YR_API int yr_finalize(void)
{
#if defined HAVE_LIBCRYPTO && OPENSSL_VERSION_NUMBER < 0x10100000L
int i;
#endif
// yr_finalize shouldn't be called without calling yr_initialize first
if (init_count == 0)
return ERROR_INTERNAL_FATAL_ERROR;
yr_re_finalize_thread();
init_count--;
if (init_count > 0)
return ERROR_SUCCESS;
#if defined HAVE_LIBCRYPTO && OPENSSL_VERSION_NUMBER < 0x10100000L
for (i = 0; i < CRYPTO_num_locks(); i ++)
yr_mutex_destroy(&openssl_locks[i]);
OPENSSL_free(openssl_locks);
#endif
FAIL_ON_ERROR(yr_thread_storage_destroy(&tidx_key));
FAIL_ON_ERROR(yr_thread_storage_destroy(&recovery_state_key));
FAIL_ON_ERROR(yr_re_finalize());
FAIL_ON_ERROR(yr_modules_finalize());
FAIL_ON_ERROR(yr_heap_free());
return ERROR_SUCCESS;
}
int yr_initialize(void)
{
int i;
for (i = 0; i < 256; i++)
{
if (i >= 'a' && i <= 'z')
altercase[i] = (char)i - 32;
else if (i >= 'A' && i <= 'Z')
altercase[i] = (char)i + 32;
else
altercase[i] = (char)i;
lowercase[i] = (char)tolower(i);
}
FAIL_ON_ERROR(yr_heap_alloc());
#ifdef _WIN32
tidx_key = TlsAlloc();
recovery_state_key = TlsAlloc();
#else
pthread_key_create(&tidx_key, NULL);
pthread_key_create(&recovery_state_key, NULL);
#endif
FAIL_ON_ERROR(yr_re_initialize());
FAIL_ON_ERROR(yr_modules_initialize());
return ERROR_SUCCESS;
}
void UnregisterShellMenu(std::wstring opt, wchar_t* keyBaseName)
{
HKEY root = GetRootKey(opt);
HKEY cmderKey;
FAIL_ON_ERROR(
RegCreateKeyEx(root, keyBaseName, 0, NULL,
REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &cmderKey, NULL));
#ifdef XP
FAIL_ON_ERROR(SHDeleteKey(cmderKey, NULL));
FAIL_ON_ERROR(SHDeleteKey(root, SHELL_MENU_REGISTRY_PATH));
#else
FAIL_ON_ERROR(RegDeleteTree(cmderKey, NULL)););
int yr_arena_append(
YR_ARENA* target_arena,
YR_ARENA* source_arena)
{
uint8_t padding_data[15];
size_t padding_size = 16 - target_arena->current_page->used % 16;
if (padding_size < 16)
{
memset(&padding_data, 0xCC, padding_size);
FAIL_ON_ERROR(yr_arena_write_data(
target_arena,
padding_data,
padding_size,
NULL));
}
target_arena->current_page->next = source_arena->page_list_head;
source_arena->page_list_head->prev = target_arena->current_page;
target_arena->current_page = source_arena->current_page;
yr_free(source_arena);
return ERROR_SUCCESS;
}
int _yr_re_fiber_split(
RE_FIBER* fiber,
RE_FIBER_LIST* fiber_list,
RE_FIBER_POOL* fiber_pool,
RE_FIBER** new_fiber)
{
int32_t i;
FAIL_ON_ERROR(_yr_re_fiber_create(fiber_pool, new_fiber));
(*new_fiber)->sp = fiber->sp;
(*new_fiber)->ip = fiber->ip;
for (i = 0; i <= fiber->sp; i++)
(*new_fiber)->stack[i] = fiber->stack[i];
(*new_fiber)->next = fiber->next;
(*new_fiber)->prev = fiber;
if (fiber->next != NULL)
fiber->next->prev = *new_fiber;
fiber->next = *new_fiber;
if (fiber_list->tail == fiber)
fiber_list->tail = *new_fiber;
assert(fiber_list->tail->next == NULL);
assert(fiber_list->head->prev == NULL);
return ERROR_SUCCESS;
}
int yr_finalize(void)
{
yr_re_finalize_thread();
#ifdef _WIN32
TlsFree(tidx_key);
TlsFree(recovery_state_key);
#else
pthread_key_delete(tidx_key);
pthread_key_delete(recovery_state_key);
#endif
FAIL_ON_ERROR(yr_re_finalize());
FAIL_ON_ERROR(yr_modules_finalize());
FAIL_ON_ERROR(yr_heap_free());
return ERROR_SUCCESS;
}
int yr_scan_verify_match(
