Fix issue VirusTotal#524

Author: plusvic

libyara/include/yara/pe.h

@@ -290,11 +290,6 @@ typedef struct _IMAGE_OPTIONAL_HEADER64 {
 #define IMAGE_NT_OPTIONAL_HDR32_MAGIC      0x10b
 #define IMAGE_NT_OPTIONAL_HDR64_MAGIC      0x20b
 
-#define OptionalHeader(pe,field)                \
-  (IS_64BITS_PE(pe) ?                           \
-   pe->header64->OptionalHeader.field :         \
-   pe->header->OptionalHeader.field)
-
 
 typedef struct _IMAGE_NT_HEADERS32 {
     DWORD Signature;
@@ -311,51 +306,6 @@ typedef struct _IMAGE_NT_HEADERS64 {
 
 } IMAGE_NT_HEADERS64, *PIMAGE_NT_HEADERS64;
 
-
-//
-// Imports are stored in a linked list. Each node (IMPORTED_DLL) contains the
-// name of the DLL and a pointer to another linked list of IMPORTED_FUNCTION
-// structures containing the names of imported functions.
-//
-
-typedef struct _IMPORTED_DLL
-{
-  char *name;
-
-  struct _IMPORTED_FUNCTION *functions;
-  struct _IMPORTED_DLL *next;
-
-} IMPORTED_DLL, *PIMPORTED_DLL;
-
-
-typedef struct _IMPORTED_FUNCTION
-{
-  char *name;
-  uint8_t has_ordinal;
-  uint16_t ordinal;
-
-  struct _IMPORTED_FUNCTION *next;
-
-} IMPORTED_FUNCTION, *PIMPORTED_FUNCTION;
-
-
-typedef struct _PE
-{
-  uint8_t* data;
-  size_t data_size;
-
-  union {
-    PIMAGE_NT_HEADERS32 header;
-    PIMAGE_NT_HEADERS64 header64;
-  };
-
-  YR_OBJECT* object;
-  IMPORTED_DLL* imported_dlls;
-  uint32_t resources;
-
-} PE;
-
-
 // IMAGE_FIRST_SECTION doesn't need 32/64 versions since the file header is
 // the same either way.
 
@@ -535,5 +485,6 @@ typedef struct _RICH_SIGNATURE {
 #define RICH_DANS 0x536e6144 // "DanS"
 #define RICH_RICH 0x68636952 // "Rich"
 
+
 #pragma pack(pop)
 #endif

libyara/include/yara/pe_utils.h

@@ -5,9 +5,61 @@
 
 #define MAX_PE_SECTIONS              96
 
+
 #define IS_64BITS_PE(pe) \
     (pe->header64->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC)
 
+
+#define OptionalHeader(pe,field)                \
+  (IS_64BITS_PE(pe) ?                           \
+   pe->header64->OptionalHeader.field :         \
+   pe->header->OptionalHeader.field)
+
+
+//
+// Imports are stored in a linked list. Each node (IMPORTED_DLL) contains the
+// name of the DLL and a pointer to another linked list of IMPORTED_FUNCTION
+// structures containing the names of imported functions.
+//
+
+typedef struct _IMPORTED_DLL
+{
+  char *name;
+
+  struct _IMPORTED_FUNCTION *functions;
+  struct _IMPORTED_DLL *next;
+
+} IMPORTED_DLL, *PIMPORTED_DLL;
+
+
+typedef struct _IMPORTED_FUNCTION
+{
+  char *name;
+  uint8_t has_ordinal;
+  uint16_t ordinal;
+
+  struct _IMPORTED_FUNCTION *next;
+
+} IMPORTED_FUNCTION, *PIMPORTED_FUNCTION;
+
+
+typedef struct _PE
+{
+  uint8_t* data;
+  size_t data_size;
+
+  union {
+    PIMAGE_NT_HEADERS32 header;
+    PIMAGE_NT_HEADERS64 header64;
+  };
+
+  YR_OBJECT* object;
+  IMPORTED_DLL* imported_dlls;
+  uint32_t resources;
+
+} PE;
+
+
 #define fits_in_pe(pe, pointer, size) \
     ((size_t) size <= pe->data_size && \
      (uint8_t*) (pointer) >= pe->data && \
@@ -16,11 +68,31 @@
 #define struct_fits_in_pe(pe, pointer, struct_type) \
     fits_in_pe(pe, pointer, sizeof(struct_type))
 
-PIMAGE_NT_HEADERS32 pe_get_header(uint8_t* data, size_t data_size);
-PIMAGE_DATA_DIRECTORY pe_get_directory_entry(PE* pe, int entry);
-PIMAGE_DATA_DIRECTORY pe_get_directory_entry(PE* pe, int entry);
-int64_t pe_rva_to_offset(PE* pe, uint64_t rva);
-char *ord_lookup(char *dll, uint16_t ord);
+
+PIMAGE_NT_HEADERS32 pe_get_header(
+    uint8_t* data,
+    size_t data_size);
+
+
+PIMAGE_DATA_DIRECTORY pe_get_directory_entry(
+    PE* pe,
+    int entry);
+
+
+PIMAGE_DATA_DIRECTORY pe_get_directory_entry(
+    PE* pe,
+    int entry);
+
+
+int64_t pe_rva_to_offset(
+    PE* pe,
+    uint64_t rva);
+
+
+char *ord_lookup(
+    char *dll,
+    uint16_t ord);
+
 
 #if HAVE_LIBCRYPTO
 #include <openssl/asn1.h>