static int r_cmd_yara_scan(const RCore* core) {
RListIter* rules_it;
YR_RULES* rules;
void* to_scan;
int result;
const unsigned int to_scan_size = r_io_size (core->io);
if (to_scan_size < 1) {
eprintf ("Invalid file size\n");
return R_FALSE;
}
to_scan = malloc (to_scan_size);
if (!to_scan) {
eprintf ("Something went wrong during memory allocation\n");
return R_FALSE;
}
result = r_io_read_at (core->io, 0L, to_scan, to_scan_size);
if (!result) {
eprintf ("Something went wrong during r_io_read_at\n");
free (to_scan);
return R_FALSE;
}
r_list_foreach (rules_list, rules_it, rules) {
yr_rules_scan_mem (rules, to_scan, to_scan_size, 0, callback, NULL, 0);
}
const_matches Yara::scan_bytes(const std::vector<boost::uint8_t>& bytes) const
{
pcallback_data cb_data(new callback_data);
cb_data->yara_matches = boost::make_shared<match_vector>();
int retval;
if (_rules == nullptr || bytes.size() == 0)
{
if (_rules == nullptr) {
PRINT_ERROR << "No Yara rules loaded!" << std::endl;
}
return cb_data->yara_matches;
}
// Make a copy of the input buffer, because we can't be sure that Yara will not modify it
// and the constness of the input has to be guaranteed.
std::vector<boost::uint8_t> copy(bytes.begin(), bytes.end());
// Yara setup done. Scan the file.
retval = yr_rules_scan_mem(_rules,
©[0], // The bytes to scan
bytes.size(), // Number of bytes
SCAN_FLAGS_PROCESS_MEMORY,
get_match_data,
&cb_data, // The vector to fill
0); // No timeout)
if (retval != ERROR_SUCCESS)
{
PRINT_ERROR << "Yara error: " << translate_error(retval) << std::endl;
cb_data->yara_matches->clear();
}
return cb_data->yara_matches;
}
int yr_rules_scan_file(
YR_RULES* rules,
const char* filename,
YR_CALLBACK_FUNC callback,
void* user_data,
int fast_scan_mode,
int timeout)
{
MAPPED_FILE mfile;
int result;
result = yr_filemap_map(filename, &mfile);
if (result == ERROR_SUCCESS)
{
result = yr_rules_scan_mem(
rules,
mfile.data,
mfile.size,
callback,
user_data,
fast_scan_mode,
timeout);
yr_filemap_unmap(&mfile);
}
return result;
}
int matches_blob(
char* rule,
uint8_t* blob,
size_t len)
{
if (blob == NULL)
{
blob = (uint8_t*) "dummy";
len = 5;
}
YR_RULES* rules = compile_rule(rule);
if (rules == NULL)
{
fprintf(stderr, "failed to compile rule << %s >>: %s\n", rule, compile_error);
exit(EXIT_FAILURE);
}
int matches = 0;
int scan_result = yr_rules_scan_mem(
rules, blob, len, 0, count_matches, &matches, 0);
if (scan_result != ERROR_SUCCESS)
{
fprintf(stderr, "yr_rules_scan_mem: error\n");
exit(EXIT_FAILURE);
}
yr_rules_destroy(rules);
return matches;
}
if (error == ERROR_CALLBACK_ERROR)
return NULL;
else
return handle_error(error, filepath);
}
}
else if (data != NULL)
{
callback_data.matches = PyList_New(0);
Py_BEGIN_ALLOW_THREADS
error = yr_rules_scan_mem(
object->rules,
(unsigned char*) data,
(unsigned int) length,
yara_callback,
&callback_data,
fast_mode,
timeout);
Py_END_ALLOW_THREADS
if (error != ERROR_SUCCESS)
{
Py_DECREF(callback_data.matches);
if (error == ERROR_CALLBACK_ERROR)
return NULL;
else
return handle_error(error, NULL);
}
static
RU32
_scanProcessWith
(
RU32 pid,
YaraMatchContext* matchContext,
YR_RULES* rules,
rEvent isTimeToStop
)
{
RU32 scanError = (RU32)(-1);
rList modules = NULL;
rSequence module = NULL;
_MemRange* memRanges = NULL;
RU32 i = 0;
rList memoryMap = NULL;
rSequence memoryRegion = NULL;
RU8 memAccess = 0;
RU64 mem = 0;
RU64 memSize = 0;
RPU8 buffer = NULL;
// First pass is to scan known modules
if( NULL != ( modules = processLib_getProcessModules( pid ) ) )
{
rpal_debug_info( "scanning process %d module memory with yara", pid );
