DBG+GUI: removed yara

Duncan Ogilvie 2019-04-06 13:06:23 +02:00
parent 7d727d014d
commit 386e242645
No known key found for this signature in database
GPG Key ID: FC89E0AAA0C1AAD8
57 changed files with 4 additions and 6307 deletions


@ -12,8 +12,6 @@ mkdir %RELEASEDIR%\pluginsdk\jansson
mkdir %RELEASEDIR%\pluginsdk\lz4
mkdir %RELEASEDIR%\pluginsdk\TitanEngine
mkdir %RELEASEDIR%\pluginsdk\XEDParse
mkdir %RELEASEDIR%\pluginsdk\yara
mkdir %RELEASEDIR%\pluginsdk\yara\yara
xcopy src\dbg\dbghelp %RELEASEDIR%\pluginsdk\dbghelp /S /Y
xcopy src\dbg\DeviceNameResolver %RELEASEDIR%\pluginsdk\DeviceNameResolver /S /Y
@ -22,7 +20,6 @@ xcopy src\dbg\lz4 %RELEASEDIR%\pluginsdk\lz4 /S /Y
xcopy src\dbg\TitanEngine %RELEASEDIR%\pluginsdk\TitanEngine /S /Y
del %RELEASEDIR%\pluginsdk\TitanEngine\TitanEngine.txt /F /Q
xcopy src\dbg\XEDParse %RELEASEDIR%\pluginsdk\XEDParse /S /Y
xcopy src\dbg\yara %RELEASEDIR%\pluginsdk\yara /S /Y
copy src\dbg\_plugin_types.h %RELEASEDIR%\pluginsdk\_plugin_types.h
copy src\dbg\_plugins.h %RELEASEDIR%\pluginsdk\_plugins.h
copy src\dbg\_scriptapi*.h %RELEASEDIR%\pluginsdk\_scriptapi*.h


@ -7,7 +7,6 @@
#include "debugger.h"
#include "filehelper.h"
#include "label.h"
#include "yara/yara.h"
#include "stringformat.h"
#include "disasm_helper.h"
#include "symbolinfo.h"
@ -947,299 +946,6 @@ bool cbInstrGUIDFind(int argc, char* argv[])
return true;
}
static void yaraCompilerCallback(int error_level, const char* file_name, int line_number, const char* message, void* user_data)
{
switch(error_level)
{
case YARA_ERROR_LEVEL_ERROR:
dprintf(QT_TRANSLATE_NOOP("DBG", "[YARA ERROR] "));
break;
case YARA_ERROR_LEVEL_WARNING:
dprintf(QT_TRANSLATE_NOOP("DBG", "[YARA WARNING] "));
break;
}
dprintf(QT_TRANSLATE_NOOP("DBG", "File: \"%s\", Line: %d, Message: \"%s\"\n"), file_name, line_number, message);
}
static String yara_print_string(const uint8_t* data, int length)
{
String result = "\"";
const char* str = (const char*)data;
for(int i = 0; i < length; i++)
{
char cur[16] = "";
if(str[i] >= 32 && str[i] <= 126)
sprintf_s(cur, "%c", str[i]);
else
sprintf_s(cur, "\\x%02X", (uint8_t)str[i]);
result += cur;
}
result += "\"";
return result;
}
static String yara_print_hex_string(const uint8_t* data, int length)
{
String result = "";
for(int i = 0; i < length; i++)
{
if(i)
result += " ";
char cur[16] = "";
sprintf_s(cur, "%02X", (uint8_t)data[i]);
result += cur;
}
return result;
}
struct YaraScanInfo
{
duint base;
int index;
bool rawFile;
const char* modname;
bool debug;
YaraScanInfo(duint base, bool rawFile, const char* modname, bool debug)
: base(base), index(0), rawFile(rawFile), modname(modname), debug(debug)
{
}
};
static int yaraScanCallback(int message, void* message_data, void* user_data)
{
YaraScanInfo* scanInfo = (YaraScanInfo*)user_data;
bool debug = scanInfo->debug;
switch(message)
{
case CALLBACK_MSG_RULE_MATCHING:
{
duint base = scanInfo->base;
YR_RULE* yrRule = (YR_RULE*)message_data;
auto addReference = [scanInfo, yrRule](duint addr, const char* identifier, const std::string & pattern)
{
auto index = scanInfo->index;
GuiReferenceSetRowCount(index + 1);
scanInfo->index++;
char addr_text[deflen] = "";
sprintf_s(addr_text, "%p", addr);
GuiReferenceSetCellContent(index, 0, addr_text); //Address
String ruleFullName = "";
ruleFullName += yrRule->identifier;
if(identifier)
{
ruleFullName += ".";
ruleFullName += identifier;
}
GuiReferenceSetCellContent(index, 1, ruleFullName.c_str()); //Rule
GuiReferenceSetCellContent(index, 2, pattern.c_str()); //Data
};
if(STRING_IS_NULL(yrRule->strings))
{
if(debug)
dprintf(QT_TRANSLATE_NOOP("DBG", "[YARA] Global rule \"%s\" matched!\n"), yrRule->identifier);
addReference(base, nullptr, "");
}
else
{
if(debug)
dprintf(QT_TRANSLATE_NOOP("DBG", "[YARA] Rule \"%s\" matched:\n"), yrRule->identifier);
YR_STRING* string;
yr_rule_strings_foreach(yrRule, string)
{
YR_MATCH* match;
yr_string_matches_foreach(string, match)
{
String pattern;
if(STRING_IS_HEX(string))
pattern = yara_print_hex_string(match->data, match->match_length);
else
pattern = yara_print_string(match->data, match->match_length);
auto offset = duint(match->base + match->offset);
duint addr;
if(scanInfo->rawFile) //convert raw offset to virtual offset
addr = valfileoffsettova(scanInfo->modname, offset);
else
addr = base + offset;
if(debug)
dprintf(QT_TRANSLATE_NOOP("DBG", "[YARA] String \"%s\" : %s on %p\n"), string->identifier, pattern.c_str(), addr);
addReference(addr, string->identifier, pattern);
}
}
}
}
break;
case CALLBACK_MSG_RULE_NOT_MATCHING:
{
YR_RULE* yrRule = (YR_RULE*)message_data;
if(debug)
dprintf(QT_TRANSLATE_NOOP("DBG", "[YARA] Rule \"%s\" did not match!\n"), yrRule->identifier);
}
break;
case CALLBACK_MSG_SCAN_FINISHED:
{
if(debug)
dputs(QT_TRANSLATE_NOOP("DBG", "[YARA] Scan finished!"));
}
break;
case CALLBACK_MSG_IMPORT_MODULE:
{
YR_MODULE_IMPORT* yrModuleImport = (YR_MODULE_IMPORT*)message_data;
if(debug)
dprintf(QT_TRANSLATE_NOOP("DBG", "[YARA] Imported module \"%s\"!\n"), yrModuleImport->module_name);
}
break;
}
return ERROR_SUCCESS; //nicely undocumented what this should be
}
bool cbInstrYara(int argc, char* argv[])
{
if(IsArgumentsLessThan(argc, 2))
return false;
duint addr = 0;
SELECTIONDATA sel;
GuiSelectionGet(GUI_DISASSEMBLY, &sel);
addr = sel.start;
duint base = 0;
duint size = 0;
duint mod = argc > 2 ? ModBaseFromName(argv[2]) : 0;
bool rawFile = false;
if(mod)
{
base = mod;
size = ModSizeFromAddr(base);
rawFile = argc > 3 && *argv[3] == '1';
}
else
{
if(argc > 2 && !valfromstring(argv[2], &addr))
{
dprintf(QT_TRANSLATE_NOOP("DBG", "Invalid value \"%s\"!\n"), argv[2]);
return false;
}
size = 0;
if(argc > 3)
if(!valfromstring(argv[3], &size))
size = 0;
if(!size)
addr = MemFindBaseAddr(addr, &size);
base = addr;
}
std::vector<unsigned char> rawFileData;
if(rawFile) //read the file from disk
{
char modPath[MAX_PATH] = "";
if(!ModPathFromAddr(base, modPath, MAX_PATH))
{
dprintf(QT_TRANSLATE_NOOP("DBG", "Failed to get module path for %p!\n"), base);
return false;
}
if(!FileHelper::ReadAllData(modPath, rawFileData))
{
dprintf(QT_TRANSLATE_NOOP("DBG", "Failed to read file \"%s\"!\n"), modPath);
return false;
}
size = rawFileData.size();
}
Memory<uint8_t*> data(size);
if(rawFile)
memcpy(data(), rawFileData.data(), size);
else
{
memset(data(), 0xCC, data.size());
MemReadDumb(base, data(), size);
}
String rulesContent;
if(!FileHelper::ReadAllText(argv[1], rulesContent))
{
dprintf(QT_TRANSLATE_NOOP("DBG", "Failed to read the rules file \"%s\"\n"), argv[1]);
return false;
}
bool bSuccess = false;
YR_COMPILER* yrCompiler;
if(yr_compiler_create(&yrCompiler) == ERROR_SUCCESS)
{
yr_compiler_set_callback(yrCompiler, yaraCompilerCallback, 0);
if(yr_compiler_add_string(yrCompiler, rulesContent.c_str(), nullptr) == 0) //no errors found
{
YR_RULES* yrRules;
if(yr_compiler_get_rules(yrCompiler, &yrRules) == ERROR_SUCCESS)
{
//initialize new reference tab
char modname[MAX_MODULE_SIZE] = "";
if(!ModNameFromAddr(base, modname, true))
sprintf_s(modname, "%p", base);
String fullName;
const char* fileName = strrchr(argv[1], '\\');
if(fileName)
fullName = fileName + 1;
else
fullName = argv[1];
fullName += " (";
fullName += modname;
fullName += ")"; //nanana, very ugly code (long live open source)
GuiReferenceInitialize(fullName.c_str());
GuiReferenceAddColumn(sizeof(duint) * 2, GuiTranslateText(QT_TRANSLATE_NOOP("DBG", "Address")));
GuiReferenceAddColumn(48, GuiTranslateText(QT_TRANSLATE_NOOP("DBG", "Rule")));
GuiReferenceAddColumn(10, GuiTranslateText(QT_TRANSLATE_NOOP("DBG", "Data")));
GuiReferenceSetRowCount(0);
GuiReferenceReloadData();
YaraScanInfo scanInfo(base, rawFile, argc > 2 ? argv[2] : modname, settingboolget("Engine", "YaraDebug"));
duint ticks = GetTickCount();
dputs(QT_TRANSLATE_NOOP("DBG", "[YARA] Scan started..."));
int err = yr_rules_scan_mem(yrRules, data(), size, 0, yaraScanCallback, &scanInfo, 0);
GuiReferenceReloadData();
switch(err)
{
case ERROR_SUCCESS:
dprintf(QT_TRANSLATE_NOOP("DBG", "%u scan results in %ums...\n"), DWORD(scanInfo.index), GetTickCount() - DWORD(ticks));
bSuccess = true;
break;
case ERROR_TOO_MANY_MATCHES:
dputs(QT_TRANSLATE_NOOP("DBG", "Too many matches!"));
break;
default:
dputs(QT_TRANSLATE_NOOP("DBG", "Error while scanning memory!"));
break;
}
yr_rules_destroy(yrRules);
}
else
dputs(QT_TRANSLATE_NOOP("DBG", "Error while getting the rules!"));
}
else
dputs(QT_TRANSLATE_NOOP("DBG", "Errors in the rules file!"));
yr_compiler_destroy(yrCompiler);
}
else
dputs(QT_TRANSLATE_NOOP("DBG", "yr_compiler_create failed!"));
return bSuccess;
}
bool cbInstrYaramod(int argc, char* argv[])
{
if(IsArgumentsLessThan(argc, 3))
return false;
if(!ModBaseFromName(argv[2]))
{
dprintf(QT_TRANSLATE_NOOP("DBG", "Invalid module \"%s\"!\n"), argv[2]);
return false;
}
return cmddirectexec(StringUtils::sprintf("yara \"%s\",\"%s\",%s", argv[1], argv[2], argc > 3 && *argv[3] == '1' ? "1" : "0").c_str());
}
bool cbInstrSetMaxFindResult(int argc, char* argv[])
{
if(IsArgumentsLessThan(argc, 2))


@ -12,6 +12,4 @@ bool cbInstrRefStr(int argc, char* argv[]);
bool cbInstrRefFuncionPointer(int argc, char* argv[]);
bool cbInstrModCallFind(int argc, char* argv[]);
bool cbInstrGUIDFind(int argc, char* argv[]);
bool cbInstrYara(int argc, char* argv[]);
bool cbInstrYaramod(int argc, char* argv[]);
bool cbInstrSetMaxFindResult(int argc, char* argv[]);


@ -26,7 +26,6 @@
#include "expressionfunctions.h"
#include "formatfunctions.h"
#include "stringformat.h"
#include "yara/yara.h"
#include "dbghelp_safe.h"
static MESSAGE_STACK* gMsgStack = 0;
@ -275,8 +274,6 @@ static void registercommands()
dbgcmdnew("refstr,strref", cbInstrRefStr, true); //find string references
dbgcmdnew("reffunctionpointer", cbInstrRefFuncionPointer, true); //find function pointers
dbgcmdnew("modcallfind", cbInstrModCallFind, true); //find intermodular calls
dbgcmdnew("yara", cbInstrYara, true); //yara test command
dbgcmdnew("yaramod", cbInstrYaramod, true); //yara rule on module
dbgcmdnew("setmaxfindresult,findsetmaxresult", cbInstrSetMaxFindResult, false); //set the maximum number of occurences found
dbgcmdnew("guidfind,findguid", cbInstrGUIDFind, true); //find GUID references TODO: undocumented
@ -648,9 +645,6 @@ extern "C" DLL_EXPORT const char* _dbg_dbginit()
//#endif //ENABLE_MEM_TRACE
dputs(QT_TRANSLATE_NOOP("DBG", "Initializing Zydis..."));
Zydis::GlobalInitialize();
dputs(QT_TRANSLATE_NOOP("DBG", "Initializing Yara..."));
if(yr_initialize() != ERROR_SUCCESS)
return "Failed to initialize Yara!";
dputs(QT_TRANSLATE_NOOP("DBG", "Getting directory information..."));
strcpy_s(scriptDllDir, szProgramDir);
@ -778,7 +772,6 @@ extern "C" DLL_EXPORT void _dbg_dbgexitsignal()
dputs(QT_TRANSLATE_NOOP("DBG", "Cleaning up allocated data..."));
cmdfree();
varfree();
yr_finalize();
Zydis::GlobalFinalize();
dputs(QT_TRANSLATE_NOOP("DBG", "Cleaning up wait objects..."));
waitdeinitialize();


@ -247,9 +247,6 @@
<ClInclude Include="watch.h" />
<ClInclude Include="WinInet-Downloader\downslib.h" />
<ClInclude Include="xrefs.h" />
<ClInclude Include="yara\yara\integers.h" />
<ClInclude Include="yara\yara\stream.h" />
<ClInclude Include="yara\yara\threading.h" />
<ClInclude Include="_scriptapi.h" />
<ClInclude Include="simplescript.h" />
<ClInclude Include="stackinfo.h" />
@ -264,36 +261,6 @@
<ClInclude Include="variable.h" />
<ClInclude Include="x64dbg.h" />
<ClInclude Include="XEDParse\XEDParse.h" />
<ClInclude Include="yara\yara.h" />
<ClInclude Include="yara\yara\ahocorasick.h" />
<ClInclude Include="yara\yara\arena.h" />
<ClInclude Include="yara\yara\atoms.h" />
<ClInclude Include="yara\yara\compiler.h" />
<ClInclude Include="yara\yara\elf.h" />
<ClInclude Include="yara\yara\error.h" />
<ClInclude Include="yara\yara\exec.h" />
<ClInclude Include="yara\yara\exefiles.h" />
<ClInclude Include="yara\yara\filemap.h" />
<ClInclude Include="yara\yara\globals.h" />
<ClInclude Include="yara\yara\hash.h" />
<ClInclude Include="yara\yara\hex_lexer.h" />
<ClInclude Include="yara\yara\lexer.h" />
<ClInclude Include="yara\yara\libyara.h" />
<ClInclude Include="yara\yara\limits.h" />
<ClInclude Include="yara\yara\mem.h" />
<ClInclude Include="yara\yara\modules.h" />
<ClInclude Include="yara\yara\object.h" />
<ClInclude Include="yara\yara\parser.h" />
<ClInclude Include="yara\yara\pe.h" />
<ClInclude Include="yara\yara\proc.h" />
<ClInclude Include="yara\yara\re.h" />
<ClInclude Include="yara\yara\re_lexer.h" />
<ClInclude Include="yara\yara\rules.h" />
<ClInclude Include="yara\yara\scan.h" />
<ClInclude Include="yara\yara\sizedstr.h" />
<ClInclude Include="yara\yara\strutils.h" />
<ClInclude Include="yara\yara\types.h" />
<ClInclude Include="yara\yara\utils.h" />
<ClInclude Include="_exports.h" />
<ClInclude Include="_dbgfunctions.h" />
<ClInclude Include="_global.h" />
@ -416,7 +383,7 @@
<SubSystem>Windows</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<AdditionalDependencies>ntdll\ntdll_x86.lib;$(ProjectDir)..\zydis_wrapper\bin\x32\zydis_wrapper.lib;yara\yara_x86.lib;lz4\lz4_x86.lib;jansson\jansson_x86.lib;DeviceNameResolver\DeviceNameResolver_x86.lib;XEDParse\XEDParse_x86.lib;$(SolutionDir)bin\x32\x32bridge.lib;dbghelp\dbghelp_x86.lib;TitanEngine\TitanEngine_x86.lib;ws2_32.lib;psapi.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;shlwapi.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>ntdll\ntdll_x86.lib;$(ProjectDir)..\zydis_wrapper\bin\x32\zydis_wrapper.lib;lz4\lz4_x86.lib;jansson\jansson_x86.lib;DeviceNameResolver\DeviceNameResolver_x86.lib;XEDParse\XEDParse_x86.lib;$(SolutionDir)bin\x32\x32bridge.lib;dbghelp\dbghelp_x86.lib;TitanEngine\TitanEngine_x86.lib;ws2_32.lib;psapi.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;shlwapi.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
@ -437,7 +404,7 @@
<SubSystem>Windows</SubSystem>
<EnableCOMDATFolding>false</EnableCOMDATFolding>
<OptimizeReferences>false</OptimizeReferences>
<AdditionalDependencies>ntdll\ntdll_x86.lib;$(ProjectDir)..\zydis_wrapper\bin\x32d\zydis_wrapper.lib;yara\yara_x86.lib;lz4\lz4_x86.lib;jansson\jansson_x86.lib;DeviceNameResolver\DeviceNameResolver_x86.lib;XEDParse\XEDParse_x86.lib;$(SolutionDir)bin\x32d\x32bridge.lib;dbghelp\dbghelp_x86.lib;TitanEngine\TitanEngine_x86.lib;ws2_32.lib;psapi.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;shlwapi.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>ntdll\ntdll_x86.lib;$(ProjectDir)..\zydis_wrapper\bin\x32d\zydis_wrapper.lib;lz4\lz4_x86.lib;jansson\jansson_x86.lib;DeviceNameResolver\DeviceNameResolver_x86.lib;XEDParse\XEDParse_x86.lib;$(SolutionDir)bin\x32d\x32bridge.lib;dbghelp\dbghelp_x86.lib;TitanEngine\TitanEngine_x86.lib;ws2_32.lib;psapi.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;shlwapi.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
@ -464,7 +431,7 @@
<SubSystem>Windows</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<AdditionalDependencies>$(ProjectDir)..\zydis_wrapper\bin\x64\zydis_wrapper.lib;ntdll\ntdll_x64.lib;yara\yara_x64.lib;lz4\lz4_x64.lib;jansson\jansson_x64.lib;DeviceNameResolver\DeviceNameResolver_x64.lib;XEDParse\XEDParse_x64.lib;$(SolutionDir)bin\x64\x64bridge.lib;dbghelp\dbghelp_x64.lib;TitanEngine\TitanEngine_x64.lib;ws2_32.lib;psapi.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;shlwapi.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>$(ProjectDir)..\zydis_wrapper\bin\x64\zydis_wrapper.lib;ntdll\ntdll_x64.lib;lz4\lz4_x64.lib;jansson\jansson_x64.lib;DeviceNameResolver\DeviceNameResolver_x64.lib;XEDParse\XEDParse_x64.lib;$(SolutionDir)bin\x64\x64bridge.lib;dbghelp\dbghelp_x64.lib;TitanEngine\TitanEngine_x64.lib;ws2_32.lib;psapi.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;shlwapi.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
@ -488,7 +455,7 @@
<SubSystem>Windows</SubSystem>
<EnableCOMDATFolding>false</EnableCOMDATFolding>
<OptimizeReferences>false</OptimizeReferences>
<AdditionalDependencies>$(ProjectDir)..\zydis_wrapper\bin\x64d\zydis_wrapper.lib;ntdll\ntdll_x64.lib;yara\yara_x64.lib;lz4\lz4_x64.lib;jansson\jansson_x64.lib;DeviceNameResolver\DeviceNameResolver_x64.lib;XEDParse\XEDParse_x64.lib;$(SolutionDir)bin\x64d\x64bridge.lib;dbghelp\dbghelp_x64.lib;TitanEngine\TitanEngine_x64.lib;ws2_32.lib;psapi.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;shlwapi.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>$(ProjectDir)..\zydis_wrapper\bin\x64d\zydis_wrapper.lib;ntdll\ntdll_x64.lib;lz4\lz4_x64.lib;jansson\jansson_x64.lib;DeviceNameResolver\DeviceNameResolver_x64.lib;XEDParse\XEDParse_x64.lib;$(SolutionDir)bin\x64d\x64bridge.lib;dbghelp\dbghelp_x64.lib;TitanEngine\TitanEngine_x64.lib;ws2_32.lib;psapi.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;shlwapi.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
</ItemDefinitionGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />


