impr: Move advanced analysis yara rules to the patterns repo
This commit is contained in:
parent
c4f3ea901a
commit
7434fdec6f
@ -37,6 +37,7 @@ namespace hex::fs {
|
||||
Magic,
|
||||
Plugins,
|
||||
Yara,
|
||||
YaraAdvancedAnalysis,
|
||||
Config,
|
||||
Backups,
|
||||
Resources,
|
||||
|
@ -410,6 +410,9 @@ namespace hex::fs {
|
||||
case ImHexPath::Yara:
|
||||
result = appendPath(getDataPaths(), "yara");
|
||||
break;
|
||||
case ImHexPath::YaraAdvancedAnalysis:
|
||||
result = appendPath(getDefaultPaths(ImHexPath::Yara), "advanced_analysis");
|
||||
break;
|
||||
case ImHexPath::Recent:
|
||||
result = appendPath(getConfigPaths(), "recent");
|
||||
break;
|
||||
|
@ -1,40 +0,0 @@
|
||||
rule CompilerMSVC {
|
||||
meta:
|
||||
category = "Compiler"
|
||||
name = "MSVC"
|
||||
|
||||
strings:
|
||||
$iostreams_mangled_name = "$basic_iostream@DU" ascii
|
||||
$std_namespace = "@@std@@" ascii
|
||||
|
||||
condition:
|
||||
any of them
|
||||
}
|
||||
|
||||
rule CompilerGCC {
|
||||
meta:
|
||||
category = "Compiler"
|
||||
name = "GCC"
|
||||
|
||||
strings:
|
||||
$iostreams_mangled_name = "_ZSt4cout" ascii
|
||||
$std_namespace = "_ZSt" ascii
|
||||
$gcc_version = "GCC: (GNU) " ascii
|
||||
|
||||
condition:
|
||||
2 of them
|
||||
}
|
||||
|
||||
rule CompilerClang {
|
||||
meta:
|
||||
category = "Compiler"
|
||||
name = "Clang"
|
||||
|
||||
strings:
|
||||
$iostreams_mangled_name = "_ZSt4cout" ascii
|
||||
$std_namespace = "_ZSt" ascii
|
||||
$clang_version = "clang version " ascii
|
||||
|
||||
condition:
|
||||
2 of them
|
||||
}
|
@ -1,36 +0,0 @@
|
||||
rule EnvironmentMingw {
|
||||
meta:
|
||||
category = "Environment"
|
||||
name = "MinGW"
|
||||
|
||||
strings:
|
||||
$mingw_runtime = "Mingw runtime failure" ascii
|
||||
$mingw64_runtime = "Mingw-w64 runtime failure:" ascii fullword
|
||||
$msys2 = "Built by MSYS2 project" ascii
|
||||
|
||||
condition:
|
||||
2 of them
|
||||
}
|
||||
|
||||
rule EnvironmentWin32 {
|
||||
meta:
|
||||
category = "Environment"
|
||||
name = "Win32"
|
||||
|
||||
strings:
|
||||
$kernel32 = "KERNEL32.dll" ascii
|
||||
$user32 = "USER32.dll" ascii
|
||||
$advapi32 = "ADVAPI32.dll" ascii
|
||||
$ole32 = "OLE32.dll" ascii
|
||||
$oleaut32 = "OLEAUT32.dll" ascii
|
||||
$shell32 = "SHELL32.dll" ascii
|
||||
$shlwapi = "SHLWAPI.dll" ascii
|
||||
$comctl32 = "COMCTL32.dll" ascii
|
||||
$comdlg32 = "COMDLG32.dll" ascii
|
||||
$gdi32 = "GDI32.dll" ascii
|
||||
$imm32 = "IMM32.dll" ascii
|
||||
$msvcrt = "MSVCRT.dll" ascii
|
||||
|
||||
condition:
|
||||
4 of them
|
||||
}
|
@ -1,61 +0,0 @@
|
||||
rule LanguageCpp {
|
||||
meta:
|
||||
category = "Programming Language"
|
||||
name = "C++"
|
||||
|
||||
strings:
|
||||
$exception_windows = "_CxxThrowException" ascii fullword
|
||||
$iostreams = "iostream" ascii
|
||||
|
||||
condition:
|
||||
any of them
|
||||
}
|
||||
|
||||
rule LanguageC {
|
||||
meta:
|
||||
category = "Programming Language"
|
||||
name = "C++"
|
||||
|
||||
strings:
|
||||
$printf = "printf" ascii
|
||||
$scanf = "scanf" ascii
|
||||
$malloc = "malloc" ascii
|
||||
$calloc = "calloc" ascii
|
||||
$realloc = "realloc" ascii
|
||||
$free = "free" ascii
|
||||
|
||||
condition:
|
||||
any of them and not LanguageCpp
|
||||
}
|
||||
|
||||
rule LanguageRust {
|
||||
meta:
|
||||
category = "Programming Language"
|
||||
name = "Rust"
|
||||
|
||||
strings:
|
||||
$option_unwrap = "called `Option::unwrap()` on a `None`" ascii
|
||||
$result_unwrap = "called `Result::unwrap()` on an `Err`" ascii
|
||||
$panic_1 = "panicked at" ascii
|
||||
$panic_2 = "thread '' panicked at" ascii
|
||||
$panic_3 = "thread panicked while processing panic. aborting." ascii
|
||||
$panicking_file = "panicking.rs" ascii fullword
|
||||
|
||||
condition:
|
||||
any of them
|
||||
}
|
||||
|
||||
rule LanguageGo {
|
||||
meta:
|
||||
category = "Programming Language"
|
||||
name = "Go"
|
||||
|
||||
strings:
|
||||
$max_procs = "runtime.GOMAXPROCS" ascii fullword
|
||||
$panic = "runtime.gopanic" ascii fullword
|
||||
$go_root = "runtime.GOROOT" ascii fullword
|
||||
|
||||
condition:
|
||||
any of them
|
||||
|
||||
}
|
@ -27,29 +27,28 @@ namespace hex::plugin::yara {
|
||||
};
|
||||
|
||||
void process(Task &task, prv::Provider *provider, Region region) override {
|
||||
const auto &ruleFilePaths = romfs::list("rules");
|
||||
task.setMaxValue(ruleFilePaths.size());
|
||||
for (const auto &yaraSignaturePath : fs::getDefaultPaths(fs::ImHexPath::YaraAdvancedAnalysis)) {
|
||||
for (const auto &ruleFilePath : std::fs::recursive_directory_iterator(yaraSignaturePath)) {
|
||||
const std::string fileContent = romfs::get(ruleFilePath).data<const char>();
|
||||
|
||||
for (const auto &ruleFilePath : ruleFilePaths) {
|
||||
const std::string fileContent = romfs::get(ruleFilePath).data<const char>();
|
||||
YaraRule yaraRule(fileContent);
|
||||
task.setInterruptCallback([&yaraRule] {
|
||||
yaraRule.interrupt();
|
||||
});
|
||||
|
||||
YaraRule yaraRule(fileContent);
|
||||
task.setInterruptCallback([&yaraRule] {
|
||||
yaraRule.interrupt();
|
||||
});
|
||||
const auto result = yaraRule.match(provider, region);
|
||||
if (result.has_value()) {
|
||||
const auto &rules = result.value().matchedRules;
|
||||
for (const auto &rule : rules) {
|
||||
if (!rule.metadata.contains("category")) continue;
|
||||
|
||||
const auto result = yaraRule.match(provider, region);
|
||||
if (result.has_value()) {
|
||||
const auto &rules = result.value().matchedRules;
|
||||
for (const auto &rule : rules) {
|
||||
if (!rule.metadata.contains("category")) continue;
|
||||
|
||||
const auto &categoryName = rule.metadata.at("category");
|
||||
m_categories[categoryName].matchedRules.insert(rule);
|
||||
const auto &categoryName = rule.metadata.at("category");
|
||||
m_categories[categoryName].matchedRules.insert(rule);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
task.increment();
|
||||
task.update();
|
||||
}
|
||||
}
|
||||
}
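Review bot: The rule content is still fetched with `romfs::get(ruleFilePath)` although `ruleFilePath` is now a directory entry produced by `std::fs::recursive_directory_iterator` over the on-disk YaraAdvancedAnalysis path, and this same commit removes the rule files from the embedded bundle, so the lookup presumably resolves nothing; the bytes should be read from the file on disk instead. The iterator also yields subdirectories and other non-regular entries, which should be skipped before reading, and since the rules now come from a user-writable data directory rather than the embedded bundle, an unreadable file should skip that file rather than abort the whole pass. `task.setMaxValue(...)` was dropped while `task.increment()` is still called, so the progress bound is no longer set — if the task needs one, count the regular files before the loop. I have assumed `YaraRule` reports a compile failure through an empty `result` rather than throwing; confirm that, because malformed user-supplied rules are now a normal input here.
```cpp
for (const auto &ruleFilePath : std::fs::recursive_directory_iterator(yaraSignaturePath)) {
    // Skip directories and other non-file entries produced by the recursive walk.
    if (!ruleFilePath.is_regular_file()) continue;

    // Rules live on disk now, not in the embedded romfs bundle (needs <fstream>, or the project's file helper).
    std::ifstream ruleFile(ruleFilePath.path(), std::ios::binary);
    if (!ruleFile.is_open()) continue;
    const std::string fileContent((std::istreambuf_iterator<char>(ruleFile)), std::istreambuf_iterator<char>());

    // … unchanged: YaraRule construction, interrupt callback, match, category bookkeeping, task.increment()/update() …
}
```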
|
||||
|
||||
|