yara-ffi 2.1.0 → 3.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 69d13f5f4b62199af83b30a5bb43366c98bd298b10f11b33d54ce931b5b3a23b
-  data.tar.gz: 384f0506d4781049c57f143243b4b8ff9fb7c46fc95cd8e9fe781d39e16c22ce
+  metadata.gz: 8093d210271e152cfd1d66f69169f9efaf46838ad93dd5473a0b11a242bc0164
+  data.tar.gz: a73687b9d7a3e7d098d4706c7c558954f1963a8bf8b3206984cdccd8dd757d2d
 SHA512:
-  metadata.gz: 6811bee54889a6a95a01df893fe694e3fc2bd1a424063c7d51aa222f6a37e7b202dbcee06ed58b7768b9b348b530918b3e093994ac753831823951ac194a21cd
-  data.tar.gz: b58b0fa59f64501b560f99b012ea2132617e16811988e70d887838df157028fabdeed2109ba723389e1830e411c111233f1f0a1ef6e877913ac55849d37203dc
+  metadata.gz: 879454866631eb296874a07aed2848a3252d547b45b593245114a0bb57404b5bea0badfecb553f77bd0029727112bfd9cde527f8722c3dfcf55e73f16a0cb6f7
+  data.tar.gz: 6cc31a9d0e330897c3133fd17d90ddac3e7b54a1b073af31235185e3e70a2738fa8041e9adc8c087e5867d34dc4ffaed3f75c7c54d4be08bdfe60059d5c0e672

data/Dockerfile

@@ -0,0 +1,17 @@
+FROM ruby:2.6.6
+
+RUN apt-get update -qq
+RUN apt-get install -y flex bison
+
+WORKDIR /app
+
+COPY . ./
+RUN gem install bundler:2.2.15
+RUN bundle install
+
+RUN git clone --recursive --branch v4.1.1 https://github.com/VirusTotal/yara.git /tmp/yara && \
+  cd /tmp/yara/ && \
+  ./bootstrap.sh && \
+  ./configure && \
+  make && \
+  make install

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    yara-ffi (1.0.0)
+    yara-ffi (3.0.0)
       ffi
 
 GEM
@@ -9,7 +9,7 @@ GEM
   specs:
     ast (2.4.2)
     coderay (1.1.3)
-    ffi (1.15.0)
+    ffi (1.15.5)
     method_source (1.0.0)
     minitest (5.14.4)
     parallel (1.20.1)
@@ -37,6 +37,8 @@ GEM
     unicode-display_width (2.0.0)
 
 PLATFORMS
+  aarch64-linux
+  arm64-darwin-21
   x86_64-darwin-19
   x86_64-linux
 
@@ -48,4 +50,4 @@ DEPENDENCIES
   yara-ffi!
 
 BUNDLED WITH
-   2.2.14
+   2.2.32

data/README.md

@@ -20,7 +20,34 @@ Or install it yourself as:
 
 ## Usage
 
-TODO: Write usage instructions here
+```ruby
+Yara.start # run before you start using the Yara API.
+
+rule = <<-RULE
+rule ExampleRule
+{
+meta:
+    string_meta = "an example rule for testing"
+
+strings:
+    $my_text_string = "we were here"
+    $my_text_regex = /were here/
+
+condition:
+    $my_text_string or $my_text_regex
+}
+RULE
+
+scanner = Yara::Scanner.new
+scanner.add_rule(rule)
+scanner.compile
+result = scanner.call("one day we were here and then we were not").first
+result.match?
+# => true
+
+scanner.close   # run when you are done using the scanner API and want to free up memory.
+Yara.stop       # run when you are completely done using the Yara API to free up memory.
+```
 
 ## Development
 

data/lib/yara/ffi.rb

@@ -35,6 +35,11 @@ module Yara
       :pointer, # compiler_pointer
     ], :void
 
+    # int yr_rules_destroy(YR_RULES* rules)
+    attach_function :yr_rules_destroy, [
+      :pointer, # rules_pointer
+    ], :void
+
     # void callback_function(
     #   int error_level,
     #   const char* file_name,
@@ -85,9 +90,9 @@ module Yara
     #   void* user_data)
     callback :scan_callback, [
       :pointer,       # YR_SCAN_CONTEXT*
-      :int,           # message
-      :pointer,       # message_data_pointer
-      :pointer,       # user_data_pointer
+      :int,           # callback_type
+      YrRule.ptr,     # rule
+      UserData.ptr,   # user_data
     ], :int
 
