Merge remote-tracking branch 'origin/master'

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,27 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: bug
+assignees: ''
+
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Please complete the following information:**
+ - OS: [e.g. iOS]
+ - YARA version: [e.g. 4.3.0]
+
+**Additional context**
+Add any other context about the problem here.

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,20 @@
+---
+name: Feature request
+about: Suggest a new feature for this project
+title: ''
+labels: feature-request
+assignees: ''
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.

README.md

@@ -125,6 +125,7 @@ awesome list of [YARA-related stuff](https://github.com/InQuest/awesome-yara).
 * [ThreatConnect](https://www.threatconnect.com/)
 * [ThreatStream, Inc.](https://www.threatstream.com)
 * [Thug](https://github.com/buffer/thug)
+* [Threat.Zone](https://threat.zone)
 * [TouchWeb](https://www.touchweb.fr)
 * [Trend Micro](https://www.trendmicro.com)
 * [Uptycs Inc](https://www.uptycs.com/)

docs/modules/math.rst

@@ -157,11 +157,54 @@ file and create signatures based on those results.
 .. c:function:: mode(offset, size)
 
     .. versionadded:: 4.2.0
-    
+
     Returns the most common byte, starting at *offset* and looking at the next
     *size* bytes. When scanning a
     running process the *offset* argument should be a virtual address within
     the process address space. The returned value is a float.
     *offset* and *size* are optional; if left empty, the complete file is searched.
 
     *Example: math.mode(0, filesize) == 0xFF*
+
+.. c:function:: to_string(int)
+
+    .. versionadded:: 4.3.0
+
+    Convert the given integer to a string. Note: integers in YARA are signed.
+
+    *Example: math.to_string(10) == "10"*
+    *Example: math.to_string(-1) == "-1"*
+
+.. c:function:: to_string(int, base)
+
+    .. versionadded:: 4.3.0
+
+    Convert the given integer to a string in the given base. Supported bases are
+    10, 8 and 16. Note: integers in YARA are signed.
+
+    *Example: math.to_string(32, 16) == "20"*
+    *Example: math.to_string(-1, 16) == "ffffffffffffffff"*
+
+.. c:function:: to_int(string)
+
+    .. versionadded:: 4.3.0
+
+    Convert the given string to a signed integer. If the string starts with "0x"
+    it is treated as base 16. If the string starts with "0" it is treated base
+    8. Leading '+' or '-' is also supported.
+
+    *Example: math.to_int("1234") == 1234*
+    *Example: math.to_int("-10") == -10*
+    *Example: math.to_int("-010" == -8*
+
+.. c:function:: to_int(string, base)
+
+    .. versionadded:: 4.3.0
+
+    Convert the given string, interpreted with the given base, to a signed
+    integer. Base must be 0 or between 2 and 32 inclusive. If it is zero then
+    the string will be intrepreted as base 16 if it starts with "0x" or as base
+    8 if it starts with "0". Leading '+' or '-' is also supported.
+
+    *Example: math.to_int("011", 8) == "9"*
+    *Example: math.to_int("-011", 0) == "-9"*

docs/modules/pe.rst

@@ -1331,6 +1331,12 @@ Reference
 
             Ordinal of imported function. If ordinal does not exist this value is YR_UNDEFINED
 
+        .. c:member:: rva
+
+            .. versionadded:: 4.3.0
+
+            Relative virtual address (RVA) of imported function. If rva not found then this value is YR_UNDEFINED
+
     *Example: pe.import_details[1].library_name == "library_name"
 
 .. c:type:: delayed_import_details
@@ -1359,6 +1365,12 @@ Reference
 
             Ordinal of imported function. If ordinal does not exist this value is YR_UNDEFINED
 
+        .. c:member:: rva
+
+            .. versionadded:: 4.3.0
+
+            Relative virtual address (RVA) of imported function. If rva not found then this value is YR_UNDEFINED
+
     *Example: pe.delayed_import_details[1].name == "library_name"
 
