Merge pull request #30 from y1z2g3/master

p8a · web-flow · commit a6f6536f83cc · 2022-06-29T13:33:49.000-04:00
Adapt to yara v4.0.2 version
diff --git a/README.md b/README.md
@@ -9,21 +9,22 @@ Highlights
 - Rules can be loaded as strings, files or archives; for archives will recursively look for and load all yara rule files
 - Matches are returned with identifier, metadata and tags
 - Negate, timeout and limit supported
+- Support yara 4.0.2 -- 2021/1/17
 
 
 How to build 
 ------------  
 
 ### Get and build yara source code
 
-Example (building from 3.10.0 version)
+Example (building from 4.0.2 version)
 
 ```
 git clone https://github.com/virustotal/yara.git
 cd yara
-git checkout tags/v3.10.0
+git checkout tags/v4.0.2
 ./bootstrap.sh
-./configure --disable-shared
+./configure --enable-shared --without-crypto CFLAGS=-fPIC
 make
 ```
 
@@ -34,11 +35,17 @@ Example (in "yara" folder):
 ```
 git clone https://github.com/p8a/yara-java.git
 cd yara-java
-git checkout tags/v3.10.0
 mvn clean install
 ```
 
 Usage and examples
 ------------------
 
 See the unit tests
+
+
+Notes
+----
+After you successfully added some sources you can get the compiled rules using the yr_compiler_get_rules() function. You'll get a pointer to a YR_RULES structure which can be used to scan your data as described in Scanning data. Once yr_compiler_get_rules() is invoked you can not add more sources to the compiler, but you can call yr_compiler_get_rules() multiple times. Each time this function is called it returns a pointer to the same YR_RULES structure. Notice that this behaviour is new in YARA 4.0.0, in YARA 3.X and 2.X yr_compiler_get_rules() returned a new copy the YR_RULES structure.Instances of YR_RULES must be destroyed with yr_rules_destroy().
+
+When you call YaraCompilerImpl.createScanner() multiple times. the return YaraScanner will point to the same YR_RULES structure. so, you cann't destroy YaraScanner multiple times!!!
diff --git a/src/main/java/com/github/plusvic/yara/embedded/YaraCompilerImpl.java b/src/main/java/com/github/plusvic/yara/embedded/YaraCompilerImpl.java
@@ -36,7 +36,7 @@ public NativeCompilationCallback(YaraLibrary library, YaraCompilationCallback ca
             this.callback = callback;
         }
 
-        long nativeOnError(long errorLevel, long fileName, long lineNumber, long message, long data) {
+        long nativeOnError(long errorLevel, long fileName, long lineNumber, long rule, long message, long data) {
             callback.onError(YaraCompilationCallback.ErrorLevel.from((int) errorLevel),
                     library.toString(fileName),
                     lineNumber,
@@ -71,7 +71,7 @@ public void setCallback(YaraCompilationCallback cbk) {
         checkArgument(cbk != null);
         checkState(callback == null);
 
-        callback = new Callback(new NativeCompilationCallback(library, cbk), "nativeOnError", 5);
+        callback = new Callback(new NativeCompilationCallback(library, cbk), "nativeOnError", 6);
         final long callBackAddress = callback.getAddress();
         if(callBackAddress == 0) {
           throw new IllegalStateException("Too many concurent callbacks, unable to create.");
diff --git a/src/main/java/com/github/plusvic/yara/embedded/YaraLibrary.java b/src/main/java/com/github/plusvic/yara/embedded/YaraLibrary.java
@@ -55,7 +55,7 @@ public void compilerDestroy(long compiler) {
 
     private final native void yr_compiler_set_callback(
             @JniArg(cast = "YR_COMPILER*") long compiler,
-            @JniArg(cast = "void (*)(int, const char*, int, const char*,void*)", flags = ArgFlag.POINTER_ARG) long callback,
+            @JniArg(cast = "void (*)(int, const char*, int, const YR_RULE* rule, const char*,void*)", flags = ArgFlag.POINTER_ARG) long callback,
             @JniArg(cast = "void *") long data
     );
     public void compilerSetCallback(long compiler, long callback, long data) {
@@ -227,13 +227,18 @@ public String stringIdentifier(long pv) {
         return yara_string_identifier(null, pv);
     }
 
