2021-12-07 22:47:41 +01:00
|
|
|
#include "content/views/view_yara.hpp"
|
2021-02-26 13:35:19 +01:00
|
|
|
|
2022-02-01 18:09:40 +01:00
|
|
|
#include <hex/api/content_registry.hpp>
|
|
|
|
|
2021-02-26 13:35:19 +01:00
|
|
|
#include <hex/providers/provider.hpp>
|
2021-08-29 22:15:18 +02:00
|
|
|
#include <hex/helpers/utils.hpp>
|
2021-09-08 15:18:24 +02:00
|
|
|
#include <hex/helpers/file.hpp>
|
2022-01-13 14:33:30 +01:00
|
|
|
#include <hex/helpers/paths.hpp>
|
2021-09-23 22:57:19 +02:00
|
|
|
#include <hex/helpers/logger.hpp>
|
2021-02-26 13:35:19 +01:00
|
|
|
|
|
|
|
#include <yara.h>
|
|
|
|
#include <filesystem>
|
|
|
|
#include <thread>
|
|
|
|
|
2021-09-23 22:57:19 +02:00
|
|
|
#include <hex/helpers/paths.hpp>
|
2021-02-26 13:35:19 +01:00
|
|
|
|
2021-12-07 22:47:41 +01:00
|
|
|
namespace hex::plugin::builtin {
|
2021-02-26 13:35:19 +01:00
|
|
|
|
2021-12-07 22:47:41 +01:00
|
|
|
ViewYara::ViewYara() : View("hex.builtin.view.yara.name") {
|
2021-02-26 13:35:19 +01:00
|
|
|
yr_initialize();
|
|
|
|
|
|
|
|
this->reloadRules();
|
2022-01-13 14:34:19 +01:00
|
|
|
|
|
|
|
ContentRegistry::FileHandler::add({ ".yar" }, [](const auto &path) {
|
2022-02-01 18:09:40 +01:00
|
|
|
for (const auto &destPath : hex::getPath(ImHexPath::Yara)) {
|
2022-01-13 14:34:19 +01:00
|
|
|
std::error_code error;
|
|
|
|
if (fs::copy_file(path, destPath / path.filename(), fs::copy_options::overwrite_existing, error)) {
|
|
|
|
View::showMessagePopup("hex.builtin.view.yara.rule_added"_lang);
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return false;
|
|
|
|
});
|
2021-02-26 13:35:19 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
ViewYara::~ViewYara() {
|
|
|
|
yr_finalize();
|
|
|
|
}
|
|
|
|
|
|
|
|
void ViewYara::drawContent() {
|
2021-12-07 22:47:41 +01:00
|
|
|
if (ImGui::Begin(View::toWindowName("hex.builtin.view.yara.name").c_str(), &this->getWindowOpenState(), ImGuiWindowFlags_NoCollapse)) {
|
2021-02-26 13:35:19 +01:00
|
|
|
|
|
|
|
if (!this->m_matching && !this->m_errorMessage.empty()) {
|
2021-12-07 22:47:41 +01:00
|
|
|
View::showErrorPopup("hex.builtin.view.yara.error"_lang + this->m_errorMessage.data());
|
2021-02-26 13:35:19 +01:00
|
|
|
this->m_errorMessage.clear();
|
|
|
|
}
|
|
|
|
|
2021-12-07 22:47:41 +01:00
|
|
|
ImGui::TextUnformatted("hex.builtin.view.yara.header.rules"_lang);
|
2021-02-26 13:35:19 +01:00
|
|
|
ImGui::Separator();
|
|
|
|
|
|
|
|
if (this->m_rules.empty()) {
|
2022-01-15 14:14:53 +01:00
|
|
|
ImGui::TextFormattedColored(ImVec4(0.92F, 0.25F, 0.2F, 1.0F), "{}", "hex.builtin.view.yara.no_rules"_lang);
|
2021-02-26 13:35:19 +01:00
|
|
|
|
2021-12-07 22:47:41 +01:00
|
|
|
if (ImGui::Button("hex.builtin.view.yara.reload"_lang)) this->reloadRules();
|
2021-02-26 13:35:19 +01:00
|
|
|
} else {
|
2022-01-24 20:53:17 +01:00
|
|
|
ImGui::Disabled([this] {
|
2021-12-07 22:47:41 +01:00
|
|
|
