diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md new file mode 100644 index 0000000000..54ca3e2950 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -0,0 +1,27 @@ +--- +name: Bug report +about: Create a report to help us improve +title: '' +labels: bug +assignees: '' + +--- + +**Describe the bug** +A clear and concise description of what the bug is. + +**To Reproduce** +Steps to reproduce the behavior: + +**Expected behavior** +A clear and concise description of what you expected to happen. + +**Screenshots** +If applicable, add screenshots to help explain your problem. + +**Please complete the following information:** + - OS: [e.g. iOS] + - YARA version: [e.g. 4.3.0] + +**Additional context** +Add any other context about the problem here. diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md new file mode 100644 index 0000000000..e9ed7c90e4 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/feature_request.md @@ -0,0 +1,20 @@ +--- +name: Feature request +about: Suggest a new feature for this project +title: '' +labels: feature-request +assignees: '' + +--- + +**Is your feature request related to a problem? Please describe.** +A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] + +**Describe the solution you'd like** +A clear and concise description of what you want to happen. + +**Describe alternatives you've considered** +A clear and concise description of any alternative solutions or features you've considered. + +**Additional context** +Add any other context or screenshots about the feature request here. diff --git a/README.md b/README.md index 569511e33e..84b391a5b1 100644 --- a/README.md +++ b/README.md 
@@ -125,6 +125,7 @@ awesome list of [YARA-related stuff](https://github.com/InQuest/awesome-yara). * [ThreatConnect](https://www.threatconnect.com/) * [ThreatStream, Inc.](https://www.threatstream.com) * [Thug](https://github.com/buffer/thug) +* [Threat.Zone](https://threat.zone) * [TouchWeb](https://www.touchweb.fr) * [Trend Micro](https://www.trendmicro.com) * [Uptycs Inc](https://www.uptycs.com/) diff --git a/docs/modules/math.rst b/docs/modules/math.rst index 79ba011133..bd4c855c57 100644 --- a/docs/modules/math.rst +++ b/docs/modules/math.rst @@ -157,7 +157,7 @@ file and create signatures based on those results. .. c:function:: mode(offset, size) .. versionadded:: 4.2.0 - + Returns the most common byte, starting at *offset* and looking at the next *size* bytes. When scanning a running process the *offset* argument should be a virtual address within 
@@ -165,3 +165,46 @@ file and create signatures based on those results. *offset* and *size* are optional; if left empty, the complete file is searched. *Example: math.mode(0, filesize) == 0xFF* + +.. c:function:: to_string(int) + + .. versionadded:: 4.3.0 + + Convert the given integer to a string. Note: integers in YARA are signed. + + *Example: math.to_string(10) == "10"* + *Example: math.to_string(-1) == "-1"* + +.. c:function:: to_string(int, base) + + .. versionadded:: 4.3.0 + + Convert the given integer to a string in the given base. Supported bases are + 10, 8 and 16. Note: integers in YARA are signed. + + *Example: math.to_string(32, 16) == "20"* + *Example: math.to_string(-1, 16) == "ffffffffffffffff"* + +.. c:function:: to_int(string) + + .. versionadded:: 4.3.0 + + Convert the given string to a signed integer. If the string starts with "0x" + it is treated as base 16. If the string starts with "0" it is treated base + 8. Leading '+' or '-' is also supported. + + *Example: math.to_int("1234") == 1234* + *Example: math.to_int("-10") == -10* + *Example: math.to_int("-010" == -8* + +.. c:function:: to_int(string, base) + + .. versionadded:: 4.3.0 + + Convert the given string, interpreted with the given base, to a signed + integer. Base must be 0 or between 2 and 32 inclusive. If it is zero then + the string will be intrepreted as base 16 if it starts with "0x" or as base + 8 if it starts with "0". Leading '+' or '-' is also supported. + + *Example: math.to_int("011", 8) == "9"* + *Example: math.to_int("-011", 0) == "-9"* diff --git a/docs/modules/pe.rst b/docs/modules/pe.rst index 9d315ca859..1720737df4 100644 --- a/docs/modules/pe.rst +++ b/docs/modules/pe.rst 
@@ -1331,6 +1331,12 @@ Reference Ordinal of imported function. If ordinal does not exist this value is YR_UNDEFINED + .. c:member:: rva + + .. versionadded:: 4.3.0 + + Relative virtual address (RVA) of imported function. If rva not found then this value is YR_UNDEFINED + *Example: pe.import_details[1].library_name == "library_name" .. c:type:: delayed_import_details @@ -1359,6 +1365,12 @@ Reference Ordinal of imported function. If ordinal does not exist this value is YR_UNDEFINED + .. c:member:: rva + + .. versionadded:: 4.3.0 + + Relative virtual address (RVA) of imported function. If rva not found then this value is YR_UNDEFINED + *Example: pe.delayed_import_details[1].name == "library_name" .. c:function:: locale(locale_identifier) diff --git a/libyara/arena.c b/libyara/arena.c index cf56baa983..73f6c25237 100644 --- a/libyara/arena.c +++ b/libyara/arena.c @@ -27,6 +27,7 @@ ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ +#include #include #include #include diff --git a/libyara/include/yara.h b/libyara/include/yara.h index 812b51cd1a..cb774bd5c2 100644 --- a/libyara/include/yara.h +++ b/libyara/include/yara.h @@ -40,6 +40,7 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #include "yara/object.h" #include "yara/scanner.h" #include "yara/stream.h" +#include "yara/strutils.h" #include "yara/utils.h" #endif diff --git a/libyara/include/yara/pe_utils.h b/libyara/include/yara/pe_utils.h index e36e9db911..7893ae28ee 100644 --- a/libyara/include/yara/pe_utils.h +++ b/libyara/include/yara/pe_utils.h @@ -42,6 +42,7 @@ typedef struct _IMPORT_FUNCTION char* name; uint8_t has_ordinal; uint16_t ordinal; + uint64_t rva; struct _IMPORT_FUNCTION* next; diff --git a/libyara/include/yara/strutils.h b/libyara/include/yara/strutils.h index ba3157fec2..1c1180b4cc 100644 --- a/libyara/include/yara/strutils.h +++ b/libyara/include/yara/strutils.h 
@@ -58,6 +58,10 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #define PRIi32 "I32i" #endif +#if !defined(PRIo64) +#define PRIo64 "I64o" +#endif + #else #include #endif diff --git a/libyara/include/yara/utils.h b/libyara/include/yara/utils.h index b66e8a1f95..302ab8b858 100644 --- a/libyara/include/yara/utils.h +++ b/libyara/include/yara/utils.h @@ -31,7 +31,6 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #define YR_UTILS_H #include -#include #ifndef NULL #define NULL 0 diff --git a/libyara/modules/hash/hash.c b/libyara/modules/hash/hash.c index 6c98b3115d..84feb4ede6 100644 --- a/libyara/modules/hash/hash.c +++ b/libyara/modules/hash/hash.c @@ -30,6 +30,7 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #include #include #include +#include #include "../crypto.h" diff --git a/libyara/modules/math/math.c b/libyara/modules/math/math.c index a88ca825ae..9aa70b8942 100644 --- a/libyara/modules/math/math.c +++ b/libyara/modules/math/math.c @@ -27,14 +27,20 @@ ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ +#include +#include #include #include #include +#include #include #define MODULE_NAME math #define PI 3.141592653589793 +// This is more than enough space to hold the maximum signed 64bit integer as a +// string in decimal, hex or octal, including the sign and NULL terminator. +#define INT64_MAX_STRING 30 // log2 is not defined by math.h in VC++ 
@@ -721,6 +727,53 @@ define_function(mode_global) return_integer(most_common); } +define_function(to_string) +{ + int64_t i = integer_argument(1); + char str[INT64_MAX_STRING]; + snprintf(str, INT64_MAX_STRING, "%" PRId64, i); + return_string(&str); +} + +define_function(to_string_base) +{ + int64_t i = integer_argument(1); + int64_t base = integer_argument(2); + char str[INT64_MAX_STRING]; + char *fmt; + switch (base) + { + case 10: + fmt = "%" PRId64; + break; + case 8: + fmt = "%" PRIo64; + break; + case 16: + fmt = "%" PRIx64; + break; + default: + return_string(YR_UNDEFINED); + } + snprintf(str, INT64_MAX_STRING, fmt, i); + return_string(&str); +} + +define_function(to_int) +{ + char* s = string_argument(1); + int64_t result = strtoll(s, NULL, 0); + return_integer(result == 0 && errno ? YR_UNDEFINED : result); +} + +define_function(to_int_base) +{ + char* s = string_argument(1); + int64_t base = integer_argument(2); + int64_t result = strtoll(s, NULL, base); + return_integer(result == 0 && errno ? YR_UNDEFINED : result); +} + begin_declarations declare_float("MEAN_BYTES"); declare_function("in_range", "fff", "i", in_range); @@ -744,6 +797,10 @@ begin_declarations declare_function("percentage", "i", "f", percentage_global); declare_function("mode", "ii", "i", mode_range); declare_function("mode", "", "i", mode_global); + declare_function("to_string", "i", "s", to_string); + declare_function("to_string", "ii", "s", to_string_base); + declare_function("to_int", "s", "i", to_int); + declare_function("to_int", "si", "i", to_int_base); end_declarations int module_initialize(YR_MODULE* module) diff --git a/libyara/modules/pe/pe.c b/libyara/modules/pe/pe.c index f97eedc51f..0c4c832c79 100644 --- a/libyara/modules/pe/pe.c +++ b/libyara/modules/pe/pe.c 
@@ -799,6 +799,7 @@ static IMPORT_FUNCTION* pe_parse_import_descriptor( if (IS_64BITS_PE(pe)) { PIMAGE_THUNK_DATA64 thunks64 = (PIMAGE_THUNK_DATA64) (pe->data + offset); + uint64_t func_idx = 0; while (struct_fits_in_pe(pe, thunks64, IMAGE_THUNK_DATA64) && yr_le64toh(thunks64->u1.Ordinal) != 0 && @@ -807,6 +808,7 @@ static IMPORT_FUNCTION* pe_parse_import_descriptor( char* name = NULL; uint16_t ordinal = 0; uint8_t has_ordinal = 0; + uint64_t rva_address = 0; if (!(yr_le64toh(thunks64->u1.Ordinal) & IMAGE_ORDINAL_FLAG64)) { @@ -835,6 +837,8 @@ static IMPORT_FUNCTION* pe_parse_import_descriptor( has_ordinal = 1; } + rva_address = yr_le64toh(import_descriptor->FirstThunk + (sizeof(uint64_t) * func_idx)); + if (name != NULL || has_ordinal == 1) { IMPORT_FUNCTION* imported_func = (IMPORT_FUNCTION*) yr_calloc( @@ -849,6 +853,7 @@ static IMPORT_FUNCTION* pe_parse_import_descriptor( imported_func->name = name; imported_func->ordinal = ordinal; imported_func->has_ordinal = has_ordinal; + imported_func->rva = rva_address; imported_func->next = NULL; if (head == NULL) @@ -862,11 +867,13 @@ static IMPORT_FUNCTION* pe_parse_import_descriptor( (*num_function_imports)++; thunks64++; + func_idx++; } } else { PIMAGE_THUNK_DATA32 thunks32 = (PIMAGE_THUNK_DATA32) (pe->data + offset); + uint32_t func_idx = 0; while (struct_fits_in_pe(pe, thunks32, IMAGE_THUNK_DATA32) && yr_le32toh(thunks32->u1.Ordinal) != 0 && @@ -875,6 +882,7 @@ static IMPORT_FUNCTION* pe_parse_import_descriptor( char* name = NULL; uint16_t ordinal = 0; uint8_t has_ordinal = 0; + uint32_t rva_address = 0; if (!(yr_le32toh(thunks32->u1.Ordinal) & IMAGE_ORDINAL_FLAG32)) { @@ -903,6 +911,8 @@ static IMPORT_FUNCTION* pe_parse_import_descriptor( has_ordinal = 1; } + rva_address = yr_le32toh(import_descriptor->FirstThunk + (sizeof(uint32_t) * func_idx)); + if (name != NULL || has_ordinal == 1) { IMPORT_FUNCTION* imported_func = (IMPORT_FUNCTION*) yr_calloc( 
@@ -917,6 +927,7 @@ static IMPORT_FUNCTION* pe_parse_import_descriptor( imported_func->name = name; imported_func->ordinal = ordinal; imported_func->has_ordinal = has_ordinal; + imported_func->rva = rva_address; imported_func->next = NULL; if (head == NULL) @@ -930,6 +941,7 @@ static IMPORT_FUNCTION* pe_parse_import_descriptor( (*num_function_imports)++; thunks32++; + func_idx++; } } @@ -988,7 +1000,8 @@ void pe_set_imports( const char* dll_name, const char* dll_number_of_functions, const char* fun_name, - const char* fun_ordinal) + const char* fun_ordinal, + const char* rva) { int dll_cnt = 0; @@ -1003,6 +1016,10 @@ void pe_set_imports( yr_set_integer(func->ordinal, pe->object, fun_ordinal, dll_cnt, fun_cnt); else yr_set_integer(YR_UNDEFINED, pe->object, fun_ordinal, dll_cnt, fun_cnt); + if (func->rva) + yr_set_integer(func->rva, pe->object, rva, dll_cnt, fun_cnt); + else + yr_set_integer(YR_UNDEFINED, pe->object, rva, dll_cnt, fun_cnt); } yr_set_string(dll->name, pe->object, dll_name, dll_cnt); yr_set_integer(fun_cnt, pe->object, dll_number_of_functions, dll_cnt); @@ -1104,7 +1121,8 @@ static IMPORTED_DLL* pe_parse_imports(PE* pe) "import_details[%i].library_name", "import_details[%i].number_of_functions", "import_details[%i].functions[%i].name", - "import_details[%i].functions[%i].ordinal"); + "import_details[%i].functions[%i].ordinal", + "import_details[%i].functions[%i].rva"); return head; } @@ -1325,6 +1343,7 @@ static void* pe_parse_delayed_imports(PE* pe) imported_func->name = NULL; imported_func->has_ordinal = 0; imported_func->ordinal = 0; + imported_func->rva = 0; imported_func->next = NULL; // Check name address. It could be ordinal, VA or RVA @@ -1350,6 +1369,8 @@ static void* pe_parse_delayed_imports(PE* pe) imported_func->has_ordinal = 1; } + imported_func->rva = yr_le64toh(func_rva); + num_function_imports++; name_rva += pointer_size; func_rva += pointer_size; 
@@ -1386,7 +1407,8 @@ static void* pe_parse_delayed_imports(PE* pe) "delayed_import_details[%i].library_name", "delayed_import_details[%i].number_of_functions", "delayed_import_details[%i].functions[%i].name", - "delayed_import_details[%i].functions[%i].ordinal"); + "delayed_import_details[%i].functions[%i].ordinal", + "delayed_import_details[%i].functions[%i].rva"); return head_dll; } @@ -3495,6 +3517,7 @@ begin_declarations begin_struct_array("functions") declare_string("name"); declare_integer("ordinal"); + declare_integer("rva"); end_struct_array("functions"); end_struct_array("import_details"); @@ -3504,6 +3527,7 @@ begin_declarations begin_struct_array("functions") declare_string("name"); declare_integer("ordinal"); + declare_integer("rva"); end_struct_array("functions"); end_struct_array("delayed_import_details"); diff --git a/libyara/modules/tests/tests.c b/libyara/modules/tests/tests.c index 9d8dd4fc30..69e5d3b39c 100644 --- a/libyara/modules/tests/tests.c +++ b/libyara/modules/tests/tests.c @@ -27,6 +27,7 @@ ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ +#include #include #define MODULE_NAME tests diff --git a/libyara/object.c b/libyara/object.c index 359feabb60..76d2531a57 100644 --- a/libyara/object.c +++ b/libyara/object.c @@ -39,6 +39,7 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #include #include #include +#include #include //////////////////////////////////////////////////////////////////////////////// diff --git a/libyara/proc/freebsd.c b/libyara/proc/freebsd.c index 54d3a445f8..8bcd6cb80a 100644 --- a/libyara/proc/freebsd.c +++ b/libyara/proc/freebsd.c @@ -29,6 +29,7 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #if defined(USE_FREEBSD_PROC) +#include #include #include #include diff --git a/libyara/proc/linux.c b/libyara/proc/linux.c index 4de4529d6b..d9aad9b62b 100644 --- a/libyara/proc/linux.c +++ b/libyara/proc/linux.c 
@@ -29,6 +29,7 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #if defined(USE_LINUX_PROC) +#include #include #include #include @@ -43,6 +44,7 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #include #include #include +#include typedef struct _YR_PROC_INFO { diff --git a/libyara/proc/openbsd.c b/libyara/proc/openbsd.c index 8e2d0c311d..534ee27344 100644 --- a/libyara/proc/openbsd.c +++ b/libyara/proc/openbsd.c @@ -41,6 +41,7 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #include // clang-format on +#include #include #include #include diff --git a/libyara/proc/windows.c b/libyara/proc/windows.c index 14780e175b..bf1e8afa45 100644 --- a/libyara/proc/windows.c +++ b/libyara/proc/windows.c @@ -29,6 +29,7 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #if defined(USE_WINDOWS_PROC) +#include #include #include #include diff --git a/libyara/re.c b/libyara/re.c index 26ef87d22a..0f682051e2 100644 --- a/libyara/re.c +++ b/libyara/re.c @@ -47,6 +47,7 @@ order to avoid confusion with operating system threads. #include #include #include +#include #include #include #include diff --git a/libyara/scanner.c b/libyara/scanner.c index 51a0ab4509..f7ae1fa0aa 100644 --- a/libyara/scanner.c +++ b/libyara/scanner.c @@ -37,6 +37,7 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #include #include #include +#include #include #include "exception.h" diff --git a/libyara/sizedstr.c b/libyara/sizedstr.c index 0dcb158dc1..bafe3de2a4 100644 --- a/libyara/sizedstr.c +++ b/libyara/sizedstr.c @@ -32,6 +32,7 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #include #include #include +#include #include //////////////////////////////////////////////////////////////////////////////// diff --git a/tests/test-async.c b/tests/test-async.c index 0258446f36..a5e34a3616 100644 --- a/tests/test-async.c +++ b/tests/test-async.c 
@@ -30,7 +30,9 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #include #include #include +#if !defined(_WIN32) && !defined(__CYGWIN__) #include +#endif #include #include diff --git a/tests/test-math.c b/tests/test-math.c index a869c74f33..6e4bb02403 100644 --- a/tests/test-math.c +++ b/tests/test-math.c 
@@ -223,6 +223,140 @@ int main(int argc, char** argv) }", "123ABCDEF123456987DE"); + assert_true_rule( + "import \"math\" \ + rule test { \ + condition: \ + math.to_string(1234) == \"1234\" \ + }", + NULL); + + // We use signed integers by default if no base is specified. + assert_true_rule( + "import \"math\" \ + rule test { \ + condition: \ + math.to_string(-1) == \"-1\" \ + }", + NULL); + + assert_true_rule( + "import \"math\" \ + rule test { \ + condition: \ + math.to_string(32, 16) == \"20\" \ + }", + NULL); + + assert_true_rule( + "import \"math\" \ + rule test { \ + condition: \ + math.to_string(32, 8) == \"40\" \ + }", + NULL); + + assert_true_rule( + "import \"math\" \ + rule test { \ + condition: \ + math.to_string(32, 10) == \"32\" \ + }", + NULL); + + // Base 10 is always a signed integer, all other bases are unsigned. + assert_true_rule( + "import \"math\" \ + rule test { \ + condition: \ + math.to_string(-1, 10) == \"-1\" and \ + math.to_string(-1, 16) == \"ffffffffffffffff\" and \ + math.to_string(-1, 8) == \"1777777777777777777777\" \ + }", + NULL); + + // Passing a base that is not 10, 8 or 16 will result in UNDEFINED. + assert_true_rule( + "import \"math\" \ + rule test { \ + condition: \ + not defined(math.to_string(32, 9)) \ + }", + NULL); + + assert_true_rule( + "import \"math\" \ + rule test { \ + condition: \ + math.to_int(\"1234\") == 1234 \ + }", + NULL); + + assert_true_rule( + "import \"math\" \ + rule test { \ + condition: \ + math.to_int(\"-1\") == -1 \ + }", + NULL); + + // Leading spaces and + are allowed. + assert_true_rule( + "import \"math\" \ + rule test { \ + condition: \ + math.to_int(\" +1\") == 1 \ + }", + NULL); + + // Strings can be prefixed with 0x and will be interpreted as hexadecimal. + assert_true_rule( + "import \"math\" \ + rule test { \ + condition: \ + math.to_int(\"0x10\") == 16 \ + }", + NULL); + + // Strings prefixed with 0 will be interpreted as octal. 
+ assert_true_rule( + "import \"math\" \ + rule test { \ + condition: \ + math.to_int(\"010\") == 8 \ + }", + NULL); + + // Strings that are only partially converted are still fine. + assert_true_rule( + "import \"math\" \ + rule test { \ + condition: \ + math.to_int(\"10A20\") == 10 \ + }", + NULL); + + assert_true_rule( + "import \"math\" \ + rule test { \ + condition: \ + math.to_int(\"10\", 8) == 8 \ + }", + NULL); + + // Base 0 is a special case that tries to interpret the string by prefix, or + // default to decimal. We aren't doing anything special to get this, it is + // part of strtoll by default. + assert_true_rule( + "import \"math\" \ + rule test { \ + condition: \ + math.to_int(\"010\", 0) == 8 and \ + math.to_int(\"0x10\", 0) == 16 and \ + math.to_int(\"10\", 0) == 10 \ + }", + NULL); + yr_finalize(); YR_DEBUG_FPRINTF( diff --git a/tests/test-pe.c b/tests/test-pe.c index b80cea8e93..2eaca1c848 100644 --- a/tests/test-pe.c +++ b/tests/test-pe.c 
@@ -685,6 +685,125 @@ int main(int argc, char** argv) "tests/data/" "079a472d22290a94ebb212aa8015cdc8dd28a968c6b4d3b88acdd58ce2d3b885"); + assert_true_rule_file( + "import \"pe\" \ + \ + rule import_details_rva_32_v1_catch \ + {\ + condition:\ + for any import_detail in pe.import_details: (\ + import_detail.library_name == \"MSVCR100.dll\" and\ + for any function in import_detail.functions : (\ + function.name == \"_initterm\" and\ + function.rva == 0x3084 \ + )\ + )\ + }", + "tests/data/" + "079a472d22290a94ebb212aa8015cdc8dd28a968c6b4d3b88acdd58ce2d3b885"); + + assert_true_rule_file( + "import \"pe\" \ + \ + rule import_details_rva_32_v2_catch \ + {\ + condition:\ + for any import_detail in pe.import_details: (\ + import_detail.library_name == \"KERNEL32.dll\" and\ + for any function in import_detail.functions : (\ + function.name == \"QueryPerformanceCounter\" and\ + function.rva == 0x3054 \ + )\ + )\ + }", + "tests/data/" + "079a472d22290a94ebb212aa8015cdc8dd28a968c6b4d3b88acdd58ce2d3b885"); + + assert_true_rule_file( + "import \"pe\" \ + \ + rule import_details_rva_32_v3_catch \ + {\ + condition:\ + for any import_detail in pe.import_details: (\ + import_detail.library_name == \"KERNEL32.dll\" and\ + for any function in import_detail.functions : (\ + function.name == \"CloseHandle\" and\ + function.rva == 0xd10c \ + )\ + )\ + }", + "tests/data/" + "pe_imports"); + + assert_true_rule_file( + "import \"pe\" \ + \ + rule import_details_rva_64_v1_catch \ + {\ + condition:\ + for any import_detail in pe.import_details: (\ + import_detail.library_name == \"KERNEL32.dll\" and\ + for any function in import_detail.functions : (\ + function.name == \"LoadLibraryExW\" and\ + function.rva == 0x2118 \ + )\ + )\ + }", + "tests/data/" + "mtxex_modified_rsrc_rva.dll"); + + assert_true_rule_file( + "import \"pe\" \ + \ + rule import_details_rva_64_v2_catch \ + {\ + condition:\ + for any import_detail in pe.import_details: (\ + import_detail.library_name == \"KERNEL32.dll\" 
and\ + for any function in import_detail.functions : (\ + function.name == \"GetCurrentProcessId\" and\ + function.rva == 0x21a0 \ + )\ + )\ + }", + "tests/data/" + "mtxex_modified_rsrc_rva.dll"); + + assert_true_rule_file( + "import \"pe\" \ + \ + rule delayed_import_details_rva_32_v1_catch \ + {\ + condition:\ + for any import_detail in pe.delayed_import_details: (\ + import_detail.library_name == \"USER32.dll\" and\ + for any function in import_detail.functions : (\ + function.name == \"MessageBoxA\" and\ + function.rva == 0x13884 \ + )\ + )\ + }", + "tests/data/" + "pe_imports"); + + assert_true_rule_file( + "import \"pe\" \ + \ + rule delayed_import_details_rva_32_v2_catch \ + {\ + condition:\ + for any import_detail in pe.delayed_import_details: (\ + import_detail.library_name == \"USER32.dll\" and\ + for any function in import_detail.functions : (\ + function.name == \"MessageBeep\" and\ + function.rva == 0x13880 \ + )\ + )\ + }", + "tests/data/" + "pe_imports"); + assert_true_rule_file( "import \"pe\" \ \ diff --git a/tests/test-rules.c b/tests/test-rules.c index a9754871ff..c3ceb627d6 100644 --- a/tests/test-rules.c +++ b/tests/test-rules.c @@ -33,7 +33,6 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #include #include #include -#include #include #include
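Review bot: in the README.md hunk, `* [Threat.Zone](https://threat.zone)` is inserted after `Thug`, but the surrounding list is alphabetical and `Threat.Zone` sorts before `ThreatConnect`; move the line up two entries so the list stays ordered.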
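Review bot: in the docs/modules/math.rst hunk, the third `to_int(string)` example is missing its closing parenthesis (`math.to_int("-010" == -8`), and both `to_int(string, base)` examples compare an integer result with a string literal (`== "9"`, `== "-9"`), which can never be true in a rule; they should read `math.to_int("011", 8) == 9` and `math.to_int("-011", 0) == -9`. The same hunk has "treated base 8" (should be "treated as base 8"), "intrepreted" (misspelled), and states that the base must be "0 or between 2 and 32 inclusive", which does not match `strtoll`, whose accepted range is 2 through 36; since `to_int_base` passes the base through unchecked, the documented range should match whatever the implementation actually enforces.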
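Review bot: in the docs/modules/pe.rst hunks adding the `rva` member, "Relative virtual address (RVA) of imported function" is misleading: what pe.c stores is `FirstThunk` plus the entry index times the pointer size, i.e. the RVA of that function's Import Address Table slot (where the loader writes the resolved address), not the RVA of the function's code. Rule writers will compare this value against addresses from a disassembler, so the text should say "RVA of the function's entry in the import address table"; "If rva not found then" also reads better as "If the RVA cannot be determined, this value is YR_UNDEFINED".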
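Review bot: in the libyara/modules/math/math.c hunk at `@@ -721`, `to_int` and `to_int_base` never clear `errno` before calling `strtoll`, so a stale `errno` left by an earlier call turns a legitimate conversion of "0" into YR_UNDEFINED, while a string with no digits at all ("abc") returns 0 with `errno` typically untouched and so yields 0 rather than undefined; set `errno = 0` before the call and pass an `endptr` to detect that nothing was consumed, and consider treating `ERANGE` (the result is clamped to `LLONG_MAX`/`LLONG_MIN`, non-zero, so the current check misses it) as undefined too. `to_int_base` should also reject bases outside 0 and 2..36 itself instead of relying on the C library's `EINVAL` behaviour, which is not portable. In the same hunk, `return_string(&str)` passes a `char (*)[30]` where a `char*` is expected; `return_string(str)` is what is meant. `char *fmt` is assigned string literals and should be `const char*`, and for the `%o`/`%x` cases the argument should be cast to `uint64_t`, since those conversions expect an unsigned value and the tests describe the non-decimal bases as unsigned.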
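Review bot: in the libyara/modules/pe/pe.c hunk at `@@ -835`, the byte swap is applied to the computed sum, `yr_le64toh(import_descriptor->FirstThunk + (sizeof(uint64_t) * func_idx))`, so on a big-endian host the index offset would be swapped along with the field; swap the field first and add afterwards, `yr_le32toh(import_descriptor->FirstThunk) + sizeof(uint64_t) * func_idx`. `FirstThunk` is a 32-bit field of the import descriptor even for PE32+, so `yr_le64toh` is also the wrong width here; the tests pass only because the swap is a no-op on little-endian hosts.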
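Review bot: in the libyara/modules/pe/pe.c hunk at `@@ -903`, the 32-bit branch has the same ordering problem as the 64-bit one: `yr_le32toh(import_descriptor->FirstThunk + (sizeof(uint32_t) * func_idx))` swaps the sum rather than the field; it should be `yr_le32toh(import_descriptor->FirstThunk) + sizeof(uint32_t) * func_idx`.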
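Review bot: in the libyara/modules/pe/pe.c hunk at `@@ -1350` (delayed imports), `imported_func->rva = yr_le64toh(func_rva);` applies a byte swap to a local that is already in host byte order: the context lines immediately below do `func_rva += pointer_size;`, which only makes sense on a host-order value, so the swap corrupts the stored RVA on big-endian hosts. Assign `func_rva` directly.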
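Review bot: in the tests/test-math.c hunk at `@@ -223`, the new cases pin down partial conversion (`math.to_int("10A20") == 10`) but nothing covers the failure modes the implementation's `errno` check is meant to handle: a string with no digits at all, a value outside the 64-bit range, and an unsupported base passed to `to_int(string, base)`. Adding `not defined(math.to_int("abc"))` (or `== 0`, whichever behaviour is intended), an overflow input such as `"99999999999999999999"`, and `not defined(math.to_int("10", 1))` would make the intended contract explicit and catch the stale-`errno` issue in the implementation.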