Removed compiler yara rules generating a lot of false positives.

Replace all header guardians with #pragma once. Slightly altered the summary so it displays exploit mitigation techniques used by the binary. Added more unit tests.
JusticeRage · Jan 18, 2016 · 4fa827f · 4fa827f
1 parent 4696759
commit 4fa827f
Show file tree

Hide file tree

Showing 25 changed files with 309 additions and 142 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -23,7 +23,6 @@ before_script:
 script:
   - make
   - bin/manalyze --version
-  - python bin/yara_rules/update_clamav_signatures.py
   - bin/manalyze-tests
 after_success:
   - coveralls --exclude external/yara --exclude test --gcov gcov-4.8
diff --git a/bin/yara_rules/compilers.yara b/bin/yara_rules/compilers.yara
@@ -229,18 +229,6 @@ condition:
 }
 
 
-rule Free_Pascal_1_06
-{
-meta:
-    description = "Free Pascal 1.06"
-strings:
-    	$a0 = { C6 05 ?? ?? 40 00 ?? E8 ?? ?? 00 00 }
-
-condition:
-    	$a0
-}
-
-
 rule InstallAnywhere_6_1___Zero_G_Software_Inc
 {
 meta:
@@ -999,19 +987,6 @@ condition:
 }
 
 
-rule MASM_TASM___sig4__h_
-{
-meta:
-    description = "MASM/TASM - sig4 (h)"
-strings:
-    	$a0 = { FF 25 ?? ?? ?? 00 FF 25 ?? ?? ?? 00 FF 25 ?? ?? ?? 00 FF 25 ?? ?? ?? 00 FF 25 ?? ?? ?? 00 FF 25 ?? ?? ?? 00 FF 25 ?? ?? ?? 00 FF 25 ?? ?? ?? 00 FF 25 ?? ?? ?? 00 FF 25 ?? ?? ?? 00 FF 25 ?? ?? ?? 00 }
-	$a1 = { C3 FF 25 ?? ?? ?? 00 FF 25 ?? ?? ?? 00 FF 25 ?? ?? ?? 00 FF 25 ?? ?? ?? 00 FF 25 ?? ?? ?? 00 FF 25 ?? ?? ?? 00 FF 25 ?? ?? ?? 00 FF 25 ?? ?? ?? 00 FF 25 ?? ?? ?? 00 FF 25 ?? ?? ?? 00 FF 25 ?? ?? ?? 00 }
-
-condition:
-    	$a0 or $a1
-}
-
-
 rule Microsoft_Visual_C___6_0_DLL__Debug_
 {
 meta:
@@ -2427,18 +2402,6 @@ condition:
 }
 
 
-rule Free_Pascal_v1_06
-{
-meta:
-    description = "Free Pascal v1.06"
-strings:
-    	$a0 = { C6 05 ?? ?? 40 00 ?? E8 ?? ?? 00 00 }
-
-condition:
-    	$a0
-}
-
-
 rule Microsoft_C
 {
 meta:

diff --git a/docs/before-contributing.rst b/docs/before-contributing.rst
@@ -42,7 +42,7 @@ All code contributions should make every effort to match Manalyze's coding style
 * Code structure
     * All your code should reside in a meaningful namespace.
     * Declare class and functions in header (".h") files.
-    * Protect header files against multiple inclusions.
+    * Protect header files against multiple inclusions with ``#pragma once``.
     * Inclusion of system headers should precede inclusion of user-defined headers. Boost headers are considered system headers.
     * Put function implementations in .cpp files.
     * Function declarations must be documented following the `Doxygen <https://www.stack.nl/~dimitri/doxygen/manual/docblocks.html>`_ convention. 

diff --git a/include/config_parser.h b/include/config_parser.h
@@ -15,8 +15,7 @@
     along with Manalyze.  If not, see <http://www.gnu.org/licenses/>.
 */
 
