diff options
author | Cyrille Bagard <nocbos@gmail.com> | 2023-08-06 16:54:57 (GMT) |
---|---|---|
committer | Cyrille Bagard <nocbos@gmail.com> | 2023-08-06 16:54:57 (GMT) |
commit | 4fcc35a52ccb025b6d803d85e017931cd2452960 (patch) | |
tree | e95920f16c273e41f9cae1ea2f02571c221a514e /src/analysis/scan/items | |
parent | 74d062d4ec55d7ac3914bbf64b8b6c5ab52227df (diff) |
Extend the ROST grammar with a first batch of new features.
Diffstat (limited to 'src/analysis/scan/items')
25 files changed, 2730 insertions, 99 deletions
diff --git a/src/analysis/scan/items/Makefile.am b/src/analysis/scan/items/Makefile.am index 3a6bb62..ce39cad 100644 --- a/src/analysis/scan/items/Makefile.am +++ b/src/analysis/scan/items/Makefile.am @@ -2,14 +2,32 @@ noinst_LTLIBRARIES = libanalysisscanitems.la +if BUILD_MAGIC_SUPPORT + +MAGIC_LIBADD = magic/libanalysisscanitemsmagic.la + +MAGIC_SUBDIRS = magic + +endif + + libanalysisscanitems_la_SOURCES = \ + count.h count.c \ datasize.h datasize.c \ uint-int.h \ uint.h uint.c +libanalysisscanitems_la_LIBADD = \ + console/libanalysisscanitemsconsole.la \ + $(MAGIC_LIBADD) \ + time/libanalysisscanitemstime.la + libanalysisscanitems_la_CFLAGS = $(LIBGOBJ_CFLAGS) devdir = $(includedir)/chrysalide/$(subdir:src/%=core/%) dev_HEADERS = $(libanalysisscanitems_la_SOURCES:%c=) + + +SUBDIRS = console $(MAGIC_SUBDIRS) time diff --git a/src/analysis/scan/items/console/Makefile.am b/src/analysis/scan/items/console/Makefile.am new file mode 100644 index 0000000..4433789 --- /dev/null +++ b/src/analysis/scan/items/console/Makefile.am @@ -0,0 +1,13 @@ + +noinst_LTLIBRARIES = libanalysisscanitemsconsole.la + + +libanalysisscanitemsconsole_la_SOURCES = \ + log.h log.c + +libanalysisscanitemsconsole_la_CFLAGS = $(LIBGOBJ_CFLAGS) + + +devdir = $(includedir)/chrysalide/$(subdir:src/%=core/%) + +dev_HEADERS = $(libanalysisscanitemsconsole_la_SOURCES:%c=) diff --git a/src/analysis/scan/items/console/log.c b/src/analysis/scan/items/console/log.c new file mode 100644 index 0000000..f4031c7 --- /dev/null +++ b/src/analysis/scan/items/console/log.c @@ -0,0 +1,303 @@ + +/* Chrysalide - Outil d'analyse de fichiers binaires + * log.c - affichage de message à partir des conditions d'une règle + * + * Copyright (C) 2023 Cyrille Bagard + * + * This file is part of Chrysalide. + * + * Chrysalide is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * Chrysalide is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with Foobar. If not, see <http://www.gnu.org/licenses/>. + */ + + +#include "log.h" + + +#include <ctype.h> + + +#include "../../item-int.h" +#include "../../exprs/literal.h" + + + +/* ---------------------- INTRODUCTION D'UNE NOUVELLE FONCTION ---------------------- */ + + +/* Initialise la classe des affichages de messages. */ +static void g_scan_console_log_function_class_init(GScanConsoleLogFunctionClass *); + +/* Initialise une instance d'affichage de message. */ +static void g_scan_console_log_function_init(GScanConsoleLogFunction *); + +/* Supprime toutes les références externes. */ +static void g_scan_console_log_function_dispose(GScanConsoleLogFunction *); + +/* Procède à la libération totale de la mémoire. */ +static void g_scan_console_log_function_finalize(GScanConsoleLogFunction *); + + + +/* --------------------- IMPLEMENTATION DES FONCTIONS DE CLASSE --------------------- */ + + +/* Indique le nom associé à une expression d'évaluation. */ +static char *g_scan_console_log_function_get_name(const GScanConsoleLogFunction *); + +/* Réduit une expression à une forme plus simple. */ +static bool g_scan_console_log_function_run_call(GScanConsoleLogFunction *, GScanExpression **, size_t, GScanContext *, GScanScope *, GObject **); + + + +/* ---------------------------------------------------------------------------------- */ +/* INTRODUCTION D'UNE NOUVELLE FONCTION */ +/* ---------------------------------------------------------------------------------- */ + + +/* Indique le type défini pour un afficheur de messages arbitraires. */ +G_DEFINE_TYPE(GScanConsoleLogFunction, g_scan_console_log_function, G_TYPE_REGISTERED_ITEM); + + +/****************************************************************************** +* * +* Paramètres : klass = classe à initialiser. * +* * +* Description : Initialise la classe des affichages de messages. * +* * +* Retour : - * +* * +* Remarques : - * +* * +******************************************************************************/ + +static void g_scan_console_log_function_class_init(GScanConsoleLogFunctionClass *klass) +{ + GObjectClass *object; /* Autre version de la classe */ + GRegisteredItemClass *registered; /* Version de classe parente */ + + object = G_OBJECT_CLASS(klass); + + object->dispose = (GObjectFinalizeFunc/* ! */)g_scan_console_log_function_dispose; + object->finalize = (GObjectFinalizeFunc)g_scan_console_log_function_finalize; + + registered = G_REGISTERED_ITEM_CLASS(klass); + + registered->get_name = (get_registered_item_name_fc)g_scan_console_log_function_get_name; + registered->run_call = (run_registered_item_call_fc)g_scan_console_log_function_run_call; + +} + + +/****************************************************************************** +* * +* Paramètres : func = instance à initialiser. * +* * +* Description : Initialise une instance d'affichage de message. * +* * +* Retour : - * +* * +* Remarques : - * +* * +******************************************************************************/ + +static void g_scan_console_log_function_init(GScanConsoleLogFunction *func) +{ + +} + + +/****************************************************************************** +* * +* Paramètres : func = instance d'objet GLib à traiter. * +* * +* Description : Supprime toutes les références externes. * +* * +* Retour : - * +* * +* Remarques : - * +* * +******************************************************************************/ + +static void g_scan_console_log_function_dispose(GScanConsoleLogFunction *func) +{ + G_OBJECT_CLASS(g_scan_console_log_function_parent_class)->dispose(G_OBJECT(func)); + +} + + +/****************************************************************************** +* * +* Paramètres : func = instance d'objet GLib à traiter. * +* * +* Description : Procède à la libération totale de la mémoire. * +* * +* Retour : - * +* * +* Remarques : - * +* * +******************************************************************************/ + +static void g_scan_console_log_function_finalize(GScanConsoleLogFunction *func) +{ + G_OBJECT_CLASS(g_scan_console_log_function_parent_class)->finalize(G_OBJECT(func)); + +} + + +/****************************************************************************** +* * +* Paramètres : - * +* * +* Description : Constitue une fonction d'affichage de messages quelconques. * +* * +* Retour : Fonction mise en place. * +* * +* Remarques : - * +* * +******************************************************************************/ + +GScanConsoleLogFunction *g_scan_console_log_function_new(void) +{ + GScanConsoleLogFunction *result; /* Structure à retourner */ + + result = g_object_new(G_TYPE_SCAN_CONSOLE_LOG_FUNCTION, NULL); + + return result; + +} + + + +/* ---------------------------------------------------------------------------------- */ +/* IMPLEMENTATION DES FONCTIONS DE CLASSE */ +/* ---------------------------------------------------------------------------------- */ + + +/****************************************************************************** +* * +* Paramètres : item = élément d'appel à consulter. * +* * +* Description : Indique le nom associé à une expression d'évaluation. * +* * +* Retour : Désignation humaine de l'expression d'évaluation. * +* * +* Remarques : - * +* * +******************************************************************************/ + +static char *g_scan_console_log_function_get_name(const GScanConsoleLogFunction *item) +{ + char *result; /* Désignation à retourner */ + + result = strdup("log"); + + return result; + +} + + +/****************************************************************************** +* * +* Paramètres : item = élément d'appel à consulter. * +* args = liste d'éventuels arguments fournis. * +* count = taille de cette liste. * +* ctx = contexte de suivi de l'analyse courante. * +* scope = portée courante des variables locales. * +* out = zone d'enregistrement de la résolution opérée. [OUT] * +* * +* Description : Réduit une expression à une forme plus simple. * +* * +* Retour : Réduction correspondante, expression déjà réduite, ou NULL. * +* * +* Remarques : - * +* * +******************************************************************************/ + +static bool g_scan_console_log_function_run_call(GScanConsoleLogFunction *item, GScanExpression **args, size_t count, GScanContext *ctx, GScanScope *scope, GObject **out) +{ + bool result; /* Bilan à retourner */ + size_t i; /* Boucle de parcours #1 */ + LiteralValueType vtype; /* Type de valeur portée */ + GScanLiteralExpression *literal; /* Version plus accessible */ + bool boolean; /* Valeur booléenne */ + long long sinteger; /* Valeur entière signée */ + unsigned long long uinteger; /* Valeur entière non signée */ + const sized_string_t *string; /* Description du chaîne */ + size_t k; /* Boucle de parcours #2 */ + + result = true; + + if (count == 0) + goto done; + + for (i = 0; i < count && result; i++) + result = G_IS_SCAN_LITERAL_EXPRESSION(args[i]); + + if (!result) + goto done; + + for (i = 0; i < count; i++) + { + literal = G_SCAN_LITERAL_EXPRESSION(args[i]); + + vtype = g_scan_literal_expression_get_value_type(literal); + + switch (vtype) + { + case LVT_BOOLEAN: + result = g_scan_literal_expression_get_boolean_value(literal, &boolean); + if (result) + fprintf(stderr, "%s", boolean ? "true" : "false"); + break; + + case LVT_SIGNED_INTEGER: + result = g_scan_literal_expression_get_signed_integer_value(literal, &sinteger); + if (result) + fprintf(stderr, "0x%llx", sinteger); + break; + + case LVT_UNSIGNED_INTEGER: + result = g_scan_literal_expression_get_unsigned_integer_value(literal, &uinteger); + if (result) + fprintf(stderr, "0x%llx", uinteger); + break; + + case LVT_STRING: + result = g_scan_literal_expression_get_string_value(literal, &string); + for (k = 0; k < string->len; k++) + { + if (isprint(string->data[k])) + fprintf(stderr, "%c", string->data[k]); + else + fprintf(stderr, "\\x%02hhx", string->data[k]); + } + break; + + default: + break; + + } + + } + + fprintf(stderr, "\n"); + + done: + + if (result) + *out = G_OBJECT(g_scan_literal_expression_new(LVT_BOOLEAN, (bool []){ result })); + + return result; + +} diff --git a/src/analysis/scan/items/console/log.h b/src/analysis/scan/items/console/log.h new file mode 100644 index 0000000..3e72ad8 --- /dev/null +++ b/src/analysis/scan/items/console/log.h @@ -0,0 +1,58 @@ + +/* Chrysalide - Outil d'analyse de fichiers binaires + * log.h - prototypes pour l'affichage de message à partir des conditions d'une règle + * + * Copyright (C) 2023 Cyrille Bagard + * + * This file is part of Chrysalide. + * + * Chrysalide is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * Chrysalide is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with Foobar. If not, see <http://www.gnu.org/licenses/>. + */ + + +#ifndef _ANALYSIS_SCAN_ITEMS_CONSOLE_LOG_H +#define _ANALYSIS_SCAN_ITEMS_CONSOLE_LOG_H + + +#include <glib-object.h> + + +#include "../../item.h" + + + +#define G_TYPE_SCAN_CONSOLE_LOG_FUNCTION g_scan_console_log_function_get_type() +#define G_SCAN_CONSOLE_LOG_FUNCTION(obj) (G_TYPE_CHECK_INSTANCE_CAST((obj), G_TYPE_SCAN_CONSOLE_LOG_FUNCTION, GScanConsoleLogFunction)) +#define G_IS_SCAN_CONSOLE_LOG_FUNCTION(obj) (G_TYPE_CHECK_INSTANCE_TYPE((obj), G_TYPE_SCAN_CONSOLE_LOG_FUNCTION)) +#define G_SCAN_CONSOLE_LOG_FUNCTION_CLASS(klass) (G_TYPE_CHECK_CLASS_CAST((klass), G_TYPE_SCAN_CONSOLE_LOG_FUNCTION, GScanConsoleLogFunctionClass)) +#define G_IS_SCAN_CONSOLE_LOG_FUNCTION_CLASS(klass) (G_TYPE_CHECK_CLASS_TYPE((klass), G_TYPE_SCAN_CONSOLE_LOG_FUNCTION)) +#define G_SCAN_CONSOLE_LOG_FUNCTION_GET_CLASS(obj) (G_TYPE_INSTANCE_GET_CLASS((obj), G_TYPE_SCAN_CONSOLE_LOG_FUNCTION, GScanConsoleLogFunctionClass)) + + +/* Mesure de la quantité de données scannées (instance) */ +typedef GRegisteredItem GScanConsoleLogFunction; + +/* Mesure de la quantité de données scannées (classe) */ +typedef GRegisteredItemClass GScanConsoleLogFunctionClass; + + +/* Indique le type défini pour un afficheur de messages arbitraires. */ +GType g_scan_console_log_function_get_type(void); + +/* Constitue une fonction d'affichage de messages quelconques. */ +GScanConsoleLogFunction *g_scan_console_log_function_new(void); + + + +#endif /* _ANALYSIS_SCAN_ITEMS_CONSOLE_LOG_H */ diff --git a/src/analysis/scan/items/count.c b/src/analysis/scan/items/count.c new file mode 100644 