yara 1.4.1

data/ext/yara_native/Rules.c

@@ -0,0 +1,203 @@
+#include "errors.h"
+#include "Rules.h"
+#include "Match.h"
+#include <stdio.h>
+
+static VALUE class_Rules = Qnil;
+
+void rules_mark(YARA_CONTEXT *ctx) { }
+
+void rules_free(YARA_CONTEXT *ctx) {
+  yr_destroy_context(ctx);
+}
+
+VALUE rules_allocate(VALUE klass) {
+  YARA_CONTEXT *ctx = yr_create_context();
+
+  return Data_Wrap_Struct(klass, rules_mark, rules_free, ctx);
+}
+
+VALUE rules_compile_file(VALUE self, VALUE rb_fname) {
+  FILE * file;
+  char * fname;
+  YARA_CONTEXT *ctx;
+  char error_message[256];
+
+  Check_Type(rb_fname, T_STRING);
+  fname = RSTRING_PTR(rb_fname);
+
+  if( !(file=fopen(fname, "r")) ) {
+    rb_raise(error_CompileError, "No such file: %s", fname);
+  } else {
+    Data_Get_Struct(self, YARA_CONTEXT, ctx);
+
+    if( yr_compile_file(file, ctx) != 0 ) {
+      yr_get_error_message(ctx, error_message, sizeof(error_message));
+      fclose(file);
+      rb_raise(error_CompileError, "Syntax Error - %s(%d): %s", fname, ctx->last_error_line, error_message);
+    }
+
+    yr_push_file_name(ctx, fname);
+    fclose(file);
+    return Qtrue;
+  }
+}
+
+VALUE rules_compile_string(VALUE self, VALUE rb_rules) {
+  YARA_CONTEXT *ctx;
+  char *rules;
+  char error_message[256];
+
+  Check_Type(rb_rules, T_STRING);
+  rules = RSTRING_PTR(rb_rules);
+  Data_Get_Struct(self, YARA_CONTEXT, ctx);
+
+  if( yr_compile_string(rules, ctx) != 0) {
+      yr_get_error_message(ctx, error_message, sizeof(error_message));
+      rb_raise(error_CompileError, "Syntax Error - line(%d): %s", ctx->last_error_line, error_message);
+  }
+
+  return Qtrue;
+}
+
+VALUE rules_weight(VALUE self) {
+  YARA_CONTEXT *ctx;
+  Data_Get_Struct(self, YARA_CONTEXT, ctx);
+  return INT2NUM(yr_calculate_rules_weight(ctx));
+}
+
+
+VALUE rules_current_namespace(VALUE self) {
+  YARA_CONTEXT *ctx;
+  Data_Get_Struct(self, YARA_CONTEXT, ctx);
+  if(ctx->current_namespace && ctx->current_namespace->name)
+    return rb_str_new2(ctx->current_namespace->name);
+  else
+    return Qnil;
+}
+
+VALUE rules_namespaces(VALUE self) {
+  YARA_CONTEXT *ctx;
+  NAMESPACE *ns;
+  VALUE ary = rb_ary_new();
+
+  Data_Get_Struct(self, YARA_CONTEXT, ctx);
+  ns = ctx->namespaces;
+  while(ns && ns->name) {
+    rb_ary_push(ary, rb_str_new2(ns->name));
+    ns = ns->next;
+  }
+  return ary;
+}
+
+NAMESPACE * find_namespace(YARA_CONTEXT *ctx, const char *name) {
+  NAMESPACE *ns = ctx->namespaces;
+
+  while(ns && ns->name) {
+    if(strcmp(name, ns->name) == 0)
+      return(ns);
+    else
+      ns = ns->next;
+  }
+  return (NAMESPACE*) NULL;
+}
+
+VALUE rules_set_namespace(VALUE self, VALUE rb_namespace) {
+  YARA_CONTEXT *ctx;
