XOR Values. (#1745)

* XOR Values.

When the xor modifier is used we have not displayed (or even kept) the xor key.
This diff adds a -X option to the CLI that will display the xor key. To do this
I am recording the xor key in _yr_scan_xor_compare() and _yr_scan_xor_wcompare()
and then populating that in the YR_MATCH structure. This way it is available to
the consumers of libyara to handle how they see fit.

I'll be adding support for exposing this in yara-python if this PR is accepted.

* xor key fixes.

Per suggestion from Victor, always display the xor key when -X is specified,
even if the string is not an xor string. This makes it more consistent to parse
with common tools because the number of fields will always be the same.

Also, specify that it is an xor key using "xor(0x01)" format.

Author: wxsBSD

cli/yara.c

@@ -147,6 +147,7 @@ static bool show_tags = false;
 static bool show_stats = false;
 static bool show_strings = false;
 static bool show_string_length = false;
+static bool show_xor_key = false;
 static bool show_meta = false;
 static bool show_namespace = false;
 static bool show_version = false;
@@ -296,6 +297,12 @@ args_option_t options[] = {
         &show_string_length,
         _T("print length of matched strings")),
 
+    OPT_BOOLEAN(
+        'X',
+        _T("print-xor-key"),
+        &show_xor_key,
+        _T("print xor key of matched strings")),
+
     OPT_BOOLEAN('g', _T("print-tags"), &show_tags, _T("print tags")),
 
     OPT_BOOLEAN(
@@ -1081,7 +1088,7 @@ static int handle_message(
 
     // Show matched strings.
 
-    if (show_strings || show_string_length)
+    if (show_strings || show_string_length || show_xor_key)
     {
       YR_STRING* string;
 
@@ -1103,6 +1110,9 @@ static int handle_message(
                 match->base + match->offset,
                 string->identifier);
 
+          if (show_xor_key)
+            _tprintf(_T(":xor(0x%02x)"), match->xor_key);
+
           if (show_strings)
           {
             _tprintf(_T(": "));

libyara/include/yara/types.h

@@ -496,6 +496,9 @@ struct YR_MATCH
 
   // True if this is match for a private string.
   bool is_private;
+
+  // Set to the xor key if this is an xor string.
+  uint8_t xor_key;
 };
 
 struct YR_AC_STATE

libyara/scan.c

@@ -55,14 +55,16 @@ typedef struct _CALLBACK_ARGS
 
   int forward_matches;
   int full_word;
+  int xor_key;
 
 } CALLBACK_ARGS;
 
 static int _yr_scan_xor_compare(
     const uint8_t* data,
     size_t data_size,
     uint8_t* string,
-    size_t string_length)
+    size_t string_length,
+    uint8_t* xor_key)
 {
   int result = 0;
   const uint8_t* s1 = data;
@@ -94,15 +96,20 @@ _exit:;
       string_length,
       result);
 
+  if (result > 0)
+    *xor_key = k;
+
   return result;
 }
 
 static int _yr_scan_xor_wcompare(
     const uint8_t* data,
     size_t data_size,
     uint8_t* string,
-    size_t string_length)
+    size_t string_length,
+    uint8_t* xor_key)
 {
+  int result = 0;
   const uint8_t* s1 = data;
   const uint8_t* s2 = string;
   uint8_t k = 0;
@@ -124,7 +131,12 @@ static int _yr_scan_xor_wcompare(
     i++;
   }
 
-  return (int) ((i == string_length) ? i * 2 : 0);
+  result = (int) ((i == string_length) ? i * 2 : 0);
+
+  if (result > 0)
+    *xor_key = k;
+
+  return result;
 }
 
 static int _yr_scan_compare(
@@ -397,7 +409,8 @@ static int _yr_scan_verify_chained_string_match(
     const uint8_t* match_data,
     uint64_t match_base,
     uint64_t match_offset,
-    int32_t match_length)
+    int32_t match_length,
+    uint8_t xor_key)
 {
   YR_DEBUG_FPRINTF(
       2,
@@ -584,6 +597,7 @@ static int _yr_scan_verify_chained_string_match(
       new_match->prev = NULL;
       new_match->next = NULL;
       new_match->is_private = STRING_IS_PRIVATE(matching_string);
+      new_match->xor_key = xor_key;
 
       // A copy of the matching data is written to the matches_arena, the
       // amount of data copies is limited by YR_CONFIG_MAX_MATCH_DATA.
@@ -687,7 +701,8 @@ static int _yr_scan_match_callback(
         match_data,
         callback_args->data_base,
         match_offset,
-        match_length);
+        match_length,
+        callback_args->xor_key);
   }
   else
   {
@@ -733,6 +748,7 @@ static int _yr_scan_match_callback(
       new_match->prev = NULL;
       new_match->next = NULL;
       new_match->is_private = STRING_IS_PRIVATE(string);
+      new_match->xor_key = callback_args->xor_key;
 
       FAIL_ON_ERROR(_yr_scan_add_match_to_list(
           new_match,
@@ -843,6 +859,8 @@ static int _yr_scan_verify_re_match(
   callback_args.data_base = data_base;
   callback_args.forward_matches = forward_matches;
   callback_args.full_word = STRING_IS_FULL_WORD(ac_match->string);
+  // xor modifier is not valid for RE but set it so we don't leak stack values.
+  callback_args.xor_key = 0;
 
   if (ac_match->backward_code != NULL)
   {
@@ -886,6 +904,7 @@ static int _yr_scan_verify_literal_match(
 
   int flags = 0;
   int forward_matches = 0;
+  uint8_t xor_key = 0;
 
   CALLBACK_ARGS callback_args;
   YR_STRING* string = ac_match->string;
@@ -927,13 +946,21 @@ static int _yr_scan_verify_literal_match(
       if (STRING_IS_WIDE(string))
       {
         forward_matches = _yr_scan_xor_wcompare(
-            data + offset, data_size - offset, string->string, string->length);
+            data + offset,
+            data_size - offset,
+            string->string,
+            string->length,
+            &xor_key);
       }
 
       if (forward_matches == 0)
       {
         forward_matches = _yr_scan_xor_compare(
-            data + offset, data_size - offset, string->string, string->length);
+            data + offset,
+            data_size - offset,
+            string->string,
+            string->length,
+            &xor_key);
       }
     }
   }
@@ -954,6 +981,7 @@ static int _yr_scan_verify_literal_match(
   callback_args.data_base = data_base;
   callback_args.forward_matches = forward_matches;
   callback_args.full_word = STRING_IS_FULL_WORD(string);
+  callback_args.xor_key = xor_key;
 
   FAIL_ON_ERROR(
       _yr_scan_match_callback(data + offset, 0, flags, &callback_args));