 | 46 | 47 | .. c:function:: type() 48 | 49 | Function returning a string with the type of the file. 50 | 51 | *Example: magic.type() contains "PDF"* 52 | 53 | 54 | .. c:function:: mime_type() 55 | 56 | Function returning a string with the MIME type of the file. 57 | 58 | *Example: magic.mime_type() == "application/pdf"* 59 | -------------------------------------------------------------------------------- /docs/modules/math.rst: -------------------------------------------------------------------------------- 1 | 2 | .. _math-module: 3 | 4 | ########### 5 | Math module 6 | ########### 7 | 8 | .. versionadded:: 3.3.0 9 | 10 | The Math module allows you to calculate certain values from portions of your 11 | file and create signatures based on those results. 12 | 13 | .. important:: 14 | Where noted these functions return floating point numbers. YARA is able to 15 | convert integers to floating point numbers during most operations. For 16 | example this will convert 7 to 7.0 automatically, because the return type 17 | of the entropy function is a floating point value: 18 | 19 | *math.entropy(0, filesize) >= 7* 20 | 21 | The one exception to this is when a function requires a floating point 22 | number as an argument. For example, this will cause a syntax error because 23 | the arguments must be floating point numbers: 24 | 25 | *math.in_range(2, 1, 3)* 26 | 27 | .. c:function:: entropy(offset, size) 28 | 29 | Returns the entropy for *size* bytes starting at *offset*. When scanning a 30 | running process the *offset* argument should be a virtual address within 31 | the process address space. The returned value is a float. 32 | 33 | *Example: math.entropy(0, filesize) >= 7* 34 | 35 | .. c:function:: entropy(string) 36 | 37 | Returns the entropy for the given string. 38 | 39 | *Example: math.entropy("dummy") > 7* 40 | 41 | .. c:function:: monte_carlo_pi(offset, size) 42 | 43 | Returns the percentage away from Pi for the *size* bytes starting at 44 | *offset* when run through the Monte Carlo from Pi test. When scanning a 45 | running process the *offset* argument should be a virtual address within 46 | the process address space. The returned value is a float. 47 | 48 | *Example: math.monte_carlo_pi(0, filesize) < 0.07* 49 | 50 | .. c:function:: monte_carlo_pi(string) 51 | 52 | Return the percentage away from Pi for the given string. 53 | 54 | .. c:function:: serial_correlation(offset, size) 55 | 56 | Returns the serial correlation for the *size* bytes starting at *offset*. 57 | When scanning a running process the *offset* argument should be a virtual 58 | address within the process address space. The returned value is a float 59 | between 0.0 and 1.0. 60 | 61 | *Example: math.serial_correlation(0, filesize) < 0.2* 62 | 63 | .. c:function:: serial_correlation(string) 64 | 65 | Return the serial correlation for the given string. 66 | 67 | .. c:function:: mean(offset, size) 68 | 69 | Returns the mean for the *size* bytes starting at *offset*. When scanning 70 | a running process the *offset* argument should be a virtual address within 71 | the process address space. The returned value is a float. 72 | 73 | *Example: math.mean(0, filesize) < 72.0* 74 | 75 | .. c:function:: mean(string) 76 | 77 | Return the mean for the given string. 78 | 79 | .. c:function:: deviation(offset, size, mean) 80 | 81 | Returns the deviation from the mean for the *size* bytes starting at 82 | *offset*. When scanning a running process the *offset* argument should be 83 | a virtual address within the process address space. The returned value is 84 | a float. 85 | 86 | The mean of an equally distributed random sample of bytes is 127.5, which 87 | is available as the constant math.MEAN_BYTES. 88 | 89 | *Example: math.deviation(0, filesize, math.MEAN_BYTES) == 64.0* 90 | 91 | .. c:function:: deviation(string, mean) 92 | 93 | Return the deviation from the mean for the given string. 94 | 95 | .. c:function:: in_range(test, lower, upper) 96 | 97 | Returns true if the *test* value is between *lower* and *upper* values. The 98 | comparisons are inclusive. 99 | 100 | *Example: math.in_range(math.deviation(0, filesize, math.MEAN_BYTES), 63.9, 64,1)* 101 | 102 | .. c:function:: max(int, int) 103 | 104 | .. versionadded:: 3.8.0 105 | 106 | Returns the maximum of two unsigned integer values. 107 | 108 | .. c:function:: min(int, int) 109 | 110 | .. versionadded:: 3.8.0 111 | 112 | Returns the minimum of two unsigned integer values. 113 | -------------------------------------------------------------------------------- /docs/modules/time.rst: -------------------------------------------------------------------------------- 1 | 2 | .. _time-module: 3 | 4 | ############ 5 | Time module 6 | ############ 7 | 8 | .. versionadded:: 3.7.0 9 | 10 | The Time module allows you to use temporal conditions in your YARA rules. 11 | 12 | .. c:function:: now() 13 | 14 | Function returning an integer which is the number of seconds since January 15 | 1, 1970. 16 | 17 | *Example: pe.timestamp > time.now()* 18 | -------------------------------------------------------------------------------- /extra/TextMate-bundle.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/extra/TextMate-bundle.zip -------------------------------------------------------------------------------- /extra/UltraEdit-wordfile.txt: -------------------------------------------------------------------------------- 1 | /L20"YARA rules" YARA_LANG Line Comment = // Block Comment On = /* Block Comment Off = */ Escape Char = \ String Chars = " File Extensions = YAR 2 | /Marker Characters = "//" 3 | /Delimiters = ~!@%^&*()-+=|\/{}[]<>:;"' , .? 4 | /Function String = "rule [a-zA-Z0-9_]*" 5 | /Indent Strings = "{" 6 | /Unindent Strings = "}" 7 | /Open Brace Strings = "{" "(" "[" 8 | /Close Brace Strings = "}" ")" "]" 9 | 10 | /C1"YARA Keywords" 11 | and at any all ascii 12 | condition contains 13 | entrypoint 14 | for false filesize fullword 15 | global 16 | is in include int8 int16 int32 17 | meta matches 18 | nocase not 19 | or of 20 | private 21 | rule rva 22 | section strings 23 | them true 24 | uint8 uint16 uint32 25 | wide 26 | 27 | /C4"YARA Strings" 28 | " 29 | // / 30 | 31 | 32 | 33 | 34 | -------------------------------------------------------------------------------- /extra/codemirror/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | CodeMirror: YARA mode 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 26 | 27 |
28 |

YARA mode

29 |
30 | 42 |
43 | 53 |

MIME type: text/x-yara

54 |
55 | -------------------------------------------------------------------------------- /extra/codemirror/yara.js: -------------------------------------------------------------------------------- 1 | /* 2 | Language mode for CodeMirror (https://codemirror.net/) 3 | */ 4 | 5 | CodeMirror.defineMode("yara", function(config) { 6 | function words(str) { 7 | var obj = {}, words = str.split(" "); 8 | for (var i = 0; i < words.length; ++i) obj[words[i]] = true; 9 | return obj; 10 | } 11 | var keywords = words("all and any ascii at condition contains entrypoint filesize for " + 12 | "fullword global import in include int16 int32 int8 matches meta " + 13 | "nocase not of or private rule strings them uint16 uint32 " + 14 | "uint8 wide xor"); 15 | 16 | var atoms = {"true": true, "false": true}; 17 | 18 | var isOperatorChar = /[+\-*&%=<>!?|\/]/; 19 | 20 | function tokenBase(stream, state) { 21 | var ch = stream.next(); 22 | if (ch == "#" && state.startOfLine) { 23 | stream.skipToEnd(); 24 | return "meta"; 25 | } 26 | if (/[\[\]{}\(\),;\:\.]/.test(ch)) { 27 | return null 28 | } 29 | if (/\d/.test(ch)) { 30 | stream.eatWhile(/[\w\.]/); 31 | return "number"; 32 | } 33 | if (ch == "/") { 34 | if (stream.eat("/")) { 35 | stream.skipToEnd(); 36 | return "comment"; 37 | } 38 | if (stream.eat("*")) { 39 | state.tokenize = tokenComment; 40 | return tokenComment(stream, state); 41 | } 42 | } 43 | if (ch == '"' || ch == '/') { 44 | state.tokenize = tokenString(ch); 45 | return state.tokenize(stream, state); 46 | } 47 | if (isOperatorChar.test(ch)) { 48 | stream.eatWhile(isOperatorChar); 49 | return "operator"; 50 | } 51 | stream.eatWhile(/[\w\$_]/); 52 | var cur = stream.current(); 53 | if (keywords.propertyIsEnumerable(cur)) return "keyword"; 54 | if (atoms.propertyIsEnumerable(cur)) return "atom"; 55 | return "word"; 56 | } 57 | 58 | function tokenString(quote) { 59 | return function(stream, state) { 60 | var escaped = false, next, end = false; 61 | while ((next = stream.next()) != null) { 62 | if (next == quote && !escaped) {end = true; break;} 63 | escaped = !escaped && next == "\\"; 64 | } 65 | if (end || !escaped) state.tokenize = null; 66 | return "string"; 67 | }; 68 | } 69 | 70 | function tokenComment(stream, state) { 71 | var maybeEnd = false, ch; 72 | while (ch = stream.next()) { 73 | if (ch == "/" && maybeEnd) { 74 | state.tokenize = null; 75 | break; 76 | } 77 | maybeEnd = (ch == "*"); 78 | } 79 | return "comment"; 80 | } 81 | 82 | // Interface 83 | 84 | return { 85 | startState: function(basecolumn) { 86 | return {tokenize: null}; 87 | }, 88 | 89 | token: function(stream, state) { 90 | if (stream.eatSpace()) return null; 91 | var style = (state.tokenize || tokenBase)(stream, state); 92 | return style; 93 | }, 94 | 95 | electricChars: "{}" 96 | }; 97 | }); 98 | 99 | CodeMirror.defineMIME("text/yara", "yara"); 100 | CodeMirror.defineMIME("text/x-yara", "yara"); 101 | -------------------------------------------------------------------------------- /extra/logo.ai: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/extra/logo.ai -------------------------------------------------------------------------------- /extra/old-logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/extra/old-logo.png -------------------------------------------------------------------------------- /extra/old-logo.psd: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/extra/old-logo.psd -------------------------------------------------------------------------------- /libyara/Makefile.am: -------------------------------------------------------------------------------- 1 | MODULES = modules/tests/tests.c 2 | 3 | MODULES += modules/elf/elf.c 4 | 5 | MODULES += modules/math/math.c 6 | 7 | MODULES += modules/time/time.c 8 | 9 | MODULES += modules/pe/pe.c 10 | MODULES += modules/pe/pe_utils.c 11 | 12 | if CUCKOO_MODULE 13 | MODULES += modules/cuckoo/cuckoo.c 14 | endif 15 | 16 | if MAGIC_MODULE 17 | MODULES += modules/magic/magic.c 18 | endif 19 | 20 | if HASH_MODULE 21 | MODULES += modules/hash/hash.c 22 | endif 23 | 24 | if DOTNET_MODULE 25 | MODULES += modules/dotnet/dotnet.c 26 | endif 27 | 28 | if MACHO_MODULE 29 | MODULES += modules/macho/macho.c 30 | endif 31 | 32 | if DEX_MODULE 33 | MODULES += modules/dex/dex.c 34 | endif 35 | 36 | # 37 | # Add your modules here: 38 | # 39 | # MODULES += modules/yourmodule.c 40 | # 41 | 42 | AM_YFLAGS=-d 43 | 44 | AM_CFLAGS=-Wall -Wno-deprecated-declarations \ 45 | -std=gnu99 \ 46 | -D_GNU_SOURCE \ 47 | -I$(srcdir)/include 48 | 49 | if DEBUG 50 | AM_CFLAGS+=-g 51 | endif 52 | 53 | if OPTIMIZATION 54 | AM_CFLAGS+=-O3 55 | else 56 | AM_CFLAGS+=-O0 57 | endif 58 | 59 | if ADDRESS_SANITIZER 60 | AM_CFLAGS+=-fsanitize=address 61 | endif 62 | 63 | if GCC 64 | AM_CFLAGS+=-fvisibility=hidden 65 | endif 66 | 67 | ACLOCAL_AMFLAGS=-I m4 68 | 69 | include_HEADERS = include/yara.h 70 | 71 | yaraincludedir = $(includedir)/yara 72 | yarainclude_HEADERS = \ 73 | include/yara/ahocorasick.h \ 74 | include/yara/arena.h \ 75 | include/yara/atoms.h \ 76 | include/yara/bitmask.h \ 77 | include/yara/compiler.h \ 78 | include/yara/error.h \ 79 | include/yara/exec.h \ 80 | include/yara/exefiles.h \ 81 | include/yara/filemap.h \ 82 | include/yara/hash.h \ 83 | include/yara/integers.h \ 84 | include/yara/libyara.h \ 85 | include/yara/limits.h \ 86 | include/yara/mem.h \ 87 | include/yara/modules.h \ 88 | include/yara/object.h \ 89 | include/yara/parser.h \ 90 | include/yara/proc.h \ 91 | include/yara/re.h \ 92 | include/yara/rules.h \ 93 | include/yara/scan.h \ 94 | include/yara/scanner.h \ 95 | include/yara/sizedstr.h \ 96 | include/yara/stack.h \ 97 | include/yara/stopwatch.h \ 98 | include/yara/stream.h \ 99 | include/yara/strutils.h \ 100 | include/yara/threading.h \ 101 | include/yara/types.h \ 102 | include/yara/utils.h 103 | 104 | noinst_HEADERS = \ 105 | crypto.h \ 106 | exception.h \ 107 | include/yara/dotnet.h \ 108 | include/yara/elf.h \ 109 | include/yara/endian.h \ 110 | include/yara/globals.h \ 111 | include/yara/hex_lexer.h \ 112 | include/yara/lexer.h \ 113 | include/yara/pe.h \ 114 | include/yara/pe_utils.h \ 115 | include/yara/re_lexer.h \ 116 | modules/module_list 117 | 118 | 119 | lib_LTLIBRARIES = libyara.la 120 | 121 | libyara_la_LDFLAGS = -version-number 3:10:0 122 | 123 | BUILT_SOURCES = \ 124 | lexer.c \ 125 | hex_lexer.c \ 126 | re_lexer.c \ 127 | grammar.c \ 128 | hex_grammar.c \ 129 | re_grammar.c 130 | 131 | libyara_la_SOURCES = \ 132 | $(MODULES) \ 133 | grammar.y \ 134 | ahocorasick.c \ 135 | arena.c \ 136 | atoms.c \ 137 | bitmask.c \ 138 | compiler.c \ 139 | endian.c \ 140 | exec.c \ 141 | exefiles.c \ 142 | filemap.c \ 143 | hash.c \ 144 | hex_grammar.y \ 145 | hex_lexer.l \ 146 | lexer.l \ 147 | libyara.c \ 148 | mem.c \ 149 | modules.c \ 150 | object.c \ 151 | parser.c \ 152 | proc.c \ 153 | re.c \ 154 | re_grammar.y \ 155 | re_lexer.l \ 156 | rules.c \ 157 | scan.c \ 158 | scanner.c \ 159 | sizedstr.c \ 160 | stack.c \ 161 | stopwatch.c \ 162 | strutils.c \ 163 | stream.c \ 164 | threading.c 165 | 166 | 167 | if USE_WINDOWS_PROC 168 | libyara_la_SOURCES += proc/windows.c 169 | endif 170 | 171 | if USE_LINUX_PROC 172 | libyara_la_SOURCES += proc/linux.c 173 | endif 174 | 175 | if USE_FREEBSD_PROC 176 | libyara_la_SOURCES += proc/freebsd.c 177 | endif 178 | 179 | if USE_OPENBSD_PROC 180 | libyara_la_SOURCES += proc/openbsd.c 181 | endif 182 | 183 | if USE_MACH_PROC 184 | libyara_la_SOURCES += proc/mach.c 185 | endif 186 | 187 | if USE_NO_PROC 188 | libyara_la_SOURCES += proc/none.c 189 | endif 190 | 191 | pkgconfigdir = $(libdir)/pkgconfig 192 | nodist_pkgconfig_DATA = yara.pc 193 | -------------------------------------------------------------------------------- /libyara/endian.c: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2017. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #include 31 | 32 | uint16_t _yr_bswap16(uint16_t x) 33 | { 34 | return (x >> 8 | x << 8); 35 | } 36 | 37 | uint32_t _yr_bswap32(uint32_t x) 38 | { 39 | return ((((x) & 0xff000000) >> 24) | (((x) & 0x00ff0000) >> 8) | 40 | (((x) & 0x0000ff00) << 8) | (((x) & 0x000000ff) << 24)); 41 | } 42 | 43 | uint64_t _yr_bswap64(uint64_t x) 44 | { 45 | return ((((x) & 0xff00000000000000ull) >> 56) 46 | | (((x) & 0x00ff000000000000ull) >> 40) 47 | | (((x) & 0x0000ff0000000000ull) >> 24) 48 | | (((x) & 0x000000ff00000000ull) >> 8) 49 | | (((x) & 0x00000000ff000000ull) << 8) 50 | | (((x) & 0x0000000000ff0000ull) << 24) 51 | | (((x) & 0x000000000000ff00ull) << 40) 52 | | (((x) & 0x00000000000000ffull) << 56)); 53 | } 54 | -------------------------------------------------------------------------------- /libyara/hex_grammar.h: -------------------------------------------------------------------------------- 1 | /* A Bison parser, made by GNU Bison 3.0.5. */ 2 | 3 | /* Bison interface for Yacc-like parsers in C 4 | 5 | Copyright (C) 1984, 1989-1990, 2000-2015, 2018 Free Software Foundation, Inc. 6 | 7 | This program is free software: you can redistribute it and/or modify 8 | it under the terms of the GNU General Public License as published by 9 | the Free Software Foundation, either version 3 of the License, or 10 | (at your option) any later version. 