extern "C" DLL_EXPORT void _dbg_dbgexitsignal()
{
    dputs("Stopping running debuggee...");
    cbDebugStop(0, 0);
    dputs("Aborting scripts...");
    scriptabort();
    dputs("Waiting for the debuggee to be stopped...");
    wait(WAITID_STOP); //after this, debugging stopped
    dputs("Unloading plugins...");
    pluginunload();
    dputs("Stopping command thread...");
    bStopCommandLoopThread = true;
    WaitForThreadTermination(hCommandLoopThread);
    dputs("Cleaning up allocated data...");
    cmdfree(command_list);
    varfree();
    MsgFreeStack(gMsgStack);
    yr_finalize();
    Capstone::GlobalFinalize();
    dputs("Checking for mem leaks...");
    if(memleaks())
        dprintf("%d memory leak(s) found!\n", memleaks());
    else
        DeleteFileA(alloctrace);
    dputs("Cleaning up wait objects...");
    waitdeinitialize();
    dputs("Cleaning up debugger threads...");
    dbgstop();
    dputs("Exit signal processed successfully!");
    bIsStopped = true;
}
/// Releases this instance's libyara objects (via _clean_compiler_and_rules(),
/// whose body is not visible here) and, when this was the last live Yara
/// object, shuts the libyara runtime down with yr_finalize().
///
/// NOTE(review): `_instance_count` is shared across instances and is
/// decremented and re-read here with no synchronisation visible; the
/// "last one out finalises" decision is only safe if instances are created
/// and destroyed on a single thread, or the counter is atomic — confirm
/// against the class declaration.
Yara::~Yara()
{
	_clean_compiler_and_rules();

	const bool lastInstance = (--_instance_count == 0);
	if (lastInstance)
		yr_finalize();
}
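/*
 * Tears down the YARA state owned by this module: both rule sets, both
 * compilers, then the libyara runtime itself.
 *
 * Each global is reset to NULL immediately after it is destroyed so that a
 * second call to this function, or a late caller that still tests these
 * pointers, cannot double-free or dereference a stale handle. yr_finalize()
 * is called unconditionally to balance the yr_initialize() the init path is
 * assumed to have made — TODO confirm there is exactly one.
 */
void moloch_yara_exit()
{
    if (yRules) {
        yr_rules_destroy(yRules);
        yRules = NULL;
    }
    if (yEmailRules) {
        yr_rules_destroy(yEmailRules);
        yEmailRules = NULL;
    }

    if (yCompiler) {
        yr_compiler_destroy(yCompiler);
        yCompiler = NULL;
    }
    if (yEmailCompiler) {
        yr_compiler_destroy(yEmailCompiler);
        yEmailCompiler = NULL;
    }

    yr_finalize();
}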
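/*
 * Test driver for the pe module's imports() function.
 *
 * Runs the same rule against three samples: two that must match the
 * DeleteCriticalSection import from KERNEL32.dll and one
 * ("tiny-idata-5200") that must not. The assert_*_rule_file helpers come
 * from the test harness and abort the process on a mismatch.
 *
 * Returns 0 on success. If libyara cannot be initialised the function returns
 * 1 without compiling anything, so the harness reports a failure instead of
 * running rules against an uninitialised library.
 */
int main(int argc, char** argv)
{
  /* Identical rule text for all three samples; only the binary differs. */
  const char* rule =
      "import \"pe\" rule test { condition: pe.imports(\"KERNEL32.dll\", \"DeleteCriticalSection\") }";

  if (yr_initialize() != 0)
    return 1;

  assert_true_rule_file(rule, "tests/data/tiny");
  assert_true_rule_file(rule, "tests/data/tiny-idata-51ff");
  assert_false_rule_file(rule, "tests/data/tiny-idata-5200");

  yr_finalize();
  return 0;
}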
/*
 * Collector 16 teardown, the mirror of collector_16_init.
 *
 * Unsubscribes the three notification handlers, drops the global rule set
 * under its mutex, then frees the pending-file queue, the mutex and finally
 * the libyara runtime. Returns TRUE once all of that has run, FALSE only
 * when hbsState is NULL, in which case nothing is touched.
 *
 * NOTE(review): the continuous scan tasks that collector_16_init schedules
 * on the thread pool are not stopped or waited for here; whether they are
 * already gone by the time the queue and mutex are freed is decided
 * elsewhere — confirm before relying on this being free of use-after-free.
 */
RBOOL
    collector_16_cleanup
    (
        HbsState* hbsState,
        rSequence config
    )
{
    UNREFERENCED_PARAMETER( config );

    if( NULL == hbsState )
    {
        return FALSE;
    }

    /* Stop new work from arriving before anything is released. */
    notifications_unsubscribe( RP_TAGS_NOTIFICATION_YARA_RULES_UPDATE, NULL, updateSignatures );
    notifications_unsubscribe( RP_TAGS_NOTIFICATION_YARA_SCAN, NULL, doScan );
    notifications_unsubscribe( RP_TAGS_NOTIFICATION_MODULE_LOAD, g_async_files_to_scan, NULL );

    /* Destroy the rules only while holding the lock, so a concurrent user
       cannot observe a half-destroyed set. If the lock cannot be taken the
       rules are left in place. */
    if( rMutex_lock( g_global_rules_mutex ) )
    {
        if( NULL != g_global_rules )
        {
            yr_rules_destroy( g_global_rules );
            g_global_rules = NULL;
        }

        rMutex_unlock( g_global_rules_mutex );
    }

    /* Remaining resources, in reverse order of creation. */
    rQueue_free( g_async_files_to_scan );
    g_async_files_to_scan = NULL;

    rMutex_free( g_global_rules_mutex );
    g_global_rules_mutex = NULL;

    yr_finalize();

    return TRUE;
}
extern "C" DLL_EXPORT void _dbg_dbgexitsignal()
{
    cbStopDebug(0, 0);
    scriptabort();
    wait(WAITID_STOP); //after this, debugging stopped
    pluginunload();
    TerminateThread(hCommandLoopThread, 0);
    CloseHandle(hCommandLoopThread);
    cmdfree(command_list);
    varfree();
    MsgFreeStack(gMsgStack);
    yr_finalize();
    Capstone::GlobalFinalize();
    if(memleaks())
    {
        char msg[256] = "";
        sprintf(msg, "%d memory leak(s) found!\n\nPlease send contact the authors of x64dbg.", memleaks());
        MessageBoxA(0, msg, "error", MB_ICONERROR | MB_SYSTEMMODAL);
    }
    else
        DeleteFileA(alloctrace);

    SectionLockerGlobal::Deinitialize();
}
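/*
 * Collector 16 start-up: brings up libyara, the global rules mutex, the
 * queue of files waiting to be scanned and the three notification
 * subscriptions, then schedules the two continuous scan tasks on the HBS
 * thread pool.
 *
 * Returns TRUE only when every step succeeded. On any failure the partial
 * state is torn down: subscriptions removed, queue and mutex freed (the
 * helpers are assumed to tolerate NULL for parts never created — TODO
 * confirm), and libyara finalised only if yr_initialize() actually returned
 * 0, so a failed init is never paired with a yr_finalize() that would
 * unbalance the library's init reference count.
 *
 * NOTE(review): if the first rThreadPool_task() is accepted and the second
 * fails, the first task is already running against the queue and mutex that
 * the failure path frees; nothing visible here cancels it. Confirm that the
 * caller treats a FALSE return as fatal for the whole process.
 */
RBOOL
    collector_16_init
    (
        HbsState* hbsState,
        rSequence config
    )
{
    RBOOL isSuccess = FALSE;
    RBOOL yaraReady = FALSE; /* set once yr_initialize() has returned 0 */

    UNREFERENCED_PARAMETER( config );

    if( NULL != hbsState )
    {
        if( 0 == yr_initialize() )
        {
            yaraReady = TRUE;

            if( NULL != ( g_global_rules_mutex = rMutex_create() ) )
            {
                if( rQueue_create( &g_async_files_to_scan, _freeSeq, 100 ) )
                {
                    if( notifications_subscribe( RP_TAGS_NOTIFICATION_YARA_RULES_UPDATE,
                                                 NULL,
                                                 0,
                                                 NULL,
                                                 updateSignatures ) &&
                        notifications_subscribe( RP_TAGS_NOTIFICATION_YARA_SCAN,
                                                 NULL,
                                                 0,
                                                 NULL,
                                                 doScan ) &&
                        notifications_subscribe( RP_TAGS_NOTIFICATION_MODULE_LOAD,
                                                 NULL,
                                                 0,
                                                 g_async_files_to_scan,
                                                 NULL ) )
                    {
                        isSuccess = TRUE;

                        /* Both background scanners must start; a missing one
                           means the collector is only half functional. */
                        if( !rThreadPool_task( hbsState->hThreadPool, continuousMemScan, NULL ) ||
                            !rThreadPool_task( hbsState->hThreadPool, continuousFileScan, NULL ) )
                        {
                            isSuccess = FALSE;
                        }
                    }
                }
            }
        }
    }

    if( !isSuccess )
    {
        notifications_unsubscribe( RP_TAGS_NOTIFICATION_YARA_RULES_UPDATE, NULL, updateSignatures );
        notifications_unsubscribe( RP_TAGS_NOTIFICATION_YARA_SCAN, NULL, doScan );
        notifications_unsubscribe( RP_TAGS_NOTIFICATION_MODULE_LOAD, g_async_files_to_scan, NULL);
        rQueue_free( g_async_files_to_scan );
        g_async_files_to_scan = NULL;
        rMutex_free( g_global_rules_mutex );
        g_global_rules_mutex = NULL;

        /* Only undo an initialisation that actually happened. */
        if( yaraReady )
        {
            yr_finalize();
        }
    }

    return isSuccess;
}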
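/*
 * yarac entry point: compiles one or more rule files (argv[0..argc-2] after
 * option parsing) into a single compiled rule set saved to argv[argc-1].
 *
 * Flow: parse options -> --version / --help -> initialise libyara -> create
 * the compiler, define externals and install the error callback -> compile
 * -> fail on errors (and on warnings when fail_on_warnings is set) -> save.
 *
 * Every failure path goes through exit_with_code(), which jumps to the
 * _exit label (macro defined elsewhere in this file), so the compiler, the
 * rules and the libyara runtime are released exactly once. yr_finalize() is
 * only called when yr_initialize() succeeded: the argc check and an init
 * failure both reach _exit before the library is up, and finalising a
 * library that was never initialised would unbalance its init count.
 *
 * Returns EXIT_SUCCESS or EXIT_FAILURE.
 */
int main(
    int argc,
    const char** argv)
{
  COMPILER_RESULTS cr;

  YR_COMPILER* compiler = NULL;
  YR_RULES* rules = NULL;

  int result;
  int yara_initialized = 0; /* 1 once yr_initialize() returned ERROR_SUCCESS */

  argc = args_parse(options, argc, argv);

  if (show_version)
  {
    printf("%s\n", YR_VERSION);
    return EXIT_SUCCESS;
  }

  if (show_help)
  {
    printf("%s\n\n", USAGE_STRING);

    args_print_usage(options, 35);
    printf("\nSend bug reports and suggestions to: [email protected]\n");

    return EXIT_SUCCESS;
  }

  if (argc < 2)
  {
    fprintf(stderr, "yarac: wrong number of arguments\n");
    fprintf(stderr, "%s\n\n", USAGE_STRING);
    fprintf(stderr, "Try `--help` for more options\n");

    exit_with_code(EXIT_FAILURE);
  }

  result = yr_initialize();

  if (result != ERROR_SUCCESS)
  {
    fprintf(stderr, "error: initialization error (%d)\n", result);
    exit_with_code(EXIT_FAILURE);
  }

  yara_initialized = 1;

  if (yr_compiler_create(&compiler) != ERROR_SUCCESS)
    exit_with_code(EXIT_FAILURE);

  if (!define_external_variables(compiler))
    exit_with_code(EXIT_FAILURE);

  cr.errors = 0;
  cr.warnings = 0;

  /* The return value of yr_set_configuration is not checked here; if it
     could fail for this key the limit would silently stay at the default. */
  yr_set_configuration(YR_CONFIG_MAX_STRINGS_PER_RULE, &max_strings_per_rule);
  yr_compiler_set_callback(compiler, report_error, &cr);

  if (!compile_files(compiler, argc, argv))
    exit_with_code(EXIT_FAILURE);

  if (cr.errors > 0)
    exit_with_code(EXIT_FAILURE);

  if (fail_on_warnings && cr.warnings > 0)
    exit_with_code(EXIT_FAILURE);

  result = yr_compiler_get_rules(compiler, &rules);

  if (result != ERROR_SUCCESS)
  {
    fprintf(stderr, "error: %d\n", result);
    exit_with_code(EXIT_FAILURE);
  }

  result = yr_rules_save(rules, argv[argc - 1]);

  if (result != ERROR_SUCCESS)
  {
    fprintf(stderr, "error: %d\n", result);
    exit_with_code(EXIT_FAILURE);
  }

  result = EXIT_SUCCESS;

_exit:

  if (compiler != NULL)
    yr_compiler_destroy(compiler);

  if (rules != NULL)
    yr_rules_destroy(rules);

  if (yara_initialized)
    yr_finalize();

  return result;
}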
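/*
 * yara command-line entry point (legacy API revision).
 *
 * argv[optind] is first tried as a pre-compiled rule set (yr_rules_load);
 * any other load error makes it be treated as rule source and compiled on
 * the fly. argv[argc-1] is the target: a PID when numeric, a directory
 * (scanned by `threads` worker threads over a shared file queue), or a
 * single file.
 *
 * Return values follow this tool's historical convention: 1 after a scan
 * was attempted, 0 on usage/initialisation/compile/open errors, and
 * ERROR_COULD_NOT_CREATE_THREAD when a worker thread could not be started.
 *
 * Every early exit after yr_initialize() now finalises the library, and the
 * compiler is destroyed on every path that created it. The result of
 * yr_compiler_get_rules() is checked so that `rules` is never used while
 * still uninitialised.
 */
int main(
    int argc,
    char const* argv[])
{
  YR_COMPILER* compiler = NULL;
  YR_RULES* rules = NULL;
  FILE* rule_file;
  EXTERNAL* external;

  int pid;
  int i;
  int errors;
  int result;

  THREAD thread[MAX_THREADS];

  if (!process_cmd_line(argc, argv))
    return 0;

  if (argc == 1 || optind == argc)
  {
    show_help();
    return 0;
  }

  if (yr_initialize() != ERROR_SUCCESS)
  {
    fprintf(stderr, "error: could not initialize libyara\n");
    return 0;
  }

  result = yr_rules_load(argv[optind], &rules);

  if (result == ERROR_UNSUPPORTED_FILE_VERSION ||
      result == ERROR_CORRUPT_FILE)
  {
    /* A compiled rule set we cannot use: there is nothing to fall back to.
       Finalise and return 0 like the other error paths; `main` returns int,
       so a bare `return;` here would leave the exit status unspecified. */
    print_scanning_error(result);
    yr_finalize();
    return 0;
  }

  if (result == ERROR_SUCCESS)
  {
    /* Compiled rule set loaded: externals are defined on the rules. */
    external = externals_list;

    while (external != NULL)
    {
      switch (external->type)
      {
        case EXTERNAL_TYPE_INTEGER:
          yr_rules_define_integer_variable(
              rules,
              external->name,
              external->integer);
          break;

        case EXTERNAL_TYPE_BOOLEAN:
          yr_rules_define_boolean_variable(
              rules,
              external->name,
              external->boolean);
          break;

        case EXTERNAL_TYPE_STRING:
          yr_rules_define_string_variable(
              rules,
              external->name,
              external->string);
          break;
      }
      external = external->next;
    }
  }
  else
  {
    /* Any other load error: treat argv[optind] as rule source. */
    if (yr_compiler_create(&compiler) != ERROR_SUCCESS)
    {
      yr_finalize();
      return 0;
    }

    external = externals_list;

    while (external != NULL)
    {
      switch (external->type)
      {
        case EXTERNAL_TYPE_INTEGER:
          yr_compiler_define_integer_variable(
              compiler,
              external->name,
              external->integer);
          break;

        case EXTERNAL_TYPE_BOOLEAN:
          yr_compiler_define_boolean_variable(
              compiler,
              external->name,
              external->boolean);
          break;

        case EXTERNAL_TYPE_STRING:
          yr_compiler_define_string_variable(
              compiler,
              external->name,
              external->string);
          break;
      }
      external = external->next;
    }

    compiler->error_report_function = print_compiler_error;
    rule_file = fopen(argv[optind], "r");

    if (rule_file == NULL)
    {
      fprintf(stderr, "could not open file: %s\n", argv[optind]);
      yr_compiler_destroy(compiler);
      yr_finalize();
      return 0;
    }

    yr_compiler_push_file_name(compiler, argv[optind]);

    errors = yr_compiler_add_file(compiler, rule_file, NULL);

    fclose(rule_file);

    if (errors == 0)
      result = yr_compiler_get_rules(compiler, &rules);

    /* The compiler is not needed past this point whatever the outcome. */
    yr_compiler_destroy(compiler);
    compiler = NULL;

    if (errors > 0)
    {
      yr_finalize();
      return 0;
    }

    if (result != ERROR_SUCCESS)
    {
      /* `rules` was never filled in; scanning would dereference garbage. */
      fprintf(stderr, "error: %d\n", result);
      yr_finalize();
      return 0;
    }
  }

  mutex_init(&output_mutex);

  if (is_numeric(argv[argc - 1]))
  {
    /* atoi() yields 0 on overflow/garbage; is_numeric() is assumed to have
       filtered non-digits already — TODO confirm. */
    pid = atoi(argv[argc - 1]);
    result = yr_rules_scan_proc(
        rules,
        pid,
        callback,
        (void*) argv[argc - 1],
        fast_scan,
        timeout);

    if (result != ERROR_SUCCESS)
      print_scanning_error(result);
  }
  else if (is_directory(argv[argc - 1]))
  {
    file_queue_init();

    for (i = 0; i < threads; i++)
    {
      if (create_thread(&thread[i], scanning_thread, (void*) rules) != 0)
      {
        /* NOTE(review): workers already started keep running on `rules` and
           the queue; finishing the queue and joining them before returning
           would be cleaner. Left as is because the behaviour of
           file_queue_finish() on a never-filled queue is not visible here. */
        return ERROR_COULD_NOT_CREATE_THREAD;
      }
    }

    scan_dir(
        argv[argc - 1],
        recursive_search,
        rules,
        callback);

    file_queue_finish();

    // Wait for scan threads to finish
    for (i = 0; i < threads; i++)
      thread_join(&thread[i]);

    file_queue_destroy();
  }
  else
  {
    result = yr_rules_scan_file(
        rules,
        argv[argc - 1],
        callback,
        (void*) argv[argc - 1],
        fast_scan,
        timeout);

    if (result != ERROR_SUCCESS)
    {
      fprintf(stderr, "Error scanning %s: ", argv[argc - 1]);
      print_scanning_error(result);
    }
  }

  yr_rules_destroy(rules);
  yr_finalize();

  mutex_destroy(&output_mutex);
  cleanup();

  return 1;
}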
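/*
 * yarac entry point: compiles the rule files given as argv[0..argc-2]
 * (after option parsing) into one compiled rule set saved to argv[argc-1].
 *
 * Each input may be written as `namespace:file`; the colon is overwritten
 * in place to split the two, which mutates the argv string through a
 * const-cast. A plain `file` gets the default (NULL) namespace.
 *
 * A rule file that cannot be opened is a hard failure: otherwise the tool
 * would print the error but still exit successfully with an output that
 * silently lacks those rules, which is exactly the kind of gap a detection
 * pipeline would not notice.
 *
 * All failure paths go through exit_with_code() (macro defined elsewhere in
 * this file), which jumps to _exit so the compiler, the rules and the
 * libyara runtime are released once. yr_finalize() is only called when
 * yr_initialize() succeeded.
 *
 * Returns EXIT_SUCCESS on success and EXIT_FAILURE otherwise (including the
 * --version and --help paths, which keep their historical exit status).
 */
int main(
    int argc,
    const char** argv)
{
  YR_COMPILER* compiler = NULL;
  YR_RULES* rules = NULL;

  int result;
  int yara_initialized = 0; /* 1 once yr_initialize() returned ERROR_SUCCESS */

  argc = args_parse(options, argc, argv);

  if (show_version)
  {
    printf("%s\n", PACKAGE_STRING);
    printf("\nSend bug reports and suggestions to: %s.\n", PACKAGE_BUGREPORT);

    return EXIT_FAILURE;
  }

  if (show_help)
  {
    printf("%s\n\n", USAGE_STRING);

    args_print_usage(options, 25);
    printf("\nSend bug reports and suggestions to: %s.\n", PACKAGE_BUGREPORT);

    return EXIT_FAILURE;
  }

  if (argc < 2)
  {
    fprintf(stderr, "yarac: wrong number of arguments\n");
    fprintf(stderr, "%s\n\n", USAGE_STRING);
    fprintf(stderr, "Try `--help` for more options\n");

    exit_with_code(EXIT_FAILURE);
  }

  result = yr_initialize();

  if (result != ERROR_SUCCESS)
  {
    fprintf(stderr, "error: initialization error (%d)\n", result);
    exit_with_code(EXIT_FAILURE);
  }

  yara_initialized = 1;

  if (yr_compiler_create(&compiler) != ERROR_SUCCESS)
    exit_with_code(EXIT_FAILURE);

  if (!define_external_variables(compiler))
    exit_with_code(EXIT_FAILURE);

  yr_compiler_set_callback(compiler, report_error, NULL);

  for (int i = 0; i < argc - 1; i++)
  {
    const char* ns;
    const char* file_name;
    /* NOTE(review): the first ':' is taken as the namespace separator, so a
       Windows drive-letter path (C:\rules.yar) would be split as namespace
       "C" — confirm whether that is intended on that platform. */
    char* colon = (char*) strchr(argv[i], ':');

    if (colon)
    {
      file_name = colon + 1;
      *colon = '\0';
      ns = argv[i];
    }
    else
    {
      file_name = argv[i];
      ns = NULL;
    }

    FILE* rule_file = fopen(file_name, "r");

    if (rule_file == NULL)
    {
      fprintf(stderr, "error: could not open file: %s\n", file_name);
      exit_with_code(EXIT_FAILURE);
    }

    int errors = yr_compiler_add_file(
        compiler, rule_file, ns, file_name);

    fclose(rule_file);

    if (errors) // errors during compilation
      exit_with_code(EXIT_FAILURE);
  }

  result = yr_compiler_get_rules(compiler, &rules);

  if (result != ERROR_SUCCESS)
  {
    fprintf(stderr, "error: %d\n", result);
    exit_with_code(EXIT_FAILURE);
  }

  result = yr_rules_save(rules, argv[argc - 1]);

  if (result != ERROR_SUCCESS)
  {
    fprintf(stderr, "error: %d\n", result);
    exit_with_code(EXIT_FAILURE);
  }

  result = EXIT_SUCCESS;

_exit:

  if (compiler != NULL)
    yr_compiler_destroy(compiler);

  if (rules != NULL)
    yr_rules_destroy(rules);

  if (yara_initialized)
    yr_finalize();

  return result;
}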
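/*
 * yarac entry point (legacy API revision): compiles the rule files given as
 * argv[optind..argc-2] into one compiled rule set saved to argv[argc-1].
 *
 * The compiler is created before the command line is processed because
 * process_cmd_line() defines external variables on it. yr_initialize() is
 * checked so nothing runs against an uninitialised library.
 *
 * A rule file that cannot be opened is treated as a failure rather than
 * skipped: otherwise the tool reports the error but still exits 0 with an
 * output that silently lacks those rules.
 *
 * Every error path releases what it created — the compiler, the rules once
 * they exist, and the libyara runtime — before returning EXIT_FAILURE.
 * Returns EXIT_SUCCESS when the rule set was saved.
 */
int main(
    int argc,
    char const* argv[])
{
  int i, result, errors;

  YR_COMPILER* compiler;
  YR_RULES* rules;
  FILE* rule_file;

  if (yr_initialize() != ERROR_SUCCESS)
  {
    fprintf(stderr, "error: could not initialize libyara\n");
    return EXIT_FAILURE;
  }

  if (yr_compiler_create(&compiler) != ERROR_SUCCESS)
  {
    yr_finalize();
    return EXIT_FAILURE;
  }

  if (!process_cmd_line(compiler, argc, argv))
  {
    yr_compiler_destroy(compiler);
    yr_finalize();
    return EXIT_FAILURE;
  }

  if (argc == 1 || optind == argc)
  {
    show_help();
    yr_compiler_destroy(compiler);
    yr_finalize();
    return EXIT_FAILURE;
  }

  compiler->error_report_function = report_error;

  for (i = optind; i < argc - 1; i++)
  {
    rule_file = fopen(argv[i], "r");

    if (rule_file == NULL)
    {
      fprintf(stderr, "could not open file: %s\n", argv[i]);
      yr_compiler_destroy(compiler);
      yr_finalize();
      return EXIT_FAILURE;
    }

    yr_compiler_push_file_name(compiler, argv[i]);

    errors = yr_compiler_add_file(compiler, rule_file, NULL);

    fclose(rule_file);

    if (errors) // errors during compilation
    {
      yr_compiler_destroy(compiler);
      yr_finalize();
      return EXIT_FAILURE;
    }
  }

  result = yr_compiler_get_rules(compiler, &rules);

  if (result != ERROR_SUCCESS)
  {
    /* `rules` was not produced, so only the compiler needs releasing. */
    fprintf(stderr, "error: %d\n", result);
    yr_compiler_destroy(compiler);
    yr_finalize();
    return EXIT_FAILURE;
  }

  result = yr_rules_save(rules, argv[argc - 1]);

  if (result != ERROR_SUCCESS)
  {
    fprintf(stderr, "error: %d\n", result);
    yr_rules_destroy(rules);
    yr_compiler_destroy(compiler);
    yr_finalize();
    return EXIT_FAILURE;
  }

  yr_rules_destroy(rules);
  yr_compiler_destroy(compiler);

  yr_finalize();

  return EXIT_SUCCESS;
}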