1 /*
2 Copyright (c) 2013. The YARA Authors. All Rights Reserved.
3
4 Redistribution and use in source and binary forms, with or without modification,
5 are permitted provided that the following conditions are met:
6
7 1. Redistributions of source code must retain the above copyright notice, this
8 list of conditions and the following disclaimer.
9
10 2. Redistributions in binary form must reproduce the above copyright notice,
11 this list of conditions and the following disclaimer in the documentation and/or
12 other materials provided with the distribution.
13
14 3. Neither the name of the copyright holder nor the names of its contributors
15 may be used to endorse or promote products derived from this software without
16 specific prior written permission.
17
18 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 */
29
30 #if defined(JEMALLOC)
31 #include <jemalloc/jemalloc.h>
32 #endif
33
34 #include <ctype.h>
35 #include <stdio.h>
36 #include <string.h>
37 #include <yara/error.h>
38 #include <yara/globals.h>
39 #include <yara/mem.h>
40 #include <yara/modules.h>
41 #include <yara/re.h>
42 #include <yara/threading.h>
43
44 #include "crypto.h"
45
46 #if defined(_WIN32) || defined(__CYGWIN__)
47 #if !defined(_MSC_VER) || (defined(_MSC_VER) && (_MSC_VER < 1900))
48 #define snprintf _snprintf
49 #endif
50 #endif
51
52 YR_THREAD_STORAGE_KEY yr_yyfatal_trampoline_tls;
53 YR_THREAD_STORAGE_KEY yr_trycatch_trampoline_tls;
54
55 static int init_count = 0;
56
57 static struct yr_config_var
58 {
59 union
60 {
61 size_t sz;
62 uint32_t ui32;
63 uint64_t ui64;
64 char *str;
65 };
66
67 } yr_cfgs[YR_CONFIG_LAST];
68
69 // Global variables. See globals.h for their descriptions.
70
71 uint8_t yr_lowercase[256];
72 uint8_t yr_altercase[256];
73
74 #if 0 == YR_DEBUG_VERBOSITY
75
76 #else
77
78 uint64_t yr_debug_verbosity = YR_DEBUG_VERBOSITY;
79
80 YR_TLS int yr_debug_indent = 0;
81
82 YR_TLS int yr_debug_stopwatch_unstarted = 1;
83
84 YR_TLS YR_STOPWATCH yr_debug_stopwatch;
85
86 const char yr_debug_spaces[] = " " /* 16 spaces * 1 */
87 " " /* 16 spaces * 2 */
88 " " /* 16 spaces * 3 */
89 " " /* 16 spaces * 4 */
90 " " /* 16 spaces * 5 */
91 " " /* 16 spaces * 6 */
92 " " /* 16 spaces * 7 */
93 " " /* 16 spaces * 8 */;
94
95 size_t yr_debug_spaces_len = sizeof(yr_debug_spaces);
96
yr_debug_get_elapsed_seconds(void)97 double yr_debug_get_elapsed_seconds(void)
98 {
99 if (yr_debug_stopwatch_unstarted)
100 {
101 yr_debug_stopwatch_unstarted = 0;
102 yr_stopwatch_start(&yr_debug_stopwatch);
103 }
104
105 uint64_t elapsed_ns = yr_stopwatch_elapsed_ns(&yr_debug_stopwatch);
106
107 double seconds = (double) elapsed_ns / 1000000000;
108
109 return seconds;
110 }
111
yr_debug_callback_message_as_string(int message)112 char *yr_debug_callback_message_as_string(int message)
113 {
114 char *s = "CALLBACK_MSG_?";
115 switch (message)
