Merge pull request #182 from avast/iequals

Added iequals operator

Author: metthal

docs/rtd/creating_rulesets.rst

@@ -253,6 +253,7 @@ basic expressions and find the most suitable one.
         * ``call(args)`` - represents call to function (``id("func").call({int_val(100), int_val(200)})``)
         * ``contains(rhs)`` - represents operator ``contains`` (``id("signature").contains(string_val("hello"))``)
         * ``matches(rhs)`` - represents operator ``matches`` (``id("signature").matches(regexp("^a.*b$", "i"))``)
+        * ``iequals(rhs)`` - represents operator ``iequals`` (``id("signature").iequals(string_val("hello"))``)
         * ``access(rhs)`` - represents operator ``.`` as access to structure (``id("pe").access("numer_of_sections")``)
         * ``__getitem__`` - represents operator ``[]`` as access to array (``id("pe").access("sections")[int_val(0)]``)
         * ``read_int8(be)`` - represents call to special function ``int8(be)`` (``int_val(100).read_int8()``)
@@ -364,6 +365,7 @@ basic expressions and find the most suitable one.
         * ``call(args)`` - represents call to function (``id("func").call({intVal(100), intVal(200)})``)
         * ``contains(rhs)`` - represents operator ``contains`` (``id("signature").contains(stringVal("hello"))``)
         * ``matches(rhs)`` - represents operator ``matches`` (``id("signature").matches(regexp("^a.*b$", "i"))``)
+        * ``iequals(rhs)`` - represents operator ``iequals`` (``id("signature").iequals(stringVal("hello"))``)
         * ``access(rhs)`` - represents operator ``.`` as access to structure (``id("pe").access("numer_of_sections")``)
         * ``operator[]`` - represents operator ``[]`` as access to array (``id("pe").access("sections")[intVal(0)]``)
         * ``readInt8(be)`` - represents call to special function ``int8(be)`` (``intVal(100).readInt8()``)

docs/rtd/parsing_rulesets.rst

@@ -336,6 +336,7 @@ All of these provide methods ``getLeftOperand()`` and ``getRightOperand()`` (``l
   * ``NeqExpression`` - refers to ``!=`` operator (``!str1 != !str2``)
   * ``ContainsExpression`` - refers to ``contains`` operator (``pe.sections[0].name contains "text"``)
   * ``MatchesExpression`` - refers to ``matches`` operator (``pe.sections[0].name matches /(text|data)/``)
+  * ``IequalsExpression`` - refers to ``iequals`` operator (``pe.sections[0].name iequals "text"``)
   * ``PlusExpression`` - refers to ``+`` operator (``@str1 + 0x100``)
   * ``MinusExpression`` - refers to ``-`` operator (``@str1 - 0x100``)
   * ``MultiplyExpression`` - refers to ``*`` operator (``@str1 * 0x100``)

include/yaramod/builder/yara_expression_builder.h

@@ -185,6 +185,7 @@ class YaraExpressionBuilder
 
 	YaraExpressionBuilder& contains(const YaraExpressionBuilder& other);
 	YaraExpressionBuilder& matches(const YaraExpressionBuilder& other);
+	YaraExpressionBuilder& iequals(const YaraExpressionBuilder& other);
 	YaraExpressionBuilder& defined();
 
 	YaraExpressionBuilder& access(const std::string& attr);

include/yaramod/types/expressions.h

@@ -733,7 +733,7 @@ class ContainsExpression : public BinaryOpExpression
  *
  * For example:
  * @code
- * pe.sections[0] matches /(text|data)/
+ * pe.sections[0].name matches /(text|data)/
  * @endcode
  */
 class MatchesExpression : public BinaryOpExpression
@@ -748,6 +748,26 @@ class MatchesExpression : public BinaryOpExpression
 	}
 };
 
+/**
+ * Class representing iequals operation for case-insensitive string compare.
+ *
+ * For example:
+ * @code
+ * pe.sections[0].name iequals ".TEXT"
+ * @endcode
+ */
+class IequalsExpression : public BinaryOpExpression
+{
+public:
+	template <typename ExpPtr1, typename ExpPtr2>
+	IequalsExpression(ExpPtr1&& left, TokenIt op, ExpPtr2&& right) : BinaryOpExpression(std::forward<ExpPtr1>(left), op, std::forward<ExpPtr2>(right)) {}
+
+	virtual VisitResult accept(Visitor* v) override
+	{
+		return v->visit(this);
+	}
+};
+
 /**
  * Class representing arithmetic plus operation.
  *

include/yaramod/types/token_type.h

@@ -94,6 +94,7 @@ enum class TokenType
 	FILESIZE,
 	CONTAINS,
 	MATCHES,
+	IEQUALS,
 	SLASH,
 	STRING_LITERAL,
 	INTEGER,

include/yaramod/utils/modifying_visitor.h

@@ -215,6 +215,11 @@ class ModifyingVisitor : public Visitor
 		return _handleBinaryOperation(expr);
 	}
 
+	virtual VisitResult visit(IequalsExpression* expr) override
+	{
+		return _handleBinaryOperation(expr);
+	}
+
 	virtual VisitResult visit(PlusExpression* expr) override
 	{
 		return _handleBinaryOperation(expr);

include/yaramod/utils/observing_visitor.h

@@ -160,6 +160,13 @@ class ObservingVisitor : public Visitor
 		return {};
 	}
 
+	virtual VisitResult visit(IequalsExpression* expr) override
+	{
+		expr->getLeftOperand()->accept(this);
+		expr->getRightOperand()->accept(this);
+		return {};
+	}
+
 	virtual VisitResult visit(PlusExpression* expr) override
 	{
 		expr->getLeftOperand()->accept(this);

include/yaramod/utils/visitor.h

@@ -33,6 +33,7 @@ class EqExpression;
 class NeqExpression;
 class ContainsExpression;
 class MatchesExpression;
+class IequalsExpression;
 class PlusExpression;
 class MinusExpression;
 class MultiplyExpression;
@@ -98,6 +99,7 @@ class Visitor
 	virtual VisitResult visit(NeqExpression* expr) = 0;
 	virtual VisitResult visit(ContainsExpression* expr) = 0;
 	virtual VisitResult visit(MatchesExpression* expr) = 0;
+	virtual VisitResult visit(IequalsExpression* expr) = 0;
 	virtual VisitResult visit(PlusExpression* expr) = 0;
 	virtual VisitResult visit(MinusExpression* expr) = 0;
 	virtual VisitResult visit(MultiplyExpression* expr) = 0;

src/builder/yara_expression_builder.cpp

@@ -529,6 +529,23 @@ YaraExpressionBuilder& YaraExpressionBuilder::matches(const YaraExpressionBuilde
 	return *