From 1c39bd16305ca00f4eeb27611b1b987d43b21c10 Mon Sep 17 00:00:00 2001
From: Max Altgelt
Date: Fri, 1 Dec 2023 15:24:24 +0100
Subject: [PATCH 1/3] feat: expose xor_key

---
 rule.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/rule.go b/rule.go
index 3b7100d..5cdb886 100644
--- a/rule.go
+++ b/rule.go
@@ -249,6 +249,11 @@ func (m *Match) Offset() int64 {
 	return int64(m.cptr.offset)
 }
 
+// XorKey returns the XOR value with which the string match occurred.
+func (m *Match) XorKey() uint8 {
+	return uint8(m.cptr.xor_key)
+}
+
 // Data returns the blob of data associated with the string match.
 func (m *Match) Data() []byte {
 	return C.GoBytes(unsafe.Pointer(m.cptr.data), C.int(m.cptr.data_length))

From e18a9307aacabd208d59a036d24b5107d72bfae6 Mon Sep 17 00:00:00 2001
From: Max Altgelt
Date: Fri, 8 Dec 2023 10:25:57 +0100
Subject: [PATCH 2/3] feat: Add XorKey to MatchString

---
 rule.go  | 1 +
 rules.go | 1 +
 2 files changed, 2 insertions(+)

diff --git a/rule.go b/rule.go
index 5cdb886..87bb7ed 100644
--- a/rule.go
+++ b/rule.go
@@ -267,6 +267,7 @@ func (r *Rule) getMatchStrings(sc *ScanContext) (matchstrings []MatchString) {
 				Base: uint64(m.Base()),
 				Offset: uint64(m.Offset()),
 				Data: m.Data(),
+				XorKey: m.XorKey(),
 			})
 		}
 	}
diff --git a/rules.go b/rules.go
index 77ba0e1..c8ced48 100644
--- a/rules.go
+++ b/rules.go
@@ -46,6 +46,7 @@ type MatchString struct {
 	Base uint64
 	Offset uint64
 	Data []byte
+	XorKey uint8
 }
 
 // ScanFlags are used to tweak the behavior of Scan* functions.

From 692242570c097c40aa8f617a0c51d83a1ee33e14 Mon Sep 17 00:00:00 2001
From: Max Altgelt
Date: Fri, 8 Dec 2023 10:26:13 +0100
Subject: [PATCH 3/3] test: check that XOR key is correct

---
 rules_test.go | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/rules_test.go b/rules_test.go
index 504d234..6c649ed 100644
--- a/rules_test.go
+++ b/rules_test.go
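Review bot: The doc comment on the new XorKey accessor leaves the returned value ambiguous for strings that carry no xor modifier: the uint8 is zero both when the string was matched as plain text and when the matching key really is 0x00, so a caller cannot distinguish the two from this accessor alone (libyara presumably leaves xor_key at 0 for plain matches — confirm against the C side). Extend the comment to say so, e.g. `// XorKey returns the XOR key with which the string match occurred. It is 0 for strings without an xor modifier, which is indistinguishable from an actual key of 0x00.` The same gap applies to the new MatchString.XorKey field in the rules.go hunk of the second patch, which currently has no comment at all. On naming, Go writes initialisms in consistent case (XORKey), though keeping the accessor and the struct field in step with each other matters more than either spelling.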
@@ -358,3 +358,23 @@ func TestTooManyMatches(t *testing.T) {
 		t.Errorf("too many matches does not contain regularly matching string: %v", cb.tooManyMatches)
 	}
 }
+
+func TestXorKey(t *testing.T) {
+	var m MatchRules
+	r := makeRules(t, `
+	rule t { strings: $s1 = "\x00\x01\x02\x03" xor condition: all of them }
+	`)
+
+	if err := r.ScanMem([]byte{0x10, 0x11, 0x12, 0x13}, 0, 0, &m); err != nil {
+		t.Error(err)
+	}
+	if len(m) != 1 {
+		t.Fatalf("expected 1 match, got %d", len(m))
+	}
+	if len(m[0].Strings) != 1 {
+		t.Fatalf("expected 1 string, got %d", len(m[0].Strings))
+	}
+	if m[0].Strings[0].XorKey != 0x10 {
+		t.Fatalf("expected xor key 0x10, got 0x%x", m[0].Strings[0].XorKey)
+	}
+}
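Review bot: `t.Error(err)` on the ScanMem failure path lets the test run on into the len(m) check, so a scan error is reported as "expected 1 match, got 0" with the actual cause buried above it; make it `t.Fatal(err)`. The test also only pins a non-zero key: a second case scanning the plaintext bytes {0x00, 0x01, 0x02, 0x03} and asserting `XorKey == 0` would document the zero-means-plain behaviour that readers of the accessor will otherwise have to guess at. The raw Go literal passes YARA's `\x00..\x03` escapes through unchanged, so the expected key 0x10 does follow from the input bytes as written.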