YR_API int yr_finalize(void) { #if defined HAVE_LIBCRYPTO && OPENSSL_VERSION_NUMBER < 0x10100000L int i; #endif // yr_finalize shouldn't be called without calling yr_initialize first if (init_count == 0) return ERROR_INTERNAL_FATAL_ERROR; yr_re_finalize_thread(); init_count--; if (init_count > 0) return ERROR_SUCCESS; #if defined HAVE_LIBCRYPTO && OPENSSL_VERSION_NUMBER < 0x10100000L for (i = 0; i < CRYPTO_num_locks(); i ++) yr_mutex_destroy(&openssl_locks[i]); OPENSSL_free(openssl_locks); #endif FAIL_ON_ERROR(yr_thread_storage_destroy(&tidx_key)); FAIL_ON_ERROR(yr_thread_storage_destroy(&recovery_state_key)); FAIL_ON_ERROR(yr_re_finalize()); FAIL_ON_ERROR(yr_modules_finalize()); FAIL_ON_ERROR(yr_heap_free()); return ERROR_SUCCESS; }
int yr_initialize(void) { int i; for (i = 0; i < 256; i++) { if (i >= 'a' && i <= 'z') altercase[i] = (char)i - 32; else if (i >= 'A' && i <= 'Z') altercase[i] = (char)i + 32; else altercase[i] = (char)i; lowercase[i] = (char)tolower(i); } FAIL_ON_ERROR(yr_heap_alloc()); #ifdef _WIN32 tidx_key = TlsAlloc(); recovery_state_key = TlsAlloc(); #else pthread_key_create(&tidx_key, NULL); pthread_key_create(&recovery_state_key, NULL); #endif FAIL_ON_ERROR(yr_re_initialize()); FAIL_ON_ERROR(yr_modules_initialize()); return ERROR_SUCCESS; }
void UnregisterShellMenu(std::wstring opt, wchar_t* keyBaseName) { HKEY root = GetRootKey(opt); HKEY cmderKey; FAIL_ON_ERROR( RegCreateKeyEx(root, keyBaseName, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &cmderKey, NULL)); #ifdef XP FAIL_ON_ERROR(SHDeleteKey(cmderKey, NULL)); FAIL_ON_ERROR(SHDeleteKey(root, SHELL_MENU_REGISTRY_PATH)); #else FAIL_ON_ERROR(RegDeleteTree(cmderKey, NULL)););
int yr_arena_append( YR_ARENA* target_arena, YR_ARENA* source_arena) { uint8_t padding_data[15]; size_t padding_size = 16 - target_arena->current_page->used % 16; if (padding_size < 16) { memset(&padding_data, 0xCC, padding_size); FAIL_ON_ERROR(yr_arena_write_data( target_arena, padding_data, padding_size, NULL)); } target_arena->current_page->next = source_arena->page_list_head; source_arena->page_list_head->prev = target_arena->current_page; target_arena->current_page = source_arena->current_page; yr_free(source_arena); return ERROR_SUCCESS; }
int _yr_re_fiber_split( RE_FIBER* fiber, RE_FIBER_LIST* fiber_list, RE_FIBER_POOL* fiber_pool, RE_FIBER** new_fiber) { int32_t i; FAIL_ON_ERROR(_yr_re_fiber_create(fiber_pool, new_fiber)); (*new_fiber)->sp = fiber->sp; (*new_fiber)->ip = fiber->ip; for (i = 0; i <= fiber->sp; i++) (*new_fiber)->stack[i] = fiber->stack[i]; (*new_fiber)->next = fiber->next; (*new_fiber)->prev = fiber; if (fiber->next != NULL) fiber->next->prev = *new_fiber; fiber->next = *new_fiber; if (fiber_list->tail == fiber) fiber_list->tail = *new_fiber; assert(fiber_list->tail->next == NULL); assert(fiber_list->head->prev == NULL); return ERROR_SUCCESS; }
int yr_finalize(void) { yr_re_finalize_thread(); #ifdef _WIN32 TlsFree(tidx_key); TlsFree(recovery_state_key); #else pthread_key_delete(tidx_key); pthread_key_delete(recovery_state_key); #endif FAIL_ON_ERROR(yr_re_finalize()); FAIL_ON_ERROR(yr_modules_finalize()); FAIL_ON_ERROR(yr_heap_free()); return ERROR_SUCCESS; }
