Skip to content

Instantly share code, notes, and snippets.

@genotrance

genotrance/yara.nim

Last active April 8, 2022 13:28
Show Gist options
  • Star 1 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save genotrance/e4a4820e7853d5d776e1b072db5d411b to your computer and use it in GitHub Desktop.
Save genotrance/e4a4820e7853d5d776e1b072db5d411b to your computer and use it in GitHub Desktop.
Download ZIP
Nim wrapper for libyara using nimterop
Raw
yara.nim
# nim c -d:yaraGit yara.nim
# nim c -d:yaraGit -d:yaraStatic yara.nim
import os
import nimterop/[build, cimport]
const
baseDir = getProjectCacheDir("nimyara")
getHeader(
"yara.h",
giturl = "https://github.com/VirusTotal/yara",
outdir = baseDir
)
static:
cDebug()
cOverride:
type
timeval = object
timespec = object
pthread_t = object
pthread_key_t = object
pthread_mutex_t = object
jmp_buf = object
cPlugin:
import strutils
proc onSymbol*(sym: var Symbol) {.exportc, dynlib.} =
if sym.name.startsWith("_"):
sym.name = sym.name[1 .. ^1]
elif sym.name.endsWith("_"):
sym.name = sym.name & "g"
cIncludeDir(yaraPath.parentDir)
cImport(yaraPath, recurse = true)
cPassL("-lssl -lcrypto -lpthread -lm")
Raw
zwrapper.nim
# Generated @ 2020-10-06T10:58:58-05:00
# Command line:
# /home/nimterop/nimterop/toast --preprocess -m:c --recurse --includeDirs+=/home/gt/.cache/nim/nimterop/nimyara/libyara/include --pnim --symOverride=timeval,timespec,pthread_t,pthread_key_t,pthread_mutex_t,jmp_buf --nim:/home/gt/.choosenim/toolchains/nim-1.0.8/bin/nim --pluginSourcePath=/home/gt/.cache/nim/nimterop/cPlugins/nimterop_2208387551.nim /home/gt/.cache/nim/nimterop/nimyara/libyara/include/yara.h -o /home/gt/.cache/nim/nimterop/toastCache/nimterop_2061842030.nim
# const 'bool' has unsupported value 'int'
# const 'YR_API' has unsupported value 'EXTERNC __attribute__((visibility ("default")))'
# const 'YR_DEPRECATED_API' has unsupported value 'YR_API __attribute__((deprecated))'
# const 'YR_FILE_DESCRIPTOR' has unsupported value 'int'
# const 'YR_ARENA_NULL_REF' has unsupported value '(YR_ARENA_REF){ UINT32_MAX, UINT32_MAX }'
# const 'YR_BITMASK' has unsupported value 'unsigned long'
# const 'YR_BITMASK_SLOT_BITS' has unsupported value '(sizeof(YR_BITMASK) * 8)'
# const 'OBJECT_COMMON_FIELDS' has unsupported value 'int canary; int8_t type; const char* identifier; YR_OBJECT* parent; void* data;'
# const 'OP_INT_END' has unsupported value 'OP_INT_MINUS'
# const 'OP_DBL_END' has unsupported value 'OP_DBL_MINUS'
# const 'YR_VERSION' has unsupported value 'version_str(YR_MAJOR_VERSION) "." version_str(YR_MINOR_VERSION) "." version_str(YR_MICRO_VERSION)'
# const 'module_declarations' has unsupported value 'YR_CONCAT(MODULE_NAME, __declarations)'
# const 'module_load' has unsupported value 'YR_CONCAT(MODULE_NAME, __load)'
# const 'module_unload' has unsupported value 'YR_CONCAT(MODULE_NAME, __unload)'
# const 'module_initialize' has unsupported value 'YR_CONCAT(MODULE_NAME, __initialize)'
# const 'module_finalize' has unsupported value 'YR_CONCAT(MODULE_NAME, __finalize)'
# const 'begin_declarations' has unsupported value 'int module_declarations(YR_OBJECT* module) { YR_OBJECT* stack[64]; int stack_top = 0; stack[stack_top] = module;'
# const 'end_declarations' has unsupported value 'return ERROR_SUCCESS; }'
{.push hint[ConvFromXtoItselfNotNeeded]: off.}
import macros
macro defineEnum(typ: untyped): untyped =
result = newNimNode(nnkStmtList)
# Enum mapped to distinct cint
result.add quote do:
type `typ`* = distinct cint
for i in ["+", "-", "*", "div", "mod", "shl", "shr", "or", "and", "xor", "<", "<=", "==", ">", ">="]:
let
ni = newIdentNode(i)
typout = if i[0] in "<=>": newIdentNode("bool") else: typ # comparisons return bool
if i[0] == '>': # cannot borrow `>` and `>=` from templates
let
nopp = if i.len == 2: newIdentNode("<=") else: newIdentNode("<")
result.add quote do:
proc `ni`*(x: `typ`, y: cint): `typout` = `nopp`(y, x)
proc `ni`*(x: cint, y: `typ`): `typout` = `nopp`(y, x)
proc `ni`*(x, y: `typ`): `typout` = `nopp`(y, x)
else:
result.add quote do:
proc `ni`*(x: `typ`, y: cint): `typout` {.borrow.}
proc `ni`*(x: cint, y: `typ`): `typout` {.borrow.}
proc `ni`*(x, y: `typ`): `typout` {.borrow.}
result.add quote do:
proc `ni`*(x: `typ`, y: int): `typout` = `ni`(x, y.cint)
proc `ni`*(x: int, y: `typ`): `typout` = `ni`(x.cint, y)
let
divop = newIdentNode("/") # `/`()
dlrop = newIdentNode("$") # `$`()
notop = newIdentNode("not") # `not`()
result.add quote do:
proc `divop`*(x, y: `typ`): `typ` = `typ`((x.float / y.float).cint)
proc `divop`*(x: `typ`, y: cint): `typ` = `divop`(x, `typ`(y))
proc `divop`*(x: cint, y: `typ`): `typ` = `divop`(`typ`(x), y)
proc `divop`*(x: `typ`, y: int): `typ` = `divop`(x, y.cint)
proc `divop`*(x: int, y: `typ`): `typ` = `divop`(x.cint, y)
proc `dlrop`*(x: `typ`): string {.borrow.}
proc `notop`*(x: `typ`): `typ` {.borrow.}
{.pragma: impyaraHdr,
header: "/home/gt/.cache/nim/nimterop/nimyara/libyara/include/yara.h".}
{.experimental: "codeReordering".}
{.passC: "-I/home/gt/.cache/nim/nimterop/nimyara/libyara/include".}
defineEnum(YR_CONFIG_NAME) ## ```
## Enumerated type listing configuration options
## ```
const
true* = 1
false* = 0
MAX_PATH* = 1024
YR_MAX_THREADS* = 32
YR_MAX_ARENA_BUFFERS* = 16
YR_MAX_COMPILER_ERROR_EXTRA_INFO* = 256
YR_MAX_ATOM_LENGTH* = 4
YR_MAX_ATOM_QUALITY* = 255
YR_MIN_ATOM_QUALITY* = 0
YR_ATOM_QUALITY_WARNING_THRESHOLD* = YR_MAX_ATOM_QUALITY -
typeof(YR_MAX_ATOM_QUALITY)(20 *
typeof(YR_MAX_ATOM_QUALITY)(YR_MAX_ATOM_LENGTH)) +
typeof(YR_MAX_ATOM_QUALITY)(38)
YR_ATOMS_PER_RULE_WARNING_THRESHOLD* = 10000
YR_MAX_LOOP_NESTING* = 4
YR_MAX_LOOP_VARS* = 2
YR_MAX_INCLUDE_DEPTH* = 16
YR_MAX_STRING_MATCHES* = 1000000
YR_MAX_FUNCTION_ARGS* = 128
YR_MAX_OVERLOADED_FUNCTIONS* = 10
YR_MAX_FAST_RE_STACK* = 300
YR_STRING_CHAINING_THRESHOLD* = 200
YR_LEX_BUF_SIZE* = 8192
YR_MATCH_VERIFICATION_PROFILING_RATE* = 1024
RE_MAX_SPLIT_ID* = 128
RE_MAX_STACK* = 1024
YR_RE_SCAN_LIMIT* = 4096
RE_MAX_FIBERS* = 1024
EOL* = (cast[uint32](-1))
YR_ARENA_FILE_VERSION* = 18
SIZED_STRING_FLAGS_NO_CASE* = 1
SIZED_STRING_FLAGS_DOT_ALL* = 2
RULE_FLAGS_PRIVATE* = 0x00000001
RULE_FLAGS_GLOBAL* = 0x00000002
RULE_FLAGS_NULL* = 0x00000004
RULE_FLAGS_DISABLED* = 0x00000008
STRING_FLAGS_REFERENCED* = 0x00000001
STRING_FLAGS_HEXADECIMAL* = 0x00000002
STRING_FLAGS_NO_CASE* = 0x00000004
STRING_FLAGS_ASCII* = 0x00000008
STRING_FLAGS_WIDE* = 0x00000010
STRING_FLAGS_REGEXP* = 0x00000020
STRING_FLAGS_FAST_REGEXP* = 0x00000040
STRING_FLAGS_FULL_WORD* = 0x00000080
STRING_FLAGS_ANONYMOUS* = 0x00000100
STRING_FLAGS_SINGLE_MATCH* = 0x00000200
STRING_FLAGS_LITERAL* = 0x00000400
STRING_FLAGS_FITS_IN_ATOM* = 0x00000800
STRING_FLAGS_LAST_IN_RULE* = 0x00001000
STRING_FLAGS_CHAIN_PART* = 0x00002000
STRING_FLAGS_CHAIN_TAIL* = 0x00004000
STRING_FLAGS_FIXED_OFFSET* = 0x00008000
STRING_FLAGS_GREEDY_REGEXP* = 0x00010000
STRING_FLAGS_DOT_ALL* = 0x00020000
STRING_FLAGS_DISABLED* = 0x00040000
STRING_FLAGS_XOR* = 0x00080000
STRING_FLAGS_PRIVATE* = 0x00100000
STRING_FLAGS_BASE64* = 0x00200000
STRING_FLAGS_BASE64_WIDE* = 0x00400000
META_TYPE_INTEGER* = 1
META_TYPE_STRING* = 2
META_TYPE_BOOLEAN* = 3
META_FLAGS_LAST_IN_RULE* = 1
EXTERNAL_VARIABLE_TYPE_NULL* = 0
EXTERNAL_VARIABLE_TYPE_FLOAT* = 1
EXTERNAL_VARIABLE_TYPE_INTEGER* = 2
EXTERNAL_VARIABLE_TYPE_BOOLEAN* = 3
EXTERNAL_VARIABLE_TYPE_STRING* = 4
EXTERNAL_VARIABLE_TYPE_MALLOC_STRING* = 5
RE_NODE_LITERAL* = 1
RE_NODE_MASKED_LITERAL* = 2
RE_NODE_ANY* = 3
RE_NODE_CONCAT* = 4
RE_NODE_ALT* = 5
RE_NODE_RANGE* = 6
RE_NODE_STAR* = 7
RE_NODE_PLUS* = 8
RE_NODE_CLASS* = 9
RE_NODE_WORD_CHAR* = 10
RE_NODE_NON_WORD_CHAR* = 11
RE_NODE_SPACE* = 12
RE_NODE_NON_SPACE* = 13
RE_NODE_DIGIT* = 14
RE_NODE_NON_DIGIT* = 15
RE_NODE_EMPTY* = 16
RE_NODE_ANCHOR_START* = 17
RE_NODE_ANCHOR_END* = 18
RE_NODE_WORD_BOUNDARY* = 19
RE_NODE_NON_WORD_BOUNDARY* = 20
RE_NODE_RANGE_ANY* = 21
RE_OPCODE_ANY* = 0x000000A0
RE_OPCODE_LITERAL* = 0x000000A2
RE_OPCODE_MASKED_LITERAL* = 0x000000A4
RE_OPCODE_CLASS* = 0x000000A5
RE_OPCODE_WORD_CHAR* = 0x000000A7
RE_OPCODE_NON_WORD_CHAR* = 0x000000A8
RE_OPCODE_SPACE* = 0x000000A9
RE_OPCODE_NON_SPACE* = 0x000000AA
RE_OPCODE_DIGIT* = 0x000000AB
RE_OPCODE_NON_DIGIT* = 0x000000AC
RE_OPCODE_MATCH* = 0x000000AD
RE_OPCODE_MATCH_AT_END* = 0x000000B0
RE_OPCODE_MATCH_AT_START* = 0x000000B1
RE_OPCODE_WORD_BOUNDARY* = 0x000000B2
RE_OPCODE_NON_WORD_BOUNDARY* = 0x000000B3
RE_OPCODE_REPEAT_ANY_GREEDY* = 0x000000B4
RE_OPCODE_REPEAT_ANY_UNGREEDY* = 0x000000B5
RE_OPCODE_SPLIT_A* = 0x000000C0
RE_OPCODE_SPLIT_B* = 0x000000C1
RE_OPCODE_JUMP* = 0x000000C2
RE_OPCODE_REPEAT_START_GREEDY* = 0x000000C3
RE_OPCODE_REPEAT_END_GREEDY* = 0x000000C4
RE_OPCODE_REPEAT_START_UNGREEDY* = 0x000000C5
RE_OPCODE_REPEAT_END_UNGREEDY* = 0x000000C6
RE_FLAGS_FAST_REGEXP* = 0x00000002
RE_FLAGS_BACKWARDS* = 0x00000004
RE_FLAGS_EXHAUSTIVE* = 0x00000008
RE_FLAGS_WIDE* = 0x00000010
RE_FLAGS_NO_CASE* = 0x00000020
RE_FLAGS_SCAN* = 0x00000040
RE_FLAGS_DOT_ALL* = 0x00000080
RE_FLAGS_GREEDY* = 0x00000400
RE_FLAGS_UNGREEDY* = 0x00000800
ATOM_TREE_LEAF* = 1
ATOM_TREE_AND* = 2
ATOM_TREE_OR* = 3
YR_AC_SLOT_OFFSET_BITS* = 9
YR_AC_MAX_TRANSITION_TABLE_SIZE* = 0x00800000
YR_AC_ROOT_STATE* = 0
YARA_ERROR_LEVEL_ERROR* = 0
YARA_ERROR_LEVEL_WARNING* = 1
EXPRESSION_TYPE_UNKNOWN* = 0
EXPRESSION_TYPE_BOOLEAN* = 1
EXPRESSION_TYPE_INTEGER* = 2
EXPRESSION_TYPE_STRING* = 4
EXPRESSION_TYPE_REGEXP* = 8
EXPRESSION_TYPE_OBJECT* = 16
EXPRESSION_TYPE_FLOAT* = 32
YR_NAMESPACES_TABLE* = 0
YR_RULES_TABLE* = 1
YR_METAS_TABLE* = 2
YR_STRINGS_TABLE* = 3
YR_EXTERNAL_VARIABLES_TABLE* = 4
YR_SZ_POOL* = 5
YR_CODE_SECTION* = 6
YR_RE_CODE_SECTION* = 7
YR_AC_TRANSITION_TABLE* = 8
YR_AC_STATE_MATCHES_TABLE* = 9
YR_AC_STATE_MATCHES_POOL* = 10
YR_SUMMARY_SECTION* = 11
YR_NUM_SECTIONS* = 12
YR_INTERNAL_LOOP_VARS* = 3
ERROR_SUCCESS* = 0
ERROR_INSUFICIENT_MEMORY* = 1
ERROR_INSUFFICIENT_MEMORY* = 1
ERROR_COULD_NOT_ATTACH_TO_PROCESS* = 2
ERROR_COULD_NOT_OPEN_FILE* = 3
ERROR_COULD_NOT_MAP_FILE* = 4
ERROR_INVALID_FILE* = 6
ERROR_CORRUPT_FILE* = 7
ERROR_UNSUPPORTED_FILE_VERSION* = 8
ERROR_INVALID_REGULAR_EXPRESSION* = 9
ERROR_INVALID_HEX_STRING* = 10
ERROR_SYNTAX_ERROR* = 11
ERROR_LOOP_NESTING_LIMIT_EXCEEDED* = 12
