Implement yr_scanner_last_error_string and yr_scanner_last_error_rule functions for getting information about the rule and string that caused a scanning error.

For implementing this feature it was necessary to add a new field to YR_STRING pointing to the YR_RULE that owns the string.

Author: plusvic

libyara/include/yara/scanner.h

@@ -106,4 +106,17 @@ YR_API int yr_scanner_scan_fd(
     YR_SCANNER* scanner,
     YR_FILE_DESCRIPTOR fd);
 
+
+YR_API int yr_scanner_scan_proc(
+    YR_SCANNER* scanner,
+    int pid);
+
+
+YR_API YR_RULE* yr_scanner_last_error_rule(
+    YR_SCANNER* scanner);
+
+
+YR_API YR_STRING* yr_scanner_last_error_string(
+    YR_SCANNER* scanner);
+
 #endif

libyara/include/yara/types.h

@@ -202,6 +202,7 @@ typedef struct _YR_META
 } YR_META;
 
 
+struct _YR_RULE;
 struct _YR_MATCH;
 
 
@@ -223,6 +224,7 @@ typedef struct _YR_STRING
   DECLARE_REFERENCE(char*, identifier);
   DECLARE_REFERENCE(uint8_t*, string);
   DECLARE_REFERENCE(struct _YR_STRING*, chained_to);
+  DECLARE_REFERENCE(struct _YR_RULE*, rule);
 
   int32_t chain_gap_min;
   int32_t chain_gap_max;
@@ -481,8 +483,8 @@ typedef struct _YR_AC_AUTOMATON
 } YR_AC_AUTOMATON;
 
 
-typedef struct _YR_RULES {
-
+typedef struct _YR_RULES
+{
   unsigned char tidx_mask[YR_BITARRAY_NCHARS(MAX_THREADS)];
   const uint8_t* code_start;
 
@@ -538,30 +540,60 @@ typedef int (*YR_CALLBACK_FUNC)(
 
 typedef struct _YR_SCAN_CONTEXT
 {
+  // File size of the file being scanned.
   uint64_t file_size;
+
+  // Entry point of the file being scanned, if the file is PE or ELF.
   uint64_t entry_point;
 
+  // Scanning flags.
   int flags;
+
+  // Thread index for the thread using this scan context. The number of threads
+  // that can use a YR_RULES object simultaneusly is limited by the MAX_THREADS
+  // constant. Each thread using a YR_RULES get assigned a unique thread index
+  // in the range [0, MAX_THREADS)
   int tidx;
+
+  // Scan timeout in seconds.
   int timeout;
 
+  // Pointer to user-provided data passed to the callback function.
   void* user_data;
 
+  // Pointer to the user-provided callback function that is called when an
+  // event occurs during the scan (a rule matching, a module being loaded, etc)
+  YR_CALLBACK_FUNC callback;
+
+  // Pointer to the YR_RULES object associated to this scan context.
   YR_RULES* rules;
+
+  // Pointer to the YR_STRING causing the most recent scan error.
+  YR_STRING* last_error_string;
+
+  // Pointer to the iterator used for scanning
   YR_MEMORY_BLOCK_ITERATOR* iterator;
+
+  // Pointer to a table mapping identifiers to YR_OBJECT structures. This table
+  // contains entries for external variables and modules.
   YR_HASH_TABLE* objects_table;
-  YR_CALLBACK_FUNC callback;
 
+  // Arena used for storing YR_MATCH structures asociated to the matches found.
   YR_ARENA* matches_arena;
+
+  // Arena used for storing pointers to the YR_STRING struct for each matching
+  // string. The pointers are used by _yr_scanner_clean_matches.
   YR_ARENA* matching_strings_arena;
 
+  // Fiber pool used by yr_re_exec.
   RE_FIBER_POOL re_fiber_pool;
 
 } YR_SCAN_CONTEXT;
 
 
 struct _YR_OBJECT;
 
+
 typedef union _YR_VALUE
 {
   int64_t i;

libyara/parser.c

@@ -316,6 +316,7 @@ static int _yr_parser_write_string(
       offsetof(YR_STRING, identifier),
       offsetof(YR_STRING, string),
       offsetof(YR_STRING, chained_to),
+      offsetof(YR_STRING, rule),
       EOL);
 
   if (result != ERROR_SUCCESS)
@@ -358,6 +359,7 @@ static int _yr_parser_write_string(
   (*string)->g_flags = flags;
   (*string)->chained_to = NULL;
   (*string)->fixed_offset = UNDEFINED;
+  (*string)->rule = compiler->current_rule;
 
   #ifdef PROFILING_ENABLED
   (*string)->clock_ticks = 0;

libyara/scan.c

@@ -756,6 +756,8 @@ int yr_scan_verify_match(
 {
   YR_STRING* string = ac_match->string;
 
+  int result;
+
   if (data_size - offset <= 0)
     return ERROR_SUCCESS;
 
@@ -778,18 +780,21 @@ int yr_scan_verify_match(
 
   if (STRING_IS_LITERAL(string))
   {
-    FAIL_ON_ERROR(_yr_scan_verify_literal_match(
-        context, ac_match, data, data_size, data_base, offset));
+    result = _yr_scan_verify_literal_match(
+        context, ac_match, data, data_size, data_base, offset);
   }
   else
   {
-    FAIL_ON_ERROR(_yr_scan_verify_re_match(
-        context, ac_match, data, data_size, data_base, offset));
+    result = _yr_scan_verify_re_match(
+        context, ac_match, data, data_size, data_base, offset);
   }
 
+  if (result != ERROR_SUCCESS)
+    context->last_error_string = string;
+ 
   #ifdef PROFILING_ENABLED
   string->clock_ticks += yr_stopwatch_elapsed_ns(&stopwatch, FALSE);
   #endif
 
-  return ERROR_SUCCESS;
+  return result;
 }

libyara/scanner.c

@@ -600,3 +600,20 @@ YR_API int yr_scanner_scan_proc(
 
   return result;
 }
+
+
+YR_API YR_STRING* yr_scanner_last_error_string(
+    YR_SCANNER* scanner)
+{
+  return scanner->last_error_string;
+}
+
+
+YR_API YR_RULE* yr_scanner_last_error_rule(
+    YR_SCANNER* scanner)
+{
+  if (scanner->last_error_string == NULL)
+    return NULL;
+
+  return scanner->last_error_string->rule;
+}

tests/test-alignment.c

@@ -79,14 +79,15 @@ int main (int argc, char **argv)
   CHECK_OFFSET(YR_MATCHES, 8,  head);
   CHECK_OFFSET(YR_MATCHES, 16, tail);
 
-  CHECK_SIZE(YR_STRING, 56 + 2 * 24 /* YR_MATCHES */ * MAX_THREADS);
+  CHECK_SIZE(YR_STRING, 64 + 2 * 24 /* YR_MATCHES */ * MAX_THREADS);
   CHECK_OFFSET(YR_STRING, 4,  length);
   CHECK_OFFSET(YR_STRING, 8,  identifier);
   CHECK_OFFSET(YR_STRING, 16, string);
   CHECK_OFFSET(YR_STRING, 24, chained_to);
-  CHECK_OFFSET(YR_STRING, 32, chain_gap_min);
-  CHECK_OFFSET(YR_STRING, 36, chain_gap_max);
-  CHECK_OFFSET(YR_STRING, 40, fixed_offset);
+  CHECK_OFFSET(YR_STRING, 32, rule);
+  CHECK_OFFSET(YR_STRING, 40, chain_gap_min);
+  CHECK_OFFSET(YR_STRING, 44, chain_gap_max);
+  CHECK_OFFSET(YR_STRING, 48, fixed_offset);
 
   CHECK_SIZE(YR_RULE, 16 + 4 * MAX_THREADS + 40);
   CHECK_OFFSET(YR_RULE, 4,                        t_flags);