11 | 12 | This program is distributed in the hope that it will be useful, 13 | but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | GNU General Public License for more details. 16 | 17 | You should have received a copy of the GNU General Public License 18 | along with this program. If not, see . */ 19 | 20 | /* As a special exception, you may create a larger work that contains 21 | part or all of the Bison parser skeleton and distribute that work 22 | under terms of your choice, so long as that work isn't itself a 23 | parser generator using the skeleton or a modified version thereof 24 | as a parser skeleton. Alternatively, if you modify or redistribute 25 | the parser skeleton itself, you may (at your option) remove this 26 | special exception, which will cause the skeleton and the resulting 27 | Bison output files to be licensed under the GNU General Public 28 | License without this special exception. 29 | 30 | This special exception was added by the Free Software Foundation in 31 | version 2.2 of Bison. */ 32 | 33 | #ifndef YY_HEX_YY_HEX_GRAMMAR_H_INCLUDED 34 | # define YY_HEX_YY_HEX_GRAMMAR_H_INCLUDED 35 | /* Debug traces. */ 36 | #ifndef YYDEBUG 37 | # define YYDEBUG 0 38 | #endif 39 | #if YYDEBUG 40 | extern int hex_yydebug; 41 | #endif 42 | 43 | /* Token type. */ 44 | #ifndef YYTOKENTYPE 45 | # define YYTOKENTYPE 46 | enum yytokentype 47 | { 48 | _BYTE_ = 258, 49 | _MASKED_BYTE_ = 259, 50 | _NUMBER_ = 260 51 | }; 52 | #endif 53 | /* Tokens. */ 54 | #define _BYTE_ 258 55 | #define _MASKED_BYTE_ 259 56 | #define _NUMBER_ 260 57 | 58 | /* Value type. */ 59 | #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED 60 | 61 | union YYSTYPE 62 | { 63 | #line 78 "hex_grammar.y" /* yacc.c:1916 */ 64 | 65 | int64_t integer; 66 | RE_NODE *re_node; 67 | 68 | #line 69 "hex_grammar.h" /* yacc.c:1916 */ 69 | }; 70 | 71 | typedef union YYSTYPE YYSTYPE; 72 | # define YYSTYPE_IS_TRIVIAL 1 73 | # define YYSTYPE_IS_DECLARED 1 74 | #endif 75 | 76 | 77 | 78 | int hex_yyparse (void *yyscanner, HEX_LEX_ENVIRONMENT *lex_env); 79 | 80 | #endif /* !YY_HEX_YY_HEX_GRAMMAR_H_INCLUDED */ 81 | -------------------------------------------------------------------------------- /libyara/include/yara.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2007-2013. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef YR_YARA_H 31 | #define YR_YARA_H 32 | 33 | #include "yara/utils.h" 34 | #include "yara/filemap.h" 35 | #include "yara/compiler.h" 36 | #include "yara/modules.h" 37 | #include "yara/object.h" 38 | #include "yara/libyara.h" 39 | #include "yara/error.h" 40 | #include "yara/stream.h" 41 | #include "yara/hash.h" 42 | #include "yara/scanner.h" 43 | #include "yara/mem.h" 44 | 45 | #endif 46 | -------------------------------------------------------------------------------- /libyara/include/yara/ahocorasick.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2013. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef _AHOCORASICK_H 31 | #define _AHOCORASICK_H 32 | 33 | #include 34 | #include 35 | #include 36 | 37 | // Number of bits dedicated to store the offset of the slot relative to its 38 | // own state. 39 | #define YR_AC_SLOT_OFFSET_BITS 9 40 | 41 | // Max number of slots in the transition table. This is the maximum number of 42 | // slots that can be addressed with 23-bit indexes. 43 | #define YR_AC_MAX_TRANSITION_TABLE_SIZE 0x800000 44 | 45 | #define YR_AC_ROOT_STATE 0 46 | #define YR_AC_NEXT_STATE(t) (t >> YR_AC_SLOT_OFFSET_BITS) 47 | #define YR_AC_INVALID_TRANSITION(t, c) (((t) & 0x1FF) != c) 48 | 49 | #define YR_AC_MAKE_TRANSITION(state, code) \ 50 | ((YR_AC_TRANSITION) \ 51 | ((((YR_AC_TRANSITION) state) << YR_AC_SLOT_OFFSET_BITS) | (code))) 52 | 53 | 54 | int yr_ac_automaton_create( 55 | YR_AC_AUTOMATON** automaton); 56 | 57 | 58 | int yr_ac_automaton_destroy( 59 | YR_AC_AUTOMATON* automaton); 60 | 61 | 62 | int yr_ac_add_string( 63 | YR_AC_AUTOMATON* automaton, 64 | YR_STRING* string, 65 | YR_ATOM_LIST_ITEM* atom, 66 | YR_ARENA* matches_arena); 67 | 68 | 69 | int yr_ac_compile( 70 | YR_AC_AUTOMATON* automaton, 71 | YR_ARENA* arena, 72 | YR_AC_TABLES* tables); 73 | 74 | 75 | void yr_ac_print_automaton( 76 | YR_AC_AUTOMATON* automaton); 77 | 78 | 79 | #endif 80 | -------------------------------------------------------------------------------- /libyara/include/yara/bitmask.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2018. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef YR_BITMASK_H 31 | #define YR_BITMASK_H 32 | 33 | #include 34 | 35 | 36 | #define YR_BITMASK unsigned long 37 | 38 | #define YR_BITMASK_SLOT_BITS (sizeof(YR_BITMASK) * 8) 39 | #define YR_BITMASK_SIZE(n) (((n) / (YR_BITMASK_SLOT_BITS)) + 1) 40 | 41 | 42 | #define yr_bitmask_set(bm, i) \ 43 | do { \ 44 | (bm)[(i) / YR_BITMASK_SLOT_BITS] |= 1UL << ((i) % YR_BITMASK_SLOT_BITS); \ 45 | } while(0) 46 | 47 | 48 | #define yr_bitmask_clear(bm, i) \ 49 | do { \ 50 | (bm)[(i) / YR_BITMASK_SLOT_BITS] &= ~(1UL << ((i) % YR_BITMASK_SLOT_BITS)); \ 51 | } while(0) 52 | 53 | 54 | #define yr_bitmask_clear_all(bm) \ 55 | memset(bm, 0, sizeof(bm)) 56 | 57 | 58 | #define yr_bitmask_isset(bm, i) \ 59 | ( \ 60 | (bm)[(i) / YR_BITMASK_SLOT_BITS] & (1UL << ((i) % YR_BITMASK_SLOT_BITS)) \ 61 | ) 62 | 63 | 64 | #define yr_bitmask_print(bm) \ 65 | { \ 66 | int i; \ 67 | for (i = 0; i < sizeof(bm) / sizeof(bm[0]); i++) { \ 68 | printf("%016lX\n", bm[i]); \ 69 | } \ 70 | } 71 | 72 | 73 | uint32_t yr_bitmask_find_non_colliding_offset( 74 | YR_BITMASK* a, 75 | YR_BITMASK* b, 76 | uint32_t len_a, 77 | uint32_t len_b, 78 | uint32_t* off_a); 79 | 80 | #endif 81 | -------------------------------------------------------------------------------- /libyara/include/yara/dex.h: -------------------------------------------------------------------------------- 1 | #ifndef _DEX_H 2 | #define _DEX_H 3 | 4 | #include 5 | 6 | #include 7 | #include 8 | 9 | #define DEX_FILE_MAGIC_035 "dex\n035\x00" 10 | #define DEX_FILE_MAGIC_036 "dex\n036\x00" 11 | #define DEX_FILE_MAGIC_037 "dex\n037\x00" 12 | #define DEX_FILE_MAGIC_038 "dex\n038\x00" 13 | 14 | #pragma pack(push,1) 15 | 16 | typedef struct 17 | { 18 | uint8_t magic[8]; 19 | uint32_t checksum; 20 | uint8_t signature[20]; 21 | uint32_t file_size; 22 | uint32_t header_size; 23 | uint32_t endian_tag; 24 | uint32_t link_size; 25 | uint32_t link_offset; 26 | uint32_t map_offset; 27 | uint32_t string_ids_size; 28 | uint32_t string_ids_offset; 29 | uint32_t type_ids_size; 30 | uint32_t type_ids_offset; 31 | uint32_t proto_ids_size; 32 | uint32_t proto_ids_offset; 33 | uint32_t field_ids_size; 34 | uint32_t field_ids_offset; 35 | uint32_t method_ids_size; 36 | uint32_t method_ids_offset; 37 | uint32_t class_defs_size; 38 | uint32_t class_defs_offset; 39 | uint32_t data_size; 40 | uint32_t data_offset; 41 | } dex_header_t; 42 | 43 | typedef struct { 44 | uint32_t string_data_offset; 45 | } string_id_item_t; 46 | 47 | 48 | typedef struct { 49 | uint32_t utf16_size; 50 | } string_data_item_t; 51 | 52 | typedef struct { 53 | uint32_t descriptor_idx; 54 | } type_id_item_t; 55 | 56 | typedef struct { 57 | uint32_t shorty_idx; 58 | uint32_t return_type_idx; 59 | uint32_t parameters_offset; 60 | } proto_id_item_t; 61 | 62 | typedef struct { 63 | uint16_t class_idx; 64 | uint16_t type_idx; 65 | uint32_t name_idx; 66 | } field_id_item_t; 67 | 68 | typedef struct { 69 | uint16_t class_idx; 70 | uint16_t proto_idx; 71 | uint32_t name_idx; 72 | } method_id_item_t; 73 | 74 | typedef struct { 75 | uint32_t class_idx; 76 | uint32_t access_flags; 77 | uint32_t super_class_idx; 78 | uint32_t interfaces_off; 79 | uint32_t source_file_idx; 80 | uint32_t annotations_offset; 81 | uint32_t class_data_offset; 82 | uint32_t static_values_offset; 83 | } class_id_item_t; 84 | 85 | typedef struct { 86 | uint32_t static_fields_size; 87 | uint32_t instance_fields_size; 88 | uint32_t direct_methods_size; 89 | uint32_t virtual_methods_size; 90 | } class_data_item_t; 91 | 92 | typedef struct { 93 | uint32_t field_idx_diff; 94 | uint32_t access_flags; 95 | } encoded_field_t; 96 | 97 | typedef struct { 98 | uint32_t method_idx_diff; 99 | uint32_t access_flags; 100 | uint32_t code_off; 101 | } encoded_method_t; 102 | 103 | typedef struct { 104 | uint16_t registers_size; 105 | uint16_t ins_size; 106 | uint16_t outs_size; 107 | uint16_t tries_size; 108 | uint32_t debug_info_off; 109 | uint32_t insns_size; 110 | } code_item_t; 111 | 112 | typedef struct { 113 | uint16_t type; 114 | uint16_t unused; 115 | uint32_t size; 116 | uint32_t offset; 117 | } map_item_t; 118 | 119 | typedef struct _DEX 120 | { 121 | const uint8_t* data; 122 | size_t data_size; 123 | dex_header_t *header; 124 | YR_OBJECT* object; 125 | } DEX; 126 | 127 | 128 | #define fits_in_dex(dex, pointer, size) \ 129 | ((size_t) size <= dex->data_size && \ 130 | (uint8_t*) (pointer) >= dex->data && \ 131 | (uint8_t*) (pointer) <= dex->data + dex->data_size - size) 132 | 133 | #define struct_fits_in_dex(dex, pointer, struct_type) \ 134 | fits_in_dex(dex, pointer, sizeof(struct_type)) 135 | 136 | #pragma pack(pop) 137 | 138 | #endif -------------------------------------------------------------------------------- /libyara/include/yara/endian.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2016. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef YR_ENDIAN_H 31 | #define YR_ENDIAN_H 32 | 33 | #include 34 | 35 | 36 | #if defined(__has_builtin) 37 | # if __has_builtin(__builtin_bswap16) 38 | # define yr_bswap16(x) __builtin_bswap16(x) 39 | # endif 40 | #endif 41 | 42 | #if !defined(yr_bswap16) && defined(_MSC_VER) 43 | # define yr_bswap16(x) _byteswap_ushort(x) 44 | #endif 45 | 46 | #if !defined(yr_bswap16) 47 | uint16_t _yr_bswap16(uint16_t x); 48 | # define yr_bswap16(x) _yr_bswap16(x) 49 | #endif 50 | 51 | 52 | #if defined(__has_builtin) 53 | # if __has_builtin(__builtin_bswap32) 54 | # define yr_bswap32(x) __builtin_bswap32(x) 55 | # endif 56 | #endif 57 | 58 | #if !defined(yr_bswap32) && defined(_MSC_VER) 59 | # define yr_bswap32(x) _byteswap_ulong(x) 60 | #endif 61 | 62 | #if !defined(yr_bswap32) 63 | uint32_t _yr_bswap32(uint32_t x); 64 | #define yr_bswap32(x) _yr_bswap32(x) 65 | #endif 66 | 67 | 68 | #if defined(__has_builtin) 69 | # if __has_builtin(__builtin_bswap64) 70 | # define yr_bswap64(x) __builtin_bswap64(x) 71 | # endif 72 | #endif 73 | 74 | #if !defined(yr_bswap64) && defined(_MSC_VER) 75 | # define yr_bswap64(x) _byteswap_uint64(x) 76 | #endif 77 | 78 | #if !defined(yr_bswap64) 79 | uint64_t _yr_bswap64(uint64_t x); 80 | #define yr_bswap64(x) _yr_bswap64(x) 81 | #endif 82 | 83 | 84 | #if defined(WORDS_BIGENDIAN) 85 | #define yr_le16toh(x) yr_bswap16(x) 86 | #define yr_le32toh(x) yr_bswap32(x) 87 | #define yr_le64toh(x) yr_bswap64(x) 88 | #define yr_be16toh(x) (x) 89 | #define yr_be32toh(x) (x) 90 | #define yr_be64toh(x) (x) 91 | #else 92 | #define yr_le16toh(x) (x) 93 | #define yr_le32toh(x) (x) 94 | #define yr_le64toh(x) (x) 95 | #define yr_be16toh(x) yr_bswap16(x) 96 | #define yr_be32toh(x) yr_bswap32(x) 97 | #define yr_be64toh(x) yr_bswap64(x) 98 | #endif 99 | 100 | #endif 101 | -------------------------------------------------------------------------------- /libyara/include/yara/exefiles.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2007. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef YR_EXEFILES_H 31 | #define YR_EXEFILES_H 32 | 33 | uint64_t yr_get_entry_point_offset( 34 | const uint8_t* buffer, 35 | size_t buffer_length); 36 | 37 | 38 | uint64_t yr_get_entry_point_address( 39 | const uint8_t* buffer, 40 | size_t buffer_length, 41 | uint64_t base_address); 42 | 43 | #endif 44 | -------------------------------------------------------------------------------- /libyara/include/yara/filemap.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2007-2015. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef YR_FILEMAP_H 31 | #define YR_FILEMAP_H 32 | 33 | #include 34 | 35 | #if defined(_WIN32) || defined(__CYGWIN__) 36 | #include 37 | #define YR_FILE_DESCRIPTOR HANDLE 38 | #else 39 | #define YR_FILE_DESCRIPTOR int 40 | #endif 41 | 42 | #include 43 | 44 | #include 45 | #include 46 | 47 | 48 | typedef struct _YR_MAPPED_FILE 49 | { 50 | YR_FILE_DESCRIPTOR file; 51 | size_t size; 52 | const uint8_t* data; 53 | #if defined(_WIN32) || defined(__CYGWIN__) 54 | HANDLE mapping; 55 | #endif 56 | 57 | } YR_MAPPED_FILE; 58 | 59 | 60 | YR_API int yr_filemap_map( 61 | const char* file_path, 62 | YR_MAPPED_FILE* pmapped_file); 63 | 64 | 65 | YR_API int yr_filemap_map_fd( 66 | YR_FILE_DESCRIPTOR file, 67 | off_t offset, 68 | size_t size, 69 | YR_MAPPED_FILE* pmapped_file); 70 | 71 | 72 | YR_API int yr_filemap_map_ex( 73 | const char* file_path, 74 | off_t offset, 75 | size_t size, 76 | YR_MAPPED_FILE* pmapped_file); 77 | 78 | 79 | YR_API void yr_filemap_unmap( 80 | YR_MAPPED_FILE* pmapped_file); 81 | 82 | 83 | YR_API void yr_filemap_unmap_fd( 84 | YR_MAPPED_FILE* pmapped_file); 85 | 86 | #endif 87 | -------------------------------------------------------------------------------- /libyara/include/yara/globals.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2014. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef YR_GLOBALS_H 31 | #define YR_GLOBALS_H 32 | 33 | #include 34 | #include 35 | 36 | // Pre-computed tables for quickly converting a character to lowercase or to 37 | // its alternative case (uppercase if it is a lowercase and vice versa). This 38 | // tables are initialized by yr_initialize. 39 | extern uint8_t yr_lowercase[256]; 40 | extern uint8_t yr_altercase[256]; 41 | 42 | extern YR_THREAD_STORAGE_KEY yr_tidx_key; 43 | extern YR_THREAD_STORAGE_KEY yr_recovery_state_key; 44 | 45 | #endif 46 | -------------------------------------------------------------------------------- /libyara/include/yara/hash.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2013. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef YR_HASH_H 31 | #define YR_HASH_H 32 | 33 | #include 34 | 35 | #include 36 | #include 37 | 38 | typedef struct _YR_HASH_TABLE_ENTRY 39 | { 40 | void* key; 41 | size_t key_length; 42 | char* ns; 43 | void* value; 44 | 45 | struct _YR_HASH_TABLE_ENTRY* next; 46 | 47 | } YR_HASH_TABLE_ENTRY; 48 | 49 | 50 | typedef struct _YR_HASH_TABLE 51 | { 52 | int size; 53 | 54 | YR_HASH_TABLE_ENTRY* buckets[1]; 55 | 56 | } YR_HASH_TABLE; 57 | 58 | 59 | typedef int (*YR_HASH_TABLE_FREE_VALUE_FUNC)(void* value); 60 | 61 | 62 | uint32_t yr_hash( 63 | uint32_t seed, 64 | const void* buffer, 65 | size_t len); 66 | 67 | 68 | YR_API int yr_hash_table_create( 69 | int size, 70 | YR_HASH_TABLE** table); 71 | 72 | 73 | YR_API void yr_hash_table_clean( 74 | YR_HASH_TABLE* table, 75 | YR_HASH_TABLE_FREE_VALUE_FUNC free_value); 76 | 77 | 78 | YR_API void yr_hash_table_destroy( 79 | YR_HASH_TABLE* table, 80 | YR_HASH_TABLE_FREE_VALUE_FUNC free_value); 81 | 82 | 83 | YR_API void* yr_hash_table_lookup( 84 | YR_HASH_TABLE* table, 85 | const char* key, 86 | const char* ns); 87 | 88 | 89 | YR_API void* yr_hash_table_remove( 90 | YR_HASH_TABLE* table, 91 | const char* key, 92 | const char* ns); 93 | 94 | 95 | YR_API int yr_hash_table_add( 96 | YR_HASH_TABLE* table, 97 | const char* key, 98 | const char* ns, 99 | void* value); 100 | 101 | 102 | YR_API void* yr_hash_table_lookup_raw_key( 103 | YR_HASH_TABLE* table, 104 | const void* key, 105 | size_t key_length, 106 | const char* ns); 107 | 108 | 109 | YR_API void* yr_hash_table_remove_raw_key( 110 | YR_HASH_TABLE* table, 111 | const void* key, 112 | size_t key_length, 113 | const char* ns); 114 | 115 | 116 | YR_API int yr_hash_table_add_raw_key( 117 | YR_HASH_TABLE* table, 118 | const void* key, 119 | size_t key_length, 120 | const char* ns, 121 | void* value); 122 | 123 | #endif 124 | -------------------------------------------------------------------------------- /libyara/include/yara/hex_lexer.