yara 1.4.1

data/.document

@@ -0,0 +1,5 @@
+lib/**/*.rb
+bin/*
+- 
+features/**/*.feature
+LICENSE.txt

data/.rspec

@@ -0,0 +1,2 @@
+--color
+--format nested

data/Gemfile

@@ -0,0 +1,15 @@
+source "http://rubygems.org"
+# Add dependencies required to use your gem here.
+# Example:
+#   gem "activesupport", ">= 2.3.5"
+
+# Add dependencies to develop your gem here.
+# Include everything needed to run rake, tests, features, etc.
+group :development do
+  gem "rspec", "~> 2.3.0"
+  gem "yard", "~> 0.6.0"
+  gem "bundler", "~> 1.0.0"
+  gem "jeweler", "~> 1.5.2"
+  gem "rcov", ">= 0"
+  gem "rake-compiler", ">= 0"
+end

data/History.txt

@@ -0,0 +1,6 @@
+== 1.4.1 / 2011-01-11
+  * Official initial release 
+
+== 1.4.0 / 2011-01-11
+  * Initial version published. C bindings are based on yara v1.4.0.
+

data/LICENSE.txt

@@ -0,0 +1,165 @@
+                   GNU LESSER GENERAL PUBLIC LICENSE
+                       Version 3, 29 June 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+
+  This version of the GNU Lesser General Public License incorporates
+the terms and conditions of version 3 of the GNU General Public
+License, supplemented by the additional permissions listed below.
+
+  0. Additional Definitions.
+
+  As used herein, "this License" refers to version 3 of the GNU Lesser
+General Public License, and the "GNU GPL" refers to version 3 of the GNU
+General Public License.
+
+  "The Library" refers to a covered work governed by this License,
+other than an Application or a Combined Work as defined below.
+
+  An "Application" is any work that makes use of an interface provided
+by the Library, but which is not otherwise based on the Library.
+Defining a subclass of a class defined by the Library is deemed a mode
+of using an interface provided by the Library.
+
+  A "Combined Work" is a work produced by combining or linking an
+Application with the Library.  The particular version of the Library
+with which the Combined Work was made is also called the "Linked
+Version".
+
+  The "Minimal Corresponding Source" for a Combined Work means the
+Corresponding Source for the Combined Work, excluding any source code
+for portions of the Combined Work that, considered in isolation, are
+based on the Application, and not on the Linked Version.
+
+  The "Corresponding Application Code" for a Combined Work means the
+object code and/or source code for the Application, including any data
+and utility programs needed for reproducing the Combined Work from the
+Application, but excluding the System Libraries of the Combined Work.
+
+  1. Exception to Section 3 of the GNU GPL.
+
+  You may convey a covered work under sections 3 and 4 of this License
+without being bound by section 3 of the GNU GPL.
+
+  2. Conveying Modified Versions.
+
+  If you modify a copy of the Library, and, in your modifications, a
+facility refers to a function or data to be supplied by an Application
+that uses the facility (other than as an argument passed when the
+facility is invoked), then you may convey a copy of the modified
+version:
+
+   a) under this License, provided that you make a good faith effort to
+   ensure that, in the event an Application does not supply the
+   function or data, the facility still operates, and performs
+   whatever part of its purpose remains meaningful, or
+
+   b) under the GNU GPL, with none of the additional permissions of
+   this License applicable to that copy.
+
+  3. Object Code Incorporating Material from Library Header Files.
+
+  The object code form of an Application may incorporate material from
+a header file that is part of the Library.  You may convey such object
+code under terms of your choice, provided that, if the incorporated
+material is not limited to numerical parameters, data structure
+layouts and accessors, or small macros, inline functions and templates
+(ten or fewer lines in length), you do both of the following:
+
+   a) Give prominent notice with each copy of the object code that the
+   Library is used in it and that the Library and its use are
+   covered by this License.
+
+   b) Accompany the object code with a copy of the GNU GPL and this license
+   document.
+
+  4. Combined Works.
+
+  You may convey a Combined Work under terms of your choice that,
+taken together, effectively do not restrict modification of the
+portions of the Library contained in the Combined Work and reverse
+engineering for debugging such modifications, if you also do each of
+the following:
+
+   a) Give prominent notice with each copy of the Combined Work that
+   the Library is used in it and that the Library and its use are
+   covered by this License.
+
+   b) Accompany the Combined Work with a copy of the GNU GPL and this license
+   document.
+
+   c) For a Combined Work that displays copyright notices during
+   execution, include the copyright notice for the Library among
+   these notices, as well as a reference directing the user to the
+   copies of the GNU GPL and this license document.
+
+   d) Do one of the following:
+
+       0) Convey the Minimal Corresponding Source under the terms of this
+       License, and the Corresponding Application Code in a form
+       suitable for, and under terms that permit, the user to
+       recombine or relink the Application with a modified version of
+       the Linked Version to produce a modified Combined Work, in the
+       manner specified by section 6 of the GNU GPL for conveying
+       Corresponding Source.
+
+       1) Use a suitable shared library mechanism for linking with the
+       Library.  A suitable mechanism is one that (a) uses at run time
+       a copy of the Library already present on the user's computer
+       system, and (b) will operate properly with a modified version
+       of the Library that is interface-compatible with the Linked
+       Version.
+
+   e) Provide Installation Information, but only if you would otherwise
+   be required to provide such information under section 6 of the
+   GNU GPL, and only to the extent that such information is
+   necessary to install and execute a modified version of the
+   Combined Work produced by recombining or relinking the
+   Application with a modified version of the Linked Version. (If
+   you use option 4d0, the Installation Information must accompany
+   the Minimal Corresponding Source and Corresponding Application
+   Code. If you use option 4d1, you must provide the Installation
+   Information in the manner specified by section 6 of the GNU GPL
+   for conveying Corresponding Source.)
+
+  5. Combined Libraries.
+
+  You may place library facilities that are a work based on the
+Library side by side in a single library together with other library
+facilities that are not Applications and are not covered by this
+License, and convey such a combined library under terms of your
+choice, if you do both of the following:
+
+   a) Accompany the combined library with a copy of the same work based
+   on the Library, uncombined with any other library facilities,
+   conveyed under the terms of this License.
+
+   b) Give prominent notice with the combined library that part of it
+   is a work based on the Library, and explaining where to find the
+   accompanying uncombined form of the same work.
+
+  6. Revised Versions of the GNU Lesser General Public License.
+
+  The Free Software Foundation may publish revised and/or new versions
+of the GNU Lesser General Public License from time to time. Such new
+versions will be similar in spirit to the present version, but may
+differ in detail to address new problems or concerns.
+
+  Each version is given a distinguishing version number. If the
+Library as you received it specifies that a certain numbered version
+of the GNU Lesser General Public License "or any later version"
+applies to it, you have the option of following the terms and
+conditions either of that published version or of any later version
+published by the Free Software Foundation. If the Library as you
+received it does not specify a version number of the GNU Lesser
+General Public License, you may choose any version of the GNU Lesser
+General Public License ever published by the Free Software Foundation.
+
+  If the Library as you received it specifies that a proxy can decide
+whether future versions of the GNU Lesser General Public License shall
+apply, that proxy's public statement of acceptance of any version is
+permanent authorization for you to choose that version for the
+Library.