YR_AC_MATCH* ac_match,
uint8_t* data,
size_t data_size,
size_t data_base,
size_t offset,
YR_ARENA* matches_arena,
int flags)
{
YR_STRING* string = ac_match->string;
#ifdef PROFILING_ENABLED
clock_t start = clock();
#endif
if (data_size - offset <= 0)
return ERROR_SUCCESS;
if (flags & SCAN_FLAGS_FAST_MODE &&
STRING_IS_SINGLE_MATCH(string) &&
STRING_FOUND(string))
return ERROR_SUCCESS;
if (STRING_IS_FIXED_OFFSET(string) &&
string->fixed_offset != data_base + offset)
return ERROR_SUCCESS;
if (STRING_IS_LITERAL(string))
{
FAIL_ON_ERROR(_yr_scan_verify_literal_match(
ac_match, data, data_size, data_base, offset, matches_arena));
}
else
{
FAIL_ON_ERROR(_yr_scan_verify_re_match(
ac_match, data, data_size, data_base, offset, matches_arena));
}
#ifdef PROFILING_ENABLED
string->clock_ticks += clock() - start;
#endif
return ERROR_SUCCESS;
}
int yr_scan_verify_match(
YR_SCAN_CONTEXT* context,
YR_AC_MATCH* ac_match,
uint8_t* data,
size_t data_size,
size_t data_base,
size_t offset)
{
YR_STRING* string = ac_match->string;
#ifdef PROFILING_ENABLED
clock_t start = clock();
#endif
if (data_size - offset <= 0)
return ERROR_SUCCESS;
if (context->flags & SCAN_FLAGS_FAST_MODE &&
STRING_IS_SINGLE_MATCH(string) &&
string->matches[context->tidx].head != NULL)
return ERROR_SUCCESS;
if (STRING_IS_FIXED_OFFSET(string) &&
string->fixed_offset != data_base + offset)
return ERROR_SUCCESS;
if (STRING_IS_LITERAL(string))
{
FAIL_ON_ERROR(_yr_scan_verify_literal_match(
context, ac_match, data, data_size, data_base, offset));
}
else
{
FAIL_ON_ERROR(_yr_scan_verify_re_match(
context, ac_match, data, data_size, data_base, offset));
}
#ifdef PROFILING_ENABLED
string->clock_ticks += clock() - start;
#endif
return ERROR_SUCCESS;
}
int yr_parser_reduce_meta_declaration(
yyscan_t yyscanner,
int32_t type,
const char* identifier,
const char* string,
int64_t integer,
YR_META** meta)
{
YR_COMPILER* compiler = yyget_extra(yyscanner);
FAIL_ON_ERROR(yr_arena_allocate_struct(
compiler->metas_arena,
sizeof(YR_META),
(void**) meta,
offsetof(YR_META, identifier),
offsetof(YR_META, string),
EOL));
FAIL_ON_ERROR(yr_arena_write_string(
compiler->sz_arena,
identifier,
(char**) &(*meta)->identifier));
if (string != NULL)
{
FAIL_ON_ERROR(yr_arena_write_string(
compiler->sz_arena,
string,
&(*meta)->string));
}
else
{
(*meta)->string = NULL;
}
(*meta)->integer = integer;
(*meta)->type = type;
return ERROR_SUCCESS;
}
inline int _yr_scan_verify_match(
YR_AC_MATCH* ac_match,
uint8_t* data,
size_t data_size,
size_t offset,
YR_ARENA* matches_arena,
int fast_scan_mode)
{
YR_STRING* string = ac_match->string;
#ifdef PROFILING_ENABLED
clock_t start = clock();
#endif
if (data_size - offset <= 0)
return ERROR_SUCCESS;
if (fast_scan_mode &&
STRING_IS_SINGLE_MATCH(string) &&
STRING_FOUND(string))
return ERROR_SUCCESS;
if (STRING_IS_LITERAL(string))
{
FAIL_ON_ERROR(_yr_scan_verify_literal_match(
ac_match, data, data_size, offset, matches_arena));
}
else
{
FAIL_ON_ERROR(_yr_scan_verify_re_match(
ac_match, data, data_size, offset, matches_arena));
}
#ifdef PROFILING_ENABLED
string->clock_ticks += clock() - start;
#endif
return ERROR_SUCCESS;
}
int _yr_ac_optimize_failure_links(
YR_AC_AUTOMATON* automaton)
{
QUEUE queue = { NULL, NULL};
// Push root's children.
