1 /* 2 Copyright (c) 2014. The YARA Authors. All Rights Reserved. 3 4 Redistribution and use in source and binary forms, with or without modification, 5 are permitted provided that the following conditions are met: 6 7 1. Redistributions of source code must retain the above copyright notice, this 8 list of conditions and the following disclaimer. 9 10 2. Redistributions in binary form must reproduce the above copyright notice, 11 this list of conditions and the following disclaimer in the documentation and/or 12 other materials provided with the distribution. 13 14 3. Neither the name of the copyright holder nor the names of its contributors 15 may be used to endorse or promote products derived from this software without 16 specific prior written permission. 17 18 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 */ 29 30 #ifndef YR_MODULES_H 31 #define YR_MODULES_H 32 33 #include <assert.h> 34 #include <math.h> 35 #include <stdio.h> 36 #include <string.h> 37 #include <yara/error.h> 38 #include <yara/exec.h> 39 #include <yara/libyara.h> 40 #include <yara/limits.h> 41 #include <yara/object.h> 42 #include <yara/re.h> 43 #include <yara/types.h> 44 #include <yara/utils.h> 45 46 // Concatenation that macro-expands its arguments. 47 48 #define YR_CONCAT(arg1, arg2) _YR_CONCAT(arg1, arg2) // expands the arguments. 49 #define _YR_CONCAT(arg1, arg2) arg1##arg2 // do the actual concatenation. 50 51 #define module_declarations YR_CONCAT(MODULE_NAME, __declarations) 52 #define module_load YR_CONCAT(MODULE_NAME, __load) 53 #define module_unload YR_CONCAT(MODULE_NAME, __unload) 54 #define module_initialize YR_CONCAT(MODULE_NAME, __initialize) 55 #define module_finalize YR_CONCAT(MODULE_NAME, __finalize) 56 57 #define begin_declarations \ 58 int module_declarations(YR_OBJECT* module) \ 59 { \ 60 YR_OBJECT* stack[64]; \ 61 int stack_top = 0; \ 62 stack[stack_top] = module; 63 64 #define end_declarations \ 65 return ERROR_SUCCESS; \ 66 } 67 68 #define begin_struct(name) \ 69 { \ 70 YR_OBJECT* structure; \ 71 FAIL_ON_ERROR(yr_object_create( \ 72 OBJECT_TYPE_STRUCTURE, name, stack[stack_top], &structure)); \ 73 assertf( \ 74 stack_top < sizeof(stack) / sizeof(stack[0]) - 1, \ 75 "too many nested structures"); \ 76 stack[++stack_top] = structure; \ 77 } 78 79 #define begin_struct_array(name) \ 80 { \ 81 YR_OBJECT* structure; \ 82 YR_OBJECT* array; \ 83 FAIL_ON_ERROR( \ 84 yr_object_create(OBJECT_TYPE_ARRAY, name, stack[stack_top], &array)); \ 85 FAIL_ON_ERROR( \ 86 yr_object_create(OBJECT_TYPE_STRUCTURE, name, array, &structure)); \ 87 assertf( \ 88 stack_top < sizeof(stack) / sizeof(stack[0]) - 1, \ 89 "too many nested structures"); \ 90 stack[++stack_top] = structure; \ 91 } 92 93 #define begin_struct_dictionary(name) \ 94 { \ 95 YR_OBJECT* structure; \ 96 YR_OBJECT* array; \ 97 FAIL_ON_ERROR(yr_object_create( \ 98 OBJECT_TYPE_DICTIONARY, name, stack[stack_top], &array)); \ 99 FAIL_ON_ERROR( \ 100 yr_object_create(OBJECT_TYPE_STRUCTURE, name, array, &structure)); \ 101 assertf( \ 102 stack_top < sizeof(stack) / sizeof(stack[0]) - 1, \ 103 "too many nested structures"); \ 104 stack[++stack_top] = structure; \ 105 } 106 107 #define end_struct(name) \ 108 { \ 109 assert(stack[stack_top]->type == OBJECT_TYPE_STRUCTURE); \ 110 assertf( \ 111 strcmp(stack[stack_top]->identifier, name) == 0, \ 112 "unbalanced begin_struct/end_struct"); \ 113 stack_top--; \ 114 } 115 116 #define end_struct_array(name) \ 117 end_struct \ 118 (name) 119 120 #define end_struct_dictionary(name) \ 121 end_struct \ 122 (name) 123 124 #define declare_integer(name) \ 125 { \ 126 FAIL_ON_ERROR( \ 127 yr_object_create(OBJECT_TYPE_INTEGER, name, stack[stack_top], NULL)); \ 128 } 129 130 #define declare_integer_array(name) \ 131 { \ 132 YR_OBJECT* array; \ 133 FAIL_ON_ERROR( \ 134 yr_object_create(OBJECT_TYPE_ARRAY, name, stack[stack_top], &array)); \ 135 FAIL_ON_ERROR(yr_object_create(OBJECT_TYPE_INTEGER, name, array, NULL)); \ 136 } 137 138 #define declare_integer_dictionary(name) \ 139 { \ 140 YR_OBJECT* dict; \ 141 FAIL_ON_ERROR(yr_object_create( \ 142 OBJECT_TYPE_DICTIONARY, name, stack[stack_top], &dict)); \ 143 FAIL_ON_ERROR(yr_object_create(OBJECT_TYPE_INTEGER, name, dict, NULL)); \ 144 } 145 146 #define declare_float(name) \ 147 { \ 148 FAIL_ON_ERROR( \ 149 yr_object_create(OBJECT_TYPE_FLOAT, name, stack[stack_top], NULL)); \ 150 } 151 152 #define declare_float_array(name) \ 153 { \ 154 YR_OBJECT* array; \ 155 FAIL_ON_ERROR( \ 156 yr_object_create(OBJECT_TYPE_ARRAY, name, stack[stack_top], &array)); \ 157 FAIL_ON_ERROR(yr_object_create(OBJECT_TYPE_FLOAT, name, array, NULL)); \ 158 } 159 160 #define declare_float_dictionary(name) \ 161 { \ 162 YR_OBJECT* dict; \ 163 FAIL_ON_ERROR(yr_object_create( \ 164 OBJECT_TYPE_DICTIONARY, name, stack[stack_top], &dict)); \ 165 FAIL_ON_ERROR(yr_object_create(OBJECT_TYPE_FLOAT, name, dict, NULL)); \ 166 } 167 168 #define declare_string(name) \ 169 { \ 170 FAIL_ON_ERROR( \ 171 yr_object_create(OBJECT_TYPE_STRING, name, stack[stack_top], NULL)); \ 172 } 173 174 #define declare_string_array(name) \ 175 { \ 176 YR_OBJECT* array; \ 177 FAIL_ON_ERROR( \ 178 yr_object_create(OBJECT_TYPE_ARRAY, name, stack[stack_top], &array)); \ 179 FAIL_ON_ERROR(yr_object_create(OBJECT_TYPE_STRING, name, array, NULL)); \ 180 } 181 182 #define declare_string_dictionary(name) \ 183 { \ 184 YR_OBJECT* dict; \ 185 FAIL_ON_ERROR(yr_object_create( \ 186 OBJECT_TYPE_DICTIONARY, name, stack[stack_top], &dict)); \ 187 FAIL_ON_ERROR(yr_object_create(OBJECT_TYPE_STRING, name, dict, NULL)); \ 188 } 189 190 #define declare_function(name, args_fmt, ret_fmt, func) \ 191 { \ 192 YR_OBJECT* function; \ 193 FAIL_ON_ERROR(yr_object_function_create( \ 194 name, args_fmt, ret_fmt, func, stack[stack_top], &function)); \ 195 } 196 197 #define define_function(func) \ 198 int func( \ 199 YR_VALUE* __args, \ 200 YR_SCAN_CONTEXT* __context, \ 201 YR_OBJECT_FUNCTION* __function_obj) 202 203 #define sized_string_argument(n) (__args[n - 1].ss) 204 205 #define string_argument(n) (sized_string_argument(n)->c_string) 206 207 #define integer_argument(n) (__args[n - 1].i) 208 209 #define float_argument(n) (__args[n - 1].d) 210 211 #define regexp_argument(n) ((RE*) (__args[n - 1].re)) 212 213 #define module() yr_object_get_root((YR_OBJECT*) __function_obj) 214 #define parent() (__function_obj->parent) 215 #define scan_context() (__context) 216 217 #define foreach_memory_block(iterator, block) \ 218 