if (ImGui::BeginCombo("hex.builtin.view.yara.header.rules"_lang, this->m_rules[this->m_selectedRule].first.c_str())) {
|
2021-02-26 13:35:19 +01:00
|
|
|
for (u32 i = 0; i < this->m_rules.size(); i++) {
|
|
|
|
const bool selected = (this->m_selectedRule == i);
|
2021-09-23 22:57:19 +02:00
|
|
|
if (ImGui::Selectable(this->m_rules[i].first.c_str(), selected))
|
2021-02-26 13:35:19 +01:00
|
|
|
this->m_selectedRule = i;
|
|
|
|
|
|
|
|
if (selected)
|
|
|
|
ImGui::SetItemDefaultFocus();
|
|
|
|
}
|
|
|
|
ImGui::EndCombo();
|
|
|
|
}
|
|
|
|
ImGui::SameLine();
|
2021-12-07 22:47:41 +01:00
|
|
|
if (ImGui::Button("hex.builtin.view.yara.reload"_lang)) this->reloadRules();
|
|
|
|
if (ImGui::Button("hex.builtin.view.yara.match"_lang)) this->applyRules();
|
2022-01-24 20:53:17 +01:00
|
|
|
},
|
2022-02-01 22:09:44 +01:00
|
|
|
this->m_matching);
|
2021-02-26 13:35:19 +01:00
|
|
|
|
|
|
|
if (this->m_matching) {
|
|
|
|
ImGui::SameLine();
|
2021-12-07 22:47:41 +01:00
|
|
|
ImGui::TextSpinner("hex.builtin.view.yara.matching"_lang);
|
2021-02-26 13:35:19 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
ImGui::NewLine();
|
2021-12-07 22:47:41 +01:00
|
|
|
ImGui::TextUnformatted("hex.builtin.view.yara.header.matches"_lang);
|
2021-02-26 13:35:19 +01:00
|
|
|
ImGui::Separator();
|
|
|
|
|
2021-11-04 20:41:36 +01:00
|
|
|
if (ImGui::BeginTable("matches", 4, ImGuiTableFlags_Borders | ImGuiTableFlags_Resizable | ImGuiTableFlags_Sortable | ImGuiTableFlags_Reorderable | ImGuiTableFlags_RowBg | ImGuiTableFlags_ScrollY)) {
|
2021-02-26 13:35:19 +01:00
|
|
|
ImGui::TableSetupScrollFreeze(0, 1);
|
2021-12-07 22:47:41 +01:00
|
|
|
ImGui::TableSetupColumn("hex.builtin.view.yara.matches.identifier"_lang);
|
|
|
|
ImGui::TableSetupColumn("hex.builtin.view.yara.matches.variable"_lang);
|
2022-02-02 00:36:09 +01:00
|
|
|
ImGui::TableSetupColumn("hex.builtin.common.address"_lang);
|
|
|
|
ImGui::TableSetupColumn("hex.builtin.common.size"_lang);
|
2021-02-26 13:35:19 +01:00
|
|
|
|
|
|
|
ImGui::TableHeadersRow();
|
|
|
|
|
|
|
|
ImGuiListClipper clipper;
|
|
|
|
clipper.Begin(this->m_matches.size());
|
|
|
|
|
|
|
|
while (clipper.Step()) {
|
|
|
|
for (u32 i = clipper.DisplayStart; i < clipper.DisplayEnd; i++) {
|
2022-02-02 21:08:46 +01:00
|
|
|
auto &[identifier, variableName, address, size, wholeDataMatch, highlightId] = this->m_matches[i];
|
2021-02-26 13:35:19 +01:00
|
|
|
ImGui::TableNextRow();
|
|
|
|
ImGui::TableNextColumn();
|
|
|
|
ImGui::PushID(i);
|
|
|
|
if (ImGui::Selectable("match", false, ImGuiSelectableFlags_SpanAllColumns | ImGuiSelectableFlags_AllowItemOverlap)) {
|
2022-02-08 18:38:54 +01:00
|
|
|
ImHexApi::HexEditor::setSelection(address, size);
|
2021-02-26 13:35:19 +01:00
|
|
|
}
|
|
|
|
ImGui::PopID();
|
|
|
|
ImGui::SameLine();
|
|
|
|
ImGui::TextUnformatted(identifier.c_str());
|
2021-11-04 20:41:36 +01:00
|
|
|