-    private final native long yara_string_matches(JNIEnv env, @JniArg(cast = "void*") long pv);
-    public long stringMatches(long pv) {
+    private final native long yara_string_matches(
+        JNIEnv env, 
+        @JniArg(cast = "void*") long context,
+        @JniArg(cast = "void*") long pv);
+    public long stringMatches(long context, long pv) {
         Preconditions.checkState(library != null);
-        return yara_string_matches(null, pv);
+        return yara_string_matches(null, context, pv);
     }
 
-    private final native long yara_string_match_next(JNIEnv env, @JniArg(cast = "void*") long pv);
+    private final native long yara_string_match_next(
+        JNIEnv env, 
+        @JniArg(cast = "void*") long pv);
     public long stringMatchNext(long pv) {
         Preconditions.checkState(library != null);
         return yara_string_match_next(null, pv);
diff --git a/src/main/java/com/github/plusvic/yara/embedded/YaraRuleImpl.java b/src/main/java/com/github/plusvic/yara/embedded/YaraRuleImpl.java
@@ -11,13 +11,16 @@
  */
 public class YaraRuleImpl implements YaraRule {
     private final YaraLibrary library;
+    private final long context;
     private final long peer;
 
-    YaraRuleImpl(YaraLibrary library, long peer) {
+    YaraRuleImpl(YaraLibrary library, long context, long peer) {
         checkArgument(library != null);
+        checkArgument(context != 0);
         checkArgument(peer != 0);
 
         this.library = library;
+        this.context = context;
         this.peer = peer;
     }
 
@@ -64,13 +67,13 @@ public Iterator<YaraMeta> getMetadata() {
 
             @Override
             protected YaraMetaImpl getNext() {
-                long last = index;
-                index = library.ruleMetaNext(index);
-
-                if (index == 0 || last == 0) {
+                if (index == 0){
                     return null;
                 }
 
+                long last = index;
+                index = library.ruleMetaNext(index);
+
                 return new YaraMetaImpl(library, last);
             }
         };
@@ -87,14 +90,14 @@ public Iterator<YaraString> getStrings() {
 
             @Override
             protected YaraStringImpl getNext() {
-                long last = index;
-                index = library.ruleStringNext(index);
-
-                if (index == 0 || last == 0) {
+                if (index == 0){
                     return null;
                 }
 
-                return new YaraStringImpl(library, last);
+                long last = index;
+                index = library.ruleStringNext(index);
+
+                return new YaraStringImpl(library, context, last);
             }
         };
     }
diff --git a/src/main/java/com/github/plusvic/yara/embedded/YaraScannerImpl.java b/src/main/java/com/github/plusvic/yara/embedded/YaraScannerImpl.java
@@ -61,20 +61,20 @@ public void setMaxRules(int count) {
             this.maxRules = count;
         }
 
-        long nativeOnScan(long type, long message, long data) {
+        long nativeOnScan(long context, long type, long message, long data) {
             if (!negate && type == CALLBACK_MSG_RULE_MATCHING) {
                 ++count;
 
                 if (scanCallback != null) {
-                    YaraRuleImpl rule = new YaraRuleImpl(library, message);
+                    YaraRuleImpl rule = new YaraRuleImpl(library, context, message);
                     scanCallback.onMatch(rule);
                 }
             }
             else if(negate && type == CALLBACK_MSG_RULE_NOT_MATCHING) {
                 ++count;
 
                 if (scanCallback != null) {
-                    YaraRuleImpl rule = new YaraRuleImpl(library, message);
+                    YaraRuleImpl rule = new YaraRuleImpl(library, context, message);
                     scanCallback.onMatch(rule);
                 }
             }
@@ -211,7 +211,7 @@ public void scan(File file, Map<String, String> moduleArgs, YaraScanCallback yar
         nativeCallback.setMaxRules(maxRules);
         nativeCallback.setNegate(notSatisfiedOnly);
 