data/README.rdoc

@@ -0,0 +1,43 @@
+= yara
+
+Ruby bindings for the yara malware analysis library.
+
+YARA is a tool aimed at helping malware researchers to identify and classify 
+malware families. With YARA you can create descriptions of malware families
+based on textual or binary information contained on samples of those families.
+These descriptions, named rules, consist of a set of strings and a Boolean
+expression which determines the rule logic.
+
+See http://code.google.com/p/yara-project for more information.
+
+== Synopsis
+
+  # basic example... find all PE files under the current dir
+
+  require 'yara'
+
+  ctx = Yara::Rules.new
+  ctx.compile_string "rule IsPE { condition: uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 }"
+
+  Dir["**/*", "*"].each do |fname|
+    begin
+      next unless File.file?(fname)
+      ctx.scan_file(fname).each {|match| puts "#{fname} -> #{match.rule}" }
+    rescue Yara::ScanError => e
+      STDERR.puts e
+    end
+  end
+
+== Versioning
+The current version is of libyara at the time of writing 1.4.0. 
+The major and minor version numbers of the ruby library are intended
+to be in step with the C api version.
+
+== Requirements
+* libyara 1.4 must be installed - http://code.google.com/p/yara-project/
+
+== Copyright
+
+Copyright (c) 2011 Eric Monti. See LICENSE.txt for
+further details.
+

