feat: add ability to set module data in scan callback #147
Conversation
|
Looks like the macos-latest runner was updated from 12.7 to 14.4 and it no longer works well, i don't think it's related to my changes |
src/internals/module_import.rs
Outdated
| /// The caller must guarantee that: | ||
| /// - `ptr` is valid for reads of `size` bytes. | ||
| /// - `ptr` stays valid for the full duration of the scan. | ||
| pub unsafe fn set_module_data(&mut self, ptr: *mut c_void, size: u64) { |
There was a problem hiding this comment.
@vthib hello! Are you sure to make a raw pointer as a public interface?
There was a problem hiding this comment.
I don't really see any other way, making this function safe would mean changing this pointer to a borrowed ref, but it would need to be tied to a lifetime that outlives the borrow on Rules/Scanner, which i don't think would be easy to express here. And even then, there isn't really a type to expose, since the type depends on the module.
I feel like exposing the raw pointer, with a clear unsafe function, is the best trade-off here. This is a very niche use-case, and leaving it to the user to properly set it makes the API changes minimal and still make it possible to set this module data if needed
Some modules in YARA need to be fed data to be usable, notably the cuckoo module. This works by setting the module data in the "import module" callback, as can be seen here: <https://github.com/VirusTotal/yara/blob/923368eab/cli/yara.c#L1200> This MR adds bindings to be able to do exactly this: the object related to this callback msg is wrapped in a YrModuleImport object, which exposes two functions: - one to retrieve the module name - one to set the module data This makes the code looks like this: ```rust let res = yara_scanner.scan_mem_callback(b"", |msg| { if let yara::CallbackMsg::ImportModule(mut module) = msg { if module.name() == Some(b"cuckoo") { // Safety: report is alive for longer than the scan. unsafe { module.set_module_data( report.as_mut_ptr().cast(), report.len() as u64, ); } } } yara::CallbackReturn::Continue }); ``` I haven't added a test for it, because the only module that uses this is the cuckoo module, and to use it, the module-cuckoo feature must be enabled and the libjansson-dev needs to be installed. If you prefer to have a test, I can try to update the CI to have a test like this working.
the macos-14 runner is M1 based and thus aarch64, which makes several matrix jobs fail due to missing vendored bindings. Fix the jobs by hardcoding the macos version to the one used before the update of macos-latest to macos-14.
|
I also don't see a better way to expose the setter for module data, without asking for a box or some complicated lifetimes stunts. |
Some modules in YARA need to be fed data to be usable, notably the cuckoo module. This works by setting the module data in the "import module" callback, as can be seen here:
https://github.com/VirusTotal/yara/blob/923368eab/cli/yara.c#L1200
This MR adds bindings to be able to do exactly this: the object related to this callback msg is wrapped in a YrModuleImport object, which exposes two functions:
This makes the code looks like this:
I haven't added a test for it, because the only module that uses this is the cuckoo module, and to use it, the module-cuckoo feature must be enabled and the libjansson-dev needs to be installed. If you prefer to have a test, I can try to update the CI to have a test like this working.