-#ifndef _CONFIG_PARSER_H_
-#define _CONFIG_PARSER_H_
+#pragma once
 
 #include <string>
 #include <map>
@@ -49,5 +48,3 @@ typedef std::map<std::string, std::map<std::string, std::string> > config;
  *	@return	The parsed data.
  */
 config parse_config(const std::string& config_file);
-
-#endif // !_CONFIG_PARSER_H_
diff --git a/include/dump.h b/include/dump.h
@@ -15,8 +15,7 @@ You should have received a copy of the GNU General Public License
 along with Manalyze.  If not, see <http://www.gnu.org/licenses/>.
 */
 
-#ifndef _DUMP_H_
-#define _DUMP_H_
+#pragma once
 
 #include <set>
 #include <vector>
@@ -46,5 +45,3 @@ void dump_summary(const mana::PE& pe, io::OutputFormatter& formatter);
 void dump_hashes(const mana::PE& pe, io::OutputFormatter& formatter);
 
 } // !namespace sg
-
-#endif // !_DUMP_H_
diff --git a/include/manacommons/color.h b/include/manacommons/color.h
@@ -15,8 +15,7 @@
     along with Manalyze.  If not, see <http://www.gnu.org/licenses/>.
 */
 
-#ifndef _COLOR_H_
-#define _COLOR_H_
+#pragma once
 
 #include <iostream>
 #include <string>
@@ -84,5 +83,3 @@ void set_color(Color c);
 #endif
 
 } //namespace utils
-
-#endif // !_COLOR_H_
diff --git a/include/manacommons/output_tree_node.h b/include/manacommons/output_tree_node.h
@@ -15,8 +15,7 @@ You should have received a copy of the GNU General Public License
 along with Manalyze.  If not, see <http://www.gnu.org/licenses/>.
 */
 
-#ifndef _OUTPUT_TREE_NODE_
-#define _OUTPUT_TREE_NODE_
+#pragma once
 
 #include <vector>
 #include <string>
@@ -292,5 +291,3 @@ typedef boost::shared_ptr<nodes> pNodes;
 DECLSPEC_MANACOMMONS unsigned int determine_max_width(pNode node);
 
 } // !namespace io
-
-#endif // !_OUTPUT_TREE_NODE_
diff --git a/include/manape/imports.h b/include/manape/imports.h
@@ -15,8 +15,7 @@
     along with Manalyze.  If not, see <http://www.gnu.org/licenses/>.
 */
 
-#ifndef _IMPORTS_H_
-#define _IMPORTS_H_
+#pragma once
 
 #include <string>
 #include <algorithm>
@@ -42,5 +41,3 @@ namespace hash {
 DECLSPEC pString hash_imports(const mana::PE& pe);
 
 } //namespace hash
-
-#endif
diff --git a/include/manape/nt_values.h b/include/manape/nt_values.h
@@ -15,8 +15,7 @@
     along with Manalyze.  If not, see <http://www.gnu.org/licenses/>.
 */
 
-#ifndef  _NT_VALUES_H_
-# define _NT_VALUES_H_
+#pragma once
 
 #include <string>
 #include <map>
@@ -106,5 +105,3 @@ DECLSPEC const_shared_strings translate_to_flags(int value, const flag_dict& dic
 DECLSPEC pString translate_to_flag(int value, const flag_dict& dict);
 
 } // !namespace nt
-
-#endif
diff --git a/include/manape/pe.h b/include/manape/pe.h
@@ -15,8 +15,7 @@
     along with Manalyze.  If not, see <http://www.gnu.org/licenses/>.
 */
 
-#ifndef _PE_H_
-#define _PE_H_
+#pragma once
 
 #include <stdio.h>
 #include <string.h>
@@ -406,5 +405,3 @@ class PE
 
 
 } /* !namespace sg */
-
-#endif /* !_PE_H_ */
diff --git a/include/manape/pe_structs.h b/include/manape/pe_structs.h
@@ -15,8 +15,7 @@
     along with Manalyze.  If not, see <http://www.gnu.org/licenses/>.
 */
 
