RubyGems - yara-ffi - Versions diffs - 2.1.1 → 3.0.0 - Mend

yara-ffi 2.1.1 → 3.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (28) hide show

checksums.yaml +4 -4
data/Dockerfile +17 -0
data/Gemfile.lock +3 -3
data/README.md +28 -1
data/lib/yara/ffi.rb +3 -3
data/lib/yara/scan_result.rb +34 -37
data/lib/yara/scanner.rb +81 -0
data/lib/yara/version.rb +1 -1
data/lib/yara.rb +14 -55
data/script/bootstrap +3 -0
data/script/test +3 -0
metadata +6 -18
data/vendor/cache/ast-2.4.2.gem +0 -0
data/vendor/cache/coderay-1.1.3.gem +0 -0
data/vendor/cache/ffi-1.15.0.gem +0 -0
data/vendor/cache/method_source-1.0.0.gem +0 -0
data/vendor/cache/minitest-5.14.4.gem +0 -0
data/vendor/cache/parallel-1.20.1.gem +0 -0
data/vendor/cache/parser-3.0.0.0.gem +0 -0
data/vendor/cache/pry-0.14.0.gem +0 -0
data/vendor/cache/rainbow-3.0.0.gem +0 -0
data/vendor/cache/rake-13.0.3.gem +0 -0
data/vendor/cache/regexp_parser-2.1.1.gem +0 -0
data/vendor/cache/rexml-3.2.4.gem +0 -0
data/vendor/cache/rubocop-1.11.0.gem +0 -0
data/vendor/cache/rubocop-ast-1.4.1.gem +0 -0
data/vendor/cache/ruby-progressbar-1.11.0.gem +0 -0
data/vendor/cache/unicode-display_width-2.0.0.gem +0 -0

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ac111338f4038017b3eb887d2bfcea73c2a2aa5a9b409370e13cfd01985276df
-  data.tar.gz: 353ab52ebe038b8fbd2b3c9ce35436df1b4fb20cad1cfa0b3019e678291e0f0b
+  metadata.gz: 814d5fa21cda6f98707e038549321eab8ce359f013c47d36e8d0845c05ff0b2c
+  data.tar.gz: 531d85f217da5f9bec89de9319ee5f9f33c3a801ec75db439de1fa377612c88e
 SHA512:
-  metadata.gz: 96a2ede305474b3457dcaf4256e3b57fa28becae0abc51eb3e45897667f5a971ba818a45a6b945b15d02208c2eee6adad43ff416c31d9528083ed7dd5a317046
-  data.tar.gz: 6b1a3fa08e02123b655d140f30fa531494d585276591f5758b6f8c26636ea0fe388eef7fa5e6253d9fce42221b19729eab0960684a87eaf95e96f701eacd4fb7
+  metadata.gz: 3fd910b4f3ea435dcc5cfaa1763fe7cd33727bc77929b52d326d4f3baaad7caff2671c73100ec5102bdb61f9ac34d330ad2a33626faaeebf65ff16dde7d7e6fe
+  data.tar.gz: 53133f057a23dc32227a6c603322cdd5b9da273416bdd6aad9245b4c270249c83dd8e8f5211f531be1180a12c28825824977966425456bd9c18ff8883566f7bb

data/Dockerfile ADDED Viewed

@@ -0,0 +1,17 @@
+FROM ruby:2.6.6
+RUN apt-get update -qq
+RUN apt-get install -y flex bison
+WORKDIR /app
+COPY . ./
+RUN gem install bundler:2.2.15
+RUN bundle install
+RUN git clone --recursive --branch v4.1.1 https://github.com/VirusTotal/yara.git /tmp/yara && \
+  cd /tmp/yara/ && \
+  ./bootstrap.sh && \
+  ./configure && \
+  make && \
+  make install

data/Gemfile.lock CHANGED Viewed

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    yara-ffi (1.0.0)
+    yara-ffi (2.1.1)
       ffi
 GEM
@@ -9,7 +9,7 @@ GEM
   specs:
     ast (2.4.2)
     coderay (1.1.3)
-    ffi (1.15.0)
+    ffi (1.15.4)
     method_source (1.0.0)
     minitest (5.14.4)
     parallel (1.20.1)
@@ -48,4 +48,4 @@ DEPENDENCIES
   yara-ffi!
 BUNDLED WITH
-   2.2.14
+   2.2.15

