/* Copyright (c) 2013. The YARA Authors. All Rights Reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ #include #include #include #if REAL_YARA #include #include #include #include #include #include #include #else #include //Temp for ClamAV compilation typedef struct _YR_MATCH { int64_t base; int64_t offset; int32_t length; union { uint8_t* data; // Confirmed matches use "data", int32_t chain_length; // unconfirmed ones use "chain_length" }; struct _YR_MATCH* prev; struct _YR_MATCH* next; } YR_MATCH; // End of temp for clamAV #include "matcher.h" #include "matcher-ac.h" #include "yara_clam.h" #include "yara_exec.h" #endif #define STACK_SIZE 16384 #define MEM_SIZE MAX_LOOP_NESTING * LOOP_LOCAL_VARS #define push(x) \ do { \ if (sp < STACK_SIZE) stack[sp++] = (x); \ else return ERROR_EXEC_STACK_OVERFLOW; \ } while(0) #define pop(x) x = stack[--sp] #define operation(operator, op1, op2) \ (IS_UNDEFINED(op1) || IS_UNDEFINED(op2)) ? (UNDEFINED) : (op1 operator op2) #define comparison(operator, op1, op2) \ (IS_UNDEFINED(op1) || IS_UNDEFINED(op2)) ? (0) : (op1 operator op2) #if REAL_YARA #define function_read(type) \ int64_t read_##type(YR_MEMORY_BLOCK* block, size_t offset) \ { \ while (block != NULL) \ { \ if (offset >= block->base && \ block->size >= sizeof(type) && \ offset <= block->base + block->size - sizeof(type)) \ { \ return *((type *) (block->data + offset - block->base)); \ } \ block = block->next; \ } \ return UNDEFINED; \ }; #else #define function_read(type) \ int64_t read_##type(fmap_t * fmap, size_t offset) \ { \ const void *data; \ if (offset + sizeof(type) >= fmap->len) \ return UNDEFINED; \ data = fmap_need_off_once(fmap, offset, sizeof(type)); \ if (!data) \ return UNDEFINED; \ return *((type *) data); \ }; #endif function_read(uint8_t) function_read(uint16_t) function_read(uint32_t) function_read(int8_t) function_read(int16_t) function_read(int32_t) int yr_execute_code( #if REAL_YARA YR_RULES* rules, #else struct cli_ac_lsig * aclsig, struct cli_ac_data * acdata, #endif YR_SCAN_CONTEXT* context, int timeout, time_t start_time) { int64_t r1; int64_t r2; int64_t r3; int64_t mem[MEM_SIZE]; int64_t stack[STACK_SIZE]; int64_t args[MAX_FUNCTION_ARGS]; int32_t sp = 0; #if REAL_YARA uint8_t* ip = rules->code_start; #else uint8_t* ip = aclsig->u.code_start; uint32_t lsig_id; uint32_t rule_matches = 0; struct cli_lsig_matches * ls_matches; struct cli_subsig_matches * ss_matches; uint32_t * offs; #endif YR_RULE* rule; YR_STRING* string; YR_MATCH* match; YR_OBJECT* object; YR_OBJECT_FUNCTION* function; char* identifier; int i; int found; int count; int result = -1; int cycle = 0; #if REAL_YARA int tidx = yr_get_tidx(); #else cli_dbgmsg("yara_exec: beginning execution for lsig %i\n", aclsig->id); #endif #ifdef PROFILING_ENABLED clock_t start = clock(); #endif while(1) { cli_dbgmsg("yara_exec: executing %i\n", *ip); switch(*ip) { case OP_HALT: // When the halt instruction is reached the stack // should be empty. assert(sp == 0); #if REAL_YARA return ERROR_SUCCESS; #else if (rule_matches != 0) return CL_VIRUS; return CL_SUCCESS; #endif case OP_PUSH: memcpy(&r1, ip + 1, sizeof(uint64_t)); ip += sizeof(uint64_t); push(r1); break; case OP_POP: pop(r1); break; case OP_CLEAR_M: memcpy(&r1, ip + 1, sizeof(uint64_t)); ip += sizeof(uint64_t); mem[r1] = 0; break; case OP_ADD_M: memcpy(&r1, ip + 1, sizeof(uint64_t)); ip += sizeof(uint64_t); pop(r2); mem[r1] += r2; break; case OP_INCR_M: memcpy(&r1, ip + 1, sizeof(uint64_t)); ip += sizeof(uint64_t); mem[r1]++; break; case OP_PUSH_M: memcpy(&r1, ip + 1, sizeof(uint64_t)); ip += sizeof(uint64_t); push(mem[r1]); break; case OP_POP_M: memcpy(&r1, ip + 1, sizeof(uint64_t)); ip += sizeof(uint64_t); pop(mem[r1]); break; case OP_SWAPUNDEF: memcpy(&r1, ip + 1, sizeof(uint64_t)); ip += sizeof(uint64_t); pop(r2); if (r2 != UNDEFINED) push(r2); else push(mem[r1]); break; case OP_JNUNDEF: pop(r1); push(r1); if (r1 != UNDEFINED) { ip = *(uint8_t**)(ip + 1); // ip will be incremented at the end of the loop, // decrement it here to compensate. ip--; } else { ip += sizeof(uint64_t); } break; case OP_JLE: pop(r2); pop(r1); push(r1); push(r2); if (r1 <= r2) { ip = *(uint8_t**)(ip + 1); // ip will be incremented at the end of the loop, // decrement it here to compensate. ip--; } else { ip += sizeof(uint64_t); } break; case OP_AND: pop(r2); pop(r1); if (IS_UNDEFINED(r1) || IS_UNDEFINED(r2)) push(0); else push(r1 & r2); break; case OP_OR: pop(r2); pop(r1); if (IS_UNDEFINED(r1)) push(r2); else if (IS_UNDEFINED(r2)) push(r1); else push(r1 | r2); break; case OP_NOT: pop(r1); if (IS_UNDEFINED(r1)) push(UNDEFINED); else push(!r1); break; case OP_LT: pop(r2); pop(r1); push(comparison(<, r1, r2)); break; case OP_GT: pop(r2); pop(r1); push(comparison(>, r1, r2)); break; case OP_LE: pop(r2); pop(r1); push(comparison(<=, r1, r2)); break; case OP_GE: pop(r2); pop(r1); push(comparison(>=, r1, r2)); break; case OP_EQ: pop(r2); pop(r1); push(comparison(==, r1, r2)); break; case OP_NEQ: pop(r2); pop(r1); push(comparison(!=, r1, r2)); break; case OP_SZ_EQ: pop(r2); pop(r1); if (IS_UNDEFINED(r1) || IS_UNDEFINED(r2)) push(UNDEFINED); else push(strcmp(UINT64_TO_PTR(char*, r1), UINT64_TO_PTR(char*, r2)) == 0); break; case OP_SZ_NEQ: pop(r2); pop(r1); if (IS_UNDEFINED(r1) || IS_UNDEFINED(r2)) push(UNDEFINED); else push(strcmp(UINT64_TO_PTR(char*, r1), UINT64_TO_PTR(char*, r2)) != 0); break; case OP_SZ_TO_BOOL: pop(r1); if (IS_UNDEFINED(r1)) push(UNDEFINED); else push(strlen(UINT64_TO_PTR(char*, r1)) > 0); break; case OP_ADD: pop(r2); pop(r1); push(operation(+, r1, r2)); break; case OP_SUB: pop(r2); pop(r1); push(operation(-, r1, r2)); break; case OP_MUL: pop(r2); pop(r1); push(operation(*, r1, r2)); break; case OP_DIV: pop(r2); pop(r1); push(operation(/, r1, r2)); break; case OP_MOD: pop(r2); pop(r1); push(operation(%, r1, r2)); break; case OP_NEG: pop(r1); push(IS_UNDEFINED(r1) ? UNDEFINED : ~r1); break; case OP_SHR: pop(r2); pop(r1); push(operation(>>, r1, r2)); break; case OP_SHL: pop(r2); pop(r1); push(operation(<<, r1, r2)); break; case OP_XOR: pop(r2); pop(r1); push(operation(^, r1, r2)); break; case OP_PUSH_RULE: rule = *(YR_RULE**)(ip + 1); ip += sizeof(uint64_t); #if REAL_YARA push(rule->t_flags[tidx] & RULE_TFLAGS_MATCH ? 