116 { // clang-format off
117 case CALLBACK_MSG_RULE_MATCHING : s = "CALLBACK_MSG_RULE_MATCHING" ; break;
118 case CALLBACK_MSG_RULE_NOT_MATCHING: s = "CALLBACK_MSG_RULE_NOT_MATCHING"; break;
119 case CALLBACK_MSG_SCAN_FINISHED : s = "CALLBACK_MSG_SCAN_FINISHED" ; break;
120 case CALLBACK_MSG_IMPORT_MODULE : s = "CALLBACK_MSG_IMPORT_MODULE" ; break;
121 case CALLBACK_MSG_MODULE_IMPORTED : s = "CALLBACK_MSG_MODULE_IMPORTED" ; break;
122 } // clang-format on
123 return s;
124 }
125
yr_debug_error_as_string(int error)126 char *yr_debug_error_as_string(int error)
127 {
128 char *s = "ERROR_?";
129 switch (error)
130 { // clang-format off
131 case ERROR_SUCCESS : s = "ERROR_SUCCESS 0" ; break;
132 case ERROR_INSUFFICIENT_MEMORY : s = "ERROR_INSUFFICIENT_MEMORY" ; break;
133 case ERROR_COULD_NOT_ATTACH_TO_PROCESS : s = "ERROR_COULD_NOT_ATTACH_TO_PROCESS" ; break;
134 case ERROR_COULD_NOT_OPEN_FILE : s = "ERROR_COULD_NOT_OPEN_FILE" ; break;
135 case ERROR_COULD_NOT_MAP_FILE : s = "ERROR_COULD_NOT_MAP_FILE" ; break;
136 case ERROR_INVALID_FILE : s = "ERROR_INVALID_FILE" ; break;
137 case ERROR_CORRUPT_FILE : s = "ERROR_CORRUPT_FILE" ; break;
138 case ERROR_UNSUPPORTED_FILE_VERSION : s = "ERROR_UNSUPPORTED_FILE_VERSION" ; break;
139 case ERROR_INVALID_REGULAR_EXPRESSION : s = "ERROR_INVALID_REGULAR_EXPRESSION" ; break;
140 case ERROR_INVALID_HEX_STRING : s = "ERROR_INVALID_HEX_STRING" ; break;
141 case ERROR_SYNTAX_ERROR : s = "ERROR_SYNTAX_ERROR" ; break;
142 case ERROR_LOOP_NESTING_LIMIT_EXCEEDED : s = "ERROR_LOOP_NESTING_LIMIT_EXCEEDED" ; break;
143 case ERROR_DUPLICATED_LOOP_IDENTIFIER : s = "ERROR_DUPLICATED_LOOP_IDENTIFIER" ; break;
144 case ERROR_DUPLICATED_IDENTIFIER : s = "ERROR_DUPLICATED_IDENTIFIER" ; break;
145 case ERROR_DUPLICATED_TAG_IDENTIFIER : s = "ERROR_DUPLICATED_TAG_IDENTIFIER" ; break;
146 case ERROR_DUPLICATED_META_IDENTIFIER : s = "ERROR_DUPLICATED_META_IDENTIFIER" ; break;
147 case ERROR_DUPLICATED_STRING_IDENTIFIER : s = "ERROR_DUPLICATED_STRING_IDENTIFIER" ; break;
148 case ERROR_UNREFERENCED_STRING : s = "ERROR_UNREFERENCED_STRING" ; break;
149 case ERROR_UNDEFINED_STRING : s = "ERROR_UNDEFINED_STRING" ; break;
150 case ERROR_UNDEFINED_IDENTIFIER : s = "ERROR_UNDEFINED_IDENTIFIER" ; break;
151 case ERROR_MISPLACED_ANONYMOUS_STRING : s = "ERROR_MISPLACED_ANONYMOUS_STRING" ; break;
152 case ERROR_INCLUDES_CIRCULAR_REFERENCE : s = "ERROR_INCLUDES_CIRCULAR_REFERENCE" ; break;
153 case ERROR_INCLUDE_DEPTH_EXCEEDED : s = "ERROR_INCLUDE_DEPTH_EXCEEDED" ; break;
154 case ERROR_WRONG_TYPE : s = "ERROR_WRONG_TYPE" ; break;
155 case ERROR_EXEC_STACK_OVERFLOW : s = "ERROR_EXEC_STACK_OVERFLOW" ; break;
156 case ERROR_SCAN_TIMEOUT : s = "ERROR_SCAN_TIMEOUT" ; break;
157 case ERROR_TOO_MANY_SCAN_THREADS : s = "ERROR_TOO_MANY_SCAN_THREADS" ; break;
158 case ERROR_CALLBACK_ERROR : s = "ERROR_CALLBACK_ERROR" ; break;
