yara-ffi 2.0.1 → 2.1.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 495c967a7af5781f211a7f02a8161e117d35e701ebbdcc8b15fe0def323a623b
4
- data.tar.gz: 2f4b0325bf5c51d2483326f98de991f89633d27923f31c046bef919e49fc6e23
3
+ metadata.gz: 69d13f5f4b62199af83b30a5bb43366c98bd298b10f11b33d54ce931b5b3a23b
4
+ data.tar.gz: 384f0506d4781049c57f143243b4b8ff9fb7c46fc95cd8e9fe781d39e16c22ce
5
5
  SHA512:
6
- metadata.gz: 38cc0d0af7ab17fa8103ed273556ef489f619c2de4facf678a724e05af03c0454b5d5b1dddd24134469d5340cec4f17e4de459066f6d9e6086099dbf61b52510
7
- data.tar.gz: 7bc527f30f067905006e1155645c4a01fe34e413bec32a93611b02dfe6a9330753006962b44dcdcd1d085050c0aa54dbf99b334825b547f5cb3fac1e95788431
6
+ metadata.gz: 6811bee54889a6a95a01df893fe694e3fc2bd1a424063c7d51aa222f6a37e7b202dbcee06ed58b7768b9b348b530918b3e093994ac753831823951ac194a21cd
7
+ data.tar.gz: b58b0fa59f64501b560f99b012ea2132617e16811988e70d887838df157028fabdeed2109ba723389e1830e411c111233f1f0a1ef6e877913ac55849d37203dc
@@ -9,8 +9,14 @@ module Yara
9
9
  META_TYPE_STRING = 2
10
10
  META_TYPE_BOOLEAN = 3
11
11
 
12
+ STRING_FLAGS_LAST_IN_RULE = 0
13
+
14
+ STRING_LENGTH = 4
15
+ STRING_POINTER = 5
16
+
12
17
  RULE_IDENTIFIER = 1
13
18
  METAS_IDENTIFIER = 3
19
+ STRING_IDENTIFIER = 4
14
20
 
15
21
  attr_reader :callback_type, :rule
16
22
 
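Review bot: The new constants `STRING_LENGTH = 4`, `STRING_POINTER = 5` and `STRING_IDENTIFIER = 4` are positional indices into `FFI::Struct#values`, so they silently duplicate the field order declared in the yr_string.rb and yr_rule.rb hunks of this same commit and will drift the moment a field is inserted there. FFI structs support named access, so the readers in the `rule_strings` and `string_as_hash` hunks could use `string[:length]`, `string[:string]` and `@rule[:strings]` and drop these three constants. `STRING_FLAGS_LAST_IN_RULE = 0` is the one value here that decides when a native memory walk stops; a comment naming the libyara header and version it was taken from would let a reviewer confirm it, e.g. `# from libyara <LIBYARA_VERSION> include/yara/types.h; flags is a bitmask, see rule_strings`. The enclosing class starts outside this hunk.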
@@ -41,6 +47,25 @@ module Yara
41
47
  metas
42
48
  end
43
49
 
50
+ def rule_strings
51
+ strings = {}
52
+ reading_strings = true
53
+ string_index = 0
54
+ string_pointer = @rule.values[STRING_IDENTIFIER]
55
+ while reading_strings do
56
+ string = YrString.new(string_pointer + string_index * YrString.size)
57
+ string_length = string.values[STRING_LENGTH]
58
+ flags = string.values.first
59
+ if flags == STRING_FLAGS_LAST_IN_RULE
60
+ reading_strings = false
61
+ else
62
+ strings.merge!(string_as_hash(string)) unless string_length == 0
63
+ string_index += 1
64
+ end
65
+ end
66
+ strings
67
+ end
68
+
44
69
  def scan_complete?
45
70
  callback_type == SCAN_FINISHED
46
71
  end
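Review bot: The loop at `while reading_strings do` has no bound other than `flags == STRING_FLAGS_LAST_IN_RULE`, which compares the whole 32-bit flags word against 0; if libyara marks the last entry by setting a bit in `flags` while its other descriptive bits stay set, that comparison never matches and the walk continues past the rule's string table into unrelated native memory, calling `read_string` on whatever pointer happens to sit at `STRING_POINTER` until a zero word is reached. Please confirm the terminator representation against the libyara header the layout was copied from and, if it is a bit, test it as a mask: `if (flags & STRING_FLAGS_LAST_IN_RULE) != 0` with the constant set to that bit value. Independently of that, `@rule.values[STRING_IDENTIFIER]` may be a NULL pointer for a rule without strings, so `return {} if string_pointer.null?` before the loop avoids dereferencing it. A fixed upper bound on `string_index` would also turn a layout mismatch into an empty result instead of a segfault.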
@@ -61,6 +86,12 @@ module Yara
61
86
  { name.to_sym => value }
62
87
  end
63
88
 
89
+ def string_as_hash(yr_string)
90
+ string_pointer = yr_string.values[STRING_POINTER]
91
+ string_identifier = yr_string.values.last
92
+ { string_identifier.to_sym => string_pointer.read_string }
93
+ end
94
+
64
95
  def meta_value(string_value, int_value, type)
65
96
  if type == META_TYPE_INTEGER
66
97
  int_value
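Review bot: `string_pointer.read_string` reads up to the first NUL byte, but the YrString layout added in this commit carries an explicit `:length` next to `:string`, which suggests the bytes are length-delimited rather than NUL-terminated; patterns that contain 0x00 bytes would come back truncated, and a buffer with no trailing NUL would be read past its end. If `:length` is indeed the byte count of `:string` (to be confirmed against libyara), `yr_string[:string].read_bytes(yr_string[:length])` returns exactly the pattern bytes. Note also that `strings.merge!` in the caller overwrites entries with the same identifier, so two strings that share a name (if libyara allows anonymous ones) collapse into one key; worth a comment if that is intended.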
data/lib/yara/version.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module Yara
4
- VERSION = "2.0.1"
4
+ VERSION = "2.1.0"
5
5
  end
data/lib/yara/yr_rule.rb CHANGED
@@ -5,7 +5,7 @@ module Yara
5
5
  :identifier, :string,
6
6
  :tags, :string,
7
7
  :metas, :pointer,
8
- :strings, YrString.ptr,
8
+ :strings, :pointer,
9
9
  :ns, YrNamespace.ptr
10
10
  end
11
11
  end
@@ -1,5 +1,15 @@
1
1
  module Yara
2
2
  class YrString < FFI::Struct
3
- layout :identifier, :string
3
+ layout \
4
+ :flags, :uint32_t,
5
+ :idx, :uint32_t,
6
+ :fixed_offset, :int64_t,
7
+ :rule_idx, :uint32_t,
8
+ :length, :int32_t,
9
+ :string, :pointer,
10
+ :chained_to, :pointer,
11
+ :chain_gap_min, :int32_t,
12
+ :chain_gap_max, :int32_t,
13
+ :identifier, :string
4
14
  end
5
15
  end
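Review bot: This layout (presumably yr_string.rb; the file header is not shown on the page) transcribes a libyara struct field by field, and every reader added in this commit depends on `:flags`, `:length`, `:string` and `:identifier` landing on the right bytes, so a mismatch with the installed libyara turns them into garbage pointers that `rule_strings` then dereferences. It deserves a header comment recording where it came from, e.g. `# Mirrors YR_STRING from libyara <LIBYARA_VERSION> (include/yara/types.h); field order and widths are ABI — re-verify on every libyara upgrade.` A one-line note that `:length` is the byte count behind `:string` would also steer callers away from NUL-terminated reads.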
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: yara-ffi
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.0.1
4
+ version: 2.1.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Jonathan Hoyt