GitList

libclamav/yara_clam.h

ec768c6f	/* * Main YARA header file for ClamAV *
e1cbc270	* Copyright (C) 2014-2019 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
ec768c6f	* * Authors: Steven Morgan * * This program is free software; you can redistribute it and/or modify it under * the terms of the GNU General Public License version 2 as published by the * Free Software Foundation. * * This program is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * more details. * * You should have received a copy of the GNU General Public License along with * this program; if not, write to the Free Software Foundation, Inc., 51 * Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. */
27948a03	/* Most of this file was derived from Yara 2.1.0 libyara/yara.h and * other YARA header files. Following is the YARA copyright. */
ec768c6f	/* Copyright (c) 2007-2013. The YARA Authors. All Rights Reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ #ifndef _YARA_CLAM_H_ #define _YARA_CLAM_H_
6e767879	#include "shared/queue.h"
3ca6d4c0	#include "yara_hash.h"
d03c18be	#include "others.h"
d18d7221	#include "str.h"
ec768c6f
27948a03	// clang-format off /* * From libyara/include/yara/types.h */
88c4a39f	#define DECLARE_REFERENCE(type, name) \ union { type name; int64_t name##_; }
ec768c6f
88c4a39f	#define META_TYPE_NULL 0 #define META_TYPE_INTEGER 1 #define META_TYPE_STRING 2 #define META_TYPE_BOOLEAN 3
ec768c6f	#define STRING_GFLAGS_REFERENCED 0x01 #define STRING_GFLAGS_HEXADECIMAL 0x02 #define STRING_GFLAGS_NO_CASE 0x04 #define STRING_GFLAGS_ASCII 0x08 #define STRING_GFLAGS_WIDE 0x10 #define STRING_GFLAGS_REGEXP 0x20 #define STRING_GFLAGS_FAST_HEX_REGEXP 0x40 #define STRING_GFLAGS_FULL_WORD 0x80 #define STRING_GFLAGS_ANONYMOUS 0x100 #define STRING_GFLAGS_SINGLE_MATCH 0x200 #define STRING_GFLAGS_LITERAL 0x400 #define STRING_GFLAGS_FITS_IN_ATOM 0x800 #define STRING_GFLAGS_NULL 0x1000 #define STRING_GFLAGS_CHAIN_PART 0x2000 #define STRING_GFLAGS_CHAIN_TAIL 0x4000 #define STRING_GFLAGS_REGEXP_DOT_ALL 0x8000 #define STRING_IS_HEX(x) \ (((x)->g_flags) & STRING_GFLAGS_HEXADECIMAL) #define STRING_IS_NO_CASE(x) \ (((x)->g_flags) & STRING_GFLAGS_NO_CASE) #define STRING_IS_ASCII(x) \ (((x)->g_flags) & STRING_GFLAGS_ASCII) #define STRING_IS_WIDE(x) \ (((x)->g_flags) & STRING_GFLAGS_WIDE) #define STRING_IS_REGEXP(x) \ (((x)->g_flags) & STRING_GFLAGS_REGEXP) #define STRING_IS_REGEXP_DOT_ALL(x) \ (((x)->g_flags) & STRING_GFLAGS_REGEXP_DOT_ALL) #define STRING_IS_FULL_WORD(x) \ (((x)->g_flags) & STRING_GFLAGS_FULL_WORD) #define STRING_IS_ANONYMOUS(x) \ (((x)->g_flags) & STRING_GFLAGS_ANONYMOUS) #define STRING_IS_REFERENCED(x) \ (((x)->g_flags) & STRING_GFLAGS_REFERENCED) #define STRING_IS_SINGLE_MATCH(x) \ (((x)->g_flags) & STRING_GFLAGS_SINGLE_MATCH) #define STRING_IS_LITERAL(x) \ (((x)->g_flags) & STRING_GFLAGS_LITERAL) #define STRING_IS_FAST_HEX_REGEXP(x) \ (((x)->g_flags) & STRING_GFLAGS_FAST_HEX_REGEXP) #define STRING_IS_CHAIN_PART(x) \ (((x)->g_flags) & STRING_GFLAGS_CHAIN_PART) #define STRING_IS_CHAIN_TAIL(x) \ (((x)->g_flags) & STRING_GFLAGS_CHAIN_TAIL) #define STRING_IS_NULL(x) \ ((x) == NULL \|\| ((x)->g_flags) & STRING_GFLAGS_NULL) #define STRING_FITS_IN_ATOM(x) \ (((x)->g_flags) & STRING_GFLAGS_FITS_IN_ATOM) #define STRING_FOUND(x) \ ((x)->matches[yr_get_tidx()].tail != NULL) #define RULE_TFLAGS_MATCH 0x01 #define RULE_GFLAGS_PRIVATE 0x01 #define RULE_GFLAGS_GLOBAL 0x02 #define RULE_GFLAGS_REQUIRE_EXECUTABLE 0x04 #define RULE_GFLAGS_REQUIRE_FILE 0x08 #define RULE_GFLAGS_NULL 0x1000 #define RULE_IS_PRIVATE(x) \ (((x)->g_flags) & RULE_GFLAGS_PRIVATE) #define RULE_IS_GLOBAL(x) \ (((x)->g_flags) & RULE_GFLAGS_GLOBAL) #define RULE_IS_NULL(x) \ (((x)->g_flags) & RULE_GFLAGS_NULL) #define RULE_MATCHES(x) \ ((x)->t_flags[yr_get_tidx()] & RULE_TFLAGS_MATCH)
88c4a39f	#define EXTERNAL_VARIABLE_TYPE_NULL 0 #define EXTERNAL_VARIABLE_TYPE_ANY 1 #define EXTERNAL_VARIABLE_TYPE_INTEGER 2 #define EXTERNAL_VARIABLE_TYPE_BOOLEAN 3 #define EXTERNAL_VARIABLE_TYPE_FIXED_STRING 4 #define EXTERNAL_VARIABLE_TYPE_MALLOC_STRING 5
ec768c6f
88c4a39f	#define EXTERNAL_VARIABLE_IS_NULL(x) \ ((x) != NULL ? (x)->type == EXTERNAL_VARIABLE_TYPE_NULL : TRUE)
ec768c6f
88c4a39f	#define OBJECT_COMMON_FIELDS \ int8_t type; \ const char* identifier; \ void* data; \ struct _YR_OBJECT* parent; typedef struct _YR_OBJECT {
27948a03	OBJECT_COMMON_FIELDS
88c4a39f	} YR_OBJECT;
ebf3953f	typedef struct _YR_OBJECT_INTEGER {
27948a03	OBJECT_COMMON_FIELDS int64_t value;
ebf3953f	} YR_OBJECT_INTEGER; typedef struct _YR_OBJECT_STRING {
27948a03	OBJECT_COMMON_FIELDS char* value;
ebf3953f	} YR_OBJECT_STRING;
324fabbb	typedef struct _YR_OBJECT_ARRAY {
27948a03	OBJECT_COMMON_FIELDS struct _YR_ARRAY_ITEMS* items;
324fabbb	} YR_OBJECT_ARRAY;
ebf3953f	typedef struct _YR_SCAN_CONTEXT {
27948a03	uint64_t file_size; uint64_t entry_point;
ebf3953f
27948a03	int flags; void* user_data;
ebf3953f
27948a03	//YR_MEMORY_BLOCK* mem_block; YR_HASH_TABLE* objects_table; //YR_CALLBACK_FUNC callback; fmap_t * fmap;
ebf3953f	} YR_SCAN_CONTEXT; struct _YR_OBJECT_FUNCTION; typedef int (YR_MODULE_FUNC)( void args, YR_SCAN_CONTEXT* context, struct _YR_OBJECT_FUNCTION* function_obj);
88c4a39f	typedef struct _YR_OBJECT_FUNCTION {
27948a03	OBJECT_COMMON_FIELDS
88c4a39f
27948a03	const char* arguments_fmt;
88c4a39f
27948a03	YR_OBJECT* return_obj; YR_MODULE_FUNC code;
88c4a39f	} YR_OBJECT_FUNCTION;
324fabbb	typedef struct _YR_ARRAY_ITEMS {
27948a03	int count; YR_OBJECT* objects[1];
324fabbb	} YR_ARRAY_ITEMS;
27948a03	/* * From libyara/include/yara/sizedstr.h */
ec768c6f	#define SIZED_STRING_FLAGS_NO_CASE 1 #define SIZED_STRING_FLAGS_DOT_ALL 2 typedef struct _SIZED_STRING { int length; int flags; char c_string[1]; } SIZED_STRING;
abf7d877
27948a03	/* * From libyara/include/yara/error.h */