 .. c:function:: locale(locale_identifier)

libyara/arena.c

@@ -27,6 +27,7 @@ ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 
+#include <assert.h>
 #include <stdarg.h>
 #include <stddef.h>
 #include <yara/arena.h>

libyara/include/yara.h

@@ -40,6 +40,7 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 #include "yara/object.h"
 #include "yara/scanner.h"
 #include "yara/stream.h"
+#include "yara/strutils.h"
 #include "yara/utils.h"
 
 #endif

libyara/include/yara/pe_utils.h

@@ -42,6 +42,7 @@ typedef struct _IMPORT_FUNCTION
   char* name;
   uint8_t has_ordinal;
   uint16_t ordinal;
+  uint64_t rva;
 
   struct _IMPORT_FUNCTION* next;
 

libyara/include/yara/strutils.h

@@ -58,6 +58,10 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 #define PRIi32 "I32i"
 #endif
 
+#if !defined(PRIo64)
+#define PRIo64 "I64o"
+#endif
+
 #else
 #include <inttypes.h>
 #endif

libyara/include/yara/utils.h

@@ -31,7 +31,6 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 #define YR_UTILS_H
 
 #include <limits.h>
-#include <yara/strutils.h>
 
 #ifndef NULL
 #define NULL 0

libyara/modules/hash/hash.c

@@ -30,6 +30,7 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 #include <yara/globals.h>
 #include <yara/mem.h>
 #include <yara/modules.h>
+#include <yara/strutils.h>
 
 #include "../crypto.h"
 

libyara/modules/math/math.c

@@ -27,14 +27,20 @@ ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 
+#include <stdlib.h>
+#include <errno.h>
 #include <math.h>
 #include <yara/mem.h>
 #include <yara/modules.h>
+#include <yara/strutils.h>
 #include <yara/utils.h>
 
 #define MODULE_NAME math
 
 #define PI 3.141592653589793
+// This is more than enough space to hold the maximum signed 64bit integer as a
+// string in decimal, hex or octal, including the sign and NULL terminator.
+#define INT64_MAX_STRING 30
 
 // log2 is not defined by math.h in VC++
 
@@ -721,6 +727,53 @@ define_function(mode_global)
   return_integer(most_common);
 }
 
+define_function(to_string)
+{
+  int64_t i = integer_argument(1);
+  char str[INT64_MAX_STRING];
+  snprintf(str, INT64_MAX_STRING, "%" PRId64, i);
+  return_string(&str);
+}
+
+define_function(to_string_base)
+{
+  int64_t i = integer_argument(1);
+  int64_t base = integer_argument(2);
+  char str[INT64_MAX_STRING];
+  char *fmt;
+  switch (base)
+  {
+  case 10:
+    fmt = "%" PRId64;
+    break;
+  case 8:
+    fmt = "%" PRIo64;
+    break;
+  case 16:
+    fmt = "%" PRIx64;
+    break;
+  default:
+    return_string(YR_UNDEFINED);
+  }
+  snprintf(str, INT64_MAX_STRING, fmt, i);
+  return_string(&str);
+}
+
+define_function(to_int)
+{
+  char* s = string_argument(1);
+  int64_t result = strtoll(s, NULL, 0);
+  return_integer(result == 0 && errno ? YR_UNDEFINED : result);
+}
+
+define_function(to_int_base)
+{
+  char* s = string_argument(1);
+  int64_t base = integer_argument(2);
+  int64_t result = strtoll(s, NULL, base);
+  return_integer(result == 0 && errno ? YR_UNDEFINED : result);
+}
+
 begin_declarations
   declare_float("MEAN_BYTES");
   declare_function("in_range", "fff", "i", in_range);
@@ -744,6 +797,10 @@ begin_declarations
   declare_function("percentage", "i", "f", percentage_global);
   declare_function("mode", "ii", "i", mode_range);
   declare_function("mode", "", "i", mode_global);
+  declare_function("to_string", "i", "s", to_string);
+  declare_function("to_string", "ii", "s", to_string_base);
+  declare_function("to_int", "s", "i", to_int);
+  declare_function("to_int", "si", "i", to_int_base);
 end_declarations
 
 int module_initialize(YR_MODULE* module)