Improved the handling of empty result objects, which was needed for p…

…lugins which compound multiple results. [plugin_strings] For performance reasons and to avoid FPs, only look for lowercase domain names.
JusticeRage · Feb 24, 2020 · 7af37a0 · 7af37a0
1 parent 2009e0c
commit 7af37a0
Show file tree

Hide file tree

Showing 7 changed files with 68 additions and 8 deletions.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -176,5 +176,5 @@ if ("${CMAKE_SYSTEM}" MATCHES "Linux")
             DESTINATION /etc/manalyze)
 
     # Run ldconfig.
-    execute_process(COMMAND ldconfig)
+    install(CODE "execute_process(COMMAND ldconfig)")
 endif()
diff --git a/bin/yara_rules/domains.yara b/bin/yara_rules/domains.yara
@@ -23,12 +23,12 @@ rule Domains_URLs
         author = "Sergey Mineev"
     strings:
         $domain1 = /www\.[a-zA-Z0-9][a-zA-Z0-9-]{1,61}[a-zA-Z0-9]\.[a-zA-Z]{2,}$/
-        $domain2 = /[a-zA-Z0-9\-\.]{5,}\.(com|org|net|de|uk|fr|ru|info|top|xyz|tk|cn|br|jp|it|ir|nl|ca|au|es|ch|gov|edu|se|us)/ nocase fullword
+        $domain2 = /[a-zA-Z0-9\-\.]{5,}\.(com|org|net|de|uk|fr|ru|info|top|xyz|tk|cn|br|jp|it|ir|nl|ca|au|es|ch|gov|edu|se|us)/ fullword
         $domain3 = /(https?|ftp):\/\/[\w\-_]+(\.[\w\-_]+)+([\w\-]*[\w\-])?/
         $domain4 = /(ht|f)tps?\:\/\/[a-zA-Z0-9\-\._]+(\.[a-zA-Z0-9\-\._]+){2,}(\/?)([a-zA-Z0-9\-\.\?\,\'\/\\\+&%\$#_]*)/
         $domain5 = /https?\:\/\/www.[a-zA-Z0-9\-\.]+\.[a-zA-Z]{2,3}/ fullword
-        $domain6 = /[a-zA-Z0-9\-\.]+\.[a-zA-Z0-9\-\.]{5,}\.((com|org|net|de|uk|fr|ru|info|top|xyz|tk|cn|br|jp|it|ir|nl|ca|au|es|ch|gov|edu|se|us))/ fullword nocase
-        $domain7 = /[a-zA-Z0-9\-\.]+\.[a-zA-Z0-9\-\.]+\.[a-zA-Z0-9\-\.]{5,}\.(com|org|net|de|uk|fr|ru|info|top|xyz|tk|cn|br|jp|it|ir|nl|ca|au|es|ch|gov|edu|se|us)/ fullword nocase
+        $domain6 = /[a-zA-Z0-9\-\.]+\.[a-zA-Z0-9\-\.]{5,}\.((com|org|net|de|uk|fr|ru|info|top|xyz|tk|cn|br|jp|it|ir|nl|ca|au|es|ch|gov|edu|se|us))/ fullword
+        $domain7 = /[a-zA-Z0-9\-\.]+\.[a-zA-Z0-9\-\.]+\.[a-zA-Z0-9\-\.]{5,}\.(com|org|net|de|uk|fr|ru|info|top|xyz|tk|cn|br|jp|it|ir|nl|ca|au|es|ch|gov|edu|se|us)/ fullword
     condition:
 		// Calling C++ code in Manalyze takes care of filtering results in the authenticode signature or RT_MANIFEST resource.
 		// This is needed because Yara reports all matching strings if the condition evaluates to "true", even if some of the strings

diff --git a/include/manacommons/output_tree_node.h b/include/manacommons/output_tree_node.h
@@ -251,6 +251,15 @@ class OutputTreeNode
 