int yr_scan_verify_match( YR_AC_MATCH* ac_match, uint8_t* data, size_t data_size, size_t data_base, size_t offset, YR_ARENA* matches_arena, int flags) { YR_STRING* string = ac_match->string; #ifdef PROFILING_ENABLED clock_t start = clock(); #endif if (data_size - offset <= 0) return ERROR_SUCCESS; if (flags & SCAN_FLAGS_FAST_MODE && STRING_IS_SINGLE_MATCH(string) && STRING_FOUND(string)) return ERROR_SUCCESS; if (STRING_IS_FIXED_OFFSET(string) && string->fixed_offset != data_base + offset) return ERROR_SUCCESS; if (STRING_IS_LITERAL(string)) { FAIL_ON_ERROR(_yr_scan_verify_literal_match( ac_match, data, data_size, data_base, offset, matches_arena)); } else { FAIL_ON_ERROR(_yr_scan_verify_re_match( ac_match, data, data_size, data_base, offset, matches_arena)); } #ifdef PROFILING_ENABLED string->clock_ticks += clock() - start; #endif return ERROR_SUCCESS; }
int yr_scan_verify_match( YR_SCAN_CONTEXT* context, YR_AC_MATCH* ac_match, uint8_t* data, size_t data_size, size_t data_base, size_t offset) { YR_STRING* string = ac_match->string; #ifdef PROFILING_ENABLED clock_t start = clock(); #endif if (data_size - offset <= 0) return ERROR_SUCCESS; if (context->flags & SCAN_FLAGS_FAST_MODE && STRING_IS_SINGLE_MATCH(string) && string->matches[context->tidx].head != NULL) return ERROR_SUCCESS; if (STRING_IS_FIXED_OFFSET(string) && string->fixed_offset != data_base + offset) return ERROR_SUCCESS; if (STRING_IS_LITERAL(string)) { FAIL_ON_ERROR(_yr_scan_verify_literal_match( context, ac_match, data, data_size, data_base, offset)); } else { FAIL_ON_ERROR(_yr_scan_verify_re_match( context, ac_match, data, data_size, data_base, offset)); } #ifdef PROFILING_ENABLED string->clock_ticks += clock() - start; #endif return ERROR_SUCCESS; }
int yr_parser_reduce_meta_declaration( yyscan_t yyscanner, int32_t type, const char* identifier, const char* string, int64_t integer, YR_META** meta) { YR_COMPILER* compiler = yyget_extra(yyscanner); FAIL_ON_ERROR(yr_arena_allocate_struct( compiler->metas_arena, sizeof(YR_META), (void**) meta, offsetof(YR_META, identifier), offsetof(YR_META, string), EOL)); FAIL_ON_ERROR(yr_arena_write_string( compiler->sz_arena, identifier, (char**) &(*meta)->identifier)); if (string != NULL) { FAIL_ON_ERROR(yr_arena_write_string( compiler->sz_arena, string, &(*meta)->string)); } else { (*meta)->string = NULL; } (*meta)->integer = integer; (*meta)->type = type; return ERROR_SUCCESS; }
inline int _yr_scan_verify_match( YR_AC_MATCH* ac_match, uint8_t* data, size_t data_size, size_t offset, YR_ARENA* matches_arena, int fast_scan_mode) { YR_STRING* string = ac_match->string; #ifdef PROFILING_ENABLED clock_t start = clock(); #endif if (data_size - offset <= 0) return ERROR_SUCCESS; if (fast_scan_mode && STRING_IS_SINGLE_MATCH(string) && STRING_FOUND(string)) return ERROR_SUCCESS; if (STRING_IS_LITERAL(string)) { FAIL_ON_ERROR(_yr_scan_verify_literal_match( ac_match, data, data_size, offset, matches_arena)); } else { FAIL_ON_ERROR(_yr_scan_verify_re_match( ac_match, data, data_size, offset, matches_arena)); } #ifdef PROFILING_ENABLED string->clock_ticks += clock() - start; #endif return ERROR_SUCCESS; }