YR_AC_STATE* root_state = automaton->root;
YR_AC_STATE* state = root_state->first_child;
while (state != NULL)
{
FAIL_ON_ERROR(_yr_ac_queue_push(&queue, state));
state = state->siblings;
}
while (!_yr_ac_queue_is_empty(&queue))
{
YR_AC_STATE* current_state = _yr_ac_queue_pop(&queue);
if (current_state->failure != root_state)
{
if (_yr_ac_transitions_subset(current_state, current_state->failure))
current_state->failure = current_state->failure->failure;
}
// Push childrens of current_state
state = current_state->first_child;
while (state != NULL)
{
FAIL_ON_ERROR(_yr_ac_queue_push(&queue, state));
state = state->siblings;
}
}
return ERROR_SUCCESS;
}
int module_load(
YR_SCAN_CONTEXT* context,
YR_OBJECT* module_object,
void* module_data,
size_t module_data_size)
{
YR_HASH_TABLE* hash_table;
FAIL_ON_ERROR(yr_hash_table_create(17, &hash_table));
module_object->data = hash_table;
return ERROR_SUCCESS;
}
int yr_arena_allocate_memory(
YR_ARENA* arena,
size_t size,
void** allocated_memory)
{
FAIL_ON_ERROR(yr_arena_reserve_memory(arena, size));
*allocated_memory = arena->current_page->address + \
arena->current_page->used;
arena->current_page->used += size;
return ERROR_SUCCESS;
}
int _yr_emit_split(
RE_EMIT_CONTEXT* emit_context,
uint8_t opcode,
int16_t argument,
uint8_t** instruction_addr,
int16_t** argument_addr,
int* code_size)
{
assert(opcode == RE_OPCODE_SPLIT_A || opcode == RE_OPCODE_SPLIT_B);
if (emit_context->next_split_id == RE_MAX_SPLIT_ID)
return ERROR_REGULAR_EXPRESSION_TOO_COMPLEX;
FAIL_ON_ERROR(yr_arena_write_data(
emit_context->arena,
&opcode,
sizeof(uint8_t),
(void**) instruction_addr));
FAIL_ON_ERROR(yr_arena_write_data(
emit_context->arena,
&emit_context->next_split_id,
sizeof(RE_SPLIT_ID_TYPE),
NULL));
emit_context->next_split_id++;
FAIL_ON_ERROR(yr_arena_write_data(
emit_context->arena,
&argument,
sizeof(int16_t),
(void**) argument_addr));
*code_size = sizeof(uint8_t) + sizeof(RE_SPLIT_ID_TYPE) + sizeof(int16_t);
return ERROR_SUCCESS;
}
int _yr_emit_inst_arg_int16(
RE_EMIT_CONTEXT* emit_context,
uint8_t opcode,
int16_t argument,
uint8_t** instruction_addr,
int16_t** argument_addr,
int* code_size)
{
FAIL_ON_ERROR(yr_arena_write_data(
emit_context->arena,
&opcode,
sizeof(uint8_t),
(void**) instruction_addr));
FAIL_ON_ERROR(yr_arena_write_data(
emit_context->arena,
&argument,
sizeof(int16_t),
(void**) argument_addr));
*code_size = sizeof(uint8_t) + sizeof(int16_t);
return ERROR_SUCCESS;
}
int yr_re_emit_code(
RE* re,
YR_ARENA* arena)
{
int code_size;
// Emit code for matching the regular expressions forwards.