data/Rakefile

@@ -0,0 +1,52 @@
+require 'rubygems'
+require 'bundler'
+require 'rake/extensiontask'
+
+begin
+  Bundler.setup(:default, :development)
+rescue Bundler::BundlerError => e
+  $stderr.puts e.message
+  $stderr.puts "Run `bundle install` to install missing gems"
+  exit e.status_code
+end
+require 'rake'
+
+require 'jeweler'
+Jeweler::Tasks.new do |gem|
+  # gem is a Gem::Specification... see http://docs.rubygems.org/read/chapter/20 for more options
+  gem.name = "yara"
+  gem.homepage = "http://github.com/SpiderLabs/yara-ruby"
+  gem.summary = %Q{Ruby Bindings for libyara}
+  gem.description = %Q{Ruby Bindings for the yara malware analysis library}
+  gem.email = "emonti@trustwave.com"
+  gem.authors = ["Eric Monti"]
+
+  gem.extensions = FileList['ext/**/extconf.rb']
+
+  # Include your dependencies below. Runtime dependencies are required when using your gem,
+  # and development dependencies are only needed for development (ie running rake tasks, tests, etc)
+  #  gem.add_runtime_dependency 'jabber4r', '> 0.1'
+  #  gem.add_development_dependency 'rspec', '> 1.2.3'
+end
+Jeweler::RubygemsDotOrgTasks.new
+
+Rake::ExtensionTask.new("yara_native")
+
+CLEAN.include("lib/*.bundle")
+CLEAN.include("lib/*.so")
+
+require 'rspec/core'
+require 'rspec/core/rake_task'
+RSpec::Core::RakeTask.new(:spec => :compile ) do |spec|
+  spec.pattern = FileList['spec/**/*_spec.rb']
+end
+
+RSpec::Core::RakeTask.new(:rcov) do |spec|
+  spec.pattern = 'spec/**/*_spec.rb'
+  spec.rcov = true
+end
+
+task :default => :spec
+
+require 'yard'
+YARD::Rake::YardocTask.new

