Add Yara rule matching interface (#178)

* build: Added YARA as submodule

* ui: Added basic yara rules matching interface

* build: Make libyara link libpthread on Unix

* ui: Add jump-to feature to yara matches list

* yara: Add more modules and patch yara to support mbedtls crypto

* yara: Started to fix scanning of bigger data

* yara: Fixed implementation

* ui: Improved yara matcher interface and added localization

* build: Ignore changed files in yara submodule

* yara: Fixed rules matching agianst entire file

* yara: Properly handle compiler errors

external/yara/CMakeLists.txt

@@ -0,0 +1,125 @@
+cmake_minimum_required(VERSION 3.10)
+
+set(LIBYARA_SOURCE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/yara/libyara")
+
+set(LIBYARA_INCLUDES
+        ${LIBYARA_SOURCE_PATH}/include/yara/ahocorasick.h
+        ${LIBYARA_SOURCE_PATH}/include/yara/arena.h
+        ${LIBYARA_SOURCE_PATH}/include/yara/atoms.h
+        ${LIBYARA_SOURCE_PATH}/include/yara/bitmask.h
+        ${LIBYARA_SOURCE_PATH}/include/yara/compiler.h
+        ${LIBYARA_SOURCE_PATH}/include/yara/error.h
+        ${LIBYARA_SOURCE_PATH}/include/yara/exec.h
+        ${LIBYARA_SOURCE_PATH}/include/yara/exefiles.h
+        ${LIBYARA_SOURCE_PATH}/include/yara/filemap.h
+        ${LIBYARA_SOURCE_PATH}/include/yara/hash.h
+        ${LIBYARA_SOURCE_PATH}/include/yara/integers.h
+        ${LIBYARA_SOURCE_PATH}/include/yara/libyara.h
+        ${LIBYARA_SOURCE_PATH}/include/yara/limits.h
+        ${LIBYARA_SOURCE_PATH}/include/yara/mem.h
+        ${LIBYARA_SOURCE_PATH}/include/yara/modules.h
+        ${LIBYARA_SOURCE_PATH}/include/yara/object.h
+        ${LIBYARA_SOURCE_PATH}/include/yara/parser.h
+        ${LIBYARA_SOURCE_PATH}/include/yara/proc.h
+        ${LIBYARA_SOURCE_PATH}/include/yara/re.h
+        ${LIBYARA_SOURCE_PATH}/include/yara/rules.h
+        ${LIBYARA_SOURCE_PATH}/include/yara/scan.h
+        ${LIBYARA_SOURCE_PATH}/include/yara/scanner.h
+        ${LIBYARA_SOURCE_PATH}/include/yara/sizedstr.h
+        ${LIBYARA_SOURCE_PATH}/include/yara/stack.h
+        ${LIBYARA_SOURCE_PATH}/include/yara/stopwatch.h
+        ${LIBYARA_SOURCE_PATH}/include/yara/stream.h
+        ${LIBYARA_SOURCE_PATH}/include/yara/strutils.h
+        ${LIBYARA_SOURCE_PATH}/include/yara/threading.h
+        ${LIBYARA_SOURCE_PATH}/include/yara/types.h
+        ${LIBYARA_SOURCE_PATH}/include/yara/utils.h
+        ${LIBYARA_SOURCE_PATH}/crypto.h
+        )
+
+set(LIBYARA_SOURCE
+        ${LIBYARA_SOURCE_PATH}/grammar.y
+        ${LIBYARA_SOURCE_PATH}/ahocorasick.c
+        ${LIBYARA_SOURCE_PATH}/arena.c
+        ${LIBYARA_SOURCE_PATH}/atoms.c
+        ${LIBYARA_SOURCE_PATH}/base64.c
+        ${LIBYARA_SOURCE_PATH}/bitmask.c
+        ${LIBYARA_SOURCE_PATH}/compiler.c
+        ${LIBYARA_SOURCE_PATH}/endian.c
+        ${LIBYARA_SOURCE_PATH}/exec.c
+        ${LIBYARA_SOURCE_PATH}/exefiles.c