ERROR_DUPLICATED_LOOP_IDENTIFIER* = 13
ERROR_DUPLICATED_IDENTIFIER* = 14
ERROR_DUPLICATED_TAG_IDENTIFIER* = 15
ERROR_DUPLICATED_META_IDENTIFIER* = 16
ERROR_DUPLICATED_STRING_IDENTIFIER* = 17
ERROR_UNREFERENCED_STRING* = 18
ERROR_UNDEFINED_STRING* = 19
ERROR_UNDEFINED_IDENTIFIER* = 20
ERROR_MISPLACED_ANONYMOUS_STRING* = 21
ERROR_INCLUDES_CIRCULAR_REFERENCE* = 22
ERROR_INCLUDE_DEPTH_EXCEEDED* = 23
ERROR_WRONG_TYPE* = 24
ERROR_EXEC_STACK_OVERFLOW* = 25
ERROR_SCAN_TIMEOUT* = 26
ERROR_TOO_MANY_SCAN_THREADS* = 27
ERROR_CALLBACK_ERROR* = 28
ERROR_INVALID_ARGUMENT* = 29
ERROR_TOO_MANY_MATCHES* = 30
ERROR_INTERNAL_FATAL_ERROR* = 31
ERROR_NESTED_FOR_OF_LOOP* = 32
ERROR_INVALID_FIELD_NAME* = 33
ERROR_UNKNOWN_MODULE* = 34
ERROR_NOT_A_STRUCTURE* = 35
ERROR_NOT_INDEXABLE* = 36
ERROR_NOT_A_FUNCTION* = 37
ERROR_INVALID_FORMAT* = 38
ERROR_TOO_MANY_ARGUMENTS* = 39
ERROR_WRONG_ARGUMENTS* = 40
ERROR_WRONG_RETURN_TYPE* = 41
ERROR_DUPLICATED_STRUCTURE_MEMBER* = 42
ERROR_EMPTY_STRING* = 43
ERROR_DIVISION_BY_ZERO* = 44
ERROR_REGULAR_EXPRESSION_TOO_LARGE* = 45
ERROR_TOO_MANY_RE_FIBERS* = 46
ERROR_COULD_NOT_READ_PROCESS_MEMORY* = 47
ERROR_INVALID_EXTERNAL_VARIABLE_TYPE* = 48
ERROR_REGULAR_EXPRESSION_TOO_COMPLEX* = 49
ERROR_INVALID_MODULE_NAME* = 50
ERROR_TOO_MANY_STRINGS* = 51
ERROR_INTEGER_OVERFLOW* = 52
ERROR_CALLBACK_REQUIRED* = 53
ERROR_INVALID_OPERAND* = 54
ERROR_COULD_NOT_READ_FILE* = 55
ERROR_DUPLICATED_EXTERNAL_VARIABLE* = 56
ERROR_INVALID_MODULE_DATA* = 57
ERROR_WRITING_FILE* = 58
ERROR_INVALID_MODIFIER* = 59
ERROR_DUPLICATED_MODIFIER* = 60
SCAN_FLAGS_FAST_MODE* = 1
SCAN_FLAGS_PROCESS_MEMORY* = 2
SCAN_FLAGS_NO_TRYCATCH* = 4
SCAN_FLAGS_REPORT_RULES_MATCHING* = 8
SCAN_FLAGS_REPORT_RULES_NOT_MATCHING* = 16
CALLBACK_MSG_RULE_MATCHING* = 1
CALLBACK_MSG_RULE_NOT_MATCHING* = 2
CALLBACK_MSG_SCAN_FINISHED* = 3
CALLBACK_MSG_IMPORT_MODULE* = 4
CALLBACK_MSG_MODULE_IMPORTED* = 5
CALLBACK_CONTINUE* = 0
CALLBACK_ABORT* = 1
CALLBACK_ERROR* = 2
YR_UNDEFINED* = 0x0000000000000000'i64
OP_ERROR* = 0
OP_HALT* = 255
OP_NOP* = 254
OP_AND* = 1
OP_OR* = 2
OP_NOT* = 3
OP_BITWISE_NOT* = 4
OP_BITWISE_AND* = 5
OP_BITWISE_OR* = 6
OP_BITWISE_XOR* = 7
OP_SHL* = 8
OP_SHR* = 9
OP_MOD* = 10
OP_INT_TO_DBL* = 11
OP_STR_TO_BOOL* = 12
OP_PUSH* = 13
OP_POP* = 14
OP_CALL* = 15
OP_OBJ_LOAD* = 16
OP_OBJ_VALUE* = 17
OP_OBJ_FIELD* = 18
OP_INDEX_ARRAY* = 19
OP_COUNT* = 20
OP_LENGTH* = 21
OP_FOUND* = 22
OP_FOUND_AT* = 23
OP_FOUND_IN* = 24
OP_OFFSET* = 25
OP_OF* = 26
OP_PUSH_RULE* = 27
OP_INIT_RULE* = 28
OP_MATCH_RULE* = 29
OP_INCR_M* = 30
OP_CLEAR_M* = 31
OP_ADD_M* = 32
OP_POP_M* = 33
OP_PUSH_M* = 34
OP_SET_M* = 35
OP_SWAPUNDEF* = 36
OP_FILESIZE* = 37
OP_ENTRYPOINT* = 38
OP_MATCHES* = 40
OP_IMPORT* = 41
OP_LOOKUP_DICT* = 42
OP_JUNDEF* = 43
OP_JUNDEF_P* = 44
OP_JNUNDEF* = 45
OP_JNUNDEF_P* = 46
OP_JFALSE* = 47
OP_JFALSE_P* = 48
OP_JTRUE* = 49
OP_JTRUE_P* = 50
OP_JL_P* = 51
OP_JLE_P* = 52
OP_ITER_NEXT* = 53
OP_ITER_START_ARRAY* = 54
OP_ITER_START_DICT* = 55
OP_ITER_START_INT_RANGE* = 56
OP_ITER_START_INT_ENUM* = 57
OP_JZ* = 58
OP_JZ_P* = 59
OP_PUSH_8* = 60
OP_PUSH_16* = 61
OP_PUSH_32* = 62
OP_PUSH_U* = 63
OP_CONTAINS* = 64
OP_STARTSWITH* = 65
OP_ENDSWITH* = 66
OP_ICONTAINS* = 67
OP_ISTARTSWITH* = 68
OP_IENDSWITH* = 69
OP_EQ* = 0
OP_NEQ* = 1
OP_LT* = 2
OP_GT* = 3
OP_LE* = 4
OP_GE* = 5
OP_ADD* = 6
OP_SUB* = 7
OP_MUL* = 8
OP_DIV* = 9
OP_MINUS* = 10
OP_INT_BEGIN* = 100
OP_INT_EQ* = (OP_INT_BEGIN + typeof(OP_INT_BEGIN)(OP_EQ))
OP_INT_NEQ* = (OP_INT_BEGIN + typeof(OP_INT_BEGIN)(OP_NEQ))
OP_INT_LT* = (OP_INT_BEGIN + typeof(OP_INT_BEGIN)(OP_LT))
OP_INT_GT* = (OP_INT_BEGIN + typeof(OP_INT_BEGIN)(OP_GT))
OP_INT_LE* = (OP_INT_BEGIN + typeof(OP_INT_BEGIN)(OP_LE))
OP_INT_GE* = (OP_INT_BEGIN + typeof(OP_INT_BEGIN)(OP_GE))
OP_INT_ADD* = (OP_INT_BEGIN + typeof(OP_INT_BEGIN)(OP_ADD))
OP_INT_SUB* = (OP_INT_BEGIN + typeof(OP_INT_BEGIN)(OP_SUB))
OP_INT_MUL* = (OP_INT_BEGIN + typeof(OP_INT_BEGIN)(OP_MUL))
OP_INT_DIV* = (OP_INT_BEGIN + typeof(OP_INT_BEGIN)(OP_DIV))
OP_INT_MINUS* = (OP_INT_BEGIN + typeof(OP_INT_BEGIN)(OP_MINUS))
OP_DBL_BEGIN* = 120
OP_DBL_EQ* = (OP_DBL_BEGIN + typeof(OP_DBL_BEGIN)(OP_EQ))
OP_DBL_NEQ* = (OP_DBL_BEGIN + typeof(OP_DBL_BEGIN)(OP_NEQ))
OP_DBL_LT* = (OP_DBL_BEGIN + typeof(OP_DBL_BEGIN)(OP_LT))
OP_DBL_GT* = (OP_DBL_BEGIN + typeof(OP_DBL_BEGIN)(OP_GT))
OP_DBL_LE* = (OP_DBL_BEGIN + typeof(OP_DBL_BEGIN)(OP_LE))
OP_DBL_GE* = (OP_DBL_BEGIN + typeof(OP_DBL_BEGIN)(OP_GE))
OP_DBL_ADD* = (OP_DBL_BEGIN + typeof(OP_DBL_BEGIN)(OP_ADD))
OP_DBL_SUB* = (OP_DBL_BEGIN + typeof(OP_DBL_BEGIN)(OP_SUB))
OP_DBL_MUL* = (OP_DBL_BEGIN + typeof(OP_DBL_BEGIN)(OP_MUL))
OP_DBL_DIV* = (OP_DBL_BEGIN + typeof(OP_DBL_BEGIN)(OP_DIV))
OP_DBL_MINUS* = (OP_DBL_BEGIN + typeof(OP_DBL_BEGIN)(OP_MINUS))
OP_STR_BEGIN* = 140
OP_STR_EQ* = (OP_STR_BEGIN + typeof(OP_STR_BEGIN)(OP_EQ))
OP_STR_NEQ* = (OP_STR_BEGIN + typeof(OP_STR_BEGIN)(OP_NEQ))
OP_STR_LT* = (OP_STR_BEGIN + typeof(OP_STR_BEGIN)(OP_LT))
OP_STR_GT* = (OP_STR_BEGIN + typeof(OP_STR_BEGIN)(OP_GT))
OP_STR_LE* = (OP_STR_BEGIN + typeof(OP_STR_BEGIN)(OP_LE))
OP_STR_GE* = (OP_STR_BEGIN + typeof(OP_STR_BEGIN)(OP_GE))
OP_STR_END* = OP_STR_GE
OP_READ_INT* = 240
OP_INT8* = (OP_READ_INT + typeof(OP_READ_INT)(0))
OP_INT16* = (OP_READ_INT + typeof(OP_READ_INT)(1))
OP_INT32* = (OP_READ_INT + typeof(OP_READ_INT)(2))
OP_UINT8* = (OP_READ_INT + typeof(OP_READ_INT)(3))
OP_UINT16* = (OP_READ_INT + typeof(OP_READ_INT)(4))
OP_UINT32* = (OP_READ_INT + typeof(OP_READ_INT)(5))
OP_INT8BE* = (OP_READ_INT + typeof(OP_READ_INT)(6))
OP_INT16BE* = (OP_READ_INT + typeof(OP_READ_INT)(7))
OP_INT32BE* = (OP_READ_INT + typeof(OP_READ_INT)(8))
OP_UINT8BE* = (OP_READ_INT + typeof(OP_READ_INT)(9))
OP_UINT16BE* = (OP_READ_INT + typeof(OP_READ_INT)(10))
OP_UINT32BE* = (OP_READ_INT + typeof(OP_READ_INT)(11))
OBJECT_CREATE* = 1
OBJECT_TYPE_INTEGER* = 1
OBJECT_TYPE_STRING* = 2
OBJECT_TYPE_STRUCTURE* = 3
OBJECT_TYPE_ARRAY* = 4
OBJECT_TYPE_FUNCTION* = 5
OBJECT_TYPE_DICTIONARY* = 6
OBJECT_TYPE_FLOAT* = 7
YR_MAJOR_VERSION* = 4
YR_MINOR_VERSION* = 0
YR_MICRO_VERSION* = 2
YR_VERSION_HEX* = ((YR_MAJOR_VERSION shl typeof(YR_MAJOR_VERSION)(16)) or
typeof(YR_MAJOR_VERSION)((YR_MINOR_VERSION shl
typeof(YR_MAJOR_VERSION)(8))) or
typeof(YR_MAJOR_VERSION)((YR_MICRO_VERSION shl
typeof(YR_MAJOR_VERSION)(0))))
YR_CONFIG_STACK_SIZE* = (0).YR_CONFIG_NAME
YR_CONFIG_MAX_STRINGS_PER_RULE* = (YR_CONFIG_STACK_SIZE + 1).YR_CONFIG_NAME
YR_CONFIG_MAX_MATCH_DATA* = (YR_CONFIG_MAX_STRINGS_PER_RULE + 1).YR_CONFIG_NAME
YR_CONFIG_LAST* = (YR_CONFIG_MAX_MATCH_DATA + 1).YR_CONFIG_NAME ## ```
## End-of-enum marker, not a configuration
## ```
DEFAULT_STACK_SIZE* = 16384
DEFAULT_MAX_STRINGS_PER_RULE* = 10000
DEFAULT_MAX_MATCH_DATA* = 512
type
pthread_key_t = object
pthread_mutex_t = object
jmp_buf = object
pthread_t = object
timespec = object
timeval = object
YR_MAPPED_FILE* {.bycopy, impyaraHdr, importc: "struct _YR_MAPPED_FILE".} = object
file*: cint
size*: uint
data*: ptr uint8
YR_STREAM_READ_FUNC* {.importc, impyaraHdr.} = proc (`ptr`: pointer; size: uint;
count: uint; user_data: pointer): uint {.cdecl.}
YR_STREAM_WRITE_FUNC* {.importc, impyaraHdr.} = proc (`ptr`: pointer; size: uint;
count: uint; user_data: pointer): uint {.cdecl.}
YR_STREAM* {.bycopy, impyaraHdr, importc: "struct _YR_STREAM".} = object
user_data*: pointer
read*: YR_STREAM_READ_FUNC
write*: YR_STREAM_WRITE_FUNC
yr_arena_off_t* {.importc, impyaraHdr.} = uint32
YR_ARENA* {.importc, impyaraHdr, bycopy.} = object
xrefs*: cint ## ```
## Number of users of this arena. This is set to one when the arena is created,
## and can be incremented by calling yr_arena_acquire. On each call
## to yr_arena_release it gets decremented by one, if xrefs reaches zero
## the buffers and the YR_ARENA structures are freed.
## ```
num_buffers*: cint ## ```
## Number of buffers in this arena.
## ```
buffers*: array[16, YR_ARENA_BUFFER] ## ```
## Status of individual buffers.
## ```
initial_buffer_size*: uint ## ```
## Initial size for each buffer.
## ```
reloc_list_head*: ptr YR_RELOC ## ```
## Head of the list containing relocation entries.
## ```
reloc_list_tail*: ptr YR_RELOC ## ```
## Tail of the list containing relocation entries.
## ```
YR_ARENA_BUFFER* {.importc, impyaraHdr, bycopy.} = object
data*: ptr uint8 ## ```
## Pointer the buffer's data.
## ```
size*: uint ## ```
## Total buffer size, including the used and unused areas.
## ```
used*: uint ## ```
## Number of bytes that are actually used (equal to or lower than size).
## ```
YR_ARENA_REF* {.importc, impyaraHdr, bycopy.} = object
buffer_id*: uint32
offset*: uint32
YR_RELOC* {.importc, impyaraHdr, bycopy.} = object
buffer_id*: uint32 ## ```
## Buffer ID associated to this relocation entry.
## ```
offset*: yr_arena_off_t ## ```
## Offset within the buffer where the relocatable pointer resides.
## ```
next*: ptr YR_RELOC ## ```
## Pointer to the next entry in the list.
## ```
YR_HASH_TABLE_ENTRY* {.bycopy, impyaraHdr, importc: "struct _YR_HASH_TABLE_ENTRY".} = object
key*: pointer
key_length*: uint
ns*: cstring
value*: pointer
next*: ptr YR_HASH_TABLE_ENTRY
YR_HASH_TABLE* {.bycopy, impyaraHdr, importc: "struct _YR_HASH_TABLE".} = object
size*: cint
buckets*: array[1, ptr YR_HASH_TABLE_ENTRY]
YR_HASH_TABLE_FREE_VALUE_FUNC* {.importc, impyaraHdr.} = proc (value: pointer): cint {.
cdecl.}
SIZED_STRING* {.bycopy, impyaraHdr, importc: "struct _SIZED_STRING".} = object ## ```
## This struct is used to support strings containing null chars. The length of
## the string is stored along the string data. However the string data is also
## terminated with a null char.
## ```
length*: uint32
flags*: uint32
c_string*: array[1, cchar]
YR_STOPWATCH* {.bycopy, impyaraHdr, importc: "struct _YR_STOPWATCH".} = object
tv_start*: timeval
ts_start*: timespec
YR_THREAD_ID* {.importc, impyaraHdr.} = pthread_t
YR_THREAD_STORAGE_KEY* {.importc, impyaraHdr.} = pthread_key_t
YR_MUTEX* {.importc, impyaraHdr.} = pthread_mutex_t
YR_NOTEBOOK* {.importc, impyaraHdr, incompleteStruct.} = object
RE* {.importc, impyaraHdr, bycopy.} = object
flags*: uint32
code*: array[0, uint8]
RE_AST* {.importc, impyaraHdr, bycopy.} = object
flags*: uint32
root_node*: ptr RE_NODE
RE_NODE* {.importc, impyaraHdr, bycopy.} = object
`type`*: cint
