yara-ffi 2.0.0 → 3.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 77c78c082eac821fd90e99808b1d944d7ac5e0a4c597339d46e9d9806cc61a17
-  data.tar.gz: 75a6e4cb0f1d9b6b89d611bfd615006b5f638532337a8a6b03d5e37bd697a6a5
+  metadata.gz: 814d5fa21cda6f98707e038549321eab8ce359f013c47d36e8d0845c05ff0b2c
+  data.tar.gz: 531d85f217da5f9bec89de9319ee5f9f33c3a801ec75db439de1fa377612c88e
 SHA512:
-  metadata.gz: de69cea095663dc7a7fe66d896d846139328f3e0e47d07c3ad05340e9f99ee755311da3ec6ab1afc19ddda809fea1de04274fecf4404544c0e7ed48bde48e3de
-  data.tar.gz: c09131210c41e871d677b0779f2a736dad22c6ba1c32d3e155f1083bb4886b3d6d0815c293889a8da497b3af882fad5fb31d234c46733243cefc576c023ee964
+  metadata.gz: 3fd910b4f3ea435dcc5cfaa1763fe7cd33727bc77929b52d326d4f3baaad7caff2671c73100ec5102bdb61f9ac34d330ad2a33626faaeebf65ff16dde7d7e6fe
+  data.tar.gz: 53133f057a23dc32227a6c603322cdd5b9da273416bdd6aad9245b4c270249c83dd8e8f5211f531be1180a12c28825824977966425456bd9c18ff8883566f7bb

data/Dockerfile

@@ -0,0 +1,17 @@
+FROM ruby:2.6.6
+
+RUN apt-get update -qq
+RUN apt-get install -y flex bison
+
+WORKDIR /app
+
+COPY . ./
+RUN gem install bundler:2.2.15
+RUN bundle install
+
+RUN git clone --recursive --branch v4.1.1 https://github.com/VirusTotal/yara.git /tmp/yara && \
+  cd /tmp/yara/ && \
+  ./bootstrap.sh && \
+  ./configure && \
+  make && \
+  make install

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    yara-ffi (1.0.0)
+    yara-ffi (2.1.1)
       ffi
 
 GEM
@@ -9,7 +9,7 @@ GEM
   specs:
     ast (2.4.2)
     coderay (1.1.3)
-    ffi (1.15.0)
+    ffi (1.15.4)
     method_source (1.0.0)
     minitest (5.14.4)
     parallel (1.20.1)
@@ -48,4 +48,4 @@ DEPENDENCIES
   yara-ffi!
 
 BUNDLED WITH
-   2.2.14
+   2.2.15

data/README.md

@@ -20,7 +20,34 @@ Or install it yourself as:
 
 ## Usage
 
-TODO: Write usage instructions here
+```ruby
+Yara.start # run before you start using the Yara API.
+
+rule = <<-RULE
+rule ExampleRule
+{
+meta:
+    string_meta = "an example rule for testing"
+
+strings:
+    $my_text_string = "we were here"
+    $my_text_regex = /were here/
+
+condition:
+    $my_text_string or $my_text_regex
+}
+RULE
+
+scanner = Yara::Scanner.new
+scanner.add_rule(rule)
+scanner.compile
+result = scanner.call("one day we were here and then we were not")
+result.match?
+# => true
+
+scanner.close   # run when you are done using the scanner API and want to free up memory.
+Yara.stop       # run when you are completely done using the Yara API to free up memory.
+```
 
 ## Development
 

data/lib/yara/ffi.rb

@@ -35,6 +35,11 @@ module Yara
       :pointer, # compiler_pointer
     ], :void
 
+    # int yr_rules_destroy(YR_RULES* rules)
+    attach_function :yr_rules_destroy, [
+      :pointer, # rules_pointer
+    ], :void
+
     # void callback_function(
     #   int error_level,
     #   const char* file_name,
@@ -85,9 +90,9 @@ module Yara
     #   void* user_data)
     callback :scan_callback, [
       :pointer,       # YR_SCAN_CONTEXT*
-      :int,           # message
-      :pointer,       # message_data_pointer
-      :pointer,       # user_data_pointer
+      :int,           # callback_type
+      YrRule.ptr,     # rule
+      UserData.ptr,   # user_data
     ], :int
 
     # int yr_rules_scan_mem(
@@ -100,7 +105,7 @@ module Yara
     #   int timeout)
     attach_function :yr_rules_scan_mem, [
       :pointer,       # rules_pointer*
-      :string,        # buffer (aka test subject)
+      :pointer,       # buffer (aka test subject)
       :size_t,        # buffer size (String#bytesize)
       :int,           # flags
       :scan_callback, # proc

data/lib/yara/scan_result.rb

@@ -6,32 +6,50 @@ module Yara
     META_FLAGS_LAST_IN_RULE = 1
 
     META_TYPE_INTEGER = 1
-    META_TYPE_STRING  = 2
+    # META_TYPE_STRING  = 2
     META_TYPE_BOOLEAN = 3
 
-    RULE_IDENTIFIER  = 1
-    METAS_IDENTIFIER = 3
+    STRING_FLAGS_LAST_IN_RULE = 0
 
     attr_reader :callback_type, :rule
 
-    def initialize(callback_type, rule_ptr)
+    def initialize(callback_type, rule, user_data)
       @callback_type = callback_type
-      @rule = YrRule.new(rule_ptr)
+      @rule = rule
+      @rule_meta = extract_rule_meta
+      @rule_strings = extract_rule_strings
+      @user_data_number = user_data[:number]
     end
 
+    attr_reader :rule_meta, :rule_strings, :user_data_number
+
     def rule_name
-      @rule.values[RULE_IDENTIFIER]
+      @rule[:identifier]
+    end
+
+    def scan_complete?
+      callback_type == SCAN_FINISHED
     end
 
-    def rule_meta
+    def rule_outcome?
+      [RULE_MATCHING, RULE_NOT_MATCHING].include?(callback_type)
+    end
+
+    def match?
+      callback_type == RULE_MATCHING
+    end
+
+    private
+
+    def extract_rule_meta
       metas = {}
       reading_metas = true
       meta_index = 0
-      meta_pointer = @rule.values[METAS_IDENTIFIER]
+      meta_pointer = @rule[:metas]
       while reading_metas do
         meta = YrMeta.new(meta_pointer + meta_index * YrMeta.size)
         metas.merge!(meta_as_hash(meta))
-        flags = meta.values.last
+        flags = meta[:flags]
         if flags == META_FLAGS_LAST_IN_RULE
           reading_metas = false
         else
@@ -41,24 +59,34 @@ module Yara
       metas
     end
 
-    def scan_complete?
-      callback_type == SCAN_FINISHED
-    end
-
-    def rule_outcome?
-      [RULE_MATCHING, RULE_NOT_MATCHING].include?(callback_type)
+    def extract_rule_strings
+      strings = {}
+      reading_strings = true
+      string_index = 0
+      string_pointer = @rule[:strings]
+      while reading_strings do
+        string = YrString.new(string_pointer + string_index * YrString.size)
+        string_length = string[:length]
+        flags = string[:flags]
+        if flags == STRING_FLAGS_LAST_IN_RULE
+          reading_strings = false
+        else
+          strings.merge!(string_as_hash(string)) unless string_length == 0
+          string_index += 1
+        end
+      end
+      strings
     end
 
-    def match?
-      callback_type == RULE_MATCHING
+    def meta_as_hash(meta)
+      value = meta_value(meta[:string], meta[:integer], meta[:type])
+      { meta[:identifier].to_sym => value }
     end
 
