DBG+GUI: removed yara

Author: mrexodia

release.bat

@@ -12,8 +12,6 @@ mkdir %RELEASEDIR%\pluginsdk\jansson
 mkdir %RELEASEDIR%\pluginsdk\lz4
 mkdir %RELEASEDIR%\pluginsdk\TitanEngine
 mkdir %RELEASEDIR%\pluginsdk\XEDParse
-mkdir %RELEASEDIR%\pluginsdk\yara
-mkdir %RELEASEDIR%\pluginsdk\yara\yara
 
 xcopy src\dbg\dbghelp %RELEASEDIR%\pluginsdk\dbghelp /S /Y
 xcopy src\dbg\DeviceNameResolver %RELEASEDIR%\pluginsdk\DeviceNameResolver /S /Y
@@ -22,7 +20,6 @@ xcopy src\dbg\lz4 %RELEASEDIR%\pluginsdk\lz4 /S /Y
 xcopy src\dbg\TitanEngine %RELEASEDIR%\pluginsdk\TitanEngine /S /Y
 del %RELEASEDIR%\pluginsdk\TitanEngine\TitanEngine.txt /F /Q
 xcopy src\dbg\XEDParse %RELEASEDIR%\pluginsdk\XEDParse /S /Y
-xcopy src\dbg\yara %RELEASEDIR%\pluginsdk\yara /S /Y
 copy src\dbg\_plugin_types.h %RELEASEDIR%\pluginsdk\_plugin_types.h
 copy src\dbg\_plugins.h %RELEASEDIR%\pluginsdk\_plugins.h
 copy src\dbg\_scriptapi*.h %RELEASEDIR%\pluginsdk\_scriptapi*.h

src/dbg/commands/cmd-searching.cpp

@@ -7,7 +7,6 @@
 #include "debugger.h"
 #include "filehelper.h"
 #include "label.h"
-#include "yara/yara.h"
 #include "stringformat.h"
 #include "disasm_helper.h"
 #include "symbolinfo.h"
@@ -947,299 +946,6 @@ bool cbInstrGUIDFind(int argc, char* argv[])
     return true;
 }
 