int _yr_ac_optimize_failure_links( YR_AC_AUTOMATON* automaton) { QUEUE queue = { NULL, NULL}; // Push root's children. YR_AC_STATE* root_state = automaton->root; YR_AC_STATE* state = root_state->first_child; while (state != NULL) { FAIL_ON_ERROR(_yr_ac_queue_push(&queue, state)); state = state->siblings; } while (!_yr_ac_queue_is_empty(&queue)) { YR_AC_STATE* current_state = _yr_ac_queue_pop(&queue); if (current_state->failure != root_state) { if (_yr_ac_transitions_subset(current_state, current_state->failure)) current_state->failure = current_state->failure->failure; } // Push childrens of current_state state = current_state->first_child; while (state != NULL) { FAIL_ON_ERROR(_yr_ac_queue_push(&queue, state)); state = state->siblings; } } return ERROR_SUCCESS; }
int module_load( YR_SCAN_CONTEXT* context, YR_OBJECT* module_object, void* module_data, size_t module_data_size) { YR_HASH_TABLE* hash_table; FAIL_ON_ERROR(yr_hash_table_create(17, &hash_table)); module_object->data = hash_table; return ERROR_SUCCESS; }
int yr_arena_allocate_memory( YR_ARENA* arena, size_t size, void** allocated_memory) { FAIL_ON_ERROR(yr_arena_reserve_memory(arena, size)); *allocated_memory = arena->current_page->address + \ arena->current_page->used; arena->current_page->used += size; return ERROR_SUCCESS; }
int _yr_emit_split( RE_EMIT_CONTEXT* emit_context, uint8_t opcode, int16_t argument, uint8_t** instruction_addr, int16_t** argument_addr, int* code_size) { assert(opcode == RE_OPCODE_SPLIT_A || opcode == RE_OPCODE_SPLIT_B); if (emit_context->next_split_id == RE_MAX_SPLIT_ID) return ERROR_REGULAR_EXPRESSION_TOO_COMPLEX; FAIL_ON_ERROR(yr_arena_write_data( emit_context->arena, &opcode, sizeof(uint8_t), (void**) instruction_addr)); FAIL_ON_ERROR(yr_arena_write_data( emit_context->arena, &emit_context->next_split_id, sizeof(RE_SPLIT_ID_TYPE), NULL)); emit_context->next_split_id++; FAIL_ON_ERROR(yr_arena_write_data( emit_context->arena, &argument, sizeof(int16_t), (void**) argument_addr)); *code_size = sizeof(uint8_t) + sizeof(RE_SPLIT_ID_TYPE) + sizeof(int16_t); return ERROR_SUCCESS; }
int _yr_emit_inst_arg_int16( RE_EMIT_CONTEXT* emit_context, uint8_t opcode, int16_t argument, uint8_t** instruction_addr, int16_t** argument_addr, int* code_size) { FAIL_ON_ERROR(yr_arena_write_data( emit_context->arena, &opcode, sizeof(uint8_t), (void**) instruction_addr)); FAIL_ON_ERROR(yr_arena_write_data( emit_context->arena, &argument, sizeof(int16_t), (void**) argument_addr)); *code_size = sizeof(uint8_t) + sizeof(int16_t); return ERROR_SUCCESS; }
int yr_re_emit_code( RE* re, YR_ARENA* arena) { int code_size; // Emit code for matching the regular expressions forwards. FAIL_ON_ERROR(_yr_re_emit( re->root_node, arena, 0, NULL, &code_size)); FAIL_ON_ERROR(_yr_emit_inst( arena, RE_OPCODE_MATCH, NULL, &code_size)); // Emit code for matching the regular expressions backwards. FAIL_ON_ERROR(_yr_re_emit( re->root_node, arena, EMIT_FLAGS_BACKWARDS, NULL, &code_size)); FAIL_ON_ERROR(_yr_emit_inst( arena, RE_OPCODE_MATCH, NULL, &code_size)); return ERROR_SUCCESS; }
int _yr_emit_inst_arg_int16( YR_ARENA* arena, uint8_t opcode, int16_t argument, uint8_t** instruction_addr, int16_t** argument_addr, int* code_size) { FAIL_ON_ERROR(yr_arena_write_data( arena, &opcode, sizeof(uint8_t), (void**) instruction_addr)); FAIL_ON_ERROR(yr_arena_write_data( arena, &argument, sizeof(int16_t), (void**) argument_addr)); *code_size = sizeof(uint8_t) + sizeof(int16_t); return ERROR_SUCCESS; }
HKEY GetRootKey(std::wstring opt) { HKEY root; if (IsUserOnly(opt)) { FAIL_ON_ERROR(RegCreateKeyEx(HKEY_CURRENT_USER, L"Software\\Classes", 0, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &root, NULL)); } else { root = HKEY_CLASSES_ROOT; } return root; }