ImGui::TableNextColumn();
|
|
|
|
ImGui::TextUnformatted(variableName.c_str());
|
2021-02-26 13:35:19 +01:00
|
|
|
|
|
|
|
if (!wholeDataMatch) {
|
|
|
|
ImGui::TableNextColumn();
|
2021-12-31 01:10:06 +01:00
|
|
|
ImGui::TextFormatted("0x{0:X} : 0x{1:X}", address, address + size - 1);
|
2021-02-26 13:35:19 +01:00
|
|
|
ImGui::TableNextColumn();
|
2021-12-31 01:10:06 +01:00
|
|
|
ImGui::TextFormatted("0x{0:X}", size);
|
2021-02-26 13:35:19 +01:00
|
|
|
} else {
|
|
|
|
ImGui::TableNextColumn();
|
2022-01-15 14:14:53 +01:00
|
|
|
ImGui::TextFormattedColored(ImVec4(0.92F, 0.25F, 0.2F, 1.0F), "{}", "hex.builtin.view.yara.whole_data"_lang);
|
2021-02-26 13:35:19 +01:00
|
|
|
ImGui::TableNextColumn();
|
|
|
|
ImGui::TextUnformatted("");
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
clipper.End();
|
|
|
|
|
|
|
|
ImGui::EndTable();
|
|
|
|
}
|
|
|
|
}
|
|
|
|
ImGui::End();
|
|
|
|
}
|
|
|
|
|
|
|
|
void ViewYara::reloadRules() {
|
|
|
|
this->m_rules.clear();
|
|
|
|
|
2022-02-01 18:09:40 +01:00
|
|
|
for (const auto path : hex::getPath(ImHexPath::Yara)) {
|
2021-09-23 22:57:19 +02:00
|
|
|
if (!fs::exists(path))
|
|
|
|
continue;
|
2021-02-26 13:35:19 +01:00
|
|
|
|
2021-09-23 22:57:19 +02:00
|
|
|
for (const auto &entry : fs::recursive_directory_iterator(path)) {
|
|
|
|
if (entry.is_regular_file() && entry.path().extension() == ".yar") {
|
|
|
|
this->m_rules.push_back({ fs::relative(entry.path(), fs::path(path)).string(), entry.path().string() });
|
|
|
|
}
|
|
|
|
}
|
2021-02-26 13:35:19 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
void ViewYara::applyRules() {
|
2022-02-02 21:08:46 +01:00
|
|
|
for (const auto &match : this->m_matches)
|
|
|
|
ImHexApi::HexEditor::removeHighlight(match.highlightId);
|
|
|
|
|
2021-02-26 13:35:19 +01:00
|
|
|
this->m_matches.clear();
|
|
|
|
this->m_errorMessage.clear();
|
|
|
|
this->m_matching = true;
|
|
|
|
|
|
|
|
std::thread([this] {
|
2021-12-16 23:48:52 +01:00
|
|
|
if (!ImHexApi::Provider::isValid()) return;
|
|
|
|
|
|
|
|
auto provider = ImHexApi::Provider::get();
|
2022-02-01 22:09:44 +01:00
|
|
|
auto task = ImHexApi::Tasks::createTask("hex.builtin.view.yara.matching", provider->getActualSize());
|
2021-02-26 13:35:19 +01:00
|
|
|
|
|
|
|
YR_COMPILER *compiler = nullptr;
|
|
|
|
yr_compiler_create(&compiler);
|
2021-09-23 22:57:19 +02:00
|
|
|
ON_SCOPE_EXIT {
|
|
|
|
yr_compiler_destroy(compiler);
|
|
|
|
this->m_matching = false;
|
|
|
|
};
|
|
|
|
|
|
|
|
yr_compiler_set_include_callback(
|
2022-01-24 20:53:17 +01:00
|
|
|
compiler,
|
|
|
|
[](const char *includeName, const char *callingRuleFileName, const char *callingRuleNamespace, void *userData) -> const char * {
|
|
|
|
auto currFilePath = static_cast<const char *>(userData);
|
2021-09-23 22:57:19 +02:00
|
|
|
|
2022-01-24 20:53:17 +01:00
|
|
|
File file((fs::path(currFilePath).parent_path() / includeName).string(), File::Mode::Read);