value*: cint
count*: cint
start*: cint
mask*: cint
`end`*: cint
greedy*: cint
re_class*: ptr RE_CLASS
children_head*: ptr RE_NODE
children_tail*: ptr RE_NODE
prev_sibling*: ptr RE_NODE
next_sibling*: ptr RE_NODE
forward_code_ref*: YR_ARENA_REF
backward_code_ref*: YR_ARENA_REF
RE_CLASS* {.importc, impyaraHdr, bycopy.} = object
negated*: uint8
bitmap*: array[32, uint8]
RE_ERROR* {.importc, impyaraHdr, bycopy.} = object
message*: array[384, cchar]
RE_FIBER* {.importc, impyaraHdr, bycopy.} = object
ip*: ptr uint8 ## ```
## instruction pointer
## ```
sp*: int32 ## ```
## stack pointer
## ```
rc*: int32 ## ```
## repeat counter
## ```
prev*: ptr RE_FIBER
next*: ptr RE_FIBER
stack*: array[1024, uint16]
RE_FIBER_LIST* {.importc, impyaraHdr, bycopy.} = object
head*: ptr RE_FIBER
tail*: ptr RE_FIBER
RE_FIBER_POOL* {.importc, impyaraHdr, bycopy.} = object
fiber_count*: cint
fibers*: RE_FIBER_LIST
YR_AC_STATE* {.importc, impyaraHdr, bycopy.} = object
failure*: ptr YR_AC_STATE
first_child*: ptr YR_AC_STATE
siblings*: ptr YR_AC_STATE
matches_ref*: YR_ARENA_REF ## ```
## Reference to the YR_AC_MATCH structure that heads the list of matches
## for this state.
## ```
depth*: uint8
input*: uint8
t_table_slot*: uint32
YR_AC_AUTOMATON* {.importc, impyaraHdr, bycopy.} = object
arena*: ptr YR_ARENA ## ```
## Arena used by this automaton to store the transition and match tables.
## ```
tables_size*: uint32 ## ```
## Both m_table and t_table have the same number of elements, which is
## stored in tables_size.
## ```
t_table_unused_candidate*: uint32 ## ```
## The first slot in the transition table (t_table) that may be be unused.
## Used for speeding up the construction of the transition table.
## ```
bitmask*: ptr culong ## ```
## Bitmask where each bit indicates if the corresponding slot in the
## transition table is already in use.
## ```
root*: ptr YR_AC_STATE ## ```
## Pointer to the root Aho-Corasick state.
## ```
YR_AC_TABLES* {.importc, impyaraHdr, incompleteStruct.} = object
YR_AC_MATCH_LIST_ENTRY* {.importc, impyaraHdr, bycopy.} = object
backtrack*: uint16
string_idx*: uint32
`ref`*: YR_ARENA_REF
forward_code_ref*: YR_ARENA_REF
backward_code_ref*: YR_ARENA_REF
next*: ptr YR_AC_MATCH_LIST_ENTRY
YR_AC_MATCH* {.importc, impyaraHdr, bycopy.} = object
string*: ptr YR_STRING
string_g*: YR_ARENA_REF
forward_code*: ptr uint8
forward_code_g*: YR_ARENA_REF
backward_code*: ptr uint8
backward_code_g*: YR_ARENA_REF
next*: ptr YR_AC_MATCH
next_g*: YR_ARENA_REF
backtrack*: uint16 ## ```
## When the Aho-Corasick automaton reaches some state that has associated
## matches, the current position in the input buffer is a few bytes past
## the point where the match actually occurs, for example, when looking for
## string "bar" in "foobarbaz", when the automaton reaches the state associated
## to the ending "r" in "bar, which is the one that has a match, the current
## position in the input is 6 (the "b" after the "r"), but the match is at
## position 3. The backtrack field indicates how many bytes the scanner has
## to go back to find the point where the match actually start.
##
## YR_ALIGN(8) forces the backtrack field to be treated as a 8-bytes field
## and therefore the struct's size is 40 bytes. This is necessary only for
## 32-bits versions of YARA compiled with Visual Studio. See: #1358.
## ```
YR_NAMESPACE* {.importc, impyaraHdr, bycopy.} = object
name*: cstring
name_g*: YR_ARENA_REF
idx*: uint32 ## ```
## Index of this namespace in the array of YR_NAMESPACE structures stored
## in YR_NAMESPACES_TABLE.
##
## YR_ALIGN(8) forces the idx field to be treated as a 8-bytes field
## and therefore the struct's size is 16 bytes. This is necessary only for
## 32-bits versions of YARA compiled with Visual Studio. See: #1358.
## ```
YR_META* {.importc, impyaraHdr, bycopy.} = object
identifier*: cstring
identifier_g*: YR_ARENA_REF
string*: cstring
string_g*: YR_ARENA_REF
integer*: int64
`type`*: int32
flags*: int32
YR_MATCHES* {.importc, impyaraHdr, bycopy.} = object
head*: ptr YR_MATCH
tail*: ptr YR_MATCH
count*: int32
YR_STRING* {.importc, impyaraHdr, bycopy.} = object
flags*: uint32 ## ```
## Flags, see STRING_FLAGS_XXX macros defined above.
## ```
idx*: uint32 ## ```
## Index of this string in the array of YR_STRING structures stored in
## YR_STRINGS_TABLE.
## ```
fixed_offset*: int64 ## ```
## If the string can only match at a specific offset (for example if the
## condition is "$a at 0" the string $a can only match at offset 0), the
## fixed_offset field contains the offset, it have the YR_UNDEFINED value for
## strings that can match anywhere.
## ```
rule_idx*: uint32 ## ```
## Index of the rule containing this string in the array of YR_RULE
## structures stored in YR_RULES_TABLE.
## ```
length*: int32 ## ```
## String's length.
## ```
string*: ptr uint8
string_g*: YR_ARENA_REF
chained_to*: ptr YR_STRING
chained_to_g*: YR_ARENA_REF
chain_gap_min*: int32 ## ```
## When this string is chained to some other string, chain_gap_min and
## chain_gap_max contain the minimum and maximum distance between the two
## strings. For example in { 01 02 03 04 [X-Y] 05 06 07 08 }, the string
## { 05 06 07 08 } is chained to { 01 02 03 04 } and chain_gap_min is X
## and chain_gap_max is Y. These fields are ignored for strings that are not
## part of a string chain.
## ```
chain_gap_max*: int32
identifier*: cstring
identifier_g*: YR_ARENA_REF
YR_RULE* {.importc, impyaraHdr, bycopy.} = object
flags*: int32
num_atoms*: int32 ## ```
## Number of atoms generated for this rule.
## ```
identifier*: cstring
identifier_g*: YR_ARENA_REF
tags*: cstring
tags_g*: YR_ARENA_REF
metas*: ptr YR_META
metas_g*: YR_ARENA_REF
strings*: ptr YR_STRING
strings_g*: YR_ARENA_REF
ns*: ptr YR_NAMESPACE
ns_g*: YR_ARENA_REF
YR_RULES* {.importc, impyaraHdr, bycopy.} = object
arena*: ptr YR_ARENA
rules_list_head*: ptr YR_RULE
strings_list_head*: ptr YR_STRING
externals_list_head*: ptr YR_EXTERNAL_VARIABLE
ac_transition_table*: ptr YR_AC_TRANSITION
ac_match_pool*: ptr YR_AC_MATCH
ac_match_table*: ptr uint32
code_start*: ptr uint8
num_rules*: uint32 ## ```
## Total number of rules.
## ```
num_strings*: uint32 ## ```
## Total number of strings.
## ```
num_namespaces*: uint32 ## ```
## Total number of namespaces.
## ```
YR_SUMMARY* {.importc, impyaraHdr, bycopy.} = object
num_rules*: uint32
num_strings*: uint32
num_namespaces*: uint32
YR_RULES_STATS* {.importc, impyaraHdr, bycopy.} = object
num_rules*: uint32 ## ```
## Total number of rules
## ```
num_strings*: uint32 ## ```
## Total number of strings across all rules.
## ```
ac_matches*: uint32 ## ```
## Total number of Aho-Corasick matches. Each node in the Aho-Corasick
## automaton has a list of YR_AC_MATCH_LIST_ENTRY structures (match list)
## pointing to strings that are potential matches. This field holds the total
## number of those structures across all nodes in the automaton.
## ```
ac_root_match_list_length*: uint32 ## ```
## Length of the match list for the root node in the Aho-Corasick automaton.
## ```
ac_average_match_list_length*: cfloat ## ```
## Average number of matches per match list.
## ```
top_ac_match_list_lengths*: array[100, uint32] ## ```
## Top 10 longest match lists.
## ```
ac_match_list_length_pctls*: array[101, uint32] ## ```
## Percentiles of match lists' lengths. If the i-th value in the array is N
## then i percent of the match lists have N or less items.
## ```
ac_tables_size*: uint32 ## ```
## Size of Aho-Corasick transition & match tables.
## ```
YR_PROFILING_INFO* {.importc, impyaraHdr, bycopy.} = object ## ```
## YR_PROFILING_INFO contains profiling information for a rule.
## ```
atom_matches*: uint32 ## ```
## Number of times that some atom belonging to the rule matched. Each
## matching atom means a potential string match that needs to be verified.
## ```
match_time*: uint64 ## ```
## Amount of time (in nanoseconds) spent verifying atom matches for
## determining if the corresponding string actually matched or not. This
## time is not measured for all atom matches, only 1 out of 1024 matches
## are actually measured.
## ```
exec_time*: uint64 ## ```
## Amount of time (in nanoseconds) spent evaluating the rule condition.
## ```
YR_RULE_PROFILING_INFO* {.importc, impyaraHdr, bycopy.} = object ## ```
## YR_RULE_PROFILING_INFO is the structure returned by
## yr_scanner_get_profiling_info
## ```
rule*: ptr YR_RULE
cost*: uint64
YR_EXTERNAL_VARIABLE* {.importc, impyaraHdr, bycopy.} = object
`type`*: int32
value*: Union_yarah13
identifier*: cstring
identifier_g*: YR_ARENA_REF
YR_MATCH* {.importc, impyaraHdr, bycopy.} = object
base*: int64 ## ```
## Base address for the match
## ```
offset*: int64 ## ```
## Offset relative to base for the match
## ```
match_length*: int32 ## ```
## Match length
## ```
data_length*: int32 ## ```
## Match length
## ```
data*: ptr uint8 ## ```
## Pointer to a buffer containing a portion of the matched data. The size of
## the buffer is data_length. data_length is always <= length and is limited
## to YR_CONFIG_MAX_MATCH_DATA bytes.
## ```
prev*: ptr YR_MATCH
next*: ptr YR_MATCH
chain_length*: int32 ## ```
## If the match belongs to a chained string chain_length contains the
## length of the chain. This field is used only in unconfirmed matches.
## ```
is_private*: bool
YR_SCAN_CONTEXT* {.importc, impyaraHdr, bycopy.} = object
file_size*: uint64 ## ```
## File size of the file being scanned.
## ```
entry_point*: uint64 ## ```
## Entry point of the file being scanned, if the file is PE or ELF.
## ```
flags*: cint ## ```
## Scanning flags.
## ```
canary*: cint ## ```
## Canary value used for preventing hand-crafted objects from being embedded
## in compiled rules and used to exploit YARA. The canary value is initialized
## to a random value and is subsequently set to all objects created by
## yr_object_create. The canary is verified when objects are used by
## yr_execute_code.
## ```
timeout*: uint64 ## ```
## Scan timeout in nanoseconds.
## ```
user_data*: pointer ## ```
## Pointer to user-provided data passed to the callback function.
## ```
callback*: YR_CALLBACK_FUNC ## ```