static void do_get(void* arg) { PortState* state = (PortState*)arg; // Unpack key from work buffer // table - 8 bytes // keysz - 1 byte // key - variable ib_id_t table ; UNPACK_INT(state->work_buffer, 0, &table); unsigned char keysz = UNPACK_BYTE(state->work_buffer, sizeof(table)); char* key = UNPACK_BLOB(state->work_buffer, sizeof(table)+1); ib_trx_t txn = ib_trx_begin(IB_TRX_REPEATABLE_READ); ib_crsr_t cursor; FAIL_ON_ERROR(ib_cursor_open_table_using_id(table, txn, &cursor), ROLLBACK_RETURN(txn)); ib_tpl_t key_tuple = ib_clust_search_tuple_create(cursor); ib_col_set_value(key_tuple, KEY_COL, key, keysz); int searchloc; ib_err_t error = ib_cursor_moveto(cursor, key_tuple, IB_CUR_GE, &searchloc); // Drop the key tuple -- cursor is at desired location ib_tuple_delete(key_tuple); // If we encountered an error, bail if (error != DB_SUCCESS && error != DB_RECORD_NOT_FOUND && error != DB_END_OF_INDEX) { ib_cursor_close(cursor); send_error_str(state, ib_strerror(error)); ROLLBACK_RETURN(txn); } // Found it, read the value and send back to caller if (searchloc == 0) { ib_tpl_t tuple = ib_clust_read_tuple_create(cursor); // TODO: May need better error handling here FAIL_ON_ERROR(ib_cursor_read_row(cursor, tuple), { ib_tuple_delete(tuple); ib_cursor_close(cursor); ROLLBACK_RETURN(txn); });
int yr_object_function_create( const char* identifier, const char* arguments_fmt, const char* return_fmt, YR_MODULE_FUNC code, YR_OBJECT* parent, YR_OBJECT** function) { YR_OBJECT* return_obj; YR_OBJECT* f; int8_t return_type; switch (*return_fmt) { case 'i': return_type = OBJECT_TYPE_INTEGER; break; case 's': return_type = OBJECT_TYPE_STRING; break; default: return ERROR_INVALID_FORMAT; } FAIL_ON_ERROR(yr_object_create( OBJECT_TYPE_FUNCTION, identifier, parent, &f)); FAIL_ON_ERROR_WITH_CLEANUP( yr_object_create(return_type, "result", f, &return_obj), yr_object_destroy(f)); ((YR_OBJECT_FUNCTION* )f)->arguments_fmt = arguments_fmt; ((YR_OBJECT_FUNCTION* )f)->return_obj = return_obj; ((YR_OBJECT_FUNCTION* )f)->code = code; if (function != NULL) *function = f; return ERROR_SUCCESS; }
YR_API int yr_compiler_get_rules( YR_COMPILER* compiler, YR_RULES** rules) { YR_RULES* yara_rules; YARA_RULES_FILE_HEADER* rules_file_header; *rules = NULL; if (compiler->compiled_rules_arena == NULL) FAIL_ON_ERROR(_yr_compiler_compile_rules(compiler)); yara_rules = (YR_RULES*) yr_malloc(sizeof(YR_RULES)); if (yara_rules == NULL) return ERROR_INSUFICIENT_MEMORY; FAIL_ON_ERROR_WITH_CLEANUP( yr_arena_duplicate(compiler->compiled_rules_arena, &yara_rules->arena), yr_free(yara_rules)); rules_file_header = (YARA_RULES_FILE_HEADER*) yr_arena_base_address( yara_rules->arena); yara_rules->externals_list_head = rules_file_header->externals_list_head; yara_rules->rules_list_head = rules_file_header->rules_list_head; yara_rules->match_table = rules_file_header->match_table; yara_rules->transition_table = rules_file_header->transition_table; yara_rules->code_start = rules_file_header->code_start; yara_rules->tidx_mask = 0; FAIL_ON_ERROR_WITH_CLEANUP( yr_mutex_create(&yara_rules->mutex), // cleanup yr_arena_destroy(yara_rules->arena); yr_free(yara_rules)); *rules = yara_rules; return ERROR_SUCCESS; }