FAIL_ON_ERROR(_yr_re_emit(
re->root_node,
arena,
0,
NULL,
&code_size));
FAIL_ON_ERROR(_yr_emit_inst(
arena,
RE_OPCODE_MATCH,
NULL,
&code_size));
// Emit code for matching the regular expressions backwards.
FAIL_ON_ERROR(_yr_re_emit(
re->root_node,
arena,
EMIT_FLAGS_BACKWARDS,
NULL,
&code_size));
FAIL_ON_ERROR(_yr_emit_inst(
arena,
RE_OPCODE_MATCH,
NULL,
&code_size));
return ERROR_SUCCESS;
}
int _yr_emit_inst_arg_int16(
YR_ARENA* arena,
uint8_t opcode,
int16_t argument,
uint8_t** instruction_addr,
int16_t** argument_addr,
int* code_size)
{
FAIL_ON_ERROR(yr_arena_write_data(
arena,
&opcode,
sizeof(uint8_t),
(void**) instruction_addr));
FAIL_ON_ERROR(yr_arena_write_data(
arena,
&argument,
sizeof(int16_t),
(void**) argument_addr));
*code_size = sizeof(uint8_t) + sizeof(int16_t);
return ERROR_SUCCESS;
}
HKEY GetRootKey(std::wstring opt)
{
HKEY root;
if (IsUserOnly(opt))
{
FAIL_ON_ERROR(RegCreateKeyEx(HKEY_CURRENT_USER, L"Software\\Classes", 0, NULL,
REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &root, NULL));
}
else
{
root = HKEY_CLASSES_ROOT;
}
return root;
}
static void do_get(void* arg)
{
PortState* state = (PortState*)arg;
// Unpack key from work buffer
// table - 8 bytes
// keysz - 1 byte
// key - variable
ib_id_t table ; UNPACK_INT(state->work_buffer, 0, &table);
unsigned char keysz = UNPACK_BYTE(state->work_buffer, sizeof(table));
char* key = UNPACK_BLOB(state->work_buffer, sizeof(table)+1);
ib_trx_t txn = ib_trx_begin(IB_TRX_REPEATABLE_READ);
ib_crsr_t cursor;
FAIL_ON_ERROR(ib_cursor_open_table_using_id(table, txn, &cursor),
ROLLBACK_RETURN(txn));
ib_tpl_t key_tuple = ib_clust_search_tuple_create(cursor);
ib_col_set_value(key_tuple, KEY_COL, key, keysz);
int searchloc;
ib_err_t error = ib_cursor_moveto(cursor, key_tuple, IB_CUR_GE, &searchloc);
// Drop the key tuple -- cursor is at desired location
ib_tuple_delete(key_tuple);
// If we encountered an error, bail
if (error != DB_SUCCESS && error != DB_RECORD_NOT_FOUND && error != DB_END_OF_INDEX)
{
ib_cursor_close(cursor);
send_error_str(state, ib_strerror(error));
ROLLBACK_RETURN(txn);
}
// Found it, read the value and send back to caller
if (searchloc == 0)
{
ib_tpl_t tuple = ib_clust_read_tuple_create(cursor);
// TODO: May need better error handling here
FAIL_ON_ERROR(ib_cursor_read_row(cursor, tuple),
{
ib_tuple_delete(tuple);
ib_cursor_close(cursor);
ROLLBACK_RETURN(txn);
});
int yr_object_function_create(
const char* identifier,
const char* arguments_fmt,
const char* return_fmt,
YR_MODULE_FUNC code,
YR_OBJECT* parent,
YR_OBJECT** function)
{
YR_OBJECT* return_obj;
YR_OBJECT* f;
int8_t return_type;
switch (*return_fmt)
{
case 'i':
return_type = OBJECT_TYPE_INTEGER;
break;
case 's':
return_type = OBJECT_TYPE_STRING;
break;