+  NAMESPACE *ns = NULL;
+  const char *name;
+
+  Check_Type(rb_namespace, T_STRING);
+  name = RSTRING_PTR(rb_namespace);
+
+  Data_Get_Struct(self, YARA_CONTEXT, ctx);
+
+  if (!(ns = find_namespace(ctx, name)))
+      ns = yr_create_namespace(ctx, name);
+
+  if (ns) {
+    ctx->current_namespace = ns;
+    return rb_namespace;
+  } else {
+    return Qnil;
+  }
+
+}
+
+static int 
+scan_callback(RULE *rule, unsigned char *buffer, unsigned int buffer_size, void *data) {
+  int match_ret;
+  VALUE match = Qnil;
+  VALUE results = *((VALUE *) data);
+
+  Check_Type(results, T_ARRAY);
+
+  match_ret = Match_NEW_from_rule(rule, buffer, &match);
+  if(match_ret == 0 && !NIL_P(match))
+    rb_ary_push(results,match);
+
+  return match_ret;
+}
+
+
+VALUE rules_scan_file(VALUE self, VALUE rb_fname) {
+  YARA_CONTEXT *ctx;
+  VALUE results;
+  unsigned int ret;
+  char *fname;
+
+  Check_Type(rb_fname, T_STRING);
+  results = rb_ary_new();
+  Data_Get_Struct(self, YARA_CONTEXT, ctx);
+  fname = RSTRING_PTR(rb_fname);
+
+  ret = yr_scan_file(fname, ctx, scan_callback, &results);
+  if (ret == ERROR_COULD_NOT_OPEN_FILE)
+    rb_raise(error_ScanError, "Could not open file: '%s'", fname);
+  else if (ret != 0)
+    rb_raise(error_ScanError, "A error occurred while scanning: %s", 
+        ((ret > MAX_SCAN_ERROR)? "unknown error" : SCAN_ERRORS[ret]));
+
+  return results;
+}
+
+VALUE rules_scan_string(VALUE self, VALUE rb_dat) {
+  YARA_CONTEXT *ctx;
+  VALUE results;
+  char *buf;
+  long buflen;
+  int ret;
+
+  Check_Type(rb_dat, T_STRING);
+  buf = RSTRING_PTR(rb_dat);
+  buflen = RSTRING_LEN(rb_dat);
+
+  results = rb_ary_new();
+
+  Data_Get_Struct(self, YARA_CONTEXT, ctx);
+
+  ret = yr_scan_mem(buf, buflen, ctx, scan_callback, &results);
+  if (ret != 0)
+    rb_raise(error_ScanError, "A error occurred while scanning: %s", 
+        ((ret > MAX_SCAN_ERROR)? "unknown error" : SCAN_ERRORS[ret]));
+
+  return results;
+}
+
+void init_rules(VALUE rb_ns) {
+
+  class_Rules = rb_define_class_under(rb_ns, "Rules", rb_cObject);
+  rb_define_alloc_func(class_Rules, rules_allocate);
+
+  rb_define_method(class_Rules, "compile_file", rules_compile_file, 1);
+  rb_define_method(class_Rules, "compile_string", rules_compile_string, 1);
+  rb_define_method(class_Rules, "weight", rules_weight, 0);
+  rb_define_method(class_Rules, "current_namespace", rules_current_namespace, 0);
+  rb_define_method(class_Rules, "namespaces", rules_namespaces, 0);
+  rb_define_method(class_Rules, "set_namespace", rules_set_namespace, 1);
+  rb_define_method(class_Rules, "scan_file", rules_scan_file, 1);
+  rb_define_method(class_Rules, "scan_string", rules_scan_string, 1);
+
+  init_match(rb_ns);
+}
+