159 case ERROR_INVALID_ARGUMENT : s = "ERROR_INVALID_ARGUMENT" ; break;
160 case ERROR_TOO_MANY_MATCHES : s = "ERROR_TOO_MANY_MATCHES" ; break;
161 case ERROR_INTERNAL_FATAL_ERROR : s = "ERROR_INTERNAL_FATAL_ERROR" ; break;
162 case ERROR_NESTED_FOR_OF_LOOP : s = "ERROR_NESTED_FOR_OF_LOOP" ; break;
163 case ERROR_INVALID_FIELD_NAME : s = "ERROR_INVALID_FIELD_NAME" ; break;
164 case ERROR_UNKNOWN_MODULE : s = "ERROR_UNKNOWN_MODULE" ; break;
165 case ERROR_NOT_A_STRUCTURE : s = "ERROR_NOT_A_STRUCTURE" ; break;
166 case ERROR_NOT_INDEXABLE : s = "ERROR_NOT_INDEXABLE" ; break;
167 case ERROR_NOT_A_FUNCTION : s = "ERROR_NOT_A_FUNCTION" ; break;
168 case ERROR_INVALID_FORMAT : s = "ERROR_INVALID_FORMAT" ; break;
169 case ERROR_TOO_MANY_ARGUMENTS : s = "ERROR_TOO_MANY_ARGUMENTS" ; break;
170 case ERROR_WRONG_ARGUMENTS : s = "ERROR_WRONG_ARGUMENTS" ; break;
171 case ERROR_WRONG_RETURN_TYPE : s = "ERROR_WRONG_RETURN_TYPE" ; break;
172 case ERROR_DUPLICATED_STRUCTURE_MEMBER : s = "ERROR_DUPLICATED_STRUCTURE_MEMBER" ; break;
173 case ERROR_EMPTY_STRING : s = "ERROR_EMPTY_STRING" ; break;
174 case ERROR_DIVISION_BY_ZERO : s = "ERROR_DIVISION_BY_ZERO" ; break;
175 case ERROR_REGULAR_EXPRESSION_TOO_LARGE : s = "ERROR_REGULAR_EXPRESSION_TOO_LARGE" ; break;
176 case ERROR_TOO_MANY_RE_FIBERS : s = "ERROR_TOO_MANY_RE_FIBERS" ; break;
177 case ERROR_COULD_NOT_READ_PROCESS_MEMORY : s = "ERROR_COULD_NOT_READ_PROCESS_MEMORY" ; break;
178 case ERROR_INVALID_EXTERNAL_VARIABLE_TYPE: s = "ERROR_INVALID_EXTERNAL_VARIABLE_TYPE"; break;
179 case ERROR_REGULAR_EXPRESSION_TOO_COMPLEX: s = "ERROR_REGULAR_EXPRESSION_TOO_COMPLEX"; break;
180 case ERROR_INVALID_MODULE_NAME : s = "ERROR_INVALID_MODULE_NAME" ; break;
181 case ERROR_TOO_MANY_STRINGS : s = "ERROR_TOO_MANY_STRINGS" ; break;
182 case ERROR_INTEGER_OVERFLOW : s = "ERROR_INTEGER_OVERFLOW" ; break;
183 case ERROR_CALLBACK_REQUIRED : s = "ERROR_CALLBACK_REQUIRED" ; break;
184 case ERROR_INVALID_OPERAND : s = "ERROR_INVALID_OPERAND" ; break;
185 case ERROR_COULD_NOT_READ_FILE : s = "ERROR_COULD_NOT_READ_FILE" ; break;
186 case ERROR_DUPLICATED_EXTERNAL_VARIABLE : s = "ERROR_DUPLICATED_EXTERNAL_VARIABLE" ; break;
187 case ERROR_INVALID_MODULE_DATA : s = "ERROR_INVALID_MODULE_DATA" ; break;
188 case ERROR_WRITING_FILE : s = "ERROR_WRITING_FILE" ; break;
189 case ERROR_INVALID_MODIFIER : s = "ERROR_INVALID_MODIFIER" ; break;
190 case ERROR_DUPLICATED_MODIFIER : s = "ERROR_DUPLICATED_MODIFIER" ; break;
191 case ERROR_BLOCK_NOT_READY : s = "ERROR_BLOCK_NOT_READY" ; break;
192 } // clang-format on
193 return s;
194 }
195
196 #endif
197
198 #if defined(HAVE_LIBCRYPTO) && OPENSSL_VERSION_NUMBER < 0x10100000L
199
200 // The OpenSSL library before version 1.1 requires some locks in order
201 // to be thread-safe. These locks are initialized in yr_initialize
202 // function.