|
|
|
|
if (!file.isValid())
|
|
|
|
return nullptr;
|
2021-02-26 13:35:19 +01:00
|
|
|
|
2022-02-01 22:09:44 +01:00
|
|
|
auto size = file.getSize();
|
2022-01-24 20:53:17 +01:00
|
|
|
char *buffer = new char[size + 1];
|
|
|
|
file.readBuffer(reinterpret_cast<u8 *>(buffer), size);
|
|
|
|
buffer[size] = 0x00;
|
2021-09-23 22:57:19 +02:00
|
|
|
|
2022-01-24 20:53:17 +01:00
|
|
|
return buffer;
|
|
|
|
},
|
|
|
|
[](const char *ptr, void *userData) {
|
|
|
|
delete[] ptr;
|
|
|
|
},
|
|
|
|
this->m_rules[this->m_selectedRule].second.data());
|
2021-09-23 22:57:19 +02:00
|
|
|
|
|
|
|
|
|
|
|
File file(this->m_rules[this->m_selectedRule].second, File::Mode::Read);
|
2021-09-08 15:18:24 +02:00
|
|
|
if (!file.isValid()) return;
|
2021-02-26 13:35:19 +01:00
|
|
|
|
2021-09-08 15:18:24 +02:00
|
|
|
if (yr_compiler_add_file(compiler, file.getHandle(), nullptr, nullptr) != 0) {
|
2021-02-26 13:35:19 +01:00
|
|
|
this->m_errorMessage.resize(0xFFFF);
|
|
|
|
yr_compiler_get_error_message(compiler, this->m_errorMessage.data(), this->m_errorMessage.size());
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
YR_RULES *rules;
|
|
|
|
yr_compiler_get_rules(compiler, &rules);
|
2021-09-23 22:57:19 +02:00
|
|
|
ON_SCOPE_EXIT { yr_rules_destroy(rules); };
|
2021-02-26 13:35:19 +01:00
|
|
|
|
|
|
|
std::vector<YaraMatch> newMatches;
|
|
|
|
|
|
|
|
YR_MEMORY_BLOCK_ITERATOR iterator;
|
|
|
|
|
|
|
|
struct ScanContext {
|
2021-12-16 23:48:52 +01:00
|
|
|
Task *task;
|
2021-02-26 13:35:19 +01:00
|
|
|
std::vector<u8> buffer;
|
|
|
|
YR_MEMORY_BLOCK currBlock;
|
|
|
|
};
|
|
|
|
|
|
|
|
ScanContext context;
|
2022-02-01 22:09:44 +01:00
|
|
|
context.task = &task;
|
|
|
|
context.currBlock.base = 0;
|
2022-01-24 20:53:17 +01:00
|
|
|
context.currBlock.fetch_data = [](auto *block) -> const u8 * {
|
|
|
|
auto &context = *static_cast<ScanContext *>(block->context);
|
2021-02-26 13:35:19 +01:00
|
|
|
|
2021-09-21 02:29:54 +02:00
|
|
|
auto provider = ImHexApi::Provider::get();
|
2021-02-26 13:35:19 +01:00
|
|
|
|
2021-12-15 22:52:35 +01:00
|
|
|
context.buffer.resize(context.currBlock.size);
|
2021-02-26 13:35:19 +01:00
|
|
|
|
|
|
|
if (context.buffer.empty()) return nullptr;
|
|
|
|
|
2021-12-15 22:52:35 +01:00
|
|
|
block->size = context.currBlock.size;
|
|
|
|
|
2021-12-15 21:13:45 +01:00
|
|
|
provider->read(context.currBlock.base + provider->getBaseAddress(), context.buffer.data(), context.buffer.size());
|
2021-02-26 13:35:19 +01:00
|
|
|
|
|
|
|
return context.buffer.data();
|
|
|
|
};
|
|
|
|
iterator.file_size = [](auto *iterator) -> u64 {
|
2021-12-15 22:52:35 +01:00
|
|
|
return ImHexApi::Provider::get()->getActualSize();
|
2021-02-26 13:35:19 +01:00
|
|
|
};
|
|
|
|
|
|
|
|
iterator.context = &context;
|
2022-02-01 22:09:44 +01:00
|
|
|
iterator.first = [](YR_MEMORY_BLOCK_ITERATOR *iterator) -> YR_MEMORY_BLOCK *{