 	// ----------------------------------------------------------------------------
 
+	/**
+	 *	@brief	Checks whether the node contains data.
+	 *
+	 *	@return	Whether the node is empty or not.
+	 */
+	DECLSPEC_MANACOMMONS bool is_empty();
+
+	// ----------------------------------------------------------------------------
+
 	/**
 	*	@brief	Find a node in a list of nodes based on its name.
 	*

diff --git a/include/plugin_framework/result.h b/include/plugin_framework/result.h
@@ -105,6 +105,13 @@ class Result
 	 */
 	DECLSPEC_MANACOMMONS void merge(const Result& res);
 
+	/**
+	 *	@brief	Tests if a result contains any data.
+	 *
+	 *	@return	Whether the result is empty or not.
+	 */
+	DECLSPEC_MANACOMMONS bool is_empty();
+
 private:
 	// Constructor is made private, so only IPlugin::make_result() calls it.
 	DECLSPEC_MANACOMMONS Result(const std::string& plugin_name);

diff --git a/manacommons/output_tree_node.cpp b/manacommons/output_tree_node.cpp
@@ -372,4 +372,33 @@ void OutputTreeNode::append(const strings& strs)
 	}
 }
 
+// ----------------------------------------------------------------------------
+
+bool OutputTreeNode::is_empty()
+{
+	switch (_type)
+	{
+		case LIST:
+			return !_list_data || (*_list_data)->empty();
+		case STRING:
+			return !_string_data || (*_string_data)->empty();
+		case STRINGS:
+			return !_strings_data || (*_strings_data)->empty();
+		case UINT16:
+			return !_uint16_data;
+		case UINT32:
+			return !_uint32_data;
+		case UINT64:
+			return !_uint64_data;
+		case DOUBLE:
+			return !_double_data;
+		case FLOAT:
+			return !_float_data;
+		case THREAT_LEVEL:
+			return !_level_data;
+		default:
+			return true;
+	}
+}
+
 } // !namespace io
diff --git a/manacommons/plugin_framework/result.cpp b/manacommons/plugin_framework/result.cpp
@@ -79,6 +79,21 @@ LEVEL Result::get_level() const
 
 // ----------------------------------------------------------------------------
 
+bool Result::is_empty() {
+	if (!_data || _data->is_empty()) {
+		return true;
+	}
+	if (get_summary()) {
+		return false;
+	}
+	if (get_information() && !get_information()->is_empty()) {
+		return false;
+	}
+	return true;
+}
+
+// ----------------------------------------------------------------------------
+
 void Result::set_summary(const std::string& s)
 {
 	io::pNode opt_summary = _data->find_node("summary");

diff --git a/plugins/plugins_yara.cpp b/plugins/plugins_yara.cpp
@@ -358,10 +358,10 @@ class SuspiciousStringsPlugin : public YaraPlugin
 		auto domains = scan(pe, "Interesting strings found in the binary:", NO_OPINION, "description", true, exclude_microsoft_data);
 
 		// If one of the rules didn't return anything, return the output of the other one (which may be empty too).
-		if (!res || !res->get_output()) {
+		if (!res || res->is_empty()) {
 			return domains;
 		}
-		else if (!domains || !domains->get_output()) {
+		else if (!domains || domains->is_empty()) {
 			return res;
 		}
 
@@ -438,10 +438,10 @@ class CryptoCurrencyAddress : public YaraPlugin
 			[] (const mana::PE&, yara::Match::pSingleMatch m) { return hash::test_xmr_address(m->get_str()); });
 
 		// If one of the plugins didn't return anything, return the output of the other one (which may be empty too).
-		if (!btc || !btc->get_output()) {
+		if (!btc || btc->is_empty()) {
 			return monero;
 		}
-		else if (!monero || !monero->get_output()) {
+		else if (!monero || monero->is_empty()) {
 			return btc;
 		}