-static void yaraCompilerCallback(int error_level, const char* file_name, int line_number, const char* message, void* user_data)
-{
-    switch(error_level)
-    {
-    case YARA_ERROR_LEVEL_ERROR:
-        dprintf(QT_TRANSLATE_NOOP("DBG", "[YARA ERROR] "));
-        break;
-    case YARA_ERROR_LEVEL_WARNING:
-        dprintf(QT_TRANSLATE_NOOP("DBG", "[YARA WARNING] "));
-        break;
-    }
-    dprintf(QT_TRANSLATE_NOOP("DBG", "File: \"%s\", Line: %d, Message: \"%s\"\n"), file_name, line_number, message);
-}
-
-static String yara_print_string(const uint8_t* data, int length)
-{
-    String result = "\"";
-    const char* str = (const char*)data;
-    for(int i = 0; i < length; i++)
-    {
-        char cur[16] = "";
-        if(str[i] >= 32 && str[i] <= 126)
-            sprintf_s(cur, "%c", str[i]);
-        else
-            sprintf_s(cur, "\\x%02X", (uint8_t)str[i]);
-        result += cur;
-    }
-    result += "\"";
-    return result;
-}
-
-static String yara_print_hex_string(const uint8_t* data, int length)
-{
-    String result = "";
-    for(int i = 0; i < length; i++)
-    {
-        if(i)
-            result += " ";
-        char cur[16] = "";
-        sprintf_s(cur, "%02X", (uint8_t)data[i]);
-        result += cur;
-    }
-    return result;
-}
-
-struct YaraScanInfo
-{
-    duint base;
-    int index;
-    bool rawFile;
-    const char* modname;
-    bool debug;
-
-    YaraScanInfo(duint base, bool rawFile, const char* modname, bool debug)
-        : base(base), index(0), rawFile(rawFile), modname(modname), debug(debug)
-    {
-    }
-};
-
-static int yaraScanCallback(int message, void* message_data, void* user_data)
-{
-    YaraScanInfo* scanInfo = (YaraScanInfo*)user_data;
-    bool debug = scanInfo->debug;
-    switch(message)
-    {
-    case CALLBACK_MSG_RULE_MATCHING:
-    {
-        duint base = scanInfo->base;
-        YR_RULE* yrRule = (YR_RULE*)message_data;
-        auto addReference = [scanInfo, yrRule](duint addr, const char* identifier, const std::string & pattern)
-        {
-            auto index = scanInfo->index;
-            GuiReferenceSetRowCount(index + 1);
-            scanInfo->index++;
-
-            char addr_text[deflen] = "";
-            sprintf_s(addr_text, "%p", addr);
-            GuiReferenceSetCellContent(index, 0, addr_text); //Address
-            String ruleFullName = "";
-            ruleFullName += yrRule->identifier;
-            if(identifier)
-            {
-                ruleFullName += ".";
-                ruleFullName += identifier;
-            }
-            GuiReferenceSetCellContent(index, 1, ruleFullName.c_str()); //Rule
-            GuiReferenceSetCellContent(index, 2, pattern.c_str()); //Data
-        };
-
-        if(STRING_IS_NULL(yrRule->strings))
-        {
-            if(debug)
-                dprintf(QT_TRANSLATE_NOOP("DBG", "[YARA] Global rule \"%s\" matched!\n"), yrRule->identifier);
-            addReference(base, nullptr, "");
-        }
-        else
-        {
-            if(debug)
-                dprintf(QT_TRANSLATE_NOOP("DBG", "[YARA] Rule \"%s\" matched:\n"), yrRule->identifier);
-            YR_STRING* string;
-            yr_rule_strings_foreach(yrRule, string)
-            {
-                YR_MATCH* match;
-                yr_string_matches_foreach(string, match)
-                {
-                    String pattern;
-                    if(STRING_IS_HEX(string))
-                        pattern = yara_print_hex_string(match->data, match->match_length);
-                    else
-                        pattern = yara_print_string(match->data, match->match_length);
-                    auto offset = duint(match->base + match->offset);
-                    duint addr;
-                    if(scanInfo->rawFile) //convert raw offset to virtual offset
-                        addr = valfileoffsettova(scanInfo->modname, offset);
-                    else
-                        addr = base + offset;
-
-                    if(debug)
-                        dprintf(QT_TRANSLATE_NOOP("DBG", "[YARA] String \"%s\" : %s on %p\n"), string->identifier, pattern.c_str(), addr);
-
-                    addReference(addr, string->identifier, pattern);
-                }
-            }
-        }
-    }
-    break;
-
-    case CALLBACK_MSG_RULE_NOT_MATCHING:
-    {
-        YR_RULE* yrRule = (YR_RULE*)message_data;
-        if(debug)
-            dprintf(QT_TRANSLATE_NOOP("DBG", "[YARA] Rule \"%s\" did not match!\n"), yrRule->identifier);
-    }
-    break;
-
-    case CALLBACK_MSG_SCAN_FINISHED:
-    {
-        if(debug)
-            dputs(QT_TRANSLATE_NOOP("DBG", "[YARA] Scan finished!"));
-    }
-    break;
-
-    case CALLBACK_MSG_IMPORT_MODULE:
-    {
-        YR_MODULE_IMPORT* yrModuleImport = (YR_MODULE_IMPORT*)message_data;
-        if(debug)
-            dprintf(QT_TRANSLATE_NOOP("DBG", "[YARA] Imported module \"%s\"!\n"), yrModuleImport->module_name);
-    }
-    break;
-    }
-    return ERROR_SUCCESS; //nicely undocumented what this should be
-}
-
-bool cbInstrYara(int argc, char* argv[])
-{
-    if(IsArgumentsLessThan(argc, 2))
-        return false;
-    duint addr = 0;
-    SELECTIONDATA sel;
