yara 1.4.1 → 1.4.2

data/ext/yara_native/Rules.h

@@ -1,3 +1,22 @@
+/*
+ *  yara-ruby - Ruby bindings for the yara malware analysis library.
+ *  Eric Monti
+ *  Copyright (C) 2011 Trustwave Holdings
+ *  
+ *  This program is free software: you can redistribute it and/or modify it 
+ *  under the terms of the GNU General Public License as published by the 
+ *  Free Software Foundation, either version 3 of the License, or (at your
+ *  option) any later version.
+ *  
+ *  This program is distributed in the hope that it will be useful, but 
+ *  WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ *  or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ *  for more details.
+ *  
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program. If not, see <http://www.gnu.org/licenses/>.
+ *  
+*/
 
 #ifndef RB_RULES_H_GUARD
 #define RB_RULES_H_GUARD
@@ -5,8 +24,6 @@
 #include <yara.h>
 #include "ruby.h"
 
-static VALUE class_Rules;
-
-void init_rules(VALUE ruby_namespace);
+void init_Rules();
 
 #endif

data/ext/yara_native/Yara_native.c

@@ -1,19 +1,44 @@
+/*
+ *  yara-ruby - Ruby bindings for the yara malware analysis library.
+ *  Eric Monti
+ *  Copyright (C) 2011 Trustwave Holdings
+ *  
+ *  This program is free software: you can redistribute it and/or modify it 
+ *  under the terms of the GNU General Public License as published by the 
+ *  Free Software Foundation, either version 3 of the License, or (at your
+ *  option) any later version.
+ *  
+ *  This program is distributed in the hope that it will be useful, but 
+ *  WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ *  or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ *  for more details.
+ *  
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program. If not, see <http://www.gnu.org/licenses/>.
+ *  
+*/
+
 #include "ruby.h"
 #include <yara.h>
-
-#include "Yara_native.h"
 #include "Rules.h"
-#include "errors.h"
+#include "Match.h"
 
-static VALUE module_Yara = Qnil;
+VALUE module_Yara = Qnil;
+VALUE error_CompileError = Qnil;
+VALUE error_ScanError = Qnil;
 
 void Init_yara_native() {
   yr_init();
 
   module_Yara = rb_define_module("Yara");
 
-  init_errors(module_Yara);
-  init_rules(module_Yara);
+  /* Class Yara::CompileError */
+  error_CompileError = rb_define_class_under(module_Yara, "CompileError", rb_eStandardError);
+  /* Class Yara::ScanError */
+  error_ScanError = rb_define_class_under(module_Yara, "ScanError", rb_eStandardError);
+
+  init_Rules();
+  init_Match();
 }
 
 

data/ext/yara_native/Yara_native.h

@@ -1,9 +1,30 @@
+/*
+ *  yara-ruby - Ruby bindings for the yara malware analysis library.
+ *  Eric Monti
+ *  Copyright (C) 2011 Trustwave Holdings
+ *  
+ *  This program is free software: you can redistribute it and/or modify it 
+ *  under the terms of the GNU General Public License as published by the 
+ *  Free Software Foundation, either version 3 of the License, or (at your
+ *  option) any later version.
+ *  
+ *  This program is distributed in the hope that it will be useful, but 
+ *  WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ *  or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ *  for more details.
+ *  
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program. If not, see <http://www.gnu.org/licenses/>.
+ *  
+*/
+
 #ifndef RB_YARA_H_GUARD
 #define RB_YARA_H_GUARD
 
 #include "ruby.h"
 #include <yara.h>
 
-static VALUE module_Yara;
+extern VALUE error_CompileError;
+extern VALUE error_ScanError;
 
 #endif

data/ext/yara_native/extconf.rb

@@ -1,3 +1,21 @@
+#  yara-ruby - Ruby bindings for the yara malware analysis library.
+#  Eric Monti
+#  Copyright (C) 2011 Trustwave Holdings
+#  
+#  This program is free software: you can redistribute it and/or modify it 
+#  under the terms of the GNU General Public License as published by the 
+#  Free Software Foundation, either version 3 of the License, or (at your
+#  option) any later version.
+#  
+#  This program is distributed in the hope that it will be useful, but 
+#  WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+#  or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+#  for more details.
+#  
+#  You should have received a copy of the GNU General Public License along
+#  with this program. If not, see <http://www.gnu.org/licenses/>.
+#  
+
 require 'mkmf'
 require 'rbconfig'
 
@@ -10,5 +28,6 @@ unless have_library("yara") and
   raise "You must install the yara library"
 end
 