data/ext/yara_native/Rules.h

@@ -0,0 +1,12 @@
+
+#ifndef RB_RULES_H_GUARD
+#define RB_RULES_H_GUARD
+
+#include <yara.h>
+#include "ruby.h"
+
+static VALUE class_Rules;
+
+void init_rules(VALUE ruby_namespace);
+
+#endif

data/ext/yara_native/Yara_native.c

@@ -0,0 +1,20 @@
+#include "ruby.h"
+#include <yara.h>
+
+#include "Yara_native.h"
+#include "Rules.h"
+#include "errors.h"
+
+static VALUE module_Yara = Qnil;
+
+void Init_yara_native() {
+  yr_init();
+
+  module_Yara = rb_define_module("Yara");
+
+  init_errors(module_Yara);
+  init_rules(module_Yara);
+}
+
+
+

data/ext/yara_native/Yara_native.h

@@ -0,0 +1,9 @@
+#ifndef RB_YARA_H_GUARD
+#define RB_YARA_H_GUARD
+
+#include "ruby.h"
+#include <yara.h>
+
+static VALUE module_Yara;
+
+#endif

data/ext/yara_native/errors.c

@@ -0,0 +1,11 @@
+#include "errors.h"
+#include "ruby.h"
+
+VALUE error_CompileError = Qnil;
+VALUE error_ScanError = Qnil;
+
+void
+init_errors(VALUE rb_ns) {
+  error_CompileError = rb_define_class_under(rb_ns, "CompileError", rb_eStandardError);
+  error_ScanError = rb_define_class_under(rb_ns, "ScanError", rb_eStandardError);
+}

data/ext/yara_native/errors.h

@@ -0,0 +1,9 @@
+#ifndef RB_YARA_ERR_H_GUARD
+#define RB_YARA_ERR_H_GUARD
+
+#include "ruby.h"
+
+extern VALUE error_CompileError;
+extern VALUE error_ScanError;
+
+#endif

data/ext/yara_native/extconf.rb

@@ -0,0 +1,14 @@
+require 'mkmf'
+require 'rbconfig'
+
+extension_name = "yara_native"
+
+dir_config(extension_name)
+
+unless have_library("yara") and
+       find_header("yara.h", "/usr/local/include")
+  raise "You must install the yara library"
+end
+
+create_makefile(extension_name)
+

data/lib/yara.rb

@@ -0,0 +1,45 @@
+
+require 'yara_native'
+
+module Yara
+  class Rules
+  end
+
+  class Match
+    def to_hash
+      { :rule => self.rule, 
+        :namespace => self.namespace, 
+        :tags => self.tags,
+        :meta => self.meta,
+        :strings => self.strings }
+    end
+
+    def inspect
+      h=to_hash
+      h.inspect
+    end
+  end
+
+  class MatchString
+
+    alias ident identifier
+
+    def <=>(other)
+      self.offset <=> other.offset
+    end
+
+    def to_a
+      [self.offset, self.ident, self.buffer]
+    end
+
+    def to_hash
+      { :offset => self.offset, :identifier => self.ident, :buffer => self.buffer}
+    end
+
+    def inspect
+      h=to_a
+      h.inspect
+    end
+  end
+
+end

data/samples/ispe.rb

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+#
+# Usage example:
+#   ruby ispe.rb /win_c/windows/system32/*.???
+#
+$: << File.join(File.dirname(__FILE__), '..', 'lib')
+require 'yara'
+
+ctx = Yara::Rules.new
+ctx.compile_string "rule IsPE { condition: uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 }"
+
+ARGV.each do |fname|
+  ctx.scan_file(fname).each {|match| puts "#{fname} -> #{match.rule}" }
+end

data/samples/upx.rb

@@ -0,0 +1,39 @@
+#!/usr/bin/env ruby
+
+$: << 'lib'
+require 'yara'
+require 'pp'
+
+rule_str = <<_EOF_
+  rule UPX {
+      strings:
+          $noep1 = { B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 33 D2 EB 01 0F 56 EB 01 0F E8 03 00 00 00 EB 01 0F EB 01 0F 5E EB 01 }
+          $noep2 = { 5E 89 F7 B9 ?? ?? ?? ?? 8A 07 47 2C E8 3C 01 77 F7 80 3F ?? 75 F2 8B 07 8A 5F 04 66 C1 E8 08 C1 C0 10 86 C4 29 F8 80 EB E8 01 F0 89 07 83 C7 }
+          $noep3 = { 01 DB [0-1] 07 8B 1E 83 EE FC 11 DB [1-4] B8 01 00 00 00 01 DB }
+          $noep4 = { 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 D5 FE FF FF 8B 06 83 F8 00 74 11 8D B5 E1 FE FF FF 8B 06 83 F8 01 0F 84 F1 }
+          $noep5 = { 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB }
+          $noep6 = { FF D5 80 A7 ?? ?? ?? ?? ?? 58 50 54 50 53 57 FF D5 58 61 8D 44 24 ?? 6A 00 39 C4 75 FA 83 EC 80 E9 }
+          $noep7 = { 55 FF 96 ?? ?? ?? ?? 09 C0 74 07 89 03 83 C3 04 EB ?? FF 96 ?? ?? ?? ?? 8B AE ?? ?? ?? ?? 8D BE 00 F0 FF FF BB 00 10 00 00 50 54 6A 04 53 57 }
+          $noep8 = { FF D5 8D 87 ?? ?? ?? ?? 80 20 ?? 80 60 ?? ?? 58 50 54 50 53 57 FF D5 58 61 8D 44 24 ?? 6A 00 39 C4 75 FA 83 EC 80 E9 }
+          $ep1 = { 60 E8 00 00 00 00 58 83 E8 3D }
+          $ep2 = { 60 E8 00 00 00 00 83 CD FF 31 DB 5E }
+          $ep3 = { 50 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD }
+          
+      condition: any of ($noep*) or for any of ($ep*) : ($ at entrypoint)
+  }
+_EOF_
+
+ctx = Yara::Rules.new
+ctx.compile_string rule_str
+
+ARGV.each do |fname|
+  begin
+    ctx.scan_file(fname).each do |match|
+      pp match
+    end
+  rescue Yara::ScanError => e
+    STDERR.puts e
+  end
+end
+  
+

