
DBG+GUI: removed yara

mrexodia committed Apr 6, 2019
1 parent 7d727d0 commit 386e242645f4418412c2c28ba972b6c405f653fd
Showing with 4 additions and 6,307 deletions.
  1. +0 −3 release.bat
  2. +0 −294 src/dbg/commands/cmd-searching.cpp
  3. +0 −2 src/dbg/commands/cmd-searching.h
  4. +0 −7 src/dbg/x64dbg.cpp
  5. +4 −37 src/dbg/x64dbg_dbg.vcxproj
  6. +0 −105 src/dbg/x64dbg_dbg.vcxproj.filters
  7. +0 −43 src/dbg/yara/yara.h
  8. +0 −84 src/dbg/yara/yara/ahocorasick.h
  9. +0 −165 src/dbg/yara/yara/arena.h
  10. +0 −102 src/dbg/yara/yara/atoms.h
  11. +0 −228 src/dbg/yara/yara/compiler.h
  12. +0 −365 src/dbg/yara/yara/dotnet.h
  13. +0 −323 src/dbg/yara/yara/elf.h
  14. +0 −100 src/dbg/yara/yara/endian.h
  15. +0 −129 src/dbg/yara/yara/error.h
  16. +0 −176 src/dbg/yara/yara/exec.h
  17. +0 −43 src/dbg/yara/yara/exefiles.h
  18. +0 −90 src/dbg/yara/yara/filemap.h
  19. +0 −41 src/dbg/yara/yara/globals.h
  20. +0 −103 src/dbg/yara/yara/hash.h
  21. +0 −110 src/dbg/yara/yara/hex_lexer.h
  22. +0 −66 src/dbg/yara/yara/integers.h
  23. +0 −150 src/dbg/yara/yara/lexer.h
  24. +0 −85 src/dbg/yara/yara/libyara.h
  25. +0 −68 src/dbg/yara/yara/limits.h
  26. +0 −74 src/dbg/yara/yara/mem.h
  27. +0 −447 src/dbg/yara/yara/modules.h
  28. +0 −184 src/dbg/yara/yara/object.h
  29. +0 −138 src/dbg/yara/yara/parser.h
  30. +0 −533 src/dbg/yara/yara/pe.h
  31. +0 −114 src/dbg/yara/yara/pe_utils.h
  32. +0 −42 src/dbg/yara/yara/proc.h
  33. +0 −272 src/dbg/yara/yara/re.h
  34. +0 −109 src/dbg/yara/yara/re_lexer.h
  35. +0 −159 src/dbg/yara/yara/rules.h
  36. +0 −49 src/dbg/yara/yara/scan.h
  37. +0 −70 src/dbg/yara/yara/sizedstr.h
  38. +0 −72 src/dbg/yara/yara/stream.h
  39. +0 −91 src/dbg/yara/yara/strutils.h
  40. +0 −65 src/dbg/yara/yara/threading.h
  41. +0 −566 src/dbg/yara/yara/types.h
  42. +0 −109 src/dbg/yara/yara/utils.h
  43. BIN src/dbg/yara/yara_x64.lib
  44. BIN src/dbg/yara/yara_x86.lib
  45. +0 −13 src/gui/Src/Gui/CPUDisassembly.cpp
  46. +0 −1 src/gui/Src/Gui/CPUDisassembly.h
  47. +0 −13 src/gui/Src/Gui/CPUDump.cpp
  48. +0 −1 src/gui/Src/Gui/CPUDump.h
  49. +0 −21 src/gui/Src/Gui/MemoryMapView.cpp
  50. +0 −2 src/gui/Src/Gui/MemoryMapView.h
  51. +0 −31 src/gui/Src/Gui/SymbolView.cpp
  52. +0 −4 src/gui/Src/Gui/SymbolView.h
  53. +0 −75 src/gui/Src/Gui/YaraRuleSelectionDialog.cpp
  54. +0 −34 src/gui/Src/Gui/YaraRuleSelectionDialog.h
  55. +0 −95 src/gui/Src/Gui/YaraRuleSelectionDialog.ui
  56. +0 −1 src/gui/Src/Utils/Configuration.cpp
  57. +0 −3 src/gui/x64dbg.pro
@@ -12,8 +12,6 @@ mkdir %RELEASEDIR%\pluginsdk\jansson
mkdir %RELEASEDIR%\pluginsdk\lz4
mkdir %RELEASEDIR%\pluginsdk\TitanEngine
mkdir %RELEASEDIR%\pluginsdk\XEDParse
mkdir %RELEASEDIR%\pluginsdk\yara
mkdir %RELEASEDIR%\pluginsdk\yara\yara