-    private
-
-    def meta_as_hash(meta)
-      name, string_value, int_value, type, _flags = meta.values
-      value = meta_value(string_value, int_value, type)
-      { name.to_sym => value }
+    def string_as_hash(yr_string)
+      string_pointer = yr_string[:string]
+      string_identifier = yr_string[:identifier]
+      { string_identifier.to_sym => string_pointer.read_string }
     end
 
     def meta_value(string_value, int_value, type)

data/lib/yara/scanner.rb

@@ -0,0 +1,81 @@
+module Yara
+  class Scanner
+    class NotCompiledError < StandardError; end
+
+    ERROR_CALLBACK = proc do |error_level, file_name, line_number, rule, message, user_data|
+      # noop
+    end
+
+    SCAN_FINISHED = 3
+
+    # Public: Initializes instance of scanner. Under the hood this calls yr_initialize, then
+    # creates a pointer, then calls yr_compiler_create with that pointer.
+    #
+    # error_callback: (optional) Proc to be called when an error occurs.
+    # user_data: (optional) Instance of UserData to store and pass information.
+    def initialize(error_callback: ERROR_CALLBACK, user_data: UserData.new)
+      @error_callback = error_callback
+      @user_data = user_data
+      @compiler_pointer = ::FFI::MemoryPointer.new(:pointer)
+      Yara::FFI.yr_compiler_create(@compiler_pointer)
+      @compiler_pointer = @compiler_pointer.get_pointer(0)
+      Yara::FFI.yr_compiler_set_callback(@compiler_pointer, error_callback, user_data)
+    end
+
+    # Public: Adds a rule to the scanner and returns the namespace value. If a namespace
+    # is not provided it will default to nil and use the global namespace.
+    #
+    # rule_string - String containing the Yara rule to be added.
+    # namespace:    (optional) String containing the namespace to be used for the rule.
+    def add_rule(rule_string, namespace: nil)
+      Yara::FFI.yr_compiler_add_string(@compiler_pointer, rule_string, namespace)
+    end
+
+    def compile
+      @rules_pointer = ::FFI::MemoryPointer.new(:pointer)
+      Yara::FFI.yr_compiler_get_rules(@compiler_pointer, @rules_pointer)
+      @rules_pointer = @rules_pointer.get_pointer(0)
+      Yara::FFI.yr_compiler_destroy(@compiler_pointer)
+    end
+
+    def call(test_string)
+      raise NotCompiledError unless @rules_pointer
+
+      results = []
+      scanning = true
+      result_callback = proc do |context_ptr, callback_type, rule, user_data|
+        if callback_type == SCAN_FINISHED
+          scanning = false
+        else
+          result = ScanResult.new(callback_type, rule, user_data)
+          results << result if result.rule_outcome?
+        end
+
+        0 # ERROR_SUCCESS
+      end
+
+      test_string_bytesize = test_string.bytesize
+      test_string_pointer = ::FFI::MemoryPointer.new(:char, test_string_bytesize)
+      test_string_pointer.put_bytes(0, test_string)
+
+      Yara::FFI.yr_rules_scan_mem(
+        @rules_pointer,
+        test_string_pointer,
+        test_string_bytesize,
+        0,
+        result_callback,
+        @user_data,
+        1,
+      )
+
+      while scanning do
+      end
+
+      results
+    end
+
+    def close
+      Yara::FFI.yr_rules_destroy(@rules_pointer)
+    end
+  end
+end

data/lib/yara/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Yara
-  VERSION = "2.0.0"
+  VERSION = "3.0.0"
 end

data/lib/yara/yr_rule.rb

@@ -5,7 +5,7 @@ module Yara
       :identifier, :string,
       :tags, :string,
       :metas, :pointer,
-      :strings, YrString.ptr,
+      :strings, :pointer,
       :ns, YrNamespace.ptr
   end
 end

data/lib/yara/yr_string.rb

@@ -1,5 +1,15 @@
 module Yara
   class YrString < FFI::Struct
-    layout :identifier, :string
+    layout \
+      :flags, :uint32_t,
+      :idx, :uint32_t,
+      :fixed_offset, :int64_t,
+      :rule_idx, :uint32_t,
+      :length, :int32_t,
+      :string, :pointer,
+      :chained_to, :pointer,
+      :chain_gap_min, :int32_t,
+      :chain_gap_max, :int32_t,
+      :identifier, :string
   end
 end

data/lib/yara.rb

@@ -4,61 +4,26 @@ require "ffi"
 require "pry"
 require_relative "yara/ffi"
 require_relative "yara/scan_result"
+require_relative "yara/scanner"
 require_relative "yara/version"
 
 module Yara
-  SCAN_FINISHED = 3
-
-  class Error < StandardError; end
-
-  def self.test(rule_string, test_string)
-    user_data = UserData.new
-    scanning = true
-    results = []
-
+  def self.start
     Yara::FFI.yr_initialize
+  end
 