-        Callback callback = new Callback(nativeCallback, "nativeOnScan", 3);
+        Callback callback = new Callback(nativeCallback, "nativeOnScan", 4);
 
         try {
             final long callBackAddress = callback.getAddress();
@@ -284,7 +284,7 @@ public void scan(byte[] buffer, Map<String, String> moduleArgs, YaraScanCallback
         nativeCallback.setMaxRules(maxRules);
         nativeCallback.setNegate(notSatisfiedOnly);
 
-        Callback callback = new Callback(nativeCallback, "nativeOnScan", 3);
+        Callback callback = new Callback(nativeCallback, "nativeOnScan", 4);
 
         try {
             final long callBackAddress = callback.getAddress();
diff --git a/src/main/java/com/github/plusvic/yara/embedded/YaraStringImpl.java b/src/main/java/com/github/plusvic/yara/embedded/YaraStringImpl.java
@@ -13,13 +13,16 @@
  */
 public class YaraStringImpl implements YaraString {
     private final YaraLibrary library;
+    private final long context;
     private final long peer;
 
-    YaraStringImpl(YaraLibrary library, long peer) {
+    YaraStringImpl(YaraLibrary library, long context, long peer) {
         checkArgument(library != null);
+        checkArgument(context != 0);
         checkArgument(peer != 0);
 
         this.library = library;
+        this.context = context;
         this.peer = peer;
     }
 
@@ -39,7 +42,7 @@ public String getIdentifier() {
      */
     public Iterator<YaraMatch> getMatches() {
         return new GenericIterator<YaraMatch>() {
-            private long index = library.stringMatches(peer);
+            private long index = library.stringMatches(context, peer);
 
             @Override
             protected YaraMatchImpl getNext() {
diff --git a/src/main/native-package/src/yara-wrapper.h b/src/main/native-package/src/yara-wrapper.h
@@ -62,10 +62,10 @@ static void*
 yara_rule_meta_next(JNIEnv *env, void *v) {
     YR_META *meta = (YR_META *)v;
 
-    if (META_IS_NULL(meta)) {
+    if (NULL == meta) {
         return 0;
     }
-    return ++meta;
+    return META_IS_LAST_IN_RULE(meta) ? NULL : ++meta;
 }
 
 static int
@@ -102,10 +102,10 @@ static void*
 yara_rule_string_next(JNIEnv *env, void *v) {
     YR_STRING *string = (YR_STRING *)v;
 
-    if (STRING_IS_NULL(string)) {
+    if (NULL == string) {
         return 0;
     }
-    return ++string;
+    return STRING_IS_LAST_IN_RULE(string) ? NULL : ++string;
 }
 
 static jstring
@@ -115,15 +115,25 @@ yara_string_identifier(JNIEnv *env, void *v) {
 }
 
 static void*
-yara_string_matches(JNIEnv *env, void *v) {
+yara_string_matches(JNIEnv *env, void *context, void *v) {
     YR_STRING *string = (YR_STRING *)v;
-    return (string ? STRING_MATCHES(string).head : NULL);
+    YR_MATCHES* matches = ((YR_SCAN_CONTEXT*)context)->matches;
+    return matches[string->idx].head;
 }
 
 static void*
 yara_string_match_next(JNIEnv *env, void *v) {
-    return !v ? 0 :
-            ((YR_MATCH *)v)->next;
+    YR_MATCH *match = (YR_MATCH *)v;
+
+    if(NULL == match) {
+        return 0;
+    }
+
+    while(match->is_private){
+        match = match->next;
+    }
+
+    return match->next;
 }
 
 static int64_t