xcopy src\dbg\dbghelp %RELEASEDIR%\pluginsdk\dbghelp /S /Y
xcopy src\dbg\DeviceNameResolver %RELEASEDIR%\pluginsdk\DeviceNameResolver /S /Y
@@ -22,7 +20,6 @@ xcopy src\dbg\lz4 %RELEASEDIR%\pluginsdk\lz4 /S /Y
xcopy src\dbg\TitanEngine %RELEASEDIR%\pluginsdk\TitanEngine /S /Y
del %RELEASEDIR%\pluginsdk\TitanEngine\TitanEngine.txt /F /Q
xcopy src\dbg\XEDParse %RELEASEDIR%\pluginsdk\XEDParse /S /Y
xcopy src\dbg\yara %RELEASEDIR%\pluginsdk\yara /S /Y
copy src\dbg\_plugin_types.h %RELEASEDIR%\pluginsdk\_plugin_types.h
copy src\dbg\_plugins.h %RELEASEDIR%\pluginsdk\_plugins.h
copy src\dbg\_scriptapi*.h %RELEASEDIR%\pluginsdk\_scriptapi*.h
@@ -7,7 +7,6 @@
#include "debugger.h"
#include "filehelper.h"
#include "label.h"
#include "yara/yara.h"
#include "stringformat.h"
#include "disasm_helper.h"
#include "symbolinfo.h"
@@ -947,299 +946,6 @@ bool cbInstrGUIDFind(int argc, char* argv[])
return true;
}

static void yaraCompilerCallback(int error_level, const char* file_name, int line_number, const char* message, void* user_data)
{
switch(error_level)
{
case YARA_ERROR_LEVEL_ERROR:
dprintf(QT_TRANSLATE_NOOP("DBG", "[YARA ERROR] "));
break;
case YARA_ERROR_LEVEL_WARNING:
dprintf(QT_TRANSLATE_NOOP("DBG", "[YARA WARNING] "));
break;
}
dprintf(QT_TRANSLATE_NOOP("DBG", "File: \"%s\", Line: %d, Message: \"%s\"\n"), file_name, line_number, message);
}

static String yara_print_string(const uint8_t* data, int length)
{
String result = "\"";
const char* str = (const char*)data;
for(int i = 0; i < length; i++)
{
char cur[16] = "";
if(str[i] >= 32 && str[i] <= 126)
sprintf_s(cur, "%c", str[i]);
else
sprintf_s(cur, "\\x%02X", (uint8_t)str[i]);
result += cur;
}
result += "\"";
return result;
}

static String yara_print_hex_string(const uint8_t* data, int length)
{
String result = "";
for(int i = 0; i < length; i++)
{
if(i)
result += " ";
char cur[16] = "";
sprintf_s(cur, "%02X", (uint8_t)data[i]);
result += cur;
}
return result;
}

struct YaraScanInfo
{
duint base;
int index;
bool rawFile;
const char* modname;
bool debug;

YaraScanInfo(duint base, bool rawFile, const char* modname, bool debug)
: base(base), index(0), rawFile(rawFile), modname(modname), debug(debug)
{
}
};

static int yaraScanCallback(int message, void* message_data, void* user_data)
{
YaraScanInfo* scanInfo = (YaraScanInfo*)user_data;
bool debug = scanInfo->debug;
switch(message)
{
case CALLBACK_MSG_RULE_MATCHING:
{
duint base = scanInfo->base;
YR_RULE* yrRule = (YR_RULE*)message_data;
auto addReference = [scanInfo, yrRule](duint addr, const char* identifier, const std::string & pattern)
{
auto index = scanInfo->index;
GuiReferenceSetRowCount(index + 1);
scanInfo->index++;

char addr_text[deflen] = "";
sprintf_s(addr_text, "%p", addr);
GuiReferenceSetCellContent(index, 0, addr_text); //Address
String ruleFullName = "";
ruleFullName += yrRule->identifier;
if(identifier)
{
ruleFullName += ".";
ruleFullName += identifier;
}
GuiReferenceSetCellContent(index, 1, ruleFullName.c_str()); //Rule
GuiReferenceSetCellContent(index, 2, pattern.c_str()); //Data
};

if(STRING_IS_NULL(yrRule->strings))
{
if(debug)
dprintf(QT_TRANSLATE_NOOP("DBG", "[YARA] Global rule \"%s\" matched!\n"), yrRule->identifier);
addReference(base, nullptr, "");
}
else
{
if(debug)
dprintf(QT_TRANSLATE_NOOP("DBG", "[YARA] Rule \"%s\" matched:\n"), yrRule->identifier);
YR_STRING* string;
yr_rule_strings_foreach(yrRule, string)
{
YR_MATCH* match;
yr_string_matches_foreach(string, match)
{
String pattern;
if(STRING_IS_HEX(string))
pattern = yara_print_hex_string(match->data, match->match_length);
else
pattern = yara_print_string(match->data, match->match_length);
auto offset = duint(match->base + match->offset);
duint addr;
if(scanInfo->rawFile) //convert raw offset to virtual offset
addr = valfileoffsettova(scanInfo->modname, offset);
else
addr = base + offset;