default:
return ERROR_INVALID_FORMAT;
}
FAIL_ON_ERROR(yr_object_create(
OBJECT_TYPE_FUNCTION,
identifier,
parent,
&f));
FAIL_ON_ERROR_WITH_CLEANUP(
yr_object_create(return_type, "result", f, &return_obj),
yr_object_destroy(f));
((YR_OBJECT_FUNCTION* )f)->arguments_fmt = arguments_fmt;
((YR_OBJECT_FUNCTION* )f)->return_obj = return_obj;
((YR_OBJECT_FUNCTION* )f)->code = code;
if (function != NULL)
*function = f;
return ERROR_SUCCESS;
}
YR_API int yr_compiler_get_rules(
YR_COMPILER* compiler,
YR_RULES** rules)
{
YR_RULES* yara_rules;
YARA_RULES_FILE_HEADER* rules_file_header;
*rules = NULL;
if (compiler->compiled_rules_arena == NULL)
FAIL_ON_ERROR(_yr_compiler_compile_rules(compiler));
yara_rules = (YR_RULES*) yr_malloc(sizeof(YR_RULES));
if (yara_rules == NULL)
return ERROR_INSUFICIENT_MEMORY;
FAIL_ON_ERROR_WITH_CLEANUP(
yr_arena_duplicate(compiler->compiled_rules_arena, &yara_rules->arena),
yr_free(yara_rules));
rules_file_header = (YARA_RULES_FILE_HEADER*) yr_arena_base_address(
yara_rules->arena);
yara_rules->externals_list_head = rules_file_header->externals_list_head;
yara_rules->rules_list_head = rules_file_header->rules_list_head;
yara_rules->match_table = rules_file_header->match_table;
yara_rules->transition_table = rules_file_header->transition_table;
yara_rules->code_start = rules_file_header->code_start;
yara_rules->tidx_mask = 0;
FAIL_ON_ERROR_WITH_CLEANUP(
yr_mutex_create(&yara_rules->mutex),
// cleanup
yr_arena_destroy(yara_rules->arena);
yr_free(yara_rules));
*rules = yara_rules;
return ERROR_SUCCESS;
}
int yr_compiler_get_rules(
YR_COMPILER* compiler,
YR_RULES** rules)
{
YR_RULES* yara_rules;
YARA_RULES_FILE_HEADER* rules_file_header;
*rules = NULL;
if (compiler->compiled_rules_arena == NULL)
FAIL_ON_ERROR(_yr_compiler_compile_rules(compiler));
yara_rules = yr_malloc(sizeof(YR_RULES));
if (yara_rules == NULL)
return ERROR_INSUFICIENT_MEMORY;
FAIL_ON_ERROR_WITH_CLEANUP(
yr_arena_duplicate(compiler->compiled_rules_arena, &yara_rules->arena),
yr_free(yara_rules));
rules_file_header = (YARA_RULES_FILE_HEADER*) yr_arena_base_address(
yara_rules->arena);
yara_rules->externals_list_head = rules_file_header->externals_list_head;
yara_rules->rules_list_head = rules_file_header->rules_list_head;
yara_rules->automaton = rules_file_header->automaton;
yara_rules->code_start = rules_file_header->code_start;
yara_rules->tidx_mask = 0;
#if _WIN32
yara_rules->mutex = CreateMutex(NULL, FALSE, NULL);
#else
pthread_mutex_init(&yara_rules->mutex, NULL);
#endif
*rules = yara_rules;
return ERROR_SUCCESS;
}
YR_API int yr_initialize(void)
{
uint32_t def_stack_size = DEFAULT_STACK_SIZE;
int i;
init_count++;
if (init_count > 1)
return ERROR_SUCCESS;
for (i = 0; i < 256; i++)
{
if (i >= 'a' && i <= 'z')