## Pointer to the user-provided callback function that is called when an
## event occurs during the scan (a rule matching, a module being loaded, etc)
## ```
rules*: ptr YR_RULES ## ```
## Pointer to the YR_RULES object associated to this scan context.
## ```
last_error_string*: ptr YR_STRING ## ```
## Pointer to the YR_STRING causing the most recent scan error.
## ```
`iterator`*: ptr YR_MEMORY_BLOCK_ITERATOR ## ```
## Pointer to the iterator used for scanning
## ```
objects_table*: ptr YR_HASH_TABLE ## ```
## Pointer to a table mapping identifiers to YR_OBJECT structures. This table
## contains entries for external variables and modules.
## ```
matches_notebook*: ptr YR_NOTEBOOK ## ```
## Notebook used for storing YR_MATCH structures associated to the matches
## found.
## ```
stopwatch*: YR_STOPWATCH ## ```
## Stopwatch used for measuring the time elapsed during the scan.
## ```
re_fiber_pool*: RE_FIBER_POOL ## ```
## Fiber pool used by yr_re_exec.
## ```
rule_matches_flags*: ptr culong ## ```
## A bitmap with one bit per rule, bit N is set when the rule with index N
## has matched.
## ```
ns_unsatisfied_flags*: ptr culong ## ```
## A bitmap with one bit per namespace, bit N is set if the namespace with
## index N has some global rule that is not satisfied.
## ```
matches*: ptr YR_MATCHES ## ```
## Array with pointers to lists of matches. Item N in the array has the
## list of matches for string with index N.
## ```
unconfirmed_matches*: ptr YR_MATCHES ## ```
## "unconfirmed_matches" is like "matches" but for strings that are part of
## a chain. Let's suppose that the string S is split in two chained strings
## S1 <- S2. When a match is found for S1, we can't be sure that S matches
## until a match for S2 is found (within the range defined by chain_gap_min
## and chain_gap_max), so the matches for S1 are put in "unconfirmed_matches"
## until they can be confirmed or discarded.
## ```
profiling_info*: ptr YR_PROFILING_INFO ## ```
## profiling_info is a pointer to an array of YR_PROFILING_INFO structures,
## one per rule. Entry N has the profiling information for rule with index N.
## ```
YR_VALUE* {.importc, impyaraHdr, bycopy.} = object
i*: int64
d*: cdouble
p*: pointer
o*: ptr YR_OBJECT
s*: ptr YR_STRING
it*: ptr YR_ITERATOR
ss*: ptr SIZED_STRING
re*: ptr RE
YR_VALUE_STACK* {.importc, impyaraHdr, bycopy.} = object
sp*: int32
capacity*: int32
items*: ptr YR_VALUE
YR_OBJECT* {.importc, impyaraHdr, bycopy.} = object
canary*: cint
`type`*: int8
identifier*: cstring
parent*: ptr YR_OBJECT
data*: pointer
value*: YR_VALUE
YR_OBJECT_STRUCTURE* {.importc, impyaraHdr, bycopy.} = object
canary*: cint
`type`*: int8
identifier*: cstring
parent*: ptr YR_OBJECT
data*: pointer
members*: ptr YR_STRUCTURE_MEMBER
YR_OBJECT_ARRAY* {.importc, impyaraHdr, bycopy.} = object
canary*: cint
`type`*: int8
identifier*: cstring
parent*: ptr YR_OBJECT
data*: pointer
prototype_item*: ptr YR_OBJECT
items*: ptr YR_ARRAY_ITEMS
YR_OBJECT_DICTIONARY* {.importc, impyaraHdr, bycopy.} = object
canary*: cint
`type`*: int8
identifier*: cstring
parent*: ptr YR_OBJECT
data*: pointer
prototype_item*: ptr YR_OBJECT
items*: ptr YR_DICTIONARY_ITEMS
YR_OBJECT_FUNCTION* {.importc, impyaraHdr, bycopy.} = object
canary*: cint
`type`*: int8
identifier*: cstring
parent*: ptr YR_OBJECT
data*: pointer
return_obj*: ptr YR_OBJECT
arguments_fmt*: cstring
code*: YR_MODULE_FUNC
YR_STRUCTURE_MEMBER* {.importc, impyaraHdr, bycopy.} = object
`object`*: ptr YR_OBJECT
next*: ptr YR_STRUCTURE_MEMBER
YR_ARRAY_ITEMS* {.importc, impyaraHdr, bycopy.} = object
capacity*: cint ## ```
## Capacity is the size of the objects array.
## ```
length*: cint ## ```
## Length is determined by the last element in the array. If the index of the
## last element is N, then length is N+1 because indexes start at 0.
## ```
objects*: array[1, ptr YR_OBJECT]
YR_DICTIONARY_ITEMS* {.importc, impyaraHdr, bycopy.} = object
used*: cint
free*: cint
key*: ptr SIZED_STRING
obj*: ptr YR_OBJECT
YR_MODULE* {.importc, impyaraHdr, bycopy.} = object
name*: cstring
declarations*: YR_EXT_DECLARATIONS_FUNC
load*: YR_EXT_LOAD_FUNC
unload*: YR_EXT_UNLOAD_FUNC
initialize*: YR_EXT_INITIALIZE_FUNC
finalize*: YR_EXT_FINALIZE_FUNC
YR_MODULE_IMPORT* {.importc, impyaraHdr, bycopy.} = object
module_name*: cstring
module_data*: pointer
module_data_size*: uint
YR_MEMORY_BLOCK* {.importc, impyaraHdr, bycopy.} = object
size*: uint
base*: uint64
context*: pointer
fetch_data*: YR_MEMORY_BLOCK_FETCH_DATA_FUNC
YR_MEMORY_BLOCK_ITERATOR* {.importc, impyaraHdr, bycopy.} = object
context*: pointer
first*: YR_MEMORY_BLOCK_ITERATOR_FUNC
next*: YR_MEMORY_BLOCK_ITERATOR_FUNC
YR_MODIFIER* {.importc, impyaraHdr, bycopy.} = object
flags*: int32
xor_min*: uint8
xor_max*: uint8
alphabet*: ptr SIZED_STRING
YR_ITERATOR* {.importc, impyaraHdr, bycopy.} = object
next*: YR_ITERATOR_NEXT_FUNC
array_it*: YR_ARRAY_ITERATOR
dict_it*: YR_DICT_ITERATOR
int_range_it*: YR_INT_RANGE_ITERATOR
int_enum_it*: YR_INT_ENUM_ITERATOR
YR_AC_TRANSITION* {.importc, impyaraHdr.} = uint32
Union_yarah13* {.union, bycopy, impyaraHdr, importc: "union Union_yarah13".} = object
i*: int64
f*: cdouble
s*: cstring
YR_MEMORY_BLOCK_FETCH_DATA_FUNC* {.importc, impyaraHdr.} = proc (
self: ptr YR_MEMORY_BLOCK): ptr uint8 {.cdecl.}
YR_MEMORY_BLOCK_ITERATOR_FUNC* {.importc, impyaraHdr.} = proc (
self: ptr YR_MEMORY_BLOCK_ITERATOR): ptr YR_MEMORY_BLOCK {.cdecl.}
YR_CALLBACK_FUNC* {.importc, impyaraHdr.} = proc (context: ptr YR_SCAN_CONTEXT;
message: cint; message_data: pointer; user_data: pointer): cint {.cdecl.}
YR_MODULE_FUNC* {.importc, impyaraHdr.} = proc (args: ptr YR_VALUE;
context: ptr YR_SCAN_CONTEXT; function_obj: ptr YR_OBJECT_FUNCTION): cint {.cdecl.}
YR_ITERATOR_NEXT_FUNC* {.importc, impyaraHdr.} = proc (self: ptr YR_ITERATOR;
stack: ptr YR_VALUE_STACK): cint {.cdecl.}
YR_ARRAY_ITERATOR* {.bycopy, impyaraHdr, importc: "struct YR_ARRAY_ITERATOR".} = object
array*: ptr YR_OBJECT
index*: cint
YR_DICT_ITERATOR* {.bycopy, impyaraHdr, importc: "struct YR_DICT_ITERATOR".} = object
dict*: ptr YR_OBJECT
index*: cint
YR_INT_RANGE_ITERATOR* {.bycopy, impyaraHdr,
importc: "struct YR_INT_RANGE_ITERATOR".} = object
next*: int64
last*: int64
YR_INT_ENUM_ITERATOR* {.bycopy, impyaraHdr,
importc: "struct YR_INT_ENUM_ITERATOR".} = object
next*: cint
count*: cint
items*: array[1, int64]
RE_MATCH_CALLBACK_FUNC* {.importc, impyaraHdr.} = proc (match: ptr uint8;
match_length: cint; flags: cint; args: pointer): cint {.cdecl.}
YR_ATOM* {.importc, impyaraHdr, bycopy.} = object
length*: uint8
bytes*: array[4, uint8]
mask*: array[4, uint8]
YR_ATOM_TREE_NODE* {.importc, impyaraHdr, bycopy.} = object
`type`*: uint8
atom*: YR_ATOM
re_nodes*: array[4, ptr RE_NODE] ## ```
## RE nodes that correspond to each byte in the atom.
## ```
children_head*: ptr YR_ATOM_TREE_NODE
children_tail*: ptr YR_ATOM_TREE_NODE
next_sibling*: ptr YR_ATOM_TREE_NODE
YR_ATOM_TREE* {.importc, impyaraHdr, bycopy.} = object
root_node*: ptr YR_ATOM_TREE_NODE
YR_ATOM_LIST_ITEM* {.importc, impyaraHdr, bycopy.} = object
atom*: YR_ATOM
backtrack*: uint16
forward_code_ref*: YR_ARENA_REF
backward_code_ref*: YR_ARENA_REF
next*: ptr YR_ATOM_LIST_ITEM
YR_ATOM_QUALITY_TABLE_ENTRY* {.importc, impyaraHdr, bycopy.} = object
atom*: array[4, uint8]
quality*: uint8
YR_ATOMS_CONFIG* {.importc, impyaraHdr, bycopy.} = object
get_atom_quality*: YR_ATOMS_QUALITY_FUNC
quality_table*: ptr YR_ATOM_QUALITY_TABLE_ENTRY
quality_warning_threshold*: cint
quality_table_entries*: cint
free_quality_table*: bool
YR_ATOMS_QUALITY_FUNC* {.importc, impyaraHdr.} = proc (config: ptr YR_ATOMS_CONFIG;
atom: ptr YR_ATOM): cint {.cdecl.}
Union_yarah22* {.union, bycopy, impyaraHdr, importc: "union Union_yarah22".} = object
integer*: int64
`object`*: ptr YR_OBJECT
sized_string_ref*: YR_ARENA_REF
Type_yarah3* {.bycopy, impyaraHdr, importc: "struct Type_yarah3".} = object ## ```
## An expression can have an associated identifier, if "ptr" is not NULL it
## points to the identifier name, if it is NULL, then "ref" holds a reference
## to the identifier within YR_SZ_POOL. When the identifier is in YR_SZ_POOL
## a pointer can't be used as the YR_SZ_POOL can be moved to a different
## memory location.
## ```
`ptr`*: cstring
`ref`*: YR_ARENA_REF
YR_EXPRESSION* {.bycopy, impyaraHdr, importc: "struct _YR_EXPRESSION".} = object
`type`*: cint
value*: Union_yarah22
identifier*: Type_yarah3 ## ```
## An expression can have an associated identifier, if "ptr" is not NULL it
## points to the identifier name, if it is NULL, then "ref" holds a reference
## to the identifier within YR_SZ_POOL. When the identifier is in YR_SZ_POOL
## a pointer can't be used as the YR_SZ_POOL can be moved to a different
## memory location.
## ```
YR_COMPILER_CALLBACK_FUNC* {.importc, impyaraHdr.} = proc (error_level: cint;
file_name: cstring; line_number: cint; rule: ptr YR_RULE; message: cstring;
user_data: pointer) {.cdecl.}
YR_COMPILER_INCLUDE_CALLBACK_FUNC* {.importc, impyaraHdr.} = proc (
include_name: cstring; calling_rule_filename: cstring;
calling_rule_namespace: cstring; user_data: pointer): cstring {.cdecl.}
YR_COMPILER_INCLUDE_FREE_FUNC* {.importc, impyaraHdr.} = proc (
callback_result_ptr: cstring; user_data: pointer) {.cdecl.}
YR_COMPILER_RE_AST_CALLBACK_FUNC* {.importc, impyaraHdr.} = proc (
rule: ptr YR_RULE; string_identifier: cstring; re_ast: ptr RE_AST;
user_data: pointer) {.cdecl.}
YR_FIXUP* {.bycopy, impyaraHdr, importc: "struct _YR_FIXUP".} = object
`ref`*: YR_ARENA_REF
next*: ptr YR_FIXUP
YR_LOOP_CONTEXT* {.bycopy, impyaraHdr, importc: "struct _YR_LOOP_CONTEXT".} = object
start_ref*: YR_ARENA_REF ## ```
## Reference indicating the the place in the code where the loop starts. The
## loop goes back to this address on each iteration.
## ```
vars_count*: cint ## ```
## vars_count is the number of local variables defined by the loop, and vars
## is an array of expressions with the identifier and type for each of those
## local variables.
## ```
vars*: array[2, YR_EXPRESSION]
vars_internal_count*: cint ## ```
## vars_internal_count is the number of variables used by the loop which are
## not defined by the rule itself but that are necessary for keeping the
## loop's state. One example is the iteration counter.
## ```
YR_COMPILER* {.bycopy, impyaraHdr, importc: "struct _YR_COMPILER".} = object
