Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve PE module when scanning memory and fix PE certificate parsing #1657

Open
wants to merge 16 commits into
base: master
Choose a base branch
from
Open

Improve PE module when scanning memory and fix PE certificate parsing #1657

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
16 commits
Select commit Hold shift + click to select a range
de44c33
Added ability for pe module to scan memory mapped images
niallnsec Oct 8, 2020
98680c3
Fix win process base module location to work with 32 bit builds
niallnsec Oct 8, 2020
1a17386
Do not attempt to get process module base address when running under …
niallnsec Oct 8, 2020
feb2e7c
Return correct process memory region when an offset is on the upper b…
niallnsec Oct 8, 2020
3824f56
Avoid use after free when the block buffer is reallocated to fit the …
niallnsec Oct 8, 2020
fda8607
Fix typo in libyara vcxproj file
niallnsec Oct 8, 2020
659507f
Use correct size for WOW64 ImageBase in 64 bit build
niallnsec Oct 8, 2020
9d4212e
Fix bounds checks for memory region buffer data size
niallnsec Oct 8, 2020
7564997
Added vs2019 solution directory for Windows
niallnsec Jun 27, 2021
dc15092
Fix various uninitialised variables when scanning process memory
niallnsec Jun 27, 2021
58b08a0
Set DLLs which are rarely used to delay load for better performance
niallnsec Jun 27, 2021
3ae5bda
Fix issue where certificate subject and issuer are truncated
niallnsec Jul 1, 2021
1046b5f
Updated vs2019 project for new console module
niallnsec Feb 24, 2022
6617f76
Switch from MultiByte to Unicode builds
niallnsec Feb 24, 2022
c0b0b77
Fix build error due to use of windows typedef
niallnsec Feb 24, 2022
18dbd48
Attempt to fix issues with CI build
niallnsec Feb 25, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions configure.ac
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -52,6 +52,7 @@ case $host_os in
proc_interface=mach
jemalloc_prefix=je_ ;;
mingw*|cygwin*) CFLAGS="$CFLAGS -DUSE_WINDOWS_PROC"
LDFLAGS="$LDFLAGS -lntdll"
proc_interface=windows
jemalloc_prefix= ;;
linux*|netbsd*|dragonfly*|kfreebsd*)
Expand Down
37 changes: 34 additions & 3 deletions libyara/include/yara/pe_utils.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,8 @@ typedef struct _PE
{
const uint8_t* data;
size_t data_size;
YR_MEMORY_REGION* region;
int memory;

union
{
Expand All @@ -68,13 +70,42 @@ typedef struct _PE

} PE;

#define fits_in_pe(pe, pointer, size) \
((size_t)(size) <= pe->data_size && (uint8_t*) (pointer) >= pe->data && \
(uint8_t*) (pointer) <= pe->data + pe->data_size - (size))
#define fits_in_pe(pe, pointer, size) \
(pe->memory ? \
((size_t)size <= pe->region->data_size && \
pe->region->block_count > 0 && \
(uint8_t*)(pointer) >= (uint8_t*)pe->region->blocks[0].context && \
(uint8_t*)(pointer) <= (uint8_t*)pe->region->blocks[0].context + pe->region->data_size - size) : \
((size_t)size <= pe->data_size && \
(uint8_t*)(pointer) >= pe->data && \
(uint8_t*)(pointer) <= pe->data + pe->data_size - size))

#define struct_fits_in_pe(pe, pointer, struct_type) \
fits_in_pe(pe, pointer, sizeof(struct_type))

#define get_data_pointer_memory(pe, offset, value, type) \
for (uint8_t i = 0; i < pe->region->block_count; i++) \
{ \
if (offset >= pe->region->blocks[i].base && \
offset < pe->region->blocks[i].base + pe->region->blocks[i].size) \
{ \
value = (type)((uint8_t*)pe->region->blocks[i].context + (offset - pe->region->blocks[i].base)); \
break; \
} \
}

#define get_data_pointer_memory_with_size(pe, offset, value, type, maxsize) \
for (uint8_t i = 0; i < pe->region->block_count; i++) \
{ \
if (offset >= pe->region->blocks[i].base && \
offset < pe->region->blocks[i].base + pe->region->blocks[i].size) \
{ \
value = (type)((uint8_t*)pe->region->blocks[i].context + (offset - pe->region->blocks[i].base)); \
maxsize = pe->region->blocks[i].size - (offset - pe->region->blocks[i].base); \
break; \
} \
}

PIMAGE_NT_HEADERS32 pe_get_header(const uint8_t* data, size_t data_size);

PIMAGE_DATA_DIRECTORY pe_get_directory_entry(PE* pe, int entry);
Expand Down
8 changes: 8 additions & 0 deletions libyara/include/yara/types.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -201,6 +201,7 @@ typedef struct YR_MODULE_IMPORT YR_MODULE_IMPORT;

typedef struct YR_MEMORY_BLOCK YR_MEMORY_BLOCK;
typedef struct YR_MEMORY_BLOCK_ITERATOR YR_MEMORY_BLOCK_ITERATOR;
typedef struct YR_MEMORY_REGION YR_MEMORY_REGION;

typedef struct YR_MODIFIER YR_MODIFIER;

Expand Down Expand Up @@ -718,6 +719,13 @@ struct YR_MEMORY_BLOCK_ITERATOR
// only when they want to report an error.
int last_error;
};
struct YR_MEMORY_REGION {
uint8_t block_count;
size_t data_size;
void* context;
YR_MEMORY_BLOCK blocks[32];
};


typedef int (*YR_CALLBACK_FUNC)(
YR_SCAN_CONTEXT* context,
Expand Down
Loading