@ -63,12 +63,6 @@
<Filter Include="Header Files\Information">
<UniqueIdentifier>{b006b04c-d7ea-49cb-b097-0cac1388f98e}</UniqueIdentifier>
</Filter>
<Filter Include="Header Files\Third Party\yara">
<UniqueIdentifier>{efe5d058-e77c-49e9-a25b-75b90346dbf2}</UniqueIdentifier>
</Filter>
<Filter Include="Header Files\Third Party\yara\yara">
<UniqueIdentifier>{f79c5166-e315-44ca-9e93-dabc9f00fa78}</UniqueIdentifier>
</Filter>
<Filter Include="Header Files\Analysis">
<UniqueIdentifier>{3aba2399-cfdf-40be-9265-2062f983bbfd}</UniqueIdentifier>
</Filter>
@ -604,96 +598,6 @@
<ClInclude Include="dbghelp_safe.h">
<Filter>Header Files\Utilities</Filter>
</ClInclude>
<ClInclude Include="yara\yara.h">
<Filter>Header Files\Third Party\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\ahocorasick.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\arena.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\atoms.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\compiler.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\elf.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\error.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\exec.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\exefiles.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\filemap.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\globals.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\hash.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\hex_lexer.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\lexer.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\libyara.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\limits.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\mem.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\modules.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\object.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\parser.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\pe.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\proc.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\re.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\re_lexer.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\rules.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\scan.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\sizedstr.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\strutils.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\types.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\utils.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="stringformat.h">
<Filter>Header Files\Utilities</Filter>
</ClInclude>
@ -748,9 +652,6 @@
<ClInclude Include="jit.h">
<Filter>Header Files\Debugger Core</Filter>
</ClInclude>
<ClInclude Include="yara\yara\stream.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="commandline.h">
<Filter>Header Files\Information</Filter>
</ClInclude>
@ -856,12 +757,6 @@
<ClInclude Include="exprfunc.h">
<Filter>Header Files\Debugger Core</Filter>
</ClInclude>
<ClInclude Include="yara\yara\integers.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="yara\yara\threading.h">
<Filter>Header Files\Third Party\yara\yara</Filter>
</ClInclude>
<ClInclude Include="animate.h">
<Filter>Header Files\Utilities</Filter>
</ClInclude>


@ -1,43 +0,0 @@
/*
Copyright (c) 2007-2013. The YARA Authors. All Rights Reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors
may be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef YR_YARA_H
#define YR_YARA_H
#include "yara/utils.h"
#include "yara/filemap.h"
#include "yara/compiler.h"
#include "yara/modules.h"
#include "yara/object.h"
#include "yara/libyara.h"
#include "yara/error.h"
#include "yara/stream.h"
#include "yara/hash.h"
#endif


@ -1,84 +0,0 @@
/*
Copyright (c) 2013. The YARA Authors. All Rights Reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors
may be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef _AHOCORASICK_H
#define _AHOCORASICK_H
#include "limits.h"
#include "atoms.h"
#include "types.h"
#define YR_AC_ROOT_STATE 0
#define YR_AC_NEXT_STATE(t) (t >> 32)
#define YR_AC_INVALID_TRANSITION(t, c) (((t) & 0xFFFF) != c)
#define YR_AC_MAKE_TRANSITION(state, code, flags) \
((uint64_t)((((uint64_t) state) << 32) | ((flags) << 16) | (code)))
#define YR_AC_USED_FLAG 0x1
#define YR_AC_USED_TRANSITION_SLOT(x) ((x) & (YR_AC_USED_FLAG << 16))
#define YR_AC_UNUSED_TRANSITION_SLOT(x) (!YR_AC_USED_TRANSITION_SLOT(x))
typedef struct _YR_AC_TABLES
{
YR_AC_TRANSITION* transitions;
YR_AC_MATCH_TABLE_ENTRY* matches;
} YR_AC_TABLES;
int yr_ac_automaton_create(
YR_AC_AUTOMATON** automaton);
int yr_ac_automaton_destroy(
YR_AC_AUTOMATON* automaton);
int yr_ac_add_string(
YR_AC_AUTOMATON* automaton,
YR_STRING* string,
YR_ATOM_LIST_ITEM* atom,
YR_ARENA* matches_arena);
int yr_ac_compile(
YR_AC_AUTOMATON* automaton,
YR_ARENA* arena,
YR_AC_TABLES* tables);
void yr_ac_print_automaton(
YR_AC_AUTOMATON* automaton);
#endif


@ -1,165 +0,0 @@
/*
Copyright (c) 2013. The YARA Authors. All Rights Reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors
may be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef YR_ARENA_H
#define YR_ARENA_H
#include <stddef.h>
#include "integers.h"
#include "stream.h"
#define ARENA_FLAGS_FIXED_SIZE 1
#define ARENA_FLAGS_COALESCED 2
#define ARENA_FILE_VERSION ((13 << 16) | MAX_THREADS)
#define EOL ((size_t) -1)
typedef struct _YR_RELOC
{
uint32_t offset;
struct _YR_RELOC* next;
} YR_RELOC;
typedef struct _YR_ARENA_PAGE
{
uint8_t* new_address;
uint8_t* address;
size_t size;
size_t used;
YR_RELOC* reloc_list_head;
YR_RELOC* reloc_list_tail;
struct _YR_ARENA_PAGE* next;
struct _YR_ARENA_PAGE* prev;
} YR_ARENA_PAGE;
typedef struct _YR_ARENA
{
int flags;
YR_ARENA_PAGE* page_list_head;
YR_ARENA_PAGE* current_page;
} YR_ARENA;
int yr_arena_create(
size_t initial_size,
int flags,
YR_ARENA** arena);
void yr_arena_destroy(
YR_ARENA* arena);
void* yr_arena_base_address(
YR_ARENA* arena);
void* yr_arena_next_address(
YR_ARENA* arena,
void* address,
size_t offset);
int yr_arena_coalesce(
YR_ARENA* arena);
int yr_arena_reserve_memory(
YR_ARENA* arena,
size_t size);
int yr_arena_allocate_memory(
YR_ARENA* arena,
size_t size,
void** allocated_memory);
int yr_arena_allocate_struct(
YR_ARENA* arena,
size_t size,
void** allocated_memory,
...);
int yr_arena_make_relocatable(
YR_ARENA* arena,
void* base,
...);
int yr_arena_write_data(
YR_ARENA* arena,
void* data,
size_t size,
void** written_data);
int yr_arena_write_string(
YR_ARENA* arena,
const char* string,
char** written_string);
int yr_arena_append(
YR_ARENA* target_arena,
YR_ARENA* source_arena);
int yr_arena_load_stream(
YR_STREAM* stream,
YR_ARENA** arena);
int yr_arena_save_stream(
YR_ARENA* arena,
YR_STREAM* stream);
int yr_arena_duplicate(
YR_ARENA* arena,
YR_ARENA** duplicated);
void yr_arena_print(
YR_ARENA* arena);
#endif


@ -1,102 +0,0 @@
/*
Copyright (c) 2013. The YARA Authors. All Rights Reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors
may be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef YR_ATOMS_H
#define YR_ATOMS_H
#include "limits.h"
#include "re.h"
#define ATOM_TREE_LEAF 1
#define ATOM_TREE_AND 2
#define ATOM_TREE_OR 3
typedef struct _ATOM_TREE_NODE
{
uint8_t type;
uint8_t atom_length;
uint8_t atom[MAX_ATOM_LENGTH];
uint8_t* forward_code;
uint8_t* backward_code;
RE_NODE* recent_nodes[MAX_ATOM_LENGTH];
struct _ATOM_TREE_NODE* children_head;
struct _ATOM_TREE_NODE* children_tail;
struct _ATOM_TREE_NODE* next_sibling;
} ATOM_TREE_NODE;
typedef struct _ATOM_TREE
{
ATOM_TREE_NODE* current_leaf;
ATOM_TREE_NODE* root_node;
} ATOM_TREE;
typedef struct _YR_ATOM_LIST_ITEM
{
uint8_t atom_length;
uint8_t atom[MAX_ATOM_LENGTH];
uint16_t backtrack;
uint8_t* forward_code;
uint8_t* backward_code;
struct _YR_ATOM_LIST_ITEM* next;
} YR_ATOM_LIST_ITEM;
int yr_atoms_extract_from_re(
RE_AST* re_ast,
int flags,
YR_ATOM_LIST_ITEM** atoms);
int yr_atoms_extract_from_string(
uint8_t* string,
int string_length,
int flags,
YR_ATOM_LIST_ITEM** atoms);
int yr_atoms_min_quality(
YR_ATOM_LIST_ITEM* atom_list);
void yr_atoms_list_destroy(
YR_ATOM_LIST_ITEM* list_head);
#endif


@ -1,228 +0,0 @@
/*
Copyright (c) 2013. The YARA Authors. All Rights Reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors
may be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef YR_COMPILER_H
#define YR_COMPILER_H
#include <stdio.h>
#include <setjmp.h>
#include "ahocorasick.h"
#include "arena.h"
#include "hash.h"
#include "utils.h"
#include "filemap.h"
#define YARA_ERROR_LEVEL_ERROR 0
#define YARA_ERROR_LEVEL_WARNING 1
typedef void (*YR_COMPILER_CALLBACK_FUNC)(
int error_level,
const char* file_name,
int line_number,
const char* message,
void* user_data);
typedef struct _YR_FIXUP
{
void* address;
struct _YR_FIXUP* next;
} YR_FIXUP;
typedef struct _YR_COMPILER
{
int errors;
int current_line;
int last_error;
int last_error_line;
int last_result;
jmp_buf error_recovery;
YR_ARENA* sz_arena;
YR_ARENA* rules_arena;
YR_ARENA* strings_arena;
YR_ARENA* code_arena;
YR_ARENA* re_code_arena;
YR_ARENA* compiled_rules_arena;
YR_ARENA* externals_arena;
YR_ARENA* namespaces_arena;
YR_ARENA* metas_arena;
YR_ARENA* matches_arena;
YR_ARENA* automaton_arena;
YR_AC_AUTOMATON* automaton;
YR_HASH_TABLE* rules_table;
YR_HASH_TABLE* objects_table;
YR_HASH_TABLE* strings_table;
YR_NAMESPACE* current_namespace;
YR_RULE* current_rule;
YR_FIXUP* fixup_stack_head;
int namespaces_count;
uint8_t* loop_address[MAX_LOOP_NESTING];
char* loop_identifier[MAX_LOOP_NESTING];
int loop_depth;
int loop_for_of_mem_offset;
int allow_includes;
char* file_name_stack[MAX_INCLUDE_DEPTH];
int file_name_stack_ptr;
FILE* file_stack[MAX_INCLUDE_DEPTH];
int file_stack_ptr;
char last_error_extra_info[MAX_COMPILER_ERROR_EXTRA_INFO];
char lex_buf[LEX_BUF_SIZE];
char* lex_buf_ptr;
unsigned short lex_buf_len;
char include_base_dir[MAX_PATH];
void* user_data;
YR_COMPILER_CALLBACK_FUNC callback;
} YR_COMPILER;
#define yr_compiler_set_error_extra_info(compiler, info) \
strlcpy( \
compiler->last_error_extra_info, \
info, \
sizeof(compiler->last_error_extra_info)); \
#define yr_compiler_set_error_extra_info_fmt(compiler, fmt, ...) \
snprintf( \
compiler->last_error_extra_info, \
sizeof(compiler->last_error_extra_info), \
fmt, __VA_ARGS__);
int _yr_compiler_push_file(
YR_COMPILER* compiler,
FILE* fh);
FILE* _yr_compiler_pop_file(
YR_COMPILER* compiler);
int _yr_compiler_push_file_name(
YR_COMPILER* compiler,
const char* file_name);
void _yr_compiler_pop_file_name(
YR_COMPILER* compiler);
YR_API int yr_compiler_create(
YR_COMPILER** compiler);
YR_API void yr_compiler_destroy(
YR_COMPILER* compiler);
YR_API void yr_compiler_set_callback(
YR_COMPILER* compiler,
YR_COMPILER_CALLBACK_FUNC callback,
void* user_data);
YR_API int yr_compiler_add_file(
YR_COMPILER* compiler,
FILE* rules_file,
const char* namespace_,
const char* file_name);
YR_API int yr_compiler_add_fd(
YR_COMPILER* compiler,
YR_FILE_DESCRIPTOR rules_fd,
const char* namespace_,
const char* file_name);
YR_API int yr_compiler_add_string(
YR_COMPILER* compiler,
const char* rules_string,
const char* namespace_);
YR_API char* yr_compiler_get_error_message(
YR_COMPILER* compiler,
char* buffer,
int buffer_size);
YR_API char* yr_compiler_get_current_file_name(
YR_COMPILER* context);
YR_API int yr_compiler_define_integer_variable(
YR_COMPILER* compiler,
const char* identifier,
int64_t value);
YR_API int yr_compiler_define_boolean_variable(
YR_COMPILER* compiler,
const char* identifier,
int value);
YR_API int yr_compiler_define_float_variable(
YR_COMPILER* compiler,
const char* identifier,
double value);
YR_API int yr_compiler_define_string_variable(
YR_COMPILER* compiler,
const char* identifier,
const char* value);
YR_API int yr_compiler_get_rules(
YR_COMPILER* compiler,
YR_RULES** rules);
#endif


@ -1,365 +0,0 @@
#ifndef YR_DOTNET_H
#define YR_DOTNET_H
//
// CLI header.
// ECMA-335 Section II.25.3.3
//
typedef struct _CLI_HEADER
{
DWORD Size; // Called "Cb" in documentation.
WORD MajorRuntimeVersion;
WORD MinorRuntimeVersion;
IMAGE_DATA_DIRECTORY MetaData;
DWORD Flags;
DWORD EntryPointToken;
IMAGE_DATA_DIRECTORY Resources;
IMAGE_DATA_DIRECTORY StrongNameSignature;
ULONGLONG CodeManagerTable;
IMAGE_DATA_DIRECTORY VTableFixups;
ULONGLONG ExportAddressTableJumps;
ULONGLONG ManagedNativeHeader;
} CLI_HEADER, *PCLI_HEADER;
#define NET_METADATA_MAGIC 0x424a5342
//
// CLI MetaData
// ECMA-335 Section II.24.2.1
//
// Note: This is only part of the struct, as the rest of it is variable length.
//
typedef struct _NET_METADATA
{
DWORD Magic;
WORD MajorVersion;
WORD MinorVersion;
DWORD Reserved;
DWORD Length;
char Version[0];
} NET_METADATA, *PNET_METADATA;
#define DOTNET_STREAM_NAME_SIZE 32
//
// CLI Stream Header
// ECMA-335 Section II.24.2.2
//
typedef struct _STREAM_HEADER
{
DWORD Offset;
DWORD Size;
char Name[0];
} STREAM_HEADER, *PSTREAM_HEADER;
//
// CLI #~ Stream Header
// ECMA-335 Section II.24.2.6
//
typedef struct _TILDE_HEADER
{
DWORD Reserved1;
BYTE MajorVersion;
BYTE MinorVersion;
BYTE HeapSizes;
BYTE Reserved2;
ULONGLONG Valid;
ULONGLONG Sorted;
} TILDE_HEADER, *PTILDE_HEADER;
// These are the bit positions in Valid which will be set if the table
// exists.
#define BIT_MODULE 0x00
#define BIT_TYPEREF 0x01
#define BIT_TYPEDEF 0x02
#define BIT_FIELDPTR 0x03 // Not documented in ECMA-335
#define BIT_FIELD 0x04
#define BIT_METHODDEFPTR 0x05 // Not documented in ECMA-335
#define BIT_METHODDEF 0x06
#define BIT_PARAMPTR 0x07 // Not documented in ECMA-335
#define BIT_PARAM 0x08
#define BIT_INTERFACEIMPL 0x09
#define BIT_MEMBERREF 0x0A
#define BIT_CONSTANT 0x0B
#define BIT_CUSTOMATTRIBUTE 0x0C
#define BIT_FIELDMARSHAL 0x0D
#define BIT_DECLSECURITY 0x0E
#define BIT_CLASSLAYOUT 0x0F
#define BIT_FIELDLAYOUT 0x10
#define BIT_STANDALONESIG 0x11
#define BIT_EVENTMAP 0x12
#define BIT_EVENTPTR 0x13 // Not documented in ECMA-335
#define BIT_EVENT 0x14
#define BIT_PROPERTYMAP 0x15
#define BIT_PROPERTYPTR 0x16 // Not documented in ECMA-335
#define BIT_PROPERTY 0x17
#define BIT_METHODSEMANTICS 0x18
#define BIT_METHODIMPL 0x19
#define BIT_MODULEREF 0x1A
#define BIT_TYPESPEC 0x1B
#define BIT_IMPLMAP 0x1C
#define BIT_FIELDRVA 0x1D
#define BIT_ENCLOG 0x1E // Not documented in ECMA-335
#define BIT_ENCMAP 0x1F // Not documented in ECMA-335
#define BIT_ASSEMBLY 0x20
#define BIT_ASSEMBLYPROCESSOR 0x21
#define BIT_ASSEMBLYOS 0x22
#define BIT_ASSEMBLYREF 0x23
#define BIT_ASSEMBLYREFPROCESSOR 0x24
#define BIT_ASSEMBLYREFOS 0x25
#define BIT_FILE 0x26
#define BIT_EXPORTEDTYPE 0x27
#define BIT_MANIFESTRESOURCE 0x28
#define BIT_NESTEDCLASS 0x29
#define BIT_GENERICPARAM 0x2A
#define BIT_METHODSPEC 0x2B
#define BIT_GENERICPARAMCONSTRAINT 0x2C
// These are not documented in ECMA-335 nor is it clear what the format is.
// They are for debugging information as far as I can tell.
//#define BIT_DOCUMENT 0x30
//#define BIT_METHODDEBUGINFORMATION 0x31
//#define BIT_LOCALSCOPE 0x32
//#define BIT_LOCALVARIABLE 0x33
//#define BIT_LOCALCONSTANT 0x34
//#define BIT_IMPORTSCOPE 0x35
//#define BIT_STATEMACHINEMETHOD 0x36
//
// Element types. Note this is not a complete list as we aren't parsing all of
// them. This only includes the ones we care about.
// ECMA-335 Section II.23.1.16
//
#define ELEMENT_TYPE_STRING 0x0E
// The string length of a typelib attribute is at most 0xFF.
#define MAX_TYPELIB_SIZE 0xFF
//
// Module table
// ECMA-335 Section II.22.30
//
typedef struct _MODULE_TABLE
{
WORD Generation;
union
{
WORD Name_Short;
DWORD Name_Long;
} Name;
union
{
WORD Mvid_Short;
DWORD Mvid_Long;
} Mvid;
union
{
WORD EncId_Short;
DWORD EncId_Long;
} EncId;
union
{
WORD EncBaseId_Short;
DWORD EncBaseId_Long;
} EncBaseId;
} MODULE_TABLE, *PMODULE_TABLE;
//
// Assembly Table
// ECMA-335 Section II.22.2
//
typedef struct _ASSEMBLY_TABLE
{
DWORD HashAlgId;
WORD MajorVersion;
WORD MinorVersion;
WORD BuildNumber;
WORD RevisionNumber;
DWORD Flags;
union
{
WORD PublicKey_Short;
DWORD PublicKey_Long;
} PublicKey;
union
{
WORD Name_Short;
DWORD Name_Long;
} Name;
} ASSEMBLY_TABLE, *PASSEMBLY_TABLE;
//
// Assembly Reference Table
// ECMA-335 Section II.22.5
//
typedef struct _ASSEMBLYREF_TABLE
{
WORD MajorVersion;
WORD MinorVersion;
WORD BuildNumber;
WORD RevisionNumber;
DWORD Flags;
union
{
WORD PublicKeyOrToken_Short;
DWORD PublicKeyOrToken_Long;
} PublicKeyOrToken;
union
{
WORD Name_Short;
DWORD Name_Long;
} Name;
} ASSEMBLYREF_TABLE, *PASSEMBLYREF_TABLE;
//
// Manifest Resource Table
// ECMA-335 Section II.22.24
//
typedef struct _MANIFESTRESOURCE_TABLE
{
DWORD Offset;
DWORD Flags;
union
{
WORD Name_Short;
DWORD Name_Long;
} Name;
union
{
WORD Implementation_Short;
DWORD Implementation_Long;
} Implementation;
} MANIFESTRESOURCE_TABLE, *PMANIFESTRESOURCE_TABLE;
//
// ModuleRef Table
// ECMA-335 Section II.22.31
//
// This is a short table, but necessary because the field size can change.
//
typedef struct _MODULEREF_TABLE
{
union
{
WORD Name_Short;
DWORD Name_Long;
} Name;
} MODULEREF_TABLE, *PMODULEREF_TABLE;
//
// CustomAttribute Table
// ECMA-335 Section II.22.10
//
typedef struct _CUSTOMATTRIBUTE_TABLE
{
union
{
WORD Parent_Short;
DWORD Parent_Long;
} Parent;
union
{
WORD Type_Short;
DWORD Type_Long;
} Type;
union
{
WORD Value_Short;
DWORD Value_Long;
} Value;
} CUSTOMATTRIBUTE_TABLE, *PCUSTOMATTRIBUTE_TABLE;
//
// Constant TAble
// ECMA-335 Section II.22.9
//
typedef struct _CONSTANT_TABLE
{
WORD Type;
union
{
WORD Parent_Short;
DWORD Parent_Long;
} Parent;
union
{
WORD Value_Short;
DWORD Value_Long;
} Value;
} CONSTANT_TABLE, *PCONSTANT_TABLE;
// Used to return offsets to the various headers.
typedef struct _STREAMS
{
PSTREAM_HEADER guid;
PSTREAM_HEADER tilde;
PSTREAM_HEADER string;
PSTREAM_HEADER blob;
PSTREAM_HEADER us;
} STREAMS, *PSTREAMS;
// Used to return the value of parsing a #US or #Blob entry.
// ECMA-335 Section II.24.2.4
typedef struct _BLOB_PARSE_RESULT
{
uint8_t size; // Number of bytes parsed. This is the new offset.
DWORD length; // Value of the bytes parsed. This is the blob length.
} BLOB_PARSE_RESULT, *PBLOB_PARSE_RESULT;
// Used to store the number of rows of each table.
typedef struct _ROWS
{
uint32_t module;
uint32_t moduleref;
uint32_t assemblyref;
uint32_t typeref;
uint32_t methoddef;
uint32_t memberref;
uint32_t typedef_;
uint32_t typespec;
uint32_t field;
uint32_t param;
uint32_t property;
uint32_t interfaceimpl;
uint32_t event;
uint32_t standalonesig;
uint32_t assembly;
uint32_t file;
uint32_t exportedtype;
uint32_t manifestresource;
uint32_t genericparam;
uint32_t genericparamconstraint;
uint32_t methodspec;
uint32_t assemblyrefprocessor;
} ROWS, *PROWS;
// Used to store the index sizes for the various tables.
typedef struct _INDEX_SIZES
{
uint8_t string;
uint8_t guid;
uint8_t blob;
uint8_t field;
uint8_t methoddef;
uint8_t memberref;
uint8_t param;
uint8_t event;
uint8_t typedef_;
uint8_t property;
uint8_t moduleref;
uint8_t assemblyrefprocessor;
uint8_t assemblyref;
uint8_t genericparam;
} INDEX_SIZES, *PINDEX_SIZES;
#endif


