yara-ffi 1.0.0 → 2.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 380c0c04b4e921df435344606ae662123cdf59e8e1bb20bc442f1282285d87d1
-  data.tar.gz: 5348991427d0376f4d0b31e8a1e9cd64275e760a2a9839e10eb0cc87dcedbfaf
+  metadata.gz: ac111338f4038017b3eb887d2bfcea73c2a2aa5a9b409370e13cfd01985276df
+  data.tar.gz: 353ab52ebe038b8fbd2b3c9ce35436df1b4fb20cad1cfa0b3019e678291e0f0b
 SHA512:
-  metadata.gz: a640d8ef7adce2b261de4e7144e2c8ea35519c566cbd2c6a75c04ab68bda54bbf0d339b37bb210fdf60b1bed7bb152fe3c0e0e20355c7f8ec45364c2dd25dc31
-  data.tar.gz: 9063e8934d649121a5c2e9489d662c5bdb64b695ac359981d0801bc439ba64699fded19c8d0096c3ae4900fb59b8823c84cec153e0573bc81219e3d4e0e74b12
+  metadata.gz: 96a2ede305474b3457dcaf4256e3b57fa28becae0abc51eb3e45897667f5a971ba818a45a6b945b15d02208c2eee6adad43ff416c31d9528083ed7dd5a317046
+  data.tar.gz: 6b1a3fa08e02123b655d140f30fa531494d585276591f5758b6f8c26636ea0fe388eef7fa5e6253d9fce42221b19729eab0960684a87eaf95e96f701eacd4fb7

data/lib/yara/ffi.rb

@@ -35,6 +35,11 @@ module Yara
       :pointer, # compiler_pointer
     ], :void
 
+    # int yr_rules_destroy(YR_RULES* rules)
+    attach_function :yr_rules_destroy, [
+      :pointer, # rules_pointer
+    ], :void
+
     # void callback_function(
     #   int error_level,
     #   const char* file_name,
@@ -100,7 +105,7 @@ module Yara
     #   int timeout)
     attach_function :yr_rules_scan_mem, [
       :pointer,       # rules_pointer*
-      :string,        # buffer (aka test subject)
+      :pointer,       # buffer (aka test subject)
       :size_t,        # buffer size (String#bytesize)
       :int,           # flags
       :scan_callback, # proc

data/lib/yara/scan_result.rb

@@ -0,0 +1,105 @@
+module Yara
+  class ScanResult
+    RULE_MATCHING     = 1
+    RULE_NOT_MATCHING = 2
+
+    META_FLAGS_LAST_IN_RULE = 1
+
+    META_TYPE_INTEGER = 1
+    META_TYPE_STRING  = 2
+    META_TYPE_BOOLEAN = 3
+
+    STRING_FLAGS_LAST_IN_RULE = 0
+
+    STRING_LENGTH = 4
+    STRING_POINTER = 5
+
+    RULE_IDENTIFIER  = 1
+    METAS_IDENTIFIER = 3
+    STRING_IDENTIFIER = 4
+
+    attr_reader :callback_type, :rule
+
+    def initialize(callback_type, rule_ptr)
+      @callback_type = callback_type
+      @rule = YrRule.new(rule_ptr)
+    end
+
+    def rule_name
+      @rule.values[RULE_IDENTIFIER]
+    end
+
+    def rule_meta
+      metas = {}
+      reading_metas = true
+      meta_index = 0
+      meta_pointer = @rule.values[METAS_IDENTIFIER]
+      while reading_metas do
+        meta = YrMeta.new(meta_pointer + meta_index * YrMeta.size)
+        metas.merge!(meta_as_hash(meta))
+        flags = meta.values.last
+        if flags == META_FLAGS_LAST_IN_RULE
+          reading_metas = false
+        else
+          meta_index += 1
+        end
+      end
+      metas
+    end
+
+    def rule_strings
+      strings = {}
+      reading_strings = true
+      string_index = 0
+      string_pointer = @rule.values[STRING_IDENTIFIER]
+      while reading_strings do
+        string = YrString.new(string_pointer + string_index * YrString.size)
+        string_length = string.values[STRING_LENGTH]
+        flags = string.values.first
+        if flags == STRING_FLAGS_LAST_IN_RULE
+          reading_strings = false
+        else
+          strings.merge!(string_as_hash(string)) unless string_length == 0
+          string_index += 1
+        end
+      end
+      strings
+    end
+
+    def scan_complete?
+      callback_type == SCAN_FINISHED
+    end
+
+    def rule_outcome?
+      [RULE_MATCHING, RULE_NOT_MATCHING].include?(callback_type)
+    end
+
+    def match?
+      callback_type == RULE_MATCHING
+    end
+
+    private
+
+    def meta_as_hash(meta)
+      name, string_value, int_value, type, _flags = meta.values
+      value = meta_value(string_value, int_value, type)
+      { name.to_sym => value }
+    end
+
+    def string_as_hash(yr_string)
+      string_pointer = yr_string.values[STRING_POINTER]
+      string_identifier = yr_string.values.last
+      { string_identifier.to_sym => string_pointer.read_string }
+    end
+
+    def meta_value(string_value, int_value, type)
+      if type == META_TYPE_INTEGER
+        int_value
+      elsif type == META_TYPE_BOOLEAN
+        int_value == 1
+      else
+        string_value
+      end
+    end
+  end
+end