if(debug)
dprintf(QT_TRANSLATE_NOOP("DBG", "[YARA] String \"%s\" : %s on %p\n"), string->identifier, pattern.c_str(), addr);

addReference(addr, string->identifier, pattern);
}
}
}
}
break;

case CALLBACK_MSG_RULE_NOT_MATCHING:
{
YR_RULE* yrRule = (YR_RULE*)message_data;
if(debug)
dprintf(QT_TRANSLATE_NOOP("DBG", "[YARA] Rule \"%s\" did not match!\n"), yrRule->identifier);
}
break;

case CALLBACK_MSG_SCAN_FINISHED:
{
if(debug)
dputs(QT_TRANSLATE_NOOP("DBG", "[YARA] Scan finished!"));
}
break;

case CALLBACK_MSG_IMPORT_MODULE:
{
YR_MODULE_IMPORT* yrModuleImport = (YR_MODULE_IMPORT*)message_data;
if(debug)
dprintf(QT_TRANSLATE_NOOP("DBG", "[YARA] Imported module \"%s\"!\n"), yrModuleImport->module_name);
}
break;
}
return ERROR_SUCCESS; //nicely undocumented what this should be
}

bool cbInstrYara(int argc, char* argv[])
{
if(IsArgumentsLessThan(argc, 2))
return false;
duint addr = 0;
SELECTIONDATA sel;
GuiSelectionGet(GUI_DISASSEMBLY, &sel);
addr = sel.start;

duint base = 0;
duint size = 0;
duint mod = argc > 2 ? ModBaseFromName(argv[2]) : 0;
bool rawFile = false;
if(mod)
{
base = mod;
size = ModSizeFromAddr(base);
rawFile = argc > 3 && *argv[3] == '1';
}
else
{
if(argc > 2 && !valfromstring(argv[2], &addr))
{
dprintf(QT_TRANSLATE_NOOP("DBG", "Invalid value \"%s\"!\n"), argv[2]);
return false;
}

size = 0;
if(argc > 3)
if(!valfromstring(argv[3], &size))
size = 0;
if(!size)
addr = MemFindBaseAddr(addr, &size);
base = addr;
}
std::vector<unsigned char> rawFileData;
if(rawFile) //read the file from disk
{
char modPath[MAX_PATH] = "";
if(!ModPathFromAddr(base, modPath, MAX_PATH))
{
dprintf(QT_TRANSLATE_NOOP("DBG", "Failed to get module path for %p!\n"), base);
return false;
}
if(!FileHelper::ReadAllData(modPath, rawFileData))
{
dprintf(QT_TRANSLATE_NOOP("DBG", "Failed to read file \"%s\"!\n"), modPath);
return false;
}
size = rawFileData.size();
}
Memory<uint8_t*> data(size);
if(rawFile)
memcpy(data(), rawFileData.data(), size);
else
{
memset(data(), 0xCC, data.size());
MemReadDumb(base, data(), size);
}

String rulesContent;
if(!FileHelper::ReadAllText(argv[1], rulesContent))
{
dprintf(QT_TRANSLATE_NOOP("DBG", "Failed to read the rules file \"%s\"\n"), argv[1]);
return false;
}