@ -1,323 +0,0 @@
/*
Copyright (c) 2013. The YARA Authors. All Rights Reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors
may be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef _ELF_H
#define _ELF_H
#include "integers.h"
// 32-bit ELF base types
typedef uint32_t elf32_addr_t;
typedef uint16_t elf32_half_t;
typedef uint32_t elf32_off_t;
typedef uint32_t elf32_word_t;
// 64-bit ELF base types
typedef uint64_t elf64_addr_t;
typedef uint16_t elf64_half_t;
typedef uint64_t elf64_off_t;
typedef uint32_t elf64_word_t;
typedef uint64_t elf64_xword_t;
#define ELF_MAGIC 0x464C457F
#define ELF_ET_NONE 0x0000 // no type
#define ELF_ET_REL 0x0001 // relocatable
#define ELF_ET_EXEC 0x0002 // executable
#define ELF_ET_DYN 0x0003 // Shared-Object-File
#define ELF_ET_CORE 0x0004 // Corefile
#define ELF_ET_LOPROC 0xFF00 // Processor-specific
#define ELF_ET_HIPROC 0x00FF // Processor-specific
#define ELF_EM_NONE 0x0000 // no type
#define ELF_EM_M32 0x0001 // AT&T WE 32100
#define ELF_EM_SPARC 0x0002 // SPARC
#define ELF_EM_386 0x0003 // Intel 80386
#define ELF_EM_68K 0x0004 // Motorola 68000
#define ELF_EM_88K 0x0005 // Motorola 88000
#define ELF_EM_860 0x0007 // Intel 80860
#define ELF_EM_MIPS 0x0008 // MIPS I Architecture
#define ELF_EM_MIPS_RS3_LE 0x000A // MIPS RS3000 Little-endian
#define ELF_EM_PPC 0x0014 // PowerPC
#define ELF_EM_PPC64 0x0015 // 64-bit PowerPC
#define ELF_EM_ARM 0x0028 // ARM
#define ELF_EM_X86_64 0x003E // AMD/Intel x86_64
#define ELF_EM_AARCH64 0x00B7 // 64-bit ARM
#define ELF_CLASS_NONE 0x0000
#define ELF_CLASS_32 0x0001 // 32bit file
#define ELF_CLASS_64 0x0002 // 64bit file
#define ELF_DATA_NONE 0x0000
#define ELF_DATA_2LSB 0x0001
#define ELF_DATA_2MSB 0x002
#define ELF_SHT_NULL 0 // Section header table entry unused
#define ELF_SHT_PROGBITS 1 // Program data
#define ELF_SHT_SYMTAB 2 // Symbol table
#define ELF_SHT_STRTAB 3 // String table
#define ELF_SHT_RELA 4 // Relocation entries with addends
#define ELF_SHT_HASH 5 // Symbol hash table
#define ELF_SHT_DYNAMIC 6 // Dynamic linking information
#define ELF_SHT_NOTE 7 // Notes
#define ELF_SHT_NOBITS 8 // Program space with no data (bss)
#define ELF_SHT_REL 9 // Relocation entries, no addends
#define ELF_SHT_SHLIB 10 // Reserved
#define ELF_SHT_DYNSYM 11 // Dynamic linker symbol table
#define ELF_SHT_NUM 12 // Number of defined types
#define ELF_SHF_WRITE 0x1 // Section is writable
#define ELF_SHF_ALLOC 0x2 // Section is present during execution
#define ELF_SHF_EXECINSTR 0x4 // Section contains executable instructions
#define ELF_SHN_LORESERVE 0xFF00
#define ELF_PT_NULL 0 // The array element is unused
#define ELF_PT_LOAD 1 // Loadable segment
#define ELF_PT_DYNAMIC 2 // Segment contains dynamic linking info
#define ELF_PT_INTERP 3 // Contains interpreter pathname
#define ELF_PT_NOTE 4 // Location & size of auxiliary info
#define ELF_PT_SHLIB 5 // Reserved, unspecified semantics
#define ELF_PT_PHDR 6 // Location and size of program header table
#define ELF_PT_TLS 7 // Thread-Local Storage
#define ELF_PT_GNU_EH_FRAME 0x6474e550
#define ELF_PT_GNU_STACK 0x6474e551
#define ELF_DT_NULL 0 // End of the dynamic entries
#define ELF_DT_NEEDED 1 // Name of needed library
#define ELF_DT_PLTRELSZ 2 // Size in bytes of PLT relocs
#define ELF_DT_PLTGOT 3 // Processor defined value */
#define ELF_DT_HASH 4 // Address of symbol hash table
#define ELF_DT_STRTAB 5 // Address of string table
#define ELF_DT_SYMTAB 6 // Address of symbol table
#define ELF_DT_RELA 7 // Address of Rela relocs
#define ELF_DT_RELASZ 8 // Total size of Rela relocs
#define ELF_DT_RELAENT 9 // Size of one Rela reloc
#define ELF_DT_STRSZ 10 // Size of string table
#define ELF_DT_SYMENT 11 // Size of one symbol table entry
#define ELF_DT_INIT 12 // Address of init function
#define ELF_DT_FINI 13 // Address of termination function
#define ELF_DT_SONAME 14 // Name of shared object
#define ELF_DT_RPATH 15 // Library search path (deprecated)
#define ELF_DT_SYMBOLIC 16 // Start symbol search here
#define ELF_DT_REL 17 // Address of Rel relocs
#define ELF_DT_RELSZ 18 // Total size of Rel relocs
#define ELF_DT_RELENT 19 // Size of one Rel reloc
#define ELF_DT_PLTREL 20 // Type of reloc in PLT
#define ELF_DT_DEBUG 21 // For debugging; unspecified
#define ELF_DT_TEXTREL 22 // Reloc might modify .text
#define ELF_DT_JMPREL 23 // Address of PLT relocs
#define ELF_DT_BIND_NOW 24 // Process relocations of object
#define ELF_DT_INIT_ARRAY 25 // Array with addresses of init fct
#define ELF_DT_FINI_ARRAY 26 // Array with addresses of fini fct
#define ELF_DT_INIT_ARRAYSZ 27 // Size in bytes of DT_INIT_ARRAY
#define ELF_DT_FINI_ARRAYSZ 28 // Size in bytes of DT_FINI_ARRAY
#define ELF_DT_RUNPATH 29 // Library search path
#define ELF_DT_FLAGS 30 // Flags for the object being loaded
#define ELF_DT_ENCODING 32 // Start of encoded range
#define ELF_STT_NOTYPE 0 // Symbol type is unspecified
#define ELF_STT_OBJECT 1 // Symbol is a data object
#define ELF_STT_FUNC 2 // Symbol is a code object
#define ELF_STT_SECTION 3 // Symbol associated with a section
#define ELF_STT_FILE 4 // Symbol's name is file name
#define ELF_STT_COMMON 5 // Symbol is a common data object
#define ELF_STT_TLS 6 // Symbol is thread-local data object
#define ELF_STB_LOCAL 0 // Local symbol
#define ELF_STB_GLOBAL 1 // Global symbol
#define ELF_STB_WEAK 2 // Weak symbol
#define ELF_PF_X 0x1 // Segment is executable
#define ELF_PF_W 0x2 // Segment is writable
#define ELF_PF_R 0x4 // Segment is readable
#define ELF_PN_XNUM 0xffff
#pragma pack(push,1)
typedef struct
{
uint32_t magic;
uint8_t _class;
uint8_t data;
uint8_t version;
uint8_t pad[8];
uint8_t nident;
} elf_ident_t;
typedef struct
{
elf_ident_t ident;
elf32_half_t type;
elf32_half_t machine;
elf32_word_t version;
elf32_addr_t entry;
elf32_off_t ph_offset;
elf32_off_t sh_offset;
elf32_word_t flags;
elf32_half_t header_size;
elf32_half_t ph_entry_size;
elf32_half_t ph_entry_count;
elf32_half_t sh_entry_size;
elf32_half_t sh_entry_count;
elf32_half_t sh_str_table_index;
} elf32_header_t;
typedef struct
{
elf_ident_t ident;
elf64_half_t type;
elf64_half_t machine;
elf64_word_t version;
elf64_addr_t entry;
elf64_off_t ph_offset;
elf64_off_t sh_offset;
elf64_word_t flags;
elf64_half_t header_size;
elf64_half_t ph_entry_size;
elf64_half_t ph_entry_count;
elf64_half_t sh_entry_size;
elf64_half_t sh_entry_count;
elf64_half_t sh_str_table_index;
} elf64_header_t;
typedef struct
{
elf32_word_t type;
elf32_off_t offset;
elf32_addr_t virt_addr;
elf32_addr_t phys_addr;
elf32_word_t file_size;
elf32_word_t mem_size;
elf32_word_t flags;
elf32_word_t alignment;
} elf32_program_header_t;
typedef struct
{
elf64_word_t type;
elf64_word_t flags;
elf64_off_t offset;
elf64_addr_t virt_addr;
elf64_addr_t phys_addr;
elf64_xword_t file_size;
elf64_xword_t mem_size;
elf64_xword_t alignment;
} elf64_program_header_t;
typedef struct
{
elf32_word_t name;
elf32_word_t type;
elf32_word_t flags;
elf32_addr_t addr;
elf32_off_t offset;
elf32_word_t size;
elf32_word_t link;
elf32_word_t info;
elf32_word_t align;
elf32_word_t entry_size;
} elf32_section_header_t;
typedef struct
{
elf64_word_t name;
elf64_word_t type;
elf64_xword_t flags;
elf64_addr_t addr;
elf64_off_t offset;
elf64_xword_t size;
elf64_word_t link;
elf64_word_t info;
elf64_xword_t align;
elf64_xword_t entry_size;
} elf64_section_header_t;
typedef struct
{
elf32_word_t tag;
elf32_word_t val;
} elf32_dyn_t;
typedef struct
{
elf64_xword_t tag;
elf64_xword_t val;
} elf64_dyn_t;
typedef struct
{
elf32_word_t name;
elf32_addr_t value;
elf32_word_t size;
unsigned char info;
unsigned char other;
elf32_half_t shndx;
} elf32_sym_t;
typedef struct
{
elf32_word_t name;
unsigned char info;
unsigned char other;
elf32_half_t shndx;
elf64_addr_t value;
elf64_xword_t size;
} elf64_sym_t;
#pragma pack(pop)
#endif


@ -1,100 +0,0 @@
/*
Copyright (c) 2016. The YARA Authors. All Rights Reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors
may be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef YR_ENDIAN_H
#define YR_ENDIAN_H
#include <yara/integers.h>
#if defined(__has_builtin)
# if __has_builtin(__builtin_bswap16)
# define yr_bswap16(x) __builtin_bswap16(x)
# endif
#endif
#if !defined(yr_bswap16) && defined(_MSC_VER)
# define yr_bswap16(x) _byteswap_ushort(x)
#endif
#if !defined(yr_bswap16)
uint16_t _yr_bswap16(uint16_t x);
# define yr_bswap16(x) _yr_bswap16(x)
#endif
#if defined(__has_builtin)
# if __has_builtin(__builtin_bswap32)
# define yr_bswap32(x) __builtin_bswap32(x)
# endif
#endif
#if !defined(yr_bswap32) && defined(_MSC_VER)
# define yr_bswap32(x) _byteswap_ulong(x)
#endif
#if !defined(yr_bswap32)
uint32_t _yr_bswap32(uint32_t x);
#define yr_bswap32(x) _yr_bswap32(x)
#endif
#if defined(__has_builtin)
# if __has_builtin(__builtin_bswap64)
# define yr_bswap64(x) __builtin_bswap64(x)
# endif
#endif
#if !defined(yr_bswap64) && defined(_MSC_VER)
# define yr_bswap64(x) _byteswap_uint64(x)
#endif
#if !defined(yr_bswap64)
uint64_t _yr_bswap64(uint64_t x);
#define yr_bswap64(x) _yr_bswap64(x)
#endif
#if defined(WORDS_BIGENDIAN)
#define yr_le16toh(x) yr_bswap16(x)
#define yr_le32toh(x) yr_bswap32(x)
#define yr_le64toh(x) yr_bswap64(x)
#define yr_be16toh(x) (x)
#define yr_be32toh(x) (x)
#define yr_be64toh(x) (x)
#else
#define yr_le16toh(x) (x)
#define yr_le32toh(x) (x)
#define yr_le64toh(x) (x)
#define yr_be16toh(x) yr_bswap16(x)
#define yr_be32toh(x) yr_bswap32(x)
#define yr_be64toh(x) yr_bswap64(x)
#endif
#endif


@ -1,129 +0,0 @@
/*
Copyright (c) 2014. The YARA Authors. All Rights Reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors
may be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef YR_ERROR_H
#define YR_ERROR_H
#include <string.h>
#if defined(_WIN32) || defined(__CYGWIN__)
#include <windows.h>
#endif
#ifndef ERROR_SUCCESS
#define ERROR_SUCCESS 0
#endif
// ERROR_INSUFICIENT_MEMORY is misspelled but it's kept for backward
// compatibility, as some other programs can be using it in this form.
#define ERROR_INSUFICIENT_MEMORY 1
#define ERROR_INSUFFICIENT_MEMORY 1
#define ERROR_COULD_NOT_ATTACH_TO_PROCESS 2
#define ERROR_COULD_NOT_OPEN_FILE 3
#define ERROR_COULD_NOT_MAP_FILE 4
#define ERROR_INVALID_FILE 6
#define ERROR_CORRUPT_FILE 7
#define ERROR_UNSUPPORTED_FILE_VERSION 8
#define ERROR_INVALID_REGULAR_EXPRESSION 9
#define ERROR_INVALID_HEX_STRING 10
#define ERROR_SYNTAX_ERROR 11
#define ERROR_LOOP_NESTING_LIMIT_EXCEEDED 12
#define ERROR_DUPLICATED_LOOP_IDENTIFIER 13
#define ERROR_DUPLICATED_IDENTIFIER 14
#define ERROR_DUPLICATED_TAG_IDENTIFIER 15
#define ERROR_DUPLICATED_META_IDENTIFIER 16
#define ERROR_DUPLICATED_STRING_IDENTIFIER 17
#define ERROR_UNREFERENCED_STRING 18
#define ERROR_UNDEFINED_STRING 19
#define ERROR_UNDEFINED_IDENTIFIER 20
#define ERROR_MISPLACED_ANONYMOUS_STRING 21
#define ERROR_INCLUDES_CIRCULAR_REFERENCE 22
#define ERROR_INCLUDE_DEPTH_EXCEEDED 23
#define ERROR_WRONG_TYPE 24
#define ERROR_EXEC_STACK_OVERFLOW 25
#define ERROR_SCAN_TIMEOUT 26
#define ERROR_TOO_MANY_SCAN_THREADS 27
#define ERROR_CALLBACK_ERROR 28
#define ERROR_INVALID_ARGUMENT 29
#define ERROR_TOO_MANY_MATCHES 30
#define ERROR_INTERNAL_FATAL_ERROR 31
#define ERROR_NESTED_FOR_OF_LOOP 32
#define ERROR_INVALID_FIELD_NAME 33
#define ERROR_UNKNOWN_MODULE 34
#define ERROR_NOT_A_STRUCTURE 35
#define ERROR_NOT_INDEXABLE 36
#define ERROR_NOT_A_FUNCTION 37
#define ERROR_INVALID_FORMAT 38
#define ERROR_TOO_MANY_ARGUMENTS 39
#define ERROR_WRONG_ARGUMENTS 40
#define ERROR_WRONG_RETURN_TYPE 41
#define ERROR_DUPLICATED_STRUCTURE_MEMBER 42
#define ERROR_EMPTY_STRING 43
#define ERROR_DIVISION_BY_ZERO 44
#define ERROR_REGULAR_EXPRESSION_TOO_LARGE 45
#define ERROR_TOO_MANY_RE_FIBERS 46
#define ERROR_COULD_NOT_READ_PROCESS_MEMORY 47
#define ERROR_INVALID_EXTERNAL_VARIABLE_TYPE 48
#define ERROR_REGULAR_EXPRESSION_TOO_COMPLEX 49
#define ERROR_INVALID_MODULE_NAME 50
#define FAIL_ON_ERROR(x) { \
int result = (x); \
if (result != ERROR_SUCCESS) \
return result; \
}
#define FAIL_ON_ERROR_WITH_CLEANUP(x, cleanup) { \
int result = (x); \
if (result != ERROR_SUCCESS) { \
cleanup; \
return result; \
} \
}
#define FAIL_ON_COMPILER_ERROR(x) { \
compiler->last_result = (x); \
if (compiler->last_result != ERROR_SUCCESS) \
return compiler->last_result; \
}
#ifdef NDEBUG
#define assertf(expr, msg, ...) ((void)0)
#else
#define assertf(expr, msg, ...) \
if(!(expr)) { \
fprintf(stderr, "%s:%d: " msg "\n", __FILE__, __LINE__, ##__VA_ARGS__); \
abort(); \
}
#endif
#endif