-    GuiSelectionGet(GUI_DISASSEMBLY, &sel);
-    addr = sel.start;
-
-    duint base = 0;
-    duint size = 0;
-    duint mod = argc > 2 ? ModBaseFromName(argv[2]) : 0;
-    bool rawFile = false;
-    if(mod)
-    {
-        base = mod;
-        size = ModSizeFromAddr(base);
-        rawFile = argc > 3 && *argv[3] == '1';
-    }
-    else
-    {
-        if(argc > 2 && !valfromstring(argv[2], &addr))
-        {
-            dprintf(QT_TRANSLATE_NOOP("DBG", "Invalid value \"%s\"!\n"), argv[2]);
-            return false;
-        }
-
-        size = 0;
-        if(argc > 3)
-            if(!valfromstring(argv[3], &size))
-                size = 0;
-        if(!size)
-            addr = MemFindBaseAddr(addr, &size);
-        base = addr;
-    }
-    std::vector<unsigned char> rawFileData;
-    if(rawFile) //read the file from disk
-    {
-        char modPath[MAX_PATH] = "";
-        if(!ModPathFromAddr(base, modPath, MAX_PATH))
-        {
-            dprintf(QT_TRANSLATE_NOOP("DBG", "Failed to get module path for %p!\n"), base);
-            return false;
-        }
-        if(!FileHelper::ReadAllData(modPath, rawFileData))
-        {
-            dprintf(QT_TRANSLATE_NOOP("DBG", "Failed to read file \"%s\"!\n"), modPath);
-            return false;
-        }
-        size = rawFileData.size();
-    }
-    Memory<uint8_t*> data(size);
-    if(rawFile)
-        memcpy(data(), rawFileData.data(), size);
-    else
-    {
-        memset(data(), 0xCC, data.size());
-        MemReadDumb(base, data(), size);
-    }
-
-    String rulesContent;
-    if(!FileHelper::ReadAllText(argv[1], rulesContent))
-    {
-        dprintf(QT_TRANSLATE_NOOP("DBG", "Failed to read the rules file \"%s\"\n"), argv[1]);
-        return false;
-    }
-
-    bool bSuccess = false;
-    YR_COMPILER* yrCompiler;
-    if(yr_compiler_create(&yrCompiler) == ERROR_SUCCESS)
-    {
-        yr_compiler_set_callback(yrCompiler, yaraCompilerCallback, 0);
-        if(yr_compiler_add_string(yrCompiler, rulesContent.c_str(), nullptr) == 0) //no errors found
-        {
-            YR_RULES* yrRules;
-            if(yr_compiler_get_rules(yrCompiler, &yrRules) == ERROR_SUCCESS)
-            {
-                //initialize new reference tab
-                char modname[MAX_MODULE_SIZE] = "";
-                if(!ModNameFromAddr(base, modname, true))
-                    sprintf_s(modname, "%p", base);
-                String fullName;
-                const char* fileName = strrchr(argv[1], '\\');
-                if(fileName)
-                    fullName = fileName + 1;
-                else
-                    fullName = argv[1];
-                fullName += " (";
-                fullName += modname;
-                fullName += ")"; //nanana, very ugly code (long live open source)
-                GuiReferenceInitialize(fullName.c_str());
-                GuiReferenceAddColumn(sizeof(duint) * 2, GuiTranslateText(QT_TRANSLATE_NOOP("DBG", "Address")));
-                GuiReferenceAddColumn(48, GuiTranslateText(QT_TRANSLATE_NOOP("DBG", "Rule")));
-                GuiReferenceAddColumn(10, GuiTranslateText(QT_TRANSLATE_NOOP("DBG", "Data")));
-                GuiReferenceSetRowCount(0);
-                GuiReferenceReloadData();
-                YaraScanInfo scanInfo(base, rawFile, argc > 2 ? argv[2] : modname, settingboolget("Engine", "YaraDebug"));
-                duint ticks = GetTickCount();
-                dputs(QT_TRANSLATE_NOOP("DBG", "[YARA] Scan started..."));
-                int err = yr_rules_scan_mem(yrRules, data(), size, 0, yaraScanCallback, &scanInfo, 0);
-                GuiReferenceReloadData();
-                switch(err)
-                {
-                case ERROR_SUCCESS:
-                    dprintf(QT_TRANSLATE_NOOP("DBG", "%u scan results in %ums...\n"), DWORD(scanInfo.index), GetTickCount() - DWORD(ticks));
-                    bSuccess = true;
-                    break;
-                case ERROR_TOO_MANY_MATCHES:
-                    dputs(QT_TRANSLATE_NOOP("DBG", "Too many matches!"));
-                    break;
-                default:
-                    dputs(QT_TRANSLATE_NOOP("DBG", "Error while scanning memory!"));
-                    break;
-                }
-                yr_rules_destroy(yrRules);
-            }
-            else
-                dputs(QT_TRANSLATE_NOOP("DBG", "Error while getting the rules!"));
-        }
-        else
-            dputs(QT_TRANSLATE_NOOP("DBG", "Errors in the rules file!"));
-        yr_compiler_destroy(yrCompiler);
-    }
-    else
-        dputs(QT_TRANSLATE_NOOP("DBG", "yr_compiler_create failed!"));
-    return bSuccess;
-}
-
-bool cbInstrYaramod(int argc, char* argv[])
-{
-    if(IsArgumentsLessThan(argc, 3))
-        return false;
-    if(!ModBaseFromName(argv[2]))
-    {
-        dprintf(QT_TRANSLATE_NOOP("DBG", "Invalid module \"%s\"!\n"), argv[2]);
-        return false;
-    }
-    return cmddirectexec(StringUtils::sprintf("yara \"%s\",\"%s\",%s", argv[1], argv[2], argc > 3 && *argv[3] == '1' ? "1" : "0").c_str());
-}
-
 bool cbInstrSetMaxFindResult(int argc, char* argv[])
 {
     if(IsArgumentsLessThan(argc, 2))