|
2022-01-24 20:53:17 +01:00
|
|
|
auto &context = *static_cast<ScanContext *>(iterator->context);
|
2021-02-26 13:35:19 +01:00
|
|
|
|
|
|
|
context.currBlock.base = 0;
|
|
|
|
context.currBlock.size = 0;
|
|
|
|
context.buffer.clear();
|
|
|
|
iterator->last_error = ERROR_SUCCESS;
|
|
|
|
|
|
|
|
return iterator->next(iterator);
|
|
|
|
};
|
2022-01-24 20:53:17 +01:00
|
|
|
iterator.next = [](YR_MEMORY_BLOCK_ITERATOR *iterator) -> YR_MEMORY_BLOCK * {
|
|
|
|
auto &context = *static_cast<ScanContext *>(iterator->context);
|
2021-02-26 13:35:19 +01:00
|
|
|
|
|
|
|
u64 address = context.currBlock.base + context.currBlock.size;
|
|
|
|
|
2022-02-01 22:09:44 +01:00
|
|
|
iterator->last_error = ERROR_SUCCESS;
|
|
|
|
context.currBlock.base = address;
|
|
|
|
context.currBlock.size = ImHexApi::Provider::get()->getActualSize() - address;
|
2021-02-26 13:35:19 +01:00
|
|
|
context.currBlock.context = &context;
|
2021-12-16 23:48:52 +01:00
|
|
|
context.task->update(address);
|
2021-02-26 13:35:19 +01:00
|
|
|
|
|
|
|
if (context.currBlock.size == 0) return nullptr;
|
|
|
|
|
|
|
|
return &context.currBlock;
|
|
|
|
};
|
|
|
|
|
|
|
|
|
2022-01-24 20:53:17 +01:00
|
|
|
yr_rules_scan_mem_blocks(
|
|
|
|
rules, &iterator, 0, [](YR_SCAN_CONTEXT *context, int message, void *data, void *userData) -> int {
|
|
|
|
if (message == CALLBACK_MSG_RULE_MATCHING) {
|
|
|
|
auto &newMatches = *static_cast<std::vector<YaraMatch> *>(userData);
|
2022-02-01 22:09:44 +01:00
|
|
|
auto rule = static_cast<YR_RULE *>(data);
|
2021-02-26 13:35:19 +01:00
|
|
|
|
2022-01-24 20:53:17 +01:00
|
|
|
YR_STRING *string;
|
|
|
|
YR_MATCH *match;
|
2021-02-26 13:35:19 +01:00
|
|
|
|
2022-01-24 20:53:17 +01:00
|
|
|
if (rule->strings != nullptr) {
|
|
|
|
yr_rule_strings_foreach(rule, string) {
|
|
|
|
yr_string_matches_foreach(context, string, match) {
|
2022-02-02 21:08:46 +01:00
|
|
|
newMatches.push_back({ rule->identifier, string->identifier, u64(match->offset), size_t(match->match_length), false });
|
2022-01-24 20:53:17 +01:00
|
|
|
}
|
2021-02-26 13:35:19 +01:00
|
|
|
}
|
2022-01-24 20:53:17 +01:00
|
|
|
} else {
|
|
|
|
newMatches.push_back({ rule->identifier, "", 0, 0, true });
|
2021-02-26 13:35:19 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-01-24 20:53:17 +01:00
|
|
|
return CALLBACK_CONTINUE;
|
|
|
|
},
|
|
|
|
&newMatches,
|
|
|
|
0);
|
2021-02-26 13:35:19 +01:00
|
|
|
|
2022-02-02 21:08:46 +01:00
|
|
|
for (auto &match : newMatches) {
|
|
|
|
match.highlightId = ImHexApi::HexEditor::addHighlight({ match.address, match.size }, 0x70B4771F, hex::format("{0} [{1}]", match.identifier, match.variable));
|
|
|
|
}
|
|
|
|
|
2021-02-26 13:35:19 +01:00
|
|
|
std::copy(newMatches.begin(), newMatches.end(), std::back_inserter(this->m_matches));
|
|
|
|
}).detach();
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|