void moloch_yara_exit()
{
if (yRules)
yr_rules_destroy(yRules);
if (yEmailRules)
yr_rules_destroy(yEmailRules);
if (yCompiler)
yr_compiler_destroy(yCompiler);
if (yEmailCompiler)
yr_compiler_destroy(yEmailCompiler);
yr_finalize();
}
YR_RULES* compile_rule(
char* string)
{
YR_COMPILER* compiler = NULL;
YR_RULES* rules = NULL;
compile_error[0] = '\0';
if (yr_compiler_create(&compiler) != ERROR_SUCCESS)
{
perror("yr_compiler_create");
goto _exit;
}
yr_compiler_set_callback(compiler, callback_function, NULL);
if (yr_compiler_add_string(compiler, string, NULL) != 0)
{
goto _exit;
}
if (yr_compiler_get_rules(compiler, &rules) != ERROR_SUCCESS)
{
goto _exit;
}
_exit:
yr_compiler_destroy(compiler);
return rules;
}
int compile_rule(
char* string,
YR_RULES** rules)
{
YR_COMPILER* compiler = NULL;
int result = ERROR_SUCCESS;
compile_error[0] = '\0';
if (yr_compiler_create(&compiler) != ERROR_SUCCESS)
{
perror("yr_compiler_create");
goto _exit;
}
yr_compiler_set_callback(compiler, callback_function, NULL);
if (yr_compiler_add_string(compiler, string, NULL) != 0)
{
result = compiler->last_error;
goto _exit;
}
result = yr_compiler_get_rules(compiler, rules);
_exit:
yr_compiler_destroy(compiler);
return result;
}
void Yara::_clean_compiler_and_rules() const
{
if (_compiler != nullptr) {
yr_compiler_destroy(_compiler);
}
if (_rules != nullptr) {
yr_rules_destroy(_rules);
}
}
YR_API int yr_compiler_create(
YR_COMPILER** compiler)
{
int result;
YR_COMPILER* new_compiler;
new_compiler = (YR_COMPILER*) yr_calloc(1, sizeof(YR_COMPILER));
if (new_compiler == NULL)
return ERROR_INSUFICIENT_MEMORY;
new_compiler->errors = 0;
new_compiler->callback = NULL;
new_compiler->last_error = ERROR_SUCCESS;
new_compiler->last_error_line = 0;
new_compiler->error_line = 0;
new_compiler->last_result = ERROR_SUCCESS;
new_compiler->file_stack_ptr = 0;
new_compiler->file_name_stack_ptr = 0;
new_compiler->fixup_stack_head = NULL;
new_compiler->allow_includes = 1;
new_compiler->loop_depth = 0;
new_compiler->loop_for_of_mem_offset = -1;
new_compiler->compiled_rules_arena = NULL;
new_compiler->namespaces_count = 0;
new_compiler->current_rule = NULL;
result = yr_hash_table_create(10007, &new_compiler->rules_table);
if (result == ERROR_SUCCESS)
result = yr_hash_table_create(10007, &new_compiler->objects_table);
if (result == ERROR_SUCCESS)
result = yr_hash_table_create(101, &new_compiler->strings_table);
if (result == ERROR_SUCCESS)
result = yr_arena_create(65536, 0, &new_compiler->sz_arena);
if (result == ERROR_SUCCESS)
result = yr_arena_create(65536, 0, &new_compiler->rules_arena);
if (result == ERROR_SUCCESS)
result = yr_arena_create(65536, 0, &new_compiler->strings_arena);
if (result == ERROR_SUCCESS)
result = yr_arena_create(65536, 0, &new_compiler->code_arena);
if (result == ERROR_SUCCESS)
result = yr_arena_create(65536, 0, &new_compiler->re_code_arena);
if (result == ERROR_SUCCESS)
result = yr_arena_create(65536, 0, &new_compiler->externals_arena);
if (result == ERROR_SUCCESS)
result = yr_arena_create(65536, 0, &new_compiler->namespaces_arena);
if (result == ERROR_SUCCESS)
result = yr_arena_create(65536, 0, &new_compiler->metas_arena);
if (result == ERROR_SUCCESS)
result = yr_arena_create(65536, 0, &new_compiler->automaton_arena);
if (result == ERROR_SUCCESS)
result = yr_arena_create(65536, 0, &new_compiler->matches_arena);
if (result == ERROR_SUCCESS)
result = yr_ac_automaton_create(&new_compiler->automaton);
if (result == ERROR_SUCCESS)
{
*compiler = new_compiler;
}
else // if error, do cleanup
{
yr_compiler_destroy(new_compiler);
}
return result;
}
/**
* Compile a single rule file and load it into rule pointer.
