Browse code
YARA: support condition data access functions int8, int16, int32, uint8, uint16, and uint32.
Steven Morgan authored on 2015/04/01 06:02:51Showing 3 changed files
| ... | ... |
@@ -765,6 +765,7 @@ static int yara_eval(cli_ctx *ctx, struct cli_matcher *root, struct cli_ac_data |
| 765 | 765 |
if (target_info->status == 1) |
| 766 | 766 |
context.entry_point = target_info->exeinfo.ep; |
| 767 | 767 |
} |
| 768 |
+ context.fmap = *ctx->fmap; |
|
| 768 | 769 |
|
| 769 | 770 |
rc = yr_execute_code(ac_lsig, acdata, &context, 0, 0); |
| 770 | 771 |
|
| ... | ... |
@@ -199,10 +199,10 @@ typedef struct _YR_SCAN_CONTEXT |
| 199 | 199 |
int flags; |
| 200 | 200 |
void* user_data; |
| 201 | 201 |
|
| 202 |
- //YR_MEMORY_BLOCK* mem_block; |
|
| 202 |
+ //YR_MEMORY_BLOCK* mem_block; |
|
| 203 | 203 |
YR_HASH_TABLE* objects_table; |
| 204 |
- //YR_CALLBACK_FUNC callback; |
|
| 205 |
- |
|
| 204 |
+ //YR_CALLBACK_FUNC callback; |
|
| 205 |
+ fmap_t * fmap; |
|
| 206 | 206 |
} YR_SCAN_CONTEXT; |
| 207 | 207 |
#endif |
| 208 | 208 |
|
| ... | ... |
@@ -92,6 +92,19 @@ typedef struct _YR_MATCH |
| 92 | 92 |
} \ |
| 93 | 93 |
return UNDEFINED; \ |
| 94 | 94 |
}; |
| 95 |
+#else |
|
| 96 |
+#define function_read(type) \ |
|
| 97 |
+ int64_t read_##type(fmap_t * fmap, size_t offset) \ |
|
| 98 |
+ { \
|
|
| 99 |
+ const void *data; \ |
|
| 100 |
+ if (offset + sizeof(type) >= fmap->len) \ |
|
| 101 |
+ return UNDEFINED; \ |
|
| 102 |
+ data = fmap_need_off_once(fmap, offset, sizeof(type)); \ |
|
| 103 |
+ if (!data) \ |
|
| 104 |
+ return UNDEFINED; \ |
|
| 105 |
+ return *((type *) data); \ |
|
| 106 |
+ }; |
|
| 107 |
+#endif |
|
| 95 | 108 |
|
| 96 | 109 |
function_read(uint8_t) |
| 97 | 110 |
function_read(uint16_t) |
| ... | ... |
@@ -99,7 +112,6 @@ function_read(uint32_t) |
| 99 | 99 |
function_read(int8_t) |
| 100 | 100 |
function_read(int16_t) |
| 101 | 101 |
function_read(int32_t) |
| 102 |
-#endif |
|
| 103 | 102 |
|
| 104 | 103 |
int yr_execute_code( |
| 105 | 104 |
#if REAL_YARA |
| ... | ... |
@@ -797,6 +809,36 @@ int yr_execute_code( |
| 797 | 797 |
pop(r1); |
| 798 | 798 |
push(read_uint32_t(context->mem_block, r1)); |
| 799 | 799 |
break; |
| 800 |
+#else |
|
| 801 |
+ case OP_INT8: |
|
| 802 |
+ pop(r1); |
|
| 803 |
+ push(read_int8_t(context->fmap, r1)); |
|
| 804 |
+ break; |
|
| 805 |
+ |
|
| 806 |
+ case OP_INT16: |
|
| 807 |
+ pop(r1); |
|
| 808 |
+ push(read_int16_t(context->fmap, r1)); |
|
| 809 |
+ break; |
|
| 810 |
+ |
|
| 811 |
+ case OP_INT32: |
|
| 812 |
+ pop(r1); |
|
| 813 |
+ push(read_int32_t(context->fmap, r1)); |
|
| 814 |
+ break; |
|
| 815 |
+ |
|
| 816 |
+ case OP_UINT8: |
|
| 817 |
+ pop(r1); |
|
| 818 |
+ push(read_uint8_t(context->fmap, r1)); |
|
| 819 |
+ break; |
|
| 820 |
+ |
|
| 821 |
+ case OP_UINT16: |
|
| 822 |
+ pop(r1); |
|
| 823 |
+ push(read_uint16_t(context->fmap, r1)); |
|
| 824 |
+ break; |
|
| 825 |
+ |
|
| 826 |
+ case OP_UINT32: |
|
| 827 |
+ pop(r1); |
|
| 828 |
+ push(read_uint32_t(context->fmap, r1)); |
|
| 829 |
+ break; |
|
| 800 | 830 |
#endif |
| 801 | 831 |
|
| 802 | 832 |
case OP_CONTAINS: |