arena*: ptr YR_ARENA ## ```
## Arena that contains the data generated by the compiled. The arena has
## the following buffers:
##
## YR_SUMMARY_SECTION:
## A YR_SUMMARY struct.
## YR_RULES_TABLE:
## An array of YR_RULE structures, one per each rule.
## YR_STRINGS_TABLE:
## An array of YR_STRING structures, one per each string.
## YR_METAS_TABLE:
## An array of YR_META structures, one per each meta definition.
## YR_NAMESPACES_TABLE:
## An array of YR_NAMESPACE structures, one per each namespace.
## YR_EXTERNAL_VARIABLES_TABLE:
## An array of YR_EXTERNAL_VARIABLE structures, one per each external
## variable defined.
## YR_SZ_POOL:
## A collection of null-terminated strings. This buffer contains
## identifiers, literal strings, and in general any null-terminated
## string referenced by other data structures.
## YR_CODE_SECTION:
## The code for the condition section of all the rules. This is the
## code executed by yr_execute_code.
## YR_RE_CODE_SECTION:
## Similar to YR_CODE_SECTION, but it contains the code for regular
## expressions. This is the code executed by yr_re_exec and
## yr_re_fast_exec.
## YR_AC_TRANSITION_TABLE:
## An array of uint32_t containing the Aho-Corasick transition table.
## See comment in _yr_ac_build_transition_table for details.
## YR_AC_STATE_MATCHES_TABLE:
## An array of uint32_t with the same number of items than the transition
## table. If entry N in the transition table corresponds to some
## Aho-Corasick state, the N-th item in this array has the index within
## the matches pool where the list of matches for that state begins.
## YR_AC_STATE_MATCHES_POOL:
## An array of YR_AC_MATCH structures.
## ```
current_rule_idx*: uint32 ## ```
## Index of the rule being compiled in the array of YR_RULE structures
## stored in YR_RULES_TABLE. If this is MAX_UINT32 the compiler is not
## parsing a rule.
## ```
next_rule_idx*: uint32 ## ```
## Index of the rule that comes next during parsing.
## ```
current_string_idx*: uint32 ## ```
## Index of the string being compiled in the array of YR_STRING structures
## stored in YR_STRINGS_TABLE.
## ```
current_namespace_idx*: uint32 ## ```
## Index of the current namespace in the array of YR_NAMESPACE structures
## stored in YR_NAMESPACES_TABLE.
## ```
current_meta_idx*: uint32 ## ```
## Index of the current meta in the array of YR_META structures stored in
## YR_METAS_TABLE.
## ```
rules*: ptr YR_RULES ## ```
## Pointer to a YR_RULES structure that represents the compiled rules. This
## is what yr_compiler_get_rules returns. Once these rules are generated you
## can't call any of the yr_compiler_add_xxx functions.
## ```
errors*: cint
current_line*: cint
last_error*: cint
last_error_line*: cint
error_recovery*: jmp_buf
automaton*: ptr YR_AC_AUTOMATON
rules_table*: ptr YR_HASH_TABLE
objects_table*: ptr YR_HASH_TABLE
strings_table*: ptr YR_HASH_TABLE
sz_table*: ptr YR_HASH_TABLE ## ```
## Hash table that contains all the strings that has been written to the
## YR_SZ_POOL buffer in the compiler's arena. Values in the hash table are
## the offset within the YR_SZ_POOL where the string resides. This allows to
## know is some string has already been written in order to reuse instead of
## writting it again.
## ```
fixup_stack_head*: ptr YR_FIXUP
num_namespaces*: cint
loop*: array[4, YR_LOOP_CONTEXT]
loop_index*: cint
loop_for_of_var_index*: cint
file_name_stack*: array[16, cstring]
file_name_stack_ptr*: cint
last_error_extra_info*: array[256, cchar]
lex_buf*: array[8192, cchar]
lex_buf_ptr*: cstring
lex_buf_len*: cushort
include_base_dir*: array[1024, cchar]
user_data*: pointer
incl_clbk_user_data*: pointer
re_ast_clbk_user_data*: pointer
callback*: YR_COMPILER_CALLBACK_FUNC
include_callback*: YR_COMPILER_INCLUDE_CALLBACK_FUNC
include_free*: YR_COMPILER_INCLUDE_FREE_FUNC
re_ast_callback*: YR_COMPILER_RE_AST_CALLBACK_FUNC
atoms_config*: YR_ATOMS_CONFIG
YR_EXT_INITIALIZE_FUNC* {.importc, impyaraHdr.} = proc (module: ptr YR_MODULE): cint {.
cdecl.}
YR_EXT_FINALIZE_FUNC* {.importc, impyaraHdr.} = proc (module: ptr YR_MODULE): cint {.
cdecl.}
YR_EXT_DECLARATIONS_FUNC* {.importc, impyaraHdr.} = proc (
module_object: ptr YR_OBJECT): cint {.cdecl.}
YR_EXT_LOAD_FUNC* {.importc, impyaraHdr.} = proc (context: ptr YR_SCAN_CONTEXT;
module_object: ptr YR_OBJECT; module_data: pointer; module_data_size: uint): cint {.
cdecl.}
YR_EXT_UNLOAD_FUNC* {.importc, impyaraHdr.} = proc (module_object: ptr YR_OBJECT): cint {.
cdecl.}
YR_SCANNER* {.importc, impyaraHdr.} = YR_SCAN_CONTEXT
var yr_scanner_scan_mem* {.importc: "_yr_scanner_scan_mem", impyaraHdr.}: proc (
scanner: ptr YR_SCANNER; buffer: ptr uint8; buffer_size: uint): cint {.cdecl.}
proc xtoi*(hexstr: cstring): uint64 {.importc, cdecl, impyaraHdr.}
## ```
## Other "compilers" and later versions of Microsoft Visual Studio C++ and
## Borland C/C++ define the types in <stdint.h>
## Cygwin already has these functions.
## ```
proc strlcpy*(dst: cstring; src: cstring; size: uint): uint {.importc, cdecl, impyaraHdr.}
proc strlcat*(dst: cstring; src: cstring; size: uint): uint {.importc, cdecl, impyaraHdr.}
proc memmem*(haystack: pointer; haystack_size: uint; needle: pointer; needle_size: uint): pointer {.
importc, cdecl, impyaraHdr.}
proc strnlen_w*(w_str: cstring): cint {.importc, cdecl, impyaraHdr.}
proc strcmp_w*(w_str: cstring; str: cstring): cint {.importc, cdecl, impyaraHdr.}
proc strlcpy_w*(dst: cstring; w_src: cstring; n: uint): uint {.importc, cdecl, impyaraHdr.}
proc yr_filemap_map*(file_path: cstring; pmapped_file: ptr YR_MAPPED_FILE): cint {.
importc, cdecl, impyaraHdr.}
proc yr_filemap_map_fd*(file: cint; offset: clong; size: uint;
pmapped_file: ptr YR_MAPPED_FILE): cint {.importc, cdecl,
impyaraHdr.}
proc yr_filemap_map_ex*(file_path: cstring; offset: clong; size: uint;
pmapped_file: ptr YR_MAPPED_FILE): cint {.importc, cdecl,
impyaraHdr.}
proc yr_filemap_unmap*(pmapped_file: ptr YR_MAPPED_FILE) {.importc, cdecl, impyaraHdr.}
proc yr_filemap_unmap_fd*(pmapped_file: ptr YR_MAPPED_FILE) {.importc, cdecl,
impyaraHdr.}
proc yr_stream_read*(`ptr`: pointer; size: uint; count: uint; stream: ptr YR_STREAM): uint {.
importc, cdecl, impyaraHdr.}
proc yr_stream_write*(`ptr`: pointer; size: uint; count: uint; stream: ptr YR_STREAM): uint {.
importc, cdecl, impyaraHdr.}
proc yr_arena_create*(num_buffers: cint; initial_buffer_size: uint;
arena: ptr ptr YR_ARENA): cint {.importc, cdecl, impyaraHdr.}
## ```
## Creates an arena with the specified number of buffers and takes ownership of
## it. Initially each buffer is empty, the first time that some data is written
## into a buffer at least initial_buffer_size are reserved for the buffer.
## ```
proc yr_arena_acquire*(arena: ptr YR_ARENA) {.importc, cdecl, impyaraHdr.}
## ```
## Takes ownership of the arena.
## ```
proc yr_arena_release*(arena: ptr YR_ARENA): cint {.importc, cdecl, impyaraHdr.}
## ```
## Release ownership of the arena. If the number of owners drops to zero the
## arena is destroyed and all its resources are freed.
## ```
proc yr_arena_ref_to_ptr*(arena: ptr YR_ARENA; `ref`: ptr YR_ARENA_REF): pointer {.
importc, cdecl, impyaraHdr.}
## ```
## Given a reference to some data within the arena, it returns a pointer to
## the data. This pointer is valid only until the next call to any of the
## functions that allocates space in the buffer where the data resides, like
## yr_arena_allocate_xxx and yr_arena_write_xxx. These functions can cause
## the buffer to be moved to different memory location and the pointer won't
## valid any longer.
## ```
proc yr_arena_ptr_to_ref*(arena: ptr YR_ARENA; address: pointer;
`ref`: ptr YR_ARENA_REF): cint {.importc, cdecl, impyaraHdr.}
## ```
## Given a pointer into the arena, it returns a reference to it. The reference
## can be used with yr_arena_ref_to_ptr to obtain a pointer again. Unlike
## pointers, references are during the arena's lifetime, even if the buffers
## are moved to a different memory location.
## ```
proc yr_arena_get_ptr*(arena: ptr YR_ARENA; buffer_id: uint32; offset: yr_arena_off_t): pointer {.
importc, cdecl, impyaraHdr.}
## ```
## Given a buffer number and an offset within the buffer, returns a pointer
## to that offset. The same limitations explained for yr_arena_ref_to_ptr
## applies for the pointers returned by this function.
## ```
proc yr_arena_get_current_offset*(arena: ptr YR_ARENA; buffer_id: uint32): yr_arena_off_t {.
importc, cdecl, impyaraHdr.}
proc yr_arena_allocate_memory*(arena: ptr YR_ARENA; buffer_id: uint32; size: uint;
`ref`: ptr YR_ARENA_REF): cint {.importc, cdecl,
impyaraHdr.}
proc yr_arena_allocate_zeroed_memory*(arena: ptr YR_ARENA; buffer_id: uint32;
size: uint; `ref`: ptr YR_ARENA_REF): cint {.
importc, cdecl, impyaraHdr.}
proc yr_arena_allocate_struct*(arena: ptr YR_ARENA; buffer_id: uint32; size: uint;
`ref`: ptr YR_ARENA_REF): cint {.importc, cdecl,
impyaraHdr, varargs.}
proc yr_arena_make_ptr_relocatable*(arena: ptr YR_ARENA; buffer_id: uint32): cint {.
importc, cdecl, impyaraHdr, varargs.}
proc yr_arena_write_data*(arena: ptr YR_ARENA; buffer_id: uint32; data: pointer;
size: uint; `ref`: ptr YR_ARENA_REF): cint {.importc, cdecl,
impyaraHdr.}
proc yr_arena_write_string*(arena: ptr YR_ARENA; buffer_id: uint32; string: cstring;
`ref`: ptr YR_ARENA_REF): cint {.importc, cdecl, impyaraHdr.}
proc yr_arena_write_uint32*(arena: ptr YR_ARENA; buffer_id: uint32; integer: uint32;
`ref`: ptr YR_ARENA_REF): cint {.importc, cdecl, impyaraHdr.}
proc yr_arena_load_stream*(stream: ptr YR_STREAM; arena: ptr ptr YR_ARENA): cint {.
importc, cdecl, impyaraHdr.}
proc yr_arena_save_stream*(arena: ptr YR_ARENA; stream: ptr YR_STREAM): cint {.importc,
cdecl, impyaraHdr.}
proc yr_bitmask_find_non_colliding_offset*(a: ptr culong; b: ptr culong; len_a: uint32;
len_b: uint32; off_a: ptr uint32): uint32 {.importc, cdecl, impyaraHdr.}
proc yr_hash*(seed: uint32; buffer: pointer; len: uint): uint32 {.importc, cdecl,
impyaraHdr.}
proc yr_hash_table_create*(size: cint; table: ptr ptr YR_HASH_TABLE): cint {.importc,
cdecl, impyaraHdr.}
proc yr_hash_table_clean*(table: ptr YR_HASH_TABLE;
