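/*
 * Verify the candidate match described by ac_match at data[offset].
 *
 * The candidate is skipped (ERROR_SUCCESS is returned and no verifier runs)
 * when any of the following holds:
 *   - offset does not fall inside the data_size bytes of data,
 *   - the string is disabled,
 *   - SCAN_FLAGS_FAST_MODE is set, the string is single-match and the match
 *     list selected by context->tidx already has an entry,
 *   - the string has a fixed offset different from data_base + offset.
 *
 * Otherwise the literal or the regexp verifier is called, depending on
 * STRING_IS_LITERAL, and its return code is passed back unchanged. When that
 * code is not ERROR_SUCCESS the string is stored in
 * context->last_error_string.
 *
 * With PROFILING_ENABLED the elapsed microseconds are added atomically to the
 * time_cost counters of the string and of its rule.
 */
int yr_scan_verify_match(
    YR_SCAN_CONTEXT* context,
    YR_AC_MATCH* ac_match,
    const uint8_t* data,
    size_t data_size,
    uint64_t data_base,
    size_t offset)
{
  YR_STRING* string = ac_match->string;
  int result;

  // Bounds check. Both operands are size_t, so the former test
  // "data_size - offset <= 0" was only true when they were equal: an offset
  // beyond data_size wrapped to a large positive value and the out-of-range
  // position was handed to the verifiers. Compare directly instead.
  if (offset >= data_size)
    return ERROR_SUCCESS;

  if (STRING_IS_DISABLED(string))
    return ERROR_SUCCESS;

  // In fast mode one match per single-match string is enough.
  if ((context->flags & SCAN_FLAGS_FAST_MODE) &&
      STRING_IS_SINGLE_MATCH(string) &&
      string->matches[context->tidx].head != NULL)
    return ERROR_SUCCESS;

  // A fixed-offset string can only match at one absolute position.
  if (STRING_IS_FIXED_OFFSET(string) &&
      string->fixed_offset != data_base + offset)
    return ERROR_SUCCESS;

#ifdef PROFILING_ENABLED
  uint64_t start_time = yr_stopwatch_elapsed_us(&context->stopwatch);
#endif

  if (STRING_IS_LITERAL(string))
  {
    result = _yr_scan_verify_literal_match(
        context, ac_match, data, data_size, data_base, offset);
  }
  else
  {
    result = _yr_scan_verify_re_match(
        context, ac_match, data, data_size, data_base, offset);
  }

  // Remember which string was being verified when the error occurred.
  if (result != ERROR_SUCCESS)
    context->last_error_string = string;

#ifdef PROFILING_ENABLED
  uint64_t finish_time = yr_stopwatch_elapsed_us(&context->stopwatch);

#ifdef _WIN32
  InterlockedAdd64(&string->time_cost, finish_time - start_time);
  InterlockedAdd64(&string->rule->time_cost, finish_time - start_time);
#else
  __sync_fetch_and_add(&string->time_cost, finish_time - start_time);
  __sync_fetch_and_add(&string->rule->time_cost, finish_time - start_time);
#endif
#endif

  return result;
}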
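/*
 * Verify the candidate match described by ac_match at data[offset].
 *
 * The candidate is skipped (ERROR_SUCCESS is returned and no verifier runs)
 * when any of the following holds:
 *   - offset does not fall inside the data_size bytes of data,
 *   - SCAN_FLAGS_FAST_MODE is set in flags, the string is single-match and
 *     STRING_FOUND reports it as already found,
 *   - the string has a fixed offset different from data_base + offset.
 *
 * Otherwise the literal or the regexp verifier is called, depending on
 * STRING_IS_LITERAL, with matches_arena passed through to it. The verifier
 * call is wrapped in FAIL_ON_ERROR; when no error is propagated the function
 * returns ERROR_SUCCESS.
 *
 * With PROFILING_ENABLED the clock() ticks spent here are added to
 * string->clock_ticks.
 */
int yr_scan_verify_match(
    YR_AC_MATCH* ac_match,
    uint8_t* data,
    size_t data_size,
    size_t data_base,
    size_t offset,
    YR_ARENA* matches_arena,
    int flags)
{
  YR_STRING* string = ac_match->string;

#ifdef PROFILING_ENABLED
  clock_t start = clock();
#endif

  // Bounds check. Both operands are size_t, so the former test
  // "data_size - offset <= 0" was only true when they were equal: an offset
  // beyond data_size wrapped to a large positive value and the out-of-range
  // position was handed to the verifiers. Compare directly instead.
  if (offset >= data_size)
    return ERROR_SUCCESS;

  // In fast mode one match per single-match string is enough.
  if ((flags & SCAN_FLAGS_FAST_MODE) &&
      STRING_IS_SINGLE_MATCH(string) &&
      STRING_FOUND(string))
    return ERROR_SUCCESS;

  // A fixed-offset string can only match at one absolute position.
  if (STRING_IS_FIXED_OFFSET(string) &&
      string->fixed_offset != data_base + offset)
    return ERROR_SUCCESS;

  // NOTE(review): FAIL_ON_ERROR is defined elsewhere; it presumably returns
  // the error code right away, in which case the ticks of a failed
  // verification are never added below. Confirm.
  if (STRING_IS_LITERAL(string))
  {
    FAIL_ON_ERROR(_yr_scan_verify_literal_match(
        ac_match, data, data_size, data_base, offset, matches_arena));
  }
  else
  {
    FAIL_ON_ERROR(_yr_scan_verify_re_match(
        ac_match, data, data_size, data_base, offset, matches_arena));
  }

#ifdef PROFILING_ENABLED
  string->clock_ticks += clock() - start;
#endif

  return ERROR_SUCCESS;
}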
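/*
 * Verify the candidate match described by ac_match at data[offset].
 *
 * The candidate is skipped (ERROR_SUCCESS is returned and no verifier runs)
 * when any of the following holds:
 *   - offset does not fall inside the data_size bytes of data,
 *   - SCAN_FLAGS_FAST_MODE is set in context->flags, the string is
 *     single-match and the match list selected by context->tidx already has
 *     an entry,
 *   - the string has a fixed offset different from data_base + offset.
 *
 * Otherwise the literal or the regexp verifier is called, depending on
 * STRING_IS_LITERAL. The verifier call is wrapped in FAIL_ON_ERROR; when no
 * error is propagated the function returns ERROR_SUCCESS.
 *
 * With PROFILING_ENABLED the clock() ticks spent here are added to
 * string->clock_ticks.
 */
int yr_scan_verify_match(
    YR_SCAN_CONTEXT* context,
    YR_AC_MATCH* ac_match,
    uint8_t* data,
    size_t data_size,
    size_t data_base,
    size_t offset)
{
  YR_STRING* string = ac_match->string;

#ifdef PROFILING_ENABLED
  clock_t start = clock();
#endif

  // Bounds check. Both operands are size_t, so the former test
  // "data_size - offset <= 0" was only true when they were equal: an offset
  // beyond data_size wrapped to a large positive value and the out-of-range
  // position was handed to the verifiers. Compare directly instead.
  if (offset >= data_size)
    return ERROR_SUCCESS;

  // In fast mode one match per single-match string is enough.
  if ((context->flags & SCAN_FLAGS_FAST_MODE) &&
      STRING_IS_SINGLE_MATCH(string) &&
      string->matches[context->tidx].head != NULL)
    return ERROR_SUCCESS;

  // A fixed-offset string can only match at one absolute position.
  if (STRING_IS_FIXED_OFFSET(string) &&
      string->fixed_offset != data_base + offset)
    return ERROR_SUCCESS;

  // NOTE(review): FAIL_ON_ERROR is defined elsewhere; it presumably returns
  // the error code right away, in which case the ticks of a failed
  // verification are never added below. Confirm.
  if (STRING_IS_LITERAL(string))
  {
    FAIL_ON_ERROR(_yr_scan_verify_literal_match(
        context, ac_match, data, data_size, data_base, offset));
  }
  else
  {
    FAIL_ON_ERROR(_yr_scan_verify_re_match(
        context, ac_match, data, data_size, data_base, offset));
  }

#ifdef PROFILING_ENABLED
  string->clock_ticks += clock() - start;
#endif

  return ERROR_SUCCESS;
}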
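/*
 * Verify the candidate match described by ac_match at data[offset].
 *
 * The candidate is skipped (ERROR_SUCCESS is returned and no verifier runs)
 * when any of the following holds:
 *   - offset does not fall inside the data_size bytes of data,
 *   - fast_scan_mode is non-zero, the string is single-match and
 *     STRING_FOUND reports it as already found.
 *
 * Otherwise the literal or the regexp verifier is called, depending on
 * STRING_IS_LITERAL, with matches_arena passed through to it. The verifier
 * call is wrapped in FAIL_ON_ERROR; when no error is propagated the function
 * returns ERROR_SUCCESS.
 *
 * With PROFILING_ENABLED the clock() ticks spent here are added to
 * string->clock_ticks.
 */
inline int _yr_scan_verify_match(
    YR_AC_MATCH* ac_match,
    uint8_t* data,
    size_t data_size,
    size_t offset,
    YR_ARENA* matches_arena,
    int fast_scan_mode)
{
  YR_STRING* string = ac_match->string;

#ifdef PROFILING_ENABLED
  clock_t start = clock();
#endif

  // Bounds check. Both operands are size_t, so the former test
  // "data_size - offset <= 0" was only true when they were equal: an offset
  // beyond data_size wrapped to a large positive value and the out-of-range
  // position was handed to the verifiers. Compare directly instead.
  if (offset >= data_size)
    return ERROR_SUCCESS;

  // In fast mode one match per single-match string is enough.
  if (fast_scan_mode &&
      STRING_IS_SINGLE_MATCH(string) &&
      STRING_FOUND(string))
    return ERROR_SUCCESS;

  // NOTE(review): FAIL_ON_ERROR is defined elsewhere; it presumably returns
  // the error code right away, in which case the ticks of a failed
  // verification are never added below. Confirm.
  if (STRING_IS_LITERAL(string))
  {
    FAIL_ON_ERROR(_yr_scan_verify_literal_match(
        ac_match, data, data_size, offset, matches_arena));
  }
  else
  {
    FAIL_ON_ERROR(_yr_scan_verify_re_match(
        ac_match, data, data_size, offset, matches_arena));
  }

#ifdef PROFILING_ENABLED
  string->clock_ticks += clock() - start;
#endif

  return ERROR_SUCCESS;
}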