Neo23x0 / Raccine

A Simple Ransomware Vaccine
The Unlicense

Feature: Pass external variables into YARA matching #68

Closed Neo23x0 closed 3 years ago

Eran-YT commented 3 years ago

I opened a PR that fixes the conflicts, it compiles and the tests pass, but there are no tests for the new features, so I don't know if they work

Neo23x0 commented 3 years ago

It builds but fails to run.

Faulting application name: Raccine.exe, version: 0.0.0.0, time stamp: 0x5f95c384
Faulting module name: Raccine.exe, version: 0.0.0.0, time stamp: 0x5f95c384
Exception code: 0xc0000409
Fault offset: 0x0000000000024e4d
Faulting process id: 0x1a08
Faulting application start time: 0x01d6aafc89879cec
Faulting application path: C:\Program Files\Raccine\Raccine.exe
Faulting module path: C:\Program Files\Raccine\Raccine.exe
Report Id: 9e9e573c-3bb7-4d40-8404-62c346d4238a
Faulting package full name: 
Faulting package-relative application ID: 


Eran-YT commented 3 years ago

I don't know why that is, works fine on my machine. What command line did you use?

Neo23x0 commented 3 years ago

Any command line that triggers Raccine causes this crash on my machine.

Exception code: 0xc0000409 means STATUS_STACK_BUFFER_OVERRUN

Neo23x0 commented 3 years ago

I'll start debugging ... I already found out that it happens when the YARA rules are read.


Neo23x0 commented 3 years ago

It seems to be a problem with the directory_iterator that I haven't seen before. I tried it with several existing paths and even rebooted the system once in between.


Neo23x0 commented 3 years ago

It works when I set it manually to a wstring of L"C:\\ProgramData\\Raccine\\yara"

And it doesn't appear when I use .c_str()

According to the documentation, the current version should be okay. https://docs.w3cub.com/cpp/filesystem/directory_iterator/directory_iterator/

I don't understand why that happens.

Eran-YT commented 3 years ago

Try to see if you have a null character at the end of the yara_rules_dir variable, that might cause this

Neo23x0 commented 3 years ago

I've edited the value in Registry multiple times while testing, removed it with an uninstall, added it again using:

REG.EXE ADD HKLM\Software\Raccine /v RulesDir /t REG_SZ /d %ProgramData%\Raccine\yara /F

Maybe the function that reads Registry string values has an error.

Eran-YT commented 3 years ago

From a quick look, it seems raccineconfig::read_string_from_registry has a bug, I’ll see if I can fix it
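To illustrate the trailing-null hypothesis from the comments above (an added example, not Raccine's own code): RegQueryValueExW reports a REG_SZ byte count that includes the terminating null, so building a wstring from that count verbatim yields a path with an embedded L'\0', which std::filesystem cannot open. The RegSzSample type and the helper names below are hypothetical stand-ins so the snippet runs without the Windows API.

```cpp
#include <cstddef>
#include <cwchar>
#include <iostream>
#include <string>
#include <vector>

// Constructed stand-in for the buffer RegQueryValueExW fills for a REG_SZ
// value: the data carries the terminating null and cbData counts it too.
struct RegSzSample {
    std::vector<wchar_t> data;  // characters, terminator included
    std::size_t cbData;         // byte count as the API would report it
};

RegSzSample make_reg_sz_sample(const wchar_t* value) {
    RegSzSample s;
    std::size_t n = std::wcslen(value);
    s.data.assign(value, value + n + 1);   // copy including L'\0'
    s.cbData = (n + 1) * sizeof(wchar_t); // REG_SZ count includes terminator
    return s;
}

// Buggy conversion: trusts cbData literally, so the terminator becomes a real
// character of the string (size() is one too large, path no longer matches).
std::wstring read_string_buggy(const RegSzSample& s) {
    return std::wstring(s.data.data(), s.cbData / sizeof(wchar_t));
}

// Corrected conversion: convert, then strip trailing nulls. Stripping in a
// loop is deliberate: REG_SZ data is not guaranteed to be terminated at all.
std::wstring read_string_fixed(const RegSzSample& s) {
    std::wstring out(s.data.data(), s.cbData / sizeof(wchar_t));
    while (!out.empty() && out.back() == L'\0') {
        out.pop_back();
    }
    return out;
}

// True when the value would carry an embedded null into std::filesystem::path.
bool has_embedded_null(const std::wstring& s) {
    return s.find(L'\0') != std::wstring::npos;
}

int main() {
    RegSzSample s = make_reg_sz_sample(L"C:\\ProgramData\\Raccine\\yara");
    std::cout << "buggy size: " << read_string_buggy(s).size()
              << ", fixed size: " << read_string_fixed(s).size() << "\n";
    return 0;
}
```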

Eran-YT commented 3 years ago

@Neo23x0 try to see if #71 solves this crash