author | Leonard Kugis <leonard@kug.is> | 2025-04-29 23:18:20 +0000 |
---|---|---|
committer | Leonard Kugis <leonard@kug.is> | 2025-04-29 23:18:20 +0000 |
commit | 3eb2c2ed62170f31850eeb8a234c085a667bc6d3 (patch) | |
tree | 9a73ef8c5fb4fe78459e45767538b0cd6377d81a | |
parent | 0ba07d6ab47519f7551cf242c60f3dab9d98fa53 (diff) | |
yara: Compiling identifiers for signatures.
-rw-r--r-- | yara.py | 20 |
1 files changed, 14 insertions, 6 deletions
@@ -174,8 +174,8 @@ class StringBlockRange(StringBlock):
 class YaraSignature(object):
- # big endian, modifiers, n_blocks_data, index_map_data, blocks_data
- __FORMAT = "<H{size_n_blocks_data}s{size_index_map_data}s{size_blocks_data}s"
+ # big endian, modifiers, identifier_size_data, identifier_data, n_blocks_data, index_map_data, blocks_data
+ __FORMAT = "<H{size_identifier_size_data}s{size_identifier_data}s{size_n_blocks_data}s{size_index_map_data}s{size_blocks_data}s"
 __STRING_TYPE_STRING = 0
 __STRING_TYPE_HEX = 1
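Review bot: The comment on the new `__FORMAT` line still says "big endian", but the format string begins with `<`, which `struct` treats as little-endian with standard sizes and no padding. Anyone writing a parser for the compiled signatures from this comment would read the 16-bit modifiers word byte-swapped and misinterpret every flag and width field in it. Since the line is being rewritten anyway, correct it to `# little endian: modifiers, identifier_size_data, identifier_data, n_blocks_data, index_map_data, blocks_data`.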
@@ -314,13 +314,21 @@ class YaraSignature(object):
 blocks_data.extend(block.compile())
 index_elements = YaraIndex.from_size(len(self.blocks))
 index_data = YaraIndex.from_size(len(blocks_data))
+ identifier_data = self.identifier.encode("UTF-8")
+ index_identifier = YaraIndex.from_size(len(identifier_data))
 index_map = YaraIndexMap(index_data, indices)
 index_map_data = index_map.compile()
 n_blocks_data = index_elements.compile_index(len(self.blocks))
- modifiers = self.modifiers_origin | (index_elements.compile_modifier()[0] << 8) | (index_data.compile_modifier()[0] << 10) | ((1 if store_index_map_string_blocks else 0) << 12)
- fmt = self.__FORMAT.format(size_n_blocks_data=len(n_blocks_data), size_index_map_data=(len(index_map_data) if store_index_map_string_blocks else 0), size_blocks_data=len(blocks_data))
- logger.debug("{}: fmt = {}, modifiers = {}, n_blocks_data = {}, index_map_data = {}, blocks_data = {}".format("YaraSignature", fmt, modifiers, n_blocks_data, index_map_data, blocks_data))
- return struct.pack(fmt, modifiers, n_blocks_data, index_map_data, blocks_data)
+ identifier_size_data = index_identifier.compile_index(len(identifier_data))
+ modifiers = self.modifiers_origin | (index_elements.compile_modifier()[0] << 8) | (index_data.compile_modifier()[0] << 10) | ((1 if store_index_map_string_blocks else 0) << 14)
+ fmt = self.__FORMAT.format(
+ size_identifier_size_data=(len(identifier_size_data) if store_identifier_signature else 0),
+ size_identifier_data=(len(identifier_data) if store_identifier_signature else 0),
+ size_n_blocks_data=len(n_blocks_data),
+ size_index_map_data=(len(index_map_data) if store_index_map_string_blocks else 0),
+ size_blocks_data=len(blocks_data))
+ logger.debug("{}: fmt = {}, modifiers = {}, identifier_size_data = {}, identifier_data ={}, n_blocks_data = {}, index_map_data = {}, blocks_data = {}".format("YaraSignature", fmt, bin(modifiers), identifier_size_data, identifier_data, n_blocks_data, index_map_data, blocks_data))
+ return struct.pack(fmt, modifiers, identifier_size_data, identifier_data, n_blocks_data, index_map_data, blocks_data)
 class YaraCondition(object): |
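Review bot: The packed `modifiers` word never records the new identifier fields. The index-map flag moves from `<< 12` to `<< 14`, but neither `index_identifier.compile_modifier()` nor `store_identifier_signature` is OR-ed in, so a reader of the compiled signature cannot tell whether the identifier is present or how wide its length field is, and may parse identifier bytes as `n_blocks_data`. If bits 12-13 were freed for that width, add `| (index_identifier.compile_modifier()[0] << 12)` to the expression and reserve a bit for the presence flag; bit 15 looks like the only one left in the `H` field, which should be confirmed against the format definition. `store_identifier_signature` is not defined in the visible lines, and the enclosing method starts outside the hunk, so check that it is a parameter there.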