data/spec/rules_spec.rb

@@ -0,0 +1,208 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+
+describe Yara::Rules do
+  it "should be a class" do
+    Yara::Rules.should be_kind_of(Class)
+  end
+
+  it "should initialize cleanly" do
+    lambda { Yara::Rules.new }.should_not raise_error
+  end
+
+  context "Instances" do
+    before(:each) do
+      @rules = Yara::Rules.new
+    end
+
+    it "should indicate rules weight" do
+      @rules.weight.should be_kind_of(Numeric)
+      @rules.weight.should == 0
+    end
+
+    it "should compile a file" do
+      lambda { @rules.compile_file(sample_file("upx.yara")) }.should_not raise_error
+      @rules.weight.should > 0
+    end
+
+    it "should compile an empty file" do
+      lambda { @rules.compile_file("/dev/null") }.should_not raise_error
+      @rules.weight.should == 0
+    end
+
+
+    it "should raise an error if compiling an invalid filename" do
+      lambda { @rules.compile_file("so totally bogus a file") }.should raise_error
+      @rules.weight.should == 0
+    end
+
+    it "should raise an error if compiling a file with bad syntax" do
+      lambda { @rules.compile_file(__FILE__) }.should raise_error(Yara::CompileError)
+      @rules.weight.should == 0
+    end
+
+    it "should raise an error if duplicate file data is compiled" do
+      lambda { @rules.compile_file(sample_file("upx.yara")) }.should_not raise_error
+      lambda { @rules.compile_file(sample_file("upx.yara")) }.should raise_error(Yara::CompileError)
+      @rules.weight.should > 0
+    end
+
+    it "should compile a string" do
+      rules = File.read(sample_file("upx.yara"))
+      lambda { @rules.compile_string(rules) }.should_not raise_error
+      @rules.weight.should > 0
+    end
+
+    it "should compile an empty string" do
+      lambda { @rules.compile_string("") }.should_not raise_error
+      @rules.weight.should == 0
+    end
+
+    it "should raise an error if compiling a string with bad syntax" do
+      rules = File.read(sample_file("upx.yara")) << "some bogus stuff\n"
+      lambda { @rules.compile_string(rules) }.should raise_error(Yara::CompileError)
+      @rules.weight.should > 0 # it parsed everything up to the error
+    end
+
+    it "should raise an error if duplicate string data is compiled" do
+      rules = File.read(sample_file("upx.yara"))
+      lambda { @rules.compile_string(rules) }.should_not raise_error
+      lambda { @rules.compile_string(rules) }.should raise_error(Yara::CompileError)
+      @rules.weight.should > 0
+    end
+
+    it "should indicate the current namespace" do
+      @rules.current_namespace.should be_kind_of(String)
+      @rules.current_namespace.should == "default"
+    end
+
+    it "should indicate all known namespaces" do
+      @rules.namespaces.should be_kind_of(Array)
+      @rules.namespaces.should == ["default"]
+    end
+
+    it "should support setting a new namespace" do
+      @rules.namespaces.should be_kind_of(Array)
+      @rules.namespaces.should == ["default"]
+
+      @rules.set_namespace("a_new_namespace").should == "a_new_namespace"
+      @rules.current_namespace.should == "a_new_namespace"
+      @rules.namespaces.should be_kind_of(Array)
+      @rules.namespaces.should == ["a_new_namespace", "default"]
+    end
+
+    it "should not create duplicate namespaces" do
+      @rules.namespaces.should be_kind_of(Array)
+      @rules.namespaces.should == ["default"]
+
+      @rules.set_namespace("a_new_namespace").should == "a_new_namespace"
+      @rules.current_namespace.should == "a_new_namespace"
+      @rules.namespaces.should be_kind_of(Array)
+      @rules.namespaces.should == ["a_new_namespace", "default"]
+
+      @rules.set_namespace("default").should == "default"
+      @rules.current_namespace.should == "default"