+create_header
 create_makefile(extension_name)
 

data/lib/yara.rb

@@ -1,4 +1,20 @@
-
+#    yara-ruby - Ruby bindings for the yara malware analysis library.
+#    Eric Monti
+#    Copyright (C) 2011 Trustwave Holdings
+#
+#    This program is free software: you can redistribute it and/or modify it 
+#    under the terms of the GNU General Public License as published by the 
+#    Free Software Foundation, either version 3 of the License, or (at your
+#    option) any later version.
+#
+#    This program is distributed in the hope that it will be useful, but 
+#    WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+#    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+#    for more details.
+#
+#    You should have received a copy of the GNU General Public License along
+#    with this program. If not, see <http://www.gnu.org/licenses/>.
+#
 require 'yara_native'
 
 module Yara

data/samples/ispe.rb

@@ -3,6 +3,23 @@
 # Usage example:
 #   ruby ispe.rb /win_c/windows/system32/*.???
 #
+#    yara-ruby - Ruby bindings for the yara malware analysis library.
+#    Eric Monti
+#    Copyright (C) 2011 Trustwave Holdings
+#
+#    This program is free software: you can redistribute it and/or modify it 
+#    under the terms of the GNU General Public License as published by the 
+#    Free Software Foundation, either version 3 of the License, or (at your
+#    option) any later version.
+#
+#    This program is distributed in the hope that it will be useful, but 
+#    WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+#    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+#    for more details.
+#
+#    You should have received a copy of the GNU General Public License along
+#    with this program. If not, see <http://www.gnu.org/licenses/>.
+#
 $: << File.join(File.dirname(__FILE__), '..', 'lib')
 require 'yara'
 

data/samples/sslkeyfinder

@@ -0,0 +1,73 @@
+#!/usr/bin/env ruby
+# Simple yara-ruby script to extract RSA private keys and certificates
+# based on http://www.trapkit.de/research/sslkeyfinder
+# and http://www.kyprizel.net/work/ida/getkeys.py
+#
+#    yara-ruby - Ruby bindings for the yara malware analysis library.
+#    Eric Monti
+#    Copyright (C) 2011 Trustwave Holdings
+#
+#    This program is free software: you can redistribute it and/or modify it 
+#    under the terms of the GNU General Public License as published by the 
+#    Free Software Foundation, either version 3 of the License, or (at your
+#    option) any later version.
+#
+#    This program is distributed in the hope that it will be useful, but 
+#    WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+#    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+#    for more details.
+#
+#    You should have received a copy of the GNU General Public License along
+#    with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+$: << File.join(File.dirname(__FILE__), '..', 'lib')
+require 'yara'
+require 'pp'
+
+ctx = Yara::Rules.new
+ctx.compile_string <<_EOF_
+rule x509_public_key_infrastructure_cert
+{
+  meta:
+    desc = "X.509 PKI Certificate"
+    ext = "crt"
+  strings: $a = {30 82 ?? ?? 30 82 ?? ??}
+  condition: $a
+}
+
+rule pkcs8_private_key_information_syntax_standard
+{
+  meta:
+    desc = "Found PKCS #8: Private-Key"
+    ext = "key"
+
+  strings: $a = {30 82 ?? ?? 02 01 00}
+  condition: $a
+}
+_EOF_
+
+
+ARGV.each do |fname|
+  begin
+    file = File.new(fname, 'rb')
+    ctx.scan_file(fname).each do |match|
+      match.strings.each do |string|
+        file.pos = string.offset
+        hdr = file.read(4)
+        magic, len = hdr.unpack("nn")
+
+        next unless magic == 0x3082
+
+        outf = "#{fname}_%0.8x.#{match.meta['ext']}" % string.offset
+        STDERR.puts "Found #{match.meta['desc']} in #{fname.inspect} - writing to #{outf.inspect}"
+
+        File.open(outf, 'wb') do |out|
+          out.write hdr 
+          out.write file.read(len)
+        end
+      end
+    end
+  ensure
+    file.close if file
+  end
+end

data/samples/upx.rb

@@ -1,5 +1,21 @@
 #!/usr/bin/env ruby
-
+#    yara-ruby - Ruby bindings for the yara malware analysis library.
+#    Eric Monti
+#    Copyright (C) 2011 Trustwave Holdings
+#
+#    This program is free software: you can redistribute it and/or modify it 
+#    under the terms of the GNU General Public License as published by the 
+#    Free Software Foundation, either version 3 of the License, or (at your
+#    option) any later version.
+#
+#    This program is distributed in the hope that it will be useful, but 
+#    WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+#    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+#    for more details.
+#
+#    You should have received a copy of the GNU General Public License along
+#    with this program. If not, see <http://www.gnu.org/licenses/>.
+#
 $: << 'lib'
 require 'yara'
 require 'pp'

