yara-ffi 1.0.0 → 2.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/yara/scan_result.rb +74 -0
- data/lib/yara/version.rb +1 -1
- data/lib/yara/yr_meta.rb +4 -1
- data/lib/yara/yr_rule.rb +1 -1
- data/lib/yara.rb +9 -16
- metadata +3 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 77c78c082eac821fd90e99808b1d944d7ac5e0a4c597339d46e9d9806cc61a17
|
|
4
|
+
data.tar.gz: 75a6e4cb0f1d9b6b89d611bfd615006b5f638532337a8a6b03d5e37bd697a6a5
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: de69cea095663dc7a7fe66d896d846139328f3e0e47d07c3ad05340e9f99ee755311da3ec6ab1afc19ddda809fea1de04274fecf4404544c0e7ed48bde48e3de
|
|
7
|
+
data.tar.gz: c09131210c41e871d677b0779f2a736dad22c6ba1c32d3e155f1083bb4886b3d6d0815c293889a8da497b3af882fad5fb31d234c46733243cefc576c023ee964
|
|
@@ -0,0 +1,74 @@
|
|
|
1
|
+
module Yara
|
|
2
|
+
class ScanResult
|
|
3
|
+
RULE_MATCHING = 1
|
|
4
|
+
RULE_NOT_MATCHING = 2
|
|
5
|
+
|
|
6
|
+
META_FLAGS_LAST_IN_RULE = 1
|
|
7
|
+
|
|
8
|
+
META_TYPE_INTEGER = 1
|
|
9
|
+
META_TYPE_STRING = 2
|
|
10
|
+
META_TYPE_BOOLEAN = 3
|
|
11
|
+
|
|
12
|
+
RULE_IDENTIFIER = 1
|
|
13
|
+
METAS_IDENTIFIER = 3
|
|
14
|
+
|
|
15
|
+
attr_reader :callback_type, :rule
|
|
16
|
+
|
|
17
|
+
def initialize(callback_type, rule_ptr)
|
|
18
|
+
@callback_type = callback_type
|
|
19
|
+
@rule = YrRule.new(rule_ptr)
|
|
20
|
+
end
|
|
21
|
+
|
|
22
|
+
def rule_name
|
|
23
|
+
@rule.values[RULE_IDENTIFIER]
|
|
24
|
+
end
|
|
25
|
+
|
|
26
|
+
def rule_meta
|
|
27
|
+
metas = {}
|
|
28
|
+
reading_metas = true
|
|
29
|
+
meta_index = 0
|
|
30
|
+
meta_pointer = @rule.values[METAS_IDENTIFIER]
|
|
31
|
+
while reading_metas do
|
|
32
|
+
meta = YrMeta.new(meta_pointer + meta_index * YrMeta.size)
|
|
33
|
+
metas.merge!(meta_as_hash(meta))
|
|
34
|
+
flags = meta.values.last
|
|
35
|
+
if flags == META_FLAGS_LAST_IN_RULE
|
|
36
|
+
reading_metas = false
|
|
37
|
+
else
|
|
38
|
+
meta_index += 1
|
|
39
|
+
end
|
|
40
|
+
end
|
|
41
|
+
metas
|
|
42
|
+
end
|
|
43
|
+
|
|
44
|
+
def scan_complete?
|
|
45
|
+
callback_type == SCAN_FINISHED
|
|
46
|
+
end
|
|
47
|
+
|
|
48
|
+
def rule_outcome?
|
|
49
|
+
[RULE_MATCHING, RULE_NOT_MATCHING].include?(callback_type)
|
|
50
|
+
end
|
|
51
|
+
|
|
52
|
+
def match?