data/README.md CHANGED Viewed

@@ -20,7 +20,34 @@ Or install it yourself as:
 ## Usage
-TODO: Write usage instructions here
+```ruby
+Yara.start # run before you start using the Yara API.
+rule = <<-RULE
+rule ExampleRule
+{
+meta:
+    string_meta = "an example rule for testing"
+strings:
+    $my_text_string = "we were here"
+    $my_text_regex = /were here/
+condition:
+    $my_text_string or $my_text_regex
+}
+RULE
+scanner = Yara::Scanner.new
+scanner.add_rule(rule)
+scanner.compile
+result = scanner.call("one day we were here and then we were not")
+result.match?
+# => true
+scanner.close   # run when you are done using the scanner API and want to free up memory.
+Yara.stop       # run when you are completely done using the Yara API to free up memory.
+```
 ## Development

data/lib/yara/ffi.rb CHANGED Viewed

@@ -90,9 +90,9 @@ module Yara
     #   void* user_data)
     callback :scan_callback, [
       :pointer,       # YR_SCAN_CONTEXT*
-      :int,           # message
-      :pointer,       # message_data_pointer
-      :pointer,       # user_data_pointer
+      :int,           # callback_type
+      YrRule.ptr,     # rule
+      UserData.ptr,   # user_data
     ], :int
     # int yr_rules_scan_mem(

data/lib/yara/scan_result.rb CHANGED Viewed

@@ -6,38 +6,50 @@ module Yara
     META_FLAGS_LAST_IN_RULE = 1
     META_TYPE_INTEGER = 1
-    META_TYPE_STRING  = 2
+    # META_TYPE_STRING  = 2
     META_TYPE_BOOLEAN = 3
     STRING_FLAGS_LAST_IN_RULE = 0
-    STRING_LENGTH = 4
-    STRING_POINTER = 5
-    RULE_IDENTIFIER  = 1
-    METAS_IDENTIFIER = 3
-    STRING_IDENTIFIER = 4
     attr_reader :callback_type, :rule
-    def initialize(callback_type, rule_ptr)
+    def initialize(callback_type, rule, user_data)
       @callback_type = callback_type
-      @rule = YrRule.new(rule_ptr)
+      @rule = rule
+      @rule_meta = extract_rule_meta
+      @rule_strings = extract_rule_strings
+      @user_data_number = user_data[:number]
     end
+    attr_reader :rule_meta, :rule_strings, :user_data_number
     def rule_name
-      @rule.values[RULE_IDENTIFIER]
+      @rule[:identifier]
+    end
+    def scan_complete?
+      callback_type == SCAN_FINISHED
+    end
+    def rule_outcome?
+      [RULE_MATCHING, RULE_NOT_MATCHING].include?(callback_type)
+    end
+    def match?
+      callback_type == RULE_MATCHING
     end
-    def rule_meta
+    private
+    def extract_rule_meta
       metas = {}
       reading_metas = true
       meta_index = 0
-      meta_pointer = @rule.values[METAS_IDENTIFIER]
+      meta_pointer = @rule[:metas]
       while reading_metas do
         meta = YrMeta.new(meta_pointer + meta_index * YrMeta.size)
         metas.merge!(meta_as_hash(meta))
-        flags = meta.values.last
+        flags = meta[:flags]
         if flags == META_FLAGS_LAST_IN_RULE
           reading_metas = false
         else
@@ -47,15 +59,15 @@ module Yara
       metas
     end
-    def rule_strings
+    def extract_rule_strings
       strings = {}
       reading_strings = true
       string_index = 0
-      string_pointer = @rule.values[STRING_IDENTIFIER]
+      string_pointer = @rule[:strings]
       while reading_strings do
         string = YrString.new(string_pointer + string_index * YrString.size)
-        string_length = string.values[STRING_LENGTH]
-        flags = string.values.first
+        string_length = string[:length]
+        flags = string[:flags]
         if flags == STRING_FLAGS_LAST_IN_RULE
           reading_strings = false
         else
@@ -66,29 +78,14 @@ module Yara
       strings
     end
-    def scan_complete?
-      callback_type == SCAN_FINISHED
-    end
-    def rule_outcome?
-      [RULE_MATCHING, RULE_NOT_MATCHING].include?(callback_type)
-    end
-    def match?
-      callback_type == RULE_MATCHING
-    end
-    private
     def meta_as_hash(meta)
-      name, string_value, int_value, type, _flags = meta.values
-      value = meta_value(string_value, int_value, type)
-      { name.to_sym => value }
+      value = meta_value(meta[:string], meta[:integer], meta[:type])
+      { meta[:identifier].to_sym => value }
     end
     def string_as_hash(yr_string)
-      string_pointer = yr_string.values[STRING_POINTER]
-      string_identifier = yr_string.values.last
+      string_pointer = yr_string[:string]
+      string_identifier = yr_string[:identifier]
       { string_identifier.to_sym => string_pointer.read_string }
     end

