YR_EXTERNAL_VARIABLE* yr_parser_lookup_external_variable(
yyscan_t yyscanner,
const char* identifier)
{
YR_EXTERNAL_VARIABLE* external;
YR_COMPILER* compiler = yyget_extra(yyscanner);
int i;
external = (YR_EXTERNAL_VARIABLE*) yr_arena_base_address(
compiler->externals_arena);
for (i = 0; i < compiler->externals_count; i++)
{
if (strcmp(external->identifier, identifier) == 0)
return external;
external = yr_arena_next_address(
compiler->externals_arena,
external,
sizeof(YR_EXTERNAL_VARIABLE));
}
yr_compiler_set_error_extra_info(compiler, identifier);
compiler->last_result = ERROR_UNDEFINED_IDENTIFIER;
return NULL;
}
int _yr_compiler_set_namespace(
YR_COMPILER* compiler,
const char* namespace_)
{
YR_NAMESPACE* ns;
char* ns_name;
int result;
int i;
int found;
ns = (YR_NAMESPACE*) yr_arena_base_address(compiler->namespaces_arena);
found = FALSE;
for (i = 0; i < compiler->namespaces_count; i++)
{
if (strcmp(ns->name, namespace_) == 0)
{
found = TRUE;
break;
}
ns = (YR_NAMESPACE*) yr_arena_next_address(
compiler->namespaces_arena,
ns,
sizeof(YR_NAMESPACE));
}
if (!found)
{
result = yr_arena_write_string(
compiler->sz_arena,
namespace_,
&ns_name);
if (result == ERROR_SUCCESS)
result = yr_arena_allocate_struct(
compiler->namespaces_arena,
sizeof(YR_NAMESPACE),
(void**) &ns,
offsetof(YR_NAMESPACE, name),
EOL);
if (result != ERROR_SUCCESS)
return result;
ns->name = ns_name;
for (i = 0; i < MAX_THREADS; i++)
ns->t_flags[i] = 0;
compiler->namespaces_count++;
}
compiler->current_namespace = ns;
return ERROR_SUCCESS;
}
int yr_rules_load(
const char* filename,
YR_RULES** rules)
{
YR_RULES* new_rules;
YARA_RULES_FILE_HEADER* header;
YR_RULE* rule;
int result;
new_rules = yr_malloc(sizeof(YR_RULES));
if (new_rules == NULL)
return ERROR_INSUFICIENT_MEMORY;
result = yr_arena_load(filename, &new_rules->arena);
if (result != ERROR_SUCCESS)
{
yr_free(new_rules);
return result;
}
header = (YARA_RULES_FILE_HEADER*) yr_arena_base_address(new_rules->arena);
new_rules->automaton = header->automaton;
new_rules->code_start = header->code_start;
new_rules->externals_list_head = header->externals_list_head;
new_rules->rules_list_head = header->rules_list_head;
new_rules->tidx_mask = 0;
#if WIN32
new_rules->mutex = CreateMutex(NULL, FALSE, NULL);
if (new_rules->mutex == NULL)
return ERROR_INTERNAL_FATAL_ERROR;
#else
result = pthread_mutex_init(&new_rules->mutex, NULL);
if (result != 0)
return ERROR_INTERNAL_FATAL_ERROR;
#endif
rule = new_rules->rules_list_head;
*rules = new_rules;
return ERROR_SUCCESS;
}
YR_API int yr_compiler_get_rules(
YR_COMPILER* compiler,
YR_RULES** rules)
{
YR_RULES* yara_rules;
YARA_RULES_FILE_HEADER* rules_file_header;
*rules = NULL;
if (compiler->compiled_rules_arena == NULL)
FAIL_ON_ERROR(_yr_compiler_compile_rules(compiler));
yara_rules = (YR_RULES*) yr_malloc(sizeof(YR_RULES));
if (yara_rules == NULL)
return ERROR_INSUFICIENT_MEMORY;
FAIL_ON_ERROR_WITH_CLEANUP(
yr_arena_duplicate(compiler->compiled_rules_arena, &yara_rules->arena),
yr_free(yara_rules));
rules_file_header = (YARA_RULES_FILE_HEADER*) yr_arena_base_address(
yara_rules->arena);
yara_rules->externals_list_head = rules_file_header->externals_list_head;
yara_rules->rules_list_head = rules_file_header->rules_list_head;
yara_rules->match_table = rules_file_header->match_table;
yara_rules->transition_table = rules_file_header->transition_table;
yara_rules->code_start = rules_file_header->code_start;
yara_rules->tidx_mask = 0;
FAIL_ON_ERROR_WITH_CLEANUP(
yr_mutex_create(&yara_rules->mutex),
// cleanup
yr_arena_destroy(yara_rules->arena);
yr_free(yara_rules));
*rules = yara_rules;
return ERROR_SUCCESS;
}
int yr_compiler_get_rules(
YR_COMPILER* compiler,
YR_RULES** rules)
{
YR_RULES* yara_rules;
YARA_RULES_FILE_HEADER* rules_file_header;
*rules = NULL;
if (compiler->compiled_rules_arena == NULL)
FAIL_ON_ERROR(_yr_compiler_compile_rules(compiler));
yara_rules = yr_malloc(sizeof(YR_RULES));
if (yara_rules == NULL)
return ERROR_INSUFICIENT_MEMORY;
FAIL_ON_ERROR_WITH_CLEANUP(
yr_arena_duplicate(compiler->compiled_rules_arena, &yara_rules->arena),
yr_free(yara_rules));
rules_file_header = (YARA_RULES_FILE_HEADER*) yr_arena_base_address(
yara_rules->arena);
yara_rules->externals_list_head = rules_file_header->externals_list_head;
yara_rules->rules_list_head = rules_file_header->rules_list_head;
yara_rules->automaton = rules_file_header->automaton;
yara_rules->code_start = rules_file_header->code_start;
yara_rules->tidx_mask = 0;
#if _WIN32
yara_rules->mutex = CreateMutex(NULL, FALSE, NULL);
#else
pthread_mutex_init(&yara_rules->mutex, NULL);
#endif
*rules = yara_rules;
return ERROR_SUCCESS;
}
int _yr_compiler_compile_rules(
YR_COMPILER* compiler)
{
YARA_RULES_FILE_HEADER* rules_file_header = NULL;
YR_ARENA* arena = NULL;
YR_RULE null_rule;
YR_EXTERNAL_VARIABLE null_external;
YR_AC_TABLES tables;
int8_t halt = OP_HALT;
int result;
// Write halt instruction at the end of code.
