Collect some open PRs for inclusion for 4.3.0 (VirusTotal#1835)

* Fix `pe_rva_to_offset`

* Fix: checking if RVA is inside section
* Fix: real pointer to raw data is aligned down to sector size

* Add pe.import_rva() functions.

Add pe.import_rva("foo.dll", "func1") which returns the RVA of the imported
function. Also add pe.import_rva("foo.dll", 1) which does the same but the
import is done by ordinal.

* Implement delayed import RVA and add docs.

* Add math.length()

Add a math.length() which will return the length of the sequence of bytes,
including any NULL bytes.

Fixes VirusTotal#1778.

* Add string module.

Move the math.to_int() functions and math.length() over to the new string
module. I decided to move the to_int() because it seems logical to convert from
a string to an integer using a string module rather than the math module.

You still use math.to_string() to convert an integer to a string, and use
string.to_int() to convert a string to an integer.

Add tests and docs for string module. Move the appropriate tests from the math
module over to the new string tests.

While here, also add the console module to the bazel build as it was apparently
missing (this is untested).

* Remove unused include.

* Add tests for VirusTotal#1561

* Fix copyright year in string module.

Co-authored-by: Peter Babka <peter.babka@avast.com>

BUILD.bazel

@@ -78,6 +78,8 @@ yara_library(
         "pe",
         "tests",
         "time",
+        "console",
+        "string",
     ],
     modules_srcs = [
         "libyara/modules/cuckoo/cuckoo.c",
@@ -92,6 +94,8 @@ yara_library(
         "libyara/modules/pe/pe_utils.c",
         "libyara/modules/tests/tests.c",
         "libyara/modules/time/time.c",
+        "libyara/modules/console/console.c",
+        "libyara/modules/string/string.c",
     ],
     deps = [
         "@jansson",

Makefile.am

@@ -86,6 +86,8 @@ test_bitmask_SOURCES = tests/test-bitmask.c tests/util.c
 test_bitmask_LDADD = libyara/.libs/libyara.a
 test_math_SOURCES = tests/test-math.c tests/util.c
 test_math_LDADD = libyara/.libs/libyara.a
+test_string_SOURCES = tests/test-string.c tests/util.c
+test_string_LDADD = libyara/.libs/libyara.a
 test_stack_SOURCES = tests/test-stack.c tests/util.c
 test_stack_LDADD = libyara/.libs/libyara.a
 test_re_split_SOURCES = tests/test-re-split.c tests/util.c
@@ -109,7 +111,8 @@ check_PROGRAMS = \
   test-math \
   test-stack \
   test-re-split \
-  test-async
+  test-async \
+  test-string
 
 EXTRA_PROGRAMS = tests/mapper
 CLEANFILES = tests/mapper$(EXEEXT)

docs/modules.rst

@@ -21,6 +21,7 @@ modules in the :ref:`writing-modules` section.
    Dotnet <modules/dotnet>
    Time <modules/time>
    Console <modules/console>
+   String <modules/string>
 
 
 

docs/modules/math.rst

@@ -184,27 +184,3 @@ file and create signatures based on those results.
 
     *Example: math.to_string(32, 16) == "20"*
     *Example: math.to_string(-1, 16) == "ffffffffffffffff"*
-
-.. c:function:: to_int(string)
-
-    .. versionadded:: 4.3.0
-
-    Convert the given string to a signed integer. If the string starts with "0x"
-    it is treated as base 16. If the string starts with "0" it is treated base
-    8. Leading '+' or '-' is also supported.
-
-    *Example: math.to_int("1234") == 1234*
-    *Example: math.to_int("-10") == -10*
-    *Example: math.to_int("-010" == -8*
-
-.. c:function:: to_int(string, base)
-
-    .. versionadded:: 4.3.0
-
-    Convert the given string, interpreted with the given base, to a signed
-    integer. Base must be 0 or between 2 and 32 inclusive. If it is zero then
-    the string will be intrepreted as base 16 if it starts with "0x" or as base
-    8 if it starts with "0". Leading '+' or '-' is also supported.
-
-    *Example: math.to_int("011", 8) == "9"*
-    *Example: math.to_int("-011", 0) == "-9"*

docs/modules/pe.rst

@@ -1373,6 +1373,42 @@ Reference
 
     *Example: pe.delayed_import_details[1].name == "library_name"
 