@ -1,176 +0,0 @@
/*
Copyright (c) 2013-2014. The YARA Authors. All Rights Reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors
may be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef YR_EXEC_H
#define YR_EXEC_H
#include "hash.h"
#include "scan.h"
#include "types.h"
#include "rules.h"
#define UNDEFINED 0xFFFABADAFABADAFFLL
#define IS_UNDEFINED(x) ((size_t)(x) == (size_t) UNDEFINED)
#define OP_ERROR 0
#define OP_HALT 255
#define OP_NOP 254
#define OP_AND 1
#define OP_OR 2
#define OP_NOT 3
#define OP_BITWISE_NOT 4
#define OP_BITWISE_AND 5
#define OP_BITWISE_OR 6
#define OP_BITWISE_XOR 7
#define OP_SHL 8
#define OP_SHR 9
#define OP_MOD 10
#define OP_INT_TO_DBL 11
#define OP_STR_TO_BOOL 12
#define OP_PUSH 13
#define OP_POP 14
#define OP_CALL 15
#define OP_OBJ_LOAD 16
#define OP_OBJ_VALUE 17
#define OP_OBJ_FIELD 18
#define OP_INDEX_ARRAY 19
#define OP_COUNT 20
#define OP_LENGTH 21
#define OP_FOUND 22
#define OP_FOUND_AT 23
#define OP_FOUND_IN 24
#define OP_OFFSET 25
#define OP_OF 26
#define OP_PUSH_RULE 27
#define OP_INIT_RULE 28
#define OP_MATCH_RULE 29
#define OP_INCR_M 30
#define OP_CLEAR_M 31
#define OP_ADD_M 32
#define OP_POP_M 33
#define OP_PUSH_M 34
#define OP_SWAPUNDEF 35
#define OP_JNUNDEF 36
#define OP_JLE 37
#define OP_FILESIZE 38
#define OP_ENTRYPOINT 39
#define OP_CONTAINS 40
#define OP_MATCHES 41
#define OP_IMPORT 42
#define OP_LOOKUP_DICT 43
#define OP_JFALSE 44
#define OP_JTRUE 45
#define _OP_EQ 0
#define _OP_NEQ 1
#define _OP_LT 2
#define _OP_GT 3
#define _OP_LE 4
#define _OP_GE 5
#define _OP_ADD 6
#define _OP_SUB 7
#define _OP_MUL 8
#define _OP_DIV 9
#define _OP_MINUS 10
#define OP_INT_BEGIN 100
#define OP_INT_EQ (OP_INT_BEGIN + _OP_EQ)
#define OP_INT_NEQ (OP_INT_BEGIN + _OP_NEQ)
#define OP_INT_LT (OP_INT_BEGIN + _OP_LT)
#define OP_INT_GT (OP_INT_BEGIN + _OP_GT)
#define OP_INT_LE (OP_INT_BEGIN + _OP_LE)
#define OP_INT_GE (OP_INT_BEGIN + _OP_GE)
#define OP_INT_ADD (OP_INT_BEGIN + _OP_ADD)
#define OP_INT_SUB (OP_INT_BEGIN + _OP_SUB)
#define OP_INT_MUL (OP_INT_BEGIN + _OP_MUL)
#define OP_INT_DIV (OP_INT_BEGIN + _OP_DIV)
#define OP_INT_MINUS (OP_INT_BEGIN + _OP_MINUS)
#define OP_INT_END OP_INT_MINUS
#define OP_DBL_BEGIN 120
#define OP_DBL_EQ (OP_DBL_BEGIN + _OP_EQ)
#define OP_DBL_NEQ (OP_DBL_BEGIN + _OP_NEQ)
#define OP_DBL_LT (OP_DBL_BEGIN + _OP_LT)
#define OP_DBL_GT (OP_DBL_BEGIN + _OP_GT)
#define OP_DBL_LE (OP_DBL_BEGIN + _OP_LE)
#define OP_DBL_GE (OP_DBL_BEGIN + _OP_GE)
#define OP_DBL_ADD (OP_DBL_BEGIN + _OP_ADD)
#define OP_DBL_SUB (OP_DBL_BEGIN + _OP_SUB)
#define OP_DBL_MUL (OP_DBL_BEGIN + _OP_MUL)
#define OP_DBL_DIV (OP_DBL_BEGIN + _OP_DIV)
#define OP_DBL_MINUS (OP_DBL_BEGIN + _OP_MINUS)
#define OP_DBL_END OP_DBL_MINUS
#define OP_STR_BEGIN 140
#define OP_STR_EQ (OP_STR_BEGIN + _OP_EQ)
#define OP_STR_NEQ (OP_STR_BEGIN + _OP_NEQ)
#define OP_STR_LT (OP_STR_BEGIN + _OP_LT)
#define OP_STR_GT (OP_STR_BEGIN + _OP_GT)
#define OP_STR_LE (OP_STR_BEGIN + _OP_LE)
#define OP_STR_GE (OP_STR_BEGIN + _OP_GE)
#define OP_STR_END OP_STR_GE
#define IS_INT_OP(x) ((x) >= OP_INT_BEGIN && (x) <= OP_INT_END)
#define IS_DBL_OP(x) ((x) >= OP_DBL_BEGIN && (x) <= OP_DBL_END)
#define IS_STR_OP(x) ((x) >= OP_STR_BEGIN && (x) <= OP_STR_END)
#define OP_READ_INT 240
#define OP_INT8 (OP_READ_INT + 0)
#define OP_INT16 (OP_READ_INT + 1)
#define OP_INT32 (OP_READ_INT + 2)
#define OP_UINT8 (OP_READ_INT + 3)
#define OP_UINT16 (OP_READ_INT + 4)
#define OP_UINT32 (OP_READ_INT + 5)
#define OP_INT8BE (OP_READ_INT + 6)
#define OP_INT16BE (OP_READ_INT + 7)
#define OP_INT32BE (OP_READ_INT + 8)
#define OP_UINT8BE (OP_READ_INT + 9)
#define OP_UINT16BE (OP_READ_INT + 10)
#define OP_UINT32BE (OP_READ_INT + 11)
#define OPERATION(operator, op1, op2) \
(IS_UNDEFINED(op1) || IS_UNDEFINED(op2)) ? (UNDEFINED) : (op1 operator op2)
#define COMPARISON(operator, op1, op2) \
(IS_UNDEFINED(op1) || IS_UNDEFINED(op2)) ? (0) : (op1 operator op2)
int yr_execute_code(
YR_RULES* rules,
YR_SCAN_CONTEXT* context,
int timeout,
time_t start_time);
#endif


@ -1,43 +0,0 @@
/*
Copyright (c) 2007. The YARA Authors. All Rights Reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors
may be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef YR_EXEFILES_H
#define YR_EXEFILES_H
uint64_t yr_get_entry_point_offset(
uint8_t* buffer,
size_t buffer_length);
uint64_t yr_get_entry_point_address(
uint8_t* buffer,
size_t buffer_length,
size_t base_address);
#endif


@ -1,90 +0,0 @@
/*
Copyright (c) 2007-2015. The YARA Authors. All Rights Reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors
may be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef YR_FILEMAP_H
#define YR_FILEMAP_H
#ifdef _MSC_VER
#define off_t int64_t
#else
#include <sys/types.h>
#endif
#if defined(_WIN32) || defined(__CYGWIN__)
#include <windows.h>
#define YR_FILE_DESCRIPTOR HANDLE
#else
#define YR_FILE_DESCRIPTOR int
#endif
#include <stdlib.h>
#include "integers.h"
#include "utils.h"
typedef struct _YR_MAPPED_FILE
{
YR_FILE_DESCRIPTOR file;
size_t size;
uint8_t* data;
#if defined(_WIN32) || defined(__CYGWIN__)
HANDLE mapping;
#endif
} YR_MAPPED_FILE;
YR_API int yr_filemap_map(
const char* file_path,
YR_MAPPED_FILE* pmapped_file);
YR_API int yr_filemap_map_fd(
YR_FILE_DESCRIPTOR file,
off_t offset,
size_t size,
YR_MAPPED_FILE* pmapped_file);
YR_API int yr_filemap_map_ex(
const char* file_path,
off_t offset,
size_t size,
YR_MAPPED_FILE* pmapped_file);
YR_API void yr_filemap_unmap(
YR_MAPPED_FILE* pmapped_file);
YR_API void yr_filemap_unmap_fd(
YR_MAPPED_FILE* pmapped_file);
#endif


@ -1,41 +0,0 @@
/*
Copyright (c) 2014. The YARA Authors. All Rights Reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors
may be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef YR_GLOBALS_H
#define YR_GLOBALS_H
#include "threading.h"
extern char yr_lowercase[256];
extern char yr_altercase[256];
extern YR_THREAD_STORAGE_KEY yr_tidx_key;
extern YR_THREAD_STORAGE_KEY yr_recovery_state_key;
#endif


@ -1,103 +0,0 @@
/*
Copyright (c) 2013. The YARA Authors. All Rights Reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors
may be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef YR_HASH_H
#define YR_HASH_H
#include <stddef.h>
#include "utils.h"
typedef struct _YR_HASH_TABLE_ENTRY
{
void* key;
size_t key_length;
char* ns;
void* value;
struct _YR_HASH_TABLE_ENTRY* next;
} YR_HASH_TABLE_ENTRY;
typedef struct _YR_HASH_TABLE
{
int size;
YR_HASH_TABLE_ENTRY* buckets[1];
} YR_HASH_TABLE;
typedef int (*YR_HASH_TABLE_FREE_VALUE_FUNC)(void* value);
YR_API int yr_hash_table_create(
int size,
YR_HASH_TABLE** table);
YR_API void yr_hash_table_clean(
YR_HASH_TABLE* table,
YR_HASH_TABLE_FREE_VALUE_FUNC free_value);
YR_API void yr_hash_table_destroy(
YR_HASH_TABLE* table,
YR_HASH_TABLE_FREE_VALUE_FUNC free_value);
YR_API void* yr_hash_table_lookup(
YR_HASH_TABLE* table,
const char* key,
const char* ns);
YR_API int yr_hash_table_add(
YR_HASH_TABLE* table,
const char* key,
const char* ns,
void* value);
YR_API void* yr_hash_table_lookup_raw_key(
YR_HASH_TABLE* table,
const void* key,
size_t key_length,
const char* ns);
YR_API int yr_hash_table_add_raw_key(
YR_HASH_TABLE* table,
const void* key,
size_t key_length,
const char* ns,
void* value);
#endif


@ -1,110 +0,0 @@
/*
Copyright (c) 2007. Victor M. Alvarez [plusvic@gmail.com].
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors
may be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "re.h"
#undef yyparse
#undef yylex
#undef yyerror
#undef yyfatal
#undef yychar
#undef yydebug
#undef yynerrs
#undef yyget_extra
#undef yyget_lineno
#undef YY_FATAL_ERROR
#undef YY_DECL
#undef LEX_ENV
#define yyparse hex_yyparse
#define yylex hex_yylex
#define yyerror hex_yyerror
#define yyfatal hex_yyfatal
#define yychar hex_yychar
#define yydebug hex_yydebug
#define yynerrs hex_yynerrs
#define yyget_extra hex_yyget_extra
#define yyget_lineno hex_yyget_lineno
#ifndef YY_TYPEDEF_YY_SCANNER_T
#define YY_TYPEDEF_YY_SCANNER_T
typedef void* yyscan_t;
#endif
#define YY_EXTRA_TYPE RE_AST*
#define YY_USE_CONST
typedef struct _HEX_LEX_ENVIRONMENT
{
int token_count;
int inside_or;
int last_error_code;
char last_error_message[256];
} HEX_LEX_ENVIRONMENT;
#define YY_FATAL_ERROR(msg) hex_yyfatal(yyscanner, msg)
#define LEX_ENV ((HEX_LEX_ENVIRONMENT*) lex_env)
#include <hex_grammar.h>
#define YY_DECL int hex_yylex \
(YYSTYPE * yylval_param , yyscan_t yyscanner, HEX_LEX_ENVIRONMENT* lex_env)
YY_EXTRA_TYPE yyget_extra(
yyscan_t yyscanner);
int yylex(
YYSTYPE* yylval_param,
yyscan_t yyscanner,
HEX_LEX_ENVIRONMENT* lex_env);
int yyparse(
void* yyscanner,
HEX_LEX_ENVIRONMENT* lex_env);
void yyerror(
yyscan_t yyscanner,
HEX_LEX_ENVIRONMENT* lex_env,
const char* error_message);
void yyfatal(
yyscan_t yyscanner,
const char* error_message);
int yr_parse_hex_string(
const char* hex_string,
RE_AST** re_ast,
RE_ERROR* error);


@ -1,66 +0,0 @@
/*
Copyright (c) 2007-2015. The YARA Authors. All Rights Reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors
may be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef YR_INTEGERS_H
#define YR_INTEGERS_H
/* Integer type definitions
*/
#if ( defined( _MSC_VER ) && ( _MSC_VER < 1600 ) ) || ( defined( __BORLANDC__ ) && ( __BORLANDC__ <= 0x0560 ) )
#ifdef __cplusplus
extern "C" {
#endif
/* Microsoft Visual Studio C++ before Visual Studio 2010 or earlier versions of the Borland C++ Builder
* do not support the (u)int#_t type definitions but have __int# definitions instead
*/
typedef __int8 int8_t;
typedef unsigned __int8 uint8_t;
typedef __int16 int16_t;
typedef unsigned __int16 uint16_t;
typedef __int32 int32_t;
typedef unsigned __int32 uint32_t;
typedef __int64 int64_t;
typedef unsigned __int64 uint64_t;
#ifdef __cplusplus
}
#endif
#else
/* Other "compilers" and later versions of Microsoft Visual Studio C++ and
* Borland C/C++ define the types in <stdint.h>
*/
#include <stdint.h>
#endif
#endif


@ -1,150 +0,0 @@
/*
Copyright (c) 2007. Victor M. Alvarez [plusvic@gmail.com].
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors
may be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "compiler.h"
#undef yyparse
#undef yylex
#undef yyerror
#undef yyfatal
#undef yychar
#undef yydebug
#undef yynerrs
#undef yyget_extra
#undef yyget_lineno
#undef YY_DECL
#undef YY_FATAL_ERROR
#undef YY_EXTRA_TYPE
#define yyparse yara_yyparse
#define yylex yara_yylex
#define yyerror yara_yyerror
#define yyfatal yara_yyfatal
#define yywarning yara_yywarning
#define yychar yara_yychar
#define yydebug yara_yydebug
#define yynerrs yara_yynerrs
#define yyget_extra yara_yyget_extra
#define yyget_lineno yara_yyget_lineno
#ifndef YY_TYPEDEF_YY_SCANNER_T
#define YY_TYPEDEF_YY_SCANNER_T
typedef void* yyscan_t;
#endif
#ifndef YY_TYPEDEF_EXPRESSION_T
#define YY_TYPEDEF_EXPRESSION_T
// Expression type constants are powers of two because they are used as flags.
// For example:
// CHECK_TYPE(whatever, EXPRESSION_TYPE_INTEGER | EXPRESSION_TYPE_FLOAT)
// The expression above is used to ensure that the type of "whatever" is either
// integer or float.
#define EXPRESSION_TYPE_BOOLEAN 1
#define EXPRESSION_TYPE_INTEGER 2
#define EXPRESSION_TYPE_STRING 4
#define EXPRESSION_TYPE_REGEXP 8
#define EXPRESSION_TYPE_OBJECT 16
#define EXPRESSION_TYPE_FLOAT 32
typedef struct _EXPRESSION
{
int type;
union
{
int64_t integer;
YR_OBJECT* object;
SIZED_STRING* sized_string;
} value;
const char* identifier;
} EXPRESSION;
union YYSTYPE;
#endif
#define YY_DECL int yylex( \
union YYSTYPE* yylval_param, yyscan_t yyscanner, YR_COMPILER* compiler)
#define YY_FATAL_ERROR(msg) yara_yyfatal(yyscanner, msg)
#define YY_EXTRA_TYPE YR_COMPILER*
#define YY_USE_CONST
int yyget_lineno(yyscan_t yyscanner);
int yylex(
union YYSTYPE* yylval_param,
yyscan_t yyscanner,
YR_COMPILER* compiler);
int yyparse(
void* yyscanner,
YR_COMPILER* compiler);
void yyerror(
yyscan_t yyscanner,
YR_COMPILER* compiler,
const char* error_message);
void yywarning(
yyscan_t yyscanner,
const char* message_fmt,
...);
void yyfatal(
yyscan_t yyscanner,
const char* error_message);
YY_EXTRA_TYPE yyget_extra(
yyscan_t yyscanner);
int yr_lex_parse_rules_string(
const char* rules_string,
YR_COMPILER* compiler);
int yr_lex_parse_rules_file(
FILE* rules_file,
YR_COMPILER* compiler);
int yr_lex_parse_rules_fd(
YR_FILE_DESCRIPTOR rules_fd,
YR_COMPILER* compiler);


@ -1,85 +0,0 @@
/*
Copyright (c) 2014. The YARA Authors. All Rights Reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors
may be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef YR_LIBYARA_H
#define YR_LIBYARA_H
#include "utils.h"
#define YR_MAJOR_VERSION 3
#define YR_MINOR_VERSION 6
#define YR_MICRO_VERSION 0
#define version_str(s) _version_str(s)
#define _version_str(s) #s
// Version as a string
#define YR_VERSION version_str(YR_MAJOR_VERSION) \
"." version_str(YR_MINOR_VERSION) \
"." version_str(YR_MICRO_VERSION)
// Version as a single 4-byte hex number, e.g. 0x030401 == 3.4.1.
#define YR_VERSION_HEX ((YR_MAJOR_VERSION << 16) | \
(YR_MINOR_VERSION << 8) | \
(YR_MICRO_VERSION << 0))
// Enumerated type listing configuration options
typedef enum _YR_CONFIG_NAME
{
YR_CONFIG_STACK_SIZE,
YR_CONFIG_MAX
} YR_CONFIG_NAME;
#define DEFAULT_STACK_SIZE 16384
YR_API int yr_initialize(void);
YR_API int yr_finalize(void);
YR_API void yr_finalize_thread(void);
YR_API int yr_get_tidx(void);
YR_API void yr_set_tidx(int);
YR_API int yr_set_configuration(YR_CONFIG_NAME, void*);
YR_API int yr_get_configuration(YR_CONFIG_NAME, void*);
#endif


@ -1,68 +0,0 @@
/*
Copyright (c) 2013. The YARA Authors. All Rights Reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors
may be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef YR_LIMITS_H
#define YR_LIMITS_H
#if defined(_WIN32) || defined(__CYGWIN__)
#include <windows.h>
#endif
#include "utils.h"
// MAX_THREADS is the number of threads that can use a YR_RULES
// object simultaneously.
#ifndef MAX_THREADS
#define MAX_THREADS 32
#endif
#ifndef MAX_PATH
#define MAX_PATH 1024
#endif
#define MAX_COMPILER_ERROR_EXTRA_INFO 256
#define MAX_ATOM_LENGTH 4
#define MAX_LOOP_NESTING 4
#define MAX_ARENA_PAGES 32
#define MAX_INCLUDE_DEPTH 16
#define MAX_STRING_MATCHES 1000000
#define MAX_FUNCTION_ARGS 128
#define MAX_FAST_RE_STACK 300
#define MAX_OVERLOADED_FUNCTIONS 10
#define MAX_HEX_STRING_TOKENS 10000
#define MAX_MATCH_DATA 4096
#define LOOP_LOCAL_VARS 4
#define STRING_CHAINING_THRESHOLD 200
#define LEX_BUF_SIZE 8192
#endif


@ -1,74 +0,0 @@
/*
Copyright (c) 2007. The YARA Authors. All Rights Reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors
may be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef YR_MEM_H
#define YR_MEM_H
#include <stdio.h>
#ifdef DMALLOC
#define yr_malloc malloc
#define yr_calloc calloc
#define yr_realloc realloc
#define yr_free free
#define yr_strdup strdup
#define yr_strndup strndup
#include <dmalloc.h>
#else
void* yr_calloc(
size_t count,
size_t size);
void* yr_malloc(
size_t size);
void* yr_realloc(
void* ptr,
size_t size);
void yr_free(
void* ptr);
char* yr_strdup(
const char* str);
char* yr_strndup(
const char* str, size_t n);
#endif
int yr_heap_alloc(void);
int yr_heap_free(void);
#endif