203
204 static YR_MUTEX *openssl_locks;
205
_thread_id(CRYPTO_THREADID * id)206 static void _thread_id(CRYPTO_THREADID *id)
207 {
208 CRYPTO_THREADID_set_numeric(id, (unsigned long) yr_current_thread_id());
209 }
210
_locking_function(int mode,int n,const char * file,int line)211 static void _locking_function(int mode, int n, const char *file, int line)
212 {
213 if (mode & CRYPTO_LOCK)
214 yr_mutex_lock(&openssl_locks[n]);
215 else
216 yr_mutex_unlock(&openssl_locks[n]);
217 }
218
219 #endif
220
221 #if defined(HAVE_WINCRYPT_H)
222
223 HCRYPTPROV yr_cryptprov;
224
225 #endif
226
227 ////////////////////////////////////////////////////////////////////////////////
228 // Should be called by main thread before using any other
229 // function from libyara.
230 //
yr_initialize(void)231 YR_API int yr_initialize(void)
232 {
233 YR_DEBUG_FPRINTF(2, stderr, "+ %s() {\n", __FUNCTION__);
234
235 uint32_t def_stack_size = DEFAULT_STACK_SIZE;
236 uint32_t def_max_strings_per_rule = DEFAULT_MAX_STRINGS_PER_RULE;
237 uint32_t def_max_match_data = DEFAULT_MAX_MATCH_DATA;
238
239 init_count++;
240
241 if (init_count > 1)
242 return ERROR_SUCCESS;
243
244 // Initialize random number generator, as it is used for generating object
245 // canaries.
246 srand((unsigned) time(NULL));
247
248 for (int i = 0; i < 256; i++)
249 {
250 if (i >= 'a' && i <= 'z')
251 yr_altercase[i] = i - 32;
252 else if (i >= 'A' && i <= 'Z')
253 yr_altercase[i] = i + 32;
254 else
255 yr_altercase[i] = i;
256
257 yr_lowercase[i] = tolower(i);
258 }
259
260 FAIL_ON_ERROR(yr_heap_alloc());
261 FAIL_ON_ERROR(yr_thread_storage_create(&yr_yyfatal_trampoline_tls));
262 FAIL_ON_ERROR(yr_thread_storage_create(&yr_trycatch_trampoline_tls));
263
264 #if defined HAVE_LIBCRYPTO && OPENSSL_VERSION_NUMBER < 0x10100000L
265
266 openssl_locks = (YR_MUTEX *) OPENSSL_malloc(
267 CRYPTO_num_locks() * sizeof(YR_MUTEX));
268
269 for (int i = 0; i < CRYPTO_num_locks(); i++)
270 yr_mutex_create(&openssl_locks[i]);
271
272 CRYPTO_THREADID_set_callback(_thread_id);
273 CRYPTO_set_locking_callback(_locking_function);
274
275 #elif defined(HAVE_WINCRYPT_H)
276
277 if (!CryptAcquireContext(
278 &yr_cryptprov, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT))
279 {
280 return ERROR_INTERNAL_FATAL_ERROR;
281 }
282
283 #elif defined(HAVE_COMMON_CRYPTO)
284
285 ...
286
287 #endif
288
289 FAIL_ON_ERROR(yr_modules_initialize());
290
291 // Initialize default configuration options
292
293 FAIL_ON_ERROR(yr_set_configuration(YR_CONFIG_STACK_SIZE, &def_stack_size));
294
295 FAIL_ON_ERROR(yr_set_configuration(
296 YR_CONFIG_MAX_STRINGS_PER_RULE, &def_max_strings_per_rule));
297
298 FAIL_ON_ERROR(
299 yr_set_configuration(YR_CONFIG_MAX_MATCH_DATA, &def_max_match_data));
300
301 YR_DEBUG_FPRINTF(2, stderr, "} // %s()\n", __FUNCTION__);
302
303 return ERROR_SUCCESS;
304 }
305
306 ////////////////////////////////////////////////////////////////////////////////
307 // Should be called by main thread before exiting.