data/lib/yara/scanner.rb ADDED Viewed

@@ -0,0 +1,81 @@
+module Yara
+  class Scanner
+    class NotCompiledError < StandardError; end
+    ERROR_CALLBACK = proc do |error_level, file_name, line_number, rule, message, user_data|
+      # noop
+    end
+    SCAN_FINISHED = 3
+    # Public: Initializes instance of scanner. Under the hood this calls yr_initialize, then
+    # creates a pointer, then calls yr_compiler_create with that pointer.
+    #
+    # error_callback: (optional) Proc to be called when an error occurs.
+    # user_data: (optional) Instance of UserData to store and pass information.
+    def initialize(error_callback: ERROR_CALLBACK, user_data: UserData.new)
+      @error_callback = error_callback
+      @user_data = user_data
+      @compiler_pointer = ::FFI::MemoryPointer.new(:pointer)
+      Yara::FFI.yr_compiler_create(@compiler_pointer)
+      @compiler_pointer = @compiler_pointer.get_pointer(0)
+      Yara::FFI.yr_compiler_set_callback(@compiler_pointer, error_callback, user_data)
+    end
+    # Public: Adds a rule to the scanner and returns the namespace value. If a namespace
+    # is not provided it will default to nil and use the global namespace.
+    #
+    # rule_string - String containing the Yara rule to be added.
+    # namespace:    (optional) String containing the namespace to be used for the rule.
+    def add_rule(rule_string, namespace: nil)
+      Yara::FFI.yr_compiler_add_string(@compiler_pointer, rule_string, namespace)
+    end
+    def compile
+      @rules_pointer = ::FFI::MemoryPointer.new(:pointer)
+      Yara::FFI.yr_compiler_get_rules(@compiler_pointer, @rules_pointer)
+      @rules_pointer = @rules_pointer.get_pointer(0)
+      Yara::FFI.yr_compiler_destroy(@compiler_pointer)
+    end
+    def call(test_string)
+      raise NotCompiledError unless @rules_pointer
+      results = []
+      scanning = true
+      result_callback = proc do |context_ptr, callback_type, rule, user_data|
+        if callback_type == SCAN_FINISHED
+          scanning = false
+        else
+          result = ScanResult.new(callback_type, rule, user_data)
+          results << result if result.rule_outcome?
+        end
+        0 # ERROR_SUCCESS
+      end
+      test_string_bytesize = test_string.bytesize
+      test_string_pointer = ::FFI::MemoryPointer.new(:char, test_string_bytesize)
+      test_string_pointer.put_bytes(0, test_string)
+      Yara::FFI.yr_rules_scan_mem(
+        @rules_pointer,
+        test_string_pointer,
+        test_string_bytesize,
+        0,
+        result_callback,
+        @user_data,
+        1,
+      )
+      while scanning do
+      end
+      results
+    end
+    def close
+      Yara::FFI.yr_rules_destroy(@rules_pointer)
+    end
+  end
+end

data/lib/yara/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module Yara
-  VERSION = "2.1.1"
+  VERSION = "3.0.0"
 end

data/lib/yara.rb CHANGED Viewed

@@ -4,67 +4,26 @@ require "ffi"
 require "pry"
 require_relative "yara/ffi"
 require_relative "yara/scan_result"
+require_relative "yara/scanner"
 require_relative "yara/version"
 module Yara
-  SCAN_FINISHED = 3
-  class Error < StandardError; end
-  def self.test(rule_string, test_string)
-    user_data = UserData.new
-    scanning = true
-    results = []
+  def self.start
     Yara::FFI.yr_initialize
+  end
-    compiler_pointer = ::FFI::MemoryPointer.new(:pointer)
-    Yara::FFI.yr_compiler_create(compiler_pointer)
-    compiler_pointer = compiler_pointer.get_pointer(0)
-    error_callback = proc do |error_level, file_name, line_number, rule, message, user_data|
-      # noop
-    end
-    Yara::FFI.yr_compiler_set_callback(compiler_pointer, error_callback, user_data)
-    Yara::FFI.yr_compiler_add_string(compiler_pointer, rule_string, nil)
-    rules_pointer =::FFI::MemoryPointer.new(:pointer)
-    Yara::FFI.yr_compiler_get_rules(compiler_pointer, rules_pointer)
-    rules_pointer = rules_pointer.get_pointer(0)
-    result_callback = proc do |context_ptr, callback_type, rule_ptr, user_data_ptr|
-      if callback_type == SCAN_FINISHED
-        scanning = false
-      else
-        result = ScanResult.new(callback_type, rule_ptr)
-        results << result if result.rule_outcome?
-      end
-      0 # ERROR_SUCCESS
-    end
-    test_string_bytesize = test_string.bytesize
-    test_string_pointer = ::FFI::MemoryPointer.new(:char, test_string_bytesize)
-    test_string_pointer.put_bytes(0, test_string)
-    Yara::FFI.yr_rules_scan_mem(
-      rules_pointer,
-      test_string_pointer,
-      test_string_bytesize,
-      0,
-      result_callback,
-      user_data,
-      1,
-    )
-    while scanning do
-    end
+  def self.stop
+    Yara::FFI.yr_finalize
+  end
-    results
+  def self.test(rule_string, test_string)
+    start
+    scanner = Yara::Scanner.new
+    scanner.add_rule(rule_string)
+    scanner.compile
+    scanner.call(test_string)
   ensure
-    Yara::FFI.yr_rules_destroy(rules_pointer)
-    Yara::FFI.yr_compiler_destroy(compiler_pointer)
-    Yara::FFI.yr_finalize
+    scanner.close
+    stop
   end
 end