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2007. Victor M. Alvarez [plusvic@gmail.com]. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #include 31 | 32 | #undef yyparse 33 | #undef yylex 34 | #undef yyerror 35 | #undef yyfatal 36 | #undef yychar 37 | #undef yydebug 38 | #undef yynerrs 39 | #undef yyget_extra 40 | #undef yyget_lineno 41 | 42 | #undef YY_FATAL_ERROR 43 | #undef YY_DECL 44 | #undef LEX_ENV 45 | 46 | #define yyparse hex_yyparse 47 | #define yylex hex_yylex 48 | #define yyerror hex_yyerror 49 | #define yyfatal hex_yyfatal 50 | #define yychar hex_yychar 51 | #define yydebug hex_yydebug 52 | #define yynerrs hex_yynerrs 53 | #define yyget_extra hex_yyget_extra 54 | #define yyget_lineno hex_yyget_lineno 55 | 56 | 57 | #ifndef YY_TYPEDEF_YY_SCANNER_T 58 | #define YY_TYPEDEF_YY_SCANNER_T 59 | typedef void* yyscan_t; 60 | #endif 61 | 62 | #define YY_EXTRA_TYPE RE_AST* 63 | #define YY_USE_CONST 64 | 65 | 66 | typedef struct _HEX_LEX_ENVIRONMENT 67 | { 68 | int inside_or; 69 | int last_error; 70 | char last_error_message[256]; 71 | 72 | } HEX_LEX_ENVIRONMENT; 73 | 74 | 75 | #define YY_FATAL_ERROR(msg) hex_yyfatal(yyscanner, msg) 76 | 77 | #define LEX_ENV ((HEX_LEX_ENVIRONMENT*) lex_env) 78 | 79 | #include 80 | 81 | #define YY_DECL int hex_yylex \ 82 | (YYSTYPE * yylval_param , yyscan_t yyscanner, HEX_LEX_ENVIRONMENT* lex_env) 83 | 84 | 85 | YY_EXTRA_TYPE yyget_extra( 86 | yyscan_t yyscanner); 87 | 88 | int yylex( 89 | YYSTYPE* yylval_param, 90 | yyscan_t yyscanner, 91 | HEX_LEX_ENVIRONMENT* lex_env); 92 | 93 | int yyparse( 94 | void *yyscanner, 95 | HEX_LEX_ENVIRONMENT *lex_env); 96 | 97 | void yyerror( 98 | yyscan_t yyscanner, 99 | HEX_LEX_ENVIRONMENT* lex_env, 100 | const char *error_message); 101 | 102 | void yyfatal( 103 | yyscan_t yyscanner, 104 | const char *error_message); 105 | 106 | int yr_parse_hex_string( 107 | const char* hex_string, 108 | RE_AST** re_ast, 109 | RE_ERROR* error); 110 | -------------------------------------------------------------------------------- /libyara/include/yara/integers.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2007-2015. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef YR_INTEGERS_H 31 | #define YR_INTEGERS_H 32 | 33 | 34 | #if ( defined( _MSC_VER ) && ( _MSC_VER < 1600 ) ) || ( defined( __BORLANDC__ ) && ( __BORLANDC__ <= 0x0560 ) ) 35 | 36 | #ifdef __cplusplus 37 | extern "C" { 38 | #endif 39 | 40 | // Microsoft Visual Studio C++ before Visual Studio 2010 or earlier versions of 41 | // the Borland C++ Builder do not support the (u)int#_t type definitions but 42 | // have __int# definitions instead 43 | 44 | typedef __int8 int8_t; 45 | typedef unsigned __int8 uint8_t; 46 | typedef __int16 int16_t; 47 | typedef unsigned __int16 uint16_t; 48 | typedef __int32 int32_t; 49 | typedef unsigned __int32 uint32_t; 50 | typedef __int64 int64_t; 51 | typedef unsigned __int64 uint64_t; 52 | 53 | #ifdef __cplusplus 54 | } 55 | #endif 56 | 57 | 58 | #ifndef INT8_MIN 59 | #define INT8_MIN (-127i8 - 1) 60 | #endif 61 | 62 | #ifndef INT8_MIN 63 | #define INT16_MIN (-32767i16 - 1) 64 | #endif 65 | 66 | #ifndef INT32_MIN 67 | #define INT32_MIN (-2147483647i32 - 1) 68 | #endif 69 | 70 | #ifndef INT64_MIN 71 | #define INT64_MIN (-9223372036854775807i64 - 1) 72 | #endif 73 | 74 | #ifndef INT8_MAX 75 | #define INT8_MAX 127i8 76 | #endif 77 | 78 | #ifndef INT16_MAX 79 | #define INT16_MAX 32767i16 80 | #endif 81 | 82 | #ifndef INT32_MAX 83 | #define INT32_MAX 2147483647i32 84 | #endif 85 | 86 | #ifndef INT64_MAX 87 | #define INT64_MAX 9223372036854775807i64 88 | #endif 89 | 90 | #ifndef UINT8_MAX 91 | #define UINT8_MAX 0xffui8 92 | #endif 93 | 94 | #ifndef UINT16_MAX 95 | #define UINT16_MAX 0xffffui16 96 | #endif 97 | 98 | #ifndef UINT32_MAX 99 | #define UINT32_MAX 0xffffffffui32 100 | #endif 101 | 102 | #ifndef UINT64_MAX 103 | #define UINT64_MAX 0xffffffffffffffffui64 104 | #endif 105 | 106 | #else 107 | 108 | // Other "compilers" and later versions of Microsoft Visual Studio C++ and 109 | // Borland C/C++ define the types in 110 | 111 | #include 112 | 113 | #endif 114 | 115 | #endif 116 | -------------------------------------------------------------------------------- /libyara/include/yara/libyara.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2014. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef YR_LIBYARA_H 31 | #define YR_LIBYARA_H 32 | 33 | #include 34 | 35 | #define YR_MAJOR_VERSION 3 36 | #define YR_MINOR_VERSION 11 37 | #define YR_MICRO_VERSION 0 38 | 39 | #define version_str(s) _version_str(s) 40 | #define _version_str(s) #s 41 | 42 | // Version as a string 43 | #define YR_VERSION version_str(YR_MAJOR_VERSION) \ 44 | "." version_str(YR_MINOR_VERSION) \ 45 | "." version_str(YR_MICRO_VERSION) 46 | 47 | // Version as a single 4-byte hex number, e.g. 0x030401 == 3.4.1. 48 | #define YR_VERSION_HEX ((YR_MAJOR_VERSION << 16) | \ 49 | (YR_MINOR_VERSION << 8) | \ 50 | (YR_MICRO_VERSION << 0)) 51 | 52 | 53 | // Enumerated type listing configuration options 54 | typedef enum _YR_CONFIG_NAME 55 | { 56 | YR_CONFIG_STACK_SIZE, 57 | YR_CONFIG_MAX_STRINGS_PER_RULE, 58 | YR_CONFIG_MAX_MATCH_DATA, 59 | 60 | YR_CONFIG_LAST // End-of-enum marker, not a configuration 61 | 62 | } YR_CONFIG_NAME; 63 | 64 | 65 | #define DEFAULT_STACK_SIZE 16384 66 | #define DEFAULT_MAX_STRINGS_PER_RULE 10000 67 | #define DEFAULT_MAX_MATCH_DATA 512 68 | 69 | 70 | YR_API int yr_initialize(void); 71 | 72 | 73 | YR_API int yr_finalize(void); 74 | 75 | 76 | YR_DEPRECATED_API void yr_finalize_thread(void); 77 | 78 | 79 | YR_API int yr_get_tidx(void); 80 | 81 | 82 | YR_API void yr_set_tidx(int); 83 | 84 | 85 | YR_API int yr_set_configuration(YR_CONFIG_NAME, void*); 86 | 87 | 88 | YR_API int yr_get_configuration(YR_CONFIG_NAME, void*); 89 | 90 | 91 | #endif 92 | -------------------------------------------------------------------------------- /libyara/include/yara/mem.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2007. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef YR_MEM_H 31 | #define YR_MEM_H 32 | 33 | #include 34 | 35 | #ifdef DMALLOC 36 | 37 | #define yr_malloc malloc 38 | #define yr_calloc calloc 39 | #define yr_realloc realloc 40 | #define yr_free free 41 | #define yr_strdup strdup 42 | #define yr_strndup strndup 43 | 44 | #include 45 | 46 | #else 47 | 48 | void* yr_calloc( 49 | size_t count, 50 | size_t size); 51 | 52 | void* yr_malloc( 53 | size_t size); 54 | 55 | void* yr_realloc( 56 | void* ptr, 57 | size_t size); 58 | 59 | void yr_free( 60 | void *ptr); 61 | 62 | char* yr_strdup( 63 | const char *str); 64 | 65 | char* yr_strndup( 66 | const char *str, size_t n); 67 | 68 | #endif 69 | 70 | int yr_heap_alloc(void); 71 | 72 | int yr_heap_free(void); 73 | 74 | #endif 75 | -------------------------------------------------------------------------------- /libyara/include/yara/pe_utils.h: -------------------------------------------------------------------------------- 1 | #ifndef YR_PE_UTILS_H 2 | #define YR_PE_UTILS_H 3 | 4 | #include 5 | 6 | #define MAX_PE_SECTIONS 96 7 | 8 | 9 | #define IS_64BITS_PE(pe) \ 10 | (yr_le16toh(pe->header64->OptionalHeader.Magic) == IMAGE_NT_OPTIONAL_HDR64_MAGIC) 11 | 12 | 13 | #define OptionalHeader(pe,field) \ 14 | (IS_64BITS_PE(pe) ? \ 15 | pe->header64->OptionalHeader.field : \ 16 | pe->header->OptionalHeader.field) 17 | 18 | 19 | // 20 | // Imports are stored in a linked list. Each node (IMPORTED_DLL) contains the 21 | // name of the DLL and a pointer to another linked list of 22 | // IMPORT_EXPORT_FUNCTION structures containing the details of imported 23 | // functions. 24 | // 25 | 26 | typedef struct _IMPORTED_DLL 27 | { 28 | char *name; 29 | 30 | struct _IMPORT_FUNCTION *functions; 31 | struct _IMPORTED_DLL *next; 32 | 33 | } IMPORTED_DLL, *PIMPORTED_DLL; 34 | 35 | 36 | // 37 | // This is used to track imported and exported functions. The "has_ordinal" 38 | // field is only used in the case of imports as those are optional. Every export 39 | // has an ordinal so we don't need the field there, but in the interest of 40 | // keeping duplicate code to a minimum we use this function for both imports and 41 | // exports. 42 | // 43 | 44 | typedef struct _IMPORT_FUNCTION 45 | { 46 | char *name; 47 | uint8_t has_ordinal; 48 | uint16_t ordinal; 49 | 50 | struct _IMPORT_FUNCTION *next; 51 | 52 | } IMPORT_FUNCTION, *PIMPORT_FUNCTION; 53 | 54 | 55 | typedef struct _EXPORT_FUNCTION 56 | { 57 | char *name; 58 | uint16_t ordinal; 59 | } EXPORT_FUNCTION, *PEXPORT_FUNCTION; 60 | 61 | 62 | typedef struct _EXPORT_FUNCTIONS 63 | { 64 | uint32_t number_of_exports; 65 | EXPORT_FUNCTION* functions; 66 | } EXPORT_FUNCTIONS, *PEXPORT_FUNCTIONS; 67 | 68 | 69 | typedef struct _PE 70 | { 71 | const uint8_t* data; 72 | size_t data_size; 73 | 74 | union { 75 | PIMAGE_NT_HEADERS32 header; 76 | PIMAGE_NT_HEADERS64 header64; 77 | }; 78 | 79 | YR_HASH_TABLE* hash_table; 80 | YR_OBJECT* object; 81 | IMPORTED_DLL* imported_dlls; 82 | EXPORT_FUNCTIONS* exported_functions; 83 | 84 | uint32_t resources; 85 | 86 | } PE; 87 | 88 | 89 | #define fits_in_pe(pe, pointer, size) \ 90 | ((size_t) size <= pe->data_size && \ 91 | (uint8_t*) (pointer) >= pe->data && \ 92 | (uint8_t*) (pointer) <= pe->data + pe->data_size - size) 93 | 94 | #define struct_fits_in_pe(pe, pointer, struct_type) \ 95 | fits_in_pe(pe, pointer, sizeof(struct_type)) 96 | 97 | 98 | PIMAGE_NT_HEADERS32 pe_get_header( 99 | const uint8_t* data, 100 | size_t data_size); 101 | 102 | 103 | PIMAGE_DATA_DIRECTORY pe_get_directory_entry( 104 | PE* pe, 105 | int entry); 106 | 107 | 108 | int64_t pe_rva_to_offset( 109 | PE* pe, 110 | uint64_t rva); 111 | 112 | 113 | char *ord_lookup( 114 | char *dll, 115 | uint16_t ord); 116 | 117 | 118 | #if HAVE_LIBCRYPTO 119 | #include 120 | time_t ASN1_get_time_t(ASN1_TIME* time); 121 | #endif 122 | 123 | #endif 124 | -------------------------------------------------------------------------------- /libyara/include/yara/proc.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2007. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef YR_PROC_H 31 | #define YR_PROC_H 32 | 33 | #include 34 | 35 | typedef struct _YR_PROC_ITERATOR_CTX { 36 | const uint8_t* buffer; 37 | size_t buffer_size; 38 | YR_MEMORY_BLOCK current_block; 39 | void* proc_info; 40 | } YR_PROC_ITERATOR_CTX; 41 | 42 | YR_API int yr_process_open_iterator( 43 | int pid, 44 | YR_MEMORY_BLOCK_ITERATOR* iterator); 45 | 46 | YR_API int yr_process_close_iterator( 47 | YR_MEMORY_BLOCK_ITERATOR* iterator); 48 | 49 | YR_API YR_MEMORY_BLOCK* yr_process_get_first_memory_block( 50 | YR_MEMORY_BLOCK_ITERATOR* iterator); 51 | 52 | YR_API YR_MEMORY_BLOCK* yr_process_get_next_memory_block( 53 | YR_MEMORY_BLOCK_ITERATOR* iterator); 54 | 55 | YR_API const uint8_t* yr_process_fetch_memory_block_data( 56 | YR_MEMORY_BLOCK* block); 57 | 58 | #endif 59 | -------------------------------------------------------------------------------- /libyara/include/yara/re_lexer.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2013. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #undef yyparse 31 | #undef yylex 32 | #undef yyerror 33 | #undef yyfatal 34 | #undef yychar 35 | #undef yydebug 36 | #undef yynerrs 37 | #undef yyget_extra 38 | #undef yyget_lineno 39 | 40 | #undef YY_FATAL_ERROR 41 | #undef YY_DECL 42 | #undef LEX_ENV 43 | 44 | 45 | #define yyparse re_yyparse 46 | #define yylex re_yylex 47 | #define yyerror re_yyerror 48 | #define yyfatal re_yyfatal 49 | #define yychar re_yychar 50 | #define yydebug re_yydebug 51 | #define yynerrs re_yynerrs 52 | #define yyget_extra re_yyget_extra 53 | #define yyget_lineno re_yyget_lineno 54 | 55 | 56 | #ifndef YY_TYPEDEF_YY_SCANNER_T 57 | #define YY_TYPEDEF_YY_SCANNER_T 58 | typedef void* yyscan_t; 59 | #endif 60 | 61 | #define YY_EXTRA_TYPE RE_AST* 62 | #define YY_USE_CONST 63 | 64 | 65 | typedef struct _RE_LEX_ENVIRONMENT 66 | { 67 | RE_CLASS re_class; 68 | int last_error; 69 | char last_error_message[256]; 70 | 71 | } RE_LEX_ENVIRONMENT; 72 | 73 | 74 | #define LEX_ENV ((RE_LEX_ENVIRONMENT*) lex_env) 75 | 76 | #define YY_FATAL_ERROR(msg) re_yyfatal(yyscanner, msg) 77 | 78 | #include 79 | 80 | #define YY_DECL int re_yylex \ 81 | (YYSTYPE * yylval_param , yyscan_t yyscanner, RE_LEX_ENVIRONMENT* lex_env) 82 | 83 | 84 | YY_EXTRA_TYPE yyget_extra( 85 | yyscan_t yyscanner); 86 | 87 | int yylex( 88 | YYSTYPE* yylval_param, 89 | yyscan_t yyscanner, 90 | RE_LEX_ENVIRONMENT* lex_env); 91 | 92 | int yyparse( 93 | void *yyscanner, 94 | RE_LEX_ENVIRONMENT *lex_env); 95 | 96 | void yyerror( 97 | yyscan_t yyscanner, 98 | RE_LEX_ENVIRONMENT* lex_env, 99 | const char *error_message); 100 | 101 | void yyfatal( 102 | yyscan_t yyscanner, 103 | const char *error_message); 104 | 105 | int yr_parse_re_string( 106 | const char* re_string, 107 | RE_AST** re_ast, 108 | RE_ERROR* error); 109 | -------------------------------------------------------------------------------- /libyara/include/yara/scan.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2014. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef YR_SCAN_H 31 | #define YR_SCAN_H 32 | 33 | #include 34 | 35 | // Bitmasks for flags. 36 | #define SCAN_FLAGS_FAST_MODE 1 37 | #define SCAN_FLAGS_PROCESS_MEMORY 2 38 | #define SCAN_FLAGS_NO_TRYCATCH 4 39 | 40 | 41 | int yr_scan_verify_match( 42 | YR_SCAN_CONTEXT* context, 43 | YR_AC_MATCH* ac_match, 44 | const uint8_t* data, 45 | size_t data_size, 46 | uint64_t data_base, 47 | size_t offset); 48 | 49 | #endif 50 | -------------------------------------------------------------------------------- /libyara/include/yara/scanner.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2018. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef YR_SCANNER_H 31 | #define YR_SCANNER_H 32 | 33 | #include 34 | #include 35 | 36 | 37 | typedef YR_SCAN_CONTEXT YR_SCANNER; 38 | 39 | 40 | YR_API int yr_scanner_create( 41 | YR_RULES* rules, 42 | YR_SCANNER** scanner); 43 | 44 | 45 | YR_API void yr_scanner_destroy( 46 | YR_SCANNER* scanner); 47 | 48 | 49 | YR_API void yr_scanner_set_callback( 50 | YR_SCANNER* scanner, 51 | YR_CALLBACK_FUNC callback, 52 | void* user_data); 53 | 54 | 55 | YR_API void yr_scanner_set_timeout( 56 | YR_SCANNER* scanner, 57 | int timeout); 58 | 59 | 60 | YR_API void yr_scanner_set_flags( 61 | YR_SCANNER* scanner, 62 | int flags); 63 | 64 | 65 | YR_API int yr_scanner_define_integer_variable( 66 | YR_SCANNER* scanner, 67 | const char* identifier, 68 | int64_t value); 69 | 70 | 71 | YR_API int yr_scanner_define_boolean_variable( 72 | YR_SCANNER* scanner, 73 | const char* identifier, 74 | int value); 75 | 76 | 77 | YR_API int yr_scanner_define_float_variable( 78 | YR_SCANNER* scanner, 79 | const char* identifier, 80 | double value); 81 | 82 | 83 | YR_API int yr_scanner_define_string_variable( 84 | YR_SCANNER* scanner, 85 | const char* identifier, 86 | const char* value); 87 | 88 | 89 | YR_API int yr_scanner_scan_mem_blocks( 90 | YR_SCANNER* scanner, 91 | YR_MEMORY_BLOCK_ITERATOR* iterator); 92 | 93 | 94 | YR_API int yr_scanner_scan_mem( 95 | YR_SCANNER* scanner, 96 | const uint8_t* buffer, 97 | size_t buffer_size); 98 | 99 | 100 | YR_API int yr_scanner_scan_file( 101 | YR_SCANNER* scanner, 102 | const char* filename); 103 | 104 | 105 | YR_API int yr_scanner_scan_fd( 106 | YR_SCANNER* scanner, 107 | YR_FILE_DESCRIPTOR fd); 108 | 109 | 110 | YR_API int yr_scanner_scan_proc( 111 | YR_SCANNER* scanner, 112 | int pid); 113 | 114 | 115 | YR_API YR_RULE* yr_scanner_last_error_rule( 116 | YR_SCANNER* scanner); 117 | 118 | 119 | YR_API YR_STRING* yr_scanner_last_error_string( 120 | YR_SCANNER* scanner); 121 | 122 | #endif 123 | -------------------------------------------------------------------------------- /libyara/include/yara/sizedstr.