altercase[i] = i - 32;
else if (i >= 'A' && i <= 'Z')
altercase[i] = i + 32;
else
altercase[i] = i;
lowercase[i] = tolower(i);
}
FAIL_ON_ERROR(yr_heap_alloc());
FAIL_ON_ERROR(yr_thread_storage_create(&tidx_key));
FAIL_ON_ERROR(yr_thread_storage_create(&recovery_state_key));
#if defined HAVE_LIBCRYPTO && OPENSSL_VERSION_NUMBER < 0x10100000L
openssl_locks = (YR_MUTEX*) OPENSSL_malloc(
CRYPTO_num_locks() * sizeof(YR_MUTEX));
for (i = 0; i < CRYPTO_num_locks(); i++)
yr_mutex_create(&openssl_locks[i]);
CRYPTO_set_id_callback(thread_id);
CRYPTO_set_locking_callback(locking_function);
#endif
FAIL_ON_ERROR(yr_re_initialize());
FAIL_ON_ERROR(yr_modules_initialize());
// Initialize default configuration options
FAIL_ON_ERROR(yr_set_configuration(YR_CONFIG_STACK_SIZE, &def_stack_size));
return ERROR_SUCCESS;
}
GLboolean
test_GetSynciv(GLsync sync, GLenum pname, GLint expect)
{
GLboolean pass = GL_TRUE;
GLint val;
GLsizei len;
glGetSynciv(sync, pname, 1, & len, & val);
FAIL_ON_ERROR("glGetSynciv");
if (len != 1) {
fprintf(stderr, "glGetSynciv length of 0x%04x was %d\n",
pname, len);
pass = GL_FALSE;
} else if (val != expect) {
fprintf(stderr, "glGetSynciv of 0x%04x expected 0x%08x, "
"got 0x%08x\n", pname, expect, val);
pass = GL_FALSE;
}
done:
return pass;
}
int yr_re_compile(
const char* re_string,
int flags,
YR_ARENA* code_arena,
RE** re,
RE_ERROR* error)
{
RE* compiled_re;
YR_ARENA* arena;
*re = NULL;
FAIL_ON_ERROR(yr_re_parse(re_string, flags, &compiled_re, error));
if (code_arena == NULL)
{
FAIL_ON_ERROR_WITH_CLEANUP(
yr_arena_create(
RE_MAX_CODE_SIZE,
ARENA_FLAGS_FIXED_SIZE,
&arena),
yr_re_destroy(compiled_re));
compiled_re->code_arena = arena;
}
else
{
arena = code_arena;
}
FAIL_ON_ERROR_WITH_CLEANUP(
yr_re_emit_code(compiled_re, arena),
yr_re_destroy(compiled_re));
*re = compiled_re;
return ERROR_SUCCESS;
}
int _yr_re_alloc_storage(
RE_THREAD_STORAGE** storage)
{
*storage = (RE_THREAD_STORAGE*) yr_thread_storage_get_value(
&thread_storage_key);
if (*storage == NULL)
{
*storage = (RE_THREAD_STORAGE*) yr_malloc(sizeof(RE_THREAD_STORAGE));
if (*storage == NULL)
return ERROR_INSUFICIENT_MEMORY;
(*storage)->fiber_pool.fiber_count = 0;
(*storage)->fiber_pool.fibers.head = NULL;
(*storage)->fiber_pool.fibers.tail = NULL;
FAIL_ON_ERROR(
yr_thread_storage_set_value(&thread_storage_key, *storage));
}
return ERROR_SUCCESS;
}
void RegisterShellMenu(std::wstring opt, wchar_t* keyBaseName)
{
// First, get the paths we will use
wchar_t exePath[MAX_PATH] = { 0 };
wchar_t icoPath[MAX_PATH] = { 0 };
GetModuleFileName(NULL, exePath, sizeof(exePath));
wchar_t commandStr[MAX_PATH + 20] = { 0 };
swprintf_s(commandStr, L"\"%s\" \"%%V\"", exePath);
// Now that we have `commandStr`, it's OK to change `exePath`...