int yr_compiler_get_rules( YR_COMPILER* compiler, YR_RULES** rules) { YR_RULES* yara_rules; YARA_RULES_FILE_HEADER* rules_file_header; *rules = NULL; if (compiler->compiled_rules_arena == NULL) FAIL_ON_ERROR(_yr_compiler_compile_rules(compiler)); yara_rules = yr_malloc(sizeof(YR_RULES)); if (yara_rules == NULL) return ERROR_INSUFICIENT_MEMORY; FAIL_ON_ERROR_WITH_CLEANUP( yr_arena_duplicate(compiler->compiled_rules_arena, &yara_rules->arena), yr_free(yara_rules)); rules_file_header = (YARA_RULES_FILE_HEADER*) yr_arena_base_address( yara_rules->arena); yara_rules->externals_list_head = rules_file_header->externals_list_head; yara_rules->rules_list_head = rules_file_header->rules_list_head; yara_rules->automaton = rules_file_header->automaton; yara_rules->code_start = rules_file_header->code_start; yara_rules->tidx_mask = 0; #if _WIN32 yara_rules->mutex = CreateMutex(NULL, FALSE, NULL); #else pthread_mutex_init(&yara_rules->mutex, NULL); #endif *rules = yara_rules; return ERROR_SUCCESS; }
YR_API int yr_initialize(void) { uint32_t def_stack_size = DEFAULT_STACK_SIZE; int i; init_count++; if (init_count > 1) return ERROR_SUCCESS; for (i = 0; i < 256; i++) { if (i >= 'a' && i <= 'z') altercase[i] = i - 32; else if (i >= 'A' && i <= 'Z') altercase[i] = i + 32; else altercase[i] = i; lowercase[i] = tolower(i); } FAIL_ON_ERROR(yr_heap_alloc()); FAIL_ON_ERROR(yr_thread_storage_create(&tidx_key)); FAIL_ON_ERROR(yr_thread_storage_create(&recovery_state_key)); #if defined HAVE_LIBCRYPTO && OPENSSL_VERSION_NUMBER < 0x10100000L openssl_locks = (YR_MUTEX*) OPENSSL_malloc( CRYPTO_num_locks() * sizeof(YR_MUTEX)); for (i = 0; i < CRYPTO_num_locks(); i++) yr_mutex_create(&openssl_locks[i]); CRYPTO_set_id_callback(thread_id); CRYPTO_set_locking_callback(locking_function); #endif FAIL_ON_ERROR(yr_re_initialize()); FAIL_ON_ERROR(yr_modules_initialize()); // Initialize default configuration options FAIL_ON_ERROR(yr_set_configuration(YR_CONFIG_STACK_SIZE, &def_stack_size)); return ERROR_SUCCESS; }
GLboolean test_GetSynciv(GLsync sync, GLenum pname, GLint expect) { GLboolean pass = GL_TRUE; GLint val; GLsizei len; glGetSynciv(sync, pname, 1, & len, & val); FAIL_ON_ERROR("glGetSynciv"); if (len != 1) { fprintf(stderr, "glGetSynciv length of 0x%04x was %d\n", pname, len); pass = GL_FALSE; } else if (val != expect) { fprintf(stderr, "glGetSynciv of 0x%04x expected 0x%08x, " "got 0x%08x\n", pname, expect, val); pass = GL_FALSE; } done: return pass; }
int yr_re_compile( const char* re_string, int flags, YR_ARENA* code_arena, RE** re, RE_ERROR* error) { RE* compiled_re; YR_ARENA* arena; *re = NULL; FAIL_ON_ERROR(yr_re_parse(re_string, flags, &compiled_re, error)); if (code_arena == NULL) { FAIL_ON_ERROR_WITH_CLEANUP( yr_arena_create( RE_MAX_CODE_SIZE, ARENA_FLAGS_FIXED_SIZE, &arena), yr_re_destroy(compiled_re)); compiled_re->code_arena = arena; } else { arena = code_arena; } FAIL_ON_ERROR_WITH_CLEANUP( yr_re_emit_code(compiled_re, arena), yr_re_destroy(compiled_re)); *re = compiled_re; return ERROR_SUCCESS; }
int _yr_re_alloc_storage( RE_THREAD_STORAGE** storage) { *storage = (RE_THREAD_STORAGE*) yr_thread_storage_get_value( &thread_storage_key); if (*storage == NULL) { *storage = (RE_THREAD_STORAGE*) yr_malloc(sizeof(RE_THREAD_STORAGE)); if (*storage == NULL) return ERROR_INSUFICIENT_MEMORY; (*storage)->fiber_pool.fiber_count = 0; (*storage)->fiber_pool.fibers.head = NULL; (*storage)->fiber_pool.fibers.tail = NULL; FAIL_ON_ERROR( yr_thread_storage_set_value(&thread_storage_key, *storage)); } return ERROR_SUCCESS; }