abf7d877	#ifndef ERROR_SUCCESS #define ERROR_SUCCESS 0 #endif #define ERROR_INSUFICIENT_MEMORY 1 #define ERROR_COULD_NOT_ATTACH_TO_PROCESS 2 #define ERROR_COULD_NOT_OPEN_FILE 3 #define ERROR_COULD_NOT_MAP_FILE 4 #define ERROR_INVALID_FILE 6 #define ERROR_CORRUPT_FILE 7 #define ERROR_UNSUPPORTED_FILE_VERSION 8 #define ERROR_INVALID_REGULAR_EXPRESSION 9 #define ERROR_INVALID_HEX_STRING 10 #define ERROR_SYNTAX_ERROR 11 #define ERROR_LOOP_NESTING_LIMIT_EXCEEDED 12 #define ERROR_DUPLICATE_LOOP_IDENTIFIER 13 #define ERROR_DUPLICATE_IDENTIFIER 14 #define ERROR_DUPLICATE_TAG_IDENTIFIER 15 #define ERROR_DUPLICATE_META_IDENTIFIER 16 #define ERROR_DUPLICATE_STRING_IDENTIFIER 17 #define ERROR_UNREFERENCED_STRING 18 #define ERROR_UNDEFINED_STRING 19 #define ERROR_UNDEFINED_IDENTIFIER 20 #define ERROR_MISPLACED_ANONYMOUS_STRING 21 #define ERROR_INCLUDES_CIRCULAR_REFERENCE 22 #define ERROR_INCLUDE_DEPTH_EXCEEDED 23 #define ERROR_WRONG_TYPE 24 #define ERROR_EXEC_STACK_OVERFLOW 25 #define ERROR_SCAN_TIMEOUT 26 #define ERROR_TOO_MANY_SCAN_THREADS 27 #define ERROR_CALLBACK_ERROR 28 #define ERROR_INVALID_ARGUMENT 29 #define ERROR_TOO_MANY_MATCHES 30 #define ERROR_INTERNAL_FATAL_ERROR 31 #define ERROR_NESTED_FOR_OF_LOOP 32 #define ERROR_INVALID_FIELD_NAME 33 #define ERROR_UNKNOWN_MODULE 34 #define ERROR_NOT_A_STRUCTURE 35 #define ERROR_NOT_AN_ARRAY 36 #define ERROR_NOT_A_FUNCTION 37 #define ERROR_INVALID_FORMAT 38 #define ERROR_TOO_MANY_ARGUMENTS 39 #define ERROR_WRONG_NUMBER_OF_ARGUMENTS 40
3ca6d4c0	#define FAIL_ON_ERROR(x) { \
27948a03	int result = (x); \ if (result != ERROR_SUCCESS) \ return result; \
3ca6d4c0	}
7f749109	#define FAIL_ON_COMPILER_ERROR(x) { \
27948a03	compiler->last_result = (x); \ if (compiler->last_result != ERROR_SUCCESS) { \ if (compiler->last_result == ERROR_INSUFICIENT_MEMORY) \ yyfatal(yyscanner, "YARA fatal error: terminating rule parse\n"); \ return compiler->last_result; \ } \
7f749109	}
27948a03	/* * From libyara/include/yara/re.h */
a3c5f974	#define RE_FLAGS_FAST_HEX_REGEXP 0x02 #define RE_FLAGS_BACKWARDS 0x04 #define RE_FLAGS_EXHAUSTIVE 0x08 #define RE_FLAGS_WIDE 0x10 #define RE_FLAGS_NO_CASE 0x20 #define RE_FLAGS_SCAN 0x40 #define RE_FLAGS_DOT_ALL 0x80
27948a03	#define RE_FLAGS_NOT_AT_START 0x100
a3c5f974
ec768c6f	typedef struct _YR_META {
27948a03	int32_t type; int32_t integer;
ec768c6f
27948a03	DECLARE_REFERENCE(char, identifier); DECLARE_REFERENCE(char, string);
ec768c6f	} YR_META;
6e767879	#if REAL_YARA
ec768c6f	typedef struct _YR_STRING {
27948a03	int32_t g_flags; int32_t length;
ec768c6f
27948a03	DECLARE_REFERENCE(char, identifier); DECLARE_REFERENCE(uint8_t, string); DECLARE_REFERENCE(struct _YR_STRING*, chained_to);
ec768c6f
27948a03	int32_t chain_gap_min; int32_t chain_gap_max;
ec768c6f
27948a03	// YR_MATCHES matches[MAX_THREADS]; // YR_MATCHES unconfirmed_matches[MAX_THREADS];
ec768c6f	} YR_STRING;
6e767879	#endif
ec768c6f	typedef struct _YR_EXTERNAL_VARIABLE {