PathRemoveFileSpec(exePath);
PathCombine(icoPath, exePath, L"icons\\cmder.ico");
// Now set the registry keys
HKEY root = GetRootKey(opt);
HKEY cmderKey;
FAIL_ON_ERROR(
RegCreateKeyEx(root, keyBaseName, 0, NULL,
REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &cmderKey, NULL));
FAIL_ON_ERROR(RegSetValue(cmderKey, L"", REG_SZ, L"Cmder Here", NULL));
FAIL_ON_ERROR(RegSetValueEx(cmderKey, L"NoWorkingDirectory", 0, REG_SZ, (BYTE *)L"", 2));
FAIL_ON_ERROR(RegSetValueEx(cmderKey, L"Icon", 0, REG_SZ, (BYTE *)icoPath, wcslen(icoPath) * sizeof(wchar_t)));
HKEY command;
FAIL_ON_ERROR(
RegCreateKeyEx(cmderKey, L"command", 0, NULL,
REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &command, NULL));
FAIL_ON_ERROR(RegSetValue(command, L"", REG_SZ, commandStr, NULL));
RegCloseKey(command);
RegCloseKey(cmderKey);
RegCloseKey(root);
}
int _yr_scan_verify_literal_match(
YR_SCAN_CONTEXT* context,
YR_AC_MATCH* ac_match,
uint8_t* data,
size_t data_size,
size_t data_base,
size_t offset)
{
int flags = 0;
int forward_matches = 0;
CALLBACK_ARGS callback_args;
YR_STRING* string = ac_match->string;
if (STRING_FITS_IN_ATOM(string))
{
forward_matches = ac_match->backtrack;
}
else if (STRING_IS_NO_CASE(string))
{
if (STRING_IS_ASCII(string))
{
forward_matches = _yr_scan_icompare(
data + offset,
data_size - offset,
string->string,
string->length);
}
if (STRING_IS_WIDE(string) && forward_matches == 0)
{
forward_matches = _yr_scan_wicompare(
data + offset,
data_size - offset,
string->string,
string->length);
}
}
else
{
if (STRING_IS_ASCII(string))
{
forward_matches = _yr_scan_compare(
data + offset,
data_size - offset,
string->string,
string->length);
}
if (STRING_IS_WIDE(string) && forward_matches == 0)
{
forward_matches = _yr_scan_wcompare(
data + offset,
data_size - offset,
string->string,
string->length);
}
}
if (forward_matches == 0)
return ERROR_SUCCESS;
if (forward_matches == string->length * 2)
flags |= RE_FLAGS_WIDE;
if (STRING_IS_NO_CASE(string))
flags |= RE_FLAGS_NO_CASE;
callback_args.context = context;
callback_args.string = string;
callback_args.data = data;
callback_args.data_size = data_size;
callback_args.data_base = data_base;
callback_args.forward_matches = forward_matches;
callback_args.full_word = STRING_IS_FULL_WORD(string);
FAIL_ON_ERROR(_yr_scan_match_callback(
data + offset, 0, flags, &callback_args));
return ERROR_SUCCESS;
}
int _yr_scan_verify_re_match(
YR_SCAN_CONTEXT* context,
YR_AC_MATCH* ac_match,
uint8_t* data,
size_t data_size,
size_t data_base,
size_t offset)
{
CALLBACK_ARGS callback_args;
RE_EXEC_FUNC exec;
int forward_matches = -1;
int backward_matches = -1;
int flags = 0;
if (STRING_IS_GREEDY_REGEXP(ac_match->string))
flags |= RE_FLAGS_GREEDY;
if (STRING_IS_FAST_HEX_REGEXP(ac_match->string))
exec = _yr_scan_fast_hex_re_exec;
else
exec = yr_re_exec;
if (STRING_IS_ASCII(ac_match->string))
{
forward_matches = exec(
ac_match->forward_code,
data + offset,
data_size - offset,
offset > 0 ? flags | RE_FLAGS_NOT_AT_START : flags,
NULL,
NULL);
}
if (STRING_IS_WIDE(ac_match->string) && forward_matches == -1)
{
flags |= RE_FLAGS_WIDE;
forward_matches = exec(
ac_match->forward_code,
data + offset,
