// Releases a compiler object together with the resources it references.
//
// `compiler` is dereferenced unconditionally, so it must not be NULL. It is
// handed to yr_free() as the last step, so the caller must not touch the
// pointer once this function returns.
void yr_compiler_destroy(
    YR_COMPILER* compiler)
{
  int idx = 0;

  // Each arena is destroyed only when its pointer is set, so a compiler
  // whose arenas were only partially created can still be torn down here.
  if (compiler->compiled_rules_arena)
    yr_arena_destroy(compiler->compiled_rules_arena);

  if (compiler->sz_arena)
    yr_arena_destroy(compiler->sz_arena);

  if (compiler->rules_arena)
    yr_arena_destroy(compiler->rules_arena);

  if (compiler->strings_arena)
    yr_arena_destroy(compiler->strings_arena);

  if (compiler->code_arena)
    yr_arena_destroy(compiler->code_arena);

  if (compiler->re_code_arena)
    yr_arena_destroy(compiler->re_code_arena);

  if (compiler->automaton_arena)
    yr_arena_destroy(compiler->automaton_arena);

  if (compiler->externals_arena)
    yr_arena_destroy(compiler->externals_arena);

  if (compiler->namespaces_arena)
    yr_arena_destroy(compiler->namespaces_arena);

  if (compiler->metas_arena)
    yr_arena_destroy(compiler->metas_arena);

  // No value-free callback is passed for rules_table; the values stored in
  // objects_table are released through yr_object_destroy.
  // NOTE(review): unlike the arenas, the two tables are not NULL-checked
  // here -- confirm yr_hash_table_destroy accepts a NULL table.
  yr_hash_table_destroy(
      compiler->rules_table,
      NULL);

  yr_hash_table_destroy(
      compiler->objects_table,
      (YR_HASH_TABLE_FREE_VALUE_FUNC) yr_object_destroy);

  // Free the file name entries below the current stack pointer.
  while (idx < compiler->file_name_stack_ptr)
  {
    yr_free(compiler->file_name_stack[idx]);
    idx++;
  }

  yr_free(compiler);
}
// Releases a compiler object together with its arenas, its automaton, its
// hash tables, the stacked file names and any pending fixups.
//
// `compiler` is dereferenced unconditionally, so it must not be NULL. It is
// handed to yr_free() as the last step, so the caller must not touch the
// pointer once this function returns.
YR_API void yr_compiler_destroy(
    YR_COMPILER* compiler)
{
  YR_FIXUP* node;
  YR_FIXUP* following;
  int idx;

  // NOTE(review): the arenas are destroyed without NULL checks; this relies
  // on yr_arena_destroy tolerating a NULL argument when the compiler was
  // only partially constructed -- confirm against its implementation.
  yr_arena_destroy(compiler->compiled_rules_arena);
  yr_arena_destroy(compiler->sz_arena);
  yr_arena_destroy(compiler->rules_arena);
  yr_arena_destroy(compiler->strings_arena);
  yr_arena_destroy(compiler->code_arena);
  yr_arena_destroy(compiler->re_code_arena);
  yr_arena_destroy(compiler->externals_arena);
  yr_arena_destroy(compiler->namespaces_arena);
  yr_arena_destroy(compiler->metas_arena);
  yr_arena_destroy(compiler->automaton_arena);
  yr_arena_destroy(compiler->matches_arena);

  yr_ac_automaton_destroy(compiler->automaton);

  // No value-free callback is passed for rules_table and strings_table; the
  // values stored in objects_table are released through yr_object_destroy.
  yr_hash_table_destroy(
      compiler->rules_table,
      NULL);

  yr_hash_table_destroy(
      compiler->strings_table,
      NULL);

  yr_hash_table_destroy(
      compiler->objects_table,
      (YR_HASH_TABLE_FREE_VALUE_FUNC) yr_object_destroy);

  // Free the file name entries below the current stack pointer.
  idx = 0;

  while (idx < compiler->file_name_stack_ptr)
  {
    yr_free(compiler->file_name_stack[idx]);
    idx++;
  }

  // Walk the fixup list. The successor is read before the node is freed so
  // that freed memory is never dereferenced.
  for (node = compiler->fixup_stack_head; node != NULL; node = following)
  {
    following = node->next;
    yr_free(node);
  }

  yr_free(compiler);
}
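// Releases the per-module hash table stored in module_object->data.
//
// The table's values are freed with yr_free. After the table is destroyed
// the data pointer is reset to NULL, so the module object no longer carries
// a dangling pointer: a second unload, or any later reader of `data`, sees
// NULL instead of freed memory.
//
// Always returns ERROR_SUCCESS.
int module_unload(
    YR_OBJECT* module_object)
{
  YR_HASH_TABLE* hash_table = (YR_HASH_TABLE*) module_object->data;

  if (hash_table != NULL)
  {
    yr_hash_table_destroy(
        hash_table,
        (YR_HASH_TABLE_FREE_VALUE_FUNC) yr_free);

    // Drop the stale reference to guard against use-after-free/double free.
    module_object->data = NULL;
  }

  return ERROR_SUCCESS;
}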
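// Scans a linked list of memory blocks with a compiled rule set and reports
// every non-private rule to `callback`.
//
// rules      Compiled rules; a per-thread slot (tidx) is reserved in
//            rules->tidx_mask for the duration of the scan.
// block      Head of the block list (followed through block->next). A NULL
//            list is treated as nothing to scan.
// flags      Scan flags; SCAN_FLAGS_PROCESS_MEMORY selects address-based
//            entry point detection instead of offset-based.
// callback   Caller-supplied function invoked once per non-private rule and
//            once with CALLBACK_MSG_SCAN_FINISHED.
// user_data  Opaque pointer passed through to `callback`.
// timeout    Passed through to the block scan and code execution helpers.
//
// Returns ERROR_SUCCESS when block is NULL, when the scan completes, or when
// the callback returns CALLBACK_ABORT; ERROR_TOO_MANY_SCAN_THREADS when no
// slot below MAX_THREADS is free; ERROR_CALLBACK_ERROR when the callback
// returns CALLBACK_ERROR; otherwise the first error reported by a helper.
int yr_rules_scan_mem_blocks(
    YR_RULES* rules,
    YR_MEMORY_BLOCK* block,
    int flags,
    YR_CALLBACK_FUNC callback,
    void* user_data,
    int timeout)
{
  YR_SCAN_CONTEXT context;
  YR_RULE* rule;
  YR_OBJECT* object;
  YR_EXTERNAL_VARIABLE* external;
  YR_ARENA* matches_arena = NULL;

  time_t start_time;
  tidx_mask_t bit;

  int message;
  int tidx = 0;
  int result = ERROR_SUCCESS;

  if (block == NULL)
    return ERROR_SUCCESS;

  context.flags = flags;
  context.callback = callback;
  context.user_data = user_data;
  context.file_size = block->size;
  context.mem_block = block;
  context.entry_point = UNDEFINED;
  context.objects_table = NULL;

  // Reserve the lowest free thread slot while holding the rules lock.
  _yr_rules_lock(rules);

  bit = 1;

  while (rules->tidx_mask & bit)
  {
    tidx++;
    bit <<= 1;
  }

  if (tidx < MAX_THREADS)
    rules->tidx_mask |= bit;
  else
    result = ERROR_TOO_MANY_SCAN_THREADS;

  _yr_rules_unlock(rules);

  // No slot was reserved, so nothing has to be released yet.
  if (result != ERROR_SUCCESS)
    return result;

  yr_set_tidx(tidx);

  result = yr_arena_create(1024, 0, &matches_arena);

  if (result != ERROR_SUCCESS)
    goto _exit;

  result = yr_hash_table_create(64, &context.objects_table);

  if (result != ERROR_SUCCESS)
    goto _exit;

  // Turn every external variable into an object stored in the scan context.
  external = rules->externals_list_head;

  while (!EXTERNAL_VARIABLE_IS_NULL(external))
  {
    result = yr_object_from_external_variable(
        external,
        &object);

    if (result == ERROR_SUCCESS)
    {
      result = yr_hash_table_add(
          context.objects_table,
          external->identifier,
          NULL,
          (void*) object);

      // The table destroys only the values it holds, so an object whose
      // insertion failed would otherwise leak.
      // NOTE(review): assumes a failed yr_hash_table_add does not retain
      // the value -- confirm against its implementation.
      if (result != ERROR_SUCCESS)
        yr_object_destroy(object);
    }

    if (result != ERROR_SUCCESS)
      goto _exit;

    external++;
  }

  start_time = time(NULL);

  while (block != NULL)
  {
    // The entry point is looked up block by block until one is found.
    if (context.entry_point == UNDEFINED)
    {
      if (flags & SCAN_FLAGS_PROCESS_MEMORY)
        context.entry_point = yr_get_entry_point_address(
            block->data,
            block->size,
            block->base);
      else
        context.entry_point = yr_get_entry_point_offset(
            block->data,
            block->size);
    }

    result = yr_rules_scan_mem_block(
        rules,
        block,
        flags,
        timeout,
        start_time,
        matches_arena);

    if (result != ERROR_SUCCESS)
      goto _exit;

    block = block->next;
  }

  result = yr_execute_code(
      rules,
      &context,
      timeout,
      start_time);

  if (result != ERROR_SUCCESS)
    goto _exit;

  // First pass: a global rule that did not match marks its namespace as
  // having an unsatisfied global rule.
  rule = rules->rules_list_head;

  while (!RULE_IS_NULL(rule))
  {
    if (RULE_IS_GLOBAL(rule) &&
        !(rule->t_flags[tidx] & RULE_TFLAGS_MATCH))
    {
      rule->ns->t_flags[tidx] |= NAMESPACE_TFLAGS_UNSATISFIED_GLOBAL;
    }

    rule++;
  }

  // Second pass: report each non-private rule. A rule counts as matching
  // only if its namespace has no unsatisfied global rule.
  rule = rules->rules_list_head;

  while (!RULE_IS_NULL(rule))
  {
    if ((rule->t_flags[tidx] & RULE_TFLAGS_MATCH) &&
        !(rule->ns->t_flags[tidx] & NAMESPACE_TFLAGS_UNSATISFIED_GLOBAL))
    {
      message = CALLBACK_MSG_RULE_MATCHING;
    }
    else
    {
      message = CALLBACK_MSG_RULE_NOT_MATCHING;
    }

    if (!RULE_IS_PRIVATE(rule))
    {
      switch (callback(message, rule, user_data))
      {
        case CALLBACK_ABORT:
          result = ERROR_SUCCESS;
          goto _exit;

        case CALLBACK_ERROR:
          result = ERROR_CALLBACK_ERROR;
          goto _exit;

        default:
          // Any other return value continues with the next rule.
          break;
      }
    }

    rule++;
  }

  // The return value of the final notification is intentionally ignored.
  callback(CALLBACK_MSG_SCAN_FINISHED, NULL, user_data);

_exit:

  // NOTE(review): this is reached with context.objects_table == NULL when
  // arena or table creation failed -- confirm yr_modules_unload_all copes.
  yr_modules_unload_all(&context);

  _yr_rules_clean_matches(rules);

  if (matches_arena != NULL)
    yr_arena_destroy(matches_arena);

  if (context.objects_table != NULL)
    yr_hash_table_destroy(
        context.objects_table,
        (YR_HASH_TABLE_FREE_VALUE_FUNC) yr_object_destroy);

  // Release the thread slot. The mask is built in tidx_mask_t, the same type
  // used when the bit was set: a plain `1 << tidx` is an int shift, which is
  // undefined once tidx reaches the sign bit or the width of int and could
  // leave the slot marked busy forever.
  _yr_rules_lock(rules);
  rules->tidx_mask &= ~((tidx_mask_t) 1 << tidx);
  _yr_rules_unlock(rules);

  yr_set_tidx(-1);

  return result;
}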