yr_arena_write_data(
compiler->code_arena,
&halt,
sizeof(int8_t),
NULL);
// Write a null rule indicating the end.
memset(&null_rule, 0xFA, sizeof(YR_RULE));
null_rule.g_flags = RULE_GFLAGS_NULL;
yr_arena_write_data(
compiler->rules_arena,
&null_rule,
sizeof(YR_RULE),
NULL);
// Write a null external the end.
memset(&null_external, 0xFA, sizeof(YR_EXTERNAL_VARIABLE));
null_external.type = EXTERNAL_VARIABLE_TYPE_NULL;
yr_arena_write_data(
compiler->externals_arena,
&null_external,
sizeof(YR_EXTERNAL_VARIABLE),
NULL);
// Write Aho-Corasick automaton to arena.
result = yr_ac_compile(
compiler->automaton,
compiler->automaton_arena,
&tables);
if (result == ERROR_SUCCESS)
result = yr_arena_create(1024, 0, &arena);
if (result == ERROR_SUCCESS)
result = yr_arena_allocate_struct(
arena,
sizeof(YARA_RULES_FILE_HEADER),
(void**) &rules_file_header,
offsetof(YARA_RULES_FILE_HEADER, rules_list_head),
offsetof(YARA_RULES_FILE_HEADER, externals_list_head),
offsetof(YARA_RULES_FILE_HEADER, code_start),
offsetof(YARA_RULES_FILE_HEADER, match_table),
offsetof(YARA_RULES_FILE_HEADER, transition_table),
EOL);
if (result == ERROR_SUCCESS)
{
rules_file_header->rules_list_head = (YR_RULE*) yr_arena_base_address(
compiler->rules_arena);
rules_file_header->externals_list_head = (YR_EXTERNAL_VARIABLE*)
yr_arena_base_address(compiler->externals_arena);
rules_file_header->code_start = (uint8_t*) yr_arena_base_address(
compiler->code_arena);
rules_file_header->match_table = tables.matches;
rules_file_header->transition_table = tables.transitions;
}
if (result == ERROR_SUCCESS)
{
result = yr_arena_append(
arena,
compiler->code_arena);
}
if (result == ERROR_SUCCESS)
{
compiler->code_arena = NULL;
result = yr_arena_append(
arena,
compiler->re_code_arena);
}
if (result == ERROR_SUCCESS)
{
compiler->re_code_arena = NULL;
result = yr_arena_append(
arena,
compiler->rules_arena);
}
if (result == ERROR_SUCCESS)
{
compiler->rules_arena = NULL;
result = yr_arena_append(
arena,
compiler->strings_arena);
}
if (result == ERROR_SUCCESS)
{
compiler->strings_arena = NULL;
result = yr_arena_append(
arena,
compiler->externals_arena);
}
if (result == ERROR_SUCCESS)
{
compiler->externals_arena = NULL;
result = yr_arena_append(
arena,
compiler->namespaces_arena);
}
if (result == ERROR_SUCCESS)
{
compiler->namespaces_arena = NULL;
result = yr_arena_append(
arena,
compiler->metas_arena);
}
if (result == ERROR_SUCCESS)
{
compiler->metas_arena = NULL;
result = yr_arena_append(
arena,
compiler->sz_arena);
}
if (result == ERROR_SUCCESS)
{
compiler->sz_arena = NULL;
result = yr_arena_append(
arena,
compiler->automaton_arena);
}
if (result == ERROR_SUCCESS)
{
compiler->automaton_arena = NULL;
result = yr_arena_append(
arena,
compiler->matches_arena);
}
if (result == ERROR_SUCCESS)
{
compiler->matches_arena = NULL;
compiler->compiled_rules_arena = arena;
result = yr_arena_coalesce(arena);
}
else
{
yr_arena_destroy(arena);
}
return result;
}
if (elapsed_time > context->timeout)
{
#ifdef PROFILING_ENABLED
assert(current_rule != NULL);
current_rule->time_cost_per_thread[tidx] += elapsed_time - start_time;
#endif
result = ERROR_SCAN_TIMEOUT;
stop = true;
}
cycle = 0;
}
}
obj_ptr = (YR_OBJECT**) yr_arena_base_address(obj_arena);
while (obj_ptr != NULL)
{
yr_object_destroy(*obj_ptr);
obj_ptr = (YR_OBJECT**) yr_arena_next_address(
obj_arena, obj_ptr, sizeof(YR_OBJECT*));
}
yr_arena_destroy(obj_arena);
yr_modules_unload_all(context);
yr_free(stack);
return result;
}