void RegisterShellMenu(std::wstring opt, wchar_t* keyBaseName) { // First, get the paths we will use wchar_t exePath[MAX_PATH] = { 0 }; wchar_t icoPath[MAX_PATH] = { 0 }; GetModuleFileName(NULL, exePath, sizeof(exePath)); wchar_t commandStr[MAX_PATH + 20] = { 0 }; swprintf_s(commandStr, L"\"%s\" \"%%V\"", exePath); // Now that we have `commandStr`, it's OK to change `exePath`... PathRemoveFileSpec(exePath); PathCombine(icoPath, exePath, L"icons\\cmder.ico"); // Now set the registry keys HKEY root = GetRootKey(opt); HKEY cmderKey; FAIL_ON_ERROR( RegCreateKeyEx(root, keyBaseName, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &cmderKey, NULL)); FAIL_ON_ERROR(RegSetValue(cmderKey, L"", REG_SZ, L"Cmder Here", NULL)); FAIL_ON_ERROR(RegSetValueEx(cmderKey, L"NoWorkingDirectory", 0, REG_SZ, (BYTE *)L"", 2)); FAIL_ON_ERROR(RegSetValueEx(cmderKey, L"Icon", 0, REG_SZ, (BYTE *)icoPath, wcslen(icoPath) * sizeof(wchar_t))); HKEY command; FAIL_ON_ERROR( RegCreateKeyEx(cmderKey, L"command", 0, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &command, NULL)); FAIL_ON_ERROR(RegSetValue(command, L"", REG_SZ, commandStr, NULL)); RegCloseKey(command); RegCloseKey(cmderKey); RegCloseKey(root); }
int _yr_scan_verify_literal_match( YR_SCAN_CONTEXT* context, YR_AC_MATCH* ac_match, uint8_t* data, size_t data_size, size_t data_base, size_t offset) { int flags = 0; int forward_matches = 0; CALLBACK_ARGS callback_args; YR_STRING* string = ac_match->string; if (STRING_FITS_IN_ATOM(string)) { forward_matches = ac_match->backtrack; } else if (STRING_IS_NO_CASE(string)) { if (STRING_IS_ASCII(string)) { forward_matches = _yr_scan_icompare( data + offset, data_size - offset, string->string, string->length); } if (STRING_IS_WIDE(string) && forward_matches == 0) { forward_matches = _yr_scan_wicompare( data + offset, data_size - offset, string->string, string->length); } } else { if (STRING_IS_ASCII(string)) { forward_matches = _yr_scan_compare( data + offset, data_size - offset, string->string, string->length); } if (STRING_IS_WIDE(string) && forward_matches == 0) { forward_matches = _yr_scan_wcompare( data + offset, data_size - offset, string->string, string->length); } } if (forward_matches == 0) return ERROR_SUCCESS; if (forward_matches == string->length * 2) flags |= RE_FLAGS_WIDE; if (STRING_IS_NO_CASE(string)) flags |= RE_FLAGS_NO_CASE; callback_args.context = context; callback_args.string = string; callback_args.data = data; callback_args.data_size = data_size; callback_args.data_base = data_base; callback_args.forward_matches = forward_matches; callback_args.full_word = STRING_IS_FULL_WORD(string); FAIL_ON_ERROR(_yr_scan_match_callback( data + offset, 0, flags, &callback_args)); return ERROR_SUCCESS; }
int _yr_scan_verify_re_match( YR_SCAN_CONTEXT* context, YR_AC_MATCH* ac_match, uint8_t* data, size_t data_size, size_t data_base, size_t offset) { CALLBACK_ARGS callback_args; RE_EXEC_FUNC exec; int forward_matches = -1; int backward_matches = -1; int flags = 0; if (STRING_IS_GREEDY_REGEXP(ac_match->string)) flags |= RE_FLAGS_GREEDY; if (STRING_IS_FAST_HEX_REGEXP(ac_match->string)) exec = _yr_scan_fast_hex_re_exec; else exec = yr_re_exec; if (STRING_IS_ASCII(ac_match->string)) { forward_matches = exec( ac_match->forward_code, data + offset, data_size - offset, offset > 0 ? flags | RE_FLAGS_NOT_AT_START : flags, NULL, NULL); } if (STRING_IS_WIDE(ac_match->string) && forward_matches == -1) { flags |= RE_FLAGS_WIDE; forward_matches = exec( ac_match->forward_code, data + offset, data_size - offset, offset > 0 ? flags | RE_FLAGS_NOT_AT_START : flags, NULL, NULL); } switch(forward_matches) { case -1: return ERROR_SUCCESS; case -2: return ERROR_INSUFICIENT_MEMORY; case -3: return ERROR_TOO_MANY_MATCHES; case -4: return ERROR_TOO_MANY_RE_FIBERS; case -5: return ERROR_INTERNAL_FATAL_ERROR; } if (forward_matches == 0 && ac_match->backward_code == NULL) return ERROR_SUCCESS; callback_args.string = ac_match->string; callback_args.context = context; callback_args.data = data; callback_args.data_size = data_size; callback_args.data_base = data_base; callback_args.forward_matches = forward_matches; callback_args.full_word = STRING_IS_FULL_WORD(ac_match->string); if (ac_match->backward_code != NULL) { backward_matches = exec( ac_match->backward_code, data + offset, offset, flags | RE_FLAGS_BACKWARDS | RE_FLAGS_EXHAUSTIVE, _yr_scan_match_callback, (void*) &callback_args); switch(backward_matches) { case -2: return ERROR_INSUFICIENT_MEMORY; case -3: return ERROR_TOO_MANY_MATCHES; case -4: return ERROR_TOO_MANY_RE_FIBERS; case -5: return ERROR_INTERNAL_FATAL_ERROR; } } else { FAIL_ON_ERROR(_yr_scan_match_callback( data + offset, 0, flags, &callback_args)); } return ERROR_SUCCESS; }
int _yr_scan_match_callback( uint8_t* match_data, int32_t match_length, int flags, void* args) { CALLBACK_ARGS* callback_args = (CALLBACK_ARGS*) args; YR_STRING* string = callback_args->string; YR_MATCH* new_match; int result = ERROR_SUCCESS; int tidx = callback_args->context->tidx; size_t match_offset = match_data - callback_args->data; // total match length is the sum of backward and forward matches. match_length += callback_args->forward_matches; if (callback_args->full_word) { if (flags & RE_FLAGS_WIDE) { if (match_offset >= 2 && *(match_data - 1) == 0 && isalnum(*(match_data - 2))) return ERROR_SUCCESS; if (match_offset + match_length + 1 < callback_args->data_size && *(match_data + match_length + 1) == 0 && isalnum(*(match_data + match_length))) return ERROR_SUCCESS; } else { if (match_offset >= 1 && isalnum(*(match_data - 1))) return ERROR_SUCCESS; if (match_offset + match_length < callback_args->data_size && isalnum(*(match_data + match_length))) return ERROR_SUCCESS; } } if (STRING_IS_CHAIN_PART(string)) { result = _yr_scan_verify_chained_string_match( string, callback_args->context, match_data, callback_args->data_base, match_offset, match_length); } else { if (string->matches[tidx].count == 0) { // If this is the first match for the string, put the string in the // list of strings whose flags needs to be cleared after the scan. FAIL_ON_ERROR(yr_arena_write_data( callback_args->context->matching_strings_arena, &string, sizeof(string), NULL)); } result = yr_arena_allocate_memory( callback_args->context->matches_arena, sizeof(YR_MATCH), (void**) &new_match); if (result == ERROR_SUCCESS) { new_match->base = callback_args->data_base; new_match->offset = match_offset; new_match->length = match_length; new_match->data = match_data; new_match->prev = NULL; new_match->next = NULL; FAIL_ON_ERROR(_yr_scan_add_match_to_list( new_match, &string->matches[tidx], STRING_IS_GREEDY_REGEXP(string))); } } return result; }