Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Callback on include #727

Closed
wants to merge 14 commits into from
Closed

Callback on include #727

Show file tree
Hide file tree
Changes from 7 commits
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
23be010
Full structure implemented, callback available. TODO: actually use th…
edhoedt Aug 24, 2017
c985465
Importing files via external callback fully implemented and working
edhoedt Aug 27, 2017
45513f0
Merge branch 'master' of https://github.com/VirusTotal/yara into call…
edhoedt Aug 27, 2017
4a3c839
Removing useless comments
edhoedt Aug 27, 2017
99391a3
Adding documentation
edhoedt Aug 28, 2017
df2c1df
Updating doc for include callbacks
edhoedt Aug 28, 2017
dc2d3fa
Fixing compiler_set_include_callback's signature
edhoedt Aug 28, 2017
e98f434
Fixing issues according to @plusvic 's advice
edhoedt Aug 31, 2017
92877db
* fixing memory management issues in callbacks
edhoedt Sep 5, 2017
aeaf59a
fixing missing pointer cast
edhoedt Sep 5, 2017
3fd1434
re-generating lexer.c
edhoedt Sep 5, 2017
b8fe347
removing imports ununsed since commit 92877db48e408126ce0631b85c03d47…
edhoedt Sep 6, 2017
d084696
fixing default file read callback
edhoedt Sep 7, 2017
0b86464
Fixing line numbers in errors
edhoedt Sep 11, 2017
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
27 changes: 27 additions & 0 deletions docs/capi.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -63,6 +63,27 @@ contains the file name and line number where the error or warning occurs.
you're using :c:func:`yr_compiler_add_string`. The ``user_data`` pointer is the
same you passed to :c:func:`yr_compiler_set_callback`.

By default, for rules containing references to other files
(``include "filename.yara"``), yara will try to find those files on disk.
However, if you want to fetch the imported rules from another source (eg: from a
database or remote service), a callback function can be set with
:c:func:`yr_compiler_set_include_callback`.
The callback receives the following parameters:
*``include_name``: name of the requested file.
*``calling_rule_filename``: the requesting file name (NULL if not a file).
*``calling_rule_namespace``: namespace (NULL if undefined).
And should return the requested file as a string.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's no mention to who's responsible for freeing the memory pointed to by the callback's result. I assume that the external code is responsible for doing that, but it's probably a good idea to clearly state it in the documentation.


The callback function has the following prototype:

.. code-block:: c

const char* include_callback(
const char* include_name,
const char* calling_rule_filename,
const char* calling_rule_namespace,
void* user_data);

After you successfully added some sources you can get the compiled rules
using the :c:func:`yr_compiler_get_rules()` function. You'll get a pointer to
a :c:type:`YR_RULES` structure which can be used to scan your data as
Expand Down Expand Up @@ -402,6 +423,12 @@ Functions
pointer is passed to the callback function.


.. c:function:: void yr_compiler_set_include_callback(YR_COMPILER* compiler, YR_COMPILER_INCLUDE_CALLBACK_FUNC callback, void* user_data)

Set a callback to provide rules from a custom source when ``include`` directive
is invoked. The *user_data* pointer is passed to the callback function.


.. c:function:: int yr_compiler_add_file(YR_COMPILER* compiler, FILE* file, const char* namespace, const char* file_name)

Compile rules from a *file*. Rules are put into the specified *namespace*,
Expand Down
30 changes: 30 additions & 0 deletions docs/yarapython.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -74,6 +74,36 @@ should be accepted in the source files, for example:
If the source file contains include directives the previous line would raise
an exception.

If includes are used, a python callback can be set to define a custom source for
the imported files (by default they are read from disk). This callback function
is set through the ``include_callback`` optional parameter.
It receives the following parameters:
*``requested_filename``: file requested with 'include'
*``filename``: file containing the 'include' directive if applicable, else None
*``namespace``: namespace
And returns the requested rules sources as a single string.

.. code-block:: python
import yara
import sys
if sys.version_info >= (3, 0):
import urllib.request as urllib
else:
import urllib as urllib

def mycallback(requested_filename, filename, namespace):
if requested_filename == 'req.yara':
uf = urllib.urlopen('https://pastebin.com/raw/siZ2sMTM')
sources = uf.read()
if sys.version_info >= (3, 0):
sources = str(sources, 'utf-8')
return sources
else:
raise Exception(filename+": Can't fetch "+requested_filename)

rules = yara.compile(source='include "req.yara" rule r{ condition: true }',
include_callback=mycallback)

If you are using external variables in your rules you must define those
external variables either while compiling the rules, or while applying the
rules to some file. To define your variables at the moment of compilation you
Expand Down
11 changes: 11 additions & 0 deletions libyara/compiler.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,7 @@ YR_API int yr_compiler_create(

new_compiler->errors = 0;
new_compiler->callback = NULL;
new_compiler->include_callback = NULL;
new_compiler->last_error = ERROR_SUCCESS;
new_compiler->last_error_line = 0;
new_compiler->current_line = 0;
Expand Down Expand Up @@ -182,6 +183,16 @@ YR_API void yr_compiler_set_callback(
}


YR_API void yr_compiler_set_include_callback(
YR_COMPILER* compiler,
YR_COMPILER_INCLUDE_CALLBACK_FUNC include_callback,
void* user_data)
{
compiler->include_callback = include_callback;
compiler->user_data = user_data;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

compiler->user_data is being used by the error callback set with yr_compiler_set_callback, you shouldn't modify its value because both callbacks could be used at the same time.

}


int _yr_compiler_push_file(
YR_COMPILER* compiler,
FILE* fh)
Expand Down
14 changes: 14 additions & 0 deletions libyara/include/yara/compiler.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -52,6 +52,13 @@ typedef void (*YR_COMPILER_CALLBACK_FUNC)(
void* user_data);


typedef const char* (*YR_COMPILER_INCLUDE_CALLBACK_FUNC)(
const char* include_name,
const char* calling_rule_filename,
const char* calling_rule_namespace,
void* user_data);


typedef struct _YR_FIXUP
{
void* address;
Expand Down Expand Up @@ -116,6 +123,7 @@ typedef struct _YR_COMPILER
void* user_data;

YR_COMPILER_CALLBACK_FUNC callback;
YR_COMPILER_INCLUDE_CALLBACK_FUNC include_callback;

} YR_COMPILER;

Expand Down Expand Up @@ -166,6 +174,12 @@ YR_API void yr_compiler_set_callback(
void* user_data);


YR_API void yr_compiler_set_include_callback(
YR_COMPILER* compiler,
YR_COMPILER_INCLUDE_CALLBACK_FUNC include_callback,
void* user_data);


YR_API int yr_compiler_add_file(
YR_COMPILER* compiler,
FILE* rules_file,
Expand Down