data/VERSION

@@ -0,0 +1 @@
+1.4.1

data/ext/yara_native/Match.c

@@ -0,0 +1,191 @@
+#include "Match.h"
+#include <strings.h>
+#include <stdlib.h>
+
+VALUE class_Match = Qnil;
+VALUE class_MatchString = Qnil;
+
+const char * SCAN_ERRORS[] = {
+  NULL,
+  "insuficient memory",
+  "duplicate rule identifier",
+  "invalid char in hex string",
+  "mismatched bracket",
+  "skip at end",
+  "invalid skip value",
+  "unpaired nibble",
+  "consecutive skips",
+  "misplaced wildcard or skip",
+  "undefined string",
+  "undefined identifier",
+  "could not open file",
+  "invalid regular expression",
+  "syntax error",
+  "duplicate tag identifier",
+  "unreferenced string",
+  "duplicate string identifier",
+  "callback error",
+  "misplaced or operator",
+  "invalid or operation syntax",
+  "skip inside or operation",
+  "nested or operation",
+  "misplaced anonymous string",
+  "could not map file",
+  "zero length file",
+  "invalid argument",
+  "duplicate meta identifier",
+  "includes circular reference",
+  "incorrect external variable type",
+};
+
+
+typedef struct {
+  VALUE rule;
+  VALUE namespace;
+  VALUE tags;
+  VALUE strings;
+  VALUE meta;
+} match_info;
+
+typedef struct {
+  VALUE offset;
+  VALUE identifier;
+  VALUE buffer;
+} match_string;
+
+VALUE 
+MatchString_NEW(int offset, char *ident, char *buf, size_t buflen) {
+  match_string *ms;
+
+  ms = (match_string *) malloc(sizeof(match_string));
+
+  if (! ms)
+    rb_raise(rb_eNoMemError, "Can't allocate MatchString");
+
+  ms->offset      = INT2NUM(offset);
+  ms->identifier  = rb_obj_freeze(rb_str_new2(ident));
+  ms->buffer      = rb_obj_freeze(rb_str_new(buf, buflen));
+
+  return rb_obj_freeze(Data_Wrap_Struct(class_MatchString, 0, 0, ms));
+}
+
+int 
+Match_NEW_from_rule(RULE *rule, unsigned char *buffer, VALUE *match) {
+  match_info *mi;
+
+  TAG *tag;
+  STRING *string;
+  MATCH *m;
+  META *meta;
+
+  if (!(rule->flags & RULE_FLAGS_MATCH))
+    return 0;
+
+  mi = (match_info *) malloc(sizeof(match_info));
+  if (! mi )
+    return 1;
+
+  mi->rule      = rb_obj_freeze(rb_str_new2(rule->identifier));
+  mi->namespace = rb_obj_freeze(rb_str_new2(rule->namespace->name));
+  mi->tags      = rb_ary_new();
+  mi->strings   = rb_ary_new();
+  mi->meta      = rb_hash_new();
+
+  tag = rule->tag_list_head;
+  while (tag) {
+    rb_ary_push(mi->tags, rb_obj_freeze(rb_str_new2(tag->identifier)));
+    tag = tag->next;
+  }
+  rb_ary_sort_bang(mi->tags);
+  rb_obj_freeze(mi->tags);
+
+  string = rule->string_list_head;
+  while(string) {
+    if (string->flags & STRING_FLAGS_FOUND) {
+      m = string->matches;
+      while (m) {
+       rb_ary_push(mi->strings, MatchString_NEW(m->offset, string->identifier, buffer + m->offset, m->length));
+        m = m->next;
+      }
+    }
+    string = string->next;
+  }
+  rb_obj_freeze(mi->strings);
+
+  meta = rule->meta_list_head;
+  while(meta) {
+    // ... TODO
+    meta = meta->next;
+  }
+  rb_obj_freeze(mi->meta);
+
+  *(match) = rb_obj_freeze(Data_Wrap_Struct(class_Match, 0, 0, mi));
+
+  return 0;
+}
+
+VALUE match_rule(VALUE self) {
+  match_info *mi;
+  Data_Get_Struct(self, match_info, mi);
+  return mi->rule;
+}
+
+VALUE match_namespace(VALUE self) {
+  match_info *mi;
+  Data_Get_Struct(self, match_info, mi);
+  return mi->namespace;
+}
+
+VALUE match_tags(VALUE self) {
+  match_info *mi;
+  Data_Get_Struct(self, match_info, mi);
+  return mi->tags;
+}
+
+VALUE match_strings(VALUE self) {
+  match_info *mi;
+  Data_Get_Struct(self, match_info, mi);
+  return mi->strings;
+}
+
+VALUE match_meta(VALUE self) {
+  match_info *mi;
+  Data_Get_Struct(self, match_info, mi);
+  return mi->meta;
+}
+
+VALUE matchstring_identifier(VALUE self) {
+  match_string *ms;
+  Data_Get_Struct(self, match_string, ms);
+  return ms->identifier;
+}
+
+VALUE matchstring_offset(VALUE self) {
+  match_string *ms;
+  Data_Get_Struct(self, match_string, ms);
+  return ms->offset;
+}
+
+VALUE matchstring_buffer(VALUE self) {
+  match_string *ms;
+  Data_Get_Struct(self, match_string, ms);
+  return ms->buffer;
+}
+
+
+void 
+init_match(VALUE rb_ns) {
+  class_Match = rb_define_class_under(rb_ns, "Match", rb_cObject);
+  rb_define_method(class_Match, "rule", match_rule, 0);
+  rb_define_method(class_Match, "namespace", match_namespace, 0);
+  rb_define_method(class_Match, "tags", match_tags, 0);
+  rb_define_method(class_Match, "strings", match_strings, 0);
+  rb_define_method(class_Match, "meta", match_meta, 0);
+
+  class_MatchString = rb_define_class_under(rb_ns, "MatchString", rb_cObject);
+  rb_define_method(class_MatchString, "identifier", matchstring_identifier, 0);
+  rb_define_method(class_MatchString, "offset", matchstring_offset, 0);
+  rb_define_method(class_MatchString, "buffer", matchstring_buffer, 0);
+}
+
+

data/ext/yara_native/Match.h

@@ -0,0 +1,22 @@
+#ifndef RB_MATCH_H_GUARD
+#define RB_MATCH_H_GUARD
+
+#include "ruby.h"
+#include <yara.h>
+
+extern VALUE class_Match;
+extern VALUE class_MatchString;
+
+extern void 
+init_match(VALUE ruby_namespace);
+
+extern int
+Match_NEW_from_rule(RULE * rule, unsigned char * buffer, VALUE * match);
+
+extern const char * SCAN_ERRORS[];
+
+#define MAX_SCAN_ERROR 29
+
+#endif
+
+