src/dbg/commands/cmd-searching.h

@@ -12,6 +12,4 @@ bool cbInstrRefStr(int argc, char* argv[]);
 bool cbInstrRefFuncionPointer(int argc, char* argv[]);
 bool cbInstrModCallFind(int argc, char* argv[]);
 bool cbInstrGUIDFind(int argc, char* argv[]);
-bool cbInstrYara(int argc, char* argv[]);
-bool cbInstrYaramod(int argc, char* argv[]);
 bool cbInstrSetMaxFindResult(int argc, char* argv[]);

src/dbg/x64dbg.cpp

@@ -26,7 +26,6 @@
 #include "expressionfunctions.h"
 #include "formatfunctions.h"
 #include "stringformat.h"
-#include "yara/yara.h"
 #include "dbghelp_safe.h"
 
 static MESSAGE_STACK* gMsgStack = 0;
@@ -275,8 +274,6 @@ static void registercommands()
     dbgcmdnew("refstr,strref", cbInstrRefStr, true); //find string references
     dbgcmdnew("reffunctionpointer", cbInstrRefFuncionPointer, true); //find function pointers
     dbgcmdnew("modcallfind", cbInstrModCallFind, true); //find intermodular calls
-    dbgcmdnew("yara", cbInstrYara, true); //yara test command
-    dbgcmdnew("yaramod", cbInstrYaramod, true); //yara rule on module
     dbgcmdnew("setmaxfindresult,findsetmaxresult", cbInstrSetMaxFindResult, false); //set the maximum number of occurences found
     dbgcmdnew("guidfind,findguid", cbInstrGUIDFind, true); //find GUID references TODO: undocumented
 
@@ -648,9 +645,6 @@ extern "C" DLL_EXPORT const char* _dbg_dbginit()
     //#endif //ENABLE_MEM_TRACE
     dputs(QT_TRANSLATE_NOOP("DBG", "Initializing Zydis..."));
     Zydis::GlobalInitialize();
-    dputs(QT_TRANSLATE_NOOP("DBG", "Initializing Yara..."));
-    if(yr_initialize() != ERROR_SUCCESS)
-        return "Failed to initialize Yara!";
     dputs(QT_TRANSLATE_NOOP("DBG", "Getting directory information..."));
 
     strcpy_s(scriptDllDir, szProgramDir);
@@ -778,7 +772,6 @@ extern "C" DLL_EXPORT void _dbg_dbgexitsignal()
     dputs(QT_TRANSLATE_NOOP("DBG", "Cleaning up allocated data..."));
     cmdfree();
     varfree();
-    yr_finalize();
     Zydis::GlobalFinalize();
     dputs(QT_TRANSLATE_NOOP("DBG", "Cleaning up wait objects..."));
     waitdeinitialize();