free_value: YR_HASH_TABLE_FREE_VALUE_FUNC) {.importc,
cdecl, impyaraHdr.}
proc yr_hash_table_destroy*(table: ptr YR_HASH_TABLE;
free_value: YR_HASH_TABLE_FREE_VALUE_FUNC) {.importc,
cdecl, impyaraHdr.}
proc yr_hash_table_lookup*(table: ptr YR_HASH_TABLE; key: cstring; ns: cstring): pointer {.
importc, cdecl, impyaraHdr.}
proc yr_hash_table_remove*(table: ptr YR_HASH_TABLE; key: cstring; ns: cstring): pointer {.
importc, cdecl, impyaraHdr.}
proc yr_hash_table_add*(table: ptr YR_HASH_TABLE; key: cstring; ns: cstring;
value: pointer): cint {.importc, cdecl, impyaraHdr.}
proc yr_hash_table_add_uint32*(table: ptr YR_HASH_TABLE; key: cstring; ns: cstring;
value: uint32): cint {.importc, cdecl, impyaraHdr.}
proc yr_hash_table_lookup_uint32*(table: ptr YR_HASH_TABLE; key: cstring; ns: cstring): uint32 {.
importc, cdecl, impyaraHdr.}
proc yr_hash_table_lookup_raw_key*(table: ptr YR_HASH_TABLE; key: pointer;
key_length: uint; ns: cstring): pointer {.importc,
cdecl, impyaraHdr.}
proc yr_hash_table_remove_raw_key*(table: ptr YR_HASH_TABLE; key: pointer;
key_length: uint; ns: cstring): pointer {.importc,
cdecl, impyaraHdr.}
proc yr_hash_table_add_raw_key*(table: ptr YR_HASH_TABLE; key: pointer;
key_length: uint; ns: cstring; value: pointer): cint {.
importc, cdecl, impyaraHdr.}
proc yr_hash_table_add_uint32_raw_key*(table: ptr YR_HASH_TABLE; key: pointer;
key_length: uint; ns: cstring; value: uint32): cint {.
importc, cdecl, impyaraHdr.}
proc yr_hash_table_lookup_uint32_raw_key*(table: ptr YR_HASH_TABLE; key: pointer;
key_length: uint; ns: cstring): uint32 {.importc, cdecl, impyaraHdr.}
proc ss_compare*(s1: ptr SIZED_STRING; s2: ptr SIZED_STRING): cint {.importc, cdecl,
impyaraHdr.}
proc ss_icompare*(s1: ptr SIZED_STRING; s2: ptr SIZED_STRING): cint {.importc, cdecl,
impyaraHdr.}
proc ss_contains*(s1: ptr SIZED_STRING; s2: ptr SIZED_STRING): bool {.importc, cdecl,
impyaraHdr.}
proc ss_icontains*(s1: ptr SIZED_STRING; s2: ptr SIZED_STRING): bool {.importc, cdecl,
impyaraHdr.}
proc ss_startswith*(s1: ptr SIZED_STRING; s2: ptr SIZED_STRING): bool {.importc, cdecl,
impyaraHdr.}
proc ss_istartswith*(s1: ptr SIZED_STRING; s2: ptr SIZED_STRING): bool {.importc, cdecl,
impyaraHdr.}
proc ss_endswith*(s1: ptr SIZED_STRING; s2: ptr SIZED_STRING): bool {.importc, cdecl,
impyaraHdr.}
proc ss_iendswith*(s1: ptr SIZED_STRING; s2: ptr SIZED_STRING): bool {.importc, cdecl,
impyaraHdr.}
proc ss_dup*(s: ptr SIZED_STRING): ptr SIZED_STRING {.importc, cdecl, impyaraHdr.}
proc ss_new*(s: cstring): ptr SIZED_STRING {.importc, cdecl, impyaraHdr.}
proc ss_convert_to_wide*(s: ptr SIZED_STRING): ptr SIZED_STRING {.importc, cdecl,
impyaraHdr.}
proc yr_stopwatch_start*(stopwatch: ptr YR_STOPWATCH) {.importc, cdecl, impyaraHdr.}
## ```
## yr_stopwatch_start starts measuring time.
## ```
proc yr_stopwatch_elapsed_ns*(stopwatch: ptr YR_STOPWATCH): uint64 {.importc, cdecl,
impyaraHdr.}
## ```
## yr_stopwatch_elapsed_ns returns the number of nanoseconds elapsed
## since the last call to yr_stopwatch_start.
## ```
proc yr_current_thread_id*(): YR_THREAD_ID {.importc, cdecl, impyaraHdr.}
proc yr_mutex_create*(a1: ptr YR_MUTEX): cint {.importc, cdecl, impyaraHdr.}
proc yr_mutex_destroy*(a1: ptr YR_MUTEX): cint {.importc, cdecl, impyaraHdr.}
proc yr_mutex_lock*(a1: ptr YR_MUTEX): cint {.importc, cdecl, impyaraHdr.}
proc yr_mutex_unlock*(a1: ptr YR_MUTEX): cint {.importc, cdecl, impyaraHdr.}
proc yr_thread_storage_create*(a1: ptr YR_THREAD_STORAGE_KEY): cint {.importc, cdecl,
impyaraHdr.}
proc yr_thread_storage_destroy*(a1: ptr YR_THREAD_STORAGE_KEY): cint {.importc, cdecl,
impyaraHdr.}
proc yr_thread_storage_set_value*(a1: ptr YR_THREAD_STORAGE_KEY; a2: pointer): cint {.
importc, cdecl, impyaraHdr.}
proc yr_thread_storage_get_value*(a1: ptr YR_THREAD_STORAGE_KEY): pointer {.importc,
cdecl, impyaraHdr.}
## ```
## Created by Victor Manuel Alvarez on 3/4/20.
## ```
proc yr_notebook_create*(page_size: uint; pool: ptr ptr YR_NOTEBOOK): cint {.importc,
cdecl, impyaraHdr.}
proc yr_notebook_destroy*(pool: ptr YR_NOTEBOOK): cint {.importc, cdecl, impyaraHdr.}
proc yr_notebook_alloc*(notebook: ptr YR_NOTEBOOK; size: uint): pointer {.importc,
cdecl, impyaraHdr.}
proc yr_re_ast_create*(re_ast: ptr ptr RE_AST): cint {.importc, cdecl, impyaraHdr.}
proc yr_re_ast_destroy*(re_ast: ptr RE_AST) {.importc, cdecl, impyaraHdr.}
proc yr_re_ast_print*(re_ast: ptr RE_AST) {.importc, cdecl, impyaraHdr.}
proc yr_re_ast_extract_literal*(re_ast: ptr RE_AST): ptr SIZED_STRING {.importc, cdecl,
impyaraHdr.}
proc yr_re_ast_contains_dot_star*(re_ast: ptr RE_AST): cint {.importc, cdecl,
impyaraHdr.}
proc yr_re_ast_split_at_chaining_point*(re_ast: ptr RE_AST;
remainder_re_ast: ptr ptr RE_AST;
min_gap: ptr int32; max_gap: ptr int32): cint {.
importc, cdecl, impyaraHdr.}
proc yr_re_ast_emit_code*(re_ast: ptr RE_AST; arena: ptr YR_ARENA; backwards_code: cint): cint {.
importc, cdecl, impyaraHdr.}
proc yr_re_node_create*(`type`: cint): ptr RE_NODE {.importc, cdecl, impyaraHdr.}
proc yr_re_node_destroy*(node: ptr RE_NODE) {.importc, cdecl, impyaraHdr.}
proc yr_re_node_append_child*(node: ptr RE_NODE; child: ptr RE_NODE) {.importc, cdecl,
impyaraHdr.}
proc yr_re_node_prepend_child*(node: ptr RE_NODE; child: ptr RE_NODE) {.importc, cdecl,
impyaraHdr.}
proc yr_re_exec*(context: ptr YR_SCAN_CONTEXT; code: ptr uint8; input_data: ptr uint8;
input_forwards_size: uint; input_backwards_size: uint; flags: cint;
callback: RE_MATCH_CALLBACK_FUNC; callback_args: pointer;
matches: ptr cint): cint {.importc, cdecl, impyaraHdr.}
proc yr_re_fast_exec*(context: ptr YR_SCAN_CONTEXT; code: ptr uint8;
input_data: ptr uint8; input_forwards_size: uint;
input_backwards_size: uint; flags: cint;
callback: RE_MATCH_CALLBACK_FUNC; callback_args: pointer;
matches: ptr cint): cint {.importc, cdecl, impyaraHdr.}
proc yr_re_parse*(re_string: cstring; re_ast: ptr ptr RE_AST; error: ptr RE_ERROR): cint {.
importc, cdecl, impyaraHdr.}
proc yr_re_parse_hex*(hex_string: cstring; re_ast: ptr ptr RE_AST; error: ptr RE_ERROR): cint {.
importc, cdecl, impyaraHdr.}
proc yr_re_compile*(re_string: cstring; flags: cint; arena: ptr YR_ARENA;
`ref`: ptr YR_ARENA_REF; error: ptr RE_ERROR): cint {.importc, cdecl,
impyaraHdr.}
proc yr_re_match*(context: ptr YR_SCAN_CONTEXT; re: ptr RE; target: cstring): cint {.
importc, cdecl, impyaraHdr.}
proc yr_atoms_extract_from_re*(config: ptr YR_ATOMS_CONFIG; re_ast: ptr RE_AST;
modifier: YR_MODIFIER;
atoms: ptr ptr YR_ATOM_LIST_ITEM;
min_atom_quality: ptr cint): cint {.importc, cdecl,
impyaraHdr.}
proc yr_atoms_extract_from_string*(config: ptr YR_ATOMS_CONFIG; string: ptr uint8;
string_length: cint; modifier: YR_MODIFIER;
atoms: ptr ptr YR_ATOM_LIST_ITEM;
min_atom_quality: ptr cint): cint {.importc, cdecl,
impyaraHdr.}
proc yr_atoms_extract_triplets*(re_node: ptr RE_NODE;
atoms: ptr ptr YR_ATOM_LIST_ITEM): cint {.importc,
cdecl, impyaraHdr.}
proc yr_atoms_heuristic_quality*(config: ptr YR_ATOMS_CONFIG; atom: ptr YR_ATOM): cint {.
importc, cdecl, impyaraHdr.}
proc yr_atoms_table_quality*(config: ptr YR_ATOMS_CONFIG; atom: ptr YR_ATOM): cint {.
importc, cdecl, impyaraHdr.}
proc yr_atoms_min_quality*(config: ptr YR_ATOMS_CONFIG;
atom_list: ptr YR_ATOM_LIST_ITEM): cint {.importc, cdecl,
impyaraHdr.}
proc yr_atoms_list_destroy*(list_head: ptr YR_ATOM_LIST_ITEM) {.importc, cdecl,
impyaraHdr.}
proc yr_ac_automaton_create*(arena: ptr YR_ARENA; automaton: ptr ptr YR_AC_AUTOMATON): cint {.
importc, cdecl, impyaraHdr.}
proc yr_ac_automaton_destroy*(automaton: ptr YR_AC_AUTOMATON): cint {.importc, cdecl,
impyaraHdr.}
proc yr_ac_add_string*(automaton: ptr YR_AC_AUTOMATON; string: ptr YR_STRING;
string_idx: uint32; atom: ptr YR_ATOM_LIST_ITEM;
arena: ptr YR_ARENA): cint {.importc, cdecl, impyaraHdr.}
proc yr_ac_compile*(automaton: ptr YR_AC_AUTOMATON; arena: ptr YR_ARENA): cint {.
importc, cdecl, impyaraHdr.}
proc yr_ac_print_automaton*(automaton: ptr YR_AC_AUTOMATON) {.importc, cdecl,
impyaraHdr.}
proc yr_compiler_push_file_name*(compiler: ptr YR_COMPILER; file_name: cstring): cint {.
importc: "_yr_compiler_push_file_name", cdecl, impyaraHdr.}
proc yr_compiler_pop_file_name*(compiler: ptr YR_COMPILER) {.
importc: "_yr_compiler_pop_file_name", cdecl, impyaraHdr.}
proc yr_compiler_get_var_frame*(compiler: ptr YR_COMPILER): cint {.
importc: "_yr_compiler_get_var_frame", cdecl, impyaraHdr.}
proc yr_compiler_default_include_callback*(include_name: cstring;
calling_rule_filename: cstring; calling_rule_namespace: cstring;
user_data: pointer): cstring {.importc: "_yr_compiler_default_include_callback",
cdecl, impyaraHdr.}
proc yr_compiler_get_rule_by_idx*(compiler: ptr YR_COMPILER; rule_idx: uint32): ptr YR_RULE {.
importc: "_yr_compiler_get_rule_by_idx", cdecl, impyaraHdr.}
proc yr_compiler_store_string*(compiler: ptr YR_COMPILER; string: cstring;
`ref`: ptr YR_ARENA_REF): cint {.
importc: "_yr_compiler_store_string", cdecl, impyaraHdr.}
proc yr_compiler_store_data*(compiler: ptr YR_COMPILER; data: pointer;
data_length: uint; `ref`: ptr YR_ARENA_REF): cint {.
importc: "_yr_compiler_store_data", cdecl, impyaraHdr.}
proc yr_compiler_create*(compiler: ptr ptr YR_COMPILER): cint {.importc, cdecl,
impyaraHdr.}
proc yr_compiler_destroy*(compiler: ptr YR_COMPILER) {.importc, cdecl, impyaraHdr.}
proc yr_compiler_set_callback*(compiler: ptr YR_COMPILER;
callback: YR_COMPILER_CALLBACK_FUNC;
user_data: pointer) {.importc, cdecl, impyaraHdr.}
proc yr_compiler_set_include_callback*(compiler: ptr YR_COMPILER; include_callback: YR_COMPILER_INCLUDE_CALLBACK_FUNC;
include_free: YR_COMPILER_INCLUDE_FREE_FUNC; user_data: pointer) {.importc,
cdecl, impyaraHdr.}
proc yr_compiler_set_re_ast_callback*(compiler: ptr YR_COMPILER; re_ast_callback: YR_COMPILER_RE_AST_CALLBACK_FUNC;
user_data: pointer) {.importc, cdecl,
impyaraHdr.}
proc yr_compiler_set_atom_quality_table*(compiler: ptr YR_COMPILER; table: pointer;
entries: cint; warning_threshold: cuchar) {.
importc, cdecl, impyaraHdr.}
proc yr_compiler_load_atom_quality_table*(compiler: ptr YR_COMPILER;
filename: cstring; warning_threshold: cuchar): cint {.importc, cdecl, impyaraHdr.}
proc yr_compiler_add_file*(compiler: ptr YR_COMPILER; rules_file: File;