data/script/bootstrap ADDED Viewed

@@ -0,0 +1,3 @@
+#!/bin/bash
+docker build . -t yara-ffi

data/script/test ADDED Viewed

@@ -0,0 +1,3 @@
+#!/bin/bash
+docker run -it --mount type=bind,src="$(pwd)",dst=/app yara-ffi bundle exec rake

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: yara-ffi
 version: !ruby/object:Gem::Version
-  version: 2.1.1
+  version: 3.0.0
 platform: ruby
 authors:
 - Jonathan Hoyt
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-08-31 00:00:00.000000000 Z
+date: 2021-10-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ffi
@@ -36,6 +36,7 @@ files:
 - ".rubocop.yml"
 - CHANGELOG.md
 - CODE_OF_CONDUCT.md
+- Dockerfile
 - Gemfile
 - Gemfile.lock
 - LICENSE.txt
@@ -46,28 +47,15 @@ files:
 - lib/yara.rb
 - lib/yara/ffi.rb
 - lib/yara/scan_result.rb
+- lib/yara/scanner.rb
 - lib/yara/user_data.rb
 - lib/yara/version.rb
 - lib/yara/yr_meta.rb
 - lib/yara/yr_namespace.rb
 - lib/yara/yr_rule.rb
 - lib/yara/yr_string.rb
-- vendor/cache/ast-2.4.2.gem
-- vendor/cache/coderay-1.1.3.gem
-- vendor/cache/ffi-1.15.0.gem
-- vendor/cache/method_source-1.0.0.gem
-- vendor/cache/minitest-5.14.4.gem
-- vendor/cache/parallel-1.20.1.gem
-- vendor/cache/parser-3.0.0.0.gem
-- vendor/cache/pry-0.14.0.gem
-- vendor/cache/rainbow-3.0.0.gem
-- vendor/cache/rake-13.0.3.gem
-- vendor/cache/regexp_parser-2.1.1.gem
-- vendor/cache/rexml-3.2.4.gem
-- vendor/cache/rubocop-1.11.0.gem
-- vendor/cache/rubocop-ast-1.4.1.gem
-- vendor/cache/ruby-progressbar-1.11.0.gem
-- vendor/cache/unicode-display_width-2.0.0.gem
+- script/bootstrap
+- script/test
 - yara-ffi.gemspec
 homepage: https://github.com/jonmagic/yara-ffi
 licenses:

data/vendor/cache/ast-2.4.2.gem DELETED Viewed

Binary file

data/vendor/cache/coderay-1.1.3.gem DELETED Viewed

Binary file

data/vendor/cache/ffi-1.15.0.gem DELETED Viewed

Binary file

data/vendor/cache/method_source-1.0.0.gem DELETED Viewed

Binary file

data/vendor/cache/minitest-5.14.4.gem DELETED Viewed

Binary file

data/vendor/cache/parallel-1.20.1.gem DELETED Viewed

Binary file

data/vendor/cache/parser-3.0.0.0.gem DELETED Viewed

Binary file

data/vendor/cache/pry-0.14.0.gem DELETED Viewed

Binary file

data/vendor/cache/rainbow-3.0.0.gem DELETED Viewed

Binary file

data/vendor/cache/rake-13.0.3.gem DELETED Viewed

Binary file

data/vendor/cache/regexp_parser-2.1.1.gem DELETED Viewed

Binary file

data/vendor/cache/rexml-3.2.4.gem DELETED Viewed

Binary file

data/vendor/cache/rubocop-1.11.0.gem DELETED Viewed

Binary file

data/vendor/cache/rubocop-ast-1.4.1.gem DELETED Viewed

Binary file

data/vendor/cache/ruby-progressbar-1.11.0.gem DELETED Viewed

Binary file

data/vendor/cache/unicode-display_width-2.0.0.gem DELETED Viewed

Binary file