*/
Status compileSingleFile(const std::string& file, YR_RULES** rules) {
YR_COMPILER *compiler = nullptr;
int result = yr_compiler_create(&compiler);
if (result != ERROR_SUCCESS) {
VLOG(1) << "Could not create compiler: " + std::to_string(result);
return Status(1, "Could not create compiler: " + std::to_string(result));
}
yr_compiler_set_callback(compiler, YARACompilerCallback, nullptr);
bool compiled = false;
YR_RULES *tmp_rules;
VLOG(1) << "Loading " << file;
// First attempt to load the file, in case it is saved (pre-compiled)
// rules.
//
// If you want to use saved rule files you must have them all in a single
// file. This is easy to accomplish with yarac(1).
result = yr_rules_load(file.c_str(), &tmp_rules);
if (result != ERROR_SUCCESS && result != ERROR_INVALID_FILE) {
yr_compiler_destroy(compiler);
return Status(1, "Error loading YARA rules: " + std::to_string(result));
} else if (result == ERROR_SUCCESS) {
*rules = tmp_rules;
} else {
compiled = true;
// Try to compile the rules.
FILE *rule_file = fopen(file.c_str(), "r");
if (rule_file == nullptr) {
yr_compiler_destroy(compiler);
return Status(1, "Could not open file: " + file);
}
int errors =
yr_compiler_add_file(compiler, rule_file, nullptr, file.c_str());
fclose(rule_file);
rule_file = nullptr;
if (errors > 0) {
yr_compiler_destroy(compiler);
// Errors printed via callback.
return Status(1, "Compilation errors");
}
}
if (compiled) {
// All the rules for this category have been compiled, save them in the map.
result = yr_compiler_get_rules(compiler, *(&rules));
if (result != ERROR_SUCCESS) {
yr_compiler_destroy(compiler);
return Status(1, "Insufficient memory to get YARA rules");
}
}
if (compiler != nullptr) {
yr_compiler_destroy(compiler);
compiler = nullptr;
}
return Status(0, "OK");
}
/**
* Given a vector of strings, attempt to compile them and store the result
* in the map under the given category.
*/
Status handleRuleFiles(const std::string& category,
const pt::ptree& rule_files,
std::map<std::string, YR_RULES*>* rules) {
YR_COMPILER *compiler = nullptr;
int result = yr_compiler_create(&compiler);
if (result != ERROR_SUCCESS) {
VLOG(1) << "Could not create compiler: " + std::to_string(result);
return Status(1, "Could not create compiler: " + std::to_string(result));
}
yr_compiler_set_callback(compiler, YARACompilerCallback, nullptr);
bool compiled = false;
for (const auto& item : rule_files) {
YR_RULES *tmp_rules;
const auto rule = item.second.get("", "");
VLOG(1) << "Loading " << rule;
std::string full_path;
if (rule[0] != '/') {
full_path = std::string("/etc/osquery/yara/") + rule;
} else {
full_path = rule;
}
// First attempt to load the file, in case it is saved (pre-compiled)
// rules. Sadly there is no way to load multiple compiled rules in
// succession. This means that:
//
// saved1, saved2
// results in saved2 being the only file used.
//
// Also, mixing source and saved rules results in the saved rules being
// overridden by the combination of the source rules once compiled, e.g.:
//
// file1, saved1
// result in file1 being the only file used.