data/lib/yara/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Yara
-  VERSION = "1.0.0"
+  VERSION = "2.1.1"
 end

data/lib/yara/yr_meta.rb

@@ -2,6 +2,9 @@ module Yara
   class YrMeta < FFI::Struct
     layout \
       :identifier, :string,
-      :type, :int32_t
+      :string, :string,
+      :integer, :int64_t,
+      :type, :int32_t,
+      :flags, :int32_t
   end
 end

data/lib/yara/yr_rule.rb

@@ -4,8 +4,8 @@ module Yara
       :flags, :int32_t,
       :identifier, :string,
       :tags, :string,
-      :metas, YrMeta.ptr,
-      :strings, YrString.ptr,
+      :metas, :pointer,
+      :strings, :pointer,
       :ns, YrNamespace.ptr
   end
 end

data/lib/yara/yr_string.rb

@@ -1,5 +1,15 @@
 module Yara
   class YrString < FFI::Struct
-    layout :identifier, :string
+    layout \
+      :flags, :uint32_t,
+      :idx, :uint32_t,
+      :fixed_offset, :int64_t,
+      :rule_idx, :uint32_t,
+      :length, :int32_t,
+      :string, :pointer,
+      :chained_to, :pointer,
+      :chain_gap_min, :int32_t,
+      :chain_gap_max, :int32_t,
+      :identifier, :string
   end
 end

data/lib/yara.rb

@@ -2,22 +2,17 @@
 
 require "ffi"
 require "pry"
-require_relative "yara/version"
 require_relative "yara/ffi"
+require_relative "yara/scan_result"
+require_relative "yara/version"
 
-# TBD
 module Yara
-  class Error < StandardError; end
-
-  CALLBACK_MSG_RULE_MATCHING     = 1
-  CALLBACK_MSG_RULE_NOT_MATCHING = 2
-  CALLBACK_MSG_SCAN_FINISHED     = 3
+  SCAN_FINISHED = 3
 
-  RULE_IDENTIFIER = 1
+  class Error < StandardError; end
 
   def self.test(rule_string, test_string)
     user_data = UserData.new
-    user_data[:number] = 42
     scanning = true
     results = []
 
@@ -38,23 +33,25 @@ module Yara
     Yara::FFI.yr_compiler_get_rules(compiler_pointer, rules_pointer)
     rules_pointer = rules_pointer.get_pointer(0)
 
-    result_callback = proc do |context_ptr, message, message_data_ptr, user_data_ptr|
-      rule = YrRule.new(message_data_ptr)
-
-      case message
-      when CALLBACK_MSG_RULE_MATCHING
-        results << rule.values[RULE_IDENTIFIER]
-      when CALLBACK_MSG_SCAN_FINISHED
+    result_callback = proc do |context_ptr, callback_type, rule_ptr, user_data_ptr|
+      if callback_type == SCAN_FINISHED
         scanning = false
+      else
+        result = ScanResult.new(callback_type, rule_ptr)
+        results << result if result.rule_outcome?
       end
 
       0 # ERROR_SUCCESS
     end
 
+    test_string_bytesize = test_string.bytesize
+    test_string_pointer = ::FFI::MemoryPointer.new(:char, test_string_bytesize)
+    test_string_pointer.put_bytes(0, test_string)
+
     Yara::FFI.yr_rules_scan_mem(
       rules_pointer,
-      test_string,
-      test_string.bytesize,
+      test_string_pointer,
+      test_string_bytesize,
       0,
       result_callback,
       user_data,
@@ -66,6 +63,8 @@ module Yara
 
     results
   ensure
+    Yara::FFI.yr_rules_destroy(rules_pointer)
+    Yara::FFI.yr_compiler_destroy(compiler_pointer)
     Yara::FFI.yr_finalize
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: yara-ffi
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 2.1.1
 platform: ruby
 authors:
 - Jonathan Hoyt
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-08-16 00:00:00.000000000 Z
+date: 2021-08-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ffi
@@ -45,6 +45,7 @@ files:
 - bin/setup
 - lib/yara.rb
 - lib/yara/ffi.rb
+- lib/yara/scan_result.rb
 - lib/yara/user_data.rb
 - lib/yara/version.rb
 - lib/yara/yr_meta.rb