diff --git a/libyara/atoms.c b/libyara/atoms.c index e7e9a15bdb..da873f871a 100644 --- a/libyara/atoms.c +++ b/libyara/atoms.c @@ -419,6 +419,22 @@ void yr_atoms_list_destroy(YR_ATOM_LIST_ITEM* list_head) } } +//////////////////////////////////////////////////////////////////////////////// +// Destroys an atom_node list. +// +void yr_atom_node_list_destroy(YR_ATOM_NODE_LIST* list_head) +{ + YR_ATOM_NODE_LIST* item = list_head; + YR_ATOM_NODE_LIST* next; + + while (item != NULL) + { + next = item->next; + yr_free(item); + item = next; + } +} + //////////////////////////////////////////////////////////////////////////////// // Concats two atoms lists. // @@ -460,6 +476,7 @@ int _yr_atoms_trim(YR_ATOM* atom) int mask_ff = 0; int trim_left = 0; + int origin_atom_length = atom->length; while (trim_left < atom->length && atom->mask[trim_left] == 0) trim_left++; @@ -501,7 +518,7 @@ int _yr_atoms_trim(YR_ATOM* atom) // Shift bytes and mask trim_left positions to the left. - for (int i = 0; i < YR_MAX_ATOM_LENGTH - trim_left; i++) + for (int i = 0; i < origin_atom_length - trim_left; i++) { atom->bytes[i] = atom->bytes[trim_left + i]; atom->mask[i] = atom->mask[trim_left + i]; @@ -510,6 +527,186 @@ int _yr_atoms_trim(YR_ATOM* atom) return trim_left; } +// find best child atom in every length, the range of length is [1, YR_MAX_ATOM_RE_LENGTH]. +// The best atom contains at most one wildcard. +// e.g. if atom is {01 02 03 ?? 04 05}, all best child atoms are {01}, {01 02}, {01 02 03}, {01 02 03 ?? 04}, {01 02 03 ?? 04 05} +// e.g. if atom is {01 02 03 ?? ?? 04 05}, all best child atoms are {01}, {01 02}, {01 02 03} +void _yr_atoms_inner_extract( + YR_ATOMS_CONFIG* config, + YR_ATOM* atom, + RE_NODE** re_nodes, + int current_atom_length, + YR_ATOM_NODE_LIST** chosen_atoms) +{ + + // if cannot find atom, just return first byte as atom + if (current_atom_length < 1) { + return; + } + + int mask_len = 0, shift_mask = 0, shift = 0; + int quality = -1; + int best_quality = -1; + int flag = 0; // when find valid atom, flag = 1 + YR_ATOM current_atom; + YR_ATOM best_atom; + RE_NODE* best_atom_re_nodes[YR_MAX_ATOM_RE_LENGTH]; + RE_NODE* recent_re_nodes[YR_MAX_ATOM_RE_LENGTH]; + YR_ATOM_NODE_LIST* item = NULL; + + best_atom.length = 0; + memset(best_atom.bytes, 0, sizeof(best_atom.bytes)); + memset(best_atom.mask, 0, sizeof(best_atom.mask)); + memset(best_atom_re_nodes, 0, sizeof(best_atom_re_nodes)); + + + for (int i = 0; i <= atom->length - current_atom_length; i++) { + + current_atom.length = current_atom_length; + mask_len = 0; + for (int j = i, k = 0; k < current_atom_length; j++, k++) { + current_atom.bytes[k] = atom->bytes[j]; + current_atom.mask[k] = atom->mask[j]; + recent_re_nodes[k] = re_nodes[j]; + if (current_atom.mask[k] == 0x00 || current_atom.mask[k] == 0x0f || current_atom.mask[k] == 0xf0) + mask_len++; + } + + shift = _yr_atoms_trim(¤t_atom); + quality = config->get_atom_quality(config, ¤t_atom); + // update re_node after trim + if (shift > 0) + { + for (int j = 0; j < current_atom_length - shift; j++) + recent_re_nodes[j] = recent_re_nodes[j + shift]; + } + + // update mask_len after trim + if (current_atom.length == 1) + mask_len = 0; + else + { + shift_mask = mask_len - (current_atom_length - current_atom.length); + mask_len = shift_mask >= 0 ? shift_mask : 0; + } + + if (quality > best_quality) + { + if (mask_len <= 1) { + for (int m = 0; m < current_atom.length; m++) + { + best_atom.bytes[m] = current_atom.bytes[m]; + best_atom.mask[m] = current_atom.mask[m]; + best_atom_re_nodes[m] = recent_re_nodes[m]; + } + best_atom.length = current_atom.length; + best_quality = quality; + + flag = 1; + } + } + } + + // add best_atom to atom_node_list + if (flag == 1 && best_atom.length > 0) { + item = (YR_ATOM_NODE_LIST*)yr_malloc(sizeof(YR_ATOM_NODE_LIST)); + if (item != NULL) + { + memcpy(&item->atom, &best_atom, sizeof(YR_ATOM)); + item->next = *chosen_atoms; + *chosen_atoms = item; + memcpy(&item->re_nodes, &best_atom_re_nodes, sizeof(best_atom_re_nodes)); + } + + } + + // recursion extract + _yr_atoms_inner_extract(config, atom, re_nodes, current_atom_length - 1, chosen_atoms); + +} + +// find the final best atom from all candidate child atoms based on quality and the number of wildcards. +// e.g. {01}, {01 02}, {01 02 03}, {01 02 03 ?? 