bool bSuccess = false;
YR_COMPILER* yrCompiler;
if(yr_compiler_create(&yrCompiler) == ERROR_SUCCESS)
{
yr_compiler_set_callback(yrCompiler, yaraCompilerCallback, 0);
if(yr_compiler_add_string(yrCompiler, rulesContent.c_str(), nullptr) == 0) //no errors found
{
YR_RULES* yrRules;
if(yr_compiler_get_rules(yrCompiler, &yrRules) == ERROR_SUCCESS)
{
//initialize new reference tab
char modname[MAX_MODULE_SIZE] = "";
if(!ModNameFromAddr(base, modname, true))
sprintf_s(modname, "%p", base);
String fullName;
const char* fileName = strrchr(argv[1], '\\');
if(fileName)
fullName = fileName + 1;
else
fullName = argv[1];
fullName += " (";
fullName += modname;
fullName += ")"; //nanana, very ugly code (long live open source)
GuiReferenceInitialize(fullName.c_str());
GuiReferenceAddColumn(sizeof(duint) * 2, GuiTranslateText(QT_TRANSLATE_NOOP("DBG", "Address")));
GuiReferenceAddColumn(48, GuiTranslateText(QT_TRANSLATE_NOOP("DBG", "Rule")));
GuiReferenceAddColumn(10, GuiTranslateText(QT_TRANSLATE_NOOP("DBG", "Data")));
GuiReferenceSetRowCount(0);
GuiReferenceReloadData();
YaraScanInfo scanInfo(base, rawFile, argc > 2 ? argv[2] : modname, settingboolget("Engine", "YaraDebug"));
duint ticks = GetTickCount();
dputs(QT_TRANSLATE_NOOP("DBG", "[YARA] Scan started..."));
int err = yr_rules_scan_mem(yrRules, data(), size, 0, yaraScanCallback, &scanInfo, 0);
GuiReferenceReloadData();
switch(err)
{
case ERROR_SUCCESS:
dprintf(QT_TRANSLATE_NOOP("DBG", "%u scan results in %ums...\n"), DWORD(scanInfo.index), GetTickCount() - DWORD(ticks));
bSuccess = true;
break;
case ERROR_TOO_MANY_MATCHES:
dputs(QT_TRANSLATE_NOOP("DBG", "Too many matches!"));
break;
default:
dputs(QT_TRANSLATE_NOOP("DBG", "Error while scanning memory!"));
break;
}
yr_rules_destroy(yrRules);
}
else
dputs(QT_TRANSLATE_NOOP("DBG", "Error while getting the rules!"));
}
else
dputs(QT_TRANSLATE_NOOP("DBG", "Errors in the rules file!"));
yr_compiler_destroy(yrCompiler);
}
else
dputs(QT_TRANSLATE_NOOP("DBG", "yr_compiler_create failed!"));
return bSuccess;
}

bool cbInstrYaramod(int argc, char* argv[])
{
if(IsArgumentsLessThan(argc, 3))
return false;
if(!ModBaseFromName(argv[2]))
{
dprintf(QT_TRANSLATE_NOOP("DBG", "Invalid module \"%s\"!\n"), argv[2]);
return false;
}
return cmddirectexec(StringUtils::sprintf("yara \"%s\",\"%s\",%s", argv[1], argv[2], argc > 3 && *argv[3] == '1' ? "1" : "0").c_str());
}

bool cbInstrSetMaxFindResult(int argc, char* argv[])
{
if(IsArgumentsLessThan(argc, 2))
@@ -12,6 +12,4 @@ bool cbInstrRefStr(int argc, char* argv[]);
bool cbInstrRefFuncionPointer(int argc, char* argv[]);
bool cbInstrModCallFind(int argc, char* argv[]);
bool cbInstrGUIDFind(int argc, char* argv[]);
bool cbInstrYara(int argc, char* argv[]);
bool cbInstrYaramod(int argc, char* argv[]);
bool cbInstrSetMaxFindResult(int argc, char* argv[]);
@@ -26,7 +26,6 @@
#include "expressionfunctions.h"
#include "formatfunctions.h"
#include "stringformat.h"
#include "yara/yara.h"
#include "dbghelp_safe.h"

static MESSAGE_STACK* gMsgStack = 0;
@@ -275,8 +274,6 @@ static void registercommands()
dbgcmdnew("refstr,strref", cbInstrRefStr, true); //find string references
dbgcmdnew("reffunctionpointer", cbInstrRefFuncionPointer, true); //find function pointers
dbgcmdnew("modcallfind", cbInstrModCallFind, true); //find intermodular calls
dbgcmdnew("yara", cbInstrYara, true); //yara test command
dbgcmdnew("yaramod", cbInstrYaramod, true); //yara rule on module
dbgcmdnew("setmaxfindresult,findsetmaxresult", cbInstrSetMaxFindResult, false); //set the maximum number of occurences found
dbgcmdnew("guidfind,findguid", cbInstrGUIDFind, true); //find GUID references TODO: undocumented

@@ -648,9 +645,6 @@ extern "C" DLL_EXPORT const char* _dbg_dbginit()
//#endif //ENABLE_MEM_TRACE
dputs(QT_TRANSLATE_NOOP("DBG", "Initializing Zydis..."));
Zydis::GlobalInitialize();
dputs(QT_TRANSLATE_NOOP("DBG", "Initializing Yara..."));
if(yr_initialize() != ERROR_SUCCESS)
return "Failed to initialize Yara!";
dputs(QT_TRANSLATE_NOOP("DBG", "Getting directory information..."));

strcpy_s(scriptDllDir, szProgramDir);
@@ -778,7 +772,6 @@ extern "C" DLL_EXPORT void _dbg_dbgexitsignal()
dputs(QT_TRANSLATE_NOOP("DBG", "Cleaning up allocated data..."));
cmdfree();
varfree();
yr_finalize();
Zydis::GlobalFinalize();
dputs(QT_TRANSLATE_NOOP("DBG", "Cleaning up wait objects..."));
waitdeinitialize();
