pull ascii, nocase, and wide keywords from YARA rule strings.

11 years ago · a3c5f974ca
parent 6e767879e0
commit a3c5f974ca
3 changed files with 22 additions and 3 deletions
--- a/libclamav/readdb.c
+++ b/libclamav/readdb.c
@ -2651,8 +2651,15 @@ static int cli_loadyara(FILE *fs, const char *dbname, struct cl_engine *engine,
        while (!STAILQ_EMPTY(&rule->strings)) {
            string = STAILQ_FIRST(&rule->strings);
            STAILQ_REMOVE(&rule->strings, string, _yc_string, link);
-            printf ("    %s = \"%s\"\n", string->id, string->string);
-            free(string->id);
+            printf("    %s = \"%s\"", string->id, string->string);
+            if (STRING_IS_NO_CASE(string))
+                printf(" nocase");
+            if (STRING_IS_WIDE(string))
+                printf(" wide");
+            if (STRING_IS_ASCII(string))
+                printf(" ascii");
+            printf("\n");
+           free(string->id);
            free(string);            
        }
        free(rule->id);
--- a/libclamav/yara_clam.h
+++ b/libclamav/yara_clam.h
@ -206,6 +206,16 @@ typedef struct _SIZED_STRING
 #define ERROR_TOO_MANY_ARGUMENTS                39
 #define ERROR_WRONG_NUMBER_OF_ARGUMENTS         40

+/* From libyara/include/yara/re.h            */
+#define RE_FLAGS_FAST_HEX_REGEXP          0x02
+#define RE_FLAGS_BACKWARDS                0x04
+#define RE_FLAGS_EXHAUSTIVE               0x08
+#define RE_FLAGS_WIDE                     0x10
+#define RE_FLAGS_NO_CASE                  0x20
+#define RE_FLAGS_SCAN                     0x40
+#define RE_FLAGS_DOT_ALL                  0x80
+#define RE_FLAGS_NOT_AT_START            0x100
+

 /*
 typedef struct _YR_MATCH
--- a/libclamav/yara_parser.c
+++ b/libclamav/yara_parser.c
@ -499,6 +499,7 @@ YR_STRING* yr_parser_reduce_string_declaration(

 #if REAL_YARA
  RE_ERROR re_error;
+#endif

  if (str->flags & SIZED_STRING_FLAGS_NO_CASE)
    string_flags |= STRING_GFLAGS_NO_CASE;
@ -514,7 +515,7 @@ YR_STRING* yr_parser_reduce_string_declaration(

  if (string_flags & STRING_GFLAGS_NO_CASE)
    re_flags |= RE_FLAGS_NO_CASE;
-#endif
+
  // The STRING_GFLAGS_SINGLE_MATCH flag indicates that finding
  // a single match for the string is enough. This is true in
  // most cases, except when the string count (#) and string offset (@)
@ -656,6 +657,7 @@ YR_STRING* yr_parser_reduce_string_declaration(
          return NULL;
      } 
      memcpy(string->string, (char *)&str->c_string, str->length);
+      string->g_flags = string_flags;
  }
  STAILQ_INSERT_TAIL(&compiler->current_rule_strings, string, link);