     # int yr_rules_scan_mem(

data/lib/yara/scan_result.rb

@@ -6,38 +6,50 @@ module Yara
     META_FLAGS_LAST_IN_RULE = 1
 
     META_TYPE_INTEGER = 1
-    META_TYPE_STRING  = 2
+    # META_TYPE_STRING  = 2
     META_TYPE_BOOLEAN = 3
 
     STRING_FLAGS_LAST_IN_RULE = 0
 
-    STRING_LENGTH = 4
-    STRING_POINTER = 5
-
-    RULE_IDENTIFIER  = 1
-    METAS_IDENTIFIER = 3
-    STRING_IDENTIFIER = 4
-
     attr_reader :callback_type, :rule
 
-    def initialize(callback_type, rule_ptr)
+    def initialize(callback_type, rule, user_data)
       @callback_type = callback_type
-      @rule = YrRule.new(rule_ptr)
+      @rule = rule
+      @rule_meta = extract_rule_meta
+      @rule_strings = extract_rule_strings
+      @user_data_number = user_data[:number]
     end
 
+    attr_reader :rule_meta, :rule_strings, :user_data_number
+
     def rule_name
-      @rule.values[RULE_IDENTIFIER]
+      @rule[:identifier]
+    end
+
+    def scan_complete?
+      callback_type == SCAN_FINISHED
+    end
+
+    def rule_outcome?
+      [RULE_MATCHING, RULE_NOT_MATCHING].include?(callback_type)
+    end
+
+    def match?
+      callback_type == RULE_MATCHING
     end
 
-    def rule_meta
+    private
+
+    def extract_rule_meta
       metas = {}
       reading_metas = true
       meta_index = 0
-      meta_pointer = @rule.values[METAS_IDENTIFIER]
+      meta_pointer = @rule[:metas]
       while reading_metas do
         meta = YrMeta.new(meta_pointer + meta_index * YrMeta.size)
         metas.merge!(meta_as_hash(meta))
-        flags = meta.values.last
+        flags = meta[:flags]
         if flags == META_FLAGS_LAST_IN_RULE
           reading_metas = false
         else
@@ -47,15 +59,15 @@ module Yara
       metas
     end
 
-    def rule_strings
+    def extract_rule_strings
       strings = {}
       reading_strings = true
       string_index = 0
-      string_pointer = @rule.values[STRING_IDENTIFIER]
+      string_pointer = @rule[:strings]
       while reading_strings do
         string = YrString.new(string_pointer + string_index * YrString.size)
-        string_length = string.values[STRING_LENGTH]
-        flags = string.values.first
+        string_length = string[:length]
+        flags = string[:flags]
         if flags == STRING_FLAGS_LAST_IN_RULE
           reading_strings = false
         else
@@ -66,29 +78,14 @@ module Yara
       strings
     end
 
-    def scan_complete?
-      callback_type == SCAN_FINISHED
-    end
-
-    def rule_outcome?
-      [RULE_MATCHING, RULE_NOT_MATCHING].include?(callback_type)
-    end
-
-    def match?
-      callback_type == RULE_MATCHING
-    end
-
-    private
-
     def meta_as_hash(meta)
-      name, string_value, int_value, type, _flags = meta.values
-      value = meta_value(string_value, int_value, type)
-      { name.to_sym => value }
+      value = meta_value(meta[:string], meta[:integer], meta[:type])
+      { meta[:identifier].to_sym => value }
     end
 
     def string_as_hash(yr_string)
-      string_pointer = yr_string.values[STRING_POINTER]
-      string_identifier = yr_string.values.last
+      string_pointer = yr_string[:string]
+      string_identifier = yr_string[:identifier]
       { string_identifier.to_sym => string_pointer.read_string }
     end
 

