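/// <summary>
/// Wraps the matched rule and collects every string match YARA reported for it,
/// keyed by the text that <c>GetYRString</c> reads from the string's identifier pointer.
/// </summary>
/// <param name="matchingRule">Native rule record for which a match was reported.</param>
public ScanResult(YR_RULE matchingRule)
{
    MatchingRule = new Rule(matchingRule);
    Matches = new Dictionary<string, List<Match>>();

    ObjRefHelper.ForEachYaraStringInObjRef(matchingRule.strings, str =>
    {
        IntPtr identifier = str.identifier;
        if (identifier == IntPtr.Zero)
        {
            // No identifier to key on: skip this string and let the helper move on.
            return;
        }

        // Read the identifier text at most once per string instead of once per
        // match, but still only when a match actually exists so a string without
        // matches never dereferences the pointer.
        string matchText = null;
        ObjRefHelper.ForEachStringMatches(str, match =>
        {
            if (matchText == null)
            {
                matchText = ObjRefHelper.GetYRString(identifier);
            }

            // Single lookup instead of ContainsKey + Add + indexer.
            List<Match> bucket;
            if (!Matches.TryGetValue(matchText, out bucket))
            {
                bucket = new List<Match>();
                Matches.Add(matchText, bucket);
            }
            bucket.Add(new Match(match));
        });
    });
}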
/// <summary>
/// Copies the identifier, tags, metas and atom count out of a native <c>YR_RULE</c>.
/// </summary>
/// <param name="rule">Native rule record to read from.</param>
public Rule(YR_RULE rule)
{
    // PtrToStringAnsi yields null when the identifier pointer is zero.
    Identifier = Marshal.PtrToStringAnsi(rule.identifier);

    var tagList = new List<string>(ObjRefHelper.IterateCStrings(rule.tags));
    Tags = tagList;

    var metaPairs = ObjRefHelper.GetMetas(rule.metas)
        .Select(meta => ExtractMetaValue(meta));
    Metas = metaPairs.ToDictionary();

    AtomsCount = rule.num_atoms;
}
/// <summary>
/// Copies the identifier, tags, metas and time cost out of a native <c>YR_RULE</c>.
/// </summary>
/// <param name="rule">Native rule record to read from.</param>
public Rule(YR_RULE rule)
{
    // PtrToStringAnsi yields null when the identifier pointer is zero.
    Identifier = Marshal.PtrToStringAnsi(rule.identifier);

    Tags = new List<string>();
    ObjRefHelper.ForEachStringInObjRef(rule.tags, tag => Tags.Add(tag));

    var metaPairs = ObjRefHelper.GetMetas(rule.metas)
        .Select(meta => ExtractMetaValue(meta));
    Metas = metaPairs.ToDictionary();

    TimeCost = rule.time_cost;
}
/// <summary>
/// Copies the identifier and tags out of a native <c>YR_RULE</c>.
/// </summary>
/// <param name="rule">Native rule record to read from.</param>
public Rule(YR_RULE rule)
{
    // PtrToStringAnsi yields null when the identifier pointer is zero.
    Identifier = Marshal.PtrToStringAnsi(rule.identifier);

    Tags = new List<string>();
    ObjRefHelper.ForEachStringInObjRef(rule.tags, tag => Tags.Add(tag));
}
/// <summary>
/// Scan callback handed to native YARA. On <c>CALLBACK_MSG_RULE_MATCHING</c> it
/// reads a <c>YR_RULE</c> from <paramref name="data"/> and appends a
/// <see cref="ScanResult"/> to the <c>List&lt;ScanResult&gt;</c> recovered from the
/// <see cref="GCHandle"/> encoded in <paramref name="context"/>. Every other
/// message is ignored. Always returns <c>Continue</c>.
/// </summary>
/// <param name="message">Native callback message id.</param>
/// <param name="data">Pointer to message-specific data; a <c>YR_RULE</c> for a rule match.</param>
/// <param name="context">User context, expected to be a <see cref="GCHandle"/> to the result list.</param>
/// <returns><c>YR_CALLBACK_RESULT.Continue</c>.</returns>
private YR_CALLBACK_RESULT HandleMessage(int message, IntPtr data, IntPtr context)
{
    // NOTE(review): this runs on a native frame. An exception thrown here (a null or
    // non-list handle target, or an unreadable data pointer) cannot be handled by the
    // native caller; confirm the scan entry point guards against that.
    if (message != Constants.CALLBACK_MSG_RULE_MATCHING)
    {
        return YR_CALLBACK_RESULT.Continue;
    }

    var target = GCHandle.FromIntPtr(context).Target;
    var collected = (List<ScanResult>)target;
    var matched = Marshal.PtrToStructure<YR_RULE>(data);
    collected.Add(new ScanResult(matched));

    return YR_CALLBACK_RESULT.Continue;
}
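/// <summary>
/// Wraps the matched rule and collects its string matches from the scan context,
/// keyed by the text <c>ReadYaraString</c> yields for each string. Also records the
/// rule's profiling info the first time a match is seen, when the context provides it.
/// </summary>
/// <param name="scanContext">Native scan context; the match and profiling pointers are read from it.</param>
/// <param name="matchingRule">Native rule record for which a match was reported.</param>
public ScanResult(IntPtr scanContext, YR_RULE matchingRule)
{
    IntPtr matchesPtr = GetMatchesPtr(scanContext);
    IntPtr profilingInfoPtr = GetProfilingInfoPtr(scanContext);
    MatchingRule = new Rule(matchingRule);
    Matches = new Dictionary<string, List<Match>>();

    foreach (var str in ObjRefHelper.GetYaraStrings(matchingRule.strings))
    {
        if (str.identifier == IntPtr.Zero)
        {
            // NOTE(review): a zero identifier ends processing of every remaining
            // string (nothing follows this loop, so this equals the original
            // return); confirm it is the list terminator rather than a single
            // string that should merely be skipped.
            break;
        }

        // Read the string text at most once per string instead of once per
        // match, but only when a match exists so an unmatched string never
        // dereferences its pointer.
        string matchText = null;
        foreach (var match in ObjRefHelper.GetStringMatches(matchesPtr, str))
        {
            if (matchText == null)
            {
                matchText = ObjRefHelper.ReadYaraString(str);
            }

            // Single lookup instead of ContainsKey + Add + indexer.
            List<Match> bucket;
            if (!Matches.TryGetValue(matchText, out bucket))
            {
                bucket = new List<Match>();
                Matches.Add(matchText, bucket);
            }
            bucket.Add(new Match(match));

            // Profiling info is looked up lazily, only once a match is known.
            // NOTE(review): rule_idx is narrowed to int here — confirm its native
            // width so the cast cannot wrap.
            if (ProfilingInfo == null)
            {
                var profInfo = ObjRefHelper.TryGetProfilingInfoForRule(profilingInfoPtr, (int)str.rule_idx);
                if (profInfo.HasValue)
                {
                    ProfilingInfo = new ProfilingInfo(profInfo.Value);
                }
            }
        }
    }
}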