//
// If you want to use saved rule files you must have them all in a single
// file. This is easy to accomplish with yarac(1).
result = yr_rules_load(full_path.c_str(), &tmp_rules);
if (result != ERROR_SUCCESS && result != ERROR_INVALID_FILE) {
yr_compiler_destroy(compiler);
return Status(1, "Error loading YARA rules: " + std::to_string(result));
} else if (result == ERROR_SUCCESS) {
// If there are already rules there, destroy them and put new ones in.
if (rules->count(category) > 0) {
yr_rules_destroy((*rules)[category]);
}
(*rules)[category] = tmp_rules;
} else {
compiled = true;
// Try to compile the rules.
FILE *rule_file = fopen(full_path.c_str(), "r");
if (rule_file == nullptr) {
yr_compiler_destroy(compiler);
return Status(1, "Could not open file: " + full_path);
}
int errors =
yr_compiler_add_file(compiler, rule_file, nullptr, full_path.c_str());
fclose(rule_file);
rule_file = nullptr;
if (errors > 0) {
yr_compiler_destroy(compiler);
// Errors printed via callback.
return Status(1, "Compilation errors");
}
}
}
if (compiled) {
// All the rules for this category have been compiled, save them in the map.
result = yr_compiler_get_rules(compiler, &((*rules)[category]));
if (result != ERROR_SUCCESS) {
yr_compiler_destroy(compiler);
return Status(1, "Insufficient memory to get YARA rules");
}
}
if (compiler != nullptr) {
yr_compiler_destroy(compiler);
compiler = nullptr;
}
return Status(0, "OK");
}
int main(
int argc,
const char** argv)
{
COMPILER_RESULTS cr;
YR_COMPILER* compiler = NULL;
YR_RULES* rules = NULL;
int result;
argc = args_parse(options, argc, argv);
if (show_version)
{
printf("%s\n", YR_VERSION);
return EXIT_SUCCESS;
}
if (show_help)
{
printf("%s\n\n", USAGE_STRING);
args_print_usage(options, 35);
printf("\nSend bug reports and suggestions to: [email protected]\n");
return EXIT_SUCCESS;
}
if (argc < 2)
{
fprintf(stderr, "yarac: wrong number of arguments\n");
fprintf(stderr, "%s\n\n", USAGE_STRING);
fprintf(stderr, "Try `--help` for more options\n");
exit_with_code(EXIT_FAILURE);
}
result = yr_initialize();
if (result != ERROR_SUCCESS)
exit_with_code(EXIT_FAILURE);
if (yr_compiler_create(&compiler) != ERROR_SUCCESS)
exit_with_code(EXIT_FAILURE);
if (!define_external_variables(compiler))
exit_with_code(EXIT_FAILURE);
cr.errors = 0;
cr.warnings = 0;
yr_set_configuration(YR_CONFIG_MAX_STRINGS_PER_RULE, &max_strings_per_rule);
yr_compiler_set_callback(compiler, report_error, &cr);
if (!compile_files(compiler, argc, argv))
exit_with_code(EXIT_FAILURE);
if (cr.errors > 0)
exit_with_code(EXIT_FAILURE);
if (fail_on_warnings && cr.warnings > 0)
exit_with_code(EXIT_FAILURE);
result = yr_compiler_get_rules(compiler, &rules);
if (result != ERROR_SUCCESS)
{
fprintf(stderr, "error: %d\n", result);
exit_with_code(EXIT_FAILURE);
}
result = yr_rules_save(rules, argv[argc - 1]);
if (result != ERROR_SUCCESS)
{
fprintf(stderr, "error: %d\n", result);
exit_with_code(EXIT_FAILURE);
}
result = EXIT_SUCCESS;
_exit:
if (compiler != NULL)
yr_compiler_destroy(compiler);
if (rules != NULL)
yr_rules_destroy(rules);
yr_finalize();
return result;