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2007-2014. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef _SIZEDSTR_H 31 | #define _SIZEDSTR_H 32 | 33 | #include 34 | 35 | #include 36 | 37 | // 38 | // This struct is used to support strings containing null chars. The length of 39 | // the string is stored along the string data. However the string data is also 40 | // terminated with a null char. 41 | // 42 | 43 | #define SIZED_STRING_FLAGS_NO_CASE 1 44 | #define SIZED_STRING_FLAGS_DOT_ALL 2 45 | 46 | #pragma pack(push) 47 | #pragma pack(8) 48 | 49 | 50 | typedef struct _SIZED_STRING 51 | { 52 | uint32_t length; 53 | uint32_t flags; 54 | 55 | char c_string[1]; 56 | 57 | } SIZED_STRING; 58 | 59 | #pragma pack(pop) 60 | 61 | 62 | int sized_string_cmp( 63 | SIZED_STRING* s1, 64 | SIZED_STRING* s2); 65 | 66 | 67 | SIZED_STRING* sized_string_dup( 68 | SIZED_STRING* s); 69 | 70 | #endif 71 | -------------------------------------------------------------------------------- /libyara/include/yara/stack.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2018. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef YR_STACK_H 31 | #define YR_STACK_H 32 | 33 | typedef struct YR_STACK YR_STACK; 34 | 35 | struct YR_STACK 36 | { 37 | // Pointer to a heap-allocated array containing the void* values put in 38 | // in the stack. This array starts with a fixed size and it's grown as 39 | // required when new items are pushed into the stack. 40 | void* items; 41 | 42 | // Current capacity (i.e: the number of items that fit into the array) 43 | int capacity; 44 | 45 | // Size of each individual item in the stack. 46 | int item_size; 47 | 48 | // Index of the stack's top in the items array. 49 | int top; 50 | }; 51 | 52 | 53 | int yr_stack_create( 54 | int initial_capacity, 55 | int item_size, 56 | YR_STACK** stack); 57 | 58 | 59 | void yr_stack_destroy( 60 | YR_STACK* stack); 61 | 62 | 63 | int yr_stack_push( 64 | YR_STACK* stack, 65 | void* item); 66 | 67 | 68 | int yr_stack_pop( 69 | YR_STACK* stack, 70 | void* item); 71 | 72 | #endif -------------------------------------------------------------------------------- /libyara/include/yara/stopwatch.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2017. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef YR_STOPWATCH_H 31 | #define YR_STOPWATCH_H 32 | 33 | #include 34 | #include 35 | 36 | #if defined(_WIN32) 37 | 38 | #include 39 | 40 | typedef struct _YR_STOPWATCH 41 | { 42 | LARGE_INTEGER frequency; 43 | LARGE_INTEGER start; 44 | 45 | } YR_STOPWATCH; 46 | 47 | #elif defined(__MACH__) 48 | 49 | #include 50 | 51 | typedef struct _YR_STOPWATCH 52 | { 53 | mach_timebase_info_data_t timebase; 54 | uint64_t start; 55 | 56 | } YR_STOPWATCH; 57 | 58 | #else 59 | 60 | #include 61 | 62 | typedef struct _YR_STOPWATCH 63 | { 64 | union { 65 | struct timeval tv_start; 66 | struct timespec ts_start; 67 | }; 68 | 69 | } YR_STOPWATCH; 70 | 71 | #endif 72 | 73 | 74 | // yr_stopwatch_start starts measuring time. 75 | void yr_stopwatch_start( 76 | YR_STOPWATCH* stopwatch); 77 | 78 | // yr_stopwatch_elapsed_us returns the number of microseconds elapsed 79 | // since the last call to yr_stopwatch_start. 80 | uint64_t yr_stopwatch_elapsed_us( 81 | YR_STOPWATCH* stopwatch); 82 | 83 | #endif 84 | -------------------------------------------------------------------------------- /libyara/include/yara/stream.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2015. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef YR_STREAM_H 31 | #define YR_STREAM_H 32 | 33 | #include 34 | 35 | typedef size_t (*YR_STREAM_READ_FUNC)( 36 | void* ptr, 37 | size_t size, 38 | size_t count, 39 | void* user_data); 40 | 41 | 42 | typedef size_t (*YR_STREAM_WRITE_FUNC)( 43 | const void* ptr, 44 | size_t size, 45 | size_t count, 46 | void* user_data); 47 | 48 | 49 | typedef struct _YR_STREAM 50 | { 51 | void* user_data; 52 | 53 | YR_STREAM_READ_FUNC read; 54 | YR_STREAM_WRITE_FUNC write; 55 | 56 | } YR_STREAM; 57 | 58 | 59 | size_t yr_stream_read( 60 | void* ptr, 61 | size_t size, 62 | size_t count, 63 | YR_STREAM* stream); 64 | 65 | 66 | size_t yr_stream_write( 67 | const void* ptr, 68 | size_t size, 69 | size_t count, 70 | YR_STREAM* stream); 71 | 72 | #endif 73 | -------------------------------------------------------------------------------- /libyara/include/yara/strutils.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2007-2014. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef YR_STRUTILS_H 31 | #define YR_STRUTILS_H 32 | 33 | #include 34 | #include 35 | #include 36 | 37 | #include 38 | 39 | 40 | #if defined(_WIN32) || defined(__CYGWIN__) 41 | 42 | #if !defined(PRIu64) 43 | #define PRIu64 "I64u" 44 | #endif 45 | 46 | #if !defined(PRIx64) 47 | #define PRIx64 "I64x" 48 | #endif 49 | 50 | #if !defined(PRId64) 51 | #define PRId64 "I64d" 52 | #endif 53 | 54 | #else 55 | #include 56 | #endif 57 | 58 | 59 | // Cygwin already has these functions. 60 | #if defined(_WIN32) && !defined(__CYGWIN__) 61 | #if defined(_MSC_VER) && _MSC_VER < 1900 62 | 63 | #if !defined(snprintf) 64 | #define snprintf _snprintf 65 | #endif 66 | 67 | #endif 68 | #define strcasecmp _stricmp 69 | #define strncasecmp _strnicmp 70 | #endif 71 | 72 | 73 | uint64_t xtoi( 74 | const char* hexstr); 75 | 76 | 77 | #if !HAVE_STRLCPY && !defined(strlcpy) 78 | size_t strlcpy( 79 | char *dst, 80 | const char *src, 81 | size_t size); 82 | #endif 83 | 84 | 85 | #if !HAVE_STRLCAT && !defined(strlcat) 86 | size_t strlcat( 87 | char *dst, 88 | const char *src, 89 | size_t size); 90 | #endif 91 | 92 | 93 | #if !HAVE_MEMMEM && !defined(memmem) 94 | void* memmem( 95 | const void *haystack, 96 | size_t haystack_size, 97 | const void *needle, 98 | size_t needle_size); 99 | #endif 100 | 101 | 102 | int strnlen_w( 103 | const char* w_str); 104 | 105 | 106 | int strcmp_w( 107 | const char* w_str, 108 | const char* str); 109 | 110 | 111 | size_t strlcpy_w( 112 | char* dst, 113 | const char* w_src, 114 | size_t n); 115 | 116 | #endif 117 | -------------------------------------------------------------------------------- /libyara/include/yara/threading.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2016. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef YR_MUTEX_H 31 | #define YR_MUTEX_H 32 | 33 | 34 | 35 | #if defined(_WIN32) || defined(__CYGWIN__) 36 | 37 | #include 38 | 39 | typedef DWORD YR_THREAD_ID; 40 | typedef DWORD YR_THREAD_STORAGE_KEY; 41 | typedef HANDLE YR_MUTEX; 42 | 43 | #else 44 | 45 | #include 46 | 47 | typedef pthread_t YR_THREAD_ID; 48 | typedef pthread_key_t YR_THREAD_STORAGE_KEY; 49 | typedef pthread_mutex_t YR_MUTEX; 50 | 51 | #endif 52 | 53 | YR_THREAD_ID yr_current_thread_id(void); 54 | 55 | int yr_mutex_create(YR_MUTEX*); 56 | int yr_mutex_destroy(YR_MUTEX*); 57 | int yr_mutex_lock(YR_MUTEX*); 58 | int yr_mutex_unlock(YR_MUTEX*); 59 | 60 | int yr_thread_storage_create(YR_THREAD_STORAGE_KEY*); 61 | int yr_thread_storage_destroy(YR_THREAD_STORAGE_KEY*); 62 | int yr_thread_storage_set_value(YR_THREAD_STORAGE_KEY*, void*); 63 | void* yr_thread_storage_get_value(YR_THREAD_STORAGE_KEY*); 64 | 65 | #endif 66 | -------------------------------------------------------------------------------- /libyara/mem.c: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2007-2013. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #include 31 | #include 32 | 33 | #if defined(_WIN32) || defined(__CYGWIN__) 34 | 35 | #include 36 | #include 37 | 38 | static HANDLE hHeap; 39 | 40 | int yr_heap_alloc(void) 41 | { 42 | hHeap = HeapCreate(0, 0x8000, 0); 43 | 44 | if (hHeap == NULL) 45 | return ERROR_INTERNAL_FATAL_ERROR; 46 | 47 | return ERROR_SUCCESS; 48 | } 49 | 50 | 51 | int yr_heap_free(void) 52 | { 53 | if (HeapDestroy(hHeap)) 54 | return ERROR_SUCCESS; 55 | else 56 | return ERROR_INTERNAL_FATAL_ERROR; 57 | } 58 | 59 | 60 | void* yr_calloc(size_t count, size_t size) 61 | { 62 | return (void*) HeapAlloc(hHeap, HEAP_ZERO_MEMORY, count * size); 63 | } 64 | 65 | 66 | void* yr_malloc(size_t size) 67 | { 68 | return (void*) HeapAlloc(hHeap, HEAP_ZERO_MEMORY, size); 69 | } 70 | 71 | 72 | void* yr_realloc(void* ptr, size_t size) 73 | { 74 | return (void*) HeapReAlloc(hHeap, HEAP_ZERO_MEMORY, ptr, size); 75 | } 76 | 77 | 78 | void yr_free(void* ptr) 79 | { 80 | HeapFree(hHeap, 0, ptr); 81 | } 82 | 83 | 84 | char* yr_strdup(const char *str) 85 | { 86 | size_t len = strlen(str); 87 | char *dup = (char*) yr_malloc(len + 1); 88 | 89 | if (dup == NULL) 90 | return NULL; 91 | 92 | memcpy(dup, str, len); 93 | dup[len] = '\0'; 94 | 95 | return (char*) dup; 96 | } 97 | 98 | 99 | char* yr_strndup(const char *str, size_t n) 100 | { 101 | size_t len = strnlen(str, n); 102 | char *dup = (char*) yr_malloc(len + 1); 103 | 104 | if (dup == NULL) 105 | return NULL; 106 | 107 | memcpy(dup, str, len); 108 | dup[len] = '\0'; 109 | 110 | return (char *) dup; 111 | } 112 | 113 | #else 114 | 115 | #include 116 | #include 117 | #include 118 | 119 | int yr_heap_alloc(void) 120 | { 121 | return ERROR_SUCCESS; 122 | } 123 | 124 | 125 | int yr_heap_free(void) 126 | { 127 | return ERROR_SUCCESS; 128 | } 129 | 130 | 131 | void* yr_calloc(size_t count, size_t size) 132 | { 133 | return calloc(count, size); 134 | } 135 | 136 | 137 | void* yr_malloc(size_t size) 138 | { 139 | return malloc(size); 140 | } 141 | 142 | 143 | void* yr_realloc(void* ptr, size_t size) 144 | { 145 | return realloc(ptr, size); 146 | } 147 | 148 | 149 | void yr_free(void *ptr) 150 | { 151 | free(ptr); 152 | } 153 | 154 | 155 | char* yr_strdup(const char *str) 156 | { 157 | return strdup(str); 158 | } 159 | 160 | 161 | char* yr_strndup(const char *str, size_t n) 162 | { 163 | return strndup(str, n); 164 | } 165 | 166 | #endif 167 | -------------------------------------------------------------------------------- /libyara/modules/demo/demo.c: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2014. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #include 31 | 32 | #define MODULE_NAME demo 33 | 34 | begin_declarations; 35 | 36 | declare_string("greeting"); 37 | 38 | end_declarations; 39 | 40 | 41 | int module_initialize( 42 | YR_MODULE* module) 43 | { 44 | return ERROR_SUCCESS; 45 | } 46 | 47 | 48 | int module_finalize( 49 | YR_MODULE* module) 50 | { 51 | return ERROR_SUCCESS; 52 | } 53 | 54 | 55 | int module_load( 56 | YR_SCAN_CONTEXT* context, 57 | YR_OBJECT* module_object, 58 | void* module_data, 59 | size_t module_data_size) 60 | { 61 | set_string("Hello World!", module_object, "greeting"); 62 | 63 | return ERROR_SUCCESS; 64 | } 65 | 66 | 67 | int module_unload( 68 | YR_OBJECT* module_object) 69 | { 70 | return ERROR_SUCCESS; 71 | } 72 | -------------------------------------------------------------------------------- /libyara/modules/module_list: -------------------------------------------------------------------------------- 1 | MODULE(tests) 2 | MODULE(pe) 3 | MODULE(elf) 4 | MODULE(math) 5 | MODULE(time) 6 | 7 | #ifdef DOTNET_MODULE 8 | MODULE(dotnet) 9 | #endif 10 | 11 | #ifdef CUCKOO_MODULE 12 | MODULE(cuckoo) 13 | #endif 14 | 15 | #ifdef MAGIC_MODULE 16 | MODULE(magic) 17 | #endif 18 | 19 | #ifdef HASH_MODULE 20 | MODULE(hash) 21 | #endif 22 | 23 | #ifdef MACHO_MODULE 24 | MODULE(macho) 25 | #endif 26 | 27 | #ifdef DEX_MODULE 28 | MODULE(dex) 29 | #endif 30 | -------------------------------------------------------------------------------- /libyara/modules/time/time.c: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2014-2017. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #include 31 | 32 | #include 33 | 34 | #define MODULE_NAME time 35 | 36 | 37 | define_function(now) 38 | { 39 | time_t now = time(NULL); 40 | if (now == -1) 41 | return_integer(UNDEFINED); 42 | return_integer((long) now); 43 | } 44 | 45 | 46 | begin_declarations; 47 | 48 | declare_function("now", "", "i", now); 49 | 50 | end_declarations; 51 | 52 | 53 | int module_initialize( 54 | YR_MODULE* module) 55 | { 56 | return ERROR_SUCCESS; 57 | } 58 | 59 | 60 | int module_finalize( 61 | YR_MODULE* module) 62 | { 63 | return ERROR_SUCCESS; 64 | } 65 | 66 | 67 | int module_load( 68 | YR_SCAN_CONTEXT* context, 69 | YR_OBJECT* module_object, 70 | void* module_data, 71 | size_t module_data_size) 72 | { 73 | return ERROR_SUCCESS; 74 | } 75 | 76 | 77 | int module_unload( 78 | YR_OBJECT* module_object) 79 | { 80 | return ERROR_SUCCESS; 81 | } 82 | -------------------------------------------------------------------------------- /libyara/proc.c: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2007-2013. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #include 31 | #include 32 | #include 33 | 34 | int _yr_process_attach(int, YR_PROC_ITERATOR_CTX*); 35 | int _yr_process_detach(YR_PROC_ITERATOR_CTX*); 36 | 37 | YR_API int yr_process_open_iterator( 38 | int pid, 39 | YR_MEMORY_BLOCK_ITERATOR* iterator) 40 | { 41 | YR_PROC_ITERATOR_CTX* context = (YR_PROC_ITERATOR_CTX*) \ 42 | yr_malloc(sizeof(YR_PROC_ITERATOR_CTX)); 43 | 44 | if (context == NULL) 45 | return ERROR_INSUFFICIENT_MEMORY; 46 | 47 | iterator->context = context; 48 | iterator->first = yr_process_get_first_memory_block; 49 | iterator->next = yr_process_get_next_memory_block; 50 | 51 | context->buffer = NULL; 52 | context->buffer_size = 0; 53 | context->current_block.base = 0; 54 | context->current_block.size = 0; 55 | context->current_block.context = context; 56 | context->current_block.fetch_data = yr_process_fetch_memory_block_data; 57 | context->proc_info = NULL; 58 | 59 | FAIL_ON_ERROR_WITH_CLEANUP( 60 | _yr_process_attach(pid, context), 61 | yr_free(context)); 62 | 63 | return ERROR_SUCCESS; 64 | } 65 | 66 | 67 | YR_API int yr_process_close_iterator( 68 | YR_MEMORY_BLOCK_ITERATOR* iterator) 69 | { 70 | YR_PROC_ITERATOR_CTX* context = (YR_PROC_ITERATOR_CTX*) iterator->context; 71 | 72 | if (context != NULL) 73 | { 74 | _yr_process_detach(context); 75 | 76 | if (context->buffer != NULL) 77 | yr_free((void*) context->buffer); 78 | 79 | yr_free(context->proc_info); 80 | yr_free(context); 81 | 82 | iterator->context = NULL; 83 | } 84 | 85 | return ERROR_SUCCESS; 86 | } 87 | -------------------------------------------------------------------------------- /libyara/proc/none.c: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2007-2017. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #if defined(USE_NO_PROC) 31 | 32 | #include 33 | #include 34 | 35 | int _yr_process_attach( 36 | int pid, 37 | YR_PROC_ITERATOR_CTX* context) 38 | { 39 | return ERROR_COULD_NOT_ATTACH_TO_PROCESS; 40 | } 41 | 42 | int _yr_process_detach( 43 | YR_PROC_ITERATOR_CTX* context) 44 | { 45 | return ERROR_INVALID_ARGUMENT; 46 | } 47 | 48 | YR_API const uint8_t* yr_process_fetch_memory_block_data( 49 | YR_MEMORY_BLOCK* block) 50 | { 51 | return NULL; 52 | } 53 | 54 | YR_API YR_MEMORY_BLOCK* yr_process_get_next_memory_block( 55 | YR_MEMORY_BLOCK_ITERATOR* iterator) 56 | { 57 | return NULL; 58 | } 59 | 60 | YR_API YR_MEMORY_BLOCK* yr_process_get_first_memory_block( 61 | YR_MEMORY_BLOCK_ITERATOR* iterator) 62 | { 63 | return NULL; 64 | } 65 | 66 | #endif 67 | -------------------------------------------------------------------------------- /libyara/re_grammar.h: -------------------------------------------------------------------------------- 1 | /* A Bison parser, made by GNU Bison 3.0.5. */ 2 | 3 | /* Bison interface for Yacc-like parsers in C 4 | 5 | Copyright (C) 1984, 1989-1990, 2000-2015, 2018 Free Software Foundation, Inc. 6 | 7 | This program is free software: you can redistribute it and/or modify 8 | it under the terms of the GNU General Public License as published by 9 | the Free Software Foundation, either version 3 of the License, or 10 | (at your option) any later version. 11 | 12 | This program is distributed in the hope that it will be useful, 13 | but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | GNU General Public License for more details. 16 | 17 | You should have received a copy of the GNU General Public License 18 | along with this program. If not, see . */ 19 | 20 | /* As a special exception, you may create a larger work that contains 21 | part or all of the Bison parser skeleton and distribute that work 22 | under terms of your choice, so long as that work isn't itself a 23 | parser generator using the skeleton or a modified version thereof 24 | as a parser skeleton. Alternatively, if you modify or redistribute 25 | the parser skeleton itself, you may (at your option) remove this 26 | special exception, which will cause the skeleton and the resulting 27 | Bison output files to be licensed under the GNU General Public 28 | License without this special exception. 29 | 30 | This special exception was added by the Free Software Foundation in 31 | version 2.2 of Bison. */ 32 | 33 | #ifndef YY_RE_YY_RE_GRAMMAR_H_INCLUDED 34 | # define YY_RE_YY_RE_GRAMMAR_H_INCLUDED 35 | /* Debug traces. */ 36 | #ifndef YYDEBUG 37 | # define YYDEBUG 0 38 | #endif 39 | #if YYDEBUG 40 | extern int re_yydebug; 41 | #endif 42 | 43 | /* Token type. */ 44 | #ifndef YYTOKENTYPE 45 | # define YYTOKENTYPE 46 | enum yytokentype 47 | { 48 | _CHAR_ = 258, 49 | _ANY_ = 259, 50 | _RANGE_ = 260, 51 | _CLASS_ = 261, 52 | _WORD_CHAR_ = 262, 53 | _NON_WORD_CHAR_ = 263, 54 | _SPACE_ = 264, 55 | _NON_SPACE_ = 265, 56 | _DIGIT_ = 266, 57 | _NON_DIGIT_ = 267, 58 | _WORD_BOUNDARY_ = 268, 59 | _NON_WORD_BOUNDARY_ = 269 60 | }; 61 | #endif 62 | /* Tokens. */ 63 | #define _CHAR_ 258 64 | #define _ANY_ 259 65 | #define _RANGE_ 260 66 | #define _CLASS_ 261 67 | #define _WORD_CHAR_ 262 68 | #define _NON_WORD_CHAR_ 263 69 | #define _SPACE_ 264 70 | #define _NON_SPACE_ 265 71 | #define _DIGIT_ 266 72 | #define _NON_DIGIT_ 267 73 | #define _WORD_BOUNDARY_ 268 74 | #define _NON_WORD_BOUNDARY_ 269 75 | 76 | /* Value type. */ 77 | #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED 78 | 79 | union YYSTYPE 80 | { 81 | #line 73 "re_grammar.y" /* yacc.c:1916 */ 82 | 83 | int integer; 84 | uint32_t range; 85 | RE_NODE* re_node; 86 | RE_CLASS* re_class; 87 | 88 | #line 89 "re_grammar.h" /* yacc.c:1916 */ 89 | }; 90 | 91 | typedef union YYSTYPE YYSTYPE; 92 | # define YYSTYPE_IS_TRIVIAL 1 93 | # define YYSTYPE_IS_DECLARED 1 94 | #endif 95 | 96 | 97 | 98 | int re_yyparse (void *yyscanner, RE_LEX_ENVIRONMENT *lex_env); 99 | 100 | #endif /* !YY_RE_YY_RE_GRAMMAR_H_INCLUDED */ 101 | -------------------------------------------------------------------------------- /libyara/sizedstr.c: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2014. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #include 31 | #include 32 | #include 33 | 34 | 35 | int sized_string_cmp( 36 | SIZED_STRING* s1, 37 | SIZED_STRING* s2) 38 | { 39 | size_t i = 0; 40 | 41 | while (s1->length > i && 42 | s2->length > i && 43 | s1->c_string[i] == s2->c_string[i]) 44 | { 45 | i++; 46 | } 47 | 48 | if (i == s1->length && i == s2->length) 49 | return 0; 50 | else if (i == s1->length) 51 | return -1; 52 | else if (i == s2->length) 53 | return 1; 54 | else if (s1->c_string[i] < s2->c_string[i]) 55 | return -1; 56 | else 57 | return 1; 58 | } 59 | 60 | 61 | SIZED_STRING* sized_string_dup( 62 | SIZED_STRING* s) 63 | { 64 | SIZED_STRING* result = (SIZED_STRING*) yr_malloc( 65 | sizeof(SIZED_STRING) + s->length); 66 | 67 | if (result == NULL) 68 | return NULL; 69 | 70 | result->length = s->length; 71 | result->flags = s->flags; 72 | 73 | strncpy(result->c_string, s->c_string, s->length + 1); 74 | 75 | return result; 76 | } 77 | -------------------------------------------------------------------------------- /libyara/stino.settings: -------------------------------------------------------------------------------- 1 | { 2 | "baudrate": 4, 3 | "line_ending": 1, 4 | "serial_port": 1 5 | } -------------------------------------------------------------------------------- /libyara/stream.c: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2015. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #include 31 | #include 32 | 33 | 34 | size_t yr_stream_read( 35 | void* ptr, 36 | size_t size, 37 | size_t count, 38 | YR_STREAM* stream) 39 | { 40 | if (stream->read == NULL) 41 | return 0; 42 | 43 | return stream->read(ptr, size, count, stream->user_data); 44 | } 45 | 46 | 47 | size_t yr_stream_write( 48 | const void* ptr, 49 | size_t size, 50 | size_t count, 51 | YR_STREAM* stream) 52 | { 53 | if (stream->write == NULL) 54 | return 0; 55 | 56 | return stream->write(ptr, size, count, stream->user_data); 57 | } 58 | -------------------------------------------------------------------------------- /libyara/yara.pc.in: -------------------------------------------------------------------------------- 1 | prefix=@prefix@ 2 | exec_prefix=@exec_prefix@ 3 | includedir=@includedir@ 4 | libdir=@libdir@ 5 | 6 | Name: yara 7 | Description: YARA library 8 | URL: https://virustotal.github.io/yara/ 9 | Version: @PACKAGE_VERSION@ 10 | Requires.private: @PC_REQUIRES_PRIVATE@ 11 | Cflags: -I${includedir} 12 | Libs: -L${libdir} -lyara 13 | Libs.private: @PC_LIBS_PRIVATE@ @PTHREAD_LIBS@ 14 | -------------------------------------------------------------------------------- /sample.file: -------------------------------------------------------------------------------- 1 | abbbb 2 | -------------------------------------------------------------------------------- /sample.rules: -------------------------------------------------------------------------------- 1 | import "pe" 2 | 3 | rule UPX : Packer 4 | { 5 | strings: 6 | $a = {60 E8 00 00 00 00 58 83 E8 3D 50 8D B8} 7 | 8 | condition: 9 | $a at pe.entry_point 10 | 11 | } 12 | 13 | -------------------------------------------------------------------------------- /sandbox/collect_matches.cc: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2019. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #include "sandbox/collect_matches.h" 31 | 32 | #include "libyara/include/yara.h" 33 | #include "sandbox/yara_matches.pb.h" 34 | 35 | namespace yara { 36 | 37 | int CollectMatches(int message, void* message_data, void* user_data) { 38 | if (message != CALLBACK_MSG_RULE_MATCHING) { 39 | return ERROR_SUCCESS; // There are no matching rules, simply return 40 | } 41 | 42 | auto* rule = static_cast(message_data); 43 | YR_META* rule_meta = rule->metas; 44 | 45 | auto* match = reinterpret_cast(user_data)->add_match(); 46 | if (rule->ns != nullptr && rule->ns->name != nullptr) { 47 | match->mutable_id()->set_rule_namespace(rule->ns->name); 48 | } 49 | match->mutable_id()->set_rule_name(rule->identifier); 50 | while (!META_IS_NULL(rule_meta)) { 51 | auto* meta = match->add_meta(); 52 | meta->set_identifier(rule_meta->identifier); 53 | switch (rule_meta->type) { 54 | case META_TYPE_BOOLEAN: 55 | case META_TYPE_INTEGER: 56 | meta->set_int_value(rule_meta->integer); 57 | break; 58 | case META_TYPE_STRING: 59 | meta->set_bytes_value(rule_meta->string); 60 | break; 61 | } 62 | ++rule_meta; 63 | } 64 | 65 | return ERROR_SUCCESS; 66 | } 67 | 68 | } // namespace yara 69 | -------------------------------------------------------------------------------- /sandbox/collect_matches.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2019. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef SANDBOX_COLLECT_MATCHES_H_ 31 | #define SANDBOX_COLLECT_MATCHES_H_ 32 | 33 | namespace yara { 34 | 35 | // Callback function for yr_scan_mem() that collects YARA matches in a 36 | // YaraMatches proto given in user_data. 37 | int CollectMatches(int message, void* message_data, void* user_data); 38 | 39 | } // namespace yara 40 | 41 | #endif // SANDBOX_COLLECT_MATCHES_H_ 42 | -------------------------------------------------------------------------------- /sandbox/yara_matches.proto: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2019. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | syntax = "proto3"; 31 | 32 | package yara; 33 | 34 | // Identifies a single rule inside a namespace 35 | message YaraRuleId { 36 | string rule_namespace = 1; // Currently unused by yara_entrypoints.cc 37 | string rule_name = 2; 38 | } 39 | 40 | // Holds N mappings for the matches. 41 | message YaraMatches { 42 | // Holds one mapping from (namespace, name) --> N key-value entries. 43 | message Match { 44 | message Meta { 45 | string identifier = 1; 46 | oneof value { 47 | bytes bytes_value = 2; 48 | int64 int_value = 3; 49 | } 50 | } 51 | 52 | YaraRuleId id = 1; 53 | repeated Meta meta = 2; 54 | } 55 | 56 | repeated Match match = 1; 57 | } 58 | 59 | message YaraStatus { 60 | int64 code = 1; 61 | int64 line_number = 2; 62 | string message = 3; 63 | } 64 | -------------------------------------------------------------------------------- /tests/data/079a472d22290a94ebb212aa8015cdc8dd28a968c6b4d3b88acdd58ce2d3b885: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/data/079a472d22290a94ebb212aa8015cdc8dd28a968c6b4d3b88acdd58ce2d3b885 -------------------------------------------------------------------------------- /tests/data/0ca09bde7602769120fadc4f7a4147347a7a97271370583586c9e587fd396171: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/data/0ca09bde7602769120fadc4f7a4147347a7a97271370583586c9e587fd396171 -------------------------------------------------------------------------------- /tests/data/baz.yar: -------------------------------------------------------------------------------- 1 | /* 2 | Add padding for making the file large enough to trigger issue #884 3 | 4 | pading pading pading pading pading pading pading pading pading pading 5 | pading pading pading pading pading pading pading pading pading pading 6 | pading pading pading pading pading pading pading pading pading pading 7 | pading pading pading pading pading pading pading pading pading pading 8 | pading pading pading pading pading pading pading pading pading pading 9 | pading pading pading pading pading pading pading pading pading pading 10 | pading pading pading pading pading pading pading pading pading pading 11 | pading pading pading pading pading pading pading pading pading pading 12 | pading pading pading pading pading pading pading pading pading pading 13 | pading pading pading pading pading pading pading pading pading pading 14 | pading pading pading pading pading pading pading pading pading pading 15 | pading pading pading pading pading pading pading pading pading pading 16 | pading pading pading pading pading pading pading pading pading pading 17 | pading pading pading pading pading pading pading pading pading pading 18 | pading pading pading pading pading pading pading pading pading pading 19 | pading pading pading pading pading pading pading pading pading pading 20 | pading pading pading pading pading pading pading pading pading pading 21 | pading pading pading pading pading pading pading pading pading pading 22 | */ 23 | 24 | rule baz { condition: true } 25 | -------------------------------------------------------------------------------- /tests/data/foo.yar: -------------------------------------------------------------------------------- 1 | include "include/bar.yar" 2 | 3 | rule foo { condition: bar } 4 | -------------------------------------------------------------------------------- /tests/data/include/bar.yar: -------------------------------------------------------------------------------- 1 | include "../baz.yar" 2 | 3 | rule bar { condition: baz } 4 | -------------------------------------------------------------------------------- /tests/data/tiny: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/data/tiny -------------------------------------------------------------------------------- /tests/data/tiny-idata-51ff: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/data/tiny-idata-51ff -------------------------------------------------------------------------------- /tests/data/tiny-idata-5200: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/data/tiny-idata-5200 -------------------------------------------------------------------------------- /tests/data/tiny-overlay: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/data/tiny-overlay -------------------------------------------------------------------------------- /tests/data/tiny-universal: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/data/tiny-universal -------------------------------------------------------------------------------- /tests/data/tiny.notes: -------------------------------------------------------------------------------- 1 | tiny.exe was compiled from a simple oneliner, 2 | 3 | int main() { return 42; } 4 | 5 | $ i686-w64-mingw32-gcc -s -Wl,--file-alignment=4096 -o tiny.exe tiny.c 6 | 7 | To demonstrate issue #429, two patched executables have been generated 8 | where the PointerToRawData for the .idata section (offset 0x22c) was 9 | changed from 0x5000 to 0x51ff (tiny-idata-51ff.exe) and 0x5200 10 | (tiny-idata-5200.exe), respectively. While tiny-idata-51ff.exe can be 11 | executed in Windows XP, tiny-idata-5200.exe can not. 12 | 13 | 14 | 15 | Compiler version used to produce tiny.exe: 16 | 17 | $ i686-w64-mingw32-gcc --version 18 | i686-w64-mingw32-gcc (GCC) 5.3.1 20160205 19 | Copyright (C) 2015 Free Software Foundation, Inc. 20 | This is free software; see the source for copying conditions. There is NO 21 | warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 22 | 23 | -------------------------------------------------------------------------------- /tests/data/xor.out: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/data/xor.out -------------------------------------------------------------------------------- /tests/data/xorwide.out: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/data/xorwide.out -------------------------------------------------------------------------------- /tests/data/xorwideandascii.out: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/data/xorwideandascii.out -------------------------------------------------------------------------------- /tests/oss-fuzz/dex_fuzzer.cc: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | #include 5 | 6 | 7 | YR_RULES* rules = NULL; 8 | 9 | 10 | extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv) 11 | { 12 | YR_COMPILER* compiler; 13 | 14 | if (yr_initialize() != ERROR_SUCCESS) 15 | return 0; 16 | 17 | if (yr_compiler_create(&compiler) != ERROR_SUCCESS) 18 | return 0; 19 | 20 | if (yr_compiler_add_string(compiler, "import \"dex\"", NULL) == 0) 21 | yr_compiler_get_rules(compiler, &rules); 22 | 23 | yr_compiler_destroy(compiler); 24 | 25 | return 0; 26 | } 27 | 28 | 29 | int callback(int message, void* message_data, void* user_data) 30 | { 31 | return CALLBACK_CONTINUE; 32 | } 33 | 34 | 35 | extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) 36 | { 37 | if (rules == NULL) 38 | return 0; 39 | 40 | yr_rules_scan_mem( 41 | rules, 42 | data, 43 | size, 44 | SCAN_FLAGS_NO_TRYCATCH, 45 | callback, 46 | NULL, 47 | 0); 48 | 49 | return 0; 50 | } 51 | -------------------------------------------------------------------------------- /tests/oss-fuzz/dex_fuzzer_corpus/1cf540db2f048bb21bd89379a57279b9ff4c308558715a3baee666a47393d86e: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/oss-fuzz/dex_fuzzer_corpus/1cf540db2f048bb21bd89379a57279b9ff4c308558715a3baee666a47393d86e -------------------------------------------------------------------------------- /tests/oss-fuzz/dex_fuzzer_corpus/25ef27f9543444652f0c68fe412d3da627a1d2a590b0a2b30e47466c1e962136: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/oss-fuzz/dex_fuzzer_corpus/25ef27f9543444652f0c68fe412d3da627a1d2a590b0a2b30e47466c1e962136 -------------------------------------------------------------------------------- /tests/oss-fuzz/dex_fuzzer_corpus/27fb31059503773723597edb875c937af971a6c15f91aac8c03c1fbdfa9e918c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/oss-fuzz/dex_fuzzer_corpus/27fb31059503773723597edb875c937af971a6c15f91aac8c03c1fbdfa9e918c -------------------------------------------------------------------------------- /tests/oss-fuzz/dex_fuzzer_corpus/3ba9c082050f62e725c87ce4cf9f592fe9f177faf3a0c879f8fbe87312ca4b2c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/oss-fuzz/dex_fuzzer_corpus/3ba9c082050f62e725c87ce4cf9f592fe9f177faf3a0c879f8fbe87312ca4b2c -------------------------------------------------------------------------------- /tests/oss-fuzz/dex_fuzzer_corpus/b1203d95c56f02e7e6dbea714275cc05b47ac2510958b85f436571b801af44e7: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/oss-fuzz/dex_fuzzer_corpus/b1203d95c56f02e7e6dbea714275cc05b47ac2510958b85f436571b801af44e7 -------------------------------------------------------------------------------- /tests/oss-fuzz/dex_fuzzer_corpus/b343d1058063e6e4b652ccf0589f93d0dbb6b092960e4aebc3c3c58894831359: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/oss-fuzz/dex_fuzzer_corpus/b343d1058063e6e4b652ccf0589f93d0dbb6b092960e4aebc3c3c58894831359 -------------------------------------------------------------------------------- /tests/oss-fuzz/dex_fuzzer_corpus/crash.poc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/oss-fuzz/dex_fuzzer_corpus/crash.poc -------------------------------------------------------------------------------- /tests/oss-fuzz/dotnet_fuzzer.cc: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2017. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #include 31 | #include 32 | 33 | #include 34 | 35 | const char* RULES = \ 36 | "import \"dotnet\"" 37 | "rule test {" 38 | " condition:" 39 | " dotnet.module_name == \"foo.exe\"" 40 | "}"; 41 | 42 | YR_RULES* rules = NULL; 43 | 44 | extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv) 45 | { 46 | YR_COMPILER* compiler; 47 | 48 | if (yr_initialize() != ERROR_SUCCESS) 49 | return 0; 50 | 51 | if (yr_compiler_create(&compiler) != ERROR_SUCCESS) 52 | return 0; 53 | 54 | if (yr_compiler_add_string(compiler, RULES, NULL) == 0) 55 | yr_compiler_get_rules(compiler, &rules); 56 | 57 | yr_compiler_destroy(compiler); 58 | 59 | return 0; 60 | } 61 | 62 | 63 | int callback(int message, void* message_data, void* user_data) 64 | { 65 | return CALLBACK_CONTINUE; 66 | } 67 | 68 | 69 | extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) 70 | { 71 | if (rules == NULL) 72 | return 0; 73 | 74 | yr_rules_scan_mem( 75 | rules, 76 | data, 77 | size, 78 | SCAN_FLAGS_NO_TRYCATCH, 79 | callback, 80 | NULL, 81 | 0); 82 | 83 | return 0; 84 | } 85 | -------------------------------------------------------------------------------- /tests/oss-fuzz/dotnet_fuzzer_corpus/buggy_stream_names: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/oss-fuzz/dotnet_fuzzer_corpus/buggy_stream_names -------------------------------------------------------------------------------- /tests/oss-fuzz/dotnet_fuzzer_corpus/clusterfuzz-testcase-minimized-dotnet_fuzzer-5105966966636544: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/oss-fuzz/dotnet_fuzzer_corpus/clusterfuzz-testcase-minimized-dotnet_fuzzer-5105966966636544 -------------------------------------------------------------------------------- /tests/oss-fuzz/dotnet_fuzzer_corpus/clusterfuzz-testcase-minimized-dotnet_fuzzer-5725060321509376: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/oss-fuzz/dotnet_fuzzer_corpus/clusterfuzz-testcase-minimized-dotnet_fuzzer-5725060321509376 -------------------------------------------------------------------------------- /tests/oss-fuzz/dotnet_fuzzer_corpus/obfuscated: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/oss-fuzz/dotnet_fuzzer_corpus/obfuscated -------------------------------------------------------------------------------- /tests/oss-fuzz/elf_fuzzer.cc: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2017. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #include 31 | #include 32 | 33 | #include 34 | 35 | 36 | YR_RULES* rules = NULL; 37 | 38 | 39 | extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv) 40 | { 41 | YR_COMPILER* compiler; 42 | 43 | if (yr_initialize() != ERROR_SUCCESS) 44 | return 0; 45 | 46 | if (yr_compiler_create(&compiler) != ERROR_SUCCESS) 47 | return 0; 48 | 49 | if (yr_compiler_add_string(compiler, "import \"elf\"", NULL) == 0) 50 | yr_compiler_get_rules(compiler, &rules); 51 | 52 | yr_compiler_destroy(compiler); 53 | 54 | return 0; 55 | } 56 | 57 | 58 | int callback(int message, void* message_data, void* user_data) 59 | { 60 | return CALLBACK_CONTINUE; 61 | } 62 | 63 | 64 | extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) 65 | { 66 | if (rules == NULL) 67 | return 0; 68 | 69 | yr_rules_scan_mem( 70 | rules, 71 | data, 72 | size, 73 | SCAN_FLAGS_NO_TRYCATCH, 74 | callback, 75 | NULL, 76 | 0); 77 | 78 | return 0; 79 | } -------------------------------------------------------------------------------- /tests/oss-fuzz/elf_fuzzer_corpus/crash-03bca75466ee42801a8bff280de04afc3d1a3637: -------------------------------------------------------------------------------- 1 | ELFELF -------------------------------------------------------------------------------- /tests/oss-fuzz/elf_fuzzer_corpus/crash-086300bbce1c6537573057336a343a82d483e2c0: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/oss-fuzz/elf_fuzzer_corpus/crash-086300bbce1c6537573057336a343a82d483e2c0 -------------------------------------------------------------------------------- /tests/oss-fuzz/elf_fuzzer_corpus/crash-2cafe4de66d87a83d83aaf65d8e4cea48f2c1144: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/oss-fuzz/elf_fuzzer_corpus/crash-2cafe4de66d87a83d83aaf65d8e4cea48f2c1144 -------------------------------------------------------------------------------- /tests/oss-fuzz/elf_fuzzer_corpus/crash-370485c5b087f780a2447a03d775f7188e323d31: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/oss-fuzz/elf_fuzzer_corpus/crash-370485c5b087f780a2447a03d775f7188e323d31 -------------------------------------------------------------------------------- /tests/oss-fuzz/elf_fuzzer_corpus/crash-49bb55d669fda0683f945b89396a6bd458caf2d8: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/oss-fuzz/elf_fuzzer_corpus/crash-49bb55d669fda0683f945b89396a6bd458caf2d8 -------------------------------------------------------------------------------- /tests/oss-fuzz/elf_fuzzer_corpus/crash-49d00b6b033eaeb07cd39809dbc1d7ba2df196ec: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/oss-fuzz/elf_fuzzer_corpus/crash-49d00b6b033eaeb07cd39809dbc1d7ba2df196ec -------------------------------------------------------------------------------- /tests/oss-fuzz/elf_fuzzer_corpus/crash-723296cdc1c0dba83ea767d69286429e608c46c3: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/oss-fuzz/elf_fuzzer_corpus/crash-723296cdc1c0dba83ea767d69286429e608c46c3 -------------------------------------------------------------------------------- /tests/oss-fuzz/elf_fuzzer_corpus/crash-7dc27920ae1cb85333e7f2735a45014488134673: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/oss-fuzz/elf_fuzzer_corpus/crash-7dc27920ae1cb85333e7f2735a45014488134673 -------------------------------------------------------------------------------- /tests/oss-fuzz/elf_fuzzer_corpus/crash-7e945ce5f43f515ea078c558a2e3205089d414e5: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/oss-fuzz/elf_fuzzer_corpus/crash-7e945ce5f43f515ea078c558a2e3205089d414e5 -------------------------------------------------------------------------------- /tests/oss-fuzz/elf_fuzzer_corpus/crash-a809561e75b94bd5d4d8cf7488d9e2663fc1ccdc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/oss-fuzz/elf_fuzzer_corpus/crash-a809561e75b94bd5d4d8cf7488d9e2663fc1ccdc -------------------------------------------------------------------------------- /tests/oss-fuzz/elf_fuzzer_corpus/crash-a8715a38a94161c9509309f5dbb5a7936aba8376: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/oss-fuzz/elf_fuzzer_corpus/crash-a8715a38a94161c9509309f5dbb5a7936aba8376 -------------------------------------------------------------------------------- /tests/oss-fuzz/elf_fuzzer_corpus/crash-aee928239444a7b039500d4499035e6d30cb89da: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/oss-fuzz/elf_fuzzer_corpus/crash-aee928239444a7b039500d4499035e6d30cb89da -------------------------------------------------------------------------------- /tests/oss-fuzz/elf_fuzzer_corpus/crash-c4002396c52065d21fe1c1f05f8937aab8d59c18: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/oss-fuzz/elf_fuzzer_corpus/crash-c4002396c52065d21fe1c1f05f8937aab8d59c18 -------------------------------------------------------------------------------- /tests/oss-fuzz/elf_fuzzer_corpus/crash-c610b3036f195ad7fb05248a530278aad37b438d: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/oss-fuzz/elf_fuzzer_corpus/crash-c610b3036f195ad7fb05248a530278aad37b438d -------------------------------------------------------------------------------- /tests/oss-fuzz/elf_fuzzer_corpus/crash-c6569e6e28f0a18bb2f3bf49c982333a359bed67: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/oss-fuzz/elf_fuzzer_corpus/crash-c6569e6e28f0a18bb2f3bf49c982333a359bed67 -------------------------------------------------------------------------------- /tests/oss-fuzz/elf_fuzzer_corpus/crash-cc6844f44825a785de1b079c88f728e1c0f779fb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/oss-fuzz/elf_fuzzer_corpus/crash-cc6844f44825a785de1b079c88f728e1c0f779fb -------------------------------------------------------------------------------- /tests/oss-fuzz/elf_fuzzer_corpus/crash-f1fd008da535b110853885221ebfaac3f262a1c1e280f10929f7b353c44996c8: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/oss-fuzz/elf_fuzzer_corpus/crash-f1fd008da535b110853885221ebfaac3f262a1c1e280f10929f7b353c44996c8 -------------------------------------------------------------------------------- /tests/oss-fuzz/elf_fuzzer_corpus/poc-6bf54fca69bb5029676d747b12c74b597dd8c5939343ea8f2cbfea9e666dd6b1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/oss-fuzz/elf_fuzzer_corpus/poc-6bf54fca69bb5029676d747b12c74b597dd8c5939343ea8f2cbfea9e666dd6b1 -------------------------------------------------------------------------------- /tests/oss-fuzz/elf_fuzzer_corpus/poc-789fc6da83de39c3ff394a950b0831f6fe5b63a85a46aaa236048b5c1dcf0e59: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/oss-fuzz/elf_fuzzer_corpus/poc-789fc6da83de39c3ff394a950b0831f6fe5b63a85a46aaa236048b5c1dcf0e59 -------------------------------------------------------------------------------- /tests/oss-fuzz/elf_fuzzer_corpus/poc-939e9cd87b0d80834210fbf54edc66341aebf416d7509f6633f1d49766978b22: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/oss-fuzz/elf_fuzzer_corpus/poc-939e9cd87b0d80834210fbf54edc66341aebf416d7509f6633f1d49766978b22 -------------------------------------------------------------------------------- /tests/oss-fuzz/elf_fuzzer_corpus/poc-93a9fd1909dd49fc2a9b654333504f249cdac58126d3cfc4728577e78cb3eb89: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/oss-fuzz/elf_fuzzer_corpus/poc-93a9fd1909dd49fc2a9b654333504f249cdac58126d3cfc4728577e78cb3eb89 -------------------------------------------------------------------------------- /tests/oss-fuzz/elf_fuzzer_corpus/poc-b5b03a1f305b2cc1c158e01fee6c08c65145325d4e073f04d969329577077862: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/oss-fuzz/elf_fuzzer_corpus/poc-b5b03a1f305b2cc1c158e01fee6c08c65145325d4e073f04d969329577077862 -------------------------------------------------------------------------------- /tests/oss-fuzz/elf_fuzzer_corpus/poc-fa8bbacb5a12f057a0ed3999c37d78b4991e6b201bda4dc9a75a7c7970c7690d: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/oss-fuzz/elf_fuzzer_corpus/poc-fa8bbacb5a12f057a0ed3999c37d78b4991e6b201bda4dc9a75a7c7970c7690d -------------------------------------------------------------------------------- /tests/oss-fuzz/macho_fuzzer.cc: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2017. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #include 31 | #include 32 | 33 | #include 34 | 35 | const char* RULES = \ 36 | "import \"macho\"" 37 | "rule test {" 38 | " condition:" 39 | " macho.segments[1].sections[0].segname == \"__TEXT\"" 40 | "}"; 41 | 42 | YR_RULES* rules = NULL; 43 | 44 | extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv) 45 | { 46 | YR_COMPILER* compiler; 47 | 48 | if (yr_initialize() != ERROR_SUCCESS) 49 | return 0; 50 | 51 | if (yr_compiler_create(&compiler) != ERROR_SUCCESS) 52 | return 0; 53 | 54 | if (yr_compiler_add_string(compiler, RULES, NULL) == 0) 55 | yr_compiler_get_rules(compiler, &rules); 56 | 57 | yr_compiler_destroy(compiler); 58 | 59 | return 0; 60 | } 61 | 62 | 63 | int callback(int message, void* message_data, void* user_data) 64 | { 65 | return CALLBACK_CONTINUE; 66 | } 67 | 68 | 69 | extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) 70 | { 71 | if (rules == NULL) 72 | return 0; 73 | 74 | yr_rules_scan_mem( 75 | rules, 76 | data, 77 | size, 78 | SCAN_FLAGS_NO_TRYCATCH, 79 | callback, 80 | NULL, 81 | 0); 82 | 83 | return 0; 84 | } 85 | -------------------------------------------------------------------------------- /tests/oss-fuzz/macho_fuzzer_corpus/1443c3cfb47c5eb41022a7063c24ab1bc9e45bfc31e98d5e6d3aa8377599b983: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/oss-fuzz/macho_fuzzer_corpus/1443c3cfb47c5eb41022a7063c24ab1bc9e45bfc31e98d5e6d3aa8377599b983 -------------------------------------------------------------------------------- /tests/oss-fuzz/macho_fuzzer_corpus/589f7b0e30d885ed91229646e58ccc7615007d2fab06451fef8785c6126adba7: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/oss-fuzz/macho_fuzzer_corpus/589f7b0e30d885ed91229646e58ccc7615007d2fab06451fef8785c6126adba7 -------------------------------------------------------------------------------- /tests/oss-fuzz/macho_fuzzer_corpus/5eefacbe52990526e4953802249447dd8c0a4b537459ca41e005a7173ca46138: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/oss-fuzz/macho_fuzzer_corpus/5eefacbe52990526e4953802249447dd8c0a4b537459ca41e005a7173ca46138 -------------------------------------------------------------------------------- /tests/oss-fuzz/macho_fuzzer_corpus/6164a837fd33574f37464a765ab461fff94b52e659b114fb6109f2635678c564: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/oss-fuzz/macho_fuzzer_corpus/6164a837fd33574f37464a765ab461fff94b52e659b114fb6109f2635678c564 -------------------------------------------------------------------------------- /tests/oss-fuzz/macho_fuzzer_corpus/66528aeb35dd705cc26a7daf4b8eda684f620efebfa0740fab84043e371ed566: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/oss-fuzz/macho_fuzzer_corpus/66528aeb35dd705cc26a7daf4b8eda684f620efebfa0740fab84043e371ed566 -------------------------------------------------------------------------------- /tests/oss-fuzz/macho_fuzzer_corpus/6af5d157184d9144f86668f83e81760898df5db3c9e209596eb5fd9a91a7eeba: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/oss-fuzz/macho_fuzzer_corpus/6af5d157184d9144f86668f83e81760898df5db3c9e209596eb5fd9a91a7eeba -------------------------------------------------------------------------------- /tests/oss-fuzz/macho_fuzzer_corpus/797d1d450421b771482c0cc03f472e4eccbc9e4f544b6c12c1d4f070dec3c381: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/oss-fuzz/macho_fuzzer_corpus/797d1d450421b771482c0cc03f472e4eccbc9e4f544b6c12c1d4f070dec3c381 -------------------------------------------------------------------------------- /tests/oss-fuzz/macho_fuzzer_corpus/85494d8cb5753f1ad09be39428135feb35eb4ef44f39d6e1e75e2ad30d93e158: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/oss-fuzz/macho_fuzzer_corpus/85494d8cb5753f1ad09be39428135feb35eb4ef44f39d6e1e75e2ad30d93e158 -------------------------------------------------------------------------------- /tests/oss-fuzz/macho_fuzzer_corpus/b225048e85b14f08a43dd4752b9bb4b20840f5a8726eac0ff765d45c9e619828: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/oss-fuzz/macho_fuzzer_corpus/b225048e85b14f08a43dd4752b9bb4b20840f5a8726eac0ff765d45c9e619828 -------------------------------------------------------------------------------- /tests/oss-fuzz/macho_fuzzer_corpus/fda81421d7403180923717a94e77aade8c9286d5b8de3ae0e2812343b666c6a7: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/oss-fuzz/macho_fuzzer_corpus/fda81421d7403180923717a94e77aade8c9286d5b8de3ae0e2812343b666c6a7 -------------------------------------------------------------------------------- /tests/oss-fuzz/pe_fuzzer.cc: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2017. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #include 31 | #include 32 | 33 | #include 34 | 35 | const char* RULES = \ 36 | "import \"pe\"" 37 | "rule test {" 38 | " condition:" 39 | " pe.rva_to_offset(pe.sections[0].virtual_address) == pe.sections[0].raw_data_offset" 40 | "}"; 41 | 42 | YR_RULES* rules = NULL; 43 | 44 | extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv) 45 | { 46 | YR_COMPILER* compiler; 47 | 48 | if (yr_initialize() != ERROR_SUCCESS) 49 | return 0; 50 | 51 | if (yr_compiler_create(&compiler) != ERROR_SUCCESS) 52 | return 0; 53 | 54 | if (yr_compiler_add_string(compiler, RULES, NULL) == 0) 55 | yr_compiler_get_rules(compiler, &rules); 56 | 57 | yr_compiler_destroy(compiler); 58 | 59 | return 0; 60 | } 61 | 62 | 63 | int callback(int message, void* message_data, void* user_data) 64 | { 65 | return CALLBACK_CONTINUE; 66 | } 67 | 68 | 69 | extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) 70 | { 71 | if (rules == NULL) 72 | return 0; 73 | 74 | yr_rules_scan_mem( 75 | rules, 76 | data, 77 | size, 78 | SCAN_FLAGS_NO_TRYCATCH, 79 | callback, 80 | NULL, 81 | 0); 82 | 83 | return 0; 84 | } -------------------------------------------------------------------------------- /tests/oss-fuzz/pe_fuzzer_corpus/00388b550a2603a9e219bcb48acaf8cc115653cb1ea84cb4bccceb1aabe755b6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/oss-fuzz/pe_fuzzer_corpus/00388b550a2603a9e219bcb48acaf8cc115653cb1ea84cb4bccceb1aabe755b6 -------------------------------------------------------------------------------- /tests/oss-fuzz/pe_fuzzer_corpus/12f50a7dbf0c42f61ae1c351b2a9f75e8edb3bb55e582619edc7ece4eb0a3094: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/oss-fuzz/pe_fuzzer_corpus/12f50a7dbf0c42f61ae1c351b2a9f75e8edb3bb55e582619edc7ece4eb0a3094 -------------------------------------------------------------------------------- /tests/oss-fuzz/pe_fuzzer_corpus/967af267b4124bada8f507cebf25f2192d146a4d63be71b45bfc03c5da7f21a7: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/oss-fuzz/pe_fuzzer_corpus/967af267b4124bada8f507cebf25f2192d146a4d63be71b45bfc03c5da7f21a7 -------------------------------------------------------------------------------- /tests/oss-fuzz/pe_fuzzer_corpus/99e98cb7096dee974e28fea0f76f1c30bc44fd5762cb12b2702910a28b28f95f: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/oss-fuzz/pe_fuzzer_corpus/99e98cb7096dee974e28fea0f76f1c30bc44fd5762cb12b2702910a28b28f95f -------------------------------------------------------------------------------- /tests/oss-fuzz/pe_fuzzer_corpus/clusterfuzz-testcase-minimized-5211130361282560: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/oss-fuzz/pe_fuzzer_corpus/clusterfuzz-testcase-minimized-5211130361282560 -------------------------------------------------------------------------------- /tests/oss-fuzz/pe_fuzzer_corpus/clusterfuzz-testcase-minimized-5839717883969536: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/oss-fuzz/pe_fuzzer_corpus/clusterfuzz-testcase-minimized-5839717883969536 -------------------------------------------------------------------------------- /tests/oss-fuzz/pe_fuzzer_corpus/clusterfuzz-testcase-minimized-pe_fuzzer-5741846293643264: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/oss-fuzz/pe_fuzzer_corpus/clusterfuzz-testcase-minimized-pe_fuzzer-5741846293643264 -------------------------------------------------------------------------------- /tests/oss-fuzz/pe_fuzzer_corpus/e5af0352010b1879ac1c63a69d3d9a02d577fa834165f855bd5ebee0f1105de1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/oss-fuzz/pe_fuzzer_corpus/e5af0352010b1879ac1c63a69d3d9a02d577fa834165f855bd5ebee0f1105de1 -------------------------------------------------------------------------------- /tests/oss-fuzz/rules_fuzzer.cc: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2017. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #include 31 | #include 32 | #include 33 | 34 | #include 35 | 36 | 37 | extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv) 38 | { 39 | yr_initialize(); 40 | return 0; 41 | } 42 | 43 | 44 | extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) 45 | { 46 | YR_RULES* rules; 47 | YR_COMPILER* compiler; 48 | 49 | char* buffer = (char*) malloc(size + 1); 50 | 51 | if (!buffer) 52 | return 0; 53 | 54 | strncpy(buffer, (const char *) data, size); 55 | buffer[size] = 0; 56 | 57 | if (yr_compiler_create(&compiler) != ERROR_SUCCESS) 58 | { 59 | free(buffer); 60 | return 0; 61 | } 62 | 63 | if (yr_compiler_add_string(compiler, (const char*) buffer, NULL) == 0) 64 | { 65 | if (yr_compiler_get_rules(compiler, &rules) == ERROR_SUCCESS) 66 | yr_rules_destroy(rules); 67 | } 68 | 69 | yr_compiler_destroy(compiler); 70 | free(buffer); 71 | 72 | return 0; 73 | } 74 | -------------------------------------------------------------------------------- /tests/oss-fuzz/rules_fuzzer.dict: -------------------------------------------------------------------------------- 1 | # Lines starting with '#' and empty lines are ignored. 2 | 3 | "all" 4 | "and" 5 | "any" 6 | "ascii" 7 | "at" 8 | "condition" 9 | "contains" 10 | "entrypoint" 11 | "false" 12 | "filesize" 13 | "fullword" 14 | "for" 15 | "global" 16 | "in" 17 | "import" 18 | "include" 19 | "int8" 20 | "int16" 21 | "int32" 22 | "int8be" 23 | "int16be" 24 | "int32be" 25 | "matches" 26 | "meta" 27 | "nocase" 28 | "not" 29 | "or" 30 | "of" 31 | "private" 32 | "rule" 33 | "strings" 34 | "them" 35 | "true" 36 | "uint8" 37 | "uint16" 38 | "uint32" 39 | "uint8be" 40 | "uint16be" 41 | "uint32be" 42 | "wide" -------------------------------------------------------------------------------- /tests/oss-fuzz/rules_fuzzer.options: -------------------------------------------------------------------------------- 1 | [libfuzzer] 2 | max_len = 50000 3 | -------------------------------------------------------------------------------- /tests/oss-fuzz/rules_fuzzer_corpus/1: -------------------------------------------------------------------------------- 1 | rule test { condition: false } -------------------------------------------------------------------------------- /tests/oss-fuzz/rules_fuzzer_corpus/2: -------------------------------------------------------------------------------- 1 | rule r1 { condition: true or false } 2 | 3 | rule r2 { condition: 0x1 and 0x2} 4 | 5 | rule r3 { condition: 2 > 1 } 6 | 7 | rule r4 { condition: 1.5 >= 1.0} 8 | 9 | rule r5 { condition: 0.5 <= 1} 10 | 11 | rule r6 { condition: "abc" == "abc"} 12 | 13 | rule r7 { condition: "ab" < "abc"} 14 | 15 | rule r8 { condition: (1 + 1) * 2 == (9 - 1) \ 2 } 16 | 17 | rule r9 { condition: 1.5 + 1.5 == 3} 18 | 19 | rule r10 { condition: -2.0-3.0 == -5} 20 | 21 | rule r11 { condition: ~0xAA ^ 0x5A & 0xFF == (~0xAA) ^ (0x5A & 0xFF) } 22 | 23 | rule r12 { strings: $a = "abc" wide nocase fullword condition: $a } 24 | 25 | rule r13 { 26 | strings: 27 | $a = "abcdef" 28 | $b = "cdef" 29 | $c = "ef" 30 | condition: 31 | all of them 32 | } 33 | 34 | rule r14 { 35 | strings: 36 | $a = "abcdef" 37 | $b = "cdef" 38 | $c = "ef" 39 | condition: 40 | for all of ($*) : ($) 41 | } 42 | 43 | rule r15 { 44 | strings: 45 | $a = { 64 01 00 00 60 01 } 46 | condition: 47 | $a 48 | } 49 | 50 | rule r16 { 51 | strings: 52 | $a = { 64 01 [1-3] (60|61) 01 } 53 | condition: 54 | $a 55 | } 56 | 57 | rule r17 { 58 | strings: 59 | $a = { 4D 5A [-] 6A 2A [-] 58 C3 } 60 | condition: 61 | $a 62 | } 63 | 64 | rule r18 { 65 | strings: 66 | $a = { 4D 5A [300-] 6A 2A [-] 58 C3} 67 | condition: 68 | $a 69 | } 70 | 71 | rule r19 { 72 | strings: 73 | $a = { 2e 7? (65 | ?? ) 78 } 74 | condition: 75 | $a 76 | } 77 | 78 | rule r21 { 79 | strings: 80 | $a = /a.*efg/ 81 | condition: 82 | $a 83 | } 84 | 85 | rule r22 { 86 | strings: 87 | $a = /abc[^D]/ nocase 88 | condition: 89 | $a 90 | } 91 | 92 | rule r23 { 93 | strings: 94 | $a = /a[-]?c/ 95 | condition: 96 | $a 97 | } 98 | 99 | rule r24 { 100 | strings: 101 | $a = /[0-9a-f]+/ 102 | condition: 103 | $a 104 | } 105 | 106 | rule r25 { 107 | strings: 108 | $a = /[\\da-fA-F]+/ 109 | condition: 110 | $a 111 | } 112 | 113 | rule r26 { 114 | strings: 115 | $a = /(bc+d$|ef*g.|h?i(j|k))/ 116 | condition: 117 | $a 118 | } 119 | 120 | rule r27 { 121 | condition: 122 | "xxFoOxx" matches /fOo/i 123 | } 124 | 125 | rule r28 { 126 | condition: 127 | uint32be(0) == 0xAABBCCDD 128 | } 129 | -------------------------------------------------------------------------------- /tests/oss-fuzz/rules_fuzzer_corpus/3: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eset/yara/f57ddb3984c326dd9b283bc6f617bf36e9189520/tests/oss-fuzz/rules_fuzzer_corpus/3 -------------------------------------------------------------------------------- /tests/test-dex.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include "util.h" 3 | #include "blob.h" 4 | 5 | int main(int argc, char** argv) 6 | { 7 | yr_initialize(); 8 | 9 | assert_true_rule_blob( 10 | "import \"dex\" rule test { condition: dex.header.magic == \ 11 | dex.DEX_FILE_MAGIC_035 }", 12 | DEX_FILE); 13 | 14 | assert_true_rule_blob( 15 | "import \"dex\" rule test { condition: dex.header.checksum == \ 16 | 0x3F9C602F }", 17 | DEX_FILE); 18 | 19 | assert_true_rule_blob( 20 | "import \"dex\" rule test { condition: dex.header.data_size == \ 21 | 0x18C }", 22 | DEX_FILE); 23 | 24 | assert_true_rule_blob( 25 | "import \"dex\" rule test { condition: dex.string_ids[0].value ==\ 26 | \"\" }", 27 | DEX_FILE); 28 | 29 | assert_true_rule_blob( 30 | "import \"dex\" rule test { condition: dex.string_ids[8].value == \ 31 | \"com.google.helloyara\" }", 32 | DEX_FILE); 33 | 34 | assert_true_rule_blob( 35 | "import \"dex\" rule test { condition: dex.type_ids[0].descriptor_idx == \ 36 | 0x2 }", 37 | DEX_FILE); 38 | 39 | assert_true_rule_blob( 40 | "import \"dex\" rule test { condition: dex.proto_ids[0].shorty_idx == \ 41 | 0x6 }", 42 | DEX_FILE); 43 | 44 | assert_true_rule_blob( 45 | "import \"dex\" rule test { condition: dex.field_ids[0].class_idx == \ 46 | 0x1 }", 47 | DEX_FILE); 48 | 49 | assert_true_rule_blob( 50 | "import \"dex\" rule test { condition: dex.method_ids[0].class_idx == \ 51 | 0x1 }", 52 | DEX_FILE); 53 | 54 | assert_true_rule_blob( 55 | "import \"dex\" rule test { condition: dex.class_defs[0].class_idx == \ 56 | 0x1 }", 57 | DEX_FILE); 58 | 59 | assert_true_rule_blob( 60 | "import \"dex\" rule test { condition: dex.number_of_fields == 2 }", 61 | DEX_FILE); 62 | 63 | assert_true_rule_blob( 64 | "import \"dex\" rule test { condition: dex.field[0].class_name == \ 65 | \"Lcom/android/tools/ir/server/AppInfo;\" }", 66 | DEX_FILE); 67 | 68 | assert_true_rule_blob( 69 | "import \"dex\" rule test { condition: dex.field[0].name == \ 70 | \"applicationId\" }", 71 | DEX_FILE); 72 | 73 | assert_true_rule_blob( 74 | "import \"dex\" rule test { condition: dex.number_of_methods == 2 }", 75 | DEX_FILE); 76 | 77 | assert_true_rule_blob( 78 | "import \"dex\" rule test { condition: dex.method[0].class_name == \ 79 | \"Lcom/android/tools/ir/server/AppInfo;\" }", 80 | DEX_FILE); 81 | 82 | assert_true_rule_blob( 83 | "import \"dex\" rule test { condition: dex.method[0].proto == \"V\" }", 84 | DEX_FILE); 85 | 86 | assert_true_rule_blob( 87 | "import \"dex\" rule test { condition: dex.method[0].name == \ 88 | \"\" }", 89 | DEX_FILE); 90 | 91 | assert_true_rule_blob( 92 | "import \"dex\" rule test { condition: dex.method[1].name == \ 93 | \"\" }", 94 | DEX_FILE); 95 | 96 | assert_true_rule_blob( 97 | "import \"dex\" rule test { condition: dex.map_list.size == 12 }", 98 | DEX_FILE); 99 | 100 | assert_true_rule_blob( 101 | "import \"dex\" rule test { condition: \ 102 | dex.map_list.map_item[0].type == dex.TYPE_HEADER_ITEM \ 103 | }", 104 | DEX_FILE); 105 | 106 | yr_finalize(); 107 | return 0; 108 | } 109 | -------------------------------------------------------------------------------- /tests/test-dotnet.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include "util.h" 6 | 7 | int main(int argc, char** argv) 8 | { 9 | char *top_srcdir = getenv("TOP_SRCDIR"); 10 | if (top_srcdir) 11 | chdir(top_srcdir); 12 | 13 | yr_initialize(); 14 | 15 | assert_true_rule_file( 16 | "import \"dotnet\" \ 17 | rule test { \ 18 | condition: \ 19 | dotnet.assembly.name == \"hpjsoaputility.Sv.resources\" \ 20 | }", 21 | "tests/data/0ca09bde7602769120fadc4f7a4147347a7a97271370583586c9e587fd396171"); 22 | 23 | assert_true_rule_file( 24 | "import \"dotnet\" \ 25 | rule test { \ 26 | condition: \ 27 | dotnet.number_of_resources == 1 and \ 28 | dotnet.resources[0].offset == 724 and \ 29 | dotnet.resources[0].length == 180 and \ 30 | dotnet.resources[0].name == \"hpjsoaputility.XmlStreamSoapExtension.pt.resources\" \ 31 | }", 32 | "tests/data/0ca09bde7602769120fadc4f7a4147347a7a97271370583586c9e587fd396171"); 33 | 34 | assert_true_rule_file( 35 | "import \"dotnet\" \ 36 | rule test { \ 37 | condition: \ 38 | dotnet.number_of_guids == 1 and \ 39 | dotnet.guids[0] == \"3764d539-e21a-4366-bc7c-b56fa67efbb0\" \ 40 | }", 41 | "tests/data/0ca09bde7602769120fadc4f7a4147347a7a97271370583586c9e587fd396171"); 42 | 43 | assert_true_rule_file( 44 | "import \"dotnet\" \ 45 | rule test { \ 46 | condition: \ 47 | dotnet.number_of_streams == 5 and \ 48 | dotnet.streams[0].name == \"#~\" and \ 49 | dotnet.streams[1].name == \"#Strings\" and \ 50 | dotnet.streams[2].name == \"#US\" and \ 51 | dotnet.streams[3].name == \"#GUID\" and \ 52 | dotnet.streams[4].name == \"#Blob\" \ 53 | }", 54 | "tests/data/0ca09bde7602769120fadc4f7a4147347a7a97271370583586c9e587fd396171"); 55 | 56 | assert_true_rule_file( 57 | "import \"dotnet\" \ 58 | rule test { \ 59 | condition: \ 60 | dotnet.module_name == \"hpjsoaputility.Sv.resources.dll\" and \ 61 | dotnet.version == \"v2.0.50727\" \ 62 | }", 63 | "tests/data/0ca09bde7602769120fadc4f7a4147347a7a97271370583586c9e587fd396171"); 64 | 65 | yr_finalize(); 66 | return 0; 67 | } 68 | -------------------------------------------------------------------------------- /tests/test-math.