Hugal31 / yara-rust

Rust bindings for VirusTotal/Yara
Apache License 2.0

feat: add helpers to get module values on scans #96

Closed vthib closed 1 year ago

vthib commented 1 year ago

I need to be able to read and enumerate the module values that YARA generated during a scan. This can be done by listening for the ModuleImported callback msg, and going through the object given by YARA.

This MR adds helpers to be able to do this with the Rust bindings:

This isn't the cleanest code I've ever written, but the YARA code is quite messy as well. The `YR_OBJECT` is a "simulated OOP in C"-style struct, and like all OOP impls in C, it is terribly unsafe. So I have used a big unsafe block when converting the `YR_OBJECT` to a Rust enum (`YrObjectValue`), which does the same thing that is done on YARA's side when it is reading those values. I could remove this huge unsafe block and replace it with multiple local unsafe blocks, but I'm not sure how much it would really improve this code.

Please tell me what you think, thanks!
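The comment above weighs one large unsafe block against several local ones when turning a C tagged object into a Rust enum. The following is an added example, not code from this MR or from yara-rust, showing the local-block variant, where each `unsafe` carries its own justification and unknown tags are never reinterpreted. It assumes a constructed, simplified tagged union rather than YARA's real `YR_OBJECT` layout; `RawObject`, `RawValue`, `ObjectValue`, the `TAG_*` constants and `read_value` are hypothetical names.

```rust
// Constructed, simplified model of a C tagged object. This is NOT YARA's
// real YR_OBJECT layout; every name below is hypothetical.
use std::{ffi::CStr, os::raw::c_char};

pub const TAG_INTEGER: u8 = 1;
pub const TAG_FLOAT: u8 = 2;
pub const TAG_STRING: u8 = 3;

#[repr(C)]
pub union RawValue { pub i: i64, pub d: f64, pub s: *const c_char }

#[repr(C)]
pub struct RawObject { pub tag: u8, pub value: RawValue }

#[derive(Debug, PartialEq)]
pub enum ObjectValue { Integer(i64), Float(f64), String(Vec<u8>), Undefined }

/// # Safety
/// `obj.tag` must name the union field last written, and a TAG_STRING
/// pointer must be null or point to a NUL-terminated buffer.
pub unsafe fn read_value(obj: &RawObject) -> ObjectValue {
    match obj.tag {
        // SAFETY (both scalar arms): the tag names the active field.
        TAG_INTEGER => ObjectValue::Integer(unsafe { obj.value.i }),
        TAG_FLOAT => ObjectValue::Float(unsafe { obj.value.d }),
        TAG_STRING => {
            // SAFETY: the tag says the pointer field is the active one.
            let ptr = unsafe { obj.value.s };
            if ptr.is_null() {
                return ObjectValue::Undefined;
            }
            // SAFETY: non-null and NUL-terminated per the contract above.
            ObjectValue::String(unsafe { CStr::from_ptr(ptr) }.to_bytes().to_vec())
        }
        // Unknown tags are never reinterpreted as any field.
        _ => ObjectValue::Undefined,
    }
}

fn main() {
    // Constructed sample: a string-tagged object pointing at "MZ\0".
    let obj = RawObject { tag: TAG_STRING, value: RawValue { s: b"MZ\0".as_ptr().cast() } };
    // SAFETY: the tag matches the field written; the buffer is NUL-terminated.
    println!("{:?}", unsafe { read_value(&obj) });
}
```

The string arm copies the bytes into an owned `Vec<u8>`, so the returned enum does not borrow memory owned by the C side after the callback returns.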

vthib commented 1 year ago

Linter is failing but unrelated to this MR: Rust 1.67 just got released and some new lints are reported on existing code.

vthib commented 1 year ago

Anything blocking this MR, or that you want me to change, @Hugal31?

Hugal31 commented 1 year ago

Nope, it's fine. Thank you!