+.. c:function:: import_rva(dll, function)
+
+    .. versionadded:: 4.3.0
+
+    Function returning the RVA of an import that matches the DLL name and
+    function name.
+
+    *Example: pe.import_rva("PtImageRW.dll", "ord4") == 254924
+
+.. c:function:: import_rva(dll, ordinal)
+
+    .. versionadded:: 4.3.0
+
+    Function returning the RVA of an import that matches the DLL name and
+    ordinal number.
+
+    *Example: pe.import_rva("PtPDF417Decode.dll", 4) == 254924
+
+.. c:function:: delayed_import_rva(dll, function)
+
+    .. versionadded:: 4.3.0
+
+    Function returning the RVA of a delayed import that matches the DLL name and
+    function name.
+
+    *Example: pe.delayed_import_rva("QDB.dll", "ord116") == 6110705
+
+.. c:function:: delayed_import_rva(dll, ordinal)
+
+    .. versionadded:: 4.3.0
+
+    Function returning the RVA of a delayed import that matches the DLL name and
+    ordinal number.
+
+    *Example: pe.delayed_import_rva("QDB.dll", 116) == 6110705
+
 .. c:function:: locale(locale_identifier)
 
     .. versionadded:: 3.2.0

docs/modules/string.rst

@@ -0,0 +1,46 @@
+
+.. _string-module:
+
+###########
+String module
+###########
+
+.. versionadded:: 4.3.0
+
+The String module provides functions for manipulating strings as returned by
+modules. The strings referenced here are not YARA strings as defined in the
+strings section of your rule.
+
+.. c:function:: to_int(string)
+
+    .. versionadded:: 4.3.0
+
+    Convert the given string to a signed integer. If the string starts with "0x"
+    it is treated as base 16. If the string starts with "0" it is treated base
+    8. Leading '+' or '-' is also supported.
+
+    *Example: string.to_int("1234") == 1234*
+    *Example: string.to_int("-10") == -10*
+    *Example: string.to_int("-010" == -8*
+
+.. c:function:: to_int(string, base)
+
+    .. versionadded:: 4.3.0
+
+    Convert the given string, interpreted with the given base, to a signed
+    integer. Base must be 0 or between 2 and 32 inclusive. If it is zero then
+    the string will be intrepreted as base 16 if it starts with "0x" or as base
+    8 if it starts with "0". Leading '+' or '-' is also supported.
+
+    *Example: string.to_int("011", 8) == "9"*
+    *Example: string.to_int("-011", 0) == "-9"*
+
+.. c:function:: length(string)
+
+    .. versionadded:: 4.3.0
+
+    Return the length of the string, which can be any sequence of bytes. NULL
+    bytes included.
+
+    *Example: string.length("AXS\x00ERS") == 7*
+

libyara/Makefile.am

@@ -48,6 +48,8 @@ MODULES += modules/pe/pe_utils.c
 
 MODULES += modules/console/console.c
 
+MODULES += modules/string/string.c
+
 if CUCKOO_MODULE
 MODULES += modules/cuckoo/cuckoo.c
 endif

libyara/include/yara/pe.h

@@ -874,6 +874,9 @@ typedef struct _RICH_SIGNATURE
 #define RICH_DANS 0x536e6144  // "DanS"
 #define RICH_RICH 0x68636952  // "Rich"
 
+#define PE_PAGE_SIZE   0x1000
+#define PE_SECTOR_SIZE 0x0200
+
 #pragma pack(pop)
 
 #endif

libyara/modules/math/math.c

@@ -28,7 +28,6 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 
 #include <stdlib.h>
-#include <errno.h>
 #include <math.h>
 #include <yara/mem.h>
 #include <yara/modules.h>
@@ -759,21 +758,6 @@ define_function(to_string_base)
   return_string(&str);
 }
 
-define_function(to_int)
-{
-  char* s = string_argument(1);
-  int64_t result = strtoll(s, NULL, 0);
-  return_integer(result == 0 && errno ? YR_UNDEFINED : result);
-}
-
-define_function(to_int_base)
-{
-  char* s = string_argument(1);
-  int64_t base = integer_argument(2);
-  int64_t result = strtoll(s, NULL, base);
-  return_integer(result == 0 && errno ? YR_UNDEFINED : result);
-}
-
 begin_declarations
   declare_float("MEAN_BYTES");
   declare_function("in_range", "fff", "i", in_range);
@@ -799,8 +783,6 @@ begin_declarations
   declare_function("mode", "", "i", mode_global);
   declare_function("to_string", "i", "s", to_string);
   declare_function("to_string", "ii", "s", to_string_base);
-  declare_function("to_int", "s", "i", to_int);
-  declare_function("to_int", "si", "i", to_int_base);
 end_declarations
 
 int module_initialize(YR_MODULE* module)

libyara/modules/module_list

@@ -4,6 +4,7 @@ MODULE(elf)
 MODULE(math)
 MODULE(time)
 MODULE(console)
+MODULE(string)
 
 #ifdef DOTNET_MODULE
 MODULE(dotnet)