Cool_Tools/ImHex
1
0
Fork 0
mirror of synced 2025-01-18 00:56:49 +01:00
Code Releases Wiki Activity

impr: Move advanced analysis yara rules to the patterns repo

Browse Source
This commit is contained in:
WerWolv 2024-02-25 11:32:05 +01:00
parent c4f3ea901a
commit 7434fdec6f
6 changed files with 21 additions and 155 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
lib/libimhex/include/hex/helpers/fs.hpp
View File

@ -37,6 +37,7 @@ namespace hex::fs {
Magic, Magic,
Plugins, Plugins,
Yara, Yara,
YaraAdvancedAnalysis,
Config, Config,
Backups, Backups,
Resources, Resources,

3
lib/libimhex/source/helpers/fs.cpp
View File

@ -410,6 +410,9 @@ namespace hex::fs {
case ImHexPath::Yara: case ImHexPath::Yara:
result = appendPath(getDataPaths(), "yara"); result = appendPath(getDataPaths(), "yara");
break; break;
case ImHexPath::YaraAdvancedAnalysis:
result = appendPath(getDefaultPaths(ImHexPath::Yara), "advanced_analysis");
break;
case ImHexPath::Recent: case ImHexPath::Recent:
result = appendPath(getConfigPaths(), "recent"); result = appendPath(getConfigPaths(), "recent");
break; break;

40
plugins/yara_rules/romfs/rules/compiler.yar
View File

@ -1,40 +0,0 @@
rule CompilerMSVC {
meta:
category = "Compiler"
name = "MSVC"
strings:
$iostreams_mangled_name = "$basic_iostream@DU" ascii
$std_namespace = "@@std@@" ascii
condition:
any of them
}
rule CompilerGCC {
meta:
category = "Compiler"
name = "GCC"
strings:
$iostreams_mangled_name = "_ZSt4cout" ascii
$std_namespace = "_ZSt" ascii
$gcc_version = "GCC: (GNU) " ascii
condition:
2 of them
}
rule CompilerClang {
meta:
category = "Compiler"
name = "Clang"
strings:
$iostreams_mangled_name = "_ZSt4cout" ascii
$std_namespace = "_ZSt" ascii
$clang_version = "clang version " ascii
condition:
2 of them
}

36
plugins/yara_rules/romfs/rules/environment.yar
View File

@ -1,36 +0,0 @@
rule EnvironmentMingw {
meta:
category = "Environment"
name = "MinGW"
strings:
$mingw_runtime = "Mingw runtime failure" ascii
$mingw64_runtime = "Mingw-w64 runtime failure:" ascii fullword
$msys2 = "Built by MSYS2 project" ascii
condition:
2 of them
}
rule EnvironmentWin32 {
meta:
category = "Environment"
name = "Win32"
strings:
$kernel32 = "KERNEL32.dll" ascii
$user32 = "USER32.dll" ascii
$advapi32 = "ADVAPI32.dll" ascii
$ole32 = "OLE32.dll" ascii
$oleaut32 = "OLEAUT32.dll" ascii
$shell32 = "SHELL32.dll" ascii
$shlwapi = "SHLWAPI.dll" ascii
$comctl32 = "COMCTL32.dll" ascii
$comdlg32 = "COMDLG32.dll" ascii
$gdi32 = "GDI32.dll" ascii
$imm32 = "IMM32.dll" ascii
$msvcrt = "MSVCRT.dll" ascii
condition:
4 of them
}

61
plugins/yara_rules/romfs/rules/language.yar
View File

@ -1,61 +0,0 @@
rule LanguageCpp {
meta:
category = "Programming Language"
name = "C++"
strings:
$exception_windows = "_CxxThrowException" ascii fullword
$iostreams = "iostream" ascii
condition:
any of them
}
rule LanguageC {
meta:
category = "Programming Language"
name = "C++"
strings:
$printf = "printf" ascii
$scanf = "scanf" ascii
$malloc = "malloc" ascii
$calloc = "calloc" ascii
$realloc = "realloc" ascii
$free = "free" ascii
condition:
any of them and not LanguageCpp
}
rule LanguageRust {
meta:
category = "Programming Language"
name = "Rust"
strings:
$option_unwrap = "called `Option::unwrap()` on a `None`" ascii
$result_unwrap = "called `Result::unwrap()` on an `Err`" ascii
$panic_1 = "panicked at" ascii
$panic_2 = "thread '' panicked at" ascii
$panic_3 = "thread panicked while processing panic. aborting." ascii
$panicking_file = "panicking.rs" ascii fullword
condition:
any of them
}
rule LanguageGo {
meta:
category = "Programming Language"
name = "Go"
strings:
$max_procs = "runtime.GOMAXPROCS" ascii fullword
$panic = "runtime.gopanic" ascii fullword
$go_root = "runtime.GOROOT" ascii fullword
condition:
any of them
}

35
plugins/yara_rules/source/content/data_information_sections.cpp
View File

@ -27,29 +27,28 @@ namespace hex::plugin::yara {
}; };
void process(Task &task, prv::Provider *provider, Region region) override { void process(Task &task, prv::Provider *provider, Region region) override {
const auto &ruleFilePaths = romfs::list("rules"); for (const auto &yaraSignaturePath : fs::getDefaultPaths(fs::ImHexPath::YaraAdvancedAnalysis)) {
task.setMaxValue(ruleFilePaths.size()); for (const auto &ruleFilePath : std::fs::recursive_directory_iterator(yaraSignaturePath)) {
const std::string fileContent = romfs::get(ruleFilePath).data<const char>();
for (const auto &ruleFilePath : ruleFilePaths) { YaraRule yaraRule(fileContent);
const std::string fileContent = romfs::get(ruleFilePath).data<const char>(); task.setInterruptCallback([&yaraRule] {
yaraRule.interrupt();
});
YaraRule yaraRule(fileContent); const auto result = yaraRule.match(provider, region);
task.setInterruptCallback([&yaraRule] { if (result.has_value()) {
yaraRule.interrupt(); const auto &rules = result.value().matchedRules;
}); for (const auto &rule : rules) {
if (!rule.metadata.contains("category")) continue;
const auto result = yaraRule.match(provider, region); const auto &categoryName = rule.metadata.at("category");
if (result.has_value()) { m_categories[categoryName].matchedRules.insert(rule);
const auto &rules = result.value().matchedRules; }
for (const auto &rule : rules) {
if (!rule.metadata.contains("category")) continue;
const auto &categoryName = rule.metadata.at("category");
m_categories[categoryName].matchedRules.insert(rule);
} }
}
task.increment(); task.update();
}
} }
} }