Add YARA condition evaluation function. Add support for YARA 'of' clauses.

10 years ago · d25549807f
parent a0d134a70a
commit d25549807f
5 changed files with 53 additions and 15 deletions
--- a/libclamav/matcher.c
+++ b/libclamav/matcher.c
@ -55,6 +55,7 @@
 #include "perflogging.h"
 #include "bytecode_priv.h"
 #include "bytecode_api_impl.h"
+#include "yara_clam.h"

 #ifdef CLI_PERF_LOGGING

@ -751,7 +752,17 @@ static int lsig_eval(cli_ctx *ctx, struct cli_matcher *root, struct cli_ac_data

 static int yara_eval(cli_ctx *ctx, struct cli_matcher *root, struct cli_ac_data *acdata, struct cli_target_info *target_info, const char *hash, uint32_t lsid)
 {
-    return CL_CLEAN;
+    struct cli_ac_lsig *ac_lsig = root->ac_lsigtable[lsid];
+    uint8_t * code_start = ac_lsig->u.code_start;
+    int rc = 0;
+    YR_SCAN_CONTEXT context = {0}; //FIXME (populate from ldb)
+  
+    rc = yr_execute_code(ac_lsig, acdata, &context, 0, 0);
+
+    if (rc == CL_VIRUS)
+        cli_append_virus(ctx, ac_lsig->virname);
+
+    return rc;
 }

 int cli_exp_eval(cli_ctx *ctx, struct cli_matcher *root, struct cli_ac_data *acdata, struct cli_target_info *target_info, const char *hash)
--- a/libclamav/readdb.c
+++ b/libclamav/readdb.c
@ -3456,6 +3456,7 @@ static int load_oneyara(YR_RULE *rule, struct cl_engine *engine, unsigned int op
            cli_yaramsg("STRING_FITS_IN_ATOM       yes\n");
        */
 #endif
+        string->subsig_id = ytable.tbl_cnt;
    }

    if (str_error > 0) {
@ -3651,10 +3652,10 @@ static int cli_loadyara(FILE *fs, struct cl_engine *engine, unsigned int *signo,
        cli_errmsg("cli_loadyara: failed to parse rules file %s, error count %i\n", dbname, rc);
        yr_hash_table_destroy(compiler.rules_table, NULL);
        yr_hash_table_destroy(compiler.objects_table, NULL);
-        yr_arena_destroy(compiler.sz_arena);
-        yr_arena_destroy(compiler.rules_arena);
+        //        yr_arena_destroy(compiler.sz_arena);
+        //        yr_arena_destroy(compiler.rules_arena);
        yr_arena_destroy(compiler.code_arena);
-        yr_arena_destroy(compiler.strings_arena);
+        //        yr_arena_destroy(compiler.strings_arena);
        yr_arena_destroy(compiler.metas_arena);
 #ifdef YARA_FINISHED
        return CL_EMALFDB;
@ -3680,10 +3681,10 @@ static int cli_loadyara(FILE *fs, struct cl_engine *engine, unsigned int *signo,

    yr_hash_table_destroy(compiler.rules_table, NULL);
    yr_hash_table_destroy(compiler.objects_table, NULL);
-    yr_arena_destroy(compiler.sz_arena);
-    yr_arena_destroy(compiler.rules_arena);
+    //    yr_arena_destroy(compiler.sz_arena);
+    //    yr_arena_destroy(compiler.rules_arena);
    yr_arena_destroy(compiler.code_arena);
-    yr_arena_destroy(compiler.strings_arena);
+    //    yr_arena_destroy(compiler.strings_arena);
    yr_arena_destroy(compiler.metas_arena);

    if(rc)
--- a/libclamav/yara_clam.h
+++ b/libclamav/yara_clam.h
@ -54,6 +54,7 @@ limitations under the License.
 #define META_TYPE_STRING    2
 #define META_TYPE_BOOLEAN   3

