Updated to use YARA 4.5.0
Chris Mayhew committed Feb 16, 2024
1 parent 685aadd commit d831f53
Showing 60 changed files with 3,668 additions and 2,519 deletions.
6 changes: 3 additions & 3 deletions MSVC 2019/XT_Main/XT_Main.vcxproj
Expand Up @@ -15,22 +15,22 @@
<TargetFrameworkVersion>v4.6.1</TargetFrameworkVersion>
<Keyword>ManagedCProj</Keyword>
<RootNamespace>XT_Main</RootNamespace>
<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
<WindowsTargetPlatformVersion>10.0.22621.0</WindowsTargetPlatformVersion>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<CLRSupport>false</CLRSupport>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v142</PlatformToolset>
<PlatformToolset>v143</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<CLRSupport>false</CLRSupport>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v142</PlatformToolset>
<PlatformToolset>v143</PlatformToolset>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
6 changes: 3 additions & 3 deletions MSVC 2019/XT_Yara/XT_Yara.vcxproj
Expand Up @@ -15,7 +15,7 @@
<TargetFrameworkVersion>v4.6.1</TargetFrameworkVersion>
<Keyword>ManagedCProj</Keyword>
<RootNamespace>XT_Yara</RootNamespace>
<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
<WindowsTargetPlatformVersion>10.0.22621.0</WindowsTargetPlatformVersion>
<ProjectName>XT_Yara</ProjectName>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
Expand All @@ -24,14 +24,14 @@
<UseDebugLibraries>false</UseDebugLibraries>
<CLRSupport>false</CLRSupport>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v142</PlatformToolset>
<PlatformToolset>v143</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<CLRSupport>false</CLRSupport>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v142</PlatformToolset>
<PlatformToolset>v143</PlatformToolset>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
4 changes: 2 additions & 2 deletions MSVC 2019/libyara/libyara.vcxproj
Expand Up @@ -12,12 +12,12 @@
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{E236CE39-D8F3-4DB6-985C-F2794FF17746}</ProjectGuid>
<WindowsTargetPlatformVersion>10.0.17134.0</WindowsTargetPlatformVersion>
<WindowsTargetPlatformVersion>10.0.22621.0</WindowsTargetPlatformVersion>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<PlatformToolset>v143</PlatformToolset>
<ConfigurationType>StaticLibrary</ConfigurationType>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='StaticRelease|x64'" Label="Configuration">
4 changes: 2 additions & 2 deletions src/libyara/base64.c
Expand Up @@ -40,7 +40,7 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
// is expected to trim the appropriate number of leading and trailing bytes.
//
// This is based upon the ideas at:
// https://www.leeholmes.com/blog/2019/12/10/searching-for-content-in-base-64-strings-2/
// https://www.leeholmes.com/searching-for-content-in-base-64-strings/
//
// The caller is responsible for freeing the returned string.
//
Expand Down Expand Up @@ -361,7 +361,7 @@ int _yr_base64_create_regexp(
// printf("%s\n", re_str);

FAIL_ON_ERROR_WITH_CLEANUP(
yr_re_parse(re_str, re_ast, re_error), yr_free(re_str));
yr_re_parse(re_str, re_ast, re_error, RE_PARSER_FLAG_NONE), yr_free(re_str));

yr_free(re_str);

26 changes: 26 additions & 0 deletions src/libyara/compiler.c
Expand Up @@ -240,6 +240,7 @@ YR_API int yr_compiler_create(YR_COMPILER** compiler)
new_compiler->re_ast_clbk_user_data = NULL;
new_compiler->last_error = ERROR_SUCCESS;
new_compiler->last_error_line = 0;
new_compiler->strict_escape = false;
new_compiler->current_line = 0;
new_compiler->file_name_stack_ptr = 0;
new_compiler->fixup_stack_head = NULL;
Expand Down Expand Up @@ -629,6 +630,31 @@ YR_API int yr_compiler_add_fd(
return result;
}

YR_API int yr_compiler_add_bytes(
YR_COMPILER* compiler,
const void* rules_data,
size_t rules_size,
const char* namespace_)
{
// Don't allow calls to yr_compiler_add_bytes() after
// yr_compiler_get_rules() has been called.
assert(compiler->rules == NULL);

// Don't allow calls to yr_compiler_add_bytes() if a previous call to
// yr_compiler_add_XXXX failed.
assert(compiler->errors == 0);

if (namespace_ != NULL)
compiler->last_error = _yr_compiler_set_namespace(compiler, namespace_);
else
compiler->last_error = _yr_compiler_set_namespace(compiler, "default");

if (compiler->last_error != ERROR_SUCCESS)
return ++compiler->errors;

return yr_lex_parse_rules_bytes(rules_data, rules_size, compiler);
}

YR_API int yr_compiler_add_string(
YR_COMPILER* compiler,
const char* rules_string,
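Review bot: `yr_compiler_add_bytes` is a new exported `YR_API` entry point with no header comment, and its two preconditions are enforced only by `assert`, which is compiled out when `NDEBUG` is defined, so a release caller that violates them proceeds silently. A Doxygen block above the definition should state that the compiler must not have had `yr_compiler_get_rules` called and must have no prior errors, that `rules_data` is `rules_size` bytes of rule source (whether it may be non-NUL-terminated depends on `yr_lex_parse_rules_bytes`, which is not visible here), that a NULL `namespace_` selects `"default"`, and what the returned count means on the namespace-failure path versus the parse path. If the sibling `yr_compiler_add_string`/`yr_compiler_add_fd` use the same assert-only pattern this is at least consistent; otherwise consider returning an incremented error count instead of asserting.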
196 changes: 145 additions & 51 deletions src/libyara/exception.h
Expand Up @@ -33,6 +33,13 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#include <assert.h>
#include <yara/globals.h>

typedef struct {
void* memfault_from;
void* memfault_to;
void* jump_back;
} jumpinfo;


#if _WIN32 || __CYGWIN__

#include <windows.h>
Expand Down Expand Up @@ -83,65 +90,134 @@ static LONG CALLBACK exception_handler(PEXCEPTION_POINTERS ExceptionInfo)

static LONG CALLBACK exception_handler(PEXCEPTION_POINTERS ExceptionInfo)
{
jmp_buf* jb_ptr;
jumpinfo* jump_info;

switch (ExceptionInfo->ExceptionRecord->ExceptionCode)
{
case EXCEPTION_IN_PAGE_ERROR:
case EXCEPTION_ACCESS_VIOLATION:
jb_ptr =
(jmp_buf*) yr_thread_storage_get_value(&yr_trycatch_trampoline_tls);

if (jb_ptr != NULL)
longjmp(*jb_ptr, 1);
jump_info =
(jumpinfo*) yr_thread_storage_get_value(&yr_trycatch_trampoline_tls);

if (jump_info != NULL)
{
void* fault_address = (void*) ExceptionInfo->ExceptionRecord->ExceptionInformation[1];
if (jump_info->memfault_from <= fault_address && jump_info->memfault_to > fault_address)
{
longjmp(*(jmp_buf*)jump_info->jump_back, 1);
}
}
}

return EXCEPTION_CONTINUE_SEARCH;
}

#define YR_TRYCATCH(_do_, _try_clause_, _catch_clause_) \
do \
{ \
if (_do_) \
{ \
jmp_buf jb; \
/* Store pointer to sigjmp_buf in TLS */ \
yr_thread_storage_set_value(&yr_trycatch_trampoline_tls, &jb); \
HANDLE exh = AddVectoredExceptionHandler(1, exception_handler); \
if (setjmp(jb) == 0) \
{ \
_try_clause_ \
} \
else \
{ \
_catch_clause_ \
} \
RemoveVectoredExceptionHandler(exh); \
yr_thread_storage_set_value(&yr_trycatch_trampoline_tls, NULL); \
} \
else \
{ \
_try_clause_ \
} \
#define YR_TRYCATCH(_do_, _try_clause_, _catch_clause_) \
do \
{ \
if (_do_) \
{ \
jumpinfo jump_info; \
jump_info.memfault_from = 0; \
jump_info.memfault_to = 0; \
jmp_buf jb; \
jump_info.jump_back = (void*) &jb; \
/* Store pointer to sigjmp_buf in TLS */ \
yr_thread_storage_set_value(&yr_trycatch_trampoline_tls, &jump_info); \
HANDLE exh = AddVectoredExceptionHandler(1, exception_handler); \
if (setjmp(jb) == 0) \
{ \
_try_clause_ \
} \
else \
{ \
_catch_clause_ \
} \
RemoveVectoredExceptionHandler(exh); \
yr_thread_storage_set_value(&yr_trycatch_trampoline_tls, NULL); \
} \
else \
{ \
_try_clause_ \
} \
} while (0)

#endif

#else

#if defined(__APPLE__) || defined(__linux__) || defined(_AIX)
#define CATCH_SIGSEGV 0
#define CATCH_SIGBUS 1
#elif defined(BSD)
// According to #551, older BSD versions use SIGSEGV for invalid mmap access.
// Newer versions, however, use SIGBUS (tested with FreeBSD 13.2 / OpenBSD 7.4).
// To be compatible with both, catch SIGBUS and SIGSEGV.
#define CATCH_SIGSEGV 1
#define CATCH_SIGBUS 1
#else // For unknown systems, play it safe by catching both
#define CATCH_SIGSEGV 1
#define CATCH_SIGBUS 1
#endif

#include <pthread.h>
#include <setjmp.h>
#include <signal.h>
#include <yara/globals.h>

static void exception_handler(int sig)
static void exception_handler(int sig, siginfo_t * info, void *context)
{
if (sig == SIGBUS || sig == SIGSEGV)
if (sig != SIGBUS && sig != SIGSEGV)
{
return;
}
jumpinfo* jump_info = (jumpinfo*) yr_thread_storage_get_value(&yr_trycatch_trampoline_tls);

if (jump_info != NULL)
{
jmp_buf* jb_ptr =
(jmp_buf*) yr_thread_storage_get_value(&yr_trycatch_trampoline_tls);
void* fault_address = (void*) info->si_addr;
if (jump_info->memfault_from <= fault_address && jump_info->memfault_to > fault_address)
{
siglongjmp(*(sigjmp_buf*)jump_info->jump_back, 1);
}
}

// If we're here, the signal we received didn't originate from YARA.
// In this case, we want to invoke the original signal handler, which may handle the signal.

if (jb_ptr != NULL)
siglongjmp(*jb_ptr, 1);
// Lock the exception handler mutex to prevent simultaneous write access while we read the old signal handler
pthread_mutex_lock(&exception_handler_mutex);
struct sigaction old_handler;
if (sig == SIGBUS)
old_handler = old_sigbus_exception_handler;
else
old_handler = old_sigsegv_exception_handler;
pthread_mutex_unlock(&exception_handler_mutex);

if (old_handler.sa_flags & SA_SIGINFO)
{
old_handler.sa_sigaction(sig, info, context);
}
else if (old_handler.sa_handler == SIG_DFL)
{
// Old handler is the default action. To do this, set the signal handler back to default and raise the signal.
// This is fairly volatile - since this is not an atomic operation, signals from other threads might also
// cause the default action while we're doing this. However, the default action will typically cause a
// process termination anyway.
pthread_mutex_lock(&exception_handler_mutex);
struct sigaction current_handler;
sigaction(sig, &old_handler, &current_handler);
raise(sig);
sigaction(sig, &current_handler, NULL);
pthread_mutex_unlock(&exception_handler_mutex);
}
else if (old_handler.sa_handler == SIG_IGN)
{
// SIG_IGN wants us to ignore the signal
return;
}
else
{
old_handler.sa_handler(sig);
}
}

Expand All @@ -152,18 +228,28 @@ typedef struct sigaction sa;
{ \
if (_do_) \
{ \
struct sigaction old_sigbus_act; \
struct sigaction old_sigsegv_act; \
struct sigaction act; \
pthread_mutex_lock(&exception_handler_mutex); \
if (exception_handler_usecount == 0) \
{ \
struct sigaction act; \
/* Set exception handler for SIGSEGV / SIGBUS */ \
act.sa_sigaction = exception_handler; \
act.sa_flags = SA_SIGINFO | SA_ONSTACK; \
sigfillset(&act.sa_mask); \
if (CATCH_SIGBUS) \
sigaction(SIGBUS, &act, &old_sigbus_exception_handler); \
if (CATCH_SIGSEGV) \
sigaction(SIGSEGV, &act, &old_sigsegv_exception_handler); \
} \
exception_handler_usecount++; \
pthread_mutex_unlock(&exception_handler_mutex); \
jumpinfo ji; \
ji.memfault_from = 0; \
ji.memfault_to = 0; \
sigjmp_buf jb; \
/* Store pointer to sigjmp_buf in TLS */ \
yr_thread_storage_set_value(&yr_trycatch_trampoline_tls, &jb); \
/* Set exception handler for SIGBUS and SIGSEGV*/ \
act.sa_handler = exception_handler; \
act.sa_flags = 0; /* SA_ONSTACK? */ \
sigfillset(&act.sa_mask); \
sigaction(SIGBUS, &act, &old_sigbus_act); \
sigaction(SIGSEGV, &act, &old_sigsegv_act); \
ji.jump_back = (void*) &jb; \
/* Store pointer to jumpinfo in TLS */ \
yr_thread_storage_set_value(&yr_trycatch_trampoline_tls, &ji); \
if (sigsetjmp(jb, 1) == 0) \
{ \
_try_clause_ \
Expand All @@ -172,9 +258,17 @@ typedef struct sigaction sa;
{ \
_catch_clause_ \
} \
/* Stop capturing SIGBUS and SIGSEGV */ \
sigaction(SIGBUS, &old_sigbus_act, NULL); \
sigaction(SIGSEGV, &old_sigsegv_act, NULL); \
pthread_mutex_lock(&exception_handler_mutex); \
exception_handler_usecount--; \
if (exception_handler_usecount == 0) \
{ \
/* Stop capturing relevant signals */ \
if (CATCH_SIGBUS) \
sigaction(SIGBUS, &old_sigbus_exception_handler, NULL); \
if (CATCH_SIGSEGV) \
sigaction(SIGSEGV, &old_sigsegv_exception_handler, NULL); \
} \
pthread_mutex_unlock(&exception_handler_mutex); \
yr_thread_storage_set_value(&yr_trycatch_trampoline_tls, NULL); \
} \
else \
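Review bot: The POSIX `exception_handler` calls `pthread_mutex_lock` on `exception_handler_mutex` both when it copies the old handler and again in the SIG_DFL branch, and `pthread_mutex_lock` is not on POSIX's async-signal-safe list (unlike `sigaction` and `raise`, which the same branch also uses); if a SIGSEGV/SIGBUS is delivered to a thread that already holds that mutex — for instance inside the locked setup or teardown region of `YR_TRYCATCH`, or in any caller that takes it — the handler self-deadlocks instead of forwarding the signal. Since `old_sigbus_exception_handler`/`old_sigsegv_exception_handler` are only written while `exception_handler_usecount == 0`, the handler could copy them without the mutex and document that a forwarded fault racing the very first install is unsupported, or gate the copy on an atomic flag set once the first `sigaction` has completed. Two smaller points in the same file: `act.sa_flags` sets `SA_ONSTACK` but nothing here calls `sigaltstack`, so the flag only matters for threads that established an alternate stack elsewhere, which the `/* Set exception handler for SIGSEGV / SIGBUS */` comment should say; and both the Windows and POSIX macros start `memfault_from`/`memfault_to` at 0, an empty range, so every fault is forwarded to the previous handler until something outside this hunk widens the range — presumably the scanner before it touches mapped memory, but a one-line comment such as `/* empty range: must be set by the code that touches fault-prone memory */` would save the next reader the search.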