namespace_g: cstring; file_name: cstring): cint {.importc,
cdecl, impyaraHdr.}
proc yr_compiler_add_fd*(compiler: ptr YR_COMPILER; rules_fd: cint;
namespace_g: cstring; file_name: cstring): cint {.importc,
cdecl, impyaraHdr.}
proc yr_compiler_add_string*(compiler: ptr YR_COMPILER; rules_string: cstring;
namespace_g: cstring): cint {.importc, cdecl, impyaraHdr.}
proc yr_compiler_get_error_message*(compiler: ptr YR_COMPILER; buffer: cstring;
buffer_size: cint): cstring {.importc, cdecl,
impyaraHdr.}
proc yr_compiler_get_current_file_name*(compiler: ptr YR_COMPILER): cstring {.
importc, cdecl, impyaraHdr.}
proc yr_compiler_define_integer_variable*(compiler: ptr YR_COMPILER;
identifier: cstring; value: int64): cint {.importc, cdecl, impyaraHdr.}
proc yr_compiler_define_boolean_variable*(compiler: ptr YR_COMPILER;
identifier: cstring; value: cint): cint {.importc, cdecl, impyaraHdr.}
proc yr_compiler_define_float_variable*(compiler: ptr YR_COMPILER;
identifier: cstring; value: cdouble): cint {.
importc, cdecl, impyaraHdr.}
proc yr_compiler_define_string_variable*(compiler: ptr YR_COMPILER;
identifier: cstring; value: cstring): cint {.
importc, cdecl, impyaraHdr.}
proc yr_compiler_get_rules*(compiler: ptr YR_COMPILER; rules: ptr ptr YR_RULES): cint {.
importc, cdecl, impyaraHdr.}
proc yr_scan_verify_match*(context: ptr YR_SCAN_CONTEXT; ac_match: ptr YR_AC_MATCH;
data: ptr uint8; data_size: uint; data_base: uint64;
offset: uint): cint {.importc, cdecl, impyaraHdr.}
proc yr_rules_scan_mem_blocks*(rules: ptr YR_RULES;
`iterator`: ptr YR_MEMORY_BLOCK_ITERATOR;
flags: cint; callback: YR_CALLBACK_FUNC;
user_data: pointer; timeout: cint): cint {.importc,
cdecl, impyaraHdr.}
proc yr_rules_scan_mem*(rules: ptr YR_RULES; buffer: ptr uint8; buffer_size: uint;
flags: cint; callback: YR_CALLBACK_FUNC; user_data: pointer;
timeout: cint): cint {.importc, cdecl, impyaraHdr.}
proc yr_rules_scan_file*(rules: ptr YR_RULES; filename: cstring; flags: cint;
callback: YR_CALLBACK_FUNC; user_data: pointer;
timeout: cint): cint {.importc, cdecl, impyaraHdr.}
proc yr_rules_scan_fd*(rules: ptr YR_RULES; fd: cint; flags: cint;
callback: YR_CALLBACK_FUNC; user_data: pointer; timeout: cint): cint {.
importc, cdecl, impyaraHdr.}
proc yr_rules_scan_proc*(rules: ptr YR_RULES; pid: cint; flags: cint;
callback: YR_CALLBACK_FUNC; user_data: pointer;
timeout: cint): cint {.importc, cdecl, impyaraHdr.}
proc yr_rules_save*(rules: ptr YR_RULES; filename: cstring): cint {.importc, cdecl,
impyaraHdr.}
proc yr_rules_save_stream*(rules: ptr YR_RULES; stream: ptr YR_STREAM): cint {.importc,
cdecl, impyaraHdr.}
proc yr_rules_load*(filename: cstring; rules: ptr ptr YR_RULES): cint {.importc, cdecl,
impyaraHdr.}
proc yr_rules_load_stream*(stream: ptr YR_STREAM; rules: ptr ptr YR_RULES): cint {.
importc, cdecl, impyaraHdr.}
proc yr_rules_destroy*(rules: ptr YR_RULES): cint {.importc, cdecl, impyaraHdr.}
proc yr_rules_define_integer_variable*(rules: ptr YR_RULES; identifier: cstring;
value: int64): cint {.importc, cdecl,
impyaraHdr.}
proc yr_rules_define_boolean_variable*(rules: ptr YR_RULES; identifier: cstring;
value: cint): cint {.importc, cdecl, impyaraHdr.}
proc yr_rules_define_float_variable*(rules: ptr YR_RULES; identifier: cstring;
value: cdouble): cint {.importc, cdecl,
impyaraHdr.}
proc yr_rules_define_string_variable*(rules: ptr YR_RULES; identifier: cstring;
value: cstring): cint {.importc, cdecl,
impyaraHdr.}
proc yr_rules_get_stats*(rules: ptr YR_RULES; stats: ptr YR_RULES_STATS): cint {.
importc, cdecl, impyaraHdr.}
proc yr_rule_disable*(rule: ptr YR_RULE) {.importc, cdecl, impyaraHdr.}
proc yr_rule_enable*(rule: ptr YR_RULE) {.importc, cdecl, impyaraHdr.}
proc yr_rules_from_arena*(arena: ptr YR_ARENA; rules: ptr ptr YR_RULES): cint {.importc,
cdecl, impyaraHdr.}
proc yr_execute_code*(context: ptr YR_SCAN_CONTEXT): cint {.importc, cdecl, impyaraHdr.}
proc yr_object_create*(`type`: int8; identifier: cstring; parent: ptr YR_OBJECT;
`object`: ptr ptr YR_OBJECT): cint {.importc, cdecl, impyaraHdr.}
proc yr_object_set_canary*(`object`: ptr YR_OBJECT; canary: cint) {.importc, cdecl,
impyaraHdr.}
proc yr_object_function_create*(identifier: cstring; arguments_fmt: cstring;
return_fmt: cstring; `func`: YR_MODULE_FUNC;
parent: ptr YR_OBJECT; function: ptr ptr YR_OBJECT): cint {.
importc, cdecl, impyaraHdr.}
proc yr_object_from_external_variable*(external: ptr YR_EXTERNAL_VARIABLE;
`object`: ptr ptr YR_OBJECT): cint {.importc,
cdecl, impyaraHdr.}
proc yr_object_destroy*(`object`: ptr YR_OBJECT) {.importc, cdecl, impyaraHdr.}
proc yr_object_copy*(`object`: ptr YR_OBJECT; object_copy: ptr ptr YR_OBJECT): cint {.
importc, cdecl, impyaraHdr.}
proc yr_object_lookup_field*(`object`: ptr YR_OBJECT; field_name: cstring): ptr YR_OBJECT {.
importc, cdecl, impyaraHdr.}
proc yr_object_lookup*(root: ptr YR_OBJECT; flags: cint; pattern: cstring): ptr YR_OBJECT {.
importc, cdecl, impyaraHdr, varargs.}
proc yr_object_has_undefined_value*(`object`: ptr YR_OBJECT; field: cstring): bool {.
importc, cdecl, impyaraHdr, varargs.}
proc yr_object_get_float*(`object`: ptr YR_OBJECT; field: cstring): cdouble {.importc,
cdecl, impyaraHdr, varargs.}
proc yr_object_get_integer*(`object`: ptr YR_OBJECT; field: cstring): int64 {.importc,
cdecl, impyaraHdr, varargs.}
proc yr_object_get_string*(`object`: ptr YR_OBJECT; field: cstring): ptr SIZED_STRING {.
importc, cdecl, impyaraHdr, varargs.}
proc yr_object_set_integer*(value: int64; `object`: ptr YR_OBJECT; field: cstring): cint {.
importc, cdecl, impyaraHdr, varargs.}
proc yr_object_set_float*(value: cdouble; `object`: ptr YR_OBJECT; field: cstring): cint {.
importc, cdecl, impyaraHdr, varargs.}
proc yr_object_set_string*(value: cstring; len: uint; `object`: ptr YR_OBJECT;
field: cstring): cint {.importc, cdecl, impyaraHdr, varargs.}
proc yr_object_array_length*(`object`: ptr YR_OBJECT): cint {.importc, cdecl,
impyaraHdr.}
proc yr_object_array_get_item*(`object`: ptr YR_OBJECT; flags: cint; index: cint): ptr YR_OBJECT {.
importc, cdecl, impyaraHdr.}
proc yr_object_array_set_item*(`object`: ptr YR_OBJECT; item: ptr YR_OBJECT;
index: cint): cint {.importc, cdecl, impyaraHdr.}
proc yr_object_dict_get_item*(`object`: ptr YR_OBJECT; flags: cint; key: cstring): ptr YR_OBJECT {.
importc, cdecl, impyaraHdr.}
proc yr_object_dict_set_item*(`object`: ptr YR_OBJECT; item: ptr YR_OBJECT;
key: cstring): cint {.importc, cdecl, impyaraHdr.}
proc yr_object_structure_set_member*(`object`: ptr YR_OBJECT; member: ptr YR_OBJECT): cint {.
importc, cdecl, impyaraHdr.}
proc yr_object_get_root*(`object`: ptr YR_OBJECT): ptr YR_OBJECT {.importc, cdecl,
impyaraHdr.}
proc yr_object_print_data*(`object`: ptr YR_OBJECT; indent: cint;
print_identifier: cint) {.importc, cdecl, impyaraHdr.}
proc yr_initialize*(): cint {.importc, cdecl, impyaraHdr.}
proc yr_finalize*(): cint {.importc, cdecl, impyaraHdr.}
proc yr_set_configuration*(a1: YR_CONFIG_NAME; a2: pointer): cint {.importc, cdecl,
impyaraHdr.}
proc yr_get_configuration*(a1: YR_CONFIG_NAME; a2: pointer): cint {.importc, cdecl,
impyaraHdr.}
proc yr_modules_initialize*(): cint {.importc, cdecl, impyaraHdr.}
proc yr_modules_finalize*(): cint {.importc, cdecl, impyaraHdr.}
proc yr_modules_do_declarations*(module_name: cstring;
main_structure: ptr YR_OBJECT): cint {.importc,
cdecl, impyaraHdr.}
proc yr_modules_load*(module_name: cstring; context: ptr YR_SCAN_CONTEXT): cint {.
importc, cdecl, impyaraHdr.}
proc yr_modules_unload_all*(context: ptr YR_SCAN_CONTEXT): cint {.importc, cdecl,
impyaraHdr.}
proc yr_scanner_create*(rules: ptr YR_RULES; scanner: ptr ptr YR_SCANNER): cint {.
importc, cdecl, impyaraHdr.}
proc yr_scanner_destroy*(scanner: ptr YR_SCANNER) {.importc, cdecl, impyaraHdr.}
proc yr_scanner_set_callback*(scanner: ptr YR_SCANNER; callback: YR_CALLBACK_FUNC;
user_data: pointer) {.importc, cdecl, impyaraHdr.}
proc yr_scanner_set_timeout*(scanner: ptr YR_SCANNER; timeout: cint) {.importc, cdecl,
impyaraHdr.}
proc yr_scanner_set_flags*(scanner: ptr YR_SCANNER; flags: cint) {.importc, cdecl,
impyaraHdr.}
proc yr_scanner_define_integer_variable*(scanner: ptr YR_SCANNER;
identifier: cstring; value: int64): cint {.
importc, cdecl, impyaraHdr.}
proc yr_scanner_define_boolean_variable*(scanner: ptr YR_SCANNER;
identifier: cstring; value: cint): cint {.
importc, cdecl, impyaraHdr.}
proc yr_scanner_define_float_variable*(scanner: ptr YR_SCANNER; identifier: cstring;
value: cdouble): cint {.importc, cdecl,
impyaraHdr.}
proc yr_scanner_define_string_variable*(scanner: ptr YR_SCANNER;
identifier: cstring; value: cstring): cint {.
importc, cdecl, impyaraHdr.}
proc yr_scanner_scan_mem_blocks*(scanner: ptr YR_SCANNER;
`iterator`: ptr YR_MEMORY_BLOCK_ITERATOR): cint {.
importc, cdecl, impyaraHdr.}
proc yr_scanner_scan_file*(scanner: ptr YR_SCANNER; filename: cstring): cint {.importc,
cdecl, impyaraHdr.}
proc yr_scanner_scan_fd*(scanner: ptr YR_SCANNER; fd: cint): cint {.importc, cdecl,
impyaraHdr.}
proc yr_scanner_scan_proc*(scanner: ptr YR_SCANNER; pid: cint): cint {.importc, cdecl,
impyaraHdr.}
proc yr_scanner_last_error_rule*(scanner: ptr YR_SCANNER): ptr YR_RULE {.importc,
cdecl, impyaraHdr.}
proc yr_scanner_last_error_string*(scanner: ptr YR_SCANNER): ptr YR_STRING {.importc,
cdecl, impyaraHdr.}
proc yr_scanner_get_profiling_info*(scanner: ptr YR_SCANNER): ptr YR_RULE_PROFILING_INFO {.
importc, cdecl, impyaraHdr.}
proc yr_scanner_reset_profiling_info*(scanner: ptr YR_SCANNER) {.importc, cdecl,
impyaraHdr.}
proc yr_scanner_print_profiling_info*(scanner: ptr YR_SCANNER): cint {.importc, cdecl,
impyaraHdr.}
proc yr_calloc*(count: uint; size: uint): pointer {.importc, cdecl, impyaraHdr.}
proc yr_malloc*(size: uint): pointer {.importc, cdecl, impyaraHdr.}
proc yr_realloc*(`ptr`: pointer; size: uint): pointer {.importc, cdecl, impyaraHdr.}
proc yr_free*(`ptr`: pointer) {.importc, cdecl, impyaraHdr.}
proc yr_strdup*(str: cstring): cstring {.importc, cdecl, impyaraHdr.}
proc yr_strndup*(str: cstring; n: uint): cstring {.importc, cdecl, impyaraHdr.}
proc yr_heap_alloc*(): cint {.importc, cdecl, impyaraHdr.}
proc yr_heap_free*(): cint {.importc, cdecl, impyaraHdr.}
{.pop.}
@dmknght
Copy link