04}, {01 02 03 ?? 04 05}, the final best atom is {01 02 03 ?? 04 05}. +// e.g. {01}, {01 02}, {01 02 03}, the final best atom is {01 02 03}. +void _yr_atoms_inner_choose( + YR_ATOMS_CONFIG* config, + YR_ATOM* atom, + RE_NODE** re_nodes, + YR_ATOM_NODE_LIST* chosen_atoms) +{ + YR_ATOM_NODE_LIST* item = chosen_atoms; + int best_quality[3] = { 0 }; + YR_ATOM best_atom[3]; + RE_NODE* best_atom_re_nodes[3][YR_MAX_ATOM_RE_LENGTH]; + int i = 0, mask_index = 0; + int quality = 0; + int max_length = 0, best_atom_index = 0; + + + while (item != NULL) + { + mask_index = 0; + for (i = 0; i < item->atom.length; i++) + { + if (item->atom.mask[i] == 0x00) + mask_index = 2; + if (item->atom.mask[i] == 0x0f || item->atom.mask[i] == 0xf0) + mask_index = 1; + } + quality = config->get_atom_quality(config, &item->atom); + + if (quality > best_quality[mask_index]) + { + memcpy(&best_atom[mask_index], &item->atom, sizeof(item->atom)); + memcpy(&best_atom_re_nodes[mask_index], &item->re_nodes, sizeof(item->re_nodes)); + best_quality[mask_index] = quality; + + } + + item = item->next; + } + + // first choose no-wildcard atom + if (best_quality[0] != 0 && best_atom[0].length >= YR_MIN_VALID_ATOM_LENGTH) + { + best_atom_index = 0; + } + + // if not no-wildcard atom, then choose half-wildcard atom + else if (best_quality[1] != 0 && best_atom[1].length >= YR_MIN_VALID_ATOM_LENGTH + 1) + { + best_atom_index = 1; + } + // else, just choose max_len best atom + else + { + for (i = 0; i < 3; i++) + { + if (best_quality[i] != 0) + { + if (best_atom[i].length > max_length) + { + max_length = best_atom[i].length; + best_atom_index = i; + } + } + } + } + + // copy atom and re_node to leaf + memset(atom->bytes, 0, sizeof(atom->bytes)); + memset(atom->mask, 0, sizeof(atom->mask)); + atom->length = best_atom[best_atom_index].length; + for (i = 0; i < best_atom[best_atom_index].length; i++) + { + atom->bytes[i] = best_atom[best_atom_index].bytes[i]; + atom->mask[i] = best_atom[best_atom_index].mask[i]; + re_nodes[i] = best_atom_re_nodes[best_atom_index][i]; + } + + return; +} + //////////////////////////////////////////////////////////////////////////////// // This function receives an atom tree and returns a list of atoms to be added // to the Aho-Corasick automaton. @@ -888,19 +1085,23 @@ static int _yr_atoms_extract_from_re( int quality; int best_quality = -1; int n = 0; + int mask_len = 0; // the number of wildcard YR_ATOM_TREE_NODE* and_node; YR_ATOM_TREE_NODE* left_node; YR_ATOM_TREE_NODE* right_node; + // A list of child atoms extracted from the best atom + YR_ATOM_NODE_LIST* choose_atoms = NULL; + // The RE_NODEs most recently visited that can conform an atom (ie: // RE_NODE_LITERAL, RE_NODE_MASKED_LITERAL and RE_NODE_ANY). The number of // items in this array is n. - RE_NODE* recent_re_nodes[YR_MAX_ATOM_LENGTH]; + RE_NODE* recent_re_nodes[YR_MAX_ATOM_RE_LENGTH]; // The RE_NODEs corresponding to the best atom found so far for the current // appending node. - RE_NODE* best_atom_re_nodes[YR_MAX_ATOM_LENGTH]; + RE_NODE* best_atom_re_nodes[YR_MAX_ATOM_RE_LENGTH]; // This holds the ATOM_TREE_OR node where leaves (ATOM_TREE_LEAF) are // currently being appended. @@ -962,12 +1163,30 @@ static int _yr_atoms_extract_from_re( &leaf->re_nodes, &best_atom_re_nodes, sizeof(best_atom_re_nodes)); } + // count the number of wildcard in leaf->atom, include half-wildcard. + // e.g. {01 ?2 03} has half-wildcard, its max_len is 1. + // e.g. {01 ?? ?2 03} has one wildcard and one half-wildcard, its max_len is 2. + for (int j = 0; j < leaf->atom.length; j++) + { + if (leaf->atom.mask[j] == 0x00 || leaf->atom.mask[j] == 0x0f || leaf->atom.mask[j] == 0xf0) + mask_len++; + } + + // when too many wildcards (above one wildcard) in leaf->atom, the Aho-Corasick automaton will be larger, and need to extract shorter child atoms and further choose + if (mask_len >= 1) { + _yr_atoms_inner_extract(config, &leaf->atom, (RE_NODE**)&leaf->re_nodes, YR_MAX_ATOM_RE_LENGTH, &choose_atoms); + _yr_atoms_inner_choose(config, &leaf->atom, (RE_NODE**)&leaf->re_nodes, choose_atoms); + yr_atom_node_list_destroy(choose_atoms); + choose_atoms = NULL; + } + _yr_atoms_tree_node_append(current_appending_node, leaf); n = 0; } current_appending_node = si.new_appending_node; best_quality = -1; + mask_len = 0; } if (si.re_node != NULL) @@ -978,7 +1197,7 @@ static int _yr_atoms_extract_from_re( case RE_NODE_MASKED_LITERAL: case RE_NODE_ANY: - if (n < YR_MAX_ATOM_LENGTH) + if (n < YR_MAX_ATOM_RE_LENGTH) { recent_re_nodes[n] = si.re_node; best_atom_re_nodes[n] = si.re_node; @@ -1005,10 +1224,10 @@ static int _yr_atoms_extract_from_re( best_quality = quality; } - for (i = 1; i < YR_MAX_ATOM_LENGTH; i++) + for (i = 1; i < YR_MAX_ATOM_RE_LENGTH; i++) recent_re_nodes[i - 1] = recent_re_nodes[i]; - recent_re_nodes[YR_MAX_ATOM_LENGTH - 1] = si.re_node; + recent_re_nodes[YR_MAX_ATOM_RE_LENGTH - 1] = si.re_node; } break; @@ -1120,7 +1339,7 @@ static int _yr_atoms_extract_from_re( // will append one 'a' to the atom, so YR_MAX_ATOM_LENGTH iterations // are enough. - for (i = 0; i < yr_min(re_node->start, YR_MAX_ATOM_LENGTH); i++) + for (i = 0; i < yr_min(re_node->start, YR_MAX_ATOM_RE_LENGTH); i++) { FAIL_ON_ERROR_WITH_CLEANUP( yr_stack_push(stack, &si), yr_stack_destroy(stack)); diff --git a/libyara/include/yara/atoms.h b/libyara/include/yara/atoms.h index 5a92898071..b7bf9ac56f 100644 --- a/libyara/include/yara/atoms.h +++ b/libyara/include/yara/atoms.h @@ -41,6 +41,7 @@ typedef struct YR_ATOM YR_ATOM; typedef struct YR_ATOM_TREE_NODE YR_ATOM_TREE_NODE; typedef struct YR_ATOM_TREE YR_ATOM_TREE; +typedef struct YR_ATOM_NODE_LIST YR_ATOM_NODE_LIST; typedef struct YR_ATOM_LIST_ITEM YR_ATOM_LIST_ITEM; typedef struct YR_ATOM_QUALITY_TABLE_ENTRY YR_ATOM_QUALITY_TABLE_ENTRY; @@ -72,6 +73,13 @@ struct YR_ATOM_TREE YR_ATOM_TREE_NODE* root_node; }; +struct YR_ATOM_NODE_LIST +{ + YR_ATOM atom; + RE_NODE* re_nodes[YR_MAX_ATOM_RE_LENGTH]; + YR_ATOM_NODE_LIST* next; +}; + struct YR_ATOM_LIST_ITEM { YR_ATOM atom; diff --git a/libyara/include/yara/limits.h b/libyara/include/yara/limits.h index 1e2c78236b..12c6d702ae 100644 --- a/libyara/include/yara/limits.h +++ b/libyara/include/yara/limits.h @@ -60,11 +60,26 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #define YR_MAX_COMPILER_ERROR_EXTRA_INFO 256 #endif -// Maximum size for the substring (atoms) extracted from strings and regular +// Maximum size for the substring (atoms) extracted from regular // expressions and put into the Aho-Corasick automaton. The maximum allows size // for this constant is 255. +#ifndef YR_MAX_ATOM_RE_LENGTH +#define YR_MAX_ATOM_RE_LENGTH 8 +#endif + +// Maximum size for the substring (atoms) extracted from strings +// and put into the Aho-Corasick automaton. The maximum allows size +// for this constant is 255. #ifndef YR_MAX_ATOM_LENGTH -#define YR_MAX_ATOM_LENGTH 4 +#define YR_MAX_ATOM_LENGTH 8 +#endif + +// Minimum size for the substring(atoms) extracted from regular +// expressions and put into the Aho-Corasick automaton. The minimum +// is advised to set based on real rules. If the minimum is too large, +// the atom may be extracted failed, and if the minimum is too small, the quality of atom may be a little low. +#ifndef YR_MIN_VALID_ATOM_LENGTH +#define YR_MIN_VALID_ATOM_LENGTH 4 #endif #ifndef YR_MAX_ATOM_QUALITY