@ -1,447 +0,0 @@
/*
Copyright (c) 2014. The YARA Authors. All Rights Reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors
may be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef YR_MODULES_H
#define YR_MODULES_H
#include <assert.h>
#include <stdio.h>
#include <string.h>
#include <math.h>
#include "utils.h"
#include "limits.h"
#include "error.h"
#include "exec.h"
#include "types.h"
#include "object.h"
#include "libyara.h"
// Concatenation that macro-expands its arguments.
#define YR_CONCAT(arg1, arg2) _YR_CONCAT(arg1, arg2) // expands the arguments.
#define _YR_CONCAT(arg1, arg2) arg1 ## arg2 // do the actual concatenation.
#define module_declarations YR_CONCAT(MODULE_NAME, __declarations)
#define module_load YR_CONCAT(MODULE_NAME, __load)
#define module_unload YR_CONCAT(MODULE_NAME, __unload)
#define module_initialize YR_CONCAT(MODULE_NAME, __initialize)
#define module_finalize YR_CONCAT(MODULE_NAME, __finalize)
#define begin_declarations \
int module_declarations(YR_OBJECT* module) { \
YR_OBJECT* stack[64]; \
int stack_top = 0; \
stack[stack_top] = module;
#define end_declarations \
return ERROR_SUCCESS; }
#define begin_struct(name) { \
YR_OBJECT* structure; \
FAIL_ON_ERROR(yr_object_create( \
OBJECT_TYPE_STRUCTURE, \
name, \
stack[stack_top], \
&structure)); \
assertf( \
stack_top < sizeof(stack)/sizeof(stack[0]) - 1, \
"too many nested structures"); \
stack[++stack_top] = structure; \
}
#define begin_struct_array(name) { \
YR_OBJECT* structure; \
YR_OBJECT* array; \
FAIL_ON_ERROR(yr_object_create( \
OBJECT_TYPE_ARRAY, \
name, \
stack[stack_top], \
&array)); \
FAIL_ON_ERROR(yr_object_create( \
OBJECT_TYPE_STRUCTURE, \
name, \
array, \
&structure)); \
assertf( \
stack_top < sizeof(stack)/sizeof(stack[0]) - 1, \
"too many nested structures"); \
stack[++stack_top] = structure; \
}
#define begin_struct_dictionary(name) { \
YR_OBJECT* structure; \
YR_OBJECT* array; \
FAIL_ON_ERROR(yr_object_create( \
OBJECT_TYPE_DICTIONARY, \
name, \
stack[stack_top], \
&array)); \
FAIL_ON_ERROR(yr_object_create( \
OBJECT_TYPE_STRUCTURE, \
name, \
array, \
&structure)); \
assertf( \
stack_top < sizeof(stack)/sizeof(stack[0]) - 1, \
"too many nested structures"); \
stack[++stack_top] = structure; \
}
#define end_struct(name) { \
assert(stack[stack_top]->type == OBJECT_TYPE_STRUCTURE); \
assertf( \
strcmp(stack[stack_top]->identifier, name) == 0, \
"unbalanced begin_struct/end_struct"); \
stack_top--; \
}
#define end_struct_array(name) end_struct(name)
#define end_struct_dictionary(name) end_struct(name)
#define declare_integer(name) { \
FAIL_ON_ERROR(yr_object_create( \
OBJECT_TYPE_INTEGER, \
name, \
stack[stack_top], \
NULL)); \
}
#define declare_integer_array(name) { \
YR_OBJECT* array; \
FAIL_ON_ERROR(yr_object_create( \
OBJECT_TYPE_ARRAY, \
name, \
stack[stack_top], \
&array)); \
FAIL_ON_ERROR(yr_object_create( \
OBJECT_TYPE_INTEGER, \
name, \
array, \
NULL)); \
}
#define declare_integer_dictionary(name) { \
YR_OBJECT* dict; \
FAIL_ON_ERROR(yr_object_create( \
OBJECT_TYPE_DICTIONARY, \
name, \
stack[stack_top], \
&dict)); \
FAIL_ON_ERROR(yr_object_create( \
OBJECT_TYPE_INTEGER, \
name, \
dict, \
NULL)); \
}
#define declare_float(name) { \
FAIL_ON_ERROR(yr_object_create( \
OBJECT_TYPE_FLOAT, \
name, \
stack[stack_top], \
NULL)); \
}
#define declare_float_array(name) { \
YR_OBJECT* array; \
FAIL_ON_ERROR(yr_object_create( \
OBJECT_TYPE_ARRAY, \
name, \
stack[stack_top], \
&array)); \
FAIL_ON_ERROR(yr_object_create( \
OBJECT_TYPE_FLOAT, \
name, \
array, \
NULL)); \
}
#define declare_float_dictionary(name) { \
YR_OBJECT* dict; \
FAIL_ON_ERROR(yr_object_create( \
OBJECT_TYPE_DICTIONARY, \
name, \
stack[stack_top], \
&dict)); \
FAIL_ON_ERROR(yr_object_create( \
OBJECT_TYPE_FLOAT, \
name, \
dict, \
NULL)); \
}
#define declare_string(name) { \
FAIL_ON_ERROR(yr_object_create( \
OBJECT_TYPE_STRING, \
name, \
stack[stack_top], \
NULL)); \
}
#define declare_string_array(name) { \
YR_OBJECT* array; \
FAIL_ON_ERROR(yr_object_create( \
OBJECT_TYPE_ARRAY, \
name, \
stack[stack_top], \
&array)); \
FAIL_ON_ERROR(yr_object_create( \
OBJECT_TYPE_STRING, \
name, \
array, \
NULL)); \
}
#define declare_string_dictionary(name) { \
YR_OBJECT* dict; \
FAIL_ON_ERROR(yr_object_create( \
OBJECT_TYPE_DICTIONARY, \
name, \
stack[stack_top], \
&dict)); \
FAIL_ON_ERROR(yr_object_create( \
OBJECT_TYPE_STRING, \
name, \
dict, \
NULL)); \
}
#define declare_function(name, args_fmt, ret_fmt, func) { \
YR_OBJECT* function; \
FAIL_ON_ERROR(yr_object_function_create( \
name, \
args_fmt, \
ret_fmt, \
func, \
stack[stack_top], \
&function)); \
}
#define define_function(func) \
int func ( \
YR_VALUE* __args, \
YR_SCAN_CONTEXT* __context, \
YR_OBJECT_FUNCTION* __function_obj)
#define sized_string_argument(n) \
(__args[n-1].ss)
#define string_argument(n) \
(sized_string_argument(n)->c_string)
#define integer_argument(n) \
(__args[n-1].i)
#define float_argument(n) \
(__args[n-1].d)
#define regexp_argument(n) \
((RE*)(__args[n-1].re))
#define module() yr_object_get_root((YR_OBJECT*) __function_obj)
#define parent() (__function_obj->parent)
#define scan_context() (__context)
#define foreach_memory_block(iterator, block) \
for (block = iterator->first(iterator); \
block != NULL; \
block = iterator->next(iterator)) \
#define first_memory_block(context) \
(context)->iterator->first((context)->iterator)
#define is_undefined(object, ...) \
yr_object_has_undefined_value(object, __VA_ARGS__)
#define get_object(object, ...) \
yr_object_lookup(object, 0, __VA_ARGS__)
#define get_integer(object, ...) \
yr_object_get_integer(object, __VA_ARGS__)
#define get_float(object, ...) \
yr_object_get_float(object, __VA_ARGS__)
#define get_string(object, ...) \
yr_object_get_string(object, __VA_ARGS__)
#define set_integer(value, object, ...) \
yr_object_set_integer(value, object, __VA_ARGS__)
#define set_float(value, object, ...) \
yr_object_set_float(value, object, __VA_ARGS__)
#define set_sized_string(value, len, object, ...) \
yr_object_set_string(value, len, object, __VA_ARGS__)
#define set_string(value, object, ...) \
set_sized_string(value, strlen(value), object, __VA_ARGS__)
#define return_integer(integer) { \
assertf( \
__function_obj->return_obj->type == OBJECT_TYPE_INTEGER, \
"return type differs from function declaration"); \
yr_object_set_integer( \
(integer), \
__function_obj->return_obj, \
NULL); \
return ERROR_SUCCESS; \
}
#define return_float(double_) { \
double d = (double) (double_); \
assertf( \
__function_obj->return_obj->type == OBJECT_TYPE_FLOAT, \
"return type differs from function declaration"); \
yr_object_set_float( \
(d != (double) UNDEFINED) ? d : NAN, \
__function_obj->return_obj, \
NULL); \
return ERROR_SUCCESS; \
}
#define return_string(string) { \
char* s = (char*) (string); \
assertf( \
__function_obj->return_obj->type == OBJECT_TYPE_STRING, \
"return type differs from function declaration"); \
yr_object_set_string( \
(s != (char*) UNDEFINED) ? s : NULL, \
(s != (char*) UNDEFINED) ? strlen(s) : 0, \
__function_obj->return_obj, \
NULL); \
return ERROR_SUCCESS; \
}
struct _YR_MODULE;
typedef int (*YR_EXT_INITIALIZE_FUNC)(
struct _YR_MODULE* module);
typedef int (*YR_EXT_FINALIZE_FUNC)(
struct _YR_MODULE* module);
typedef int (*YR_EXT_DECLARATIONS_FUNC)(
YR_OBJECT* module_object);
typedef int (*YR_EXT_LOAD_FUNC)(
YR_SCAN_CONTEXT* context,
YR_OBJECT* module_object,
void* module_data,
size_t module_data_size);
typedef int (*YR_EXT_UNLOAD_FUNC)(
YR_OBJECT* module_object);
typedef struct _YR_MODULE
{
char* name;
YR_EXT_DECLARATIONS_FUNC declarations;
YR_EXT_LOAD_FUNC load;
YR_EXT_UNLOAD_FUNC unload;
YR_EXT_INITIALIZE_FUNC initialize;
YR_EXT_FINALIZE_FUNC finalize;
} YR_MODULE;
typedef struct _YR_MODULE_IMPORT
{
const char* module_name;
void* module_data;
size_t module_data_size;
} YR_MODULE_IMPORT;
int yr_modules_initialize(void);
int yr_modules_finalize(void);
int yr_modules_do_declarations(
const char* module_name,
YR_OBJECT* main_structure);
int yr_modules_load(
const char* module_name,
YR_SCAN_CONTEXT* context);
int yr_modules_unload_all(
YR_SCAN_CONTEXT* context);
#endif


@ -1,184 +0,0 @@
/*
Copyright (c) 2014. The YARA Authors. All Rights Reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors
may be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef YR_OBJECT_H
#define YR_OBJECT_H
#ifdef _MSC_VER
#include <float.h>
#ifndef isnan
#define isnan _isnan
#endif
#ifndef INFINITY
#define INFINITY (DBL_MAX + DBL_MAX)
#endif
#ifndef NAN
#define NAN (INFINITY-INFINITY)
#endif
#endif
#include "types.h"
#define OBJECT_CREATE 1
#define OBJECT_TYPE_INTEGER 1
#define OBJECT_TYPE_STRING 2
#define OBJECT_TYPE_STRUCTURE 3
#define OBJECT_TYPE_ARRAY 4
#define OBJECT_TYPE_FUNCTION 5
#define OBJECT_TYPE_DICTIONARY 6
#define OBJECT_TYPE_FLOAT 7
int yr_object_create(
int8_t type,
const char* identifier,
YR_OBJECT* parent,
YR_OBJECT** object);
int yr_object_function_create(
const char* identifier,
const char* arguments_fmt,
const char* return_fmt,
YR_MODULE_FUNC func,
YR_OBJECT* parent,
YR_OBJECT** function);
int yr_object_from_external_variable(
YR_EXTERNAL_VARIABLE* external,
YR_OBJECT** object);
void yr_object_destroy(
YR_OBJECT* object);
int yr_object_copy(
YR_OBJECT* object,
YR_OBJECT** object_copy);
YR_OBJECT* yr_object_lookup_field(
YR_OBJECT* object,
const char* field_name);
YR_OBJECT* yr_object_lookup(
YR_OBJECT* root,
int flags,
const char* pattern,
...);
int yr_object_has_undefined_value(
YR_OBJECT* object,
const char* field,
...);
int64_t yr_object_get_integer(
YR_OBJECT* object,
const char* field,
...);
SIZED_STRING* yr_object_get_string(
YR_OBJECT* object,
const char* field,
...);
int yr_object_set_integer(
int64_t value,
YR_OBJECT* object,
const char* field,
...);
int yr_object_set_float(
double value,
YR_OBJECT* object,
const char* field,
...);
int yr_object_set_string(
const char* value,
size_t len,
YR_OBJECT* object,
const char* field,
...);
YR_OBJECT* yr_object_array_get_item(
YR_OBJECT* object,
int flags,
int index);
int yr_object_array_set_item(
YR_OBJECT* object,
YR_OBJECT* item,
int index);
YR_OBJECT* yr_object_dict_get_item(
YR_OBJECT* object,
int flags,
const char* key);
int yr_object_dict_set_item(
YR_OBJECT* object,
YR_OBJECT* item,
const char* key);
int yr_object_structure_set_member(
YR_OBJECT* object,
YR_OBJECT* member);
YR_OBJECT* yr_object_get_root(
YR_OBJECT* object);
YR_API void yr_object_print_data(
YR_OBJECT* object,
int indent,
int print_identifier);
#endif


@ -1,138 +0,0 @@
/*
Copyright (c) 2013. The YARA Authors. All Rights Reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors
may be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef YR_PARSER_H
#define YR_PARSER_H
#include "lexer.h"
int yr_parser_emit(
yyscan_t yyscanner,
uint8_t instruction,
uint8_t** instruction_address);
int yr_parser_emit_with_arg(
yyscan_t yyscanner,
uint8_t instruction,
int64_t argument,
uint8_t** instruction_address,
int64_t** argument_address);
int yr_parser_emit_with_arg_double(
yyscan_t yyscanner,
uint8_t instruction,
double argument,
uint8_t** instruction_address,
double** argument_address);
int yr_parser_emit_with_arg_reloc(
yyscan_t yyscanner,
uint8_t instruction,
void* argument,
uint8_t** instruction_address,
void** argument_address);
int yr_parser_check_types(
YR_COMPILER* compiler,
YR_OBJECT_FUNCTION* function,
const char* actual_args_fmt);
YR_STRING* yr_parser_lookup_string(
yyscan_t yyscanner,
const char* identifier);
int yr_parser_lookup_loop_variable(
yyscan_t yyscanner,
const char* identifier);
YR_RULE* yr_parser_reduce_rule_declaration_phase_1(
yyscan_t yyscanner,
int32_t flags,
const char* identifier);
int yr_parser_reduce_rule_declaration_phase_2(
yyscan_t yyscanner,
YR_RULE* rule);
YR_STRING* yr_parser_reduce_string_declaration(
yyscan_t yyscanner,
int32_t flags,
const char* identifier,
SIZED_STRING* str);
YR_META* yr_parser_reduce_meta_declaration(
yyscan_t yyscanner,
int32_t type,
const char* identifier,
const char* string,
int64_t integer);
int yr_parser_reduce_string_identifier(
yyscan_t yyscanner,
const char* identifier,
uint8_t instruction,
uint64_t at_offset);
int yr_parser_emit_pushes_for_strings(
yyscan_t yyscanner,
const char* identifier);
int yr_parser_reduce_external(
yyscan_t yyscanner,
const char* identifier,
uint8_t instruction);
int yr_parser_reduce_import(
yyscan_t yyscanner,
SIZED_STRING* module_name);
int yr_parser_reduce_operation(
yyscan_t yyscanner,
const char* operation,
EXPRESSION left_operand,
EXPRESSION right_operand);
#endif


@ -1,533 +0,0 @@
/*
Copyright (c) 2013. The YARA Authors. All Rights Reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors
may be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef YR_PE_H
#define YR_PE_H
#include "endian.h"
#include "types.h"
#pragma pack(push, 1)
#if defined(_WIN32) || defined(__CYGWIN__)
#include <windows.h>
// These definitions are not present in older Windows headers.
#ifndef IMAGE_FILE_MACHINE_ARMNT
#define IMAGE_FILE_MACHINE_ARMNT 0x01c4
#endif
#ifndef IMAGE_FILE_MACHINE_ARM64
#define IMAGE_FILE_MACHINE_ARM64 0xaa64
#endif
#else
#include <stdlib.h>
#include "integers.h"
typedef uint8_t BYTE;
typedef uint16_t WORD;
typedef uint32_t DWORD;
typedef int32_t LONG;
typedef uint32_t ULONG;
typedef uint64_t ULONGLONG;
#define FIELD_OFFSET(type, field) ((size_t)&(((type *)0)->field))
#ifndef _MAC
#define IMAGE_DOS_SIGNATURE 0x5A4D // MZ
#define IMAGE_OS2_SIGNATURE 0x454E // NE
#define IMAGE_OS2_SIGNATURE_LE 0x454C // LE
#define IMAGE_VXD_SIGNATURE 0x454C // LE
#define IMAGE_NT_SIGNATURE 0x00004550 // PE00
#else
#define IMAGE_DOS_SIGNATURE 0x4D5A // MZ
#define IMAGE_OS2_SIGNATURE 0x4E45 // NE
#define IMAGE_OS2_SIGNATURE_LE 0x4C45 // LE
#define IMAGE_NT_SIGNATURE 0x50450000 // PE00
#endif
#pragma pack(push, 2)
typedef struct _IMAGE_DOS_HEADER // DOS .EXE header
{
WORD e_magic; // Magic number
WORD e_cblp; // Bytes on last page of file
WORD e_cp; // Pages in file
WORD e_crlc; // Relocations
WORD e_cparhdr; // Size of header in paragraphs
WORD e_minalloc; // Minimum extra paragraphs needed
WORD e_maxalloc; // Maximum extra paragraphs needed
WORD e_ss; // Initial (relative) SS value
WORD e_sp; // Initial SP value
WORD e_csum; // Checksum
WORD e_ip; // Initial IP value
WORD e_cs; // Initial (relative) CS value
WORD e_lfarlc; // File address of relocation table
WORD e_ovno; // Overlay number
WORD e_res[4]; // Reserved words
WORD e_oemid; // OEM identifier (for e_oeminfo)
WORD e_oeminfo; // OEM information; e_oemid specific
WORD e_res2[10]; // Reserved words
LONG e_lfanew; // File address of new exe header
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;
#pragma pack(pop)
//
// File header format.
//
#pragma pack(push,4)
typedef struct _IMAGE_FILE_HEADER
{
WORD Machine;
WORD NumberOfSections;
DWORD TimeDateStamp;
DWORD PointerToSymbolTable;
DWORD NumberOfSymbols;
WORD SizeOfOptionalHeader;
WORD Characteristics;
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
#define IMAGE_SIZEOF_FILE_HEADER 20
#define IMAGE_FILE_RELOCS_STRIPPED 0x0001 // Relocation info stripped from file.
#define IMAGE_FILE_EXECUTABLE_IMAGE 0x0002 // File is executable (i.e. no unresolved external references).
#define IMAGE_FILE_LINE_NUMS_STRIPPED 0x0004 // Line numbers stripped from file.
#define IMAGE_FILE_LOCAL_SYMS_STRIPPED 0x0008 // Local symbols stripped from file.
#define IMAGE_FILE_AGGRESIVE_WS_TRIM 0x0010 // Aggressively trim working set
#define IMAGE_FILE_LARGE_ADDRESS_AWARE 0x0020 // App can handle >2gb addresses
#define IMAGE_FILE_BYTES_REVERSED_LO 0x0080 // Bytes of machine word are reversed.
#define IMAGE_FILE_32BIT_MACHINE 0x0100 // 32 bit word machine.
#define IMAGE_FILE_DEBUG_STRIPPED 0x0200 // Debugging info stripped from file in .DBG file
#define IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP 0x0400 // If Image is on removable media, copy and run from the swap file.
#define IMAGE_FILE_NET_RUN_FROM_SWAP 0x0800 // If Image is on Net, copy and run from the swap file.
#define IMAGE_FILE_SYSTEM 0x1000 // System File.
#define IMAGE_FILE_DLL 0x2000 // File is a DLL.
#define IMAGE_FILE_UP_SYSTEM_ONLY 0x4000 // File should only be run on a UP machine
#define IMAGE_FILE_BYTES_REVERSED_HI 0x8000 // Bytes of machine word are reversed.
#define IMAGE_FILE_MACHINE_UNKNOWN 0x0000
#define IMAGE_FILE_MACHINE_AM33 0x01d3
#define IMAGE_FILE_MACHINE_AMD64 0x8664
#define IMAGE_FILE_MACHINE_ARM 0x01c0
#define IMAGE_FILE_MACHINE_ARMNT 0x01c4
#define IMAGE_FILE_MACHINE_ARM64 0xaa64
#define IMAGE_FILE_MACHINE_EBC 0x0ebc
#define IMAGE_FILE_MACHINE_I386 0x014c
#define IMAGE_FILE_MACHINE_IA64 0x0200
#define IMAGE_FILE_MACHINE_M32R 0x9041
#define IMAGE_FILE_MACHINE_MIPS16 0x0266
#define IMAGE_FILE_MACHINE_MIPSFPU 0x0366
#define IMAGE_FILE_MACHINE_MIPSFPU16 0x0466
#define IMAGE_FILE_MACHINE_POWERPC 0x01f0
#define IMAGE_FILE_MACHINE_POWERPCFP 0x01f1
#define IMAGE_FILE_MACHINE_R4000 0x0166
#define IMAGE_FILE_MACHINE_SH3 0x01a2
#define IMAGE_FILE_MACHINE_SH3DSP 0x01a3
#define IMAGE_FILE_MACHINE_SH4 0x01a6
#define IMAGE_FILE_MACHINE_SH5 0x01a8
#define IMAGE_FILE_MACHINE_THUMB 0x01c2
#define IMAGE_FILE_MACHINE_WCEMIPSV2 0x0169
// Section characteristics
#define IMAGE_SCN_CNT_CODE 0x00000020
#define IMAGE_SCN_CNT_INITIALIZED_DATA 0x00000040
#define IMAGE_SCN_CNT_UNINITIALIZED_DATA 0x00000080
#define IMAGE_SCN_GPREL 0x00008000
#define IMAGE_SCN_MEM_16BIT 0x00020000
#define IMAGE_SCN_LNK_NRELOC_OVFL 0x01000000
#define IMAGE_SCN_MEM_DISCARDABLE 0x02000000
#define IMAGE_SCN_MEM_NOT_CACHED 0x04000000
#define IMAGE_SCN_MEM_NOT_PAGED 0x08000000
#define IMAGE_SCN_MEM_SHARED 0x10000000
#define IMAGE_SCN_MEM_EXECUTE 0x20000000
#define IMAGE_SCN_MEM_READ 0x40000000
#define IMAGE_SCN_MEM_WRITE 0x80000000
//
// Directory format.
//
typedef struct _IMAGE_DATA_DIRECTORY
{
DWORD VirtualAddress;
DWORD Size;
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16
#define IMAGE_DIRECTORY_ENTRY_EXPORT 0 // Export Directory
#define IMAGE_DIRECTORY_ENTRY_IMPORT 1 // Import Directory
#define IMAGE_DIRECTORY_ENTRY_RESOURCE 2 // Resource Directory
#define IMAGE_DIRECTORY_ENTRY_EXCEPTION 3 // Exception Directory
#define IMAGE_DIRECTORY_ENTRY_SECURITY 4 // Security Directory
#define IMAGE_DIRECTORY_ENTRY_BASERELOC 5 // Base Relocation Table
#define IMAGE_DIRECTORY_ENTRY_DEBUG 6 // Debug Directory
#define IMAGE_DIRECTORY_ENTRY_COPYRIGHT 7 // (X86 usage)
#define IMAGE_DIRECTORY_ENTRY_ARCHITECTURE 7 // Architecture Specific Data
#define IMAGE_DIRECTORY_ENTRY_GLOBALPTR 8 // RVA of GP
#define IMAGE_DIRECTORY_ENTRY_TLS 9 // TLS Directory
#define IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 10 // Load Configuration Directory
#define IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 11 // Bound Import Directory in headers
#define IMAGE_DIRECTORY_ENTRY_IAT 12 // Import Address Table
#define IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 13 // Delay Load Import Descriptors
#define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14 // COM Runtime descriptor
//
// Optional header format.
//
typedef struct _IMAGE_OPTIONAL_HEADER32
{
WORD Magic;
BYTE MajorLinkerVersion;
BYTE MinorLinkerVersion;
DWORD SizeOfCode;
DWORD SizeOfInitializedData;
DWORD SizeOfUninitializedData;
DWORD AddressOfEntryPoint;
DWORD BaseOfCode;
DWORD BaseOfData;
DWORD ImageBase;
DWORD SectionAlignment;
DWORD FileAlignment;
WORD MajorOperatingSystemVersion;
WORD MinorOperatingSystemVersion;
WORD MajorImageVersion;
WORD MinorImageVersion;
WORD MajorSubsystemVersion;
WORD MinorSubsystemVersion;
DWORD Win32VersionValue;
DWORD SizeOfImage;
DWORD SizeOfHeaders;
DWORD CheckSum;
WORD Subsystem;
WORD DllCharacteristics;
DWORD SizeOfStackReserve;
DWORD SizeOfStackCommit;
DWORD SizeOfHeapReserve;
DWORD SizeOfHeapCommit;
DWORD LoaderFlags;
DWORD NumberOfRvaAndSizes;
IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;
typedef struct _IMAGE_OPTIONAL_HEADER64
{
WORD Magic;
BYTE MajorLinkerVersion;
BYTE MinorLinkerVersion;
DWORD SizeOfCode;
DWORD SizeOfInitializedData;
DWORD SizeOfUninitializedData;
DWORD AddressOfEntryPoint;
DWORD BaseOfCode;
ULONGLONG ImageBase;
DWORD SectionAlignment;
DWORD FileAlignment;
WORD MajorOperatingSystemVersion;
WORD MinorOperatingSystemVersion;
WORD MajorImageVersion;
WORD MinorImageVersion;
WORD MajorSubsystemVersion;
WORD MinorSubsystemVersion;
DWORD Win32VersionValue;
DWORD SizeOfImage;
DWORD SizeOfHeaders;
DWORD CheckSum;
WORD Subsystem;
WORD DllCharacteristics;
ULONGLONG SizeOfStackReserve;
ULONGLONG SizeOfStackCommit;
ULONGLONG SizeOfHeapReserve;
ULONGLONG SizeOfHeapCommit;
DWORD LoaderFlags;
DWORD NumberOfRvaAndSizes;
IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER64, *PIMAGE_OPTIONAL_HEADER64;
#define IMAGE_NT_OPTIONAL_HDR32_MAGIC 0x10b
#define IMAGE_NT_OPTIONAL_HDR64_MAGIC 0x20b
typedef struct _IMAGE_NT_HEADERS32
{
DWORD Signature;
IMAGE_FILE_HEADER FileHeader;
IMAGE_OPTIONAL_HEADER32 OptionalHeader;
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;
typedef struct _IMAGE_NT_HEADERS64
{
DWORD Signature;
IMAGE_FILE_HEADER FileHeader;
IMAGE_OPTIONAL_HEADER64 OptionalHeader;
} IMAGE_NT_HEADERS64, *PIMAGE_NT_HEADERS64;
// IMAGE_FIRST_SECTION doesn't need 32/64 versions since the file header is
// the same either way.
#define IMAGE_FIRST_SECTION( ntheader ) ((PIMAGE_SECTION_HEADER) \
((BYTE*)ntheader + \
FIELD_OFFSET( IMAGE_NT_HEADERS32, OptionalHeader ) + \
yr_le16toh(((PIMAGE_NT_HEADERS32)(ntheader))->FileHeader.SizeOfOptionalHeader) \
))
// Subsystem Values
#define IMAGE_SUBSYSTEM_UNKNOWN 0
#define IMAGE_SUBSYSTEM_NATIVE 1
#define IMAGE_SUBSYSTEM_WINDOWS_GUI 2
#define IMAGE_SUBSYSTEM_WINDOWS_CUI 3
#define IMAGE_SUBSYSTEM_OS2_CUI 5
#define IMAGE_SUBSYSTEM_POSIX_CUI 7
#define IMAGE_SUBSYSTEM_NATIVE_WINDOWS 8
#define IMAGE_SUBSYSTEM_WINDOWS_CE_GUI 9
#define IMAGE_SUBSYSTEM_EFI_APPLICATION 10
#define IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER 11
#define IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER 12
#define IMAGE_SUBSYSTEM_EFI_ROM_IMAGE 13
#define IMAGE_SUBSYSTEM_XBOX 14
#define IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION 16
// DllCharacteristics values
#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE 0x0040
#define IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY 0x0080
#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT 0x0100
#define IMAGE_DLLCHARACTERISTICS_NO_ISOLATION 0x0200
#define IMAGE_DLLCHARACTERISTICS_NO_SEH 0x0400
#define IMAGE_DLLCHARACTERISTICS_NO_BIND 0x0800
#define IMAGE_DLLCHARACTERISTICS_WDM_DRIVER 0x2000
#define IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE 0x8000
//
// Section header format.
//
#define IMAGE_SIZEOF_SHORT_NAME 8
typedef struct _IMAGE_SECTION_HEADER
{
BYTE Name[IMAGE_SIZEOF_SHORT_NAME];
union
{
DWORD PhysicalAddress;
DWORD VirtualSize;
} Misc;
DWORD VirtualAddress;
DWORD SizeOfRawData;
DWORD PointerToRawData;
DWORD PointerToRelocations;
DWORD PointerToLinenumbers;
WORD NumberOfRelocations;
WORD NumberOfLinenumbers;
DWORD Characteristics;
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;
#define IMAGE_SIZEOF_SECTION_HEADER 40
typedef struct _IMAGE_EXPORT_DIRECTORY
{
DWORD Characteristics;
DWORD TimeDateStamp;
WORD MajorVersion;
WORD MinorVersion;
DWORD Name;
DWORD Base;
DWORD NumberOfFunctions;
DWORD NumberOfNames;
DWORD AddressOfFunctions;
DWORD AddressOfNames;
DWORD AddressOfNameOrdinals;
} IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;
typedef struct _IMAGE_IMPORT_DESCRIPTOR
{
union
{
DWORD Characteristics;
DWORD OriginalFirstThunk;
} ;
DWORD TimeDateStamp;
DWORD ForwarderChain;
DWORD Name;
DWORD FirstThunk;
} IMAGE_IMPORT_DESCRIPTOR, *PIMAGE_IMPORT_DESCRIPTOR;
typedef struct _IMAGE_IMPORT_BY_NAME
{
WORD Hint;
BYTE Name[1];
} IMAGE_IMPORT_BY_NAME, *PIMAGE_IMPORT_BY_NAME;
typedef struct _IMAGE_THUNK_DATA32
{
union
{
DWORD ForwarderString;
DWORD Function;
DWORD Ordinal;
DWORD AddressOfData;
} u1;
} IMAGE_THUNK_DATA32, *PIMAGE_THUNK_DATA32;
#define IMAGE_ORDINAL_FLAG32 0x80000000
#define IMAGE_ORDINAL_FLAG64 0x8000000000000000L
typedef struct _IMAGE_THUNK_DATA64
{
union
{
ULONGLONG ForwarderString;
ULONGLONG Function;
ULONGLONG Ordinal;
ULONGLONG AddressOfData;
} u1;
} IMAGE_THUNK_DATA64, *PIMAGE_THUNK_DATA64;
typedef struct _IMAGE_RESOURCE_DIRECTORY_ENTRY
{
DWORD Name;
DWORD OffsetToData;
} IMAGE_RESOURCE_DIRECTORY_ENTRY, *PIMAGE_RESOURCE_DIRECTORY_ENTRY;
typedef struct _IMAGE_RESOURCE_DATA_ENTRY
{
DWORD OffsetToData;
DWORD Size;
DWORD CodePage;
DWORD Reserved;
} IMAGE_RESOURCE_DATA_ENTRY, *PIMAGE_RESOURCE_DATA_ENTRY;
typedef struct _IMAGE_RESOURCE_DIRECTORY
{
DWORD Characteristics;
DWORD TimeDateStamp;
WORD MajorVersion;
WORD MinorVersion;
WORD NumberOfNamedEntries;
WORD NumberOfIdEntries;
} IMAGE_RESOURCE_DIRECTORY, *PIMAGE_RESOURCE_DIRECTORY;
#pragma pack(pop)
#endif // _WIN32
typedef struct _VERSION_INFO
{
WORD Length;
WORD ValueLength;
WORD Type;
char Key[0];
} VERSION_INFO, *PVERSION_INFO;
#define WIN_CERT_REVISION_1_0 0x0100
#define WIN_CERT_REVISION_2_0 0x0200
#define WIN_CERT_TYPE_X509 0x0001
#define WIN_CERT_TYPE_PKCS_SIGNED_DATA 0x0002
#define WIN_CERT_TYPE_RESERVED_1 0x0003
#define WIN_CERT_TYPE_TS_STACK_SIGNED 0x0004
typedef struct _WIN_CERTIFICATE
{
DWORD Length;
WORD Revision;
WORD CertificateType;
BYTE Certificate[0];
} WIN_CERTIFICATE, *PWIN_CERTIFICATE;
//
// Rich signature.
// http://www.ntcore.com/files/richsign.htm
//
#define RICH_VERSION_ID(id_version) (id_version >> 16)
#define RICH_VERSION_VERSION(id_version) (id_version & 0xFFFF)
typedef struct _RICH_VERSION_INFO
{
DWORD id_version; //tool id and version (use RICH_VERSION_ID and RICH_VERSION_VERSION macros)
DWORD times; //number of times this tool was used
} RICH_VERSION_INFO, *PRICH_VERSION_INFO;
typedef struct _RICH_SIGNATURE
{
DWORD dans;
DWORD key1;
DWORD key2;
DWORD key3;
RICH_VERSION_INFO versions[0];
} RICH_SIGNATURE, *PRICH_SIGNATURE;
#define RICH_DANS 0x536e6144 // "DanS"
#define RICH_RICH 0x68636952 // "Rich"
#pragma pack(pop)
#endif