for (block = iterator->first(iterator); block != NULL; \ 219 block = iterator->next(iterator)) 220 221 #define first_memory_block(context) \ 222 (context)->iterator->first((context)->iterator) 223 224 #define is_undefined(object, ...) \ 225 yr_object_has_undefined_value(object, __VA_ARGS__) 226 227 #define get_object(object, ...) yr_object_lookup(object, 0, __VA_ARGS__) 228 229 #define get_integer(object, ...) yr_object_get_integer(object, __VA_ARGS__) 230 231 #define get_float(object, ...) yr_object_get_float(object, __VA_ARGS__) 232 233 #define get_string(object, ...) yr_object_get_string(object, __VA_ARGS__) 234 235 #define set_integer(value, object, ...) \ 236 yr_object_set_integer(value, object, __VA_ARGS__) 237 238 #define set_float(value, object, ...) \ 239 yr_object_set_float(value, object, __VA_ARGS__) 240 241 #define set_sized_string(value, len, object, ...) \ 242 yr_object_set_string(value, len, object, __VA_ARGS__) 243 244 #define set_string(value, object, ...) \ 245 set_sized_string( \ 246 value, (value == NULL) ? 0 : strlen(value), object, __VA_ARGS__) 247 248 #define return_integer(integer) \ 249 { \ 250 assertf( \ 251 __function_obj->return_obj->type == OBJECT_TYPE_INTEGER, \ 252 "return type differs from function declaration"); \ 253 return yr_object_set_integer((integer), __function_obj->return_obj, NULL); \ 254 } 255 256 #define return_float(double_) \ 257 { \ 258 double d = (double) (double_); \ 259 assertf( \ 260 __function_obj->return_obj->type == OBJECT_TYPE_FLOAT, \ 261 "return type differs from function declaration"); \ 262 return yr_object_set_float( \ 263 (d != (double) YR_UNDEFINED) ? d : NAN, \ 264 __function_obj->return_obj, \ 265 NULL); \ 266 } 267 268 #define return_string(string) \ 269 { \ 270 char* s = (char*) (string); \ 271 assertf( \ 272 __function_obj->return_obj->type == OBJECT_TYPE_STRING, \ 273 "return type differs from function declaration"); \ 274 return yr_object_set_string( \ 275 (s != (char*) YR_UNDEFINED) ? s : NULL, \ 276 (s != (char*) YR_UNDEFINED) ? strlen(s) : 0, \ 277 __function_obj->return_obj, \ 278 NULL); \ 279 } 280 281 typedef int (*YR_EXT_INITIALIZE_FUNC)(YR_MODULE* module); 282 283 typedef int (*YR_EXT_FINALIZE_FUNC)(YR_MODULE* module); 284 285 typedef int (*YR_EXT_DECLARATIONS_FUNC)(YR_OBJECT* module_object); 286 287 typedef int (*YR_EXT_LOAD_FUNC)( 288 YR_SCAN_CONTEXT* context, 289 YR_OBJECT* module_object, 290 void* module_data, 291 size_t module_data_size); 292 293 typedef int (*YR_EXT_UNLOAD_FUNC)(YR_OBJECT* module_object); 294 295 struct YR_MODULE 296 { 297 char* name; 298 299 YR_EXT_DECLARATIONS_FUNC declarations; 300 YR_EXT_LOAD_FUNC load; 301 YR_EXT_UNLOAD_FUNC unload; 302 YR_EXT_INITIALIZE_FUNC initialize; 303 YR_EXT_FINALIZE_FUNC finalize; 304 }; 305 306 struct YR_MODULE_IMPORT 307 { 308 const char* module_name; 309 void* module_data; 310 size_t module_data_size; 311 }; 312 313 int yr_modules_initialize(void); 314 315 int yr_modules_finalize(void); 316 317 int yr_modules_do_declarations( 318 const char* module_name, 319 YR_OBJECT* main_structure); 320 321 int yr_modules_load(const char* module_name, YR_SCAN_CONTEXT* context); 322 323 int yr_modules_unload_all(YR_SCAN_CONTEXT* context); 324 325 #endif 326