+
 #define STRING_GFLAGS_REFERENCED        0x01
 #define STRING_GFLAGS_HEXADECIMAL       0x02
 #define STRING_GFLAGS_NO_CASE           0x04
@ -546,10 +547,12 @@ typedef struct _yc_string {
    STAILQ_ENTRY(_yc_string) link;
    int32_t g_flags;
    int32_t length;
-    
+
    DECLARE_REFERENCE(char*, identifier);
    DECLARE_REFERENCE(uint8_t*, string);
    DECLARE_REFERENCE(struct _YR_STRING*, chained_to);
+
+    int32_t subsig_id;
 } yc_string;

 typedef struct _yc_compiler {
--- a/libclamav/yara_exec.c
+++ b/libclamav/yara_exec.c
@ -48,6 +48,7 @@ typedef struct _YR_MATCH
 } YR_MATCH;

 // End of temp for clamAV
+#include "matcher.h"
 #include "yara_clam.h"
 #include "yara_exec.h"
 #endif
@ -103,7 +104,8 @@ int yr_execute_code(
 #if REAL_YARA
    YR_RULES* rules,
 #else
-    uint8_t* ip,
+    struct cli_ac_lsig * aclsig,
+    struct cli_ac_data * acdata,
 #endif
    YR_SCAN_CONTEXT* context,
    int timeout,
@ -118,6 +120,10 @@ int yr_execute_code(
  int32_t sp = 0;
 #if REAL_YARA
  uint8_t* ip = rules->code_start;
+#else
+  uint8_t* ip = aclsig->u.code_start;
+  uint32_t lsig_id;
+  uint32_t rule_matches = 0;
 #endif

  YR_RULE* rule;
@ -143,13 +149,20 @@ int yr_execute_code(

  while(1)
  {
+    cli_errmsg("yara_exec: executing %i\n", *ip);
    switch(*ip)
    {
      case OP_HALT:
        // When the halt instruction is reached the stack
        // should be empty.
        assert(sp == 0);
+#if REAL_YARA
        return ERROR_SUCCESS;
+#else
+        if (rule_matches != 0)
+            return CL_VIRUS;
+        return CL_SUCCESS;
+#endif

      case OP_PUSH:
        r1 = *(uint64_t*)(ip + 1);
@ -407,8 +420,7 @@ int yr_execute_code(
 #if REAL_YARA
          rule->t_flags[tidx] |= RULE_TFLAGS_MATCH;
 #else
-        //tbd clamav
-          rule->g_flags |= RULE_TFLAGS_MATCH;
+        rule_matches++;
 #endif

        #ifdef PROFILING_ENABLED
@ -674,18 +686,28 @@ int yr_execute_code(
        count = 0;
        pop(r1);

+#if REAL_YARA
        while (r1 != UNDEFINED)
        {
          string = UINT64_TO_PTR(YR_STRING*, r1);
-#if REAL_YARA
          if (string->matches[tidx].tail != NULL)
            found++;
+          count++;
+          pop(r1);
+        }
 #else
-        //TBD: clamav
-#endif
+        lsig_id = aclsig->id;
+        for (i = 0; i < aclsig->tdb.subsigs; i++) {
+            if (acdata->lsigsuboff_first[lsig_id][i] != CLI_OFF_NONE) {
+                found++;
+            }
+        }
+        while (r1 != UNDEFINED)
+        {
          count++;
          pop(r1);
        }
+#endif

        pop(r2);

--- a/libclamav/yara_exec.h
+++ b/libclamav/yara_exec.h
@ -90,7 +90,8 @@ int yr_execute_code(
 #if REAL_YARA
    YR_RULES* rules,
 #else
-    uint8_t* ip,
+    struct cli_ac_lsig * aclsig,
+    struct cli_ac_data * acdata,
 #endif
    YR_SCAN_CONTEXT* context,
    int timeout,