+      @rules.namespaces.should == ["a_new_namespace", "default"]
+
+      @rules.set_namespace("a_new_namespace").should == "a_new_namespace"
+      @rules.current_namespace.should == "a_new_namespace"
+      @rules.namespaces.should == ["a_new_namespace", "default"]
+    end
+
+    it "should scan a file" do
+      @rules.compile_file(sample_file("packers.yara"))
+      @rules.weight.should > 0
+      results = @rules.scan_file(sample_file("DumpMem.exe"))
+      results.should be_kind_of(Array)
+      results.size.should == 1
+      m = results.first
+      m.should be_kind_of(Yara::Match)
+      m.should be_frozen
+
+      m.rule.should == "UPX"
+      m.rule.should be_frozen
+
+      m.namespace.should == "default"
+      m.namespace.should be_frozen
+
+      m.tags.should == ["compression", "packer", "shady"]
+      m.tags.should be_frozen
+      m.tags.map{|v| v.should be_frozen }
+
+      strings = m.strings.sort
+      strings.each do |ms| 
+        ms.should be_kind_of(Yara::MatchString)
+        ms.identifier.should be_frozen
+        ms.buffer.should be_frozen
+      end
+
+      strings.map{|ms| [ms.offset, ms.identifier, md5(ms.buffer)] }.should == [
+        [2824, "$noep5", "af79592a2fc536596fcbe87409734626"],
+        [2830, "$noep3", "04b044f4bfeb6899b6b60ff7d6b1d103"],
+        [3010, "$noep2", "8711f47b104922246e5733211cd832b1"],
+        [3110, "$noep7", "71be53d1049f47219ad8f26a77255229"],
+        [3157, "$noep8", "b9beede7f0d05ee657501cea72e1a453"]
+      ]
+    end
+
+    it "should raise an error if scanning an invalid file" do
+      @rules.compile_file(sample_file("packers.yara"))
+      @rules.weight.should > 0
+      lambda { @rules.scan_file(sample_file("not a real file at all")) }.should raise_error(Yara::ScanError)
+      lambda { @rules.scan_file(Object.new)}.should raise_error(TypeError)
+      lambda { @rules.scan_file(nil)}.should raise_error(TypeError)
+    end
+
+    it "should raise an error if scanning a zero-length file" do
+      @rules.compile_file(sample_file("packers.yara"))
+      @rules.weight.should > 0
+      lambda { @rules.scan_file("/dev/null")}.should raise_error(Yara::ScanError)
+    end
+
+    it "should scan a string" do
+      @rules.compile_file(sample_file("packers.yara"))
+      @rules.weight.should > 0
+      results = @rules.scan_string(File.read(sample_file("DumpMem.exe")))
+      results.should be_kind_of(Array)
+      results.size.should == 1
+      m = results.first
+      m.should be_kind_of(Yara::Match)
+      m.should be_frozen
+
+      m.rule.should == "UPX"
+      m.rule.should be_frozen
+
+      m.namespace.should == "default"
+      m.namespace.should be_frozen
+
+      m.tags.should == ["compression", "packer", "shady"]
+      m.tags.should be_frozen
+      m.tags.map{|v| v.should be_frozen }
+
+      m.strings.should be_frozen
+      strings = m.strings.sort
+      strings.each do |ms| 
+        ms.should be_kind_of(Yara::MatchString)
+        ms.identifier.should be_frozen
+        ms.buffer.should be_frozen
+      end
+
+      strings.map{|ms| [ms.offset, ms.identifier, md5(ms.buffer)] }.should == [
+        [2824, "$noep5", "af79592a2fc536596fcbe87409734626"],
+        [2830, "$noep3", "04b044f4bfeb6899b6b60ff7d6b1d103"],
+        [3010, "$noep2", "8711f47b104922246e5733211cd832b1"],
+        [3110, "$noep7", "71be53d1049f47219ad8f26a77255229"],
+        [3157, "$noep8", "b9beede7f0d05ee657501cea72e1a453"]
+      ]
+
+    end
+
+    it "should raise an error if scanning an invalid string" do
+      @rules.compile_file(sample_file("packers.yara"))
+      @rules.weight.should > 0
+      lambda { @rules.scan_string(Object.new)}.should raise_error(TypeError)
+      lambda { @rules.scan_string(nil)}.should raise_error(TypeError)
+    end
+
+
+  end
+end