YARA: support for YARA condition 'in' clauses.

remotes/push_mirror/klin/altstr-yara
Steven Morgan 10 years ago
parent fbe22188d6
commit 3c0cea48ba
  1. 33
      libclamav/yara_exec.c
  2. 132
      libclamav/yara_grammar.c
  3. 2
      libclamav/yara_grammar.y

@ -569,14 +569,8 @@ int yr_execute_code(
string = UINT64_TO_PTR(YR_STRING*, r2);
#if REAL_YARA
match = string->matches[tidx].head;
#else
//TBD: find clamav matches
match = NULL; //TEMP
#endif
found = 0;
#if REAL_YARA
while (match != NULL)
{
if (r1 == match->base + match->offset)
@ -592,6 +586,7 @@ int yr_execute_code(
match = match->next;
}
#else
found = 0;
ls_matches = acdata->lsig_matches[aclsig->id];
if (ls_matches != NULL) {
ss_matches = ls_matches->matches[string->subsig_id];
@ -603,6 +598,8 @@ int yr_execute_code(
found = 1;
break;
}
if (r1 < offs[i])
break;
}
}
}
@ -626,10 +623,6 @@ int yr_execute_code(
string = UINT64_TO_PTR(YR_STRING*, r3);
#if REAL_YARA
match = string->matches[tidx].head;
#else
//TBD: find clamav matches
match = NULL; //TEMP
#endif
found = FALSE;
while (match != NULL && !found)
@ -646,6 +639,26 @@ int yr_execute_code(
match = match->next;
}
#else
found = FALSE;
ls_matches = acdata->lsig_matches[aclsig->id];
if (ls_matches != NULL) {
ss_matches = ls_matches->matches[string->subsig_id];
if (ss_matches != NULL) {
offs = ss_matches->offsets;
for (i = 0; i < ss_matches->next; i++) {
if (offs[i] >= r1 &&
offs[i] <= r2) {
push(1);
found = TRUE;
break;
}
if (r2 < offs[i])
break;
}
}
}
#endif
if (!found)
push(0);
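Review bot: The early exits `if (r1 < offs[i]) break;` (hunk at -603) and `if (r2 < offs[i]) break;` (new 'in' loop in the hunk at -646) are correct only if `ss_matches->offsets` is kept in ascending order, and nothing in the visible lines establishes that. If the matcher can record offsets out of order, an offset inside the range is never reached and the condition evaluates to 0, which is a silent missed detection. Either drop the early break or state the invariant where it is relied on, e.g. `/* offsets[] is appended in ascending order, so nothing later can match */`. The index `string->subsig_id` into `ls_matches->matches[]` also has no visible bound check; yr_execute_code starts and ends outside these hunks, so it may be validated elsewhere.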

@ -659,13 +659,13 @@ static const yytype_uint16 yyrline[] =
373, 390, 429, 430, 435, 451, 464, 477, 494, 495,
500, 514, 513, 530, 547, 548, 553, 554, 555, 556,
561, 646, 696, 719, 759, 762, 784, 817, 864, 882,
891, 900, 915, 929, 942, 959, 973, 1007, 972, 1118,
1117, 1193, 1199, 1205, 1211, 1219, 1228, 1237, 1246, 1255,
1282, 1309, 1336, 1340, 1348, 1349, 1354, 1376, 1388, 1404,
1403, 1409, 1421, 1422, 1427, 1432, 1441, 1442, 1449, 1460,
1464, 1473, 1488, 1499, 1510, 1521, 1532, 1543, 1554, 1563,
1588, 1601, 1614, 1634, 1669, 1678, 1687, 1696, 1705, 1714,
1723, 1732, 1741, 1749, 1758, 1767
891, 900, 915, 929, 942, 959, 975, 1009, 974, 1120,
1119, 1195, 1201, 1207, 1213, 1221, 1230, 1239, 1248, 1257,
1284, 1311, 1338, 1342, 1350, 1351, 1356, 1378, 1390, 1406,
1405, 1411, 1423, 1424, 1429, 1434, 1443, 1444, 1451, 1462,
1466, 1475, 1490, 1501, 1512, 1523, 1534, 1545, 1556, 1565,
1590, 1603, 1616, 1636, 1671, 1680, 1689, 1698, 1707, 1716,
1725, 1734, 1743, 1751, 1760, 1769
};
#endif
@ -2771,6 +2771,8 @@ yyreduce:
/* Line 1806 of yacc.c */
#line 960 "yara_grammar.y"
{
compiler->current_rule_clflags |= RULE_OFFSETS;
compiler->last_result = yr_parser_reduce_string_identifier(
yyscanner,
(yyvsp[(1) - (3)].c_string),
@ -2787,7 +2789,7 @@ yyreduce:
case 56:
/* Line 1806 of yacc.c */
#line 973 "yara_grammar.y"
#line 975 "yara_grammar.y"
{
int var_index;
@ -2826,7 +2828,7 @@ yyreduce:
case 57:
/* Line 1806 of yacc.c */
#line 1007 "yara_grammar.y"
#line 1009 "yara_grammar.y"
{
int mem_offset = LOOP_LOCAL_VARS * compiler->loop_depth;
@ -2866,7 +2868,7 @@ yyreduce:
case 58:
/* Line 1806 of yacc.c */
#line 1042 "yara_grammar.y"
#line 1044 "yara_grammar.y"
{
int mem_offset;
@ -2947,7 +2949,7 @@ yyreduce:
case 59:
/* Line 1806 of yacc.c */
#line 1118 "yara_grammar.y"
#line 1120 "yara_grammar.y"
{
int mem_offset = LOOP_LOCAL_VARS * compiler->loop_depth;
int8_t* addr;
@ -2982,7 +2984,7 @@ yyreduce:
case 60:
/* Line 1806 of yacc.c */
#line 1148 "yara_grammar.y"
#line 1150 "yara_grammar.y"
{
int mem_offset;
@ -3033,7 +3035,7 @@ yyreduce:
case 61:
/* Line 1806 of yacc.c */
#line 1194 "yara_grammar.y"
#line 1196 "yara_grammar.y"
{
yr_parser_emit(yyscanner, OP_OF, NULL);
@ -3044,7 +3046,7 @@ yyreduce:
case 62:
/* Line 1806 of yacc.c */
#line 1200 "yara_grammar.y"
#line 1202 "yara_grammar.y"
{
yr_parser_emit(yyscanner, OP_NOT, NULL);
@ -3055,7 +3057,7 @@ yyreduce:
case 63:
/* Line 1806 of yacc.c */
#line 1206 "yara_grammar.y"
#line 1208 "yara_grammar.y"
{
yr_parser_emit(yyscanner, OP_AND, NULL);
@ -3066,7 +3068,7 @@ yyreduce:
case 64:
/* Line 1806 of yacc.c */
#line 1212 "yara_grammar.y"
#line 1214 "yara_grammar.y"
{
CHECK_TYPE((yyvsp[(1) - (3)].expression_type), EXPRESSION_TYPE_BOOLEAN, "or");
@ -3079,7 +3081,7 @@ yyreduce:
case 65:
/* Line 1806 of yacc.c */
#line 1220 "yara_grammar.y"
#line 1222 "yara_grammar.y"
{
CHECK_TYPE((yyvsp[(1) - (3)].expression_type), EXPRESSION_TYPE_INTEGER, "<");
CHECK_TYPE((yyvsp[(3) - (3)].expression_type), EXPRESSION_TYPE_INTEGER, "<");
@ -3093,7 +3095,7 @@ yyreduce:
case 66:
/* Line 1806 of yacc.c */
#line 1229 "yara_grammar.y"
#line 1231 "yara_grammar.y"
{
CHECK_TYPE((yyvsp[(1) - (3)].expression_type), EXPRESSION_TYPE_INTEGER, ">");
CHECK_TYPE((yyvsp[(3) - (3)].expression_type), EXPRESSION_TYPE_INTEGER, ">");
@ -3107,7 +3109,7 @@ yyreduce:
case 67:
/* Line 1806 of yacc.c */
#line 1238 "yara_grammar.y"
#line 1240 "yara_grammar.y"
{
CHECK_TYPE((yyvsp[(1) - (3)].expression_type), EXPRESSION_TYPE_INTEGER, "<=");
CHECK_TYPE((yyvsp[(3) - (3)].expression_type), EXPRESSION_TYPE_INTEGER, "<=");
@ -3121,7 +3123,7 @@ yyreduce:
case 68:
/* Line 1806 of yacc.c */
#line 1247 "yara_grammar.y"
#line 1249 "yara_grammar.y"
{
CHECK_TYPE((yyvsp[(1) - (3)].expression_type), EXPRESSION_TYPE_INTEGER, ">=");
CHECK_TYPE((yyvsp[(3) - (3)].expression_type), EXPRESSION_TYPE_INTEGER, ">=");
@ -3135,7 +3137,7 @@ yyreduce:
case 69:
/* Line 1806 of yacc.c */
#line 1256 "yara_grammar.y"
#line 1258 "yara_grammar.y"
{
if ((yyvsp[(1) - (3)].expression_type) != (yyvsp[(3) - (3)].expression_type))
{
@ -3167,7 +3169,7 @@ yyreduce:
case 70:
/* Line 1806 of yacc.c */
#line 1283 "yara_grammar.y"
#line 1285 "yara_grammar.y"
{
if ((yyvsp[(1) - (3)].expression_type) != (yyvsp[(3) - (3)].expression_type))
{
@ -3199,7 +3201,7 @@ yyreduce:
case 71:
/* Line 1806 of yacc.c */
#line 1310 "yara_grammar.y"
#line 1312 "yara_grammar.y"
{
if ((yyvsp[(1) - (3)].expression_type) != (yyvsp[(3) - (3)].expression_type))
{
@ -3231,7 +3233,7 @@ yyreduce:
case 72:
/* Line 1806 of yacc.c */
#line 1337 "yara_grammar.y"
#line 1339 "yara_grammar.y"
{
(yyval.expression_type) = (yyvsp[(1) - (1)].expression_type);
}
@ -3240,7 +3242,7 @@ yyreduce:
case 73:
/* Line 1806 of yacc.c */
#line 1341 "yara_grammar.y"
#line 1343 "yara_grammar.y"
{
(yyval.expression_type) = (yyvsp[(2) - (3)].expression_type);
}
@ -3249,21 +3251,21 @@ yyreduce:
case 74:
/* Line 1806 of yacc.c */
#line 1348 "yara_grammar.y"
#line 1350 "yara_grammar.y"
{ (yyval.integer) = INTEGER_SET_ENUMERATION; }
break;
case 75:
/* Line 1806 of yacc.c */
#line 1349 "yara_grammar.y"
#line 1351 "yara_grammar.y"
{ (yyval.integer) = INTEGER_SET_RANGE; }
break;
case 76:
/* Line 1806 of yacc.c */
#line 1355 "yara_grammar.y"
#line 1357 "yara_grammar.y"
{
if ((yyvsp[(2) - (6)].expression_type) != EXPRESSION_TYPE_INTEGER)
{
@ -3286,7 +3288,7 @@ yyreduce:
case 77:
/* Line 1806 of yacc.c */
#line 1377 "yara_grammar.y"
#line 1379 "yara_grammar.y"
{
if ((yyvsp[(1) - (1)].expression_type) != EXPRESSION_TYPE_INTEGER)
{
@ -3303,7 +3305,7 @@ yyreduce:
case 78:
/* Line 1806 of yacc.c */
#line 1389 "yara_grammar.y"
#line 1391 "yara_grammar.y"
{
if ((yyvsp[(3) - (3)].expression_type) != EXPRESSION_TYPE_INTEGER)
{
@ -3319,7 +3321,7 @@ yyreduce:
case 79:
/* Line 1806 of yacc.c */
#line 1404 "yara_grammar.y"
#line 1406 "yara_grammar.y"
{
// Push end-of-list marker
yr_parser_emit_with_arg(yyscanner, OP_PUSH, UNDEFINED, NULL);
@ -3329,7 +3331,7 @@ yyreduce:
case 81:
/* Line 1806 of yacc.c */
#line 1410 "yara_grammar.y"
#line 1412 "yara_grammar.y"
{
yr_parser_emit_with_arg(yyscanner, OP_PUSH, UNDEFINED, NULL);
yr_parser_emit_pushes_for_strings(yyscanner, "$*");
@ -3342,7 +3344,7 @@ yyreduce:
case 84:
/* Line 1806 of yacc.c */
#line 1428 "yara_grammar.y"
#line 1430 "yara_grammar.y"
{
yr_parser_emit_pushes_for_strings(yyscanner, (yyvsp[(1) - (1)].c_string));
yr_free((yyvsp[(1) - (1)].c_string));
@ -3352,7 +3354,7 @@ yyreduce:
case 85:
/* Line 1806 of yacc.c */
#line 1433 "yara_grammar.y"
#line 1435 "yara_grammar.y"
{
yr_parser_emit_pushes_for_strings(yyscanner, (yyvsp[(1) - (1)].c_string));
yr_free((yyvsp[(1) - (1)].c_string));
@ -3362,7 +3364,7 @@ yyreduce:
case 87:
/* Line 1806 of yacc.c */
#line 1443 "yara_grammar.y"
#line 1445 "yara_grammar.y"
{
yr_parser_emit_with_arg(yyscanner, OP_PUSH, UNDEFINED, NULL);
#ifdef YARA_PROTO
@ -3374,7 +3376,7 @@ yyreduce:
case 88:
/* Line 1806 of yacc.c */
#line 1450 "yara_grammar.y"
#line 1452 "yara_grammar.y"
{
yr_parser_emit_with_arg(yyscanner, OP_PUSH, 1, NULL);
#ifdef YARA_PROTO
@ -3386,7 +3388,7 @@ yyreduce:
case 89:
/* Line 1806 of yacc.c */
#line 1461 "yara_grammar.y"
#line 1463 "yara_grammar.y"
{
(yyval.expression_type) = (yyvsp[(2) - (3)].expression_type);
}
@ -3395,7 +3397,7 @@ yyreduce:
case 90:
/* Line 1806 of yacc.c */
#line 1465 "yara_grammar.y"
#line 1467 "yara_grammar.y"
{
compiler->last_result = yr_parser_emit(
yyscanner, OP_FILESIZE, NULL);
@ -3409,7 +3411,7 @@ yyreduce:
case 91:
/* Line 1806 of yacc.c */
#line 1474 "yara_grammar.y"
#line 1476 "yara_grammar.y"
{
#ifndef YARA_PROTO
yywarning(yyscanner,
@ -3429,7 +3431,7 @@ yyreduce:
case 92:
/* Line 1806 of yacc.c */
#line 1489 "yara_grammar.y"
#line 1491 "yara_grammar.y"
{
CHECK_TYPE((yyvsp[(3) - (4)].expression_type), EXPRESSION_TYPE_INTEGER, "int8");
@ -3445,7 +3447,7 @@ yyreduce:
case 93:
/* Line 1806 of yacc.c */
#line 1500 "yara_grammar.y"
#line 1502 "yara_grammar.y"
{
CHECK_TYPE((yyvsp[(3) - (4)].expression_type), EXPRESSION_TYPE_INTEGER, "int16");
@ -3461,7 +3463,7 @@ yyreduce:
case 94:
/* Line 1806 of yacc.c */
#line 1511 "yara_grammar.y"
#line 1513 "yara_grammar.y"
{
CHECK_TYPE((yyvsp[(3) - (4)].expression_type), EXPRESSION_TYPE_INTEGER, "int32");
@ -3477,7 +3479,7 @@ yyreduce:
case 95:
/* Line 1806 of yacc.c */
#line 1522 "yara_grammar.y"
#line 1524 "yara_grammar.y"
{
CHECK_TYPE((yyvsp[(3) - (4)].expression_type), EXPRESSION_TYPE_INTEGER, "uint8");
@ -3493,7 +3495,7 @@ yyreduce:
case 96:
/* Line 1806 of yacc.c */
#line 1533 "yara_grammar.y"
#line 1535 "yara_grammar.y"
{
CHECK_TYPE((yyvsp[(3) - (4)].expression_type), EXPRESSION_TYPE_INTEGER, "uint16");
@ -3509,7 +3511,7 @@ yyreduce:
case 97:
/* Line 1806 of yacc.c */
#line 1544 "yara_grammar.y"
#line 1546 "yara_grammar.y"
{
CHECK_TYPE((yyvsp[(3) - (4)].expression_type), EXPRESSION_TYPE_INTEGER, "uint32");
@ -3525,7 +3527,7 @@ yyreduce:
case 98:
/* Line 1806 of yacc.c */
#line 1555 "yara_grammar.y"
#line 1557 "yara_grammar.y"
{
compiler->last_result = yr_parser_emit_with_arg(
yyscanner, OP_PUSH, (yyvsp[(1) - (1)].integer), NULL);
@ -3539,7 +3541,7 @@ yyreduce:
case 99:
/* Line 1806 of yacc.c */
#line 1564 "yara_grammar.y"
#line 1566 "yara_grammar.y"
{
SIZED_STRING* sized_string = (yyvsp[(1) - (1)].sized_string);
char* string;
@ -3569,7 +3571,7 @@ yyreduce:
case 100:
/* Line 1806 of yacc.c */
#line 1589 "yara_grammar.y"
#line 1591 "yara_grammar.y"
{
compiler->last_result = yr_parser_reduce_string_identifier(
yyscanner,
@ -3587,7 +3589,7 @@ yyreduce:
case 101:
/* Line 1806 of yacc.c */
#line 1602 "yara_grammar.y"
#line 1604 "yara_grammar.y"
{
compiler->last_result = yr_parser_reduce_string_identifier(
yyscanner,
@ -3605,7 +3607,7 @@ yyreduce:
case 102:
/* Line 1806 of yacc.c */
#line 1615 "yara_grammar.y"
#line 1617 "yara_grammar.y"
{
compiler->last_result = yr_parser_emit_with_arg(
yyscanner,
@ -3630,7 +3632,7 @@ yyreduce:
case 103:
/* Line 1806 of yacc.c */
#line 1635 "yara_grammar.y"
#line 1637 "yara_grammar.y"
{
if ((yyvsp[(1) - (1)].object) == (YR_OBJECT*) -1) // loop identifier
{
@ -3670,7 +3672,7 @@ yyreduce:
case 104:
/* Line 1806 of yacc.c */
#line 1670 "yara_grammar.y"
#line 1672 "yara_grammar.y"
{
CHECK_TYPE((yyvsp[(1) - (3)].expression_type), EXPRESSION_TYPE_INTEGER, "+");
CHECK_TYPE((yyvsp[(3) - (3)].expression_type), EXPRESSION_TYPE_INTEGER, "+");
@ -3684,7 +3686,7 @@ yyreduce:
case 105:
/* Line 1806 of yacc.c */
#line 1679 "yara_grammar.y"
#line 1681 "yara_grammar.y"
{
CHECK_TYPE((yyvsp[(1) - (3)].expression_type), EXPRESSION_TYPE_INTEGER, "-");
CHECK_TYPE((yyvsp[(3) - (3)].expression_type), EXPRESSION_TYPE_INTEGER, "-");
@ -3698,7 +3700,7 @@ yyreduce:
case 106:
/* Line 1806 of yacc.c */
#line 1688 "yara_grammar.y"
#line 1690 "yara_grammar.y"
{
CHECK_TYPE((yyvsp[(1) - (3)].expression_type), EXPRESSION_TYPE_INTEGER, "*");
CHECK_TYPE((yyvsp[(3) - (3)].expression_type), EXPRESSION_TYPE_INTEGER, "*");
@ -3712,7 +3714,7 @@ yyreduce:
case 107:
/* Line 1806 of yacc.c */
#line 1697 "yara_grammar.y"
#line 1699 "yara_grammar.y"
{
CHECK_TYPE((yyvsp[(1) - (3)].expression_type), EXPRESSION_TYPE_INTEGER, "\\");
CHECK_TYPE((yyvsp[(3) - (3)].expression_type), EXPRESSION_TYPE_INTEGER, "\\");
@ -3726,7 +3728,7 @@ yyreduce:
case 108:
/* Line 1806 of yacc.c */
#line 1706 "yara_grammar.y"
#line 1708 "yara_grammar.y"
{
CHECK_TYPE((yyvsp[(1) - (3)].expression_type), EXPRESSION_TYPE_INTEGER, "%");
CHECK_TYPE((yyvsp[(3) - (3)].expression_type), EXPRESSION_TYPE_INTEGER, "%");
@ -3740,7 +3742,7 @@ yyreduce:
case 109:
/* Line 1806 of yacc.c */
#line 1715 "yara_grammar.y"
#line 1717 "yara_grammar.y"
{
CHECK_TYPE((yyvsp[(1) - (3)].expression_type), EXPRESSION_TYPE_INTEGER, "^");
CHECK_TYPE((yyvsp[(3) - (3)].expression_type), EXPRESSION_TYPE_INTEGER, "^");
@ -3754,7 +3756,7 @@ yyreduce:
case 110:
/* Line 1806 of yacc.c */
#line 1724 "yara_grammar.y"
#line 1726 "yara_grammar.y"
{
CHECK_TYPE((yyvsp[(1) - (3)].expression_type), EXPRESSION_TYPE_INTEGER, "^");
CHECK_TYPE((yyvsp[(3) - (3)].expression_type), EXPRESSION_TYPE_INTEGER, "^");
@ -3768,7 +3770,7 @@ yyreduce:
case 111:
/* Line 1806 of yacc.c */
#line 1733 "yara_grammar.y"
#line 1735 "yara_grammar.y"
{
CHECK_TYPE((yyvsp[(1) - (3)].expression_type), EXPRESSION_TYPE_INTEGER, "|");
CHECK_TYPE((yyvsp[(3) - (3)].expression_type), EXPRESSION_TYPE_INTEGER, "|");
@ -3782,7 +3784,7 @@ yyreduce:
case 112:
/* Line 1806 of yacc.c */
#line 1742 "yara_grammar.y"
#line 1744 "yara_grammar.y"
{
CHECK_TYPE((yyvsp[(2) - (2)].expression_type), EXPRESSION_TYPE_INTEGER, "~");
@ -3795,7 +3797,7 @@ yyreduce:
case 113:
/* Line 1806 of yacc.c */
#line 1750 "yara_grammar.y"
#line 1752 "yara_grammar.y"
{
CHECK_TYPE((yyvsp[(1) - (3)].expression_type), EXPRESSION_TYPE_INTEGER, "<<");
CHECK_TYPE((yyvsp[(3) - (3)].expression_type), EXPRESSION_TYPE_INTEGER, "<<");
@ -3809,7 +3811,7 @@ yyreduce:
case 114:
/* Line 1806 of yacc.c */
#line 1759 "yara_grammar.y"
#line 1761 "yara_grammar.y"
{
CHECK_TYPE((yyvsp[(1) - (3)].expression_type), EXPRESSION_TYPE_INTEGER, ">>");
CHECK_TYPE((yyvsp[(3) - (3)].expression_type), EXPRESSION_TYPE_INTEGER, ">>");
@ -3823,7 +3825,7 @@ yyreduce:
case 115:
/* Line 1806 of yacc.c */
#line 1768 "yara_grammar.y"
#line 1770 "yara_grammar.y"
{
(yyval.expression_type) = (yyvsp[(1) - (1)].expression_type);
}
@ -3832,7 +3834,7 @@ yyreduce:
/* Line 1806 of yacc.c */
#line 3836 "yara_grammar.c"
#line 3838 "yara_grammar.c"
default: break;
}
/* User semantic actions sometimes alter yychar, and that requires
@ -4063,6 +4065,6 @@ yyreturn:
/* Line 2067 of yacc.c */
#line 1773 "yara_grammar.y"
#line 1775 "yara_grammar.y"

@ -958,6 +958,8 @@ expression
}
| _STRING_IDENTIFIER_ _IN_ range
{
compiler->current_rule_clflags |= RULE_OFFSETS;
compiler->last_result = yr_parser_reduce_string_identifier(
yyscanner,
$1,
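Review bot: The new `compiler->current_rule_clflags |= RULE_OFFSETS;` in the `_STRING_IDENTIFIER_ _IN_ range` action has no comment saying why the flag is needed, and it is set before the result of yr_parser_reduce_string_identifier is known. Presumably it asks the matcher to keep the per-match offsets that the executor's range check reads; if so, say it at the line: `/* 'in' is evaluated against recorded match offsets; request them for this rule */`. The action body continues past the end of the hunk, so any later error handling is not visible here.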