index 0000000..d87d33b --- /dev/null +++ b/src/analysis/scan/items/count.c @@ -0,0 +1,244 @@ + +/* Chrysalide - Outil d'analyse de fichiers binaires + * count.c - récupération de la taille du contenu scanné + * + * Copyright (C) 2023 Cyrille Bagard + * + * This file is part of Chrysalide. + * + * Chrysalide is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * Chrysalide is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with Foobar. If not, see <http://www.gnu.org/licenses/>. + */ + + +#include "count.h" + + +#include "../item-int.h" +#include "../exprs/arithmetic.h" +#include "../exprs/literal.h" + + + +/* ---------------------- INTRODUCTION D'UNE NOUVELLE FONCTION ---------------------- */ + + +/* Initialise la classe des décomptes d'ensemble homogène. */ +static void g_scan_count_function_class_init(GScanCountFunctionClass *); + +/* Initialise une instance de décompte d'ensemble homogène. */ +static void g_scan_count_function_init(GScanCountFunction *); + +/* Supprime toutes les références externes. */ +static void g_scan_count_function_dispose(GScanCountFunction *); + +/* Procède à la libération totale de la mémoire. */ +static void g_scan_count_function_finalize(GScanCountFunction *); + + + +/* --------------------- IMPLEMENTATION DES FONCTIONS DE CLASSE --------------------- */ + + +/* Indique le nom associé à une expression d'évaluation. */ +static char *g_scan_count_function_get_name(const GScanCountFunction *); + +/* Réduit une expression à une forme plus simple. */ +static bool g_scan_count_function_run_call(GScanCountFunction *, GScanExpression **, size_t, GScanContext *, GScanScope *, GObject **); + + + +/* ---------------------------------------------------------------------------------- */ +/* INTRODUCTION D'UNE NOUVELLE FONCTION */ +/* ---------------------------------------------------------------------------------- */ + + +/* Indique le type défini pour un décompte d'ensemble. */ +G_DEFINE_TYPE(GScanCountFunction, g_scan_count_function, G_TYPE_REGISTERED_ITEM); + + +/****************************************************************************** +* * +* Paramètres : klass = classe à initialiser. * +* * +* Description : Initialise la classe des décomptes d'ensemble homogène. * +* * +* Retour : - * +* * +* Remarques : - * +* * +******************************************************************************/ + +static void g_scan_count_function_class_init(GScanCountFunctionClass *klass) +{ + GObjectClass *object; /* Autre version de la classe */ + GRegisteredItemClass *registered; /* Version de classe parente */ + + object = G_OBJECT_CLASS(klass); + + object->dispose = (GObjectFinalizeFunc/* ! */)g_scan_count_function_dispose; + object->finalize = (GObjectFinalizeFunc)g_scan_count_function_finalize; + + registered = G_REGISTERED_ITEM_CLASS(klass); + + registered->get_name = (get_registered_item_name_fc)g_scan_count_function_get_name; + registered->run_call = (run_registered_item_call_fc)g_scan_count_function_run_call; + +} + + +/****************************************************************************** +* * +* Paramètres : func = instance à initialiser. * +* * +* Description : Initialise une instance de décompte d'ensemble homogène. * +* * +* Retour : - * +* * +* Remarques : - * +* * +******************************************************************************/ + +static void g_scan_count_function_init(GScanCountFunction *func) +{ + +} + + +/****************************************************************************** +* * +* Paramètres : func = instance d'objet GLib à traiter. * +* * +* Description : Supprime toutes les références externes. * +* * +* Retour : - * +* * +* Remarques : - * +* * +******************************************************************************/ + +static void g_scan_count_function_dispose(GScanCountFunction *func) +{ + G_OBJECT_CLASS(g_scan_count_function_parent_class)->dispose(G_OBJECT(func)); + +} + + +/****************************************************************************** +* * +* Paramètres : func = instance d'objet GLib à traiter. * +* * +* Description : Procède à la libération totale de la mémoire. * +* * +* Retour : - * +* * +* Remarques : - * +* * +******************************************************************************/ + +static void g_scan_count_function_finalize(GScanCountFunction *func) +{ + G_OBJECT_CLASS(g_scan_count_function_parent_class)->finalize(G_OBJECT(func)); + +} + + +/****************************************************************************** +* * +* Paramètres : - * +* * +* Description : Constitue une fonction de décompte d'éléments d'un ensemble. * +* * +* Retour : Fonction mise en place. * +* * +* Remarques : - * +* * +******************************************************************************/ + +GRegisteredItem *g_scan_count_function_new(void) +{ + GScanCountFunction *result; /* Structure à retourner */ + + result = g_object_new(G_TYPE_SCAN_COUNT_FUNCTION, NULL); + + return result; + +} + + + +/* ---------------------------------------------------------------------------------- */ +/* IMPLEMENTATION DES FONCTIONS DE CLASSE */ +/* ---------------------------------------------------------------------------------- */ + + +/****************************************************************************** +* * +* Paramètres : item = élément d'appel à consulter. * +* * +* Description : Indique le nom associé à une expression d'évaluation. * +* * +* Retour : Désignation humaine de l'expression d'évaluation. * +* * +* Remarques : - * +* * +******************************************************************************/ + +static char *g_scan_count_function_get_name(const GScanCountFunction *item) +{ + char *result; /* Désignation à retourner */ + + result = strdup("count"); + + return result; + +} + + +/****************************************************************************** +* * +* Paramètres : item = élément d'appel à consulter. * +* args = liste d'éventuels arguments fournis. * +* count = taille de cette liste. * +* ctx = contexte de suivi de l'analyse courante. * +* scope = portée courante des variables locales. * +* out = zone d'enregistrement de la résolution opérée. [OUT] * +* * +* Description : Réduit une expression à une forme plus simple. * +* * +* Retour : Réduction correspondante, expression déjà réduite, ou NULL. * +* * +* Remarques : - * +* * +******************************************************************************/ + +static bool g_scan_count_function_run_call(GScanCountFunction *item, GScanExpression **args, size_t count, GScanContext *ctx, GScanScope *scope, GObject **out) +{ + bool result; /* Bilan à retourner */ + size_t value; /* Nouveau décompte */ + + if (count != 1) + result = false; + + else + { + result = g_scan_expression_count_items(args[0], &value); + + if (result) + *out = G_OBJECT(g_scan_literal_expression_new(LVT_UNSIGNED_INTEGER, (unsigned long long []){ value })); + + } + + return result; + +} diff --git a/src/analysis/scan/items/count.h b/src/analysis/scan/items/count.h new file mode 100644 index 0000000..2429e40 --- /dev/null +++ b/src/analysis/scan/items/count.h @@ -0,0 +1,58 @@ + +/* Chrysalide - Outil d'analyse de fichiers binaires + * count.h - prototypes pour la récupération de la taille du contenu scanné + * + * Copyright (C) 2023 Cyrille Bagard + * + * This file is part of Chrysalide. + * + * Chrysalide is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * Chrysalide is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with Foobar. If not, see <http://www.gnu.org/licenses/>. + */ + + +#ifndef _ANALYSIS_SCAN_ITEMS_COUNT_H +#define _ANALYSIS_SCAN_ITEMS_COUNT_H + + +#include <glib-object.h> + + +#include "../item.h" + + + +#define G_TYPE_SCAN_COUNT_FUNCTION g_scan_count_function_get_type() +#define G_SCAN_COUNT_FUNCTION(obj) (G_TYPE_CHECK_INSTANCE_CAST((obj), G_TYPE_SCAN_COUNT_FUNCTION, GScanCountFunction)) +#define G_IS_SCAN_COUNT_FUNCTION(obj) (G_TYPE_CHECK_INSTANCE_TYPE((obj), G_TYPE_SCAN_COUNT_FUNCTION)) +#define G_SCAN_COUNT_FUNCTION_CLASS(klass) (G_TYPE_CHECK_CLASS_CAST((klass), G_TYPE_SCAN_COUNT_FUNCTION, GScanCountFunctionClass)) +#define G_IS_SCAN_COUNT_FUNCTION_CLASS(klass) (G_TYPE_CHECK_CLASS_TYPE((klass), G_TYPE_SCAN_COUNT_FUNCTION)) +#define G_SCAN_COUNT_FUNCTION_GET_CLASS(obj) (G_TYPE_INSTANCE_GET_CLASS((obj), G_TYPE_SCAN_COUNT_FUNCTION, GScanCountFunctionClass)) + + +/* Mesure de la quantité de données scannées (instance) */ +typedef GRegisteredItem GScanCountFunction; + +/* Mesure de la quantité de données scannées (classe) */ +typedef GRegisteredItemClass GScanCountFunctionClass; + + +/* Indique le type défini pour un décompte d'ensemble. */ +GType g_scan_count_function_get_type(void); + +/* Constitue une fonction de décompte d'éléments d'un ensemble. */ +GRegisteredItem *g_scan_count_function_new(void); + + + +#endif /* _ANALYSIS_SCAN_ITEMS_COUNT_H */ diff --git a/src/analysis/scan/items/datasize.c b/src/analysis/scan/items/datasize.c index 618d0c3..55e2d3b 100644 --- a/src/analysis/scan/items/datasize.c +++ b/src/analysis/scan/items/datasize.c @@ -2,7 +2,7 @@ /* Chrysalide - Outil d'analyse de fichiers binaires * datasize.c - récupération de la taille du contenu scanné * - * Copyright (C) 2022 Cyrille Bagard + * Copyright (C) 2023 Cyrille Bagard * * This file is part of Chrysalide. * @@ -33,16 +33,16 @@ /* Initialise la classe des mesures de quantité de données. */ -static void g_datasize_function_class_init(GDatasizeFunctionClass *); +static void g_scan_datasize_function_class_init(GScanDatasizeFunctionClass *); /* Initialise une instance de mesure de quantité de données. */ -static void g_datasize_function_init(GDatasizeFunction *); +static void g_scan_datasize_function_init(GScanDatasizeFunction *); /* Supprime toutes les références externes. */ -static void g_datasize_function_dispose(GDatasizeFunction *); +static void g_scan_datasize_function_dispose(GScanDatasizeFunction *); /* Procède à la libération totale de la mémoire. */ -static void g_datasize_function_finalize(GDatasizeFunction *); +static void g_scan_datasize_function_finalize(GScanDatasizeFunction *); @@ -50,13 +50,13 @@ static void g_datasize_function_finalize(GDatasizeFunction *); /* Indique le nom associé à une expression d'évaluation. */ -static char *g_datasize_function_get_name(const GDatasizeFunction *); +static char *g_scan_datasize_function_get_name(const GScanDatasizeFunction *); /* Réduit une expression à une forme plus simple. */ -static bool g_datasize_function_reduce(GDatasizeFunction *, GScanContext *, GScanScope *, GScanExpression **); +static bool g_scan_datasize_function_reduce(GScanDatasizeFunction *, GScanContext *, GScanScope *, GScanExpression **); /* Réduit une expression à une forme plus simple. */ -static bool g_datasize_function_run_call(GDatasizeFunction *, GScanExpression **, size_t, GScanContext *, GScanScope *, GObject **); +static bool g_scan_datasize_function_run_call(GScanDatasizeFunction *, GScanExpression **, size_t, GScanContext *, GScanScope *, GObject **); @@ -66,7 +66,7 @@ static bool g_datasize_function_run_call(GDatasizeFunction *, GScanExpression ** /* Indique le type défini pour une mesure de quantité de données scannées. */ -G_DEFINE_TYPE(GDatasizeFunction, g_datasize_function, G_TYPE_REGISTERED_ITEM); +G_DEFINE_TYPE(GScanDatasizeFunction, g_scan_datasize_function, G_TYPE_REGISTERED_ITEM); /****************************************************************************** @@ -81,21 +81,21 @@ G_DEFINE_TYPE(GDatasizeFunction, g_datasize_function, G_TYPE_REGISTERED_ITEM); * * ******************************************************************************/ -static void g_datasize_function_class_init(GDatasizeFunctionClass *klass) +static void g_scan_datasize_function_class_init(GScanDatasizeFunctionClass *klass) { GObjectClass *object; /* Autre version de la classe */ GRegisteredItemClass *registered; /* Version de classe parente */ object = G_OBJECT_CLASS(klass); - object->dispose = (GObjectFinalizeFunc/* ! */)g_datasize_function_dispose; - object->finalize = (GObjectFinalizeFunc)g_datasize_function_finalize; + object->dispose = (GObjectFinalizeFunc/* ! */)g_scan_datasize_function_dispose; + object->finalize = (GObjectFinalizeFunc)g_scan_datasize_function_finalize; registered = G_REGISTERED_ITEM_CLASS(klass); - registered->get_name = (get_registered_item_name_fc)g_datasize_function_get_name; - registered->reduce = (reduce_registered_item_fc)g_datasize_function_reduce; - registered->run_call = (run_registered_item_call_fc)g_datasize_function_run_call; + registered->get_name = (get_registered_item_name_fc)g_scan_datasize_function_get_name; + registered->reduce = (reduce_registered_item_fc)g_scan_datasize_function_reduce; + registered->run_call = (run_registered_item_call_fc)g_scan_datasize_function_run_call; } @@ -112,7 +112,7 @@ static void g_datasize_function_class_init(GDatasizeFunctionClass *klass) * * ******************************************************************************/ -static void g_datasize_function_init(GDatasizeFunction *func) +static void g_scan_datasize_function_init(GScanDatasizeFunction *func) { } @@ -130,9 +130,9 @@ static void g_datasize_function_init(GDatasizeFunction *func) * * ******************************************************************************/ -static void g_datasize_function_dispose(GDatasizeFunction *func) +static void g_scan_datasize_function_dispose(GScanDatasizeFunction *func) { - G_OBJECT_CLASS(g_datasize_function_parent_class)->dispose(G_OBJECT(func)); + G_OBJECT_CLASS(g_scan_datasize_function_parent_class)->dispose(G_OBJECT(func)); } @@ -149,9 +149,9 @@ static void g_datasize_function_dispose(GDatasizeFunction *func) * * ******************************************************************************/ -static void g_datasize_function_finalize(GDatasizeFunction *func) +static void g_scan_datasize_function_finalize(GScanDatasizeFunction *func) { - G_OBJECT_CLASS(g_datasize_function_parent_class)->finalize(G_OBJECT(func)); + G_OBJECT_CLASS(g_scan_datasize_function_parent_class)->finalize(G_OBJECT(func)); } @@ -168,11 +168,11 @@ static void g_datasize_function_finalize(GDatasizeFunction *func) * * ******************************************************************************/ -GDatasizeFunction *g_datasize_function_new(void) +GRegisteredItem *g_scan_datasize_function_new(void) { - GDatasizeFunction *result; /* Structure à retourner */ + GScanDatasizeFunction *result; /* Structure à retourner */ - result = g_object_new(G_TYPE_DATASIZE_FUNCTION, NULL); + result = g_object_new(G_TYPE_SCAN_DATASIZE_FUNCTION, NULL); return result; @@ -197,7 +197,7 @@ GDatasizeFunction *g_datasize_function_new(void) * * ******************************************************************************/ -static char *g_datasize_function_get_name(const GDatasizeFunction *item) +static char *g_scan_datasize_function_get_name(const GScanDatasizeFunction *item) { char *result; /* Désignation à retourner */ @@ -223,7 +223,7 @@ static char *g_datasize_function_get_name(const GDatasizeFunction *item) * * ******************************************************************************/ -static bool g_datasize_function_reduce(GDatasizeFunction *item, GScanContext *ctx, GScanScope *scope, GScanExpression **out) +static bool g_scan_datasize_function_reduce(GScanDatasizeFunction *item, GScanContext *ctx, GScanScope *scope, GScanExpression **out) { bool result; /* Bilan à retourner */ GBinContent *content; /* Contenu à manipuler */ @@ -235,7 +235,7 @@ static bool g_datasize_function_reduce(GDatasizeFunction *item, GScanContext *ct size = g_binary_content_compute_size(content); - *out = g_literal_expression_new(EVT_INTEGER, (unsigned long long []){ size }); + *out = g_scan_literal_expression_new(LVT_UNSIGNED_INTEGER, (unsigned long long []){ size }); g_object_unref(G_OBJECT(content)); @@ -261,11 +261,11 @@ static bool g_datasize_function_reduce(GDatasizeFunction *item, GScanContext *ct * * ******************************************************************************/ -static bool g_datasize_function_run_call(GDatasizeFunction *item, GScanExpression **args, size_t count, GScanContext *ctx, GScanScope *scope, GObject **out) +static bool g_scan_datasize_function_run_call(GScanDatasizeFunction *item, GScanExpression **args, size_t count, GScanContext *ctx, GScanScope *scope, GObject **out) { bool result; /* Bilan à retourner */ - result = g_datasize_function_reduce(item, ctx, scope, (GScanExpression **)out); + result = g_scan_datasize_function_reduce(item, ctx, scope, (GScanExpression **)out); return result; diff --git a/src/analysis/scan/items/datasize.h b/src/analysis/scan/items/datasize.h index bd8e185..476df2d 100644 --- a/src/analysis/scan/items/datasize.h +++ b/src/analysis/scan/items/datasize.h @@ -2,7 +2,7 @@ /* Chrysalide - Outil d'analyse de fichiers binaires * datasize.h - prototypes pour la récupération de la taille du contenu scanné * - * Copyright (C) 2022 Cyrille Bagard + * Copyright (C) 2023 Cyrille Bagard * * This file is part of Chrysalide. * @@ -32,26 +32,26 @@ -#define G_TYPE_DATASIZE_FUNCTION g_datasize_function_get_type() -#define G_DATASIZE_FUNCTION(obj) (G_TYPE_CHECK_INSTANCE_CAST((obj), G_TYPE_DATASIZE_FUNCTION, GDatasizeFunction)) -#define G_IS_DATASIZE_FUNCTION(obj) (G_TYPE_CHECK_INSTANCE_TYPE((obj), G_TYPE_DATASIZE_FUNCTION)) -#define G_DATASIZE_FUNCTION_CLASS(klass) (G_TYPE_CHECK_CLASS_CAST((klass), G_TYPE_DATASIZE_FUNCTION, GDatasizeFunctionClass)) -#define G_IS_DATASIZE_FUNCTION_CLASS(klass) (G_TYPE_CHECK_CLASS_TYPE((klass), G_TYPE_DATASIZE_FUNCTION)) -#define G_DATASIZE_FUNCTION_GET_CLASS(obj) (G_TYPE_INSTANCE_GET_CLASS((obj), G_TYPE_DATASIZE_FUNCTION, GDatasizeFunctionClass)) +#define G_TYPE_SCAN_DATASIZE_FUNCTION g_scan_datasize_function_get_type() +#define G_SCAN_DATASIZE_FUNCTION(obj) (G_TYPE_CHECK_INSTANCE_CAST((obj), G_TYPE_SCAN_DATASIZE_FUNCTION, GScanDatasizeFunction)) +#define G_IS_SCAN_DATASIZE_FUNCTION(obj) (G_TYPE_CHECK_INSTANCE_TYPE((obj), G_TYPE_SCAN_DATASIZE_FUNCTION)) +#define G_SCAN_DATASIZE_FUNCTION_CLASS(klass) (G_TYPE_CHECK_CLASS_CAST((klass), G_TYPE_SCAN_DATASIZE_FUNCTION, GScanDatasizeFunctionClass)) +#define G_IS_SCAN_DATASIZE_FUNCTION_CLASS(klass) (G_TYPE_CHECK_CLASS_TYPE((klass), G_TYPE_SCAN_DATASIZE_FUNCTION)) +#define G_SCAN_DATASIZE_FUNCTION_GET_CLASS(obj) (G_TYPE_INSTANCE_GET_CLASS((obj), G_TYPE_SCAN_DATASIZE_FUNCTION, GScanDatasizeFunctionClass)) /* Mesure de la quantité de données scannées (instance) */ -typedef GRegisteredItem GDatasizeFunction; +typedef GRegisteredItem GScanDatasizeFunction; /* Mesure de la quantité de données scannées (classe) */ -typedef GRegisteredItemClass GDatasizeFunctionClass; +typedef GRegisteredItemClass GScanDatasizeFunctionClass; /* Indique le type défini pour une mesure de quantité de données scannées. */ -GType g_datasize_function_get_type(void); +GType g_scan_datasize_function_get_type(void); /* Constitue une fonction de récupération de taille de données. */ -GDatasizeFunction *g_datasize_function_new(void); +GRegisteredItem *g_scan_datasize_function_new(void); diff --git a/src/analysis/scan/items/magic/Makefile.am b/src/analysis/scan/items/magic/Makefile.am new file mode 100644 index 0000000..1d741ff --- /dev/null +++ b/src/analysis/scan/items/magic/Makefile.am @@ -0,0 +1,16 @@ + +noinst_LTLIBRARIES = libanalysisscanitemsmagic.la + + +libanalysisscanitemsmagic_la_SOURCES = \ + cookie.h cookie.c \ + mime-encoding.h mime-encoding.c \ + mime-type.h mime-type.c \ + type.h type.c + +libanalysisscanitemsmagic_la_CFLAGS = $(LIBGOBJ_CFLAGS) $(LIBMAGIC_CFLAGS) + + +devdir = $(includedir)/chrysalide/$(subdir:src/%=core/%) + +dev_HEADERS = $(libanalysisscanitemsmagic_la_SOURCES:%c=) diff --git a/src/analysis/scan/items/magic/cookie.c b/src/analysis/scan/items/magic/cookie.c new file mode 100644 index 0000000..41f26a0 --- /dev/null +++ b/src/analysis/scan/items/magic/cookie.c @@ -0,0 +1,122 @@ + +/* Chrysalide - Outil d'analyse de fichiers binaires + * cookie.c - chargement des motifs de reconnaissance de contenus + * + * Copyright (C) 2023 Cyrille Bagard + * + * This file is part of Chrysalide. + * + * Chrysalide is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * Chrysalide is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with Foobar. If not, see <http://www.gnu.org/licenses/>. + */ + + +#include "cookie.h" + + +#include <assert.h> + + +#include <i18n.h> + + +#include "../../../../core/logs.h" + + + +/* Référence des bibliothèques de reconnaissance */ +static magic_t __magic_cookie = 0; + + + +/****************************************************************************** +* * +* Paramètres : - * +* * +* Description : Charge les motifs de reconnaissance de contenus. * +* * +* Retour : Bilan de l'opération de chargemement. * +* * +* Remarques : - * +* * +******************************************************************************/ + +bool init_magic_cookie(void) +{ + bool result; /* Bilan à retourner */ + int ret; /* Bilan d'une opération */ + + __magic_cookie = magic_open(0); + + ret = magic_load(__magic_cookie, NULL); + result = (ret != -1); + + if (!result) + log_variadic_message(LMT_EXT_ERROR, _("cannot load magic database: %s"), magic_error(__magic_cookie)); + + return result; + +} + + +/****************************************************************************** +* * +* Paramètres : - * +* * +* Description : Décharge les motifs de reconnaissance de contenus. * +* * +* Retour : - * +* * +* Remarques : - * +* * +******************************************************************************/ + +void exit_magic_cookie(void) +{ + magic_close(__magic_cookie); + +} + + +/****************************************************************************** +* * +* Paramètres : flags = forme de reconnaissance à préparer. * +* * +* Description : Fournit la référence aux mécanismes de reconnaissance. * +* * +* Retour : Cookie prêt à emploi. * +* * +* Remarques : - * +* * +******************************************************************************/ + +magic_t get_magic_cookie(int flags) +{ + magic_t result; /* Référence à retourner */ +#ifndef NDEBUG + int ret; /* Bilan de la préparation */ +#endif + + result = __magic_cookie; + assert(result != 0); + +#ifndef NDEBUG + ret = magic_setflags(result, flags); + assert(ret != -1); +#else + magic_setflags(result, flags); +#endif + + return result; + +} diff --git a/src/analysis/scan/items/magic/cookie.h b/src/analysis/scan/items/magic/cookie.h new file mode 100644 index 0000000..0ee2274 --- /dev/null +++ b/src/analysis/scan/items/magic/cookie.h @@ -0,0 +1,44 @@ + +/* Chrysalide - Outil d'analyse de fichiers binaires + * cookie.h - prototypes pour le chargement des motifs de reconnaissance de contenus + * + * Copyright (C) 2023 Cyrille Bagard + * + * This file is part of Chrysalide. + * + * Chrysalide is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * Chrysalide is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with Foobar. If not, see <http://www.gnu.org/licenses/>. + */ + + +#ifndef _ANALYSIS_SCAN_ITEMS_MAGIC_COOKIE_H +#define _ANALYSIS_SCAN_ITEMS_MAGIC_COOKIE_H + + +#include <magic.h> +#include <stdbool.h> + + + +/* Charge les motifs de reconnaissance de contenus. */ +bool init_magic_cookie(void); + +/* Décharge les motifs de reconnaissance de contenus. */ +void exit_magic_cookie(void); + +/* Fournit la référence aux mécanismes de reconnaissance. */ +magic_t get_magic_cookie(int); + + + +#endif /* _ANALYSIS_SCAN_ITEMS_MAGIC_COOKIE_H */ diff --git a/src/analysis/scan/items/magic/mime-encoding.c b/src/analysis/scan/items/magic/mime-encoding.c new file mode 100644 index 0000000..935515d --- /dev/null +++ b/src/analysis/scan/items/magic/mime-encoding.c @@ -0,0 +1,270 @@ + +/* Chrysalide - Outil d'analyse de fichiers binaires + * mime-encoding.c - reconnaissance de l'encodage d'un contenu + * + * Copyright (C) 2023 Cyrille Bagard + * + * This file is part of Chrysalide. + * + * Chrysalide is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * Chrysalide is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with Foobar. If not, see <http://www.gnu.org/licenses/>. + */ + + +#include "mime-encoding.h" + + +#include "cookie.h" +#include "../../item-int.h" +#include "../../exprs/literal.h" + + + +/* ---------------------- INTRODUCTION D'UNE NOUVELLE FONCTION ---------------------- */ + + +/* Initialise la classe des reconnaissances de contenus. */ +static void g_scan_mime_encoding_function_class_init(GScanMimeEncodingFunctionClass *); + +/* Initialise une instance de reconnaissance de contenus. */ +static void g_scan_mime_encoding_function_init(GScanMimeEncodingFunction *); + +/* Supprime toutes les références externes. */ +static void g_scan_mime_encoding_function_dispose(GScanMimeEncodingFunction *); + +/* Procède à la libération totale de la mémoire. */ +static void g_scan_mime_encoding_function_finalize(GScanMimeEncodingFunction *); + + + +/* --------------------- IMPLEMENTATION DES FONCTIONS DE CLASSE --------------------- */ + + +/* Indique le nom associé à une expression d'évaluation. */ +static char *g_scan_mime_encoding_function_get_name(const GScanMimeEncodingFunction *); + +/* Réduit une expression à une forme plus simple. */ +static bool g_scan_mime_encoding_function_run_call(GScanMimeEncodingFunction *, GScanExpression **, size_t, GScanContext *, GScanScope *, GObject **); + + + +/* ---------------------------------------------------------------------------------- */ +/* INTRODUCTION D'UNE NOUVELLE FONCTION */ +/* ---------------------------------------------------------------------------------- */ + + +/* Indique le type défini pour une reconnaissance d'encodages de contenus. */ +G_DEFINE_TYPE(GScanMimeEncodingFunction, g_scan_mime_encoding_function, G_TYPE_REGISTERED_ITEM); + + +/****************************************************************************** +* * +* Paramètres : klass = classe à initialiser. * +* * +* Description : Initialise la classe des reconnaissances de contenus. * +* * +* Retour : - * +* * +* Remarques : - * +* * +******************************************************************************/ + +static void g_scan_mime_encoding_function_class_init(GScanMimeEncodingFunctionClass *klass) +{ + GObjectClass *object; /* Autre version de la classe */ + GRegisteredItemClass *registered; /* Version de classe parente */ + + object = G_OBJECT_CLASS(klass); + + object->dispose = (GObjectFinalizeFunc/* ! */)g_scan_mime_encoding_function_dispose; + object->finalize = (GObjectFinalizeFunc)g_scan_mime_encoding_function_finalize; + + registered = G_REGISTERED_ITEM_CLASS(klass); + + registered->get_name = (get_registered_item_name_fc)g_scan_mime_encoding_function_get_name; + registered->run_call = (run_registered_item_call_fc)g_scan_mime_encoding_function_run_call; + +} + + +/****************************************************************************** +* * +* Paramètres : func = instance à initialiser. * +* * +* Description : Initialise une instance de reconnaissance de contenus. * +* * +* Retour : - * +* * +* Remarques : - * +* * +******************************************************************************/ + +static void g_scan_mime_encoding_function_init(GScanMimeEncodingFunction *func) +{ + +} + + +/****************************************************************************** +* * +* Paramètres : func = instance d'objet GLib à traiter. * +* * +* Description : Supprime toutes les références externes. * +* * +* Retour : - * +* * +* Remarques : - * +* * +******************************************************************************/ + +static void g_scan_mime_encoding_function_dispose(GScanMimeEncodingFunction *func) +{ + G_OBJECT_CLASS(g_scan_mime_encoding_function_parent_class)->dispose(G_OBJECT(func)); + +} + + +/****************************************************************************** +* * +* Paramètres : func = instance d'objet GLib à traiter. * +* * +* Description : Procède à la libération totale de la mémoire. * +* * +* Retour : - * +* * +* Remarques : - * +* * +******************************************************************************/ + +static void g_scan_mime_encoding_function_finalize(GScanMimeEncodingFunction *func) +{ + G_OBJECT_CLASS(g_scan_mime_encoding_function_parent_class)->finalize(G_OBJECT(func)); + +} + + +/****************************************************************************** +* * +* Paramètres : - * +* * +* Description : Constitue une fonction de cernement d'encodages de contenus. * +* * +* Retour : Fonction mise en place. * +* * +* Remarques : - * +* * +******************************************************************************/ + +GRegisteredItem *g_scan_mime_encoding_function_new(void) +{ + GRegisteredItem *result; /* Structure à retourner */ + + result = g_object_new(G_TYPE_SCAN_MIME_ENCODING_FUNCTION, NULL); + + return result; + +} + + + +/* ---------------------------------------------------------------------------------- */ +/* IMPLEMENTATION DES FONCTIONS DE CLASSE */ +/* ---------------------------------------------------------------------------------- */ + + +/****************************************************************************** +* * +* Paramètres : item = élément d'appel à consulter. * +* * +* Description : Indique le nom associé à une expression d'évaluation. * +* * +* Retour : Désignation humaine de l'expression d'évaluation. * +* * +* Remarques : - * +* * +******************************************************************************/ + +static char *g_scan_mime_encoding_function_get_name(const GScanMimeEncodingFunction *item) +{ + char *result; /* Désignation à retourner */ + + result = strdup("mime_encoding"); + + return result; + +} + + +/****************************************************************************** +* * +* Paramètres : item = élément d'appel à consulter. * +* args = liste d'éventuels arguments fournis. * +* count = taille de cette liste. * +* ctx = contexte de suivi de l'analyse courante. * +* scope = portée courante des variables locales. * +* out = zone d'enregistrement de la résolution opérée. [OUT] * +* * +* Description : Réduit une expression à une forme plus simple. * +* * +* Retour : Réduction correspondante, expression déjà réduite, ou NULL. * +* * +* Remarques : - * +* * +******************************************************************************/ + +static bool g_scan_mime_encoding_function_run_call(GScanMimeEncodingFunction *item, GScanExpression **args, size_t count, GScanContext *ctx, GScanScope *scope, GObject **out) +{ + bool result; /* Bilan à retourner */ + magic_t cookie; /* Référence des bibliothèques */ + GBinContent *content; /* Contenu à manipuler */ + vmpa2t pos; /* Tête de lecture */ + phys_t size; /* Quantité de données dispos. */ + const bin_t *data; /* Accès à des données */ + const char *desc; /* Description du contenu */ + sized_string_t string; /* Description à diffuser */ + + result = (count == 0); + if (!result) goto exit; + + cookie = get_magic_cookie(MAGIC_MIME_ENCODING); + + content = g_scan_context_get_content(ctx); + + g_binary_content_compute_start_pos(content, &pos); + + size = g_binary_content_compute_size(content); + + data = g_binary_content_get_raw_access(content, &pos, size); + + desc = magic_buffer(cookie, data, size); + + if (desc != NULL) + { + string.data = (char *)desc; + string.len = strlen(desc); + } + else + { + string.data = ""; + string.len = 0; + } + + *out = G_OBJECT(g_scan_literal_expression_new(LVT_STRING, &string)); + + g_object_unref(G_OBJECT(content)); + + exit: + + return result; + +} diff --git a/src/analysis/scan/items/magic/mime-encoding.h b/src/analysis/scan/items/magic/mime-encoding.h new file mode 100644 index 0000000..9349d55 --- /dev/null +++ b/src/analysis/scan/items/magic/mime-encoding.h @@ -0,0 +1,58 @@ + +/* Chrysalide - Outil d'analyse de fichiers binaires + * mime-encoding.h - prototypes pour la reconnaissance de l'encodage d'un contenu + * + * Copyright (C) 2023 Cyrille Bagard + * + * This file is part of Chrysalide. + * + * Chrysalide is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * Chrysalide is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with Foobar. If not, see <http://www.gnu.org/licenses/>. + */ + + +#ifndef _ANALYSIS_SCAN_ITEMS_MAGIC_MIME_ENCODING_H +#define _ANALYSIS_SCAN_ITEMS_MAGIC_MIME_ENCODING_H + + +#include <glib-object.h> + + +#include "../../item.h" + + + +#define G_TYPE_SCAN_MIME_ENCODING_FUNCTION g_scan_mime_encoding_function_get_type() +#define G_SCAN_MIME_ENCODING_FUNCTION(obj) (G_TYPE_CHECK_INSTANCE_CAST((obj), G_TYPE_SCAN_MIME_ENCODING_FUNCTION, GScanMimeEncodingFunction)) +#define G_IS_SCAN_MIME_ENCODING_FUNCTION(obj) (G_TYPE_CHECK_INSTANCE_TYPE((obj), G_TYPE_SCAN_MIME_ENCODING_FUNCTION)) +#define G_SCAN_MIME_ENCODING_FUNCTION_CLASS(klass) (G_TYPE_CHECK_CLASS_CAST((klass), G_TYPE_SCAN_MIME_ENCODING_FUNCTION, GScanMimeEncodingFunctionClass)) +#define G_IS_SCAN_MIME_ENCODING_FUNCTION_CLASS(klass) (G_TYPE_CHECK_CLASS_TYPE((klass), G_TYPE_SCAN_MIME_ENCODING_FUNCTION)) +#define G_SCAN_MIME_ENCODING_FUNCTION_GET_CLASS(obj) (G_TYPE_INSTANCE_GET_CLASS((obj), G_TYPE_SCAN_MIME_ENCODING_FUNCTION, GScanMimeEncodingFunctionClass)) + + +/* Reconnaissance d'encodages de contenus (instance) */ +typedef GRegisteredItem GScanMimeEncodingFunction; + +/* Reconnaissance d'encodages de contenus (classe) */ +typedef GRegisteredItemClass GScanMimeEncodingFunctionClass; + + +/* Indique le type défini pour une reconnaissance d'encodages de contenus. */ +GType g_scan_mime_encoding_function_get_type(void); + +/* Constitue une fonction de cernement d'encodages de contenus. */ +GRegisteredItem *g_scan_mime_encoding_function_new(void); + + + +#endif /* _ANALYSIS_SCAN_ITEMS_MAGIC_MIME_ENCODING_H */ diff --git a/src/analysis/scan/items/magic/mime-type.c b/src/analysis/scan/items/magic/mime-type.c new file mode 100644 index 0000000..95e441d --- /dev/null +++ b/src/analysis/scan/items/magic/mime-type.c @@ -0,0 +1,270 @@ + +/* Chrysalide - Outil d'analyse de fichiers binaires + * type.c - reconnaissance du type MIME d'un contenu + * + * Copyright (C) 2023 Cyrille Bagard + * + * This file is part of Chrysalide. + * + * Chrysalide is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * Chrysalide is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with Foobar. If not, see <http://www.gnu.org/licenses/>. + */ + + +#include "mime-type.h" + + +#include "cookie.h" +#include "../../item-int.h" +#include "../../exprs/literal.h" + + + +/* ---------------------- INTRODUCTION D'UNE NOUVELLE FONCTION ---------------------- */ + + +/* Initialise la classe des reconnaissances de contenus. */ +static void g_scan_mime_type_function_class_init(GScanMimeTypeFunctionClass *); + +/* Initialise une instance de reconnaissance de contenus. */ +static void g_scan_mime_type_function_init(GScanMimeTypeFunction *); + +/* Supprime toutes les références externes. */ +static void g_scan_mime_type_function_dispose(GScanMimeTypeFunction *); + +/* Procède à la libération totale de la mémoire. */ +static void g_scan_mime_type_function_finalize(GScanMimeTypeFunction *); + + + +/* --------------------- IMPLEMENTATION DES FONCTIONS DE CLASSE --------------------- */ + + +/* Indique le nom associé à une expression d'évaluation. */ +static char *g_scan_mime_type_function_get_name(const GScanMimeTypeFunction *); + +/* Réduit une expression à une forme plus simple. */ +static bool g_scan_mime_type_function_run_call(GScanMimeTypeFunction *, GScanExpression **, size_t, GScanContext *, GScanScope *, GObject **); + + + +/* ---------------------------------------------------------------------------------- */ +/* INTRODUCTION D'UNE NOUVELLE FONCTION */ +/* ---------------------------------------------------------------------------------- */ + + +/* Indique le type défini pour une reconnaissance de types de contenus. */ +G_DEFINE_TYPE(GScanMimeTypeFunction, g_scan_mime_type_function, G_TYPE_REGISTERED_ITEM); + + +/****************************************************************************** +* * +* Paramètres : klass = classe à initialiser. * +* * +* Description : Initialise la classe des reconnaissances de contenus. * +* * +* Retour : - * +* * +* Remarques : - * +* * +******************************************************************************/ + +static void g_scan_mime_type_function_class_init(GScanMimeTypeFunctionClass *klass) +{ + GObjectClass *object; /* Autre version de la classe */ + GRegisteredItemClass *registered; /* Version de classe parente */ + + object = G_OBJECT_CLASS(klass); + + object->dispose = (GObjectFinalizeFunc/* ! */)g_scan_mime_type_function_dispose; + object->finalize = (GObjectFinalizeFunc)g_scan_mime_type_function_finalize; + + registered = G_REGISTERED_ITEM_CLASS(klass); + + registered->get_name = (get_registered_item_name_fc)g_scan_mime_type_function_get_name; + registered->run_call = (run_registered_item_call_fc)g_scan_mime_type_function_run_call; + +} + + +/****************************************************************************** +* * +* Paramètres : func = instance à initialiser. * +* * +* Description : Initialise une instance de reconnaissance de contenus. * +* * +* Retour : - * +* * +* Remarques : - * +* * +******************************************************************************/ + +static void g_scan_mime_type_function_init(GScanMimeTypeFunction *func) +{ + +} + + +/****************************************************************************** +* * +* Paramètres : func = instance d'objet GLib à traiter. * +* * +* Description : Supprime toutes les références externes. * +* * +* Retour : - * +* * +* Remarques : - * +* * +******************************************************************************/ + +static void g_scan_mime_type_function_dispose(GScanMimeTypeFunction *func) +{ + G_OBJECT_CLASS(g_scan_mime_type_function_parent_class)->dispose(G_OBJECT(func)); + +} + + +/****************************************************************************** +* * +* Paramètres : func = instance d'objet GLib à traiter. * +* * +* Description : Procède à la libération totale de la mémoire. * +* * +* Retour : - * +* * +* Remarques : - * +* * +******************************************************************************/ + +static void g_scan_mime_type_function_finalize(GScanMimeTypeFunction *func) +{ + G_OBJECT_CLASS(g_scan_mime_type_function_parent_class)->finalize(G_OBJECT(func)); + +} + + +/****************************************************************************** +* * +* Paramètres : - * +* * +* Description : Constitue une fonction d'identification de types de contenus.