feat: implement time module (#17)

VirusTotal · Aug 18, 2023 · 8d0a143 · 8d0a143
1 parent c2e9703
commit 8d0a143
Show file tree

Hide file tree

Showing 4 changed files with 55 additions and 1 deletion.
diff --git a/yara-x/Cargo.toml b/yara-x/Cargo.toml
@@ -27,6 +27,9 @@ test_proto3-module = []
 text-module = [
     "dep:lingua"
 ]
+# The Time module allows you to retrieve epoch in seconds that can
+# be used in conditions of a rule to check againts other epoch time.
+time-module = []
 
 # Features that are enabled by default.
 default = [
@@ -69,7 +72,6 @@ yara-x-proto = { workspace = true }
 
 lingua = { version = "1.4.0", optional = true, default-features = false, features = ["english", "german", "french", "spanish"] }
 
-
 [build-dependencies]
 protobuf = { workspace = true }
 protobuf-codegen = { workspace = true }

diff --git a/yara-x/src/modules/modules.rs b/yara-x/src/modules/modules.rs
@@ -3,5 +3,7 @@
 pub mod text;
 #[cfg(feature = "test_proto2-module")]
 pub mod test_proto2;
+#[cfg(feature = "time-module")]
+pub mod time;
 #[cfg(feature = "test_proto3-module")]
 pub mod test_proto3;
diff --git a/yara-x/src/modules/protos/time.proto b/yara-x/src/modules/protos/time.proto
@@ -0,0 +1,13 @@
+syntax = "proto2";
+
+import "yara.proto";
+
+option (yara.module_options) = {
+  name : "time"
+  root_message: "Time"
+  rust_module: "time"
+};
+
+message Time {
+  // This module contains only exported functions, and doesn't return any data
+}
diff --git a/yara-x/src/modules/time.rs b/yara-x/src/modules/time.rs
@@ -0,0 +1,37 @@
+use crate::modules::prelude::*;
+use crate::modules::protos::time::*;
+use std::time::{SystemTime, UNIX_EPOCH};
+
+#[module_main]
+fn main(_ctx: &ScanContext) -> Time {
+    // Nothing to do, but we have to return our protobuf
+    Time::new()
+}
+
+#[module_export]
+fn now(ctx: &ScanContext) -> Option<i64> {
+    Some(SystemTime::now().duration_since(UNIX_EPOCH).ok()?.as_secs() as i64)
+}
+
+#[cfg(test)]
+mod tests {
+    #[test]
+    fn end2end() {
+        let rules = crate::compiler::Compiler::new()
+            .add_source(
+                r#"import "time"
+                rule rule_1 { condition: time.now() >= 0 }
+                rule rule_2 { condition: time.now() <= 0 }
+                rule rule_3 { condition: time.now() != 0 }
+                rule rule_4 { condition: time.now() == 0 }
+                "#,
+            )
+            .unwrap()
+            .build()
+            .unwrap();
+
+        let mut scanner = crate::scanner::Scanner::new(&rules);
+
+        assert_eq!(scanner.scan(&[]).num_matching_rules(), 2);
+    }
+}