-#ifndef _PE_STRUCTS_H_
-#define _PE_STRUCTS_H_
+#pragma once
 
 #include <vector>
 #include <string>
@@ -358,5 +357,3 @@ typedef struct win_certificate_t
 typedef boost::shared_ptr<win_certificate> pwin_certificate;
 
 } // !namespace sg
-
-#endif // !_PE_STRUCTS_H_
diff --git a/include/manape/resources.h b/include/manape/resources.h
@@ -15,8 +15,7 @@
     along with Manalyze.  If not, see <http://www.gnu.org/licenses/>.
 */
 
-#ifndef _RESOURCES_H_
-#define _RESOURCES_H_
+#pragma once
 
 #include <string>
 #include <vector>
@@ -178,5 +177,3 @@ std::vector<boost::uint8_t> reconstruct_icon(pgroup_icon_directory directory, co
 bool parse_version_info_header(vs_version_info_header& header, FILE* f);
 
 } // !namespace sg
-
-#endif // !_RESOURCES_H_
diff --git a/include/manape/section.h b/include/manape/section.h
@@ -15,8 +15,7 @@
     along with Manalyze.  If not, see <http://www.gnu.org/licenses/>.
 */
 
-#ifndef _SECTION_H_
-#define _SECTION_H_
+#pragma once
 
 #include <stdio.h>
 #include <boost/make_shared.hpp>
@@ -127,5 +126,3 @@ bool DECLSPEC is_address_in_section(boost::uint64_t rva, mana::pSection section,
 mana::pSection DECLSPEC find_section(unsigned int rva, const std::vector<mana::pSection>& section_list);
 
 } // !namespace sg
-
-#endif // !_SECTION_H_
diff --git a/include/manape/utils.h b/include/manape/utils.h
@@ -15,10 +15,7 @@
     along with Manalyze.  If not, see <http://www.gnu.org/licenses/>.
 */
 
-#ifndef _UTILS_H_
-#define _UTILS_H_
-
-#define BOOST_SPIRIT_USE_PHOENIX_V3
+#pragma once
 
 #include <stdio.h>
 #include <stdlib.h>
@@ -116,5 +113,3 @@ bool read_string_at_offset(FILE* f, unsigned int offset, std::string& out, bool
 double DECLSPEC shannon_entropy(const std::vector<boost::uint8_t>& bytes);
 
 }
-
-#endif
diff --git a/include/output_formatter.h b/include/output_formatter.h
@@ -15,8 +15,7 @@ You should have received a copy of the GNU General Public License
 along with Manalyze.  If not, see <http://www.gnu.org/licenses/>.
 */
 
-#ifndef _OUTPUT_FORMATTER_H_
-#define _OUTPUT_FORMATTER_H_
+#pragma once
 
 #include <sstream>
 #include <ostream>
@@ -249,5 +248,3 @@ std::string timestamp_to_string(boost::uint64_t epoch_timestamp);
 std::string escape(const std::string& s);
 
 } // !namespace io
-
-#endif // !_OUTPUT_FORMATTER_H_
diff --git a/include/plugin_framework/auto_register.h b/include/plugin_framework/auto_register.h
@@ -15,8 +15,7 @@
     along with Manalyze.  If not, see <http://www.gnu.org/licenses/>.
 */
 
-#ifndef _AUTO_REGISTER_H_
-#define _AUTO_REGISTER_H_
+#pragma once
 
 #include "plugin_manager.h"
 #include "plugin.h"
@@ -45,5 +44,3 @@ class AutoRegister
 };
 
 } // !namespace plugin
-
-#endif // !_AUTO_REGISTER_H_
diff --git a/include/plugin_framework/dynamic_library.h b/include/plugin_framework/dynamic_library.h
@@ -15,8 +15,7 @@
     along with Manalyze.  If not, see <http://www.gnu.org/licenses/>.
 */
 