308 //
yr_finalize(void)309 YR_API int yr_finalize(void)
310 {
311 YR_DEBUG_FPRINTF(2, stderr, "+ %s() {\n", __FUNCTION__);
312
313 #if defined HAVE_LIBCRYPTO && OPENSSL_VERSION_NUMBER < 0x10100000L
314 int i;
315 #endif
316
317 // yr_finalize shouldn't be called without calling yr_initialize first
318
319 if (init_count == 0)
320 return ERROR_INTERNAL_FATAL_ERROR;
321
322 init_count--;
323
324 if (init_count > 0)
325 return ERROR_SUCCESS;
326
327 #if defined HAVE_LIBCRYPTO && OPENSSL_VERSION_NUMBER < 0x10100000L
328
329 for (i = 0; i < CRYPTO_num_locks(); i++) yr_mutex_destroy(&openssl_locks[i]);
330
331 OPENSSL_free(openssl_locks);
332 CRYPTO_THREADID_set_callback(NULL);
333 CRYPTO_set_locking_callback(NULL);
334
335 #elif defined(HAVE_WINCRYPT_H)
336
337 CryptReleaseContext(yr_cryptprov, 0);
338
339 #endif
340
341 FAIL_ON_ERROR(yr_thread_storage_destroy(&yr_yyfatal_trampoline_tls));
342 FAIL_ON_ERROR(yr_thread_storage_destroy(&yr_trycatch_trampoline_tls));
343 FAIL_ON_ERROR(yr_modules_finalize());
344 FAIL_ON_ERROR(yr_heap_free());
345
346 #if defined(JEMALLOC)
347 malloc_stats_print(NULL, NULL, NULL);
348 mallctl("prof.dump", NULL, NULL, NULL, 0);
349 #endif
350
351 YR_DEBUG_FPRINTF(2, stderr, "} // %s()\n", __FUNCTION__);
352
353 return ERROR_SUCCESS;
354 }
355
356 ////////////////////////////////////////////////////////////////////////////////
357 // Sets a configuration option.
358 //
359 // This function receives a configuration name, as defined by the YR_CONFIG_NAME
360 // enum, and a pointer to the value being set. The type of the value depends on
361 // the configuration name.
362 //
363 // Args:
364 // name: Any of the values defined by the YR_CONFIG_NAME enum. Possible values
365 // are:
366 // YR_CONFIG_STACK_SIZE data type: uint32_t
367 // YR_CONFIG_MAX_STRINGS_PER_RULE data type: uint32_t
368 // YR_CONFIG_MAX_MATCH_DATA data type: uint32_t
369 //
370 // src: Pointer to the value being set for the option.
371 //
372 // Returns:
373 // ERROR_SUCCESS
374 // ERROR_INTERNAL_FATAL_ERROR
375 //
yr_set_configuration(YR_CONFIG_NAME name,void * src)376 YR_API int yr_set_configuration(YR_CONFIG_NAME name, void *src)
377 {
378 if (src == NULL)
379 return ERROR_INTERNAL_FATAL_ERROR;
380
381 switch (name)
382 { // lump all the cases using same types together in one cascade
383 case YR_CONFIG_STACK_SIZE:
384 case YR_CONFIG_MAX_STRINGS_PER_RULE:
385 case YR_CONFIG_MAX_MATCH_DATA:
386 yr_cfgs[name].ui32 = *(uint32_t *) src;
387 break;
388
389 default:
390 return ERROR_INTERNAL_FATAL_ERROR;
391 }
392
393 return ERROR_SUCCESS;
394 }
395
yr_get_configuration(YR_CONFIG_NAME name,void * dest)396 YR_API int yr_get_configuration(YR_CONFIG_NAME name, void *dest)
397 {
398 if (dest == NULL)
399 return ERROR_INTERNAL_FATAL_ERROR;
400
401 switch (name)
402 { // lump all the cases using same types together in one cascade
403 case YR_CONFIG_STACK_SIZE:
404 case YR_CONFIG_MAX_STRINGS_PER_RULE:
405 case YR_CONFIG_MAX_MATCH_DATA:
406 *(uint32_t *) dest = yr_cfgs[name].ui32;
407 break;
408
409 default:
410 return ERROR_INTERNAL_FATAL_ERROR;
411 }
412
413 return ERROR_SUCCESS;
414 }
415