dmknght commented Oct 6, 2020

To use lib from yara binding, we have to add some flags:

switch("passL", "-lssl")
switch("passL", "-lcrypto")
switch("passL", "-lpthread")
switch("passL", "-lm")

for now, I can only use yr_rules_load. Other procs are having Illegal access error (runtime). It could be i'm using the proc in wrong way. I'm still getting to use it.

@genotrance
Copy link
Author

I've added those to the wrapper with cPassL().

@dmknght
Copy link

dmknght commented Oct 7, 2020
edited

After playing with the code, i think cast[ptr ptr Object](variable) caused the crash problem. Calling with addr() gave me now error.
Trying simulate the test code of yara https://github.com/VirusTotal/yara/blob/master/tests/test-api.c

proc compile_rule(txtRule: string, rules: ptr YR_RULES): int =
  var
    compiler: ptr YR_COMPILER
  result = ERROR_SUCCESS

  if yr_compiler_create(addr(compiler)) != ERROR_SUCCESS:
    echo "yr_compiler_create"
    return 1 # exit
  # yr_compiler_set_callback(compiler, c_compiler_callback, "nothing")
  if yr_compiler_add_string(compiler, txtRule, nil) != 0:
    return 0
  let compile_result = yr_compiler_get_rules(compiler, unsafeAddr(rules))


proc test_disabled_rule() =
  var
    rules: ptr YR_RULES
    rule: ptr YR_RULE
  let
    buf = "foo bar"
    rules_str = "rule disabled_rule {condition: true}\nrule false_rule {condition: true and disabled_rule}\nrule true_rule {condition: true or disabled_rule}"
  # var countrers: COUNTER
  discard yr_initialize()
  discard compile_rule(rules_str, rules)

@dmknght
Copy link

dmknght commented Oct 7, 2020
edited

Simulate test_scanner code
P/s: update: Add the callback function

# import wrapper here
import libyara

type
  COUNTERS = object
    rules_matching*: cint
    rules_not_matching*: cint

proc callback_count(context: ptr YR_SCAN_CONTEXT; message: cint; message_data: pointer; user_data: pointer): cint {.cdecl.} =
  case(message)
  of CALLBACK_MSG_RULE_MATCHING:
    let thisPointer = cast[ptr COUNTERS](user_data)
    thisPointer.rules_matching += 1
  of CALLBACK_MSG_RULE_NOT_MATCHING:
    let thisPointer = cast[ptr COUNTERS](user_data)
    thisPointer.rules_not_matching += 1
  else:
    discard
  return CALLBACK_CONTINUE


proc test_scanner() =
  let
    buf = "dummy"
    rules_str = "rule true_rule {\n\tcondition:true\n}\nrule false_rule\n{\n\tcondition: false\n}\nrule test\n{\n\tcondition: bool_var and int_var == 1 and str_var == \"foo\"\n}"
  var
    compiler: ptr YR_COMPILER
    rules: ptr YR_RULES
    scanner: ptr YR_SCANNER
    xResult: int
  discard yr_initialize()
  if yr_compiler_create(addr(compiler)) != ERROR_SUCCESS:
    return
  discard yr_compiler_define_integer_variable(compiler, "int_var", 0)
  discard yr_compiler_define_boolean_variable(compiler, "bool_var", 0)
  discard yr_compiler_define_string_variable(compiler, "str_var", "")
  if yr_compiler_define_string_variable(compiler, "str_var", "") != ERROR_DUPLICATED_EXTERNAL_VARIABLE:
    yr_compiler_destroy(compiler);
    echo "expecting ERROR_DUPLICATED_EXTERNAL_VARIABLE"
    return
  if yr_compiler_add_string(compiler, rules_str, nil) != 0:
    yr_compiler_destroy(compiler);
    echo "yr_compiler_add_string"
    return

  if yr_compiler_get_rules(compiler, addr(rules)) != ERROR_SUCCESS:
    yr_compiler_destroy(compiler)
    echo("yr_compiler_get_rules")
    return

  yr_compiler_destroy(compiler);

  if yr_scanner_create(rules, addr(scanner)) != ERROR_SUCCESS:
    discard yr_rules_destroy(rules)
    echo("yr_scanner_create")
    return

  xResult = yr_scanner_scan_mem(scanner, cast[ptr uint8](buf), cast[uint](len(buf)))

  if xResult != ERROR_CALLBACK_REQUIRED:
    yr_scanner_destroy(scanner)
    discard yr_rules_destroy(rules)
    echo("expecting ERROR_CALLBACK_REQUIRED (%d), got: %d\n", ERROR_CALLBACK_REQUIRED, xResult)
    return

  var counters = COUNTERS()

  counters.rules_not_matching = 0;
  counters.rules_matching = 0;

  yr_scanner_set_callback(scanner, callback_count, addr(counters));
  discard yr_scanner_define_integer_variable(scanner, "int_var", 1);
  discard yr_scanner_define_boolean_variable(scanner, "bool_var", 1)
  discard yr_scanner_define_string_variable(scanner, "str_var", "foo")

  xResult = yr_scanner_scan_mem(scanner, cast[ptr uint8](buf), cast[uint](len(buf)))
  if xResult != ERROR_SUCCESS:
    yr_scanner_destroy(scanner)
    discard yr_rules_destroy(rules)
    echo("expecting ERROR_SUCCESS (", ERROR_SUCCESS, "), got: ", xResult)

  if counters.rules_matching != 2 or counters.rules_not_matching != 1:
    yr_scanner_destroy(scanner)
    discard yr_rules_destroy(rules)
  
  echo counters.rules_not_matching
  echo counters.rules_matching

test_scanner()

@dmknght
Copy link

dmknght commented Oct 8, 2020

And other example that scan a hello world file. Custom rule and custom binary should be set

proc test_scanner() =
  let ruleFile = open("tmprule.yara")
  var
    compiler: ptr YR_COMPILER
    rules: ptr YR_RULES
    scanner: ptr YR_SCANNER
    xResult: int
  discard yr_initialize()
  if yr_compiler_create(addr(compiler)) != ERROR_SUCCESS:
    return
  discard yr_compiler_define_integer_variable(compiler, "int_var", 0)
  discard yr_compiler_define_boolean_variable(compiler, "bool_var", 0)
  discard yr_compiler_define_string_variable(compiler, "str_var", "")
  if yr_compiler_define_string_variable(compiler, "str_var", "") != ERROR_DUPLICATED_EXTERNAL_VARIABLE:
    yr_compiler_destroy(compiler);
    echo "expecting ERROR_DUPLICATED_EXTERNAL_VARIABLE"
    return

  if yr_compiler_add_file(compiler, ruleFile, "namespace", "tmprule.yara") != 0:
    yr_compiler_destroy(compiler)
    echo "Error while adding rule"
    return

  if yr_compiler_get_rules(compiler, addr(rules)) != ERROR_SUCCESS:
    yr_compiler_destroy(compiler)
    echo("yr_compiler_get_rules")
    return

  yr_compiler_destroy(compiler);

  if yr_scanner_create(rules, addr(scanner)) != ERROR_SUCCESS:
    discard yr_rules_destroy(rules)
    echo("yr_scanner_create")
    return

  var counters = COUNTERS()

  counters.rules_not_matching = 0;
  counters.rules_matching = 0;

  yr_scanner_set_callback(scanner, callback_count, addr(counters));
  discard yr_scanner_define_integer_variable(scanner, "int_var", 1);
  discard yr_scanner_define_boolean_variable(scanner, "bool_var", 1)
  discard yr_scanner_define_string_variable(scanner, "str_var", "foo")

  xResult = yr_scanner_scan_File(scanner, "/tmp/test")
  
  yr_scanner_destroy(scanner)
  discard yr_rules_destroy(rules)
  if counters.rules_matching == 1:
    echo "Catch"
  else:
    echo "Wrong"

test_scanner()

@dmknght
Copy link

dmknght commented Oct 8, 2020

I've changed some pragma for dynamic path while compiling and add compile flags

{.pragma: impyaraHdr, header: "libyara/include/yara.h".}
{.experimental: "codeReordering".}
{.passC: "-I" & currentSourcePath().splitPath.head.} # https://forum.nim-lang.org/t/2668
{.passL: currentSourcePath().splitPath.head & "/libyara/.libs/libyara.a".}
{.passL: "-lssl -lcrypto -lpthread -lm".} # Add nix Lib that yara import

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment