Fix problem with string matches offsets not being treated as virtual …

…addresses while scanning a process

libyara/exec.c

@@ -505,14 +505,14 @@ int yr_execute_code(
 
         while (match != NULL)
         {
-          if (r1 == match->offset)
+          if (r1 == match->base + match->offset)
           {
             push(1);
             found = 1;
             break;
           }
 
-          if (r1 < match->offset)
+          if (r1 < match->base + match->offset)
             break;
 
           match = match->next;
@@ -540,13 +540,14 @@ int yr_execute_code(
 
         while (match != NULL && !found)
         {
-          if (match->offset >= r1 && match->offset <= r2)
+          if (match->base + match->offset >= r1 &&
+              match->base + match->offset <= r2)
           {
             push(1);
             found = TRUE;
           }
 
-          if (match->offset > r2)
+          if (match->base + match->offset > r2)
             break;
 
           match = match->next;
@@ -582,7 +583,7 @@ int yr_execute_code(
         {
           if (r1 == i)
           {
-            push(match->offset);
+            push(match->base + match->offset);
             found = TRUE;
           }
 

libyara/include/yara/scan.h

@@ -45,6 +45,7 @@ int yr_scan_verify_match(
     YR_AC_MATCH* ac_match,
     uint8_t* data,
     size_t data_size,
+    size_t data_base,
     size_t offset,
     YR_ARENA* matches_arena,
     int flags);

libyara/include/yara/types.h

@@ -167,6 +167,7 @@ typedef struct _YR_META
 
 typedef struct _YR_MATCH
 {
+  int64_t base;
   int64_t offset;
   int32_t length;
 

libyara/rules.c

@@ -215,8 +215,7 @@ void yr_rules_print_profiling_info(
 
 int yr_rules_scan_mem_block(
     YR_RULES* rules,
-    uint8_t* data,
-    size_t data_size,
+    YR_MEMORY_BLOCK* block,
     int flags,
     int timeout,
     time_t start_time,
@@ -231,7 +230,7 @@ int yr_rules_scan_mem_block(
   current_state = rules->automaton->root;
   i = 0;
 
-  while (i < data_size)
+  while (i < block->size)
   {
     ac_match = current_state->matches;
 
@@ -241,8 +240,9 @@ int yr_rules_scan_mem_block(
       {
         FAIL_ON_ERROR(yr_scan_verify_match(
             ac_match,
-            data,
-            data_size,
+            block->data,
+            block->size,
+            block->base,
             i - ac_match->backtrack,
             matches_arena,
             flags));
@@ -251,12 +251,12 @@ int yr_rules_scan_mem_block(
       ac_match = ac_match->next;
     }
 
-    next_state = yr_ac_next_state(current_state, data[i]);
+    next_state = yr_ac_next_state(current_state, block->data[i]);
 
     while (next_state == NULL && current_state->depth > 0)
     {
       current_state = current_state->failure;
-      next_state = yr_ac_next_state(current_state, data[i]);
+      next_state = yr_ac_next_state(current_state, block->data[i]);
     }
 
     if (next_state != NULL)
@@ -275,13 +275,14 @@ int yr_rules_scan_mem_block(
 
   while (ac_match != NULL)
   {
-    if (ac_match->backtrack <= data_size)
+    if (ac_match->backtrack <= block->size)
     {
       FAIL_ON_ERROR(yr_scan_verify_match(
           ac_match,
-          data,
-          data_size,
-          data_size - ac_match->backtrack,
+          block->data,
+          block->size,
+          block->base,
+          block->size - ac_match->backtrack,
           matches_arena,
           flags));
     }
@@ -397,8 +398,7 @@ int yr_rules_scan_mem_blocks(
 
     result = yr_rules_scan_mem_block(
         rules,
-        block->data,
-        block->size,
+        block,
         flags,
         timeout,
         start_time,

libyara/scan.c

@@ -32,9 +32,12 @@ typedef struct _CALLBACK_ARGS
 {
   YR_STRING* string;
   YR_ARENA* matches_arena;
-  int forward_matches;
+
   uint8_t* data;
-  int data_size;
+  size_t data_size;
+  size_t data_base;
+
+  int forward_matches;
   int full_word;
   int tidx;
 
@@ -408,6 +411,7 @@ int _yr_scan_verify_chained_string_match(
     YR_ARENA* matches_arena,
     YR_STRING* matching_string,
     uint8_t* match_data,
+    size_t match_base,
     size_t match_offset,
     int32_t match_length,
     int tidx)
@@ -521,6 +525,7 @@ int _yr_scan_verify_chained_string_match(
           sizeof(YR_MATCH),
           (void**) &new_match));
 
+      new_match->base = match_base;
       new_match->offset = match_offset;
       new_match->length = match_length;
       new_match->data = match_data;
@@ -588,6 +593,7 @@ int _yr_scan_match_callback(
         callback_args->matches_arena,
         string,
         match_data,
+        callback_args->data_base,
         match_offset,
         match_length,
         tidx);
@@ -601,6 +607,7 @@ int _yr_scan_match_callback(
 
     if (result == ERROR_SUCCESS)
     {
+      new_match->base = callback_args->data_base;
       new_match->offset = match_offset;
       new_match->length = match_length;
       new_match->data = match_data;
@@ -630,6 +637,7 @@ int _yr_scan_verify_re_match(
     YR_AC_MATCH* ac_match,
     uint8_t* data,
     size_t data_size,
+    size_t data_base,
     size_t offset,
     YR_ARENA* matches_arena)
 {
@@ -684,6 +692,7 @@ int _yr_scan_verify_re_match(
   callback_args.string = ac_match->string;
   callback_args.data = data;
   callback_args.data_size = data_size;
+  callback_args.data_base = data_base;
   callback_args.matches_arena = matches_arena;
   callback_args.forward_matches = forward_matches;
   callback_args.full_word = STRING_IS_FULL_WORD(ac_match->string);
@@ -719,6 +728,7 @@ int _yr_scan_verify_literal_match(
     YR_AC_MATCH* ac_match,
     uint8_t* data,
     size_t data_size,
+    size_t data_base,
     size_t offset,
     YR_ARENA* matches_arena)
 {
@@ -811,6 +821,7 @@ int _yr_scan_verify_literal_match(
     callback_args.string = string;
     callback_args.data = data;
     callback_args.data_size = data_size;
+    callback_args.data_base = data_base;
     callback_args.matches_arena = matches_arena;
     callback_args.forward_matches = forward_matches;
     callback_args.full_word = STRING_IS_FULL_WORD(string);
@@ -828,6 +839,7 @@ int yr_scan_verify_match(
     YR_AC_MATCH* ac_match,
     uint8_t* data,
     size_t data_size,
+    size_t data_base,
     size_t offset,
     YR_ARENA* matches_arena,
     int flags)
@@ -849,12 +861,12 @@ int yr_scan_verify_match(
   if (STRING_IS_LITERAL(string))
   {
     FAIL_ON_ERROR(_yr_scan_verify_literal_match(
-        ac_match, data, data_size, offset, matches_arena));
+        ac_match, data, data_size, data_base, offset, matches_arena));
   }
   else
   {
     FAIL_ON_ERROR(_yr_scan_verify_re_match(
-        ac_match, data, data_size, offset, matches_arena));
+        ac_match, data, data_size, data_base, offset, matches_arena));
   }
 
   #ifdef PROFILING_ENABLED

yara.c

@@ -251,7 +251,7 @@ int is_directory(
 {
   DWORD attributes = GetFileAttributes(path);
 
-  if (attributes != INVALID_FILE_ATTRIBUTES && 
+  if (attributes != INVALID_FILE_ATTRIBUTES &&
 	  attributes & FILE_ATTRIBUTE_DIRECTORY)
     return TRUE;
   else
@@ -574,7 +574,9 @@ int handle_message(int message, YR_RULE* rule, void* data)
 
           while (match != NULL)
           {
-            printf("0x%" PRIx64 ":%s: ", match->offset, string->identifier);
+            printf("0x%" PRIx64 ":%s: ",
+                match->base + match->offset,
+                string->identifier);
 
             if (STRING_IS_HEX(string))
               print_hex_string(match->data, match->length);