1 : 0); #else push(acdata->yr_matches[rule->lsigid]); #endif break; case OP_MATCH_RULE: pop(r1); rule = *(YR_RULE**)(ip + 1); ip += sizeof(uint64_t); if (!IS_UNDEFINED(r1) && r1) #if REAL_YARA rule->t_flags[tidx] |= RULE_TFLAGS_MATCH; #else { rule_matches++; acdata->yr_matches[aclsig->id] = 1; } #endif #ifdef PROFILING_ENABLED rule->clock_ticks += clock() - start; start = clock(); #endif break; case OP_OBJ_LOAD: identifier = *(char**)(ip + 1); ip += sizeof(uint64_t); object = (YR_OBJECT*) yr_hash_table_lookup( context->objects_table, identifier, NULL); assert(object != NULL); push(PTR_TO_UINT64(object)); break; #if REAL_YARA case OP_OBJ_FIELD: pop(r1); identifier = *(char**)(ip + 1); ip += sizeof(uint64_t); if (IS_UNDEFINED(r1)) { push(UNDEFINED); break; } object = UINT64_TO_PTR(YR_OBJECT*, r1); object = yr_object_lookup_field(object, identifier); assert(object != NULL); push(PTR_TO_UINT64(object)); break; #endif case OP_OBJ_VALUE: pop(r1); if (IS_UNDEFINED(r1)) { push(UNDEFINED); break; } object = UINT64_TO_PTR(YR_OBJECT*, r1); switch(object->type) { case OBJECT_TYPE_INTEGER: push(((YR_OBJECT_INTEGER*) object)->value); break; case OBJECT_TYPE_STRING: if (((YR_OBJECT_STRING*) object)->value != NULL) push(PTR_TO_UINT64(((YR_OBJECT_STRING*) object)->value)); else push(UNDEFINED); break; default: assert(FALSE); } break; #if REAL_YARA case OP_INDEX_ARRAY: pop(r1); pop(r2); if (r1 == UNDEFINED) { push(UNDEFINED); break; } object = UINT64_TO_PTR(YR_OBJECT*, r2); assert(object->type == OBJECT_TYPE_ARRAY); object = yr_object_array_get_item(object, 0, r1); if (object != NULL) push(PTR_TO_UINT64(object)); else push(UNDEFINED); break; #endif case OP_CALL: // r1 = number of arguments memcpy(&r1, ip + 1, sizeof(uint64_t)); ip += sizeof(uint64_t); // pop arguments from stack and copy them to args array while (r1 > 0) { pop(args[r1 - 1]); r1--; } pop(r2); function = UINT64_TO_PTR(YR_OBJECT_FUNCTION*, r2); result = function->code((void*) args, context, function); if (result == ERROR_SUCCESS) push(PTR_TO_UINT64(function->return_obj)); else return result; break; case OP_STR_FOUND: pop(r1); string = UINT64_TO_PTR(YR_STRING*, r1); #if REAL_YARA push(string->matches[tidx].tail != NULL ? 1 : 0); #else push(acdata->lsigsuboff_first[aclsig->id][string->subsig_id] != CLI_OFF_NONE ? 1 : 0); #endif break; case OP_STR_FOUND_AT: pop(r2); pop(r1); if (IS_UNDEFINED(r1)) { push(0); break; } string = UINT64_TO_PTR(YR_STRING*, r2); #if REAL_YARA match = string->matches[tidx].head; found = 0; while (match != NULL) { if (r1 == match->base + match->offset) { push(1); found = 1; break; } if (r1 < match->base + match->offset) break; match = match->next; } #else found = 0; ls_matches = acdata->lsig_matches[aclsig->id]; if (ls_matches != NULL) { ss_matches = ls_matches->matches[string->subsig_id]; if (ss_matches != NULL) { offs = ss_matches->offsets; for (i = 0; i < ss_matches->next; i++) { if (offs[i] == r1) { push(1); found = 1; break; } if (r1 < offs[i]) break; } } } #endif if (!found) push(0); break; case OP_STR_FOUND_IN: pop(r3); pop(r2); pop(r1); if (IS_UNDEFINED(r1) || IS_UNDEFINED(r2)) { push(0); break; } string = UINT64_TO_PTR(YR_STRING*, r3); #if REAL_YARA match = string->matches[tidx].head; found = FALSE; while (match != NULL && !found) { if (match->base + match->offset >= r1 && match->base + match->offset <= r2) { push(1); found = TRUE; } if (match->base + match->offset > r2) break; match = match->next; } #else found = FALSE; ls_matches = acdata->lsig_matches[aclsig->id]; if (ls_matches != NULL) { ss_matches = ls_matches->matches[string->subsig_id]; if (ss_matches != NULL) { offs = ss_matches->offsets; for (i = 0; i < ss_matches->next; i++) { if (offs[i] >= r1 && offs[i] <= r2) { push(1); found = TRUE; break; } if (r2 < offs[i]) break; } } } #endif if (!found) push(0); break; case OP_STR_COUNT: pop(r1); string = UINT64_TO_PTR(YR_STRING*, r1); #if REAL_YARA push(string->matches[tidx].count); #else push(acdata->lsigcnt[aclsig->id][string->subsig_id]); #endif break; case OP_STR_OFFSET: pop(r2); pop(r1); if (IS_UNDEFINED(r1)) { push(UNDEFINED); break; } string = UINT64_TO_PTR(YR_STRING*, r2); #if REAL_YARA match = string->matches[tidx].head; i = 1; found = FALSE; while (match != NULL && !found) { if (r1 == i) { push(match->base + match->offset); found = TRUE; } i++; match = match->next; } #else i = r1 - 1; found = FALSE; ls_matches = acdata->lsig_matches[aclsig->id]; if (ls_matches != NULL && i >= 0) { ss_matches = ls_matches->matches[string->subsig_id]; if (ss_matches != NULL) { if (i < ss_matches->next) { push(ss_matches->offsets[i]); found = TRUE; } } } #endif if (!found) push(UNDEFINED); break; case OP_OF: found = 0; count = 0; pop(r1); #if REAL_YARA while (r1 != UNDEFINED) { string = UINT64_TO_PTR(YR_STRING*, r1); if (string->matches[tidx].tail != NULL) found++; count++; pop(r1); } #else while (r1 != UNDEFINED) { string = UINT64_TO_PTR(YR_STRING*, r1); lsig_id = string->subsig_id; if (acdata->lsigsuboff_first[aclsig->id][lsig_id] != CLI_OFF_NONE) found++; count++; pop(r1); } #endif pop(r2); if (r2 != UNDEFINED) push(found >= r2 ? 1 : 0); else push(found >= count ? 1 : 0); break; case OP_FILESIZE: push(context->file_size); break; case OP_ENTRYPOINT: push(context->entry_point); break; #if REAL_YARA case OP_INT8: pop(r1); push(read_int8_t(context->mem_block, r1)); break; case OP_INT16: pop(r1); push(read_int16_t(context->mem_block, r1)); break; case OP_INT32: pop(r1); push(read_int32_t(context->mem_block, r1)); break; case OP_UINT8: pop(r1); push(read_uint8_t(context->mem_block, r1)); break; case OP_UINT16: pop(r1); push(read_uint16_t(context->mem_block, r1)); break; case OP_UINT32: pop(r1); push(read_uint32_t(context->mem_block, r1)); break; #else case OP_INT8: pop(r1); push(read_int8_t(context->fmap, r1)); break; case OP_INT16: pop(r1); push(read_int16_t(context->fmap, r1)); break; case OP_INT32: pop(r1); push(read_int32_t(context->fmap, r1)); break; case OP_UINT8: pop(r1); push(read_uint8_t(context->fmap, r1)); break; case OP_UINT16: pop(r1); push(read_uint16_t(context->fmap, r1)); break; case OP_UINT32: pop(r1); push(read_uint32_t(context->fmap, r1)); break; #endif case OP_CONTAINS: pop(r2); pop(r1); push(strstr(UINT64_TO_PTR(char*, r1), UINT64_TO_PTR(char*, r2)) != NULL); break; #if REAL_YARA //not supported ClamAV case OP_IMPORT: memcpy(&r1, ip + 1, sizeof(uint64_t)); ip += sizeof(uint64_t); FAIL_ON_ERROR(yr_modules_load( UINT64_TO_PTR(char*, r1), context)); break; #endif case OP_MATCHES: pop(r2); pop(r1); count = strlen(UINT64_TO_PTR(char*, r1)); if (count == 0) { push(FALSE); break; } #if REAL_YARA result = yr_re_exec( UINT64_TO_PTR(uint8_t*, r2), UINT64_TO_PTR(uint8_t*, r1), count, RE_FLAGS_SCAN, NULL, NULL); #else result = -1; //matches not currently supported in ClamAV. push(FALSE). #endif push(result >= 0); break; default: // Unknown instruction, this shouldn't happen. assert(FALSE); } if (timeout > 0) // timeout == 0 means no timeout { // Check for timeout every 10 instruction cycles. if (++cycle == 10) { if (difftime(time(NULL), start_time) > timeout) return ERROR_SCAN_TIMEOUT; cycle = 0; } } ip++; } // After executing the code the stack should be empty. assert(sp == 0); return ERROR_SUCCESS; }