}
int main(
int argc,
char const* argv[])
{
YR_COMPILER* compiler;
YR_RULES* rules;
FILE* rule_file;
EXTERNAL* external;
int pid;
int i;
int errors;
int result;
THREAD thread[MAX_THREADS];
if (!process_cmd_line(argc, argv))
return 0;
if (argc == 1 || optind == argc)
{
show_help();
return 0;
}
yr_initialize();
result = yr_rules_load(argv[optind], &rules);
if (result == ERROR_UNSUPPORTED_FILE_VERSION ||
result == ERROR_CORRUPT_FILE)
{
print_scanning_error(result);
return;
}
if (result == ERROR_SUCCESS)
{
external = externals_list;
while (external != NULL)
{
switch (external->type)
{
case EXTERNAL_TYPE_INTEGER:
yr_rules_define_integer_variable(
rules,
external->name,
external->integer);
break;
case EXTERNAL_TYPE_BOOLEAN:
yr_rules_define_boolean_variable(
rules,
external->name,
external->boolean);
break;
case EXTERNAL_TYPE_STRING:
yr_rules_define_string_variable(
rules,
external->name,
external->string);
break;
}
external = external->next;
}
}
else
{
if (yr_compiler_create(&compiler) != ERROR_SUCCESS)
return 0;
external = externals_list;
while (external != NULL)
{
switch (external->type)
{
case EXTERNAL_TYPE_INTEGER:
yr_compiler_define_integer_variable(
compiler,
external->name,
external->integer);
break;
case EXTERNAL_TYPE_BOOLEAN:
yr_compiler_define_boolean_variable(
compiler,
external->name,
external->boolean);
break;
case EXTERNAL_TYPE_STRING:
yr_compiler_define_string_variable(
compiler,
external->name,
external->string);
break;
}
external = external->next;
}
compiler->error_report_function = print_compiler_error;
rule_file = fopen(argv[optind], "r");
if (rule_file != NULL)
{
yr_compiler_push_file_name(compiler, argv[optind]);
errors = yr_compiler_add_file(compiler, rule_file, NULL);
fclose(rule_file);
if (errors == 0)
yr_compiler_get_rules(compiler, &rules);
yr_compiler_destroy(compiler);
if (errors > 0)
{
yr_finalize();
return 0;
}
}
else
{
fprintf(stderr, "could not open file: %s\n", argv[optind]);
return 0;
}
}
mutex_init(&output_mutex);
if (is_numeric(argv[argc - 1]))
{
pid = atoi(argv[argc - 1]);
result = yr_rules_scan_proc(
rules,
pid,
callback,
(void*) argv[argc - 1],
fast_scan,
timeout);
if (result != ERROR_SUCCESS)
print_scanning_error(result);
}
else if (is_directory(argv[argc - 1]))
{
file_queue_init();
for (i = 0; i < threads; i++)
{
if (create_thread(&thread[i], scanning_thread, (void*) rules) != 0)
return ERROR_COULD_NOT_CREATE_THREAD;
}
scan_dir(
argv[argc - 1],
recursive_search,
rules,
callback);
file_queue_finish();
// Wait for scan threads to finish
for (i = 0; i < threads; i++)
thread_join(&thread[i]);
file_queue_destroy();
}
else
{
result = yr_rules_scan_file(
rules,
argv[argc - 1],
callback,
(void*) argv[argc - 1],
fast_scan,
timeout);
if (result != ERROR_SUCCESS)
{
fprintf(stderr, "Error scanning %s: ", argv[argc - 1]);
print_scanning_error(result);
}
}
yr_rules_destroy(rules);
yr_finalize();
mutex_destroy(&output_mutex);
cleanup();
return 1;
}
int main(
int argc,
const char** argv)
{
YR_COMPILER* compiler = NULL;
YR_RULES* rules = NULL;
int result;
argc = args_parse(options, argc, argv);
if (show_version)
