Browse code
YARA: enable filesize and entrypoint keywords.
Steven Morgan authored on 2015/03/21 01:31:13Showing 1 changed files
| ... | ... |
@@ -755,8 +755,14 @@ static int yara_eval(cli_ctx *ctx, struct cli_matcher *root, struct cli_ac_data |
| 755 | 755 |
struct cli_ac_lsig *ac_lsig = root->ac_lsigtable[lsid]; |
| 756 | 756 |
uint8_t * code_start = ac_lsig->u.code_start; |
| 757 | 757 |
int rc = 0; |
| 758 |
- YR_SCAN_CONTEXT context = {0}; //FIXME (populate from ldb)
|
|
| 759 |
- |
|
| 758 |
+ YR_SCAN_CONTEXT context = {0};
|
|
| 759 |
+ |
|
| 760 |
+ if (target_info != NULL) {
|
|
| 761 |
+ context.file_size = target_info->fsize; |
|
| 762 |
+ if (target_info->status == 1) |
|
| 763 |
+ context.entry_point = target_info->exeinfo.ep; |
|
| 764 |
+ } |
|
| 765 |
+ |
|
| 760 | 766 |
rc = yr_execute_code(ac_lsig, acdata, &context, 0, 0); |
| 761 | 767 |
|
| 762 | 768 |
if (rc == CL_VIRUS) |