

Cache regex compilation
stevemk14ebr committed Oct 9, 2023
1 parent 9a35d65 commit 532f64c
Showing 3 changed files with 56 additions and 20 deletions.
6 changes: 6 additions & 0 deletions debug/elf/file.go
Expand Up @@ -689,6 +689,10 @@ func getString(section []byte, start int) (string, bool) {
}

func (f *File) DataAfterSection(target *Section) []byte {
if cached, ok := f.dataAfterSectionCache[uint64(target.Addr)]; ok {
return cached
}

data := []byte{}
found := false
for _, s := range f.Sections {
Expand All @@ -707,6 +711,8 @@ func (f *File) DataAfterSection(target *Section) []byte {
}
}
}

f.dataAfterSectionCache[uint64(target.Addr)] = data
return data
}

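Review bot: The cache key `uint64(target.Addr)` at the top of DataAfterSection is not unique per section: in ELF every section that is not part of the memory image (.symtab, .strtab, .comment, .debug_*) carries sh_addr 0, so once one of them has been looked up every later one returns the first one's cached slice, and a crafted binary can give allocated sections duplicate addresses as well. Key the cache by the section itself, e.g. `map[*Section][]byte` with `f.dataAfterSectionCache[target]`, or by its index in f.Sections. Nothing in this commit initialises `dataAfterSectionCache`; if the map is not made wherever File is constructed, the store on the last added line panics on a nil map. The returned slice also aliases the cache entry, so a caller that mutates the result corrupts subsequent lookups. The loop body between the two hunks is not shown here.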
5 changes: 5 additions & 0 deletions debug/pe/file.go
Expand Up @@ -213,6 +213,10 @@ func (f *File) Section(name string) *Section {
}

func (f *File) DataAfterSection(target *Section) []byte {
if cached, ok := f.dataAfterSectionCache[uint64(target.VirtualAddress)]; ok {
return cached
}

data := []byte{}
found := false
for _, s := range f.Sections {
Expand All @@ -231,6 +235,7 @@ func (f *File) DataAfterSection(target *Section) []byte {
}
}
}
f.dataAfterSectionCache[uint64(target.VirtualAddress)] = data
return data
}

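Review bot: Using `target.VirtualAddress` as the cache key assumes section RVAs are distinct, which a malformed or packed PE need not honour: two section headers with the same (or a zero) VirtualAddress would make the lookup at the top of DataAfterSection hand back the slice computed for a different section. Keying by the `*Section` pointer (`f.dataAfterSectionCache[target]`) or by the index into f.Sections removes the collision. As with the ELF counterpart, the map must be allocated where File is built — this commit adds no such initialisation, so a nil map would panic on the store before `return data`. The slice handed back is the cache entry itself; callers must treat it as read-only or the cache will be silently corrupted. The middle of the function lies outside the shown hunks.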
65 changes: 45 additions & 20 deletions objfile/scanner.go
Expand Up @@ -6,28 +6,33 @@ type signatureModuleDataInitx64 struct {
moduleDataPtrLoc uint64 // offset in signature to the location of the pointer to the PCHeader
moduleDataPtrOffsetLoc uint64 // Ptr is a relative ptr, we need to include the instruction length + next instruction IP to resolve final VA
signature string
compiledRegex *RegexAndNeedle
}

type signatureModuleDataInitx86 struct {
moduleDataPtrLoc uint64 // offset in signature to the location of the pointer to the PCHeader (ptr is absolute addr)
signature string
compiledRegex *RegexAndNeedle
}

type signatureModuleDataInitPPC struct {
moduleDataPtrHi uint64
moduleDataPtrLo uint64
signature string
compiledRegex *RegexAndNeedle
}

type signatureModuleDataInitARM64 struct {
moduleDataPtrADRP uint64 // offset to ADRP instruction holding PAGE address
moduleDataPtrADD uint64 // offset to ADD instruction holding PAGE offset
signature string
compiledRegex *RegexAndNeedle
}

type signatureModuleDataInitARM32 struct {
moduleDataPtrLDR uint64 // offset to LDR instruction holding pc relative imm offset to PCHeader
signature string
compiledRegex *RegexAndNeedle
}

type SignatureMatch struct {
Expand All @@ -38,7 +43,7 @@ type SignatureMatch struct {
// 0x000000000044D811: EB 0D jmp short loc_44D820
// 0x000000000044D813: 48 8B 89 30 02 00 00 mov rcx, [rcx+230h]
// 0x000000000044D81A: 66 0F 1F 44 00 00 nop word ptr [rax+rax+00h] <- always seems to be present
var x64sig = signatureModuleDataInitx64{3, 7, `{ 48 8D 0? ?? ?? ?? ?? EB ?? 48 8? 8? ?? 02 00 00 66 0F 1F 44 00 00 }`}
var x64sig = signatureModuleDataInitx64{3, 7, `{ 48 8D 0? ?? ?? ?? ?? EB ?? 48 8? 8? ?? 02 00 00 66 0F 1F 44 00 00 }`, nil}

// 0x00438A94: 8D 05 60 49 6A 00 lea eax, off_6A4960
// 0x00438A9A: EB 1A jmp short loc_438AB6
Expand All @@ -49,15 +54,15 @@ var x64sig = signatureModuleDataInitx64{3, 7, `{ 48 8D 0? ?? ?? ?? ?? EB ?? 48 8
// 0x00438AB6: loc_438AB6: ; CODE XREF: sub_438A60+3A↑j
// 0x00438AB6: 85 C0 test eax, eax
// 0x00438AB8: 75 E2 jnz short loc_438A9C
var x86sig = signatureModuleDataInitx86{2, `{ 8D ?? ?? ?? ?? ?? EB ?? [0-50] 8B ?? ?? 01 00 00 8B ?? ?? ?? 85 ?? 75 ?? }`}
var x86sig = signatureModuleDataInitx86{2, `{ 8D ?? ?? ?? ?? ?? EB ?? [0-50] 8B ?? ?? 01 00 00 8B ?? ?? ?? 85 ?? 75 ?? }`, nil}

// 0x0000000000061a74: 3C 80 00 2C lis r4, 0x2c // moduledata
// 0x0000000000061a78: 38 84 80 00 addi r4, r4, 0x8000 // moduledata ((0x2c << 16) - 0x8000)
// 0x0000000000061a7c: 48 00 00 08 b 0x61a84
// 0x0000000000061a80: E8 84 02 30 ld r4, 0x230(r4)
// 0x0000000000061a84: 7C 24 00 00 cmpd r4, r0
// 0x0000000000061a88: 41 82 01 A8 beq 0x61c30
var PPC_BE_sig = signatureModuleDataInitPPC{2, 6, `{ 3? 80 00 ?? 3? ?? ?? ?? 48 ?? ?? ?? E? ?? 02 ?? 7C ?? ?? ?? 41 82 ?? ?? }`}
var PPC_BE_sig = signatureModuleDataInitPPC{2, 6, `{ 3? 80 00 ?? 3? ?? ?? ?? 48 ?? ?? ?? E? ?? 02 ?? 7C ?? ?? ?? 41 82 ?? ?? }`, nil}

// 0x000000000005C1E8 41 14 00 F0 ADRP X1, #unk_2E7000 // 0xF0001441 -> 0b1 11 10000 0000000000010100010 00001 -> op=1, immlo=0b11, immhi=0b0000000000010100010
// ........................................................................ // X1 = ((0b0000000000010100010 11 << 12) + 0x5C1E8) = 0b1011100111000111101000 = 0b1011100111000111101000 & 0xFFFFFFFFFFFFF000 = 0x2E7000
Expand All @@ -67,21 +72,25 @@ var PPC_BE_sig = signatureModuleDataInitPPC{2, 6, `{ 3? 80 00 ?? 3? ?? ?? ?? 48
// 0x000000000005C1F4 21 18 41 F9 LDR X1, [X1,#0x230]
// 0x000000000005C1F8 21 0D 00 B4 CBZ X1, loc_5C39C 0xb4000d21
// THIS SIG ENCODES the 0x230 struct field offset - might need to mask that more if we see misses - TODO
var ARM64_sig = signatureModuleDataInitARM64{0, 4, `{ ?? ?? ?? (90 | b0 | f0 | d0) ?? ?? ?? 91 ?? ?? ?? (14 | 17) ?? ?? 41 F9 ?? ?? ?? B4 }`}
var ARM64_sig = signatureModuleDataInitARM64{0, 4, `{ ?? ?? ?? (90 | b0 | f0 | d0) ?? ?? ?? 91 ?? ?? ?? (14 | 17) ?? ?? 41 F9 ?? ?? ?? B4 }`, nil}

// 0x0006AA00 80 12 9F E5 LDR R1, =firstmoduleData // 0xE59F1280 -> 0b11 100101100111110001001010000000 -> size = 11,
// 0x0006AA04 00 00 00 EA B loc_6AA0C
// 0x0006AA08 18 11 91 E5 LDR R1, [R1,#0x118]
// 0x0006AA0C 00 00 51 E3 CMP R1, #0
// 0x0006AA10 69 00 00 0A BEQ loc_6ABBC
var ARM32_sig = signatureModuleDataInitARM32{0, `{ ?? ?? 9F E5 ?? ?? ?? EA ?? ?? ?? E5 ?? ?? ?? E3 ?? ?? ?? 0A }`}
var ARM32_sig = signatureModuleDataInitARM32{0, `{ ?? ?? 9F E5 ?? ?? ?? EA ?? ?? ?? E5 ?? ?? ?? E3 ?? ?? ?? 0A }`, nil}

func findModuleInitPCHeader(data []byte, sectionBase uint64) []SignatureMatch {
var matches []SignatureMatch = make([]SignatureMatch, 0)

x64reg, err := RegexpPatternFromYaraPattern(x64sig.signature)
if err != nil {
panic(err)
var x64reg = x64sig.compiledRegex
if x64reg == nil {
var err error
x64reg, err = RegexpPatternFromYaraPattern(x64sig.signature)
if err != nil {
panic(err)
}
}

for _, match := range FindRegex(data, x64reg) {
Expand All @@ -99,9 +108,13 @@ func findModuleInitPCHeader(data []byte, sectionBase uint64) []SignatureMatch {
})
}

x86reg, err := RegexpPatternFromYaraPattern(x86sig.signature)
if err != nil {
panic(err)
var x86reg = x86sig.compiledRegex
if x86reg == nil {
var err error
x86reg, err = RegexpPatternFromYaraPattern(x86sig.signature)
if err != nil {
panic(err)
}
}

for _, match := range FindRegex(data, x86reg) {
Expand All @@ -113,9 +126,13 @@ func findModuleInitPCHeader(data []byte, sectionBase uint64) []SignatureMatch {
})
}

arm64reg, err := RegexpPatternFromYaraPattern(ARM64_sig.signature)
if err != nil {
panic(err)
var arm64reg = ARM64_sig.compiledRegex
if arm64reg == nil {
var err error
arm64reg, err = RegexpPatternFromYaraPattern(ARM64_sig.signature)
if err != nil {
panic(err)
}
}

for _, match := range FindRegex(data, arm64reg) {
Expand All @@ -139,9 +156,13 @@ func findModuleInitPCHeader(data []byte, sectionBase uint64) []SignatureMatch {
})
}

arm32reg, err := RegexpPatternFromYaraPattern(ARM32_sig.signature)
if err != nil {
panic(err)
var arm32reg = ARM32_sig.compiledRegex
if arm32reg == nil {
var err error
arm32reg, err = RegexpPatternFromYaraPattern(ARM32_sig.signature)
if err != nil {
panic(err)
}
}

for _, match := range FindRegex(data, arm32reg) {
Expand All @@ -155,9 +176,13 @@ func findModuleInitPCHeader(data []byte, sectionBase uint64) []SignatureMatch {
})
}

ppcBEreg, err := RegexpPatternFromYaraPattern(PPC_BE_sig.signature)
if err != nil {
panic(err)
var ppcBEreg = PPC_BE_sig.compiledRegex
if ppcBEreg == nil {
var err error
ppcBEreg, err = RegexpPatternFromYaraPattern(PPC_BE_sig.signature)
if err != nil {
panic(err)
}
}

for _, match := range FindRegex(data, ppcBEreg) {
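Review bot: The compiled pattern is never written back to the signature: after `x64reg, err = RegexpPatternFromYaraPattern(x64sig.signature)` only the local `x64reg` is set, `x64sig.compiledRegex` stays nil, so the `if x64reg == nil` branch runs on every call and the commit does not actually cache anything — the same holds for the x86, ARM64, ARM32 and PPC blocks. The minimal fix is one line per block, `x64sig.compiledRegex = x64reg`, placed after the error check. Because the signatures are package-level variables, a lazy write from findModuleInitPCHeader would be a data race if the scanner is ever invoked from several goroutines; compiling once in the `var` initialisers or an `init()` (panicking there on a bad pattern, as regexp.MustCompile does) gives the cache for free, drops the per-call nil checks and the `nil` literals added to each struct literal. findModuleInitPCHeader continues past the end of this hunk.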
