From e8a6c8e8f37f6639535e127b81e69b107ee96ee7 Mon Sep 17 00:00:00 2001
From: Max Altgelt
Date: Thu, 29 Feb 2024 10:11:04 +0100
Subject: [PATCH 1/2] feat: support new callback for slow rules
---
 rules_callback.go | 13 +++++++++++++
 rules_test.go | 36 ++++++++++++++++++++++++++++--------
 2 files changed, 41 insertions(+), 8 deletions(-)
diff --git a/rules_callback.go b/rules_callback.go
index 8e3cfab..6c23d4a 100644
--- a/rules_callback.go
+++ b/rules_callback.go
@@ -81,6 +81,10 @@ type ScanCallbackTooManyMatches interface {
 TooManyMatches(*ScanContext, *Rule, string) (bool, error)
 }
+type ScanCallbackTooSlowScanning interface {
+ TooSlowScanning(*ScanContext, *Rule, string) (bool, error)
+}
+
 // scanCallbackContainer is used by to pass a ScanCallback (and
 // associated data) between ScanXxx methods and scanCallbackFunc(). It
 // stores the public callback interface and a list of malloc()'d C
@@ -167,6 +171,15 @@ func scanCallbackFunc(ctx *C.YR_SCAN_CONTEXT, message C.int, messageData, userDa
 }
 abort, err = c.TooManyMatches(s, rule, yrString.Identifier())
 }
+ case C.CALLBACK_MSG_TOO_SLOW_SCANNING:
+ if c, ok := cbc.ScanCallback.(ScanCallbackTooSlowScanning); ok {
+ yrString := String{(*C.YR_STRING)(messageData), cbc.rules}
+ rule := &Rule{
+ cptr: C.find_rule(cbc.rules.cptr, yrString.cptr.rule_idx),
+ owner: cbc.rules,
+ }
+ abort, err = c.TooSlowScanning(s, rule, yrString.Identifier())
+ }
 }
 if err != nil {
diff --git a/rules_test.go b/rules_test.go
index 6c649ed..c1ba6f6 100644
--- a/rules_test.go
+++ b/rules_test.go
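Review bot: The new exported interface `ScanCallbackTooSlowScanning` in the first hunk carries no doc comment, so a user of the package cannot tell from godoc when TooSlowScanning is invoked or what its two results mean. Suggested: `// ScanCallbackTooSlowScanning is used to implement ScanCallback objects that want to be notified when libyara reports CALLBACK_MSG_TOO_SLOW_SCANNING for a string. TooSlowScanning receives the owning rule and the string identifier and, like TooManyMatches, returns (abort, error).` The comment should also state whether returning abort=true stops the whole scan, since that is the lever a caller uses to bound scan time on a pathological rule; scanCallbackFunc's handling of the returned value is outside this hunk, so confirm it before documenting it.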
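Review bot: The new CALLBACK_MSG_TOO_SLOW_SCANNING case in the second hunk repeats the YR_STRING and Rule construction of the TooManyMatches case above it line for line; a small helper resolving (rule, identifier) from messageData would keep the two branches in step the next time the lookup changes. This case also relies on C.CALLBACK_MSG_TOO_SLOW_SCANNING being defined in the yara.h the build links against, while the guard the second patch adds to cgo.go only requires YARA 4.4 even though the workflow now builds 4.5.0; if the constant first appears in 4.5 (worth confirming against the YARA changelog), the guard should read `#if YR_VERSION_HEX < 0x040500` so a build against 4.4 stops at the explicit #error instead of an undefined cgo symbol. When the ScanCallback does not implement the optional interface the message is silently ignored and the scan continues, which mirrors the TooManyMatches case but deserves a one-line comment. scanCallbackFunc begins and ends outside the hunk, and the parameter types in the sketch below mirror the ones the cast in this hunk implies.
```go
// stringAndRule resolves the YR_STRING behind messageData and the Rule that owns it,
// shared by the TOO_MANY_MATCHES and TOO_SLOW_SCANNING cases.
func stringAndRule(cbc *scanCallbackContainer, messageData unsafe.Pointer) (*Rule, string) {
	yrString := String{(*C.YR_STRING)(messageData), cbc.rules}
	rule := &Rule{
		cptr:  C.find_rule(cbc.rules.cptr, yrString.cptr.rule_idx),
		owner: cbc.rules,
	}
	return rule, yrString.Identifier()
}

// … unchanged: earlier cases of the message switch …
	case C.CALLBACK_MSG_TOO_SLOW_SCANNING:
		if c, ok := cbc.ScanCallback.(ScanCallbackTooSlowScanning); ok {
			rule, id := stringAndRule(cbc, messageData)
			abort, err = c.TooSlowScanning(s, rule, id)
		}
```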
@@ -243,13 +243,14 @@ func TestRule(t *testing.T) {
 }
 type testCallback struct {
- t *testing.T
- finished bool
- modules map[string]struct{}
- matched map[string]struct{}
- notMatched map[string]struct{}
- logged []string
- tooManyMatches []string
+ t *testing.T
+ finished bool
+ modules map[string]struct{}
+ matched map[string]struct{}
+ notMatched map[string]struct{}
+ logged []string
+ tooManyMatches []string
+ tooSlowScanning []string
 }
 func newTestCallback(t *testing.T) *testCallback {
@@ -260,6 +261,7 @@ func newTestCallback(t *testing.T) *testCallback {
 make(map[string]struct{}),
 nil,
 nil,
+ nil,
 }
 }
@@ -294,7 +296,11 @@ func (c *testCallback) ConsoleLog(_ *ScanContext, s string) {
 c.logged = append(c.logged, s)
 }
 func (c *testCallback) TooManyMatches(_ *ScanContext, r *Rule, s string) (bool, error) {
- c.tooManyMatches = append(c.logged, fmt.Sprintf("%s:%s", r.Identifier(), s))
+ c.tooManyMatches = append(c.tooManyMatches, fmt.Sprintf("%s:%s", r.Identifier(), s))
+ return false, nil
+}
+func (c *testCallback) TooSlowScanning(_ *ScanContext, r *Rule, s string) (bool, error) {
+ c.tooSlowScanning = append(c.tooSlowScanning, fmt.Sprintf("%s:%s", r.Identifier(), s))
 return false, nil
 }
@@ -378,3 +384,17 @@ func TestXorKey(t *testing.T) {
 t.Fatalf("expected xor key 0x10, got 0x%x", m[0].Strings[0].XorKey)
 }
 }
+
+func TestTooSlowScanning(t *testing.T) {
+ cb := newTestCallback(t)
+ r := makeRules(t, `
+ rule t { strings: $s1 = /[^\x00]/ condition: any of them }
+ `)
+
+ if err := r.ScanMem(make([]byte, 8000000), 0, 0, cb); err != nil {
+ t.Error(err)
+ }
+ if len(cb.tooSlowScanning) != 1 || cb.tooSlowScanning[0] != "t:$s1" {
+ t.Errorf("too slow scanning does not contain bad regex: %v", cb.tooManyMatches)
+ }
+}
From 9e6eb713f5ca7c006006cc351ecf5fa7d9316193 Mon Sep 17 00:00:00 2001
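Review bot: newTestCallback fills testCallback with a positional composite literal, so every new field forces another bare `nil` at exactly the right position (this hunk's only change) and a swap of two same-typed fields in the struct would go unnoticed. Keyed fields, e.g. `modules: make(map[string]struct{})` for each map field and nothing for the slice fields, let tooManyMatches and tooSlowScanning take their nil zero value and leave the literal untouched by future field additions. The function's opening lines are outside the hunk.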
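Review bot: The failure message in TestTooSlowScanning prints the wrong slice: the condition inspects `cb.tooSlowScanning` but the `t.Errorf` call formats `cb.tooManyMatches`, so a failing run reports an empty or unrelated list. Change it to `t.Errorf("too slow scanning does not contain bad regex: %v", cb.tooSlowScanning)`. The test also depends on libyara's slow-scanning heuristic firing on an 8000000-byte zero-filled buffer with the `/[^\x00]/` pattern, which presumably varies with the linked YARA version and its thresholds; a comment naming the YARA version whose behaviour the test assumes would help whoever first sees it fail. Because the test callback returns `false, nil`, the test shows that the notification arrives but not that returning true actually cuts the scan short, which is the behaviour a caller relies on to bound scan time on a pathological rule; a second case asserting that ScanMem returns early when the callback aborts would cover it.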
From: Max Altgelt
Date: Thu, 29 Feb 2024 10:12:46 +0100
Subject: [PATCH 2/2] chore: bump required YARA version
---
 .github/workflows/buildtest.yml | 2 +-
 cgo.go | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/buildtest.yml b/.github/workflows/buildtest.yml
index c4f2ac0..b5a8dd3 100644
--- a/.github/workflows/buildtest.yml
+++ b/.github/workflows/buildtest.yml
@@ -28,7 +28,7 @@ jobs:
 - name: Build YARA from source
 run: |
- YARA_VERSION=4.3.0
+ YARA_VERSION=4.5.0
 wget --no-verbose -O- https://github.com/VirusTotal/yara/archive/v${YARA_VERSION}.tar.gz | tar -C .. -xzf -
 ( cd ../yara-${YARA_VERSION} && ./bootstrap.sh )
 mkdir -p ../yara-build
diff --git a/cgo.go b/cgo.go
index 1d2a0bc..2a24e46 100644
--- a/cgo.go
+++ b/cgo.go
@@ -11,8 +11,8 @@ package yara
 // #cgo yara_no_pkg_config LDFLAGS: -lyara -lm
 /*
 #include
-#if YR_VERSION_HEX < 0x040300
-#error YARA version 4.3 required
+#if YR_VERSION_HEX < 0x040400
+#error YARA version 4.4 required
 #endif
 */
 import "C"