|
|
53
|
+
callback_type == RULE_MATCHING
|
|
54
|
+
end
|
|
55
|
+
|
|
56
|
+
private
|
|
57
|
+
|
|
58
|
+
def meta_as_hash(meta)
|
|
59
|
+
name, string_value, int_value, type, _flags = meta.values
|
|
60
|
+
value = meta_value(string_value, int_value, type)
|
|
61
|
+
{ name.to_sym => value }
|
|
62
|
+
end
|
|
63
|
+
|
|
64
|
+
def meta_value(string_value, int_value, type)
|
|
65
|
+
if type == META_TYPE_INTEGER
|
|
66
|
+
int_value
|
|
67
|
+
elsif type == META_TYPE_BOOLEAN
|
|
68
|
+
int_value == 1
|
|
69
|
+
else
|
|
70
|
+
string_value
|
|
71
|
+
end
|
|
72
|
+
end
|
|
73
|
+
end
|
|
74
|
+
end
|
data/lib/yara/version.rb
CHANGED
data/lib/yara/yr_meta.rb
CHANGED
data/lib/yara/yr_rule.rb
CHANGED
data/lib/yara.rb
CHANGED
|
@@ -2,22 +2,17 @@
|
|
|
2
2
|
|
|
3
3
|
require "ffi"
|
|
4
4
|
require "pry"
|
|
5
|
-
require_relative "yara/version"
|
|
6
5
|
require_relative "yara/ffi"
|
|
6
|
+
require_relative "yara/scan_result"
|
|
7
|
+
require_relative "yara/version"
|
|
7
8
|
|
|
8
|
-
# TBD
|
|
9
9
|
module Yara
|
|
10
|
-
|
|
10
|
+
SCAN_FINISHED = 3
|
|
11
11
|
|
|
12
|
-
|
|
13
|
-
CALLBACK_MSG_RULE_NOT_MATCHING = 2
|
|
14
|
-
CALLBACK_MSG_SCAN_FINISHED = 3
|
|
15
|
-
|
|
16
|
-
RULE_IDENTIFIER = 1
|
|
12
|
+
class Error < StandardError; end
|
|
17
13
|
|
|
18
14
|
def self.test(rule_string, test_string)
|
|
19
15
|
user_data = UserData.new
|
|
20
|
-
user_data[:number] = 42
|
|
21
16
|
scanning = true
|
|
22
17
|
results = []
|
|
23
18
|
|
|
@@ -38,14 +33,12 @@ module Yara
|
|
|
38
33
|
Yara::FFI.yr_compiler_get_rules(compiler_pointer, rules_pointer)
|
|
39
34
|
rules_pointer = rules_pointer.get_pointer(0)
|
|
40
35
|
|
|
41
|
-
result_callback = proc do |context_ptr,
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
case message
|
|
45
|
-
when CALLBACK_MSG_RULE_MATCHING
|
|
46
|
-
results << rule.values[RULE_IDENTIFIER]
|
|
47
|
-
when CALLBACK_MSG_SCAN_FINISHED
|
|
36
|
+
result_callback = proc do |context_ptr, callback_type, rule_ptr, user_data_ptr|
|
|
37
|
+
if callback_type == SCAN_FINISHED
|
|
48
38
|
scanning = false
|
|
39
|
+
else
|
|
40
|
+
result = ScanResult.new(callback_type, rule_ptr)
|
|
41
|
+
results << result if result.rule_outcome?
|
|
49
42
|
end
|
|
50
43
|
|
|
51
44
|
0 # ERROR_SUCCESS
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: yara-ffi
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version:
|
|
4
|
+
version: 2.0.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Jonathan Hoyt
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2021-08-
|
|
11
|
+
date: 2021-08-24 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: ffi
|
|
@@ -45,6 +45,7 @@ files:
|
|
|
45
45
|
- bin/setup
|
|
46
46
|
- lib/yara.rb
|
|
47
47
|
- lib/yara/ffi.rb
|
|
48
|
+
- lib/yara/scan_result.rb
|
|
48
49
|
- lib/yara/user_data.rb
|
|
49
50
|
- lib/yara/version.rb
|
|
50
51
|
- lib/yara/yr_meta.rb
|