readpe
Scan plugins support and Libyara
This PR adds a LOT of things; here is everything included:
Scan plugin basic structure
general_plugin
A pre-defined exported function for PE scans: if any plugin has a function called plugin_scan, it will be called with the pe_ctx_t structure. This is used by the Yara plugin.
Yara plugin support in pescan
yarascan.c
Using the scan plugin structure, at the end of all pescan work we can call the general_plugin function scan_plugins_run_scan, which will run ALL plugins that have the scan_pe exported function.
Also, in the general makefile a plugin configuration folder is created, and in the plugins makefile a yara_rule folder is created inside this plugin config folder.
Example of rule: /usr/local/share/pev/plugins/yara_rules/<any_rule>.yar
The yara scan plugin will load all rules in the folder.
Example:
```
pescan -f json VirusShare_92c2bb8f606b2d01b42502eee3210396
```

```json
{
  "file entropy": "6.725520 (normal)",
  "fpu anti-disassembly": "no",
  "imagebase": "normal",
  "entrypoint": "normal",
  "DOS stub": "normal",
  "TLS directory": "not found",
  "timestamp": "normal",
  "section count": "4",
  "sections": [
    { ".text": "normal" },
    { ".rdata": "normal" },
    { ".data": "normal" },
    { ".rsrc": "normal" }
  ],
  "Yara": [
    "Microsoft_Visual_Cpp_v60",
    "Microsoft_Visual_Cpp_v50v60_MFC_additional",
    "Microsoft_Visual_Cpp_50",
    "Microsoft_Visual_Cpp_v50v60_MFC",
    "Armadillo_v4x",
    "Microsoft_Visual_Cpp"
  ]
}
```
Other changes
Moved all the struct definitions and header includes from plugins.c to plugins.h; created an output interface for all plugins using function pointers to output functions, like output_open_scope, in the pev_api struct.
Need to add libyara to the GitHub Action.
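As an added illustration of the two mechanisms described in this PR, the scan-plugin dispatch (a host pass that calls every plugin's exported scan entry point with the pe_ctx_t) and the function-pointer output interface handed to plugins through the API struct, here is a self-contained C example. It is example code written for this page, not code from this PR or from pev. Only the names pe_ctx_t, plugin_scan, scan_plugins_run_scan and output_open_scope come from the PR; the struct layouts, the pev_api_t/scan_plugin_t types, the output/output_close_scope callbacks, the toy rule table (which stands in for compiled .yar files from the rules folder; it is not libyara) and the sample bytes are all assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Stand-in for pev's pe_ctx_t (hypothetical layout): path plus the mapped file bytes. */
typedef struct {
    const char *path;
    const unsigned char *map_addr;
    size_t map_size;
} pe_ctx_t;

/* Output interface passed to plugins as function pointers (output_open_scope is the
 * name from the PR; the other two members are hypothetical). */
typedef struct {
    void (*output_open_scope)(const char *name);
    void (*output)(const char *key, const char *value);
    void (*output_close_scope)(void);
} pev_api_t;

/* A scan plugin exports one entry point that receives the PE context. */
typedef void (*plugin_scan_fn)(const pev_api_t *api, const pe_ctx_t *ctx);

typedef struct {
    const char *name;
    plugin_scan_fn plugin_scan;   /* NULL when the plugin exports no scan entry point */
} scan_plugin_t;

/* Host side: run every registered plugin that has a scan entry point; returns how many ran. */
static int scan_plugins_run_scan(const pev_api_t *api, const pe_ctx_t *ctx,
                                 const scan_plugin_t *plugins, size_t count)
{
    int ran = 0;
    for (size_t i = 0; i < count; i++) {
        if (plugins[i].plugin_scan == NULL)
            continue;                          /* e.g. an output-only plugin */
        plugins[i].plugin_scan(api, ctx);
        ran++;
    }
    return ran;
}

/* Toy "yara" plugin: each rule is a name plus one byte pattern. This is a constructed
 * stand-in for rules loaded from the rules folder, not real YARA matching. */
typedef struct { const char *name; const char *pattern; } toy_rule_t;

static const toy_rule_t toy_rules[] = {
    { "Toy_DOS_stub",      "This program cannot be run in DOS mode" },
    { "Toy_MSVCRT_import", "MSVCRT.dll" },
    { "Toy_UPX_section",   "UPX0" },
};

static int rule_matches(const toy_rule_t *r, const pe_ctx_t *ctx)
{
    size_t n = strlen(r->pattern);
    if (n == 0 || n > ctx->map_size)
        return 0;
    for (size_t i = 0; i + n <= ctx->map_size; i++)   /* mapped file contains NULs: memcmp, not strstr */
        if (memcmp(ctx->map_addr + i, r->pattern, n) == 0)
            return 1;
    return 0;
}

static void toy_yara_plugin_scan(const pev_api_t *api, const pe_ctx_t *ctx)
{
    api->output_open_scope("Yara");           /* plugin never prints directly; it goes through the API */
    for (size_t i = 0; i < sizeof toy_rules / sizeof toy_rules[0]; i++)
        if (rule_matches(&toy_rules[i], ctx))
            api->output("rule", toy_rules[i].name);
    api->output_close_scope();
}

/* Host output implementation: prints a JSON-like array and records matched rule names. */
#define MAX_MATCHES 16
static const char *matched_rules[MAX_MATCHES];
static int matched_count;

static void out_open(const char *name) { printf("\"%s\": [\n", name); }
static void out_close(void)            { printf("]\n"); }
static void out_value(const char *key, const char *value)
{
    printf("  \"%s\"\n", value);
    if (strcmp(key, "rule") == 0 && matched_count < MAX_MATCHES)
        matched_rules[matched_count++] = value;
}

/* Constructed sample bytes: a DOS stub message and an MSVCRT import string. Not a real PE. */
static const unsigned char sample_file[] =
    "MZ\x90\x00\x03\x00\x00\x00This program cannot be run in DOS mode.\r\n$"
    "PE\x00\x00.text\x00\x00\x00MSVCRT.dll\x00KERNEL32.dll";

/* Runs the scan pass over the sample; returns the number of toy rules that matched. */
static int run_sample_scan(void)
{
    const pev_api_t api = { out_open, out_value, out_close };
    const pe_ctx_t ctx = { "sample.exe", sample_file, sizeof sample_file - 1 };
    const scan_plugin_t plugins[] = {
        { "csv",      NULL },                   /* output-only plugin: skipped by the scan pass */
        { "yarascan", toy_yara_plugin_scan },
    };
    matched_count = 0;
    int ran = scan_plugins_run_scan(&api, &ctx, plugins, 2);
    printf("plugins run: %d, rules matched: %d\n", ran, matched_count);
    return matched_count;
}

int main(void)
{
    return run_sample_scan() == 2 ? 0 : 1;
}
```

The point to take from the layout: the host never needs to know what a plugin does, only that it exports the scan entry point, and the plugin never touches stdout or a format, only the function pointers in the API struct, which is what lets the same Yara results land in JSON, CSV or any other output plugin.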