@ -1,114 +0,0 @@
#ifndef YR_PE_UTILS_H
#define YR_PE_UTILS_H
#include <yara/pe.h>
#define MAX_PE_SECTIONS 96
#define IS_64BITS_PE(pe) \
(yr_le16toh(pe->header64->OptionalHeader.Magic) == IMAGE_NT_OPTIONAL_HDR64_MAGIC)
#define OptionalHeader(pe,field) \
(IS_64BITS_PE(pe) ? \
pe->header64->OptionalHeader.field : \
pe->header->OptionalHeader.field)
//
// Imports are stored in a linked list. Each node (IMPORTED_DLL) contains the
// name of the DLL and a pointer to another linked list of
// IMPORT_EXPORT_FUNCTION structures containing the details of imported
// functions.
//
typedef struct _IMPORTED_DLL
{
char* name;
struct _IMPORT_EXPORT_FUNCTION* functions;
struct _IMPORTED_DLL* next;
} IMPORTED_DLL, *PIMPORTED_DLL;
//
// This is used to track imported and exported functions. The "has_ordinal"
// field is only used in the case of imports as those are optional. Every export
// has an ordinal so we don't need the field there, but in the interest of
// keeping duplicate code to a minimum we use this function for both imports and
// exports.
//
typedef struct _IMPORT_EXPORT_FUNCTION
{
char* name;
uint8_t has_ordinal;
uint16_t ordinal;
struct _IMPORT_EXPORT_FUNCTION* next;
} IMPORT_EXPORT_FUNCTION, *PIMPORT_EXPORT_FUNCTION;
typedef struct _PE
{
uint8_t* data;
size_t data_size;
union
{
PIMAGE_NT_HEADERS32 header;
PIMAGE_NT_HEADERS64 header64;
};
YR_OBJECT* object;
IMPORTED_DLL* imported_dlls;
IMPORT_EXPORT_FUNCTION* exported_functions;
uint32_t resources;
} PE;
#define fits_in_pe(pe, pointer, size) \
((size_t) size <= pe->data_size && \
(uint8_t*) (pointer) >= pe->data && \
(uint8_t*) (pointer) <= pe->data + pe->data_size - size)
#define struct_fits_in_pe(pe, pointer, struct_type) \
fits_in_pe(pe, pointer, sizeof(struct_type))
PIMAGE_NT_HEADERS32 pe_get_header(
uint8_t* data,
size_t data_size);
PIMAGE_DATA_DIRECTORY pe_get_directory_entry(
PE* pe,
int entry);
PIMAGE_DATA_DIRECTORY pe_get_directory_entry(
PE* pe,
int entry);
int64_t pe_rva_to_offset(
PE* pe,
uint64_t rva);
char* ord_lookup(
char* dll,
uint16_t ord);
#if HAVE_LIBCRYPTO
#include <openssl/asn1.h>
time_t ASN1_get_time_t(ASN1_TIME* time);
#endif
#endif


@ -1,42 +0,0 @@
/*
Copyright (c) 2007. The YARA Authors. All Rights Reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors
may be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef YR_PROC_H
#define YR_PROC_H
#include "types.h"
int yr_process_open_iterator(
int pid,
YR_MEMORY_BLOCK_ITERATOR* iterator);
int yr_process_close_iterator(
YR_MEMORY_BLOCK_ITERATOR* iterator);
#endif


@ -1,272 +0,0 @@
/*
Copyright (c) 2013. The YARA Authors. All Rights Reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors
may be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef YR_RE_H
#define YR_RE_H
#include <ctype.h>
#include "arena.h"
#include "sizedstr.h"
#define RE_NODE_LITERAL 1
#define RE_NODE_MASKED_LITERAL 2
#define RE_NODE_ANY 3
#define RE_NODE_CONCAT 4
#define RE_NODE_ALT 5
#define RE_NODE_RANGE 6
#define RE_NODE_STAR 7
#define RE_NODE_PLUS 8
#define RE_NODE_CLASS 9
#define RE_NODE_WORD_CHAR 10
#define RE_NODE_NON_WORD_CHAR 11
#define RE_NODE_SPACE 12
#define RE_NODE_NON_SPACE 13
#define RE_NODE_DIGIT 14
#define RE_NODE_NON_DIGIT 15
#define RE_NODE_EMPTY 16
#define RE_NODE_ANCHOR_START 17
#define RE_NODE_ANCHOR_END 18
#define RE_NODE_WORD_BOUNDARY 19
#define RE_NODE_NON_WORD_BOUNDARY 20
#define RE_NODE_RANGE_ANY 21
#define RE_OPCODE_ANY 0xA0
#define RE_OPCODE_ANY_EXCEPT_NEW_LINE 0xA1
#define RE_OPCODE_LITERAL 0xA2
#define RE_OPCODE_MASKED_LITERAL 0xA4
#define RE_OPCODE_CLASS 0xA5
#define RE_OPCODE_WORD_CHAR 0xA7
#define RE_OPCODE_NON_WORD_CHAR 0xA8
#define RE_OPCODE_SPACE 0xA9
#define RE_OPCODE_NON_SPACE 0xAA
#define RE_OPCODE_DIGIT 0xAB
#define RE_OPCODE_NON_DIGIT 0xAC
#define RE_OPCODE_MATCH 0xAD
#define RE_OPCODE_MATCH_AT_END 0xB0
#define RE_OPCODE_MATCH_AT_START 0xB1
#define RE_OPCODE_WORD_BOUNDARY 0xB2
#define RE_OPCODE_NON_WORD_BOUNDARY 0xB3
#define RE_OPCODE_REPEAT_ANY_GREEDY 0xB4
#define RE_OPCODE_REPEAT_ANY_UNGREEDY 0xB5
#define RE_OPCODE_SPLIT_A 0xC0
#define RE_OPCODE_SPLIT_B 0xC1
#define RE_OPCODE_JUMP 0xC2
#define RE_OPCODE_REPEAT_START_GREEDY 0xC3
#define RE_OPCODE_REPEAT_END_GREEDY 0xC4
#define RE_OPCODE_REPEAT_START_UNGREEDY 0xC5
#define RE_OPCODE_REPEAT_END_UNGREEDY 0xC6
#define RE_FLAGS_FAST_REGEXP 0x02
#define RE_FLAGS_BACKWARDS 0x04
#define RE_FLAGS_EXHAUSTIVE 0x08
#define RE_FLAGS_WIDE 0x10
#define RE_FLAGS_NO_CASE 0x20
#define RE_FLAGS_SCAN 0x40
#define RE_FLAGS_DOT_ALL 0x80
#define RE_FLAGS_GREEDY 0x400
#define RE_FLAGS_UNGREEDY 0x800
typedef struct RE RE;
typedef struct RE_AST RE_AST;
typedef struct RE_NODE RE_NODE;
typedef struct RE_ERROR RE_ERROR;
typedef uint8_t RE_SPLIT_ID_TYPE;
struct RE_NODE
{
int type;
union
{
int value;
int count;
int start;
};
union
{
int mask;
int end;
};
int greedy;
uint8_t* class_vector;
RE_NODE* left;
RE_NODE* right;
uint8_t* forward_code;
uint8_t* backward_code;
};
struct RE_AST
{
uint32_t flags;
RE_NODE* root_node;
};
// Disable warning due to zero length array in Microsoft's compiler
#ifdef _MSC_VER
#pragma warning(push)
#pragma warning(disable:4200)
#endif
struct RE
{
uint32_t flags;
uint8_t code[0];
};
#ifdef _MSC_VER
#pragma warning(pop)
#endif
struct RE_ERROR
{
char message[512];
};
typedef int RE_MATCH_CALLBACK_FUNC(
uint8_t* match,
int match_length,
int flags,
void* args);
int yr_re_ast_create(
RE_AST** re_ast);
void yr_re_ast_destroy(
RE_AST* re_ast);
void yr_re_ast_print(
RE_AST* re_ast);
SIZED_STRING* yr_re_ast_extract_literal(
RE_AST* re_ast);
int yr_re_ast_contains_dot_star(
RE_AST* re_ast);
int yr_re_ast_split_at_chaining_point(
RE_AST* re_ast,
RE_AST** result_re_ast,
RE_AST** remainder_re_ast,
int32_t* min_gap,
int32_t* max_gap);
int yr_re_ast_emit_code(
RE_AST* re_ast,
YR_ARENA* arena,
int backwards_code);
RE_NODE* yr_re_node_create(
int type,
RE_NODE* left,
RE_NODE* right);
void yr_re_node_destroy(
RE_NODE* node);
int yr_re_exec(
uint8_t* re_code,
uint8_t* input,
size_t input_forwards_size,
size_t input_backwards_size,
int flags,
RE_MATCH_CALLBACK_FUNC callback,
void* callback_args,
int* matches);
int yr_re_fast_exec(
uint8_t* code,
uint8_t* input_data,
size_t input_forwards_size,
size_t input_backwards_size,
int flags,
RE_MATCH_CALLBACK_FUNC callback,
void* callback_args,
int* matches);
int yr_re_parse(
const char* re_string,
RE_AST** re_ast,
RE_ERROR* error);
int yr_re_parse_hex(
const char* hex_string,
RE_AST** re_ast,
RE_ERROR* error);
int yr_re_compile(
const char* re_string,
int flags,
YR_ARENA* code_arena,
RE** re,
RE_ERROR* error);
int yr_re_match(
RE* re,
const char* target);
int yr_re_initialize(void);
int yr_re_finalize(void);
int yr_re_finalize_thread(void);
#endif


@ -1,109 +0,0 @@
/*
Copyright (c) 2013. The YARA Authors. All Rights Reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors
may be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#undef yyparse
#undef yylex
#undef yyerror
#undef yyfatal
#undef yychar
#undef yydebug
#undef yynerrs
#undef yyget_extra
#undef yyget_lineno
#undef YY_FATAL_ERROR
#undef YY_DECL
#undef LEX_ENV
#define yyparse re_yyparse
#define yylex re_yylex
#define yyerror re_yyerror
#define yyfatal re_yyfatal
#define yychar re_yychar
#define yydebug re_yydebug
#define yynerrs re_yynerrs
#define yyget_extra re_yyget_extra
#define yyget_lineno re_yyget_lineno
#ifndef YY_TYPEDEF_YY_SCANNER_T
#define YY_TYPEDEF_YY_SCANNER_T
typedef void* yyscan_t;
#endif
#define YY_EXTRA_TYPE RE_AST*
#define YY_USE_CONST
typedef struct _RE_LEX_ENVIRONMENT
{
int negated_class;
uint8_t class_vector[32];
int last_error_code;
char last_error_message[256];
} RE_LEX_ENVIRONMENT;
#define LEX_ENV ((RE_LEX_ENVIRONMENT*) lex_env)
#define YY_FATAL_ERROR(msg) re_yyfatal(yyscanner, msg)
#include <re_grammar.h>
#define YY_DECL int re_yylex \
(YYSTYPE * yylval_param , yyscan_t yyscanner, RE_LEX_ENVIRONMENT* lex_env)
YY_EXTRA_TYPE yyget_extra(
yyscan_t yyscanner);
int yylex(
YYSTYPE* yylval_param,
yyscan_t yyscanner,
RE_LEX_ENVIRONMENT* lex_env);
int yyparse(
void* yyscanner,
RE_LEX_ENVIRONMENT* lex_env);
void yyerror(
yyscan_t yyscanner,
RE_LEX_ENVIRONMENT* lex_env,
const char* error_message);
void yyfatal(
yyscan_t yyscanner,
const char* error_message);
int yr_parse_re_string(
const char* re_string,
RE_AST** re_ast,
RE_ERROR* error);


@ -1,159 +0,0 @@
/*
Copyright (c) 2014. The YARA Authors. All Rights Reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors
may be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef YR_RULES_H
#define YR_RULES_H
#include "types.h"
#include "utils.h"
#include "filemap.h"
#define CALLBACK_MSG_RULE_MATCHING 1
#define CALLBACK_MSG_RULE_NOT_MATCHING 2
#define CALLBACK_MSG_SCAN_FINISHED 3
#define CALLBACK_MSG_IMPORT_MODULE 4
#define CALLBACK_MSG_MODULE_IMPORTED 5
#define CALLBACK_CONTINUE 0
#define CALLBACK_ABORT 1
#define CALLBACK_ERROR 2
#define yr_rule_tags_foreach(rule, tag_name) \
for (tag_name = rule->tags; \
tag_name != NULL && *tag_name != '\0'; \
tag_name += strlen(tag_name) + 1)
#define yr_rule_metas_foreach(rule, meta) \
for (meta = rule->metas; !META_IS_NULL(meta); meta++)
#define yr_rule_strings_foreach(rule, string) \
for (string = rule->strings; !STRING_IS_NULL(string); string++)
#define yr_string_matches_foreach(string, match) \
for (match = STRING_MATCHES(string).head; match != NULL; match = match->next)
#define yr_rules_foreach(rules, rule) \
for (rule = rules->rules_list_head; !RULE_IS_NULL(rule); rule++)
YR_API int yr_rules_scan_mem(
YR_RULES* rules,
uint8_t* buffer,
size_t buffer_size,
int flags,
YR_CALLBACK_FUNC callback,
void* user_data,
int timeout);
YR_API int yr_rules_scan_file(
YR_RULES* rules,
const char* filename,
int flags,
YR_CALLBACK_FUNC callback,
void* user_data,
int timeout);
YR_API int yr_rules_scan_fd(
YR_RULES* rules,
YR_FILE_DESCRIPTOR fd,
int flags,
YR_CALLBACK_FUNC callback,
void* user_data,
int timeout);
YR_API int yr_rules_scan_proc(
YR_RULES* rules,
int pid,
int flags,
YR_CALLBACK_FUNC callback,
void* user_data,
int timeout);
YR_API int yr_rules_save(
YR_RULES* rules,
const char* filename);
YR_API int yr_rules_save_stream(
YR_RULES* rules,
YR_STREAM* stream);
YR_API int yr_rules_load(
const char* filename,
YR_RULES** rules);
YR_API int yr_rules_load_stream(
YR_STREAM* stream,
YR_RULES** rules);
YR_API int yr_rules_destroy(
YR_RULES* rules);
YR_API int yr_rules_define_integer_variable(
YR_RULES* rules,
const char* identifier,
int64_t value);
YR_API int yr_rules_define_boolean_variable(
YR_RULES* rules,
const char* identifier,
int value);
YR_API int yr_rules_define_float_variable(
YR_RULES* rules,
const char* identifier,
double value);
YR_API int yr_rules_define_string_variable(
YR_RULES* rules,
const char* identifier,
const char* value);
YR_API void yr_rules_print_profiling_info(
YR_RULES* rules);
#endif


@ -1,49 +0,0 @@
/*
Copyright (c) 2014. The YARA Authors. All Rights Reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors
may be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef YR_SCAN_H
#define YR_SCAN_H
#include "types.h"
// Bitmasks for flags.
#define SCAN_FLAGS_FAST_MODE 1
#define SCAN_FLAGS_PROCESS_MEMORY 2
#define SCAN_FLAGS_NO_TRYCATCH 4
int yr_scan_verify_match(
YR_SCAN_CONTEXT* context,
YR_AC_MATCH* ac_match,
uint8_t* data,
size_t data_size,
size_t data_base,
size_t offset);
#endif


@ -1,70 +0,0 @@
/*
Copyright (c) 2007-2014. The YARA Authors. All Rights Reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors
may be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef _SIZEDSTR_H
#define _SIZEDSTR_H
#include <stddef.h>
#include "integers.h"
//
// This struct is used to support strings containing null chars. The length of
// the string is stored along the string data. However the string data is also
// terminated with a null char.
//
#define SIZED_STRING_FLAGS_NO_CASE 1
#define SIZED_STRING_FLAGS_DOT_ALL 2
#pragma pack(push)
#pragma pack(8)
typedef struct _SIZED_STRING
{
uint32_t length;
uint32_t flags;
char c_string[1];
} SIZED_STRING;
#pragma pack(pop)
int sized_string_cmp(
SIZED_STRING* s1,
SIZED_STRING* s2);
SIZED_STRING* sized_string_dup(
SIZED_STRING* s);
#endif


@ -1,72 +0,0 @@
/*
Copyright (c) 2015. The YARA Authors. All Rights Reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors
may be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef YR_STREAM_H
#define YR_STREAM_H
#include <stddef.h>
typedef size_t (*YR_STREAM_READ_FUNC)(
void* ptr,
size_t size,
size_t count,
void* user_data);
typedef size_t (*YR_STREAM_WRITE_FUNC)(
const void* ptr,
size_t size,
size_t count,
void* user_data);
typedef struct _YR_STREAM
{
void* user_data;
YR_STREAM_READ_FUNC read;
YR_STREAM_WRITE_FUNC write;
} YR_STREAM;
size_t yr_stream_read(
void* ptr,
size_t size,
size_t count,
YR_STREAM* stream);
size_t yr_stream_write(
const void* ptr,
size_t size,
size_t count,
YR_STREAM* stream);
#endif


@ -1,91 +0,0 @@
/*
Copyright (c) 2007-2014. The YARA Authors. All Rights Reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors
may be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef YR_STRUTILS_H
#define YR_STRUTILS_H
#include <assert.h>
#include <stdlib.h>
#include "integers.h"
// Cygwin already has these functions.
#if defined(_WIN32) && !defined(__CYGWIN__)
#if defined(_MSC_VER) && _MSC_VER < 1900
#define snprintf _snprintf
#endif
#define strcasecmp _stricmp
#define strncasecmp _strnicmp
#endif
uint64_t xtoi(
const char* hexstr);
#if !HAVE_STRLCPY && !defined(strlcpy)
size_t strlcpy(
char* dst,
const char* src,
size_t size);
#endif
#if !HAVE_STRLCAT && !defined(strlcat)
size_t strlcat(
char* dst,
const char* src,
size_t size);
#endif
#if !HAVE_MEMMEM && !defined(memmem)
void* memmem(
const void* haystack,
size_t haystack_size,
const void* needle,
size_t needle_size);
#endif
int strnlen_w(
const char* w_str);
int strcmp_w(
const char* w_str,
const char* str);
size_t strlcpy_w(
char* dst,
const char* w_src,
size_t n);
#endif


@ -1,65 +0,0 @@
/*
Copyright (c) 2016. The YARA Authors. All Rights Reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors
may be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef YR_MUTEX_H
#define YR_MUTEX_H
#if defined(_WIN32) || defined(__CYGWIN__)
#include <windows.h>
typedef DWORD YR_THREAD_ID;
typedef DWORD YR_THREAD_STORAGE_KEY;
typedef HANDLE YR_MUTEX;
#else
#include <pthread.h>
typedef pthread_t YR_THREAD_ID;
typedef pthread_key_t YR_THREAD_STORAGE_KEY;
typedef pthread_mutex_t YR_MUTEX;
#endif
YR_THREAD_ID yr_current_thread_id(void);
int yr_mutex_create(YR_MUTEX*);
int yr_mutex_destroy(YR_MUTEX*);
int yr_mutex_lock(YR_MUTEX*);
int yr_mutex_unlock(YR_MUTEX*);
int yr_thread_storage_create(YR_THREAD_STORAGE_KEY*);
int yr_thread_storage_destroy(YR_THREAD_STORAGE_KEY*);
int yr_thread_storage_set_value(YR_THREAD_STORAGE_KEY*, void*);
void* yr_thread_storage_get_value(YR_THREAD_STORAGE_KEY*);
#endif


@ -1,566 +0,0 @@
/*
Copyright (c) 2013. The YARA Authors. All Rights Reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors
may be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef YR_TYPES_H
#define YR_TYPES_H
#include "arena.h"
#include "re.h"
#include "limits.h"
#include "hash.h"
#include "utils.h"
#include "threading.h"
#ifdef PROFILING_ENABLED
#include <time.h>
#endif
#define DECLARE_REFERENCE(type, name) \
union { type name; int64_t name##_; } YR_ALIGN(8)
#define NAMESPACE_TFLAGS_UNSATISFIED_GLOBAL 0x01
#define STRING_GFLAGS_REFERENCED 0x01
#define STRING_GFLAGS_HEXADECIMAL 0x02
#define STRING_GFLAGS_NO_CASE 0x04
#define STRING_GFLAGS_ASCII 0x08
#define STRING_GFLAGS_WIDE 0x10
#define STRING_GFLAGS_REGEXP 0x20
#define STRING_GFLAGS_FAST_REGEXP 0x40
#define STRING_GFLAGS_FULL_WORD 0x80
#define STRING_GFLAGS_ANONYMOUS 0x100
#define STRING_GFLAGS_SINGLE_MATCH 0x200
#define STRING_GFLAGS_LITERAL 0x400
#define STRING_GFLAGS_FITS_IN_ATOM 0x800
#define STRING_GFLAGS_NULL 0x1000
#define STRING_GFLAGS_CHAIN_PART 0x2000
#define STRING_GFLAGS_CHAIN_TAIL 0x4000
#define STRING_GFLAGS_FIXED_OFFSET 0x8000
#define STRING_GFLAGS_GREEDY_REGEXP 0x10000
#define STRING_GFLAGS_DOT_ALL 0x20000
#define STRING_IS_HEX(x) \
(((x)->g_flags) & STRING_GFLAGS_HEXADECIMAL)
#define STRING_IS_NO_CASE(x) \
(((x)->g_flags) & STRING_GFLAGS_NO_CASE)
#define STRING_IS_DOT_ALL(x) \
(((x)->g_flags) & STRING_GFLAGS_DOT_ALL)
#define STRING_IS_ASCII(x) \
(((x)->g_flags) & STRING_GFLAGS_ASCII)
#define STRING_IS_WIDE(x) \
(((x)->g_flags) & STRING_GFLAGS_WIDE)
#define STRING_IS_REGEXP(x) \
(((x)->g_flags) & STRING_GFLAGS_REGEXP)
#define STRING_IS_GREEDY_REGEXP(x) \
(((x)->g_flags) & STRING_GFLAGS_GREEDY_REGEXP)
#define STRING_IS_FULL_WORD(x) \
(((x)->g_flags) & STRING_GFLAGS_FULL_WORD)
#define STRING_IS_ANONYMOUS(x) \
(((x)->g_flags) & STRING_GFLAGS_ANONYMOUS)
#define STRING_IS_REFERENCED(x) \
(((x)->g_flags) & STRING_GFLAGS_REFERENCED)
#define STRING_IS_SINGLE_MATCH(x) \
(((x)->g_flags) & STRING_GFLAGS_SINGLE_MATCH)
#define STRING_IS_FIXED_OFFSET(x) \
(((x)->g_flags) & STRING_GFLAGS_FIXED_OFFSET)
#define STRING_IS_LITERAL(x) \
(((x)->g_flags) & STRING_GFLAGS_LITERAL)
#define STRING_IS_FAST_REGEXP(x) \
(((x)->g_flags) & STRING_GFLAGS_FAST_REGEXP)
#define STRING_IS_CHAIN_PART(x) \
(((x)->g_flags) & STRING_GFLAGS_CHAIN_PART)
#define STRING_IS_CHAIN_TAIL(x) \
(((x)->g_flags) & STRING_GFLAGS_CHAIN_TAIL)
#define STRING_IS_NULL(x) \
((x) == NULL || ((x)->g_flags) & STRING_GFLAGS_NULL)
#define STRING_FITS_IN_ATOM(x) \
(((x)->g_flags) & STRING_GFLAGS_FITS_IN_ATOM)
#define STRING_FOUND(x) \
((x)->matches[yr_get_tidx()].tail != NULL)
#define STRING_MATCHES(x) \
((x)->matches[yr_get_tidx()])
#define RULE_TFLAGS_MATCH 0x01
#define RULE_GFLAGS_PRIVATE 0x01
#define RULE_GFLAGS_GLOBAL 0x02
#define RULE_GFLAGS_REQUIRE_EXECUTABLE 0x04
#define RULE_GFLAGS_REQUIRE_FILE 0x08
#define RULE_GFLAGS_NULL 0x1000
#define RULE_IS_PRIVATE(x) \
(((x)->g_flags) & RULE_GFLAGS_PRIVATE)
#define RULE_IS_GLOBAL(x) \
(((x)->g_flags) & RULE_GFLAGS_GLOBAL)
#define RULE_IS_NULL(x) \
(((x)->g_flags) & RULE_GFLAGS_NULL)
#define RULE_MATCHES(x) \
((x)->t_flags[yr_get_tidx()] & RULE_TFLAGS_MATCH)
#define META_TYPE_NULL 0
#define META_TYPE_INTEGER 1
#define META_TYPE_STRING 2
#define META_TYPE_BOOLEAN 3
#define META_IS_NULL(x) \
((x) != NULL ? (x)->type == META_TYPE_NULL : TRUE)
#define EXTERNAL_VARIABLE_TYPE_NULL 0
#define EXTERNAL_VARIABLE_TYPE_FLOAT 1
#define EXTERNAL_VARIABLE_TYPE_INTEGER 2
#define EXTERNAL_VARIABLE_TYPE_BOOLEAN 3
#define EXTERNAL_VARIABLE_TYPE_STRING 4
#define EXTERNAL_VARIABLE_TYPE_MALLOC_STRING 5
#define EXTERNAL_VARIABLE_IS_NULL(x) \
((x) != NULL ? (x)->type == EXTERNAL_VARIABLE_TYPE_NULL : TRUE)
#pragma pack(push)
#pragma pack(8)
typedef struct _YR_NAMESPACE
{
int32_t t_flags[MAX_THREADS]; // Thread-specific flags
DECLARE_REFERENCE(char*, name);
} YR_NAMESPACE;
typedef struct _YR_META
{
int32_t type;
YR_ALIGN(8) int64_t integer;
DECLARE_REFERENCE(const char*, identifier);
DECLARE_REFERENCE(char*, string);
} YR_META;
struct _YR_MATCH;
typedef struct _YR_MATCHES
{
int32_t count;
DECLARE_REFERENCE(struct _YR_MATCH*, head);
DECLARE_REFERENCE(struct _YR_MATCH*, tail);
} YR_MATCHES;
typedef struct _YR_STRING
{
int32_t g_flags;
int32_t length;
DECLARE_REFERENCE(char*, identifier);
DECLARE_REFERENCE(uint8_t*, string);
DECLARE_REFERENCE(struct _YR_STRING*, chained_to);
int32_t chain_gap_min;
int32_t chain_gap_max;
int64_t fixed_offset;
YR_MATCHES matches[MAX_THREADS];
YR_MATCHES unconfirmed_matches[MAX_THREADS];
#ifdef PROFILING_ENABLED
clock_t clock_ticks;
#endif
} YR_STRING;
typedef struct _YR_RULE
{
int32_t g_flags; // Global flags
int32_t t_flags[MAX_THREADS]; // Thread-specific flags
DECLARE_REFERENCE(const char*, identifier);
DECLARE_REFERENCE(const char*, tags);
DECLARE_REFERENCE(YR_META*, metas);
DECLARE_REFERENCE(YR_STRING*, strings);
DECLARE_REFERENCE(YR_NAMESPACE*, ns);
#ifdef PROFILING_ENABLED
clock_t clock_ticks;
#endif
} YR_RULE;
typedef struct _YR_EXTERNAL_VARIABLE
{
int32_t type;
YR_ALIGN(8) union
{
int64_t i;
double f;
char* s;
} value;
DECLARE_REFERENCE(char*, identifier);
} YR_EXTERNAL_VARIABLE;
typedef struct _YR_AC_MATCH
{
uint16_t backtrack;
DECLARE_REFERENCE(YR_STRING*, string);
DECLARE_REFERENCE(uint8_t*, forward_code);
DECLARE_REFERENCE(uint8_t*, backward_code);
DECLARE_REFERENCE(struct _YR_AC_MATCH*, next);
} YR_AC_MATCH;
typedef struct _YR_AC_MATCH_TABLE_ENTRY
{
DECLARE_REFERENCE(YR_AC_MATCH*, match);
} YR_AC_MATCH_TABLE_ENTRY;
typedef uint64_t YR_AC_TRANSITION;
typedef YR_AC_TRANSITION* YR_AC_TRANSITION_TABLE;
typedef YR_AC_MATCH_TABLE_ENTRY* YR_AC_MATCH_TABLE;
typedef struct _YARA_RULES_FILE_HEADER
{
DECLARE_REFERENCE(YR_RULE*, rules_list_head);
DECLARE_REFERENCE(YR_EXTERNAL_VARIABLE*, externals_list_head);
DECLARE_REFERENCE(uint8_t*, code_start);
DECLARE_REFERENCE(YR_AC_MATCH_TABLE, match_table);
DECLARE_REFERENCE(YR_AC_TRANSITION_TABLE, transition_table);
} YARA_RULES_FILE_HEADER;
#pragma pack(pop)
//
// Structs defined below are never stored in the compiled rules file
//
typedef struct _YR_MATCH
{
int64_t base; // Base address for the match
int64_t offset; // Offset relative to base for the match
int32_t match_length; // Match length
int32_t data_length;
// Pointer to a buffer containing a portion of the matched data. The size of
// the buffer is data_length. data_length is always <= length and is limited
// to MAX_MATCH_DATA bytes.
uint8_t* data;
// If the match belongs to a chained string chain_length contains the
// length of the chain. This field is used only in unconfirmed matches.
int32_t chain_length;
struct _YR_MATCH* prev;
struct _YR_MATCH* next;
} YR_MATCH;
struct _YR_AC_STATE;
typedef struct _YR_AC_STATE
{
uint8_t depth;
uint8_t input;
uint32_t t_table_slot;
struct _YR_AC_STATE* failure;
struct _YR_AC_STATE* first_child;
struct _YR_AC_STATE* siblings;
YR_AC_MATCH* matches;
} YR_AC_STATE;
typedef struct _YR_AC_AUTOMATON
{
// Both m_table and t_table have the same number of elements, which is
// stored in tables_size.
uint32_t tables_size;
uint32_t t_table_unused_candidate;
YR_AC_TRANSITION_TABLE t_table;
YR_AC_MATCH_TABLE m_table;
YR_AC_STATE* root;
} YR_AC_AUTOMATON;
typedef struct _YR_RULES
{
unsigned char tidx_mask[YR_BITARRAY_NCHARS(MAX_THREADS)];
uint8_t* code_start;
YR_MUTEX mutex;
YR_ARENA* arena;
YR_RULE* rules_list_head;
YR_EXTERNAL_VARIABLE* externals_list_head;
YR_AC_TRANSITION_TABLE transition_table;
YR_AC_MATCH_TABLE match_table;
} YR_RULES;
struct _YR_MEMORY_BLOCK;
struct _YR_MEMORY_BLOCK_ITERATOR;
typedef uint8_t* (*YR_MEMORY_BLOCK_FETCH_DATA_FUNC)(
struct _YR_MEMORY_BLOCK* self);
typedef struct _YR_MEMORY_BLOCK* (*YR_MEMORY_BLOCK_ITERATOR_FUNC)(
struct _YR_MEMORY_BLOCK_ITERATOR* self);
typedef struct _YR_MEMORY_BLOCK
{
size_t size;
size_t base;
void* context;
YR_MEMORY_BLOCK_FETCH_DATA_FUNC fetch_data;
} YR_MEMORY_BLOCK;
typedef struct _YR_MEMORY_BLOCK_ITERATOR
{
void* context;
YR_MEMORY_BLOCK_ITERATOR_FUNC first;
YR_MEMORY_BLOCK_ITERATOR_FUNC next;
} YR_MEMORY_BLOCK_ITERATOR;
typedef int (*YR_CALLBACK_FUNC)(
int message,
void* message_data,
void* user_data);
typedef struct _YR_SCAN_CONTEXT
{
uint64_t file_size;
uint64_t entry_point;
int flags;
int tidx;
void* user_data;
YR_MEMORY_BLOCK_ITERATOR* iterator;
YR_HASH_TABLE* objects_table;
YR_CALLBACK_FUNC callback;
YR_ARENA* matches_arena;
YR_ARENA* matching_strings_arena;
} YR_SCAN_CONTEXT;
struct _YR_OBJECT;
typedef union _YR_VALUE
{
int64_t i;
double d;
void* p;
struct _YR_OBJECT* o;
YR_STRING* s;
SIZED_STRING* ss;
RE* re;
} YR_VALUE;
#define OBJECT_COMMON_FIELDS \
int8_t type; \
const char* identifier; \
struct _YR_OBJECT* parent; \
void* data;
typedef struct _YR_OBJECT
{
OBJECT_COMMON_FIELDS
YR_VALUE value;
} YR_OBJECT;
typedef struct _YR_OBJECT_STRUCTURE
{
OBJECT_COMMON_FIELDS
struct _YR_STRUCTURE_MEMBER* members;
} YR_OBJECT_STRUCTURE;
typedef struct _YR_OBJECT_ARRAY
{
OBJECT_COMMON_FIELDS
YR_OBJECT* prototype_item;
struct _YR_ARRAY_ITEMS* items;
} YR_OBJECT_ARRAY;
typedef struct _YR_OBJECT_DICTIONARY
{
OBJECT_COMMON_FIELDS
YR_OBJECT* prototype_item;
struct _YR_DICTIONARY_ITEMS* items;
} YR_OBJECT_DICTIONARY;
struct _YR_OBJECT_FUNCTION;
typedef int (*YR_MODULE_FUNC)(
YR_VALUE* args,
YR_SCAN_CONTEXT* context,
struct _YR_OBJECT_FUNCTION* function_obj);
typedef struct _YR_OBJECT_FUNCTION
{
OBJECT_COMMON_FIELDS
YR_OBJECT* return_obj;
struct
{
const char* arguments_fmt;
YR_MODULE_FUNC code;
} prototypes[MAX_OVERLOADED_FUNCTIONS];
} YR_OBJECT_FUNCTION;
#define object_as_structure(obj) ((YR_OBJECT_STRUCTURE*) (obj))
#define object_as_array(obj) ((YR_OBJECT_ARRAY*) (obj))
#define object_as_dictionary(obj) ((YR_OBJECT_DICTIONARY*) (obj))
#define object_as_function(obj) ((YR_OBJECT_FUNCTION*) (obj))
typedef struct _YR_STRUCTURE_MEMBER
{
YR_OBJECT* object;
struct _YR_STRUCTURE_MEMBER* next;
} YR_STRUCTURE_MEMBER;
typedef struct _YR_ARRAY_ITEMS
{
int count;
YR_OBJECT* objects[1];
} YR_ARRAY_ITEMS;
typedef struct _YR_DICTIONARY_ITEMS
{
int used;
int free;
struct
{
char* key;
YR_OBJECT* obj;
} objects[1];
} YR_DICTIONARY_ITEMS;
#endif


@ -1,109 +0,0 @@
/*
Copyright (c) 2014. The YARA Authors. All Rights Reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors
may be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef YR_UTILS_H
#define YR_UTILS_H
#include <limits.h>
#ifndef TRUE
#define TRUE 1
#endif
#ifndef FALSE
#define FALSE 0
#endif
#ifndef NULL
#define NULL 0
#endif
#ifdef __cplusplus
#define EXTERNC extern "C"
#else
#define EXTERNC
#endif
#if defined(__GNUC__)
#define YR_API EXTERNC __attribute__((visibility("default")))
#elif defined(_MSC_VER)
#define YR_API EXTERNC __declspec(dllexport)
#else
#define YR_API EXTERNC
#endif
#if defined(__GNUC__)
#define YR_ALIGN(n) __attribute__((aligned(n)))
#elif defined(_MSC_VER)
#define YR_ALIGN(n) __declspec(align(n))
#else
#define YR_ALIGN(n)
#endif
#define yr_min(x, y) ((x < y) ? (x) : (y))
#define yr_max(x, y) ((x > y) ? (x) : (y))
#define yr_swap(x, y, T) do { T temp = x; x = y; y = temp; } while (0)
#ifdef NDEBUG
#define assertf(expr, msg, ...) ((void)0)
#else
#include <stdlib.h>
#define assertf(expr, msg, ...) \
if(!(expr)) { \
fprintf(stderr, "%s:%d: " msg "\n", __FILE__, __LINE__, ##__VA_ARGS__); \
abort(); \
}
#endif
// Set, unset, and test bits in an array of unsigned characters by integer
// index. The underlying array must be of type char or unsigned char to
// ensure compatibility with the CHAR_BIT constant used in these definitions.
#define YR_BITARRAY_SET(uchar_array_base, bitnum) \
(((uchar_array_base)[(bitnum)/CHAR_BIT]) = \
((uchar_array_base)[(bitnum)/CHAR_BIT] | (1 << ((bitnum) % CHAR_BIT))))
#define YR_BITARRAY_UNSET(uchar_array_base, bitnum) \
(((uchar_array_base)[(bitnum)/CHAR_BIT]) = \
((uchar_array_base)[(bitnum)/CHAR_BIT] & (~(1 << ((bitnum) % CHAR_BIT)))))
#define YR_BITARRAY_TEST(uchar_array_base, bitnum) \
(((uchar_array_base)[(bitnum)/CHAR_BIT] & (1 << ((bitnum) % CHAR_BIT))) != 0)
#define YR_BITARRAY_NCHARS(bitnum) \
(((bitnum)+(CHAR_BIT-1))/CHAR_BIT)
#endif

Binary file not shown.