data/lib/yara/scanner.rb

@@ -0,0 +1,81 @@
+module Yara
+  class Scanner
+    class NotCompiledError < StandardError; end
+
+    ERROR_CALLBACK = proc do |error_level, file_name, line_number, rule, message, user_data|
+      # noop
+    end
+
+    SCAN_FINISHED = 3
+
+    # Public: Initializes instance of scanner. Under the hood this creates a pointer,
+    # then calls yr_compiler_create with that pointer.
+    #
+    # error_callback: (optional) Proc to be called when an error occurs.
+    # user_data: (optional) Instance of UserData to store and pass information.
+    def initialize(error_callback: ERROR_CALLBACK, user_data: UserData.new)
+      @error_callback = error_callback
+      @user_data = user_data
+      @compiler_pointer = ::FFI::MemoryPointer.new(:pointer)
+      Yara::FFI.yr_compiler_create(@compiler_pointer)
+      @compiler_pointer = @compiler_pointer.get_pointer(0)
+      Yara::FFI.yr_compiler_set_callback(@compiler_pointer, error_callback, user_data)
+    end
+
+    # Public: Adds a rule to the scanner and returns the namespace value. If a namespace
+    # is not provided it will default to nil and use the global namespace.
+    #
+    # rule_string - String containing the Yara rule to be added.
+    # namespace:    (optional) String containing the namespace to be used for the rule.
+    def add_rule(rule_string, namespace: nil)
+      Yara::FFI.yr_compiler_add_string(@compiler_pointer, rule_string, namespace)
+    end
+
+    def compile
+      @rules_pointer = ::FFI::MemoryPointer.new(:pointer)
+      Yara::FFI.yr_compiler_get_rules(@compiler_pointer, @rules_pointer)
+      @rules_pointer = @rules_pointer.get_pointer(0)
+      Yara::FFI.yr_compiler_destroy(@compiler_pointer)
+    end
+
+    def call(test_string)
+      raise NotCompiledError unless @rules_pointer
+
+      results = []
+      scanning = true
+      result_callback = proc do |context_ptr, callback_type, rule, user_data|
+        if callback_type == SCAN_FINISHED
+          scanning = false
+        else
+          result = ScanResult.new(callback_type, rule, user_data)
+          results << result if result.rule_outcome?
+        end
+
+        0 # ERROR_SUCCESS
+      end
+
+      test_string_bytesize = test_string.bytesize
+      test_string_pointer = ::FFI::MemoryPointer.new(:char, test_string_bytesize)
+      test_string_pointer.put_bytes(0, test_string)
+
+      Yara::FFI.yr_rules_scan_mem(
+        @rules_pointer,
+        test_string_pointer,
+        test_string_bytesize,
+        0,
+        result_callback,
+        @user_data,
+        1,
+      )
+
+      while scanning do
+      end
+
+      results
+    end
+
+    def close
+      Yara::FFI.yr_rules_destroy(@rules_pointer)
+    end
+  end
+end

data/lib/yara/user_data.rb

@@ -1,5 +1,5 @@
 module Yara
   class UserData < FFI::Struct
-    layout :number, :int32
+    layout :number, :int
   end
 end

data/lib/yara/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Yara
-  VERSION = "2.1.0"
+  VERSION = "3.1.0"
 end

data/lib/yara/yr_meta.rb

@@ -3,8 +3,8 @@ module Yara
     layout \
       :identifier, :string,
       :string, :string,
-      :integer, :int64_t,
-      :type, :int32_t,
-      :flags, :int32_t
+      :integer, :ulong_long,
+      :type, :int,
+      :flags, :int
   end
 end

data/lib/yara/yr_rule.rb

@@ -1,7 +1,7 @@
 module Yara
   class YrRule < FFI::Struct
     layout \
-      :flags, :int32_t,
+      :flags, :int,
       :identifier, :string,
       :tags, :string,
       :metas, :pointer,

data/lib/yara/yr_string.rb

@@ -1,15 +1,15 @@
 module Yara
   class YrString < FFI::Struct
     layout \
-      :flags, :uint32_t,
-      :idx, :uint32_t,
-      :fixed_offset, :int64_t,
-      :rule_idx, :uint32_t,
-      :length, :int32_t,
+      :flags, :uint,
+      :idx, :uint,
+      :fixed_offset, :ulong_long,
+      :rule_idx, :uint,
+      :length, :uint,
       :string, :pointer,
       :chained_to, :pointer,
-      :chain_gap_min, :int32_t,
-      :chain_gap_max, :int32_t,
+      :chain_gap_min, :uint,
+      :chain_gap_max, :uint,
       :identifier, :string
   end
 end

data/lib/yara.rb

@@ -4,65 +4,26 @@ require "ffi"
 require "pry"
 require_relative "yara/ffi"
 require_relative "yara/scan_result"
+require_relative "yara/scanner"
 require_relative "yara/version"
 
 module Yara
-  SCAN_FINISHED = 3
-
-  class Error < StandardError; end
-
-  def self.test(rule_string, test_string)
-    user_data = UserData.new
-    scanning = true
-    results = []
-
+  def self.start
     Yara::FFI.yr_initialize
+  end
 