* +* * +* Retour : Fonction mise en place. * +* * +* Remarques : - * +* * +******************************************************************************/ + +GRegisteredItem *g_scan_mime_type_function_new(void) +{ + GRegisteredItem *result; /* Structure à retourner */ + + result = g_object_new(G_TYPE_SCAN_MIME_TYPE_FUNCTION, NULL); + + return result; + +} + + + +/* ---------------------------------------------------------------------------------- */ +/* IMPLEMENTATION DES FONCTIONS DE CLASSE */ +/* ---------------------------------------------------------------------------------- */ + + +/****************************************************************************** +* * +* Paramètres : item = élément d'appel à consulter. * +* * +* Description : Indique le nom associé à une expression d'évaluation. * +* * +* Retour : Désignation humaine de l'expression d'évaluation. * +* * +* Remarques : - * +* * +******************************************************************************/ + +static char *g_scan_mime_type_function_get_name(const GScanMimeTypeFunction *item) +{ + char *result; /* Désignation à retourner */ + + result = strdup("mime_type"); + + return result; + +} + + +/****************************************************************************** +* * +* Paramètres : item = élément d'appel à consulter. * +* args = liste d'éventuels arguments fournis. * +* count = taille de cette liste. * +* ctx = contexte de suivi de l'analyse courante. * +* scope = portée courante des variables locales. * +* out = zone d'enregistrement de la résolution opérée. [OUT] * +* * +* Description : Réduit une expression à une forme plus simple. * +* * +* Retour : Réduction correspondante, expression déjà réduite, ou NULL. * +* * +* Remarques : - * +* * +******************************************************************************/ + +static bool g_scan_mime_type_function_run_call(GScanMimeTypeFunction *item, GScanExpression **args, size_t count, GScanContext *ctx, GScanScope *scope, GObject **out) +{ + bool result; /* Bilan à retourner */ + magic_t cookie; /* Référence des bibliothèques */ + GBinContent *content; /* Contenu à manipuler */ + vmpa2t pos; /* Tête de lecture */ + phys_t size; /* Quantité de données dispos. */ + const bin_t *data; /* Accès à des données */ + const char *desc; /* Description du contenu */ + sized_string_t string; /* Description à diffuser */ + + result = (count == 0); + if (!result) goto exit; + + cookie = get_magic_cookie(MAGIC_MIME_TYPE); + + content = g_scan_context_get_content(ctx); + + g_binary_content_compute_start_pos(content, &pos); + + size = g_binary_content_compute_size(content); + + data = g_binary_content_get_raw_access(content, &pos, size); + + desc = magic_buffer(cookie, data, size); + + if (desc != NULL) + { + string.data = (char *)desc; + string.len = strlen(desc); + } + else + { + string.data = ""; + string.len = 0; + } + + *out = G_OBJECT(g_scan_literal_expression_new(LVT_STRING, &string)); + + g_object_unref(G_OBJECT(content)); + + exit: + + return result; + +} diff --git a/src/analysis/scan/items/magic/mime-type.h b/src/analysis/scan/items/magic/mime-type.h new file mode 100644 index 0000000..e02ce0f --- /dev/null +++ b/src/analysis/scan/items/magic/mime-type.h @@ -0,0 +1,58 @@ + +/* Chrysalide - Outil d'analyse de fichiers binaires + * mime-type.h - prototypes pour la reconnaissance du type MIME d'un contenu + * + * Copyright (C) 2023 Cyrille Bagard + * + * This file is part of Chrysalide. + * + * Chrysalide is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * Chrysalide is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with Foobar. If not, see <http://www.gnu.org/licenses/>. + */ + + +#ifndef _ANALYSIS_SCAN_ITEMS_MAGIC_MIME_TYPE_H +#define _ANALYSIS_SCAN_ITEMS_MAGIC_MIME_TYPE_H + + +#include <glib-object.h> + + +#include "../../item.h" + + + +#define G_TYPE_SCAN_MIME_TYPE_FUNCTION g_scan_mime_type_function_get_type() +#define G_SCAN_MIME_TYPE_FUNCTION(obj) (G_TYPE_CHECK_INSTANCE_CAST((obj), G_TYPE_SCAN_MIME_TYPE_FUNCTION, GScanMimeTypeFunction)) +#define G_IS_SCAN_MIME_TYPE_FUNCTION(obj) (G_TYPE_CHECK_INSTANCE_TYPE((obj), G_TYPE_SCAN_MIME_TYPE_FUNCTION)) +#define G_SCAN_MIME_TYPE_FUNCTION_CLASS(klass) (G_TYPE_CHECK_CLASS_CAST((klass), G_TYPE_SCAN_MIME_TYPE_FUNCTION, GScanMimeTypeFunctionClass)) +#define G_IS_SCAN_MIME_TYPE_FUNCTION_CLASS(klass) (G_TYPE_CHECK_CLASS_TYPE((klass), G_TYPE_SCAN_MIME_TYPE_FUNCTION)) +#define G_SCAN_MIME_TYPE_FUNCTION_GET_CLASS(obj) (G_TYPE_INSTANCE_GET_CLASS((obj), G_TYPE_SCAN_MIME_TYPE_FUNCTION, GScanMimeTypeFunctionClass)) + + +/* Reconnaissance de types de contenus (instance) */ +typedef GRegisteredItem GScanMimeTypeFunction; + +/* Reconnaissance de types de contenus (classe) */ +typedef GRegisteredItemClass GScanMimeTypeFunctionClass; + + +/* Indique le type défini pour une reconnaissance de types de contenus. */ +GType g_scan_mime_type_function_get_type(void); + +/* Constitue une fonction d'identification de types de contenus. */ +GRegisteredItem *g_scan_mime_type_function_new(void); + + + +#endif /* _ANALYSIS_SCAN_ITEMS_MAGIC_MIME_TYPE_H */ diff --git a/src/analysis/scan/items/magic/type.c b/src/analysis/scan/items/magic/type.c new file mode 100644 index 0000000..f87c34a --- /dev/null +++ b/src/analysis/scan/items/magic/type.c @@ -0,0 +1,270 @@ + +/* Chrysalide - Outil d'analyse de fichiers binaires + * type.c - reconnaissance du type d'un contenu + * + * Copyright (C) 2023 Cyrille Bagard + * + * This file is part of Chrysalide. + * + * Chrysalide is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * Chrysalide is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with Foobar. If not, see <http://www.gnu.org/licenses/>. + */ + + +#include "type.h" + + +#include "cookie.h" +#include "../../item-int.h" +#include "../../exprs/literal.h" + + + +/* ---------------------- INTRODUCTION D'UNE NOUVELLE FONCTION ---------------------- */ + + +/* Initialise la classe des reconnaissances de contenus. */ +static void g_scan_magic_type_function_class_init(GScanMagicTypeFunctionClass *); + +/* Initialise une instance de reconnaissance de contenus. */ +static void g_scan_magic_type_function_init(GScanMagicTypeFunction *); + +/* Supprime toutes les références externes. */ +static void g_scan_magic_type_function_dispose(GScanMagicTypeFunction *); + +/* Procède à la libération totale de la mémoire. */ +static void g_scan_magic_type_function_finalize(GScanMagicTypeFunction *); + + + +/* --------------------- IMPLEMENTATION DES FONCTIONS DE CLASSE --------------------- */ + + +/* Indique le nom associé à une expression d'évaluation. */ +static char *g_scan_magic_type_function_get_name(const GScanMagicTypeFunction *); + +/* Réduit une expression à une forme plus simple. */ +static bool g_scan_magic_type_function_run_call(GScanMagicTypeFunction *, GScanExpression **, size_t, GScanContext *, GScanScope *, GObject **); + + + +/* ---------------------------------------------------------------------------------- */ +/* INTRODUCTION D'UNE NOUVELLE FONCTION */ +/* ---------------------------------------------------------------------------------- */ + + +/* Indique le type défini pour une reconnaissance de types de contenus. */ +G_DEFINE_TYPE(GScanMagicTypeFunction, g_scan_magic_type_function, G_TYPE_REGISTERED_ITEM); + + +/****************************************************************************** +* * +* Paramètres : klass = classe à initialiser. * +* * +* Description : Initialise la classe des reconnaissances de contenus. * +* * +* Retour : - * +* * +* Remarques : - * +* * +******************************************************************************/ + +static void g_scan_magic_type_function_class_init(GScanMagicTypeFunctionClass *klass) +{ + GObjectClass *object; /* Autre version de la classe */ + GRegisteredItemClass *registered; /* Version de classe parente */ + + object = G_OBJECT_CLASS(klass); + + object->dispose = (GObjectFinalizeFunc/* ! */)g_scan_magic_type_function_dispose; + object->finalize = (GObjectFinalizeFunc)g_scan_magic_type_function_finalize; + + registered = G_REGISTERED_ITEM_CLASS(klass); + + registered->get_name = (get_registered_item_name_fc)g_scan_magic_type_function_get_name; + registered->run_call = (run_registered_item_call_fc)g_scan_magic_type_function_run_call; + +} + + +/****************************************************************************** +* * +* Paramètres : func = instance à initialiser. * +* * +* Description : Initialise une instance de reconnaissance de contenus. * +* * +* Retour : - * +* * +* Remarques : - * +* * +******************************************************************************/ + +static void g_scan_magic_type_function_init(GScanMagicTypeFunction *func) +{ + +} + + +/****************************************************************************** +* * +* Paramètres : func = instance d'objet GLib à traiter. * +* * +* Description : Supprime toutes les références externes. * +* * +* Retour : - * +* * +* Remarques : - * +* * +******************************************************************************/ + +static void g_scan_magic_type_function_dispose(GScanMagicTypeFunction *func) +{ + G_OBJECT_CLASS(g_scan_magic_type_function_parent_class)->dispose(G_OBJECT(func)); + +} + + +/****************************************************************************** +* * +* Paramètres : func = instance d'objet GLib à traiter. * +* * +* Description : Procède à la libération totale de la mémoire. * +* * +* Retour : - * +* * +* Remarques : - * +* * +******************************************************************************/ + +static void g_scan_magic_type_function_finalize(GScanMagicTypeFunction *func) +{ + G_OBJECT_CLASS(g_scan_magic_type_function_parent_class)->finalize(G_OBJECT(func)); + +} + + +/****************************************************************************** +* * +* Paramètres : - * +* * +* Description : Constitue une fonction d'identification de types de contenus.* +* * +* Retour : Fonction mise en place. * +* * +* Remarques : - * +* * +******************************************************************************/ + +GRegisteredItem *g_scan_magic_type_function_new(void) +{ + GRegisteredItem *result; /* Structure à retourner */ + + result = g_object_new(G_TYPE_SCAN_MAGIC_TYPE_FUNCTION, NULL); + + return result; + +} + + + +/* ---------------------------------------------------------------------------------- */ +/* IMPLEMENTATION DES FONCTIONS DE CLASSE */ +/* ---------------------------------------------------------------------------------- */ + + +/****************************************************************************** +* * +* Paramètres : item = élément d'appel à consulter. * +* * +* Description : Indique le nom associé à une expression d'évaluation. * +* * +* Retour : Désignation humaine de l'expression d'évaluation. * +* * +* Remarques : - * +* * +******************************************************************************/ + +static char *g_scan_magic_type_function_get_name(const GScanMagicTypeFunction *item) +{ + char *result; /* Désignation à retourner */ + + result = strdup("type"); + + return result; + +} + + +/****************************************************************************** +* * +* Paramètres : item = élément d'appel à consulter. * +* args = liste d'éventuels arguments fournis. * +* count = taille de cette liste. * +* ctx = contexte de suivi de l'analyse courante. * +* scope = portée courante des variables locales. * +* out = zone d'enregistrement de la résolution opérée. [OUT] * +* * +* Description : Réduit une expression à une forme plus simple. * +* * +* Retour : Réduction correspondante, expression déjà réduite, ou NULL. * +* * +* Remarques : - * +* * +******************************************************************************/ + +static bool g_scan_magic_type_function_run_call(GScanMagicTypeFunction *item, GScanExpression **args, size_t count, GScanContext *ctx, GScanScope *scope, GObject **out) +{ + bool result; /* Bilan à retourner */ + magic_t cookie; /* Référence des bibliothèques */ + GBinContent *content; /* Contenu à manipuler */ + vmpa2t pos; /* Tête de lecture */ + phys_t size; /* Quantité de données dispos. */ + const bin_t *data; /* Accès à des données */ + const char *desc; /* Description du contenu */ + sized_string_t string; /* Description à diffuser */ + + result = (count == 0); + if (!result) goto exit; + + cookie = get_magic_cookie(MAGIC_NONE); + + content = g_scan_context_get_content(ctx); + + g_binary_content_compute_start_pos(content, &pos); + + size = g_binary_content_compute_size(content); + + data = g_binary_content_get_raw_access(content, &pos, size); + + desc = magic_buffer(cookie, data, size); + + if (desc != NULL) + { + string.data = (char *)desc; + string.len = strlen(desc); + } + else + { + string.data = ""; + string.len = 0; + } + + *out = G_OBJECT(g_scan_literal_expression_new(LVT_STRING, &string)); + + g_object_unref(G_OBJECT(content)); + + exit: + + return result; + +} diff --git a/src/analysis/scan/items/magic/type.h b/src/analysis/scan/items/magic/type.h new file mode 100644 index 0000000..bfad213 --- /dev/null +++ b/src/analysis/scan/items/magic/type.h @@ -0,0 +1,58 @@ + +/* Chrysalide - Outil d'analyse de fichiers binaires + * type.h - prototypes pour la reconnaissance du type d'un contenu + * + * Copyright (C) 2023 Cyrille Bagard + * + * This file is part of Chrysalide. + * + * Chrysalide is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * Chrysalide is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with Foobar. If not, see <http://www.gnu.org/licenses/>. + */ + + +#ifndef _ANALYSIS_SCAN_ITEMS_MAGIC_TYPE_H +#define _ANALYSIS_SCAN_ITEMS_MAGIC_TYPE_H + + +#include <glib-object.h> + + +#include "../../item.h" + + + +#define G_TYPE_SCAN_MAGIC_TYPE_FUNCTION g_scan_magic_type_function_get_type() +#define G_SCAN_MAGIC_TYPE_FUNCTION(obj) (G_TYPE_CHECK_INSTANCE_CAST((obj), G_TYPE_SCAN_MAGIC_TYPE_FUNCTION, GScanMagicTypeFunction)) +#define G_IS_SCAN_MAGIC_TYPE_FUNCTION(obj) (G_TYPE_CHECK_INSTANCE_TYPE((obj), G_TYPE_SCAN_MAGIC_TYPE_FUNCTION)) +#define G_SCAN_MAGIC_TYPE_FUNCTION_CLASS(klass) (G_TYPE_CHECK_CLASS_CAST((klass), G_TYPE_SCAN_MAGIC_TYPE_FUNCTION, GScanMagicTypeFunctionClass)) +#define G_IS_SCAN_MAGIC_TYPE_FUNCTION_CLASS(klass) (G_TYPE_CHECK_CLASS_TYPE((klass), G_TYPE_SCAN_MAGIC_TYPE_FUNCTION)) +#define G_SCAN_MAGIC_TYPE_FUNCTION_GET_CLASS(obj) (G_TYPE_INSTANCE_GET_CLASS((obj), G_TYPE_SCAN_MAGIC_TYPE_FUNCTION, GScanMagicTypeFunctionClass)) + + +/* Reconnaissance de types de contenus (instance) */ +typedef GRegisteredItem GScanMagicTypeFunction; + +/* Reconnaissance de types de contenus (classe) */ +typedef GRegisteredItemClass GScanMagicTypeFunctionClass; + + +/* Indique le type défini pour une reconnaissance de types de contenus. */ +GType g_scan_magic_type_function_get_type(void); + +/* Constitue une fonction d'identification de types de contenus. */ +GRegisteredItem *g_scan_magic_type_function_new(void); + + + +#endif /* _ANALYSIS_SCAN_ITEMS_MAGIC_TYPE_H */ diff --git a/src/analysis/scan/items/time/Makefile.am b/src/analysis/scan/items/time/Makefile.am new file mode 100644 index 0000000..e5330be --- /dev/null +++ b/src/analysis/scan/items/time/Makefile.am @@ -0,0 +1,14 @@ + +noinst_LTLIBRARIES = libanalysisscanitemstime.la + + +libanalysisscanitemstime_la_SOURCES = \ + make.h make.c \ + now.h now.c + +libanalysisscanitemstime_la_CFLAGS = $(LIBGOBJ_CFLAGS) + + +devdir = $(includedir)/chrysalide/$(subdir:src/%=core/%) + +dev_HEADERS = $(libanalysisscanitemstime_la_SOURCES:%c=) diff --git a/src/analysis/scan/items/time/make.c b/src/analysis/scan/items/time/make.c new file mode 100644 index 0000000..477a77c --- /dev/null +++ b/src/analysis/scan/items/time/make.c @@ -0,0 +1,350 @@ + +/* Chrysalide - Outil d'analyse de fichiers binaires + * make.c - construction de volume de secondes à partir d'une date + * + * Copyright (C) 2023 Cyrille Bagard + * + * This file is part of Chrysalide. + * + * Chrysalide is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * Chrysalide is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with Foobar. If not, see <http://www.gnu.org/licenses/>. + */ + + +#include "make.h" + + +#include <assert.h> +#include <time.h> + + +#include "../../item-int.h" +#include "../../exprs/literal.h" + + + +/* ---------------------- INTRODUCTION D'UNE NOUVELLE FONCTION ---------------------- */ + + +/* Initialise la classe des conversions de dates en secondes. */ +static void g_scan_time_make_function_class_init(GScanTimeMakeFunctionClass *); + +/* Initialise une instance de convertisseur de date en secondes. */ +static void g_scan_time_make_function_init(GScanTimeMakeFunction *); + +/* Supprime toutes les références externes. */ +static void g_scan_time_make_function_dispose(GScanTimeMakeFunction *); + +/* Procède à la libération totale de la mémoire. */ +static void g_scan_time_make_function_finalize(GScanTimeMakeFunction *); + + + +/* --------------------- IMPLEMENTATION DES FONCTIONS DE CLASSE --------------------- */ + + +/* Indique le nom associé à une expression d'évaluation. */ +static char *g_scan_time_make_function_get_name(const GScanTimeMakeFunction *); + +/* Réduit une expression à une forme plus simple. */ +static bool g_scan_time_make_function_run_call(GScanTimeMakeFunction *, GScanExpression **, size_t, GScanContext *, GScanScope *, GObject **); + + + +/* ---------------------------------------------------------------------------------- */ +/* INTRODUCTION D'UNE NOUVELLE FONCTION */ +/* ---------------------------------------------------------------------------------- */ + + +/* Indique le type défini pour une conversion de date en nombre de secondes. */ +G_DEFINE_TYPE(GScanTimeMakeFunction, g_scan_time_make_function, G_TYPE_REGISTERED_ITEM); + + +/****************************************************************************** +* * +* Paramètres : klass = classe à initialiser. * +* * +* Description : Initialise la classe des conversions de dates en secondes. * +* * +* Retour : - * +* * +* Remarques : - * +* * +******************************************************************************/ + +static void g_scan_time_make_function_class_init(GScanTimeMakeFunctionClass *klass) +{ + GObjectClass *object; /* Autre version de la classe */ + GRegisteredItemClass *registered; /* Version de classe parente */ + + object = G_OBJECT_CLASS(klass); + + object->dispose = (GObjectFinalizeFunc/* ! */)g_scan_time_make_function_dispose; + object->finalize = (GObjectFinalizeFunc)g_scan_time_make_function_finalize; + + registered = G_REGISTERED_ITEM_CLASS(klass); + + registered->get_name = (get_registered_item_name_fc)g_scan_time_make_function_get_name; + registered->run_call = (run_registered_item_call_fc)g_scan_time_make_function_run_call; + +} + + +/****************************************************************************** +* * +* Paramètres : func = instance à initialiser. * +* * +* Description : Initialise une instance de convertisseur de date en secondes.* +* * +* Retour : - * +* * +* Remarques : - * +* * +******************************************************************************/ + +static void g_scan_time_make_function_init(GScanTimeMakeFunction *func) +{ + +} + + +/****************************************************************************** +* * +* Paramètres : func = instance d'objet GLib à traiter. * +* * +* Description : Supprime toutes les références externes. * +* * +* Retour : - * +* * +* Remarques : - * +* * +******************************************************************************/ + +static void g_scan_time_make_function_dispose(GScanTimeMakeFunction *func) +{ + G_OBJECT_CLASS(g_scan_time_make_function_parent_class)->dispose(G_OBJECT(func)); + +} + + +/****************************************************************************** +* * +* Paramètres : func = instance d'objet GLib à traiter. * +* * +* Description : Procède à la libération totale de la mémoire. * +* * +* Retour : - * +* * +* Remarques : - * +* * +******************************************************************************/ + +static void g_scan_time_make_function_finalize(GScanTimeMakeFunction *func) +{ + G_OBJECT_CLASS(g_scan_time_make_function_parent_class)->finalize(G_OBJECT(func)); + +} + + +/****************************************************************************** +* * +* Paramètres : - * +* * +* Description : Constitue une fonction de décompte du temps écoulé. * +* * +* Retour : Fonction mise en place. * +* * +* Remarques : - * +* * +******************************************************************************/ + +GRegisteredItem *g_scan_time_make_function_new(void) +{ + GRegisteredItem *result; /* Structure à retourner */ + + result = g_object_new(G_TYPE_SCAN_TIME_MAKE_FUNCTION, NULL); + + return result; + +} + + + +/* ---------------------------------------------------------------------------------- */ +/* IMPLEMENTATION DES FONCTIONS DE CLASSE */ +/* ---------------------------------------------------------------------------------- */ + + +/****************************************************************************** +* * +* Paramètres : item = élément d'appel à consulter. * +* * +* Description : Indique le nom associé à une expression d'évaluation. * +* * +* Retour : Désignation humaine de l'expression d'évaluation. * +* * +* Remarques : - * +* * +******************************************************************************/ + +static char *g_scan_time_make_function_get_name(const GScanTimeMakeFunction *item) +{ + char *result; /* Désignation à retourner */ + + result = strdup("make"); + + return result; + +} + + +/****************************************************************************** +* * +* Paramètres : item = élément d'appel à consulter. * +* args = liste d'éventuels arguments fournis. * +* count = taille de cette liste. * +* ctx = contexte de suivi de l'analyse courante. * +* scope = portée courante des variables locales. * +* out = zone d'enregistrement de la résolution opérée. [OUT] * +* * +* Description : Réduit une expression à une forme plus simple. * +* * +* Retour : Réduction correspondante, expression déjà réduite, ou NULL. * +* * +* Remarques : - * +* * +******************************************************************************/ + +static bool g_scan_time_make_function_run_call(GScanTimeMakeFunction *item, GScanExpression **args, size_t count, GScanContext *ctx, GScanScope *scope, GObject **out) +{ + bool result; /* Bilan à retourner */ + bool status; /* Possibilité de construction */ + size_t i; /* Boucle de parcours */ + LiteralValueType vtype; /* Type de valeur portée */ + struct tm date; /* Date à mettre en place */ + unsigned long long value; /* Valeur entière à utiliser */ + time_t computed; /* Nombre de secondes déterminé*/ + + /* Validation des arguments */ + + result = (count == 3 || count == 6); + if (!result) goto exit; + + status = true; + + for (i = 0; i < count && status; i++) + { + status = G_IS_SCAN_LITERAL_EXPRESSION(args[i]); + if (!status) break; + + vtype = g_scan_literal_expression_get_value_type(G_SCAN_LITERAL_EXPRESSION(args[i])); + + status = (vtype == LVT_UNSIGNED_INTEGER); + if (!status) break; + + } + + if (!status) goto exit; + + /* Lecture des arguments */ + + memset(&date, 0, sizeof(struct tm)); + + status = g_scan_literal_expression_get_unsigned_integer_value(G_SCAN_LITERAL_EXPRESSION(args[0]), &value); + assert(status); + if (!status) goto exit; + + if (value < 1900) + { + result = false; + goto exit; + } + + date.tm_year = value - 1900; + + status = g_scan_literal_expression_get_unsigned_integer_value(G_SCAN_LITERAL_EXPRESSION(args[1]), &value); + assert(status); + if (!status) goto exit; + + if (value > 12) + { + result = false; + goto exit; + } + + date.tm_mon = value - 1; + + status = g_scan_literal_expression_get_unsigned_integer_value(G_SCAN_LITERAL_EXPRESSION(args[2]), &value); + assert(status); + if (!status) goto exit; + + if (value < 1 || value > 31) + { + result = false; + goto exit; + } + + date.tm_mday = value; + + if (count == 6) + { + status = g_scan_literal_expression_get_unsigned_integer_value(G_SCAN_LITERAL_EXPRESSION(args[3]), &value); + assert(status); + if (!status) goto exit; + + if (value >= 24) + { + result = false; + goto exit; + } + + date.tm_hour = value; + + status = g_scan_literal_expression_get_unsigned_integer_value(G_SCAN_LITERAL_EXPRESSION(args[4]), &value); + assert(status); + if (!status) goto exit; + + if (value >= 60) + { + result = false; + goto exit; + } + + date.tm_min = value; + + status = g_scan_literal_expression_get_unsigned_integer_value(G_SCAN_LITERAL_EXPRESSION(args[5]), &value); + assert(status); + if (!status) goto exit; + + if (value >= 60) + { + result = false; + goto exit; + } + + date.tm_sec = value; + + } + + /* Construction de la valeur finale */ + + computed = timegm(&date); + + if (computed != (time_t)-1) + *out = G_OBJECT(g_scan_literal_expression_new(LVT_UNSIGNED_INTEGER, (unsigned long long []){ computed })); + + exit: + + return result; + +} diff --git a/src/analysis/scan/items/time/make.h b/src/analysis/scan/items/time/make.h new file mode 100644 index 0000000..958a392 --- /dev/null +++ b/src/analysis/scan/items/time/make.h @@ -0,0 +1,58 @@ + +/* Chrysalide - Outil d'analyse de fichiers binaires + * make.h - prototypes pour une construction de volume de secondes à partir d'une date + * + * Copyright (C) 2023 Cyrille Bagard + * + * This file is part of Chrysalide. + * + * Chrysalide is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * Chrysalide is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with Foobar. If not, see <http://www.gnu.org/licenses/>. + */ + + +#ifndef _ANALYSIS_SCAN_ITEMS_TIME_MAKE_H +#define _ANALYSIS_SCAN_ITEMS_TIME_MAKE_H + + +#include <glib-object.h> + + +#include "../../item.h" + + + +#define G_TYPE_SCAN_TIME_MAKE_FUNCTION g_scan_time_make_function_get_type() +#define G_SCAN_TIME_MAKE_FUNCTION(obj) (G_TYPE_CHECK_INSTANCE_CAST((obj), G_TYPE_SCAN_TIME_MAKE_FUNCTION, GScanTimeMakeFunction)) +#define G_IS_SCAN_TIME_MAKE_FUNCTION(obj) (G_TYPE_CHECK_INSTANCE_TYPE((obj), G_TYPE_SCAN_TIME_MAKE_FUNCTION)) +#define G_SCAN_TIME_MAKE_FUNCTION_CLASS(klass) (G_TYPE_CHECK_CLASS_CAST((klass), G_TYPE_SCAN_TIME_MAKE_FUNCTION, GScanTimeMakeFunctionClass)) +#define G_IS_SCAN_TIME_MAKE_FUNCTION_CLASS(klass) (G_TYPE_CHECK_CLASS_TYPE((klass), G_TYPE_SCAN_TIME_MAKE_FUNCTION)) +#define G_SCAN_TIME_MAKE_FUNCTION_GET_CLASS(obj) (G_TYPE_INSTANCE_GET_CLASS((obj), G_TYPE_SCAN_TIME_MAKE_FUNCTION, GScanTimeMakeFunctionClass)) + + +/* Convertisseur de date en nombre de secondes depuis le 01/01/1970 (instance) */ +typedef GRegisteredItem GScanTimeMakeFunction; + +/* Convertisseur de date en nombre de secondes depuis le 01/01/1970 (classe) */ +typedef GRegisteredItemClass GScanTimeMakeFunctionClass; + + +/* Indique le type défini pour une conversion de date en nombre de secondes. */ +GType g_scan_time_make_function_get_type(void); + +/* Constitue une fonction de décompte du temps écoulé. */ +GRegisteredItem *g_scan_time_make_function_new(void); + + + +#endif /* _ANALYSIS_SCAN_ITEMS_TIME_MAKE_H */ diff --git a/src/analysis/scan/items/time/now.c b/src/analysis/scan/items/time/now.c new file mode 100644 index 0000000..16c4aef --- /dev/null +++ b/src/analysis/scan/items/time/now.c @@ -0,0 +1,243 @@ + +/* Chrysalide - Outil d'analyse de fichiers binaires + * now.c - décompte du temps écoulé depuis Epoch + * + * Copyright (C) 2023 Cyrille Bagard + * + * This file is part of Chrysalide. + * + * Chrysalide is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * Chrysalide is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with Foobar. If not, see <http://www.gnu.org/licenses/>. + */ + + +#include "now.h" + + +#include <time.h> + + +#include "../../item-int.h" +#include "../../exprs/literal.h" + + + +/* ---------------------- INTRODUCTION D'UNE NOUVELLE FONCTION ---------------------- */ + + +/* Initialise la classe des décomptes de temps écoulé. */ +static void g_scan_time_now_function_class_init(GScanTimeNowFunctionClass *); + +/* Initialise une instance de décompte de temps écoulé. */ +static void g_scan_time_now_function_init(GScanTimeNowFunction *); + +/* Supprime toutes les références externes. */ +static void g_scan_time_now_function_dispose(GScanTimeNowFunction *); + +/* Procède à la libération totale de la mémoire. */ +static void g_scan_time_now_function_finalize(GScanTimeNowFunction *); + + + +/* --------------------- IMPLEMENTATION DES FONCTIONS DE CLASSE --------------------- */ + + +/* Indique le nom associé à une expression d'évaluation. */ +static char *g_scan_time_now_function_get_name(const GScanTimeNowFunction *); + +/* Réduit une expression à une forme plus simple. */ +static bool g_scan_time_now_function_run_call(GScanTimeNowFunction *, GScanExpression **, size_t, GScanContext *, GScanScope *, GObject **); + + + +/* ---------------------------------------------------------------------------------- */ +/* INTRODUCTION D'UNE NOUVELLE FONCTION */ +/* ---------------------------------------------------------------------------------- */ + + +/* Indique le type défini pour un décompte de secondes écoulées depuis le 01/01/1970. */ +G_DEFINE_TYPE(GScanTimeNowFunction, g_scan_time_now_function, G_TYPE_REGISTERED_ITEM); + + +/****************************************************************************** +* * +* Paramètres : klass = classe à initialiser. * +* * +* Description : Initialise la classe des décomptes de temps écoulé. * +* * +* Retour : - * +* * +* Remarques : - * +* * +******************************************************************************/ + +static void g_scan_time_now_function_class_init(GScanTimeNowFunctionClass *klass) +{ + GObjectClass *object; /* Autre version de la classe */ + GRegisteredItemClass *registered; /* Version de classe parente */ + + object = G_OBJECT_CLASS(klass); + + object->dispose = (GObjectFinalizeFunc/* ! */)g_scan_time_now_function_dispose; + object->finalize = (GObjectFinalizeFunc)g_scan_time_now_function_finalize; + + registered = G_REGISTERED_ITEM_CLASS(klass); + + registered->get_name = (get_registered_item_name_fc)g_scan_time_now_function_get_name; + registered->run_call = (run_registered_item_call_fc)g_scan_time_now_function_run_call; + +} + + +/****************************************************************************** +* * +* Paramètres : func = instance à initialiser. * +* * +* Description : Initialise une instance de décompte de temps écoulé. * +* * +* Retour : - * +* * +* Remarques : - * +* * +******************************************************************************/ + +static void g_scan_time_now_function_init(GScanTimeNowFunction *func) +{ + +} + + +/****************************************************************************** +* * +* Paramètres : func = instance d'objet GLib à traiter. * +* * +* Description : Supprime toutes les références externes. * +* * +* Retour : - * +* * +* Remarques : - * +* * +******************************************************************************/ + +static void g_scan_time_now_function_dispose(GScanTimeNowFunction *func) +{ + G_OBJECT_CLASS(g_scan_time_now_function_parent_class)->dispose(G_OBJECT(func)); + +} + + +/****************************************************************************** +* * +* Paramètres : func = instance d'objet GLib à traiter. * +* * +* Description : Procède à la libération totale de la mémoire. * +* * +* Retour : - * +* * +* Remarques : - * +* * +******************************************************************************/ + +static void g_scan_time_now_function_finalize(GScanTimeNowFunction *func) +{ + G_OBJECT_CLASS(g_scan_time_now_function_parent_class)->finalize(G_OBJECT(func)); + +} + + +/****************************************************************************** +* * +* Paramètres : - * +* * +* Description : Constitue une fonction de décompte du temps écoulé. * +* * +* Retour : Fonction mise en place. * +* * +* Remarques : - * +* * +******************************************************************************/ + +GRegisteredItem *g_scan_time_now_function_new(void) +{ + GRegisteredItem *result; /* Structure à retourner */ + + result = g_object_new(G_TYPE_SCAN_TIME_NOW_FUNCTION, NULL); + + return result; + +} + + + +/* ---------------------------------------------------------------------------------- */ +/* IMPLEMENTATION DES FONCTIONS DE CLASSE */ +/* ---------------------------------------------------------------------------------- */ + + +/****************************************************************************** +* * +* Paramètres : item = élément d'appel à consulter. * +* * +* Description : Indique le nom associé à une expression d'évaluation. * +* * +* Retour : Désignation humaine de l'expression d'évaluation. * +* * +* Remarques : - * +* * +******************************************************************************/ + +static char *g_scan_time_now_function_get_name(const GScanTimeNowFunction *item) +{ + char *result; /* Désignation à retourner */ + + result = strdup("now"); + + return result; + +} + + +/****************************************************************************** +* * +* Paramètres : item = élément d'appel à consulter. * +* args = liste d'éventuels arguments fournis. * +* count = taille de cette liste. * +* ctx = contexte de suivi de l'analyse courante. * +* scope = portée courante des variables locales. * +* out = zone d'enregistrement de la résolution opérée. [OUT] * +* * +* Description : Réduit une expression à une forme plus simple. * +* * +* Retour : Réduction correspondante, expression déjà réduite, ou NULL. * +* * +* Remarques : - * +* * +******************************************************************************/ + +static bool g_scan_time_now_function_run_call(GScanTimeNowFunction *item, GScanExpression **args, size_t count, GScanContext *ctx, GScanScope *scope, GObject **out) +{ + bool result; /* Bilan à retourner */ + time_t now; /* Date relative courante */ + + result = (count == 0); + if (!result) goto exit; + + now = time(NULL); + + *out = G_OBJECT(g_scan_literal_expression_new(LVT_UNSIGNED_INTEGER, (unsigned long long []){ now })); + + exit: + + return result; + +} diff --git a/src/analysis/scan/items/time/now.h b/src/analysis/scan/items/time/now.h new file mode 100644 index 0000000..6b3faa2 --- /dev/null +++ b/src/analysis/scan/items/time/now.h @@ -0,0 +1,58 @@ + +/* Chrysalide - Outil d'analyse de fichiers binaires + * now.h - prototypes pour le décompte du temps écoulé depuis Epoch + * + * Copyright (C) 2023 Cyrille Bagard + * + * This file is part of Chrysalide. + * + * Chrysalide is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * Chrysalide is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with Foobar. If not, see <http://www.gnu.org/licenses/>. + */ + + +#ifndef _ANALYSIS_SCAN_ITEMS_TIME_NOW_H +#define _ANALYSIS_SCAN_ITEMS_TIME_NOW_H + + +#include <glib-object.h> + + +#include "../../item.h" + + + +#define G_TYPE_SCAN_TIME_NOW_FUNCTION g_scan_time_now_function_get_type() +#define G_SCAN_TIME_NOW_FUNCTION(obj) (G_TYPE_CHECK_INSTANCE_CAST((obj), G_TYPE_SCAN_TIME_NOW_FUNCTION, GScanTimeNowFunction)) +#define G_IS_SCAN_TIME_NOW_FUNCTION(obj) (G_TYPE_CHECK_INSTANCE_TYPE((obj), G_TYPE_SCAN_TIME_NOW_FUNCTION)) +#define G_SCAN_TIME_NOW_FUNCTION_CLASS(klass) (G_TYPE_CHECK_CLASS_CAST((klass), G_TYPE_SCAN_TIME_NOW_FUNCTION, GScanTimeNowFunctionClass)) +#define G_IS_SCAN_TIME_NOW_FUNCTION_CLASS(klass) (G_TYPE_CHECK_CLASS_TYPE((klass), G_TYPE_SCAN_TIME_NOW_FUNCTION)) +#define G_SCAN_TIME_NOW_FUNCTION_GET_CLASS(obj) (G_TYPE_INSTANCE_GET_CLASS((obj), G_TYPE_SCAN_TIME_NOW_FUNCTION, GScanTimeNowFunctionClass)) + + +/* Décompte du nombre de seccondes écoulées depuis le 01/01/1970 (instance) */ +typedef GRegisteredItem GScanTimeNowFunction; + +/* Décompte du nombre de seccondes écoulées depuis le 01/01/1970 (classe) */ +typedef GRegisteredItemClass GScanTimeNowFunctionClass; + + +/* Indique le type défini pour un décompte de secondes écoulées depuis le 01/01/1970. */ +GType g_scan_time_now_function_get_type(void); + +/* Constitue une fonction de décompte du temps écoulé. */ +GRegisteredItem *g_scan_time_now_function_new(void); + + + +#endif /* _ANALYSIS_SCAN_ITEMS_TIME_NOW_H */ diff --git a/src/analysis/scan/items/uint-int.h b/src/analysis/scan/items/uint-int.h index 1fa83c5..972d7a0 100644 --- a/src/analysis/scan/items/uint-int.h +++ b/src/analysis/scan/items/uint-int.h @@ -2,7 +2,7 @@ /* Chrysalide - Outil d'analyse de fichiers binaires * uint-int.h - prototypes internes pour la lecture d'un mot à partir de données binaires * - * Copyright (C) 2022 Cyrille Bagard + * Copyright (C) 2023 Cyrille Bagard * * This file is part of Chrysalide. * @@ -33,7 +33,7 @@ /* Fonction conduisant à la lecture d'un mot (instance) */ -struct _GUintFunction +struct _GScanUintFunction { GRegisteredItem parent; /* A laisser en premier */ @@ -43,7 +43,7 @@ struct _GUintFunction }; /* Fonction conduisant à la lecture d'un mot (classe) */ -struct _GUintFunctionClass +struct _GScanUintFunctionClass { GRegisteredItemClass parent; /* A laisser en premier */ @@ -51,7 +51,7 @@ struct _GUintFunctionClass /* Met en place un nouvelle fonction de lecture d'entiers. */ -bool g_uint_function_create(GUintFunction *, MemoryDataSize); +bool g_scan_uint_function_create(GScanUintFunction *, MemoryDataSize, SourceEndian); diff --git a/src/analysis/scan/items/uint.c b/src/analysis/scan/items/uint.c index 4fea494..66c7fa9 100644 --- a/src/analysis/scan/items/uint.c +++ b/src/analysis/scan/items/uint.c @@ -2,7 +2,7 @@ /* Chrysalide - Outil d'analyse de fichiers binaires * uint.c - lecture d'un mot à partir de données binaires * - * Copyright (C) 2022 Cyrille Bagard + * Copyright (C) 2023 Cyrille Bagard * * This file is part of Chrysalide. * @@ -29,6 +29,7 @@ #include "uint-int.h" #include "../exprs/literal.h" +#include "../../../common/extstr.h" @@ -36,16 +37,16 @@ /* Initialise la classe des lectures de valeurs entières. */ -static void g_uint_function_class_init(GUintFunctionClass *); +static void g_scan_uint_function_class_init(GScanUintFunctionClass *); /* Initialise une instance de lecture de