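// Orderly shutdown of the debugger core, invoked when the host signals exit.
// The order below is deliberate: the debuggee is stopped and scripts aborted
// before plugins are unloaded, the command-loop thread is asked to stop and
// joined before the structures it works on (command list, variables, message
// stack) are freed, and bIsStopped is only raised once everything is done.
// No return value; progress is reported through dputs()/dprintf().
extern "C" DLL_EXPORT void _dbg_dbgexitsignal()
{
    dputs("Stopping running debuggee...");
    cbDebugStop(0, 0);

    dputs("Aborting scripts...");
    scriptabort();

    dputs("Waiting for the debuggee to be stopped...");
    wait(WAITID_STOP); //after this, debugging stopped

    dputs("Unloading plugins...");
    pluginunload();

    // Cooperative stop: raise the flag and wait for the loop thread to exit on
    // its own, rather than terminating it while it may hold a lock or be in
    // the middle of touching the data freed below.
    dputs("Stopping command thread...");
    bStopCommandLoopThread = true;
    WaitForThreadTermination(hCommandLoopThread);

    dputs("Cleaning up allocated data...");
    cmdfree(command_list);
    varfree();
    MsgFreeStack(gMsgStack);
    yr_finalize();
    Capstone::GlobalFinalize();

    // Query the leak count once. The previous code called memleaks() twice
    // (once for the test, once for the message), so the number reported could
    // differ from the one that was tested.
    dputs("Checking for mem leaks...");
    const auto leakCount = memleaks();
    if(leakCount)
        dprintf("%d memory leak(s) found!\n", leakCount);
    else
        DeleteFileA(alloctrace); // nothing leaked: the allocation trace is not needed

    dputs("Cleaning up wait objects...");
    waitdeinitialize();

    dputs("Cleaning up debugger threads...");
    dbgstop();

    dputs("Exit signal processed successfully!");
    bIsStopped = true;
}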
// Destroys this wrapper's compiler and rules, and tears libyara down when the
// last live Yara instance goes away.
Yara::~Yara()
{
    _clean_compiler_and_rules();

    // _instance_count is shared across instances; whoever brings it to zero
    // owns the final yr_finalize(). NOTE(review): no synchronisation is visible
    // here, so destroying instances concurrently would race on the counter.
    if (--_instance_count == 0)
        yr_finalize();
}
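/* Tears down the global YARA state: the compiled rule sets first, then the
 * compilers that produced them, then libyara itself. Each global handle is
 * reset to NULL once released so that a repeated call, or a later check of
 * the globals elsewhere, cannot reach freed memory (the original left the
 * dangling pointers in place). */
void moloch_yara_exit()
{
    if (yRules) {
        yr_rules_destroy(yRules);
        yRules = NULL;
    }

    if (yEmailRules) {
        yr_rules_destroy(yEmailRules);
        yEmailRules = NULL;
    }

    if (yCompiler) {
        yr_compiler_destroy(yCompiler);
        yCompiler = NULL;
    }

    if (yEmailCompiler) {
        yr_compiler_destroy(yEmailCompiler);
        yEmailCompiler = NULL;
    }

    yr_finalize();
}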
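/* Test driver: evaluates one pe.imports() rule against three PE fixtures,
 * two of which are expected to match and one not. Returns 0 when the
 * assertions pass (the assert_* helpers are expected to abort otherwise),
 * or 1 if libyara could not be initialised. */
int main(int argc, char** argv)
{
  (void) argc;
  (void) argv;

  /* The same rule text is used for every fixture; keep a single copy. */
  const char* rule =
      "import \"pe\" rule test { condition: pe.imports(\"KERNEL32.dll\", \"DeleteCriticalSection\") }";

  /* yr_initialize() returns ERROR_SUCCESS (0) on success. The original
   * ignored the result and scanned anyway; scanning with an uninitialised
   * library is not meaningful, so fail the run instead. */
  if (yr_initialize() != 0)
    return 1;

  assert_true_rule_file(rule, "tests/data/tiny");
  assert_true_rule_file(rule, "tests/data/tiny-idata-51ff");
  assert_false_rule_file(rule, "tests/data/tiny-idata-5200");

  yr_finalize();

  return 0;
}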
/* Tears down the YARA collector: stops event delivery, drops the compiled
 * rules, frees the scan queue and mutex, and finalises libyara.
 * Returns TRUE when cleanup ran, FALSE when hbsState is NULL (nothing done). */
RBOOL
    collector_16_cleanup
    (
        HbsState* hbsState,
        rSequence config
    )
{
    UNREFERENCED_PARAMETER( config );

    if( NULL == hbsState )
    {
        return FALSE;
    }

    /* Stop receiving notifications first so no new work arrives while the
     * shared state below is being torn down. */
    notifications_unsubscribe( RP_TAGS_NOTIFICATION_YARA_RULES_UPDATE, NULL, updateSignatures );
    notifications_unsubscribe( RP_TAGS_NOTIFICATION_YARA_SCAN, NULL, doScan );
    notifications_unsubscribe( RP_TAGS_NOTIFICATION_MODULE_LOAD, g_async_files_to_scan, NULL );

    /* Drop the compiled rules under the lock. NOTE(review): if the lock cannot
     * be acquired the rules are left in place (and leaked); this mirrors the
     * original behaviour. */
    if( rMutex_lock( g_global_rules_mutex ) )
    {
        if( NULL != g_global_rules )
        {
            yr_rules_destroy( g_global_rules );
            g_global_rules = NULL;
        }
        rMutex_unlock( g_global_rules_mutex );
    }

    rQueue_free( g_async_files_to_scan );
    g_async_files_to_scan = NULL;

    rMutex_free( g_global_rules_mutex );
    g_global_rules_mutex = NULL;

    yr_finalize();

    return TRUE;
}
// Shutdown of the debugger core (older variant): stops the debuggee, aborts
// scripts, unloads plugins, kills the command-loop thread, frees the shared
// structures and reports leaks. The order is load-bearing; do not reorder.
extern "C" DLL_EXPORT void _dbg_dbgexitsignal()
{
    cbStopDebug(0, 0);
    scriptabort();
    wait(WAITID_STOP); //after this, debugging stopped
    pluginunload();

    // NOTE(review): TerminateThread() stops the command loop asynchronously;
    // whatever lock or CRT state it holds at that instant is never released,
    // and it may be mid-way through using the command list / variables freed
    // just below. A cooperative stop flag checked by the loop, followed by a
    // join, would be safer; that requires a change to the loop itself.
    TerminateThread(hCommandLoopThread, 0);
    CloseHandle(hCommandLoopThread);

    cmdfree(command_list);
    varfree();
    MsgFreeStack(gMsgStack);
    yr_finalize();
    Capstone::GlobalFinalize();

    // memleaks() is evaluated twice (test, then message); the two calls are
    // assumed to return the same number here.
    if(memleaks())
    {
        // Fixed-size buffer: the format string plus a decimal int comfortably
        // fits in 256 bytes, so sprintf cannot overflow with this message.
        char msg[256] = "";
        sprintf(msg, "%d memory leak(s) found!\n\nPlease send contact the authors of x64dbg.", memleaks());
        MessageBoxA(0, msg, "error", MB_ICONERROR | MB_SYSTEMMODAL);
    }
    else
        DeleteFileA(alloctrace); // nothing leaked: the allocation trace is not needed

    SectionLockerGlobal::Deinitialize();
}
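/* Initialises the YARA collector: libyara, the rules mutex, the async scan
 * queue, the three notification subscriptions and the two continuous scan
 * tasks. Returns TRUE on success. On any failure everything set up so far
 * is unwound and FALSE is returned.
 *
 * Fix: yr_finalize() was previously called on the failure path even when
 * yr_initialize() itself had failed, leaving libyara's init/finalize calls
 * unbalanced; it is now only called if initialisation succeeded. */
RBOOL
    collector_16_init
    (
        HbsState* hbsState,
        rSequence config
    )
{
    RBOOL isSuccess = FALSE;
    RBOOL isYaraInitialized = FALSE;

    UNREFERENCED_PARAMETER( config );

    if( NULL != hbsState )
    {
        /* yr_initialize() returns ERROR_SUCCESS (0) on success. */
        if( 0 == yr_initialize() )
        {
            isYaraInitialized = TRUE;

            if( NULL != ( g_global_rules_mutex = rMutex_create() ) )
            {
                if( rQueue_create( &g_async_files_to_scan, _freeSeq, 100 ) )
                {
                    if( notifications_subscribe( RP_TAGS_NOTIFICATION_YARA_RULES_UPDATE, NULL, 0, NULL, updateSignatures ) &&
                        notifications_subscribe( RP_TAGS_NOTIFICATION_YARA_SCAN, NULL, 0, NULL, doScan ) &&
                        notifications_subscribe( RP_TAGS_NOTIFICATION_MODULE_LOAD, NULL, 0, g_async_files_to_scan, NULL ) )
                    {
                        isSuccess = TRUE;

                        /* NOTE(review): if the first task is scheduled and the
                         * second is not, the first keeps running while the
                         * state below is freed; nothing here cancels it. */
                        if( !rThreadPool_task( hbsState->hThreadPool, continuousMemScan, NULL ) ||
                            !rThreadPool_task( hbsState->hThreadPool, continuousFileScan, NULL ) )
                        {
                            isSuccess = FALSE;
                        }
                    }
                }
            }
        }
    }

    if( !isSuccess )
    {
        /* Unwind in reverse order. Unsubscribing a notification that was
         * never subscribed and freeing a NULL queue/mutex are assumed to be
         * harmless, as in the original. */
        notifications_unsubscribe( RP_TAGS_NOTIFICATION_YARA_RULES_UPDATE, NULL, updateSignatures );
        notifications_unsubscribe( RP_TAGS_NOTIFICATION_YARA_SCAN, NULL, doScan );
        notifications_unsubscribe( RP_TAGS_NOTIFICATION_MODULE_LOAD, g_async_files_to_scan, NULL );

        rQueue_free( g_async_files_to_scan );
        g_async_files_to_scan = NULL;

        rMutex_free( g_global_rules_mutex );
        g_global_rules_mutex = NULL;

        /* Only balance an initialisation that actually happened. */
        if( isYaraInitialized )
        {
            yr_finalize();
        }
    }

    return isSuccess;
}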
/* yarac entry point: compiles the rule files named on the command line and
 * saves the resulting rule set to the last argument. Returns EXIT_SUCCESS,
 * or EXIT_FAILURE on any setup, compilation or I/O error. Failure paths go
 * through the _exit label (via exit_with_code) so the compiler, the rules
 * and libyara are always released. */
int main(
    int argc,
    const char** argv)
{
  COMPILER_RESULTS cr;
  YR_COMPILER* compiler = NULL;
  YR_RULES* rules = NULL;
  const char* output_path;
  int result;

  argc = args_parse(options, argc, argv);

  if (show_version)
  {
    printf("%s\n", YR_VERSION);
    return EXIT_SUCCESS;
  }

  if (show_help)
  {
    printf("%s\n\n", USAGE_STRING);
    args_print_usage(options, 35);
    printf("\nSend bug reports and suggestions to: [email protected]\n");
    return EXIT_SUCCESS;
  }

  /* Need at least one rule file plus the output path. */
  if (argc < 2)
  {
    fprintf(stderr, "yarac: wrong number of arguments\n");
    fprintf(stderr, "%s\n\n", USAGE_STRING);
    fprintf(stderr, "Try `--help` for more options\n");
    exit_with_code(EXIT_FAILURE);
  }

  output_path = argv[argc - 1];
  cr.errors = 0;
  cr.warnings = 0;

  result = yr_initialize();

  if (result != ERROR_SUCCESS)
    exit_with_code(EXIT_FAILURE);

  /* Compiler setup: create it, then attach externals before any file is added. */
  if (yr_compiler_create(&compiler) != ERROR_SUCCESS ||
      !define_external_variables(compiler))
  {
    exit_with_code(EXIT_FAILURE);
  }

  yr_set_configuration(YR_CONFIG_MAX_STRINGS_PER_RULE, &max_strings_per_rule);
  yr_compiler_set_callback(compiler, report_error, &cr);

  if (!compile_files(compiler, argc, argv))
    exit_with_code(EXIT_FAILURE);

  /* Errors always fail the build; warnings only when the user asked for it. */
  if (cr.errors > 0 || (fail_on_warnings && cr.warnings > 0))
    exit_with_code(EXIT_FAILURE);

  result = yr_compiler_get_rules(compiler, &rules);

  if (result != ERROR_SUCCESS)
  {
    fprintf(stderr, "error: %d\n", result);
    exit_with_code(EXIT_FAILURE);
  }

  result = yr_rules_save(rules, output_path);

  if (result != ERROR_SUCCESS)
  {
    fprintf(stderr, "error: %d\n", result);
    exit_with_code(EXIT_FAILURE);
  }

  result = EXIT_SUCCESS;

_exit:

  if (compiler != NULL)
    yr_compiler_destroy(compiler);

  if (rules != NULL)
    yr_rules_destroy(rules);

  yr_finalize();

  return result;
}
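/* yara scanner entry point (older variant). argv[optind] is either a
 * compiled rule set or a rule source file; the last argument is a PID,
 * a directory or a file to scan. Returns 1 after a scan was attempted and
 * 0 on a setup error (the original's convention; kept as-is).
 *
 * Fixes over the original:
 *  - the corrupt/unsupported rule-file path used a bare `return;` in a
 *    function returning int, and skipped yr_finalize();
 *  - the "could not open file" path leaked the compiler and libyara;
 *  - a yr_compiler_get_rules() failure was ignored, leaving `rules`
 *    uninitialised for the scan;
 *  - `threads` is clamped to MAX_THREADS before indexing thread[]. */
int main(
    int argc,
    char const* argv[])
{
  YR_COMPILER* compiler = NULL;
  YR_RULES* rules = NULL;
  FILE* rule_file;
  EXTERNAL* external;
  int pid;
  int i;
  int errors;
  int result;
  THREAD thread[MAX_THREADS];

  if (!process_cmd_line(argc, argv))
    return 0;

  if (argc == 1 || optind == argc)
  {
    show_help();
    return 0;
  }

  yr_initialize();

  /* Try the argument as a compiled rule set first; anything other than the
   * two "this is a compiled file but unusable" errors falls back to compiling
   * it as source. */
  result = yr_rules_load(argv[optind], &rules);

  if (result == ERROR_UNSUPPORTED_FILE_VERSION ||
      result == ERROR_CORRUPT_FILE)
  {
    print_scanning_error(result);
    yr_finalize();
    return 0;
  }

  if (result == ERROR_SUCCESS)
  {
    external = externals_list;

    while (external != NULL)
    {
      switch (external->type)
      {
        case EXTERNAL_TYPE_INTEGER:
          yr_rules_define_integer_variable(
              rules,
              external->name,
              external->integer);
          break;

        case EXTERNAL_TYPE_BOOLEAN:
          yr_rules_define_boolean_variable(
              rules,
              external->name,
              external->boolean);
          break;

        case EXTERNAL_TYPE_STRING:
          yr_rules_define_string_variable(
              rules,
              external->name,
              external->string);
          break;
      }

      external = external->next;
    }
  }
  else
  {
    if (yr_compiler_create(&compiler) != ERROR_SUCCESS)
    {
      yr_finalize();
      return 0;
    }

    external = externals_list;

    while (external != NULL)
    {
      switch (external->type)
      {
        case EXTERNAL_TYPE_INTEGER:
          yr_compiler_define_integer_variable(
              compiler,
              external->name,
              external->integer);
          break;

        case EXTERNAL_TYPE_BOOLEAN:
          yr_compiler_define_boolean_variable(
              compiler,
              external->name,
              external->boolean);
          break;

        case EXTERNAL_TYPE_STRING:
          yr_compiler_define_string_variable(
              compiler,
              external->name,
              external->string);
          break;
      }

      external = external->next;
    }

    compiler->error_report_function = print_compiler_error;

    rule_file = fopen(argv[optind], "r");

    if (rule_file == NULL)
    {
      fprintf(stderr, "could not open file: %s\n", argv[optind]);
      yr_compiler_destroy(compiler);
      yr_finalize();
      return 0;
    }

    yr_compiler_push_file_name(compiler, argv[optind]);
    errors = yr_compiler_add_file(compiler, rule_file, NULL);
    fclose(rule_file);

    if (errors == 0)
      result = yr_compiler_get_rules(compiler, &rules);

    yr_compiler_destroy(compiler);

    if (errors > 0)
    {
      yr_finalize();
      return 0;
    }

    if (result != ERROR_SUCCESS)
    {
      fprintf(stderr, "error: %d\n", result);
      yr_finalize();
      return 0;
    }
  }

  mutex_init(&output_mutex);

  if (is_numeric(argv[argc - 1]))
  {
    pid = atoi(argv[argc - 1]);

    result = yr_rules_scan_proc(
        rules,
        pid,
        callback,
        (void*) argv[argc - 1],
        fast_scan,
        timeout);

    if (result != ERROR_SUCCESS)
      print_scanning_error(result);
  }
  else if (is_directory(argv[argc - 1]))
  {
    /* thread[] has MAX_THREADS slots; a larger user-supplied count would
     * write past the array. Clamp defensively (process_cmd_line may already
     * do this, but it is not visible here). */
    if (threads > MAX_THREADS)
      threads = MAX_THREADS;

    file_queue_init();

    for (i = 0; i < threads; i++)
    {
      /* NOTE(review): returning here leaves any already-started scanning
       * threads running on `rules`, and skips the cleanup below; kept from
       * the original because destroying the rules under live threads would
       * be worse. */
      if (create_thread(&thread[i], scanning_thread, (void*) rules) != 0)
        return ERROR_COULD_NOT_CREATE_THREAD;
    }

    scan_dir(
        argv[argc - 1],
        recursive_search,
        rules,
        callback);

    file_queue_finish();

    // Wait for scan threads to finish
    for (i = 0; i < threads; i++)
      thread_join(&thread[i]);

    file_queue_destroy();
  }
  else
  {
    result = yr_rules_scan_file(
        rules,
        argv[argc - 1],
        callback,
        (void*) argv[argc - 1],
        fast_scan,
        timeout);

    if (result != ERROR_SUCCESS)
    {
      fprintf(stderr, "Error scanning %s: ", argv[argc - 1]);
      print_scanning_error(result);
    }
  }

  yr_rules_destroy(rules);
  yr_finalize();

  mutex_destroy(&output_mutex);
  cleanup();

  /* Original convention: 1 once a scan was attempted, regardless of result. */
  return 1;
}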
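/* yarac entry point (older variant). Every argument but the last is a rule
 * file, optionally prefixed `namespace:`; the last is the output path for
 * the compiled rule set. Returns EXIT_SUCCESS when the rules were compiled
 * and saved, EXIT_FAILURE otherwise; failure paths go through _exit (via
 * exit_with_code) so the compiler, rules and libyara are released.
 *
 * Fix: an input file that could not be opened used to be reported and then
 * skipped, so the run still produced a rule set with that file's rules
 * silently missing and exited 0. A missing input is now a hard error. */
int main(
    int argc,
    const char** argv)
{
  YR_COMPILER* compiler = NULL;
  YR_RULES* rules = NULL;
  int result;

  argc = args_parse(options, argc, argv);

  /* NOTE(review): --version and --help exit with EXIT_FAILURE here; the
   * newer yarac returns EXIT_SUCCESS. Left unchanged. */
  if (show_version)
  {
    printf("%s\n", PACKAGE_STRING);
    printf("\nSend bug reports and suggestions to: %s.\n", PACKAGE_BUGREPORT);
    return EXIT_FAILURE;
  }

  if (show_help)
  {
    printf("%s\n\n", USAGE_STRING);
    args_print_usage(options, 25);
    printf("\nSend bug reports and suggestions to: %s.\n", PACKAGE_BUGREPORT);
    return EXIT_FAILURE;
  }

  if (argc < 2)
  {
    fprintf(stderr, "yarac: wrong number of arguments\n");
    fprintf(stderr, "%s\n\n", USAGE_STRING);
    fprintf(stderr, "Try `--help` for more options\n");
    exit_with_code(EXIT_FAILURE);
  }

  result = yr_initialize();

  if (result != ERROR_SUCCESS)
    exit_with_code(EXIT_FAILURE);

  if (yr_compiler_create(&compiler) != ERROR_SUCCESS)
    exit_with_code(EXIT_FAILURE);

  if (!define_external_variables(compiler))
    exit_with_code(EXIT_FAILURE);

  yr_compiler_set_callback(compiler, report_error, NULL);

  for (int i = 0; i < argc - 1; i++)
  {
    const char* ns;
    const char* file_name;

    /* "ns:file" selects a namespace; the colon is overwritten in argv.
     * NOTE(review): any ':' in the argument is treated as the separator,
     * so a path containing one (e.g. a Windows drive letter) is split too. */
    char* colon = (char*) strchr(argv[i], ':');

    if (colon)
    {
      file_name = colon + 1;
      *colon = '\0';
      ns = argv[i];
    }
    else
    {
      file_name = argv[i];
      ns = NULL;
    }

    FILE* rule_file = fopen(file_name, "r");

    if (rule_file == NULL)
    {
      fprintf(stderr, "error: could not open file: %s\n", file_name);
      exit_with_code(EXIT_FAILURE);
    }

    int errors = yr_compiler_add_file(
        compiler, rule_file, ns, file_name);

    fclose(rule_file);

    if (errors) // errors during compilation
      exit_with_code(EXIT_FAILURE);
  }

  result = yr_compiler_get_rules(compiler, &rules);

  if (result != ERROR_SUCCESS)
  {
    fprintf(stderr, "error: %d\n", result);
    exit_with_code(EXIT_FAILURE);
  }

  result = yr_rules_save(rules, argv[argc - 1]);

  if (result != ERROR_SUCCESS)
  {
    fprintf(stderr, "error: %d\n", result);
    exit_with_code(EXIT_FAILURE);
  }

  result = EXIT_SUCCESS;

_exit:

  if (compiler != NULL)
    yr_compiler_destroy(compiler);

  if (rules != NULL)
    yr_rules_destroy(rules);

  yr_finalize();

  return result;
}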
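/* yarac entry point (oldest variant). argv[optind .. argc-2] are rule
 * source files, argv[argc-1] is the output path for the compiled rule set.
 * Returns EXIT_SUCCESS when the rules were compiled and saved, EXIT_FAILURE
 * otherwise.
 *
 * Fixes over the original:
 *  - an input file that could not be opened was only reported and then
 *    skipped, so the saved rule set silently lacked its rules while the
 *    process exited 0; it is now a hard error;
 *  - the yr_compiler_get_rules() and yr_rules_save() error paths returned
 *    without destroying the compiler/rules or calling yr_finalize().
 * All exits now flow through one unwind sequence. */
int main(
    int argc,
    char const* argv[])
{
  int i, result, errors;
  int exit_code = EXIT_FAILURE;
  YR_COMPILER* compiler = NULL;
  YR_RULES* rules = NULL;
  FILE* rule_file;

  yr_initialize();

  if (yr_compiler_create(&compiler) != ERROR_SUCCESS)
    goto finalize;

  if (!process_cmd_line(compiler, argc, argv))
    goto destroy_compiler;

  if (argc == 1 || optind == argc)
  {
    show_help();
    goto destroy_compiler;
  }

  compiler->error_report_function = report_error;

  for (i = optind; i < argc - 1; i++)
  {
    rule_file = fopen(argv[i], "r");

    if (rule_file == NULL)
    {
      fprintf(stderr, "could not open file: %s\n", argv[i]);
      goto destroy_compiler;
    }

    yr_compiler_push_file_name(compiler, argv[i]);
    errors = yr_compiler_add_file(compiler, rule_file, NULL);
    fclose(rule_file);

    if (errors) // errors during compilation
      goto destroy_compiler;
  }

  result = yr_compiler_get_rules(compiler, &rules);

  if (result != ERROR_SUCCESS)
  {
    fprintf(stderr, "error: %d\n", result);
    goto destroy_compiler;
  }

  result = yr_rules_save(rules, argv[argc - 1]);

  if (result != ERROR_SUCCESS)
    fprintf(stderr, "error: %d\n", result);
  else
    exit_code = EXIT_SUCCESS;

  yr_rules_destroy(rules);

destroy_compiler:
  yr_compiler_destroy(compiler);

finalize:
  yr_finalize();

  return exit_code;
}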