data_size - offset,
offset > 0 ? flags | RE_FLAGS_NOT_AT_START : flags,
NULL,
NULL);
}
switch(forward_matches)
{
case -1:
return ERROR_SUCCESS;
case -2:
return ERROR_INSUFICIENT_MEMORY;
case -3:
return ERROR_TOO_MANY_MATCHES;
case -4:
return ERROR_TOO_MANY_RE_FIBERS;
case -5:
return ERROR_INTERNAL_FATAL_ERROR;
}
if (forward_matches == 0 && ac_match->backward_code == NULL)
return ERROR_SUCCESS;
callback_args.string = ac_match->string;
callback_args.context = context;
callback_args.data = data;
callback_args.data_size = data_size;
callback_args.data_base = data_base;
callback_args.forward_matches = forward_matches;
callback_args.full_word = STRING_IS_FULL_WORD(ac_match->string);
if (ac_match->backward_code != NULL)
{
backward_matches = exec(
ac_match->backward_code,
data + offset,
offset,
flags | RE_FLAGS_BACKWARDS | RE_FLAGS_EXHAUSTIVE,
_yr_scan_match_callback,
(void*) &callback_args);
switch(backward_matches)
{
case -2:
return ERROR_INSUFICIENT_MEMORY;
case -3:
return ERROR_TOO_MANY_MATCHES;
case -4:
return ERROR_TOO_MANY_RE_FIBERS;
case -5:
return ERROR_INTERNAL_FATAL_ERROR;
}
}
else
{
FAIL_ON_ERROR(_yr_scan_match_callback(
data + offset, 0, flags, &callback_args));
}
return ERROR_SUCCESS;
}
int _yr_scan_match_callback(
uint8_t* match_data,
int32_t match_length,
int flags,
void* args)
{
CALLBACK_ARGS* callback_args = (CALLBACK_ARGS*) args;
YR_STRING* string = callback_args->string;
YR_MATCH* new_match;
int result = ERROR_SUCCESS;
int tidx = callback_args->context->tidx;
size_t match_offset = match_data - callback_args->data;
// total match length is the sum of backward and forward matches.
match_length += callback_args->forward_matches;
if (callback_args->full_word)
{
if (flags & RE_FLAGS_WIDE)
{
if (match_offset >= 2 &&
*(match_data - 1) == 0 &&
isalnum(*(match_data - 2)))
return ERROR_SUCCESS;
if (match_offset + match_length + 1 < callback_args->data_size &&
*(match_data + match_length + 1) == 0 &&
isalnum(*(match_data + match_length)))
return ERROR_SUCCESS;
}
else
{
if (match_offset >= 1 &&
isalnum(*(match_data - 1)))
return ERROR_SUCCESS;
if (match_offset + match_length < callback_args->data_size &&
isalnum(*(match_data + match_length)))
return ERROR_SUCCESS;
}
}
if (STRING_IS_CHAIN_PART(string))
{
result = _yr_scan_verify_chained_string_match(
string,
callback_args->context,
match_data,
callback_args->data_base,
match_offset,
match_length);
}
else
{
if (string->matches[tidx].count == 0)
{
// If this is the first match for the string, put the string in the
// list of strings whose flags needs to be cleared after the scan.
FAIL_ON_ERROR(yr_arena_write_data(
callback_args->context->matching_strings_arena,
&string,
sizeof(string),
NULL));
}
result = yr_arena_allocate_memory(
callback_args->context->matches_arena,
sizeof(YR_MATCH),
(void**) &new_match);
if (result == ERROR_SUCCESS)
{
new_match->base = callback_args->data_base;
new_match->offset = match_offset;
new_match->length = match_length;
new_match->data = match_data;
new_match->prev = NULL;
new_match->next = NULL;
FAIL_ON_ERROR(_yr_scan_add_match_to_list(
new_match,
&string->matches[tidx],
STRING_IS_GREEDY_REGEXP(string)));
}
}
return result;
}