valeur entière. */ -static void g_uint_function_init(GUintFunction *); +static void g_scan_uint_function_init(GScanUintFunction *); /* Supprime toutes les références externes. */ -static void g_uint_function_dispose(GUintFunction *); +static void g_scan_uint_function_dispose(GScanUintFunction *); /* Procède à la libération totale de la mémoire. */ -static void g_uint_function_finalize(GUintFunction *); +static void g_scan_uint_function_finalize(GScanUintFunction *); @@ -53,10 +54,10 @@ static void g_uint_function_finalize(GUintFunction *); /* Indique le nom associé à une expression d'évaluation. */ -static char *g_uint_function_get_name(const GUintFunction *); +static char *g_scan_uint_function_get_name(const GScanUintFunction *); /* Réduit une expression à une forme plus simple. */ -static bool g_uint_function_run_call(GUintFunction *, GScanExpression **, size_t, GScanContext *, GScanScope *, GObject **); +static bool g_scan_uint_function_run_call(GScanUintFunction *, GScanExpression **, size_t, GScanContext *, GScanScope *, GObject **); @@ -66,7 +67,7 @@ static bool g_uint_function_run_call(GUintFunction *, GScanExpression **, size_t /* Indique le type défini pour une lecture de mot à partir de données binaires. */ -G_DEFINE_TYPE(GUintFunction, g_uint_function, G_TYPE_REGISTERED_ITEM); +G_DEFINE_TYPE(GScanUintFunction, g_scan_uint_function, G_TYPE_REGISTERED_ITEM); /****************************************************************************** @@ -81,20 +82,20 @@ G_DEFINE_TYPE(GUintFunction, g_uint_function, G_TYPE_REGISTERED_ITEM); * * ******************************************************************************/ -static void g_uint_function_class_init(GUintFunctionClass *klass) +static void g_scan_uint_function_class_init(GScanUintFunctionClass *klass) { GObjectClass *object; /* Autre version de la classe */ GRegisteredItemClass *registered; /* Version de classe parente */ object = G_OBJECT_CLASS(klass); - object->dispose = (GObjectFinalizeFunc/* ! */)g_uint_function_dispose; - object->finalize = (GObjectFinalizeFunc)g_uint_function_finalize; + object->dispose = (GObjectFinalizeFunc/* ! */)g_scan_uint_function_dispose; + object->finalize = (GObjectFinalizeFunc)g_scan_uint_function_finalize; registered = G_REGISTERED_ITEM_CLASS(klass); - registered->get_name = (get_registered_item_name_fc)g_uint_function_get_name; - registered->run_call = (run_registered_item_call_fc)g_uint_function_run_call; + registered->get_name = (get_registered_item_name_fc)g_scan_uint_function_get_name; + registered->run_call = (run_registered_item_call_fc)g_scan_uint_function_run_call; } @@ -111,7 +112,7 @@ static void g_uint_function_class_init(GUintFunctionClass *klass) * * ******************************************************************************/ -static void g_uint_function_init(GUintFunction *func) +static void g_scan_uint_function_init(GScanUintFunction *func) { func->size = MDS_UNDEFINED; func->endian = SRE_LITTLE; @@ -131,9 +132,9 @@ static void g_uint_function_init(GUintFunction *func) * * ******************************************************************************/ -static void g_uint_function_dispose(GUintFunction *func) +static void g_scan_uint_function_dispose(GScanUintFunction *func) { - G_OBJECT_CLASS(g_uint_function_parent_class)->dispose(G_OBJECT(func)); + G_OBJECT_CLASS(g_scan_uint_function_parent_class)->dispose(G_OBJECT(func)); } @@ -150,9 +151,9 @@ static void g_uint_function_dispose(GUintFunction *func) * * ******************************************************************************/ -static void g_uint_function_finalize(GUintFunction *func) +static void g_scan_uint_function_finalize(GScanUintFunction *func) { - G_OBJECT_CLASS(g_uint_function_parent_class)->finalize(G_OBJECT(func)); + G_OBJECT_CLASS(g_scan_uint_function_parent_class)->finalize(G_OBJECT(func)); } @@ -169,13 +170,13 @@ static void g_uint_function_finalize(GUintFunction *func) * * ******************************************************************************/ -GUintFunction *g_uint_function_new(MemoryDataSize size) +GRegisteredItem *g_scan_uint_function_new(MemoryDataSize size, SourceEndian endian) { - GUintFunction *result; /* Structure à retourner */ + GRegisteredItem *result; /* Structure à retourner */ - result = g_object_new(G_TYPE_UINT_FUNCTION, NULL); + result = g_object_new(G_TYPE_SCAN_UINT_FUNCTION, NULL); - if (!g_uint_function_create(result, size)) + if (!g_scan_uint_function_create(G_SCAN_UINT_FUNCTION(result), size, endian)) g_clear_object(&result); return result; @@ -196,13 +197,14 @@ GUintFunction *g_uint_function_new(MemoryDataSize size) * * ******************************************************************************/ -bool g_uint_function_create(GUintFunction *func, MemoryDataSize size) +bool g_scan_uint_function_create(GScanUintFunction *func, MemoryDataSize size, SourceEndian endian) { bool result; /* Bilan à retourner */ result = true; func->size = size; + func->endian = endian; return result; @@ -227,26 +229,26 @@ bool g_uint_function_create(GUintFunction *func, MemoryDataSize size) * * ******************************************************************************/ -static char *g_uint_function_get_name(const GUintFunction *item) +static char *g_scan_uint_function_get_name(const GScanUintFunction *item) { char *result; /* Désignation à retourner */ - switch (item->size) + switch (item->size & ~MDS_SIGN) { case MDS_8_BITS_UNSIGNED: - result = strdup("uint8"); + result = strdup("int8"); break; case MDS_16_BITS_UNSIGNED: - result = strdup("uint16"); + result = strdup("int16"); break; case MDS_32_BITS_UNSIGNED: - result = strdup("uint32"); + result = strdup("int32"); break; case MDS_64_BITS_UNSIGNED: - result = strdup("uint64"); + result = strdup("int64"); break; default: @@ -256,6 +258,16 @@ static char *g_uint_function_get_name(const GUintFunction *item) } + if (result) + { + if (!MDS_IS_SIGNED(item->size)) + result = strprep(result, "u"); + + if (item->endian == SRE_BIG) + result = stradd(result, "be"); + + } + return result; } @@ -278,21 +290,25 @@ static char *g_uint_function_get_name(const GUintFunction *item) * * ******************************************************************************/ -static bool g_uint_function_run_call(GUintFunction *item, GScanExpression **args, size_t count, GScanContext *ctx, GScanScope *scope, GObject **out) +static bool g_scan_uint_function_run_call(GScanUintFunction *item, GScanExpression **args, size_t count, GScanContext *ctx, GScanScope *scope, GObject **out) { bool result; /* Bilan à retourner */ unsigned long long offset; /* Position du mot ciblé */ GBinContent *content; /* Contenu à manipuler */ vmpa2t pos; /* Tête de lecture */ - uint8_t val_8; /* Valeur entière sur 8 bits */ - uint16_t val_16; /* Valeur entière sur 16 bits */ - uint32_t val_32; /* Valeur entière sur 32 bits */ - uint64_t val_64; /* Valeur entière sur 64 bits */ - - result = (count == 1 && G_IS_LITERAL_EXPRESSION(args[0])); + uint8_t val_s8; /* Valeur entière sur 8 bits */ + uint8_t val_u8; /* Valeur entière sur 8 bits */ + uint16_t val_s16; /* Valeur entière sur 16 bits */ + uint16_t val_u16; /* Valeur entière sur 16 bits */ + uint32_t val_s32; /* Valeur entière sur 32 bits */ + uint32_t val_u32; /* Valeur entière sur 32 bits */ + uint64_t val_s64; /* Valeur entière sur 64 bits */ + uint64_t val_u64; /* Valeur entière sur 64 bits */ + + result = (count == 1 && G_IS_SCAN_LITERAL_EXPRESSION(args[0])); if (!result) goto exit; - result = g_literal_expression_get_integer_value(G_LITERAL_EXPRESSION(args[0]), &offset); + result = g_scan_literal_expression_get_unsigned_integer_value(G_SCAN_LITERAL_EXPRESSION(args[0]), &offset); if (!result) goto exit; content = g_scan_context_get_content(ctx); @@ -302,29 +318,60 @@ static bool g_uint_function_run_call(GUintFunction *item, GScanExpression **args switch (item->size) { + case MDS_8_BITS_SIGNED: + result = g_binary_content_read_s8(content, &pos, &val_s8); + if (result) + *out = G_OBJECT(g_scan_literal_expression_new(LVT_SIGNED_INTEGER, + (long long []){ val_s8 })); + break; + case MDS_8_BITS_UNSIGNED: - result = g_binary_content_read_u8(content, &pos, &val_8); + result = g_binary_content_read_u8(content, &pos, &val_u8); if (result) - *out = G_OBJECT(g_literal_expression_new(EVT_INTEGER, (unsigned long long []){ val_8 })); + *out = G_OBJECT(g_scan_literal_expression_new(LVT_UNSIGNED_INTEGER, + (unsigned long long []){ val_u8 })); + break; + + case MDS_16_BITS_SIGNED: + result = g_binary_content_read_s16(content, &pos, item->endian, &val_s16); + if (result) + *out = G_OBJECT(g_scan_literal_expression_new(LVT_SIGNED_INTEGER, + (long long []){ val_s16 })); break; case MDS_16_BITS_UNSIGNED: - result = g_binary_content_read_u16(content, &pos, item->endian, &val_16); + result = g_binary_content_read_u16(content, &pos, item->endian, &val_u16); if (result) - *out = G_OBJECT(g_literal_expression_new(EVT_INTEGER, (unsigned long long []){ val_16 })); + *out = G_OBJECT(g_scan_literal_expression_new(LVT_UNSIGNED_INTEGER, + (unsigned long long []){ val_u16 })); + break; + + case MDS_32_BITS_SIGNED: + result = g_binary_content_read_s32(content, &pos, item->endian, &val_s32); + if (result) + *out = G_OBJECT(g_scan_literal_expression_new(LVT_SIGNED_INTEGER, + (long long []){ val_s32 })); break; case MDS_32_BITS_UNSIGNED: - result = g_binary_content_read_u32(content, &pos, item->endian, &val_32); + result = g_binary_content_read_u32(content, &pos, item->endian, &val_u32); if (result) - *out = G_OBJECT(g_literal_expression_new(EVT_INTEGER, (unsigned long long []){ val_32 })); + *out = G_OBJECT(g_scan_literal_expression_new(LVT_UNSIGNED_INTEGER, + (unsigned long long []){ val_u32 })); break; + case MDS_64_BITS_SIGNED: + result = g_binary_content_read_s64(content, &pos, item->endian, &val_s64); + if (result) + *out = G_OBJECT(g_scan_literal_expression_new(LVT_SIGNED_INTEGER, + (long long []){ val_s64 })); + break; case MDS_64_BITS_UNSIGNED: - result = g_binary_content_read_u64(content, &pos, item->endian, &val_64); + result = g_binary_content_read_u64(content, &pos, item->endian, &val_u64); if (result) - *out = G_OBJECT(g_literal_expression_new(EVT_INTEGER, (unsigned long long []){ val_64 })); + *out = G_OBJECT(g_scan_literal_expression_new(LVT_UNSIGNED_INTEGER, + (unsigned long long []){ val_u64 })); break; default: diff --git a/src/analysis/scan/items/uint.h b/src/analysis/scan/items/uint.h index 60f2975..abc2231 100644 --- a/src/analysis/scan/items/uint.h +++ b/src/analysis/scan/items/uint.h @@ -2,7 +2,7 @@ /* Chrysalide - Outil d'analyse de fichiers binaires * uint.h - prototypes pour la lecture d'un mot à partir de données binaires * - * Copyright (C) 2022 Cyrille Bagard + * Copyright (C) 2023 Cyrille Bagard * * This file is part of Chrysalide. * @@ -28,30 +28,31 @@ #include <glib-object.h> +#include "../item.h" #include "../../../arch/archbase.h" -#define G_TYPE_UINT_FUNCTION g_uint_function_get_type() -#define G_UINT_FUNCTION(obj) (G_TYPE_CHECK_INSTANCE_CAST((obj), G_TYPE_UINT_FUNCTION, GUintFunction)) -#define G_IS_UINT_FUNCTION(obj) (G_TYPE_CHECK_INSTANCE_TYPE((obj), G_TYPE_UINT_FUNCTION)) -#define G_UINT_FUNCTION_CLASS(klass) (G_TYPE_CHECK_CLASS_CAST((klass), G_TYPE_UINT_FUNCTION, GUintFunctionClass)) -#define G_IS_UINT_FUNCTION_CLASS(klass) (G_TYPE_CHECK_CLASS_TYPE((klass), G_TYPE_UINT_FUNCTION)) -#define G_UINT_FUNCTION_GET_CLASS(obj) (G_TYPE_INSTANCE_GET_CLASS((obj), G_TYPE_UINT_FUNCTION, GUintFunctionClass)) +#define G_TYPE_SCAN_UINT_FUNCTION g_scan_uint_function_get_type() +#define G_SCAN_UINT_FUNCTION(obj) (G_TYPE_CHECK_INSTANCE_CAST((obj), G_TYPE_SCAN_UINT_FUNCTION, GScanUintFunction)) +#define G_IS_SCAN_UINT_FUNCTION(obj) (G_TYPE_CHECK_INSTANCE_TYPE((obj), G_TYPE_SCAN_UINT_FUNCTION)) +#define G_SCAN_UINT_FUNCTION_CLASS(klass) (G_TYPE_CHECK_CLASS_CAST((klass), G_TYPE_SCAN_UINT_FUNCTION, GScanUintFunctionClass)) +#define G_IS_SCAN_UINT_FUNCTION_CLASS(klass) (G_TYPE_CHECK_CLASS_TYPE((klass), G_TYPE_SCAN_UINT_FUNCTION)) +#define G_SCAN_UINT_FUNCTION_GET_CLASS(obj) (G_TYPE_INSTANCE_GET_CLASS((obj), G_TYPE_SCAN_UINT_FUNCTION, GScanUintFunctionClass)) /* Fonction conduisant à la lecture d'un mot (instance) */ -typedef struct _GUintFunction GUintFunction; +typedef struct _GScanUintFunction GScanUintFunction; /* Fonction conduisant à la lecture d'un mot (classe) */ -typedef struct _GUintFunctionClass GUintFunctionClass; +typedef struct _GScanUintFunctionClass GScanUintFunctionClass; /* Indique le type défini pour une lecture de mot à partir de données binaires. */ -GType g_uint_function_get_type(void); +GType g_scan_uint_function_get_type(void); /* Constitue une fonction de lecture de valeur entière. */ -GUintFunction *g_uint_function_new(MemoryDataSize); +GRegisteredItem *g_scan_uint_function_new(MemoryDataSize, SourceEndian); |