{
printf("%s\n", PACKAGE_STRING);
printf("\nSend bug reports and suggestions to: %s.\n", PACKAGE_BUGREPORT);
return EXIT_FAILURE;
}
if (show_help)
{
printf("%s\n\n", USAGE_STRING);
args_print_usage(options, 25);
printf("\nSend bug reports and suggestions to: %s.\n", PACKAGE_BUGREPORT);
return EXIT_FAILURE;
}
if (argc < 2)
{
fprintf(stderr, "yarac: wrong number of arguments\n");
fprintf(stderr, "%s\n\n", USAGE_STRING);
fprintf(stderr, "Try `--help` for more options\n");
exit_with_code(EXIT_FAILURE);
}
result = yr_initialize();
if (result != ERROR_SUCCESS)
exit_with_code(EXIT_FAILURE);
if (yr_compiler_create(&compiler) != ERROR_SUCCESS)
exit_with_code(EXIT_FAILURE);
if (!define_external_variables(compiler))
exit_with_code(EXIT_FAILURE);
yr_compiler_set_callback(compiler, report_error, NULL);
for (int i = 0; i < argc - 1; i++)
{
const char* ns;
const char* file_name;
char* colon = (char*) strchr(argv[i], ':');
if (colon)
{
file_name = colon + 1;
*colon = '\0';
ns = argv[i];
}
else
{
file_name = argv[i];
ns = NULL;
}
FILE* rule_file = fopen(file_name, "r");
if (rule_file != NULL)
{
int errors = yr_compiler_add_file(
compiler, rule_file, ns, file_name);
fclose(rule_file);
if (errors) // errors during compilation
exit_with_code(EXIT_FAILURE);
}
else
{
fprintf(stderr, "error: could not open file: %s\n", file_name);
}
}
result = yr_compiler_get_rules(compiler, &rules);
if (result != ERROR_SUCCESS)
{
fprintf(stderr, "error: %d\n", result);
exit_with_code(EXIT_FAILURE);
}
result = yr_rules_save(rules, argv[argc - 1]);
if (result != ERROR_SUCCESS)
{
fprintf(stderr, "error: %d\n", result);
exit_with_code(EXIT_FAILURE);
}
result = EXIT_SUCCESS;
_exit:
if (compiler != NULL)
yr_compiler_destroy(compiler);
if (rules != NULL)
yr_rules_destroy(rules);
yr_finalize();
return result;
}
int main(
int argc,
char const* argv[])
{
int i, result, errors;
YR_COMPILER* compiler;
YR_RULES* rules;
FILE* rule_file;
yr_initialize();
if (yr_compiler_create(&compiler) != ERROR_SUCCESS)
{
yr_finalize();
return EXIT_FAILURE;
}
if (!process_cmd_line(compiler, argc, argv))
{
yr_compiler_destroy(compiler);
yr_finalize();
return EXIT_FAILURE;
}
if (argc == 1 || optind == argc)
{
show_help();
yr_compiler_destroy(compiler);
yr_finalize();
return EXIT_FAILURE;
}
compiler->error_report_function = report_error;
for (i = optind; i < argc - 1; i++)
{
rule_file = fopen(argv[i], "r");
if (rule_file != NULL)
{
yr_compiler_push_file_name(compiler, argv[i]);
errors = yr_compiler_add_file(compiler, rule_file, NULL);
fclose(rule_file);
if (errors) // errors during compilation
{
yr_compiler_destroy(compiler);
yr_finalize();
return EXIT_FAILURE;
}
}
else
{
fprintf(stderr, "could not open file: %s\n", argv[i]);
}
}
result = yr_compiler_get_rules(compiler, &rules);
if (result != ERROR_SUCCESS)
{
fprintf(stderr, "error: %d\n", result);
return EXIT_FAILURE;
}
result = yr_rules_save(rules, argv[argc - 1]);
if (result != ERROR_SUCCESS)
{
fprintf(stderr, "error: %d\n", result);
return EXIT_FAILURE;
}
yr_rules_destroy(rules);
yr_compiler_destroy(compiler);
yr_finalize();
return EXIT_SUCCESS;
}