// We also generate an optimized list of module ranges for later
if( NULL != ( memRanges = rpal_memory_alloc( sizeof( _MemRange ) *
rList_getNumElements( modules ) ) ) )
{
while( ( NULL == isTimeToStop || !rEvent_wait( isTimeToStop, MSEC_FROM_SEC( 5 ) ) ) &&
rList_getSEQUENCE( modules, RP_TAGS_DLL, &module ) )
{
if( rSequence_getPOINTER64( module, RP_TAGS_BASE_ADDRESS, &mem ) &&
rSequence_getRU64( module, RP_TAGS_MEMORY_SIZE, &memSize ) )
{
memRanges[ i ].base = mem;
memRanges[ i ].size = memSize;
i++;
matchContext->regionBase = mem;
matchContext->regionSize = memSize;
matchContext->moduleInfo = module;
if( processLib_getProcessMemory( pid,
(RPVOID)NUMBER_TO_PTR( mem ),
memSize,
(RPVOID*)&buffer,
TRUE ) )
{
rpal_debug_info( "yara scanning module region of size 0x%lx", memSize );
if( NULL != rules ||
rMutex_lock( g_global_rules_mutex ) )
{
if( ERROR_SUCCESS != ( scanError = yr_rules_scan_mem( NULL == rules ? g_global_rules : rules,
buffer,
(size_t)memSize,
SCAN_FLAGS_FAST_MODE |
SCAN_FLAGS_PROCESS_MEMORY,
_yaraMemMatchCallback,
matchContext,
60 ) ) )
{
rpal_debug_warning( "Yara module scan error: %d 0x%lx 0x%lx: %d",
pid,
mem,
memSize,
scanError );
}
if( NULL == rules )
{
rMutex_unlock( g_global_rules_mutex );
}
}
rpal_memory_free( buffer );
rpal_debug_info( "finished region" );
}
}
}
}
rList_free( modules );
}
// Optimize the memory ranges
if( rpal_memory_isValid( memRanges ) &&
!rpal_sort_array( memRanges, i, sizeof( _MemRange ), (rpal_ordering_func)rpal_order_RU64 ) )
{
rpal_memory_free( memRanges );
memRanges = NULL;
}
// Second pass is to go through executable non-module areas
if( NULL != ( memoryMap = processLib_getProcessMemoryMap( pid ) ) )
{
rpal_debug_info( "scanning process %d non-module memory with yara", pid );
while( ( NULL == isTimeToStop || !rEvent_wait(isTimeToStop, MSEC_FROM_SEC( 5 ) ) ) &&
rList_getSEQUENCE( memoryMap, RP_TAGS_MEMORY_REGION, &memoryRegion ) )
{
if( rSequence_getPOINTER64( memoryRegion, RP_TAGS_BASE_ADDRESS, &mem ) &&
rSequence_getRU64( memoryRegion, RP_TAGS_MEMORY_SIZE, &memSize ) &&
rSequence_getRU8( memoryRegion, RP_TAGS_MEMORY_ACCESS, &memAccess ) &&
( PROCESSLIB_MEM_ACCESS_EXECUTE == memAccess ||
PROCESSLIB_MEM_ACCESS_EXECUTE_READ == memAccess ||
PROCESSLIB_MEM_ACCESS_EXECUTE_READ_WRITE == memAccess ||
PROCESSLIB_MEM_ACCESS_EXECUTE_WRITE_COPY == memAccess ) )
{
// If it's in a known module, skip
if( (RU32)( -1 ) != rpal_binsearch_array_closest( memRanges,
i,
sizeof( _MemRange ),
&mem,
(rpal_ordering_func)rpal_order_RU64,
TRUE ) )
{
continue;
}
matchContext->regionBase = mem;
matchContext->regionSize = memSize;
matchContext->moduleInfo = NULL;
if( processLib_getProcessMemory( pid,
(RPVOID)NUMBER_TO_PTR(mem),
memSize,
(RPVOID*)&buffer,
TRUE ) )
{
rpal_debug_info( "yara scanning memory region of size 0x%lx", memSize );
if( NULL != rules ||
rMutex_lock( g_global_rules_mutex ) )
{
if( ERROR_SUCCESS != ( scanError = yr_rules_scan_mem( NULL == rules ? g_global_rules : rules,
buffer,
(size_t)memSize,
SCAN_FLAGS_FAST_MODE |
SCAN_FLAGS_PROCESS_MEMORY,
_yaraMemMatchCallback,
matchContext,
60 ) ) )
{
rpal_debug_warning( "Yara memory scan error: %d 0x%lx 0x%lx: %d",
pid,
mem,
memSize,
scanError );
}
if( NULL == rules )
{
rMutex_unlock( g_global_rules_mutex );
}
}
rpal_memory_free( buffer );
}
}
}
rList_free( memoryMap );
}
if( rpal_memory_isValid( memRanges ) )
{
rpal_memory_free( memRanges );
}
return scanError;
}
void moloch_yara_email_execute(MolochSession_t *session, unsigned char *data, int len, int UNUSED(first))
{
yr_rules_scan_mem(yEmailRules, data, len, 0, (YR_CALLBACK_FUNC)moloch_yara_callback, session, 0);
return;
}