public ScanResult(YR_RULE matchingRule)
{
MatchingRule = new Rule(matchingRule);
Matches = new Dictionary <string, List <Match> >();
ObjRefHelper.ForEachYaraStringInObjRef(matchingRule.strings, str =>
{
var identifier = str.identifier;
if (identifier == IntPtr.Zero)
{
return;
}
ObjRefHelper.ForEachStringMatches(str, match =>
{
string matchText = ObjRefHelper.GetYRString(identifier);
if (!Matches.ContainsKey(matchText))
{
Matches.Add(matchText, new List <Match>());
}
Matches[matchText].Add(new Match(match));
});
});
}
public Rule(YR_RULE rule)
{
IntPtr ptr = rule.identifier;
Identifier = Marshal.PtrToStringAnsi(ptr);
Tags = ObjRefHelper.IterateCStrings(rule.tags).ToList();
Metas = ObjRefHelper.GetMetas(rule.metas).Select(ExtractMetaValue).ToDictionary();
AtomsCount = rule.num_atoms;
}
public Rule(YR_RULE rule)
{
IntPtr ptr = rule.identifier;
Identifier = Marshal.PtrToStringAnsi(ptr);
Tags = new List <string>();
ObjRefHelper.ForEachStringInObjRef(rule.tags, Tags.Add);
Metas = ObjRefHelper.GetMetas(rule.metas).Select(ExtractMetaValue).ToDictionary();
TimeCost = rule.time_cost;
}
public Rule(YR_RULE rule)
{
IntPtr ptr = rule.identifier;
Identifier = Marshal.PtrToStringAnsi(ptr);
Tags = new List <string>();
ObjRefHelper.ForEachStringInObjRef(rule.tags, Tags.Add);
}
private YR_CALLBACK_RESULT HandleMessage(
int message,
IntPtr data,
IntPtr context)
{
if (message == Constants.CALLBACK_MSG_RULE_MATCHING)
{
var resultsHandle = GCHandle.FromIntPtr(context);
var results = (List <ScanResult>)resultsHandle.Target;
YR_RULE rule = Marshal.PtrToStructure <YR_RULE>(data);
results.Add(new ScanResult(rule));
}
return(YR_CALLBACK_RESULT.Continue);
}
public ScanResult(IntPtr scanContext, YR_RULE matchingRule)
{
IntPtr matchesPtr = GetMatchesPtr(scanContext);
IntPtr profilingInfoPtr = GetProfilingInfoPtr(scanContext);
MatchingRule = new Rule(matchingRule);
Matches = new Dictionary <string, List <Match> >();
var matchingStrings = ObjRefHelper.GetYaraStrings(matchingRule.strings);
foreach (var str in matchingStrings)
{
var identifier = str.identifier;
if (identifier == IntPtr.Zero)
{
return;
}
var matches = ObjRefHelper.GetStringMatches(matchesPtr, str);
foreach (var match in matches)
{
string matchText = ObjRefHelper.ReadYaraString(str);
if (!Matches.ContainsKey(matchText))
{
Matches.Add(matchText, new List <Match>());
}
Matches[matchText].Add(new Match(match));
if (ProfilingInfo == null)
{
var profInfo = ObjRefHelper.TryGetProfilingInfoForRule(profilingInfoPtr, (int)str.rule_idx);
if (profInfo.HasValue)
{
ProfilingInfo = new ProfilingInfo(profInfo.Value);
}
}
}
}
}