data/spec/rules_spec.rb

@@ -1,3 +1,20 @@
+#    yara-ruby - Ruby bindings for the yara malware analysis library.
+#    Eric Monti
+#    Copyright (C) 2011 Trustwave Holdings
+#
+#    This program is free software: you can redistribute it and/or modify it 
+#    under the terms of the GNU General Public License as published by the 
+#    Free Software Foundation, either version 3 of the License, or (at your
+#    option) any later version.
+#
+#    This program is distributed in the hope that it will be useful, but 
+#    WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+#    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+#    for more details.
+#
+#    You should have received a copy of the GNU General Public License along
+#    with this program. If not, see <http://www.gnu.org/licenses/>.
+#
 require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
 
 describe Yara::Rules do

data/spec/spec_helper.rb

@@ -1,3 +1,20 @@
+#    yara-ruby - Ruby bindings for the yara malware analysis library.
+#    Eric Monti
+#    Copyright (C) 2011 Trustwave Holdings
+#
+#    This program is free software: you can redistribute it and/or modify it 
+#    under the terms of the GNU General Public License as published by the 
+#    Free Software Foundation, either version 3 of the License, or (at your
+#    option) any later version.
+#
+#    This program is distributed in the hope that it will be useful, but 
+#    WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+#    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+#    for more details.
+#
+#    You should have received a copy of the GNU General Public License along
+#    with this program. If not, see <http://www.gnu.org/licenses/>.
+#
 $LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
 $LOAD_PATH.unshift(File.dirname(__FILE__))
 require 'rspec'

data/spec/yara_spec.rb

@@ -1,3 +1,20 @@
+#    yara-ruby - Ruby bindings for the yara malware analysis library.
+#    Eric Monti
+#    Copyright (C) 2011 Trustwave Holdings
+#
+#    This program is free software: you can redistribute it and/or modify it 
+#    under the terms of the GNU General Public License as published by the 
+#    Free Software Foundation, either version 3 of the License, or (at your
+#    option) any later version.
+#
+#    This program is distributed in the hope that it will be useful, but 
+#    WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+#    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+#    for more details.
+#
+#    You should have received a copy of the GNU General Public License along
+#    with this program. If not, see <http://www.gnu.org/licenses/>.
+#
 require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
 
 describe Yara do

metadata

@@ -5,8 +5,8 @@ version: !ruby/object:Gem::Version
   segments: 
   - 1
   - 4
-  - 1
-  version: 1.4.1
+  - 2
+  version: 1.4.2
 platform: ruby
 authors: 
 - Eric Monti
@@ -14,7 +14,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-01-11 00:00:00 -06:00
+date: 2011-02-17 00:00:00 -06:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -97,7 +97,7 @@ dependencies:
         version: "0"
   type: :development
   version_requirements: *id006
-description: Ruby Bindings for the yara malware analysis library
+description: Ruby bindings for the yara malware analysis library
 email: emonti@trustwave.com
 executables: []
 
@@ -121,11 +121,10 @@ files:
 - ext/yara_native/Rules.h
 - ext/yara_native/Yara_native.c
 - ext/yara_native/Yara_native.h
-- ext/yara_native/errors.c
-- ext/yara_native/errors.h
 - ext/yara_native/extconf.rb
 - lib/yara.rb
 - samples/ispe.rb
+- samples/sslkeyfinder
 - samples/upx.rb
 - spec/rules_spec.rb
 - spec/samples/DumpMem.exe
@@ -162,7 +161,7 @@ rubyforge_project:
 rubygems_version: 1.3.6
 signing_key: 
 specification_version: 3
-summary: Ruby Bindings for libyara
+summary: Ruby bindings for libyara
 test_files: 
 - spec/rules_spec.rb
 - spec/spec_helper.rb

data/ext/yara_native/errors.c

@@ -1,11 +0,0 @@
-#include "errors.h"
-#include "ruby.h"
-
-VALUE error_CompileError = Qnil;
-VALUE error_ScanError = Qnil;
-
-void
-init_errors(VALUE rb_ns) {
-  error_CompileError = rb_define_class_under(rb_ns, "CompileError", rb_eStandardError);
-  error_ScanError = rb_define_class_under(rb_ns, "ScanError", rb_eStandardError);
-}

data/ext/yara_native/errors.h

@@ -1,9 +0,0 @@
-#ifndef RB_YARA_ERR_H_GUARD
-#define RB_YARA_ERR_H_GUARD
-
-#include "ruby.h"
-
-extern VALUE error_CompileError;
-extern VALUE error_ScanError;
-
-#endif