Binary file not shown.


@ -16,7 +16,6 @@
#include "WordEditDialog.h"
#include "GotoDialog.h"
#include "HexEditDialog.h"
#include "YaraRuleSelectionDialog.h"
#include "AssembleDialog.h"
#include "StringUtil.h"
#include "Breakpoints.h"
@ -512,7 +511,6 @@ void CPUDisassembly::setupRightClickContextMenu()
mMenuBuilder->addAction(makeShortcutAction(DIcon("compile.png"), tr("Assemble"), SLOT(assembleSlot()), "ActionAssemble"));
removeAction(mMenuBuilder->addAction(makeShortcutAction(DIcon("patch.png"), tr("Patches"), SLOT(showPatchesSlot()), "ViewPatches"))); //prevent conflicting shortcut with the MainWindow
mMenuBuilder->addAction(makeShortcutAction(DIcon("yara.png"), tr("&Yara..."), SLOT(yaraSlot()), "ActionYara"));
mMenuBuilder->addSeparator();
mMenuBuilder->addAction(makeShortcutAction(DIcon("neworigin.png"), tr("Set New Origin Here"), SLOT(setNewOriginHereActionSlot()), "ActionSetNewOriginHere"));
@ -1445,17 +1443,6 @@ void CPUDisassembly::showPatchesSlot()
emit showPatches();
}
void CPUDisassembly::yaraSlot()
{
YaraRuleSelectionDialog yaraDialog(this);
if(yaraDialog.exec() == QDialog::Accepted)
{
QString addrText = ToPtrString(rvaToVa(getInitialSelection()));
DbgCmdExec(QString("yara \"%0\",%1").arg(yaraDialog.getSelectedFile()).arg(addrText).toUtf8().constData());
emit displayReferencesWidget();
}
}
void CPUDisassembly::copySelectionSlot(bool copyBytes)
{
QString selectionString = "";


@ -78,7 +78,6 @@ public slots:
void binaryPasteIgnoreSizeSlot();
void undoSelectionSlot();
void showPatchesSlot();
void yaraSlot();
void copySelectionSlot();
void copySelectionToFileSlot();
void copySelectionNoBytesSlot();


@ -7,7 +7,6 @@
#include "Bridge.h"
#include "LineEditDialog.h"
#include "HexEditDialog.h"
#include "YaraRuleSelectionDialog.h"
#include "CPUMultiDump.h"
#include "GotoDialog.h"
#include "CPUDisassembly.h"
@ -186,7 +185,6 @@ void CPUDump::setupContextMenu()
mMenuBuilder->addAction(makeShortcutAction(DIcon("search-for.png"), tr("&Find Pattern..."), SLOT(findPattern()), "ActionFindPattern"));
mMenuBuilder->addAction(makeShortcutAction(DIcon("find.png"), tr("Find &References"), SLOT(findReferencesSlot()), "ActionFindReferences"));
mMenuBuilder->addAction(makeShortcutAction(DIcon("yara.png"), tr("&Yara..."), SLOT(yaraSlot()), "ActionYara"));
mMenuBuilder->addAction(makeShortcutAction(DIcon("sync.png"), tr("&Sync with expression"), SLOT(syncWithExpressionSlot()), "ActionSyncWithExpression"));
mMenuBuilder->addAction(makeShortcutAction(DIcon("animal-dog.png"), ArchValue(tr("Watch DWORD"), tr("Watch QWORD")), SLOT(watchSlot()), "ActionWatchDwordQword"));
@ -1683,17 +1681,6 @@ void CPUDump::selectionUpdatedSlot()
GuiAddStatusBarMessage(QString(info + ": " + selStart + " -> " + selEnd + QString().sprintf(" (0x%.8X bytes)\n", getSelectionEnd() - getSelectionStart() + 1)).toUtf8().constData());
}
void CPUDump::yaraSlot()
{
YaraRuleSelectionDialog yaraDialog(this);
if(yaraDialog.exec() == QDialog::Accepted)
{
QString addrText = ToPtrString(rvaToVa(getSelectionStart()));
DbgCmdExec(QString("yara \"%0\",%1").arg(yaraDialog.getSelectedFile()).arg(addrText).toUtf8().constData());
emit displayReferencesWidget();
}
}
void CPUDump::syncWithExpressionSlot()
{
if(!DbgIsDebugging())


@ -105,7 +105,6 @@ public slots:
void watchSlot();
void selectionUpdatedSlot();
void yaraSlot();
void syncWithExpressionSlot();
void followInDumpNSlot();
void allocMemorySlot();


@ -5,7 +5,6 @@
#include "Configuration.h"
#include "Bridge.h"
#include "PageMemoryRights.h"
#include "YaraRuleSelectionDialog.h"
#include "HexEditDialog.h"
#include "MiscUtil.h"
#include "GotoDialog.h"
@ -55,12 +54,6 @@ void MemoryMapView::setupContextMenu()
connect(this, SIGNAL(enterPressedSignal()), this, SLOT(doubleClickedSlot()));
connect(this, SIGNAL(doubleClickedSignal()), this, SLOT(doubleClickedSlot()));
//Yara
mYara = new QAction(DIcon("yara.png"), "&Yara...", this);
mYara->setShortcutContext(Qt::WidgetShortcut);
this->addAction(mYara);
connect(mYara, SIGNAL(triggered()), this, SLOT(yaraSlot()));
//Set PageMemory Rights
mPageMemoryRights = new QAction(DIcon("memmap_set_page_memory_rights.png"), tr("Set Page Memory Rights"), this);
connect(mPageMemoryRights, SIGNAL(triggered()), this, SLOT(pageMemoryRights()));
@ -193,7 +186,6 @@ void MemoryMapView::refreshShortcutsSlot()
mGotoExpression->setShortcut(ConfigShortcut("ActionGotoExpression"));
mMemoryFree->setShortcut(ConfigShortcut("ActionFreeMemory"));
mMemoryAllocate->setShortcut(ConfigShortcut("ActionAllocateMemory"));
mYara->setShortcut(ConfigShortcut("ActionYara"));
mComment->setShortcut(ConfigShortcut("ActionSetComment"));
}
@ -206,7 +198,6 @@ void MemoryMapView::contextMenuSlot(const QPoint & pos)
wMenu.addAction(mFollowDump);
wMenu.addAction(mDumpMemory);
wMenu.addAction(mComment);
wMenu.addAction(mYara);
wMenu.addAction(mFindPattern);
wMenu.addAction(mSwitchView);
wMenu.addSeparator();
@ -475,18 +466,6 @@ void MemoryMapView::doubleClickedSlot()
}
}
void MemoryMapView::yaraSlot()
{
YaraRuleSelectionDialog yaraDialog(this);
if(yaraDialog.exec() == QDialog::Accepted)
{
QString addr_text = getCellContent(getInitialSelection(), 0);
QString size_text = getCellContent(getInitialSelection(), 1);
DbgCmdExec(QString("yara \"%0\",%1,%2").arg(yaraDialog.getSelectedFile()).arg(addr_text).arg(size_text).toUtf8().constData());
emit showReferences();
}
}
void MemoryMapView::memoryExecuteSingleshootToggleSlot()
{
for(int i : getSelection())


@ -22,7 +22,6 @@ public slots:
void followDumpSlot();
void followDisassemblerSlot();
void doubleClickedSlot();
void yaraSlot();
void memoryExecuteSingleshootToggleSlot();
void memoryAllocateSlot();
void ExecCommand();
@ -48,7 +47,6 @@ private:
QAction* mFollowDump;
QAction* mFollowDisassembly;
QAction* mYara;
QAction* mSwitchView;
QAction* mPageMemoryRights;
QAction* mDumpMemory;


@ -3,7 +3,6 @@
#include <QMessageBox>
#include "Configuration.h"
#include "Bridge.h"
#include "YaraRuleSelectionDialog.h"
#include "BrowseDialog.h"
#include "StdSearchListView.h"
#include "ZehSymbolTable.h"
@ -286,12 +285,6 @@ void SymbolView::setupContextMenu()
mModuleList->addAction(mFreeLib);
connect(mFreeLib, SIGNAL(triggered()), this, SLOT(moduleFree()));
mYaraAction = new QAction(DIcon("yara.png"), tr("&Yara Memory..."), this);
connect(mYaraAction, SIGNAL(triggered()), this, SLOT(moduleYara()));
mYaraFileAction = new QAction(DIcon("yara.png"), tr("&Yara File..."), this);
connect(mYaraFileAction, SIGNAL(triggered()), this, SLOT(moduleYaraFile()));
mModSetUserAction = new QAction(DIcon("markasuser.png"), tr("Mark as &user module"), this);
mModSetUserAction->setShortcutContext(Qt::WidgetWithChildrenShortcut);
this->addAction(mModSetUserAction);
@ -523,8 +516,6 @@ void SymbolView::moduleContextMenu(QMenu* wMenu)
}
wMenu->addAction(mLoadLib);
wMenu->addAction(mFreeLib);
wMenu->addAction(mYaraAction);
wMenu->addAction(mYaraFileAction);
wMenu->addSeparator();
int party = DbgFunctions()->ModGetParty(modbase);
if(party != 0)
@ -571,28 +562,6 @@ void SymbolView::moduleBrowse()
}
}
void SymbolView::moduleYara()
{
QString modname = mModuleList->mCurList->getCellContent(mModuleList->mCurList->getInitialSelection(), 1);
YaraRuleSelectionDialog yaraDialog(this, QString("Yara (%1)").arg(modname));
if(yaraDialog.exec() == QDialog::Accepted)
{
DbgCmdExec(QString("yaramod \"%0\",\"%1\"").arg(yaraDialog.getSelectedFile()).arg(modname).toUtf8().constData());
emit showReferences();
}
}
void SymbolView::moduleYaraFile()
{
QString modname = mModuleList->mCurList->getCellContent(mModuleList->mCurList->getInitialSelection(), 1);
YaraRuleSelectionDialog yaraDialog(this, QString("Yara (%1)").arg(modname));
if(yaraDialog.exec() == QDialog::Accepted)
{
DbgCmdExec(QString("yaramod \"%0\",\"%1\",1").arg(yaraDialog.getSelectedFile()).arg(modname).toUtf8().constData());
emit showReferences();
}
}
void SymbolView::moduleDownloadSymbols()
{
DbgCmdExec(QString("symdownload \"%0\"").arg(mModuleList->mCurList->getCellContent(mModuleList->mCurList->getInitialSelection(), 1)).toUtf8().constData());


@ -48,8 +48,6 @@ private slots:
void moduleDownloadAllSymbols();
void moduleCopyPath();
void moduleBrowse();
void moduleYara();
void moduleYaraFile();
void moduleSetUser();
void moduleSetSystem();
void moduleSetParty();
@ -84,8 +82,6 @@ private:
QAction* mDownloadSymbolsAction;
QAction* mDownloadAllSymbolsAction;
QAction* mCopyPathAction;
QAction* mYaraAction;
QAction* mYaraFileAction;
QAction* mModSetUserAction;
QAction* mModSetSystemAction;
QAction* mModSetPartyAction;


@ -1,75 +0,0 @@
#include "YaraRuleSelectionDialog.h"
#include "ui_YaraRuleSelectionDialog.h"
#include <QMessageBox>
#include <QDir>
#include <QFileDialog>
#include <QDirIterator>
#include "Imports.h"
YaraRuleSelectionDialog::YaraRuleSelectionDialog(QWidget* parent, const QString & title) :
QDialog(parent),
ui(new Ui::YaraRuleSelectionDialog)
{
ui->setupUi(this);
setWindowFlags(windowFlags() & ~Qt::WindowContextHelpButtonHint | Qt::MSWindowsFixedSizeDialogHint);
setWindowTitle(title);
char setting[MAX_SETTING_SIZE] = "";
if(BridgeSettingGet("Misc", "YaraRulesDirectory", setting))
{
rulesDirectory = QString(setting);
enumRulesDirectory();
}
}
YaraRuleSelectionDialog::~YaraRuleSelectionDialog()
{
delete ui;
}
QString YaraRuleSelectionDialog::getSelectedFile()
{
return selectedFile;
}
void YaraRuleSelectionDialog::on_buttonDirectory_clicked()
{
QString dir = QFileDialog::getExistingDirectory(this, tr("Select Yara Rules Directory..."));
if(!dir.length())
return;
rulesDirectory = QDir::toNativeSeparators(dir);
BridgeSettingSet("Misc", "YaraRulesDirectory", dir.toUtf8().constData());
enumRulesDirectory();
}
void YaraRuleSelectionDialog::on_buttonFile_clicked()
{
QString file = QFileDialog::getOpenFileName(this, tr("Select Yara Rule..."), rulesDirectory);
if(!file.length())
return;
selectedFile = QDir::toNativeSeparators(file);
this->accept();
}
void YaraRuleSelectionDialog::on_buttonSelect_clicked()
{
if(!ui->listRules->selectedItems().size()) //no selection
return;
int selectedIndex = ui->listRules->row(ui->listRules->selectedItems().at(0));
selectedFile = ruleFiles.at(selectedIndex).first;
this->accept();
}
void YaraRuleSelectionDialog::enumRulesDirectory()
{
ruleFiles.clear();
ui->listRules->clear();
QDirIterator it(rulesDirectory, QDir::Files, QDirIterator::Subdirectories);
while(it.hasNext())
{
it.next();
ruleFiles.append(QPair<QString, QString>(QDir::toNativeSeparators(it.filePath()), it.fileName()));
ui->listRules->addItem(it.fileName());
}
ui->listRules->setCurrentRow(0);
}


@ -1,34 +0,0 @@
#ifndef YARARULESELECTIONDIALOG_H
#define YARARULESELECTIONDIALOG_H
#include <QDialog>
namespace Ui
{
class YaraRuleSelectionDialog;
}
class YaraRuleSelectionDialog : public QDialog
{
Q_OBJECT
public:
explicit YaraRuleSelectionDialog(QWidget* parent = 0, const QString & title = "Yara");
~YaraRuleSelectionDialog();
QString getSelectedFile();
private slots:
void on_buttonDirectory_clicked();
void on_buttonFile_clicked();
void on_buttonSelect_clicked();
private:
Ui::YaraRuleSelectionDialog* ui;
QList<QPair<QString, QString>> ruleFiles;
QString rulesDirectory;
QString selectedFile;
void enumRulesDirectory();
};
#endif // YARARULESELECTIONDIALOG_H


@ -1,95 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<ui version="4.0">
<class>YaraRuleSelectionDialog</class>
<widget class="QDialog" name="YaraRuleSelectionDialog">
<property name="geometry">
<rect>
<x>0</x>
<y>0</y>
<width>341</width>
<height>361</height>
</rect>
</property>
<property name="windowTitle">
<string>Yara</string>
</property>
<property name="windowIcon">
<iconset resource="../../resource.qrc">
<normaloff>:/icons/images/yara.png</normaloff>:/icons/images/Yara.png</iconset>
</property>
<widget class="QWidget" name="layoutWidget">
<property name="geometry">
<rect>
<x>10</x>
<y>10</y>
<width>322</width>
<height>341</height>
</rect>
</property>
<layout class="QVBoxLayout" name="verticalLayout">
<item>
<widget class="QListWidget" name="listRules"/>
</item>
<item>
<layout class="QHBoxLayout" name="horizontalLayout">
<item>
<widget class="QPushButton" name="buttonDirectory">
<property name="sizePolicy">
<sizepolicy hsizetype="Minimum" vsizetype="Fixed">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="text">
<string>Directory...</string>
</property>
</widget>
</item>
<item>
<widget class="QPushButton" name="buttonFile">
<property name="text">
<string>&amp;File...</string>
</property>
</widget>
</item>
<item>
<widget class="QPushButton" name="buttonSelect">
<property name="text">
<string>&amp;Select</string>
</property>
</widget>
</item>
<item>
<widget class="QPushButton" name="buttonCancel">
<property name="text">
<string>&amp;Cancel</string>
</property>
</widget>
</item>
</layout>
</item>
</layout>
</widget>
</widget>
<resources>
<include location="../../resource.qrc"/>
</resources>
<connections>
<connection>
<sender>buttonCancel</sender>
<signal>clicked()</signal>
<receiver>YaraRuleSelectionDialog</receiver>
<slot>reject()</slot>
<hints>
<hint type="sourcelabel">
<x>341</x>
<y>280</y>
</hint>
<hint type="destinationlabel">
<x>361</x>
<y>246</y>
</hint>
</hints>
</connection>
</connections>
</ui>


@ -481,7 +481,6 @@ Configuration::Configuration() : QObject(), noMoreMsgbox(false)
defaultShortcuts.insert("ActionToggleFunction", Shortcut({tr("Actions"), tr("Toggle Function")}, "Shift+F"));
defaultShortcuts.insert("ActionToggleArgument", Shortcut({tr("Actions"), tr("Toggle Argument")}, "Shift+A"));
defaultShortcuts.insert("ActionAssemble", Shortcut({tr("Actions"), tr("Assemble")}, "Space"));
defaultShortcuts.insert("ActionYara", Shortcut({tr("Actions"), tr("Yara")}, "Ctrl+Y"));
defaultShortcuts.insert("ActionSetNewOriginHere", Shortcut({tr("Actions"), tr("Set New Origin Here")}, "Ctrl+*"));
defaultShortcuts.insert("ActionGotoOrigin", Shortcut({tr("Actions"), tr("Goto Origin")}, "*"));
defaultShortcuts.insert("ActionGotoPrevious", Shortcut({tr("Actions"), tr("Goto Previous")}, "-"));


@ -132,7 +132,6 @@ SOURCES += \
Src/Gui/SelectFields.cpp \
Src/Gui/ReferenceManager.cpp \
Src/Bridge/BridgeResult.cpp \
Src/Gui/YaraRuleSelectionDialog.cpp \
Src/Gui/SourceViewerManager.cpp \
Src/Gui/SourceView.cpp \
Src/Utils/ValidateExpressionThread.cpp \
@ -247,7 +246,6 @@ HEADERS += \
Src/Gui/SelectFields.h \
Src/Gui/ReferenceManager.h \
Src/Bridge/BridgeResult.h \
Src/Gui/YaraRuleSelectionDialog.h \
Src/Gui/SourceViewerManager.h \
Src/Gui/SourceView.h \
Src/Utils/StringUtil.h \
@ -327,7 +325,6 @@ FORMS += \
Src/Gui/AttachDialog.ui \
Src/Gui/PageMemoryRights.ui \
Src/Gui/SelectFields.ui \
Src/Gui/YaraRuleSelectionDialog.ui \
Src/Gui/AssembleDialog.ui \
Src/Gui/EditBreakpointDialog.ui \
Src/Gui/CPUArgumentWidget.ui \