-    compiler_pointer = ::FFI::MemoryPointer.new(:pointer)
-    Yara::FFI.yr_compiler_create(compiler_pointer)
-    compiler_pointer = compiler_pointer.get_pointer(0)
-
-    error_callback = proc do |error_level, file_name, line_number, rule, message, user_data|
-      # noop
-    end
-
-    Yara::FFI.yr_compiler_set_callback(compiler_pointer, error_callback, user_data)
-    Yara::FFI.yr_compiler_add_string(compiler_pointer, rule_string, nil)
-
-    rules_pointer =::FFI::MemoryPointer.new(:pointer)
-    Yara::FFI.yr_compiler_get_rules(compiler_pointer, rules_pointer)
-    rules_pointer = rules_pointer.get_pointer(0)
-
-    result_callback = proc do |context_ptr, callback_type, rule_ptr, user_data_ptr|
-      if callback_type == SCAN_FINISHED
-        scanning = false
-      else
-        result = ScanResult.new(callback_type, rule_ptr)
-        results << result if result.rule_outcome?
-      end
-
-      0 # ERROR_SUCCESS
-    end
-
-    test_string_bytesize = test_string.bytesize
-    test_string_pointer = ::FFI::MemoryPointer.new(:char, test_string_bytesize)
-    test_string_pointer.put_bytes(0, test_string)
-
-    Yara::FFI.yr_rules_scan_mem(
-      rules_pointer,
-      test_string_pointer,
-      test_string_bytesize,
-      0,
-      result_callback,
-      user_data,
-      1,
-    )
-
-    while scanning do
-    end
+  def self.stop
+    Yara::FFI.yr_finalize
+  end
 
-    results
+  def self.test(rule_string, test_string)
+    start
+    scanner = Yara::Scanner.new
+    scanner.add_rule(rule_string)
+    scanner.compile
+    scanner.call(test_string)
   ensure
-    Yara::FFI.yr_finalize
+    scanner.close
+    stop
   end
 end

data/script/bootstrap

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+docker build . -t yara-ffi

data/script/test

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+docker run -it --mount type=bind,src="$(pwd)",dst=/app yara-ffi bundle exec rake

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: yara-ffi
 version: !ruby/object:Gem::Version
-  version: 2.1.0
+  version: 3.1.0
 platform: ruby
 authors:
 - Jonathan Hoyt
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-08-30 00:00:00.000000000 Z
+date: 2022-04-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ffi
@@ -36,6 +36,7 @@ files:
 - ".rubocop.yml"
 - CHANGELOG.md
 - CODE_OF_CONDUCT.md
+- Dockerfile
 - Gemfile
 - Gemfile.lock
 - LICENSE.txt
@@ -46,28 +47,15 @@ files:
 - lib/yara.rb
 - lib/yara/ffi.rb
 - lib/yara/scan_result.rb
+- lib/yara/scanner.rb
 - lib/yara/user_data.rb
 - lib/yara/version.rb
 - lib/yara/yr_meta.rb
 - lib/yara/yr_namespace.rb
 - lib/yara/yr_rule.rb
 - lib/yara/yr_string.rb
-- vendor/cache/ast-2.4.2.gem
-- vendor/cache/coderay-1.1.3.gem
-- vendor/cache/ffi-1.15.0.gem
-- vendor/cache/method_source-1.0.0.gem
-- vendor/cache/minitest-5.14.4.gem
-- vendor/cache/parallel-1.20.1.gem
-- vendor/cache/parser-3.0.0.0.gem
-- vendor/cache/pry-0.14.0.gem
-- vendor/cache/rainbow-3.0.0.gem
-- vendor/cache/rake-13.0.3.gem
-- vendor/cache/regexp_parser-2.1.1.gem
-- vendor/cache/rexml-3.2.4.gem
-- vendor/cache/rubocop-1.11.0.gem
-- vendor/cache/rubocop-ast-1.4.1.gem
-- vendor/cache/ruby-progressbar-1.11.0.gem
-- vendor/cache/unicode-display_width-2.0.0.gem
+- script/bootstrap
+- script/test
 - yara-ffi.gemspec
 homepage: https://github.com/jonmagic/yara-ffi
 licenses:
@@ -76,7 +64,7 @@ metadata:
   homepage_uri: https://github.com/jonmagic/yara-ffi
   source_code_uri: https://github.com/jonmagic/yara-ffi
   changelog_uri: https://github.com/jonmagic/yara-ffi/main/CHANGELOG.md,
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -91,8 +79,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
-signing_key: 
+rubygems_version: 3.3.3
+signing_key:
 specification_version: 4
 summary: A Ruby API to libyara.
 test_files: []