27948a03	int32_t type; int64_t integer;
ec768c6f
27948a03	DECLARE_REFERENCE(char, identifier); DECLARE_REFERENCE(char, string);
ec768c6f	} YR_EXTERNAL_VARIABLE;
324fabbb	typedef struct _YR_NAMESPACE {
27948a03	DECLARE_REFERENCE(char*, name);
324fabbb	} YR_NAMESPACE;
ec768c6f
27948a03	/* * From libyara/include/yara/exec.h */
ec768c6f	typedef struct RE RE; typedef struct RE_NODE RE_NODE; struct RE_NODE {
27948a03	int type;
ec768c6f
27948a03	union { int value; int count; int start; };
ec768c6f
27948a03	union { int mask; int end; };
ec768c6f
27948a03	int greedy;
ec768c6f
27948a03	uint8_t* class_vector;
ec768c6f
27948a03	RE_NODE* left; RE_NODE* right;
ec768c6f
27948a03	void* forward_code; void* backward_code;
ec768c6f	}; struct RE {
27948a03	uint32_t flags; RE_NODE* root_node;
ec768c6f
27948a03	const char* error_message; int error_code;
ec768c6f	};
27948a03	/* * From libyara/include/yara/limits.h */
88c4a39f	#define MAX_COMPILER_ERROR_EXTRA_INFO 256
3ca6d4c0	#define MAX_LOOP_NESTING 4
88c4a39f	#define MAX_FUNCTION_ARGS 128
3ca6d4c0	#define LOOP_LOCAL_VARS 4
88c4a39f	#define LEX_BUF_SIZE 1024
5842265f	#define MAX_INCLUDE_DEPTH 16 #ifndef MAX_PATH
27948a03	#define MAX_PATH 1024
5842265f	#endif
88c4a39f
27948a03	/* * From libyara/include/yara/object.h */
88c4a39f	#define OBJECT_TYPE_INTEGER 1 #define OBJECT_TYPE_STRING 2 #define OBJECT_TYPE_STRUCTURE 3 #define OBJECT_TYPE_ARRAY 4 #define OBJECT_TYPE_FUNCTION 5 #define OBJECT_TYPE_REGEXP 6
27948a03	/* * From libyara/include/yara/utils.h */
ebf3953f	#define UINT64_TO_PTR(type, x) ((type)(size_t) x)
88c4a39f	#define PTR_TO_UINT64(x) ((uint64_t) (size_t) x)
93ff0dad	#define YARA_PROTO #ifdef YARA_PROTO
b7999b89	#define RULE_ANY 1 #define RULE_ALL 2 #define RULE_ONE 4 #define RULE_THEM 8 #define RULE_EP 16 #define RULE_OFFSETS 32
93ff0dad	#endif
27948a03	/* * YARA to ClamAV function mappings */
ec768c6f	#define yr_strdup cli_strdup #define yr_malloc cli_malloc
3ca6d4c0	#define yr_realloc cli_realloc
ec768c6f	#define yr_free free
a5bde84c	#define xtoi cli_xtoi
15809b78	#undef strlcpy #undef strlcat
abf7d877	#define strlcpy cli_strlcpy
bf80cd4e	#define strlcat cli_strlcat
ec768c6f
27948a03	/* * YARA-defined structure replacements for ClamAV */
6e767879	struct _yc_rule { STAILQ_ENTRY(_yc_rule) link; STAILQ_HEAD(sq, _yc_string) strings;
7f749109	char * identifier;
b9af0434	uint32_t g_flags;
b7999b89	uint32_t cl_flags;
f51f42e9	uint8_t * code_start;
7665e02d	uint32_t lsigid;
6e767879	}; typedef struct _yc_rule yc_rule; typedef struct _yc_string { STAILQ_ENTRY(_yc_string) link; int32_t g_flags; int32_t length;
d2554980
3ca6d4c0	DECLARE_REFERENCE(char, identifier); DECLARE_REFERENCE(uint8_t, string); DECLARE_REFERENCE(struct _YR_STRING*, chained_to);
d2554980	int32_t subsig_id;
6e767879	} yc_string; typedef yc_rule YR_RULE; typedef yc_string YR_STRING;
ec768c6f
27948a03	// clang-format on
ec768c6f	#endif