-    compiler_pointer = ::FFI::MemoryPointer.new(:pointer)
-    Yara::FFI.yr_compiler_create(compiler_pointer)
-    compiler_pointer = compiler_pointer.get_pointer(0)
-
-    error_callback = proc do |error_level, file_name, line_number, rule, message, user_data|
-      # noop
-    end
-
-    Yara::FFI.yr_compiler_set_callback(compiler_pointer, error_callback, user_data)
-    Yara::FFI.yr_compiler_add_string(compiler_pointer, rule_string, nil)
-
-    rules_pointer =::FFI::MemoryPointer.new(:pointer)
-    Yara::FFI.yr_compiler_get_rules(compiler_pointer, rules_pointer)
-    rules_pointer = rules_pointer.get_pointer(0)
-
-    result_callback = proc do |context_ptr, callback_type, rule_ptr, user_data_ptr|
-      if callback_type == SCAN_FINISHED
-        scanning = false
-      else
-        result = ScanResult.new(callback_type, rule_ptr)
-        results << result if result.rule_outcome?
-      end
-
-      0 # ERROR_SUCCESS
-    end
-
-    Yara::FFI.yr_rules_scan_mem(
-      rules_pointer,
-      test_string,
-      test_string.bytesize,
-      0,
-      result_callback,
-      user_data,
-      1,
-    )
-
-    while scanning do
-    end
+  def self.stop
+    Yara::FFI.yr_finalize
+  end
 
-    results
+  def self.test(rule_string, test_string)
+    start
+    scanner = Yara::Scanner.new
+    scanner.add_rule(rule_string)
+    scanner.compile
+    scanner.call(test_string)
   ensure
-    Yara::FFI.yr_finalize
+    scanner.close
+    stop
   end
 end

data/script/bootstrap

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+docker build . -t yara-ffi

data/script/test

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+docker run -it --mount type=bind,src="$(pwd)",dst=/app yara-ffi bundle exec rake

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: yara-ffi
 version: !ruby/object:Gem::Version
-  version: 2.0.0
+  version: 3.0.0
 platform: ruby
 authors:
 - Jonathan Hoyt
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-08-24 00:00:00.000000000 Z
+date: 2021-10-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ffi
@@ -36,6 +36,7 @@ files:
 - ".rubocop.yml"
 - CHANGELOG.md
 - CODE_OF_CONDUCT.md
+- Dockerfile
 - Gemfile
 - Gemfile.lock
 - LICENSE.txt
@@ -46,28 +47,15 @@ files:
 - lib/yara.rb
 - lib/yara/ffi.rb
 - lib/yara/scan_result.rb
+- lib/yara/scanner.rb
 - lib/yara/user_data.rb
 - lib/yara/version.rb
 - lib/yara/yr_meta.rb
 - lib/yara/yr_namespace.rb
 - lib/yara/yr_rule.rb
 - lib/yara/yr_string.rb
-- vendor/cache/ast-2.4.2.gem
-- vendor/cache/coderay-1.1.3.gem
-- vendor/cache/ffi-1.15.0.gem
-- vendor/cache/method_source-1.0.0.gem
-- vendor/cache/minitest-5.14.4.gem
-- vendor/cache/parallel-1.20.1.gem
-- vendor/cache/parser-3.0.0.0.gem
-- vendor/cache/pry-0.14.0.gem
-- vendor/cache/rainbow-3.0.0.gem
-- vendor/cache/rake-13.0.3.gem
-- vendor/cache/regexp_parser-2.1.1.gem
-- vendor/cache/rexml-3.2.4.gem
-- vendor/cache/rubocop-1.11.0.gem
-- vendor/cache/rubocop-ast-1.4.1.gem
-- vendor/cache/ruby-progressbar-1.11.0.gem
-- vendor/cache/unicode-display_width-2.0.0.gem
+- script/bootstrap
+- script/test
 - yara-ffi.gemspec
 homepage: https://github.com/jonmagic/yara-ffi
 licenses: