Award

Reputation: 3

Problem while using scanner with libyara in C++

So, I'm using libyara in C++ and trying to create a scanner that scans a file against given yara rules and returns whether it finds any matches. Here's the flow of the project -

  1. A yara rules source file is compiled into a compiled yara rules file using compiler.cpp (my own C++ compiler made using libyara)
  2. The compiled rule is then used in my scanner.cpp file to scan a file against the compiled rule file provided to it.

Here's my yara rules source file with a .yar extension - rule AlwaysTrue { condition: true }

Below, I've attached my compiler.cpp and scanner.cpp files (uploaded here in txt format cuz cpp isn't allowed) scan.txt compile.txt

And now, according to the rules file, I should always get a match as the rule is always true, but I get an unknown callback msg. as mentioned in my scanner file

Though, when I try to scan my file with yara cli using the same .yar rules file, it works and gives me a match.

Now I don't know where I went wrong but would appreciate any help:) (been stuck with this for 2 days now:/)

I compiled my code, and ran ./scanner but it gives me this output -

Callback: Message received with code -2052980432
Callback: Message received with code -2052980432

whereas, it should give me a match to my yara rule instead.

Upvotes: -1

Views: 239

Answers (1)

Botje

Reputation: 31020

The definition of YR_CALLBACK_FUNC is as follows:

typedef int (*YR_CALLBACK_FUNC)(
    YR_SCAN_CONTEXT* context,
    int message,
    void* message_data,
    void* user_data);

And your callback function has the following signature:

int callback(int message, void* message_data, void* user_data);

This means your "message" is actually the address of the YR_SCAN_CONTEXT. After fixing up the prototype of callback, I get:

Scanning a file...
Match found for rule: AlwaysTrue
Callback: Message received with code 3
File scanned successfully
Libyara finalized successfully

Upvotes: 0
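As an added illustration of the point in the answer (this is not the asker's scanner.cpp nor libyara's own code), the block below is a self-contained C++ program that compiles without libyara installed. It copies the YR_CALLBACK_FUNC typedef quoted above, uses the message and return codes as defined in libyara's public header (assumption: YARA 4.x values, where CALLBACK_MSG_SCAN_FINISHED is 3, the code seen in the answer's output), and replaces yr_rules_scan_file() with a stand-in run_fake_scan() that invokes the callback in the same order the library does. The YR_RULE stand-in carries only the identifier field used here, and the rule outcomes fed to the fake scan are constructed. The static_assert is the check a practitioner would add: with the asker's three-argument callback it fails to build instead of silently handing the context pointer to the callback as the message code.

```cpp
// Added example, not the asker's or answerer's code. Mirrors the libyara
// callback contract so it builds without libyara; see the lead-in for what
// is copied from the library and what is a stand-in.
#include <cstdio>
#include <string>
#include <type_traits>
#include <utility>
#include <vector>

struct YR_SCAN_CONTEXT;  // opaque to the callback, as in libyara

// Same shape as libyara's YR_CALLBACK_FUNC (quoted in the answer above).
typedef int (*YR_CALLBACK_FUNC)(YR_SCAN_CONTEXT* context, int message,
                                void* message_data, void* user_data);

// Message and return codes as defined in libyara's public header
// (assumption: YARA 4.x values).
enum {
  CALLBACK_MSG_RULE_MATCHING = 1,
  CALLBACK_MSG_RULE_NOT_MATCHING = 2,
  CALLBACK_MSG_SCAN_FINISHED = 3,
  CALLBACK_CONTINUE = 0,
  CALLBACK_ERROR = 2
};

// Minimal stand-in for YR_RULE: the real library passes a YR_RULE* whose
// `identifier` member is the rule name.
struct YR_RULE { const char* identifier; };

// State passed through user_data and filled in by the callback.
struct ScanResult {
  std::vector<std::string> matched;
  bool finished = false;
};

// Correct prototype: the scan context comes first, the message code second.
int scan_callback(YR_SCAN_CONTEXT* /*context*/, int message,
                  void* message_data, void* user_data) {
  auto* result = static_cast<ScanResult*>(user_data);
  if (result == nullptr) return CALLBACK_ERROR;  // refuse to run without state
  switch (message) {
    case CALLBACK_MSG_RULE_MATCHING:
      result->matched.emplace_back(static_cast<YR_RULE*>(message_data)->identifier);
      break;
    case CALLBACK_MSG_RULE_NOT_MATCHING:
      break;  // nothing to record
    case CALLBACK_MSG_SCAN_FINISHED:
      result->finished = true;
      break;
    default:
      std::printf("Callback: Message received with code %d\n", message);
  }
  return CALLBACK_CONTINUE;
}

// Compile-time check that the callback has exactly the library's type. A
// three-argument callback (the asker's version) makes this line fail to build.
static_assert(std::is_same<decltype(&scan_callback), YR_CALLBACK_FUNC>::value,
              "scan_callback does not match YR_CALLBACK_FUNC");

// Stand-in for yr_rules_scan_file(): reports each rule, then sends
// CALLBACK_MSG_SCAN_FINISHED. `outcomes` holds constructed (rule name, matched) pairs.
int run_fake_scan(const std::vector<std::pair<std::string, bool>>& outcomes,
                  YR_CALLBACK_FUNC callback, void* user_data) {
  for (const auto& outcome : outcomes) {
    YR_RULE rule{outcome.first.c_str()};
    int msg = outcome.second ? CALLBACK_MSG_RULE_MATCHING : CALLBACK_MSG_RULE_NOT_MATCHING;
    int rc = callback(nullptr, msg, &rule, user_data);
    if (rc != CALLBACK_CONTINUE) return rc;
  }
  return callback(nullptr, CALLBACK_MSG_SCAN_FINISHED, nullptr, user_data);
}

// Runs the fake scan with the asker's AlwaysTrue rule plus a constructed non-matching one.
ScanResult scan_sample() {
  ScanResult result;
  run_fake_scan({{"AlwaysTrue", true}, {"NeverTrue", false}}, scan_callback, &result);
  return result;
}

int main() {
  ScanResult r = scan_sample();
  for (const auto& name : r.matched)
    std::printf("Match found for rule: %s\n", name.c_str());
  std::printf("%s\n", r.finished ? "File scanned successfully" : "Scan did not finish");
  return 0;
}
```

In a real scanner the same scan_callback is what you hand to libyara, e.g. yr_rules_scan_file(rules, path, 0, scan_callback, &result, 0), and the static_assert stays useful there: it is the compiler, not a cast, that should tell you whether the callback's parameters line up with the library's typedef.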