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include "util.h" 4 | 5 | int main(int argc, char** argv) 6 | { 7 | yr_initialize(); 8 | 9 | assert_true_rule_blob( 10 | "import \"math\" \ 11 | rule test { \ 12 | condition: \ 13 | math.min(0, 1) == 0 \ 14 | }", 15 | "A"); 16 | 17 | assert_true_rule_blob( 18 | "import \"math\" \ 19 | rule test { \ 20 | condition: \ 21 | math.max(0, 1) == 1 \ 22 | }", 23 | "A"); 24 | 25 | yr_finalize(); 26 | return 0; 27 | } 28 | -------------------------------------------------------------------------------- /tests/test-re-split.c: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2019. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #include 31 | #include 32 | #include "util.h" 33 | 34 | 35 | int main(int argc, char** argv) 36 | { 37 | RE_AST* re_ast; 38 | RE_AST* re_ast_remain; 39 | 40 | RE_ERROR re_error; 41 | 42 | int32_t min_gap; 43 | int32_t max_gap; 44 | 45 | yr_initialize(); 46 | yr_re_parse_hex( 47 | "{ 01 02 03 04 [0-300] 05 06 07 08 [1-400] 09 0A 0B 0C }", 48 | &re_ast, &re_error); 49 | 50 | assert(re_ast != NULL); 51 | 52 | yr_re_ast_split_at_chaining_point( 53 | re_ast, &re_ast_remain, &min_gap, &max_gap); 54 | 55 | assert(re_ast != NULL); 56 | assert(re_ast_remain != NULL); 57 | assert(min_gap == 0); 58 | assert(max_gap == 300); 59 | 60 | yr_re_ast_destroy(re_ast); 61 | re_ast = re_ast_remain; 62 | 63 | yr_re_ast_split_at_chaining_point( 64 | re_ast, &re_ast_remain, &min_gap, &max_gap); 65 | 66 | assert(re_ast != NULL); 67 | assert(re_ast_remain != NULL); 68 | assert(min_gap == 1); 69 | assert(max_gap == 400); 70 | 71 | yr_re_ast_destroy(re_ast); 72 | re_ast = re_ast_remain; 73 | 74 | yr_re_ast_split_at_chaining_point( 75 | re_ast, &re_ast_remain, &min_gap, &max_gap); 76 | 77 | assert(re_ast != NULL); 78 | assert(re_ast_remain == NULL); 79 | 80 | yr_re_ast_destroy(re_ast); 81 | yr_finalize(); 82 | return 0; 83 | } 84 | -------------------------------------------------------------------------------- /tests/test-stack.c: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2018. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | 31 | #include 32 | #include 33 | #include "util.h" 34 | 35 | 36 | int main(int argc, char** argv) 37 | { 38 | YR_STACK* stack; 39 | 40 | int item; 41 | 42 | yr_initialize(); 43 | yr_stack_create(1, sizeof(item), &stack); 44 | 45 | item = 1; 46 | 47 | if (yr_stack_push(stack, &item) != ERROR_SUCCESS) 48 | exit(EXIT_FAILURE); 49 | 50 | item = 2; 51 | 52 | if (yr_stack_push(stack, &item) != ERROR_SUCCESS) 53 | exit(EXIT_FAILURE); 54 | 55 | item = 3; 56 | 57 | if (yr_stack_push(stack, &item) != ERROR_SUCCESS) 58 | exit(EXIT_FAILURE); 59 | 60 | item = 4; 61 | 62 | if (yr_stack_push(stack, &item) != ERROR_SUCCESS) 63 | exit(EXIT_FAILURE); 64 | 65 | if (!yr_stack_pop(stack, &item) || item != 4) 66 | exit(EXIT_FAILURE); 67 | 68 | if (!yr_stack_pop(stack, &item) || item != 3) 69 | exit(EXIT_FAILURE); 70 | 71 | if (!yr_stack_pop(stack, &item) || item != 2) 72 | exit(EXIT_FAILURE); 73 | 74 | if (!yr_stack_pop(stack, &item) || item != 1) 75 | exit(EXIT_FAILURE); 76 | 77 | if (yr_stack_pop(stack, &item) || item != 1) 78 | exit(EXIT_FAILURE); 79 | 80 | yr_stack_destroy(stack); 81 | yr_finalize(); 82 | return 0; 83 | } 84 | -------------------------------------------------------------------------------- /tests/test-version.c: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2016. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #include 31 | #include 32 | 33 | int main (int argc, char **argv) 34 | { 35 | // make sure that versions defined in configure.ac and in 36 | // libyara/include/yara/libyara.h are in sync. 37 | 38 | return strcmp(PACKAGE_VERSION, YR_VERSION); 39 | } 40 | -------------------------------------------------------------------------------- /threading.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2013. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | 31 | #ifndef THREADING_H 32 | #define THREADING_H 33 | 34 | #if defined(_WIN32) || defined(__CYGWIN__) 35 | #include 36 | #else 37 | #include 38 | #include 39 | #include 40 | #endif 41 | 42 | #if defined(_WIN32) || defined(__CYGWIN__) 43 | 44 | typedef HANDLE SEMAPHORE; 45 | typedef CRITICAL_SECTION MUTEX; 46 | typedef HANDLE THREAD; 47 | 48 | typedef LPTHREAD_START_ROUTINE THREAD_START_ROUTINE; 49 | 50 | #else 51 | 52 | typedef sem_t* SEMAPHORE; 53 | typedef pthread_mutex_t MUTEX; 54 | typedef pthread_t THREAD; 55 | typedef void *(*THREAD_START_ROUTINE) (void *); 56 | 57 | #endif 58 | 59 | int mutex_init( 60 | MUTEX* mutex); 61 | 62 | void mutex_destroy( 63 | MUTEX* mutex); 64 | 65 | void mutex_lock( 66 | MUTEX* mutex); 67 | 68 | void mutex_unlock( 69 | MUTEX* mutex); 70 | 71 | int semaphore_init( 72 | SEMAPHORE* semaphore, 73 | int value); 74 | 75 | void semaphore_destroy( 76 | SEMAPHORE* semaphore); 77 | 78 | void semaphore_wait( 79 | SEMAPHORE* semaphore); 80 | 81 | void semaphore_release( 82 | SEMAPHORE* semaphore); 83 | 84 | int create_thread( 85 | THREAD* thread, 86 | THREAD_START_ROUTINE start_routine, 87 | void* param); 88 | 89 | void thread_join( 90 | THREAD* thread); 91 | 92 | #endif 93 | -------------------------------------------------------------------------------- /windows/vs2015/NuGet.Config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 6 | 8 | 9 | 10 | -------------------------------------------------------------------------------- /windows/vs2015/libyara/packages.config: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | 7 | -------------------------------------------------------------------------------- /windows/vs2015/yara.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 14 4 | VisualStudioVersion = 14.0.25123.0 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libyara", "libyara\libyara.vcxproj", "{E236CE39-D8F3-4DB6-985C-F2794FF17746}" 7 | EndProject 8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "yara", "yara\yara.vcxproj", "{DF8232C7-D8C1-4D05-9921-F8F504134410}" 9 | ProjectSection(ProjectDependencies) = postProject 10 | {E236CE39-D8F3-4DB6-985C-F2794FF17746} = {E236CE39-D8F3-4DB6-985C-F2794FF17746} 11 | EndProjectSection 12 | EndProject 13 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "yarac", "yarac\yarac.vcxproj", "{7C72350B-AA5B-41AD-8957-CE3924A7F11B}" 14 | ProjectSection(ProjectDependencies) = postProject 15 | {E236CE39-D8F3-4DB6-985C-F2794FF17746} = {E236CE39-D8F3-4DB6-985C-F2794FF17746} 16 | EndProjectSection 17 | EndProject 18 | Global 19 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 20 | Debug|x64 = Debug|x64 21 | Debug|x86 = Debug|x86 22 | Release|x64 = Release|x64 23 | Release|x86 = Release|x86 24 | EndGlobalSection 25 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 26 | {E236CE39-D8F3-4DB6-985C-F2794FF17746}.Debug|x64.ActiveCfg = Debug|x64 27 | {E236CE39-D8F3-4DB6-985C-F2794FF17746}.Debug|x64.Build.0 = Debug|x64 28 | {E236CE39-D8F3-4DB6-985C-F2794FF17746}.Debug|x86.ActiveCfg = Debug|Win32 29 | {E236CE39-D8F3-4DB6-985C-F2794FF17746}.Debug|x86.Build.0 = Debug|Win32 30 | {E236CE39-D8F3-4DB6-985C-F2794FF17746}.Release|x64.ActiveCfg = Release|x64 31 | {E236CE39-D8F3-4DB6-985C-F2794FF17746}.Release|x64.Build.0 = Release|x64 32 | {E236CE39-D8F3-4DB6-985C-F2794FF17746}.Release|x86.ActiveCfg = Release|Win32 33 | {E236CE39-D8F3-4DB6-985C-F2794FF17746}.Release|x86.Build.0 = Release|Win32 34 | {DF8232C7-D8C1-4D05-9921-F8F504134410}.Debug|x64.ActiveCfg = Debug|x64 35 | {DF8232C7-D8C1-4D05-9921-F8F504134410}.Debug|x64.Build.0 = Debug|x64 36 | {DF8232C7-D8C1-4D05-9921-F8F504134410}.Debug|x86.ActiveCfg = Debug|Win32 37 | {DF8232C7-D8C1-4D05-9921-F8F504134410}.Debug|x86.Build.0 = Debug|Win32 38 | {DF8232C7-D8C1-4D05-9921-F8F504134410}.Release|x64.ActiveCfg = Release|x64 39 | {DF8232C7-D8C1-4D05-9921-F8F504134410}.Release|x64.Build.0 = Release|x64 40 | {DF8232C7-D8C1-4D05-9921-F8F504134410}.Release|x86.ActiveCfg = Release|Win32 41 | {DF8232C7-D8C1-4D05-9921-F8F504134410}.Release|x86.Build.0 = Release|Win32 42 | {7C72350B-AA5B-41AD-8957-CE3924A7F11B}.Debug|x64.ActiveCfg = Debug|x64 43 | {7C72350B-AA5B-41AD-8957-CE3924A7F11B}.Debug|x64.Build.0 = Debug|x64 44 | {7C72350B-AA5B-41AD-8957-CE3924A7F11B}.Debug|x86.ActiveCfg = Debug|Win32 45 | {7C72350B-AA5B-41AD-8957-CE3924A7F11B}.Debug|x86.Build.0 = Debug|Win32 46 | {7C72350B-AA5B-41AD-8957-CE3924A7F11B}.Release|x64.ActiveCfg = Release|x64 47 | {7C72350B-AA5B-41AD-8957-CE3924A7F11B}.Release|x64.Build.0 = Release|x64 48 | {7C72350B-AA5B-41AD-8957-CE3924A7F11B}.Release|x86.ActiveCfg = Release|Win32 49 | {7C72350B-AA5B-41AD-8957-CE3924A7F11B}.Release|x86.Build.0 = Release|Win32 50 | EndGlobalSection 51 | GlobalSection(SolutionProperties) = preSolution 52 | HideSolutionNode = FALSE 53 | EndGlobalSection 54 | EndGlobal 55 | -------------------------------------------------------------------------------- /windows/vs2017/NuGet.Config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 6 | 8 | 9 | 10 | -------------------------------------------------------------------------------- /windows/vs2017/libyara/libyara.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | -------------------------------------------------------------------------------- /windows/vs2017/libyara/packages.config: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | 7 | -------------------------------------------------------------------------------- /windows/vs2017/yara.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 14 4 | VisualStudioVersion = 14.0.25123.0 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libyara", "libyara\libyara.vcxproj", "{E236CE39-D8F3-4DB6-985C-F2794FF17746}" 7 | EndProject 8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "yara", "yara\yara.vcxproj", "{DF8232C7-D8C1-4D05-9921-F8F504134410}" 9 | ProjectSection(ProjectDependencies) = postProject 10 | {E236CE39-D8F3-4DB6-985C-F2794FF17746} = {E236CE39-D8F3-4DB6-985C-F2794FF17746} 11 | EndProjectSection 12 | EndProject 13 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "yarac", "yarac\yarac.vcxproj", "{7C72350B-AA5B-41AD-8957-CE3924A7F11B}" 14 | ProjectSection(ProjectDependencies) = postProject 15 | {E236CE39-D8F3-4DB6-985C-F2794FF17746} = {E236CE39-D8F3-4DB6-985C-F2794FF17746} 16 | EndProjectSection 17 | EndProject 18 | Global 19 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 20 | Debug|x64 = Debug|x64 21 | Debug|x86 = Debug|x86 22 | Release|x64 = Release|x64 23 | Release|x86 = Release|x86 24 | EndGlobalSection 25 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 26 | {E236CE39-D8F3-4DB6-985C-F2794FF17746}.Debug|x64.ActiveCfg = Debug|x64 27 | {E236CE39-D8F3-4DB6-985C-F2794FF17746}.Debug|x64.Build.0 = Debug|x64 28 | {E236CE39-D8F3-4DB6-985C-F2794FF17746}.Debug|x86.ActiveCfg = Debug|Win32 29 | {E236CE39-D8F3-4DB6-985C-F2794FF17746}.Debug|x86.Build.0 = Debug|Win32 30 | {E236CE39-D8F3-4DB6-985C-F2794FF17746}.Release|x64.ActiveCfg = Release|x64 31 | {E236CE39-D8F3-4DB6-985C-F2794FF17746}.Release|x64.Build.0 = Release|x64 32 | {E236CE39-D8F3-4DB6-985C-F2794FF17746}.Release|x86.ActiveCfg = Release|Win32 33 | {E236CE39-D8F3-4DB6-985C-F2794FF17746}.Release|x86.Build.0 = Release|Win32 34 | {DF8232C7-D8C1-4D05-9921-F8F504134410}.Debug|x64.ActiveCfg = Debug|x64 35 | {DF8232C7-D8C1-4D05-9921-F8F504134410}.Debug|x64.Build.0 = Debug|x64 36 | {DF8232C7-D8C1-4D05-9921-F8F504134410}.Debug|x86.ActiveCfg = Debug|Win32 37 | {DF8232C7-D8C1-4D05-9921-F8F504134410}.Debug|x86.Build.0 = Debug|Win32 38 | {DF8232C7-D8C1-4D05-9921-F8F504134410}.Release|x64.ActiveCfg = Release|x64 39 | {DF8232C7-D8C1-4D05-9921-F8F504134410}.Release|x64.Build.0 = Release|x64 40 | {DF8232C7-D8C1-4D05-9921-F8F504134410}.Release|x86.ActiveCfg = Release|Win32 41 | {DF8232C7-D8C1-4D05-9921-F8F504134410}.Release|x86.Build.0 = Release|Win32 42 | {7C72350B-AA5B-41AD-8957-CE3924A7F11B}.Debug|x64.ActiveCfg = Debug|x64 43 | {7C72350B-AA5B-41AD-8957-CE3924A7F11B}.Debug|x64.Build.0 = Debug|x64 44 | {7C72350B-AA5B-41AD-8957-CE3924A7F11B}.Debug|x86.ActiveCfg = Debug|Win32 45 | {7C72350B-AA5B-41AD-8957-CE3924A7F11B}.Debug|x86.Build.0 = Debug|Win32 46 | {7C72350B-AA5B-41AD-8957-CE3924A7F11B}.Release|x64.ActiveCfg = Release|x64 47 | {7C72350B-AA5B-41AD-8957-CE3924A7F11B}.Release|x64.Build.0 = Release|x64 48 | {7C72350B-AA5B-41AD-8957-CE3924A7F11B}.Release|x86.ActiveCfg = Release|Win32 49 | {7C72350B-AA5B-41AD-8957-CE3924A7F11B}.Release|x86.Build.0 = Release|Win32 50 | EndGlobalSection 51 | GlobalSection(SolutionProperties) = preSolution 52 | HideSolutionNode = FALSE 53 | EndGlobalSection 54 | EndGlobal 55 | -------------------------------------------------------------------------------- /yarac.man: -------------------------------------------------------------------------------- 1 | .\"Text automatically generated by txt2man 2 | .TH YARAC "1" "Jan 2014" "YARAC 2.0" "compile rules to yara" 3 | .SH NAME 4 | \fByarac \fP- compile rules to yara 5 | .SH SYNOPSIS 6 | .nf 7 | .fam C 8 | \fByarac\fP [OPTION]\.\.\. [RULE_FILE]\.\.\. \fIOUTPUT_FILE\fP 9 | .fam T 10 | .fi 11 | .fam T 12 | .fi 13 | .SH DESCRIPTION 14 | To invoke YARA you will need two things: a file with the rules you want to 15 | use (either in source code or compiled form) and the target to be scanned. 16 | The target can be a file, a folder, or a process. 17 | .PP 18 | Rule files can be passed directly in source code form, or can be previously 19 | compiled with the \fByarac\fP tool. You may prefer to use your rules in compiled 20 | form if you are going to invoke YARA multiple times with the same rules. 21 | This way you’ll save time, because for YARA is faster to load compiled rules 22 | than compiling the same rules over and over again. 23 | .PP 24 | The rules will be applied to the target specified as the last argument to YARA, 25 | if it’s a path to a directory all the files contained in it will be scanned. 26 | .SH OPTIONS 27 | .TP 28 | .B 29 | \fB-d\fP = 30 | define external variable. 31 | .TP 32 | .B \-w " --no-warnings" 33 | Disable warnings. 34 | .TP 35 | .B " --fail-on-warnings" 36 | Treat warnings as errors. Has no effect if used with 37 | .B --no-warnings. 38 | .TP 39 | .B \-v " --version" 40 | Show version information. 41 | .SH EXAMPLE 42 | The \fB-d\fP is used to define external variables. For example: 43 | .PP 44 | \fB-d\fP flag=true 45 | .PP 46 | \fB-d\fP beast=666 47 | .PP 48 | \fB-d\fP name="James Bond" 49 | .SH SEE ALSO 50 | \fByara\fP(1) 51 | .SH AUTHOR 52 | \fByarac\fP was written by Victor M. Alvarez . 53 | This manual page was written by Joao Eriberto Mota Filho for the Debian project (but may be used by others). 54 | --------------------------------------------------------------------------------