
impr: Move advanced analysis yara rules to the patterns repo

This commit is contained in:
WerWolv 2024-02-25 11:32:05 +01:00
parent c4f3ea901a
commit 7434fdec6f
6 changed files with 21 additions and 155 deletions


@ -37,6 +37,7 @@ namespace hex::fs {
Magic,
Plugins,
Yara,
YaraAdvancedAnalysis,
Config,
Backups,
Resources,


@ -410,6 +410,9 @@ namespace hex::fs {
case ImHexPath::Yara:
result = appendPath(getDataPaths(), "yara");
break;
case ImHexPath::YaraAdvancedAnalysis:
result = appendPath(getDefaultPaths(ImHexPath::Yara), "advanced_analysis");
break;
case ImHexPath::Recent:
result = appendPath(getConfigPaths(), "recent");
break;


@ -1,40 +0,0 @@
rule CompilerMSVC {
meta:
category = "Compiler"
name = "MSVC"
strings:
$iostreams_mangled_name = "$basic_iostream@DU" ascii
$std_namespace = "@@std@@" ascii
condition:
any of them
}
rule CompilerGCC {
meta:
category = "Compiler"
name = "GCC"
strings:
$iostreams_mangled_name = "_ZSt4cout" ascii
$std_namespace = "_ZSt" ascii
$gcc_version = "GCC: (GNU) " ascii
condition:
2 of them
}
rule CompilerClang {
meta:
category = "Compiler"
name = "Clang"
strings:
$iostreams_mangled_name = "_ZSt4cout" ascii
$std_namespace = "_ZSt" ascii
$clang_version = "clang version " ascii
condition:
2 of them
}


@ -1,36 +0,0 @@
rule EnvironmentMingw {
meta:
category = "Environment"
name = "MinGW"
strings:
$mingw_runtime = "Mingw runtime failure" ascii
$mingw64_runtime = "Mingw-w64 runtime failure:" ascii fullword
$msys2 = "Built by MSYS2 project" ascii
condition:
2 of them
}
rule EnvironmentWin32 {
meta:
category = "Environment"
name = "Win32"
strings:
$kernel32 = "KERNEL32.dll" ascii
$user32 = "USER32.dll" ascii
$advapi32 = "ADVAPI32.dll" ascii
$ole32 = "OLE32.dll" ascii
$oleaut32 = "OLEAUT32.dll" ascii
$shell32 = "SHELL32.dll" ascii
$shlwapi = "SHLWAPI.dll" ascii
$comctl32 = "COMCTL32.dll" ascii
$comdlg32 = "COMDLG32.dll" ascii
$gdi32 = "GDI32.dll" ascii
$imm32 = "IMM32.dll" ascii
$msvcrt = "MSVCRT.dll" ascii
condition:
4 of them
}


@ -1,61 +0,0 @@
rule LanguageCpp {
meta:
category = "Programming Language"
name = "C++"
strings:
$exception_windows = "_CxxThrowException" ascii fullword
$iostreams = "iostream" ascii
condition:
any of them
}
rule LanguageC {
meta:
category = "Programming Language"
name = "C++"
strings:
$printf = "printf" ascii
$scanf = "scanf" ascii
$malloc = "malloc" ascii
$calloc = "calloc" ascii
$realloc = "realloc" ascii
$free = "free" ascii
condition:
any of them and not LanguageCpp
}
rule LanguageRust {
meta:
category = "Programming Language"
name = "Rust"
strings:
$option_unwrap = "called `Option::unwrap()` on a `None`" ascii
$result_unwrap = "called `Result::unwrap()` on an `Err`" ascii
$panic_1 = "panicked at" ascii
$panic_2 = "thread '' panicked at" ascii
$panic_3 = "thread panicked while processing panic. aborting." ascii
$panicking_file = "panicking.rs" ascii fullword
condition:
any of them
}
rule LanguageGo {
meta:
category = "Programming Language"
name = "Go"
strings:
$max_procs = "runtime.GOMAXPROCS" ascii fullword
$panic = "runtime.gopanic" ascii fullword
$go_root = "runtime.GOROOT" ascii fullword
condition:
any of them
}


@ -27,29 +27,28 @@ namespace hex::plugin::yara {
};
void process(Task &task, prv::Provider *provider, Region region) override {
const auto &ruleFilePaths = romfs::list("rules");
task.setMaxValue(ruleFilePaths.size());
for (const auto &yaraSignaturePath : fs::getDefaultPaths(fs::ImHexPath::YaraAdvancedAnalysis)) {
for (const auto &ruleFilePath : std::fs::recursive_directory_iterator(yaraSignaturePath)) {
const std::string fileContent = romfs::get(ruleFilePath).data<const char>();
for (const auto &ruleFilePath : ruleFilePaths) {
const std::string fileContent = romfs::get(ruleFilePath).data<const char>();
YaraRule yaraRule(fileContent);
task.setInterruptCallback([&yaraRule] {
yaraRule.interrupt();
});
YaraRule yaraRule(fileContent);
task.setInterruptCallback([&yaraRule] {
yaraRule.interrupt();
});
const auto result = yaraRule.match(provider, region);
if (result.has_value()) {
const auto &rules = result.value().matchedRules;
for (const auto &rule : rules) {
if (!rule.metadata.contains("category")) continue;
const auto result = yaraRule.match(provider, region);
if (result.has_value()) {
const auto &rules = result.value().matchedRules;
for (const auto &rule : rules) {
if (!rule.metadata.contains("category")) continue;
const auto &categoryName = rule.metadata.at("category");
m_categories[categoryName].matchedRules.insert(rule);
const auto &categoryName = rule.metadata.at("category");
m_categories[categoryName].matchedRules.insert(rule);
}
}
}
task.increment();
task.update();
}
}
}
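Review bot: The on-disk rule files are never read — inside the new recursive_directory_iterator loop, `const std::string fileContent = romfs::get(ruleFilePath).data<const char>();` still looks the entry up in the embedded romfs, which presumably has no resource for a path under the YaraAdvancedAnalysis data directory, so every `YaraRule` is built from whatever romfs::get yields for an unknown resource rather than from the file that was just enumerated. The iterator is also constructed without a `std::error_code`, so a missing advanced_analysis directory (the rules now live in a separate repo the user may not have installed) presumably throws `std::filesystem::filesystem_error` out of process(), and directories and non-rule files are passed to YaraRule because nothing checks `is_regular_file()`. The removed `task.setMaxValue(...)` has no replacement on the new side, so the task's progress range is left at whatever its default is. Reading the file with std::ifstream as below needs `<fstream>`; the enclosing class continues outside the hunk.
```cpp
for (const auto &yaraSignaturePath : fs::getDefaultPaths(fs::ImHexPath::YaraAdvancedAnalysis)) {
    std::error_code ec;
    for (const auto &ruleFilePath : std::fs::recursive_directory_iterator(yaraSignaturePath, ec)) {
        // Only regular files hold rule text; skip directories and anything unreadable.
        if (!ruleFilePath.is_regular_file()) continue;

        std::ifstream ruleFile(ruleFilePath.path(), std::ios::binary);
        if (!ruleFile) continue;
        const std::string fileContent((std::istreambuf_iterator<char>(ruleFile)), std::istreambuf_iterator<char>());

        YaraRule yaraRule(fileContent);
        // … unchanged: interrupt callback, match, category bookkeeping …
    }
}
```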