yara 1.5.0 → 1.6.0

@@ -1,7 +1,12 @@
1
+ == 1.6.0 /2011-08-26
2
+ * Version 1.6.0 supports yara 1.6 - (backward compatible with yara v1.5)
3
+ * Note: Nothing actually changed in the API for yara 1.6, we are just keeping
4
+ step with yara's version numbers.
5
+
1
6
  == 1.5.0 /2011-04-18
2
7
  * Version 1.5.0 supports yara 1.5 - it is not backward compatible
3
8
 
4
- == 1.4.3 / 2011-04-11
9
+ == 1.4.4 / 2011-04-11
5
10
  * Support optional namespaces when calling compile_file or compile_string
6
11
  * Better yardoc tags
7
12
 
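--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
-1.5.0
+1.6.0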
@@ -57,6 +57,9 @@ const char * SCAN_ERRORS[] = {
57
57
  "duplicate meta identifier",
58
58
  "includes circular reference",
59
59
  "incorrect external variable type",
60
+ "could not attach to process",
61
+ "vector too long",
62
+ "include depth exceeded"
60
63
  };
61
64
 
62
65
  typedef struct {
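Review bot: Nothing in the code ties the size of SCAN_ERRORS to MAX_SCAN_ERROR, which the following header hunk bumps from 29 to 32 by hand; the next yara error added to one and not the other shifts the bound check and lets an out-of-range error code index past the end of the array. The header only declares the array as extern, so sizeof cannot be used there, but a compile-time check beside the definition in this file can pin it: `typedef char scan_errors_size_check[(sizeof(SCAN_ERRORS) / sizeof(SCAN_ERRORS[0]) == MAX_SCAN_ERROR + 1) ? 1 : -1];`. Whether MAX_SCAN_ERROR is the last valid index (hence the `+ 1`) or the count depends on the lookup that uses it, which is outside this hunk; confirm before wiring the check in. The array definition starts before the hunk.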
@@ -31,7 +31,7 @@ extern const char * SCAN_ERRORS[];
31
31
 
32
32
  void init_Match();
33
33
 
34
- #define MAX_SCAN_ERROR 29
34
+ #define MAX_SCAN_ERROR 32
35
35
 
36
36
  #endif
37
37
 
@@ -0,0 +1,70 @@
1
+ #!/usr/bin/env ruby
2
+ # Simple yara-ruby script to extract SWF files from raw blobs
3
+ #
4
+ # yara-ruby - Ruby bindings for the yara malware analysis library.
5
+ # Eric Monti
6
+ # Copyright (C) 2011 Trustwave Holdings
7
+ #
8
+ # This program is free software: you can redistribute it and/or modify it
9
+ # under the terms of the GNU General Public License as published by the
10
+ # Free Software Foundation, either version 3 of the License, or (at your
11
+ # option) any later version.
12
+ #
13
+ # This program is distributed in the hope that it will be useful, but
14
+ # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15
+ # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16
+ # for more details.
17
+ #
18
+ # You should have received a copy of the GNU General Public License along
19
+ # with this program. If not, see <http://www.gnu.org/licenses/>.
20
+ #
21
+ $: << File.join(File.dirname(__FILE__), '..', 'lib')
22
+ require 'yara'
23
+ require 'pp'
24
+
25
+ ctx = Yara::Rules.new
26
+ ctx.compile_string <<_EOF_
27
+ rule fws
28
+ {
29
+ meta:
30
+ desc = "SWF file"
31
+ ext = "swf"
32
+ strings: $a = { 46 57 53 }
33
+ condition: $a
34
+ }
35
+
36
+ rule cws
37
+ {
38
+ meta:
39
+ desc = "Compressed SWF file"
40
+ ext = "swf"
41
+ strings: $a = { 43 57 53 }
42
+ condition: $a
43
+ }
44
+
45
+ _EOF_
46
+
47
+
48
+ ARGV.each do |fname|
49
+ begin
50
+ file = File.new(fname, 'rb')
51
+ ctx.scan_file(fname).each do |match|
52
+ match.strings.each do |string|
53
+ file.pos = string.offset
54
+ hdr = file.read(8)
55
+
56
+ magic, vers, len = hdr.unpack("A3CV")
57
+
58
+ outf = "#{fname}_%0.8x.#{match.meta['ext']}" % string.offset
59
+ STDERR.puts "Found #{match.meta['desc']} version #{vers} in #{fname.inspect} @0x#{string.offset.to_s(16)} - writing to #{outf.inspect}"
60
+
61
+ File.open(outf, 'wb') do |out|
62
+ out.write hdr
63
+ out.write file.read(len-8)
64
+ end
65
+ end
66
+ end
67
+ ensure
68
+ file.close if file
69
+ end
70
+ end
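Review bot: The length field read from the scanned blob is trusted without any check before `file.read(len-8)`: a truncated header leaves `hdr` shorter than 8 bytes so `len` is nil and the subtraction raises, a declared length below 8 gives a negative read length and an ArgumentError, and a large value pulls up to 4 GiB of the input into memory before anything is written — a poor failure mode for a tool pointed at untrusted samples. Validate the header, clamp the body length to what remains in the file and stream it with IO.copy_stream instead of buffering; the rewritten inner loop body is below. The begin/ensure pair would also read better as the block form `File.open(fname, 'rb') do |file| ... end`, which closes the handle on every exit path, and `require 'pp'` is unused.

```ruby
      file.pos = string.offset
      hdr = file.read(8)
      next unless hdr && hdr.bytesize == 8

      magic, vers, len = hdr.unpack("A3CV")
      next if len < 8

      # … unchanged: outf and STDERR.puts …

      # never read more than the file actually holds past the header
      body_len = [len - 8, File.size(fname) - file.pos].min
      File.open(outf, 'wb') do |out|
        out.write hdr
        IO.copy_stream(file, out, body_len)
      end
```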
metadata CHANGED
@@ -4,9 +4,9 @@ version: !ruby/object:Gem::Version
4
4
  prerelease: false
5
5
  segments:
6
6
  - 1
7
- - 5
7
+ - 6
8
8
  - 0
9
- version: 1.5.0
9
+ version: 1.6.0
10
10
  platform: ruby
11
11
  authors:
12
12
  - Eric Monti
@@ -14,13 +14,13 @@ autorequire:
14
14
  bindir: bin
15
15
  cert_chain: []
16
16
 
17
- date: 2011-04-18 00:00:00 -05:00
17
+ date: 2011-08-26 00:00:00 -05:00
18
18
  default_executable:
19
19
  dependencies:
20
20
  - !ruby/object:Gem::Dependency
21
21
  name: rspec
22
+ prerelease: false
22
23
  requirement: &id001 !ruby/object:Gem::Requirement
23
- none: false
24
24
  requirements:
25
25
  - - ~>
26
26
  - !ruby/object:Gem::Version
@@ -30,12 +30,11 @@ dependencies:
30
30
  - 0
31
31
  version: 2.3.0
32
32
  type: :development
33
- prerelease: false
34
33
  version_requirements: *id001
35
34
  - !ruby/object:Gem::Dependency
36
35
  name: yard
36
+ prerelease: false
37
37
  requirement: &id002 !ruby/object:Gem::Requirement
38
- none: false
39
38
  requirements:
40
39
  - - ~>
41
40
  - !ruby/object:Gem::Version
@@ -45,12 +44,11 @@ dependencies:
45
44
  - 0
46
45
  version: 0.6.0
47
46
  type: :development
48
- prerelease: false
49
47
  version_requirements: *id002
50
48
  - !ruby/object:Gem::Dependency
51
49
  name: bundler
50
+ prerelease: false
52
51
  requirement: &id003 !ruby/object:Gem::Requirement
53
- none: false
54
52
  requirements:
55
53
  - - ~>
56
54
  - !ruby/object:Gem::Version
@@ -60,12 +58,11 @@ dependencies:
60
58
  - 0
61
59
  version: 1.0.0
62
60
  type: :development
63
- prerelease: false
64
61
  version_requirements: *id003
65
62
  - !ruby/object:Gem::Dependency
66
63
  name: jeweler
64
+ prerelease: false
67
65
  requirement: &id004 !ruby/object:Gem::Requirement
68
- none: false
69
66
  requirements:
70
67
  - - ~>
71
68
  - !ruby/object:Gem::Version
@@ -75,12 +72,11 @@ dependencies:
75
72
  - 2
76
73
  version: 1.5.2
77
74
  type: :development
78
- prerelease: false
79
75
  version_requirements: *id004
80
76
  - !ruby/object:Gem::Dependency
81
77
  name: rcov
78
+ prerelease: false
82
79
  requirement: &id005 !ruby/object:Gem::Requirement
83
- none: false
84
80
  requirements:
85
81
  - - ">="
86
82
  - !ruby/object:Gem::Version
@@ -88,12 +84,11 @@ dependencies:
88
84
  - 0
89
85
  version: "0"
90
86
  type: :development
91
- prerelease: false
92
87
  version_requirements: *id005
93
88
  - !ruby/object:Gem::Dependency
94
89
  name: rake-compiler
90
+ prerelease: false
95
91
  requirement: &id006 !ruby/object:Gem::Requirement
96
- none: false
97
92
  requirements:
98
93
  - - ">="
99
94
  - !ruby/object:Gem::Version
@@ -101,7 +96,6 @@ dependencies:
101
96
  - 0
102
97
  version: "0"
103
98
  type: :development
104
- prerelease: false
105
99
  version_requirements: *id006
106
100
  description: Ruby bindings for the yara malware analysis library
107
101
  email: emonti@trustwave.com
@@ -132,6 +126,7 @@ files:
132
126
  - ext/yara_native/Yara_native.h
133
127
  - ext/yara_native/extconf.rb
134
128
  - lib/yara.rb
129
+ - samples/flashfinder
135
130
  - samples/ispe.rb
136
131
  - samples/sslkeyfinder
137
132
  - samples/upx.rb
@@ -151,16 +146,13 @@ rdoc_options: []
151
146
  require_paths:
152
147
  - lib
153
148
  required_ruby_version: !ruby/object:Gem::Requirement
154
- none: false
155
149
  requirements:
156
150
  - - ">="
157
151
  - !ruby/object:Gem::Version
158
- hash: -9224945978915744
159
152
  segments:
160
153
  - 0
161
154
  version: "0"
162
155
  required_rubygems_version: !ruby/object:Gem::Requirement
163
- none: false
164
156
  requirements:
165
157
  - - ">="
166
158
  - !ruby/object:Gem::Version
@@ -170,7 +162,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
170
162
  requirements: []
171
163
 
172
164
  rubyforge_project:
173
- rubygems_version: 1.3.7
165
+ rubygems_version: 1.3.6
174
166
  signing_key:
175
167
  specification_version: 3
176
168
  summary: Ruby bindings for libyara