-#ifndef _DYNAMIC_LIBRARY_H_
-#define _DYNAMIC_LIBRARY_H_
+#pragma once
 
 #include <string>
 #include <sstream>
@@ -81,5 +80,3 @@ class SharedLibrary
 typedef boost::shared_ptr<SharedLibrary> pSharedLibrary;
 
 } //!namespace plugin
-
-#endif // ! _DYNAMIC_LIBRARY_H_
diff --git a/include/plugin_framework/plugin.h b/include/plugin_framework/plugin.h
@@ -15,8 +15,7 @@
     along with Manalyze.  If not, see <http://www.gnu.org/licenses/>.
 */
 
-#ifndef _PLUGIN_H_
-#define _PLUGIN_H_
+#pragma once
 
 #include "plugin_interface.h"
 
@@ -94,5 +93,3 @@ class StaticPlugin : public Plugin
 };
 
 } // !namespace plugin
-
-#endif // !_PLUGIN_H_
diff --git a/include/plugin_framework/plugin_interface.h b/include/plugin_framework/plugin_interface.h
@@ -15,8 +15,7 @@
     along with Manalyze.  If not, see <http://www.gnu.org/licenses/>.
 */
 
-#ifndef _PLUGIN_INTERFACE_H_
-#define _PLUGIN_INTERFACE_H_
+#pragma once
 
 #include <string>
 #include <map>
@@ -102,5 +101,3 @@ class IPlugin
 typedef boost::shared_ptr<IPlugin> pIPlugin;
 
 } // !namespace plugin
-
-#endif // !_PLUGIN_INTERFACE_H_
diff --git a/include/plugin_framework/plugin_manager.h b/include/plugin_framework/plugin_manager.h
@@ -15,8 +15,7 @@
     along with Manalyze.  If not, see <http://www.gnu.org/licenses/>.
 */
 
-#ifndef _PLUGIN_MANAGER_H_
-#define _PLUGIN_MANAGER_H_
+#pragma once
 
 #include <vector>
 #include <iostream>
@@ -174,5 +173,3 @@ class PluginManager
 bool name_matches(const std::string& s, pIPlugin p);
 
 } // !namespace plugin
-
-#endif // !_PLUGIN_MANAGER_H_
diff --git a/include/plugin_framework/result.h b/include/plugin_framework/result.h
@@ -15,8 +15,7 @@
     along with Manalyze.  If not, see <http://www.gnu.org/licenses/>.
 */
 
-#ifndef _RESULT_H_
-#define _RESULT_H_
+#pragma once
 
 #include <vector>
 #include <string>
@@ -123,5 +122,3 @@ template<>
 	DECLSPEC_MANACOMMONS void Result::add_information(io::pNode node);
 
 } // !namespace plugin
-
-#endif // !_RESULT_H_
diff --git a/include/plugin_framework/threat_level.h b/include/plugin_framework/threat_level.h
@@ -15,13 +15,11 @@ You should have received a copy of the GNU General Public License
 along with Manalyze.  If not, see <http://www.gnu.org/licenses/>.
 */
 
-#ifndef _THREAT_LEVEL_H_
-#define _THREAT_LEVEL_H_
+#pragma once
 
 namespace plugin {
 
 enum LEVEL { SAFE, NO_OPINION, SUSPICIOUS, MALICIOUS };
 
 }
 
-#endif // !_THREAT_LEVEL_H_
diff --git a/manape/imports.cpp b/manape/imports.cpp
@@ -216,7 +216,7 @@ std::vector<pimage_library_descriptor> PE::_find_imported_dlls(const std::string
 // ----------------------------------------------------------------------------
 
 const_shared_strings PE::find_imports(const std::string& function_name_regexp,
-					  const std::string& dll_name_regexp) const
+									  const std::string& dll_name_regexp) const
 {
 	auto destination = boost::make_shared<std::vector<std::string> >();
 	if (!_initialized) {