+        ${LIBYARA_SOURCE_PATH}/filemap.c
+        ${LIBYARA_SOURCE_PATH}/hash.c
+        ${LIBYARA_SOURCE_PATH}/hex_grammar.y
+        ${LIBYARA_SOURCE_PATH}/hex_lexer.l
+        ${LIBYARA_SOURCE_PATH}/lexer.l
+        ${LIBYARA_SOURCE_PATH}/libyara.c
+        ${LIBYARA_SOURCE_PATH}/mem.c
+        ${LIBYARA_SOURCE_PATH}/modules.c
+        ${LIBYARA_SOURCE_PATH}/notebook.c
+        ${LIBYARA_SOURCE_PATH}/object.c
+        ${LIBYARA_SOURCE_PATH}/parser.c
+        ${LIBYARA_SOURCE_PATH}/proc.c
+        ${LIBYARA_SOURCE_PATH}/re.c
+        ${LIBYARA_SOURCE_PATH}/re_grammar.y
+        ${LIBYARA_SOURCE_PATH}/re_lexer.l
+        ${LIBYARA_SOURCE_PATH}/rules.c
+        ${LIBYARA_SOURCE_PATH}/scan.c
+        ${LIBYARA_SOURCE_PATH}/scanner.c
+        ${LIBYARA_SOURCE_PATH}/sizedstr.c
+        ${LIBYARA_SOURCE_PATH}/stack.c
+        ${LIBYARA_SOURCE_PATH}/stopwatch.c
+        ${LIBYARA_SOURCE_PATH}/strutils.c
+        ${LIBYARA_SOURCE_PATH}/stream.c
+        ${LIBYARA_SOURCE_PATH}/threading.c
+        ${LIBYARA_SOURCE_PATH}/lexer.c
+        ${LIBYARA_SOURCE_PATH}/hex_lexer.c
+        ${LIBYARA_SOURCE_PATH}/grammar.c
+        ${LIBYARA_SOURCE_PATH}/re_lexer.c
+        ${LIBYARA_SOURCE_PATH}/hex_grammar.c
+        ${LIBYARA_SOURCE_PATH}/re_grammar.c
+        ${LIBYARA_SOURCE_PATH}/proc/none.c
+        )
+
+set(LIBYARA_MODULES
+        ${LIBYARA_SOURCE_PATH}/modules/tests/tests.c
+        ${LIBYARA_SOURCE_PATH}/modules/pe/pe.c
+        ${LIBYARA_SOURCE_PATH}/modules/pe/pe_utils.c
+        ${LIBYARA_SOURCE_PATH}/modules/elf/elf.c
+        ${LIBYARA_SOURCE_PATH}/modules/math/math.c
+        ${LIBYARA_SOURCE_PATH}/modules/time/time.c
+        ${LIBYARA_SOURCE_PATH}/modules/macho/macho.c
+        ${LIBYARA_SOURCE_PATH}/modules/hash/hash.c
+        ${LIBYARA_SOURCE_PATH}/modules/dex/dex.c
+        ${LIBYARA_SOURCE_PATH}/modules/dotnet/dotnet.c
+        ${LIBYARA_SOURCE_PATH}/modules/magic/magic.c)
+
+# Add mbedtls crypto wrappers
+file(READ crypto_mbedtls.h MBEDTLS_CRYPTO_H)
+file(WRITE ${LIBYARA_SOURCE_PATH}/crypto.h "${MBEDTLS_CRYPTO_H}")
+add_compile_definitions("HAVE_MBEDTLS")
+
+add_compile_definitions("USE_NO_PROC")
+
+add_compile_definitions("HASH_MODULE")
+add_compile_definitions("DOTNET_MODULE")
+add_compile_definitions("MAGIC_MODULE")
+add_compile_definitions("MACHO_MODULE")
+add_compile_definitions("DEX_MODULE")
+
+
+set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wno-shift-count-overflow")
+add_library(libyara STATIC ${LIBYARA_SOURCE} ${LIBYARA_INCLUDES} ${LIBYARA_MODULES})
+
+target_include_directories(
+        libyara
+        PUBLIC $<BUILD_INTERFACE:${LIBYARA_SOURCE_PATH}/include> $<INSTALL_INTERFACE:include>
+        PRIVATE ${LIBYARA_SOURCE_PATH}
+)
+
+if (UNIX)
+    target_link_libraries(libyara pthread)
+endif ()
+
+include(GNUInstallDirs)
+configure_file(${LIBYARA_SOURCE_PATH}/yara.pc.in
+        ${LIBYARA_SOURCE_PATH}/yara.pc @ONLY)

external/yara/crypto_mbedtls.h

@@ -0,0 +1,143 @@
+/*
+Copyright (c) 2017. The YARA Authors. All Rights Reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+this list of conditions and the following disclaimer in the documentation and/or
+other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its contributors
+may be used to endorse or promote products derived from this software without
+specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
+ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+#ifndef YR_CRYPTO_H
+#define YR_CRYPTO_H
+
+#define YR_MD5_LEN    16
+#define YR_SHA1_LEN   20
+#define YR_SHA256_LEN 32
+
+#if defined(HAVE_LIBCRYPTO)
+#include <openssl/crypto.h>
+#include <openssl/md5.h>
+#include <openssl/sha.h>
+
+typedef MD5_CTX yr_md5_ctx;
+typedef SHA_CTX yr_sha1_ctx;
+typedef SHA256_CTX yr_sha256_ctx;
+
+#define yr_md5_init(ctx)              MD5_Init(ctx)
+#define yr_md5_update(ctx, data, len) MD5_Update(ctx, data, len)
+#define yr_md5_final(digest, ctx)     MD5_Final(digest, ctx)
+
+#define yr_sha1_init(ctx)              SHA1_Init(ctx)
+#define yr_sha1_update(ctx, data, len) SHA1_Update(ctx, data, len)
+#define yr_sha1_final(digest, ctx)     SHA1_Final(digest, ctx)
+
+#define yr_sha256_init(ctx)              SHA256_Init(ctx)
+#define yr_sha256_update(ctx, data, len) SHA256_Update(ctx, data, len)
+#define yr_sha256_final(digest, ctx)     SHA256_Final(digest, ctx)
+
+#elif defined(HAVE_WINCRYPT_H)
+#include <windows.h>
+
+#include <wincrypt.h>
+
+extern HCRYPTPROV yr_cryptprov;
+
+typedef HCRYPTHASH yr_md5_ctx;
+typedef HCRYPTHASH yr_sha1_ctx;
+typedef HCRYPTHASH yr_sha256_ctx;
+
+#define yr_md5_init(ctx) CryptCreateHash(yr_cryptprov, CALG_MD5, 0, 0, ctx)
+#define yr_md5_update(ctx, data, len) \
+  CryptHashData(*ctx, (const BYTE*) data, len, 0)
+#define yr_md5_final(digest, ctx)                         \
+  {                                                       \
+    DWORD len = YR_MD5_LEN;                               \
+    CryptGetHashParam(*ctx, HP_HASHVAL, digest, &len, 0); \
+    CryptDestroyHash(*ctx);                               \
+  }
+
+#define yr_sha1_init(ctx) CryptCreateHash(yr_cryptprov, CALG_SHA1, 0, 0, ctx)
+#define yr_sha1_update(ctx, data, len) \
+  CryptHashData(*ctx, (const BYTE*) data, len, 0)
+#define yr_sha1_final(digest, ctx)                        \
+  {                                                       \
+    DWORD len = YR_SHA1_LEN;                              \
+    CryptGetHashParam(*ctx, HP_HASHVAL, digest, &len, 0); \
+    CryptDestroyHash(*ctx);                               \
+  }
+
+#define yr_sha256_init(ctx) \
+  CryptCreateHash(yr_cryptprov, CALG_SHA_256, 0, 0, ctx)
+#define yr_sha256_update(ctx, data, len) \
+  CryptHashData(*ctx, (const BYTE*) data, len, 0)
+#define yr_sha256_final(digest, ctx)                      \
+  {                                                       \
+    DWORD len = YR_SHA256_LEN;                            \
+    CryptGetHashParam(*ctx, HP_HASHVAL, digest, &len, 0); \
+    CryptDestroyHash(*ctx);                               \
+  }
+
+#elif defined(HAVE_COMMONCRYPTO_COMMONCRYPTO_H)
+#include <CommonCrypto/CommonDigest.h>
+
+typedef CC_MD5_CTX yr_md5_ctx;
+typedef CC_SHA1_CTX yr_sha1_ctx;
+typedef CC_SHA256_CTX yr_sha256_ctx;
+
+#define yr_md5_init(ctx)              CC_MD5_Init(ctx)
+#define yr_md5_update(ctx, data, len) CC_MD5_Update(ctx, data, len)
+#define yr_md5_final(digest, ctx)     CC_MD5_Final(digest, ctx)
+
+#define yr_sha1_init(ctx)              CC_SHA1_Init(ctx)
+#define yr_sha1_update(ctx, data, len) CC_SHA1_Update(ctx, data, len)
+#define yr_sha1_final(digest, ctx)     CC_SHA1_Final(digest, ctx)
+
+#define yr_sha256_init(ctx)              CC_SHA256_Init(ctx)
+#define yr_sha256_update(ctx, data, len) CC_SHA256_Update(ctx, data, len)
+#define yr_sha256_final(digest, ctx)     CC_SHA256_Final(digest, ctx)
+
+#elif defined(HAVE_MBEDTLS)
+#include <mbedtls/md5.h>
+#include <mbedtls/sha1.h>
+#include <mbedtls/sha256.h>
+
+typedef mbedtls_md5_context yr_md5_ctx;
+typedef mbedtls_sha1_context yr_sha1_ctx;
+typedef mbedtls_sha256_context yr_sha256_ctx;
+
+#define yr_md5_init(ctx)                    { mbedtls_md5_init(ctx); mbedtls_md5_starts_ret(ctx); }
+#define yr_md5_update(ctx, data, len)       mbedtls_md5_update_ret(ctx, data, len)
+#define yr_md5_final(digest, ctx)           { mbedtls_md5_finish_ret(ctx, digest); mbedtls_md5_free(ctx); }
+
+#define yr_sha1_init(ctx)                   { mbedtls_sha1_init(ctx); mbedtls_sha1_starts_ret(ctx); }
+#define yr_sha1_update(ctx, data, len)      mbedtls_sha1_update_ret(ctx, data, len)
+#define yr_sha1_final(digest, ctx)          { mbedtls_sha1_finish_ret(ctx, digest); mbedtls_sha1_free(ctx); }
+
+#define yr_sha256_init(ctx)                 { mbedtls_sha256_init(ctx); mbedtls_sha256_starts_ret(ctx, false); }
+#define yr_sha256_update(ctx, data, len)    mbedtls_sha256_update_ret(ctx, data, len)
+#define yr_sha256_final(digest, ctx)        { mbedtls_sha256_finish_ret(ctx, digest); mbedtls_sha256_free(ctx); }
+
+#define HAVE_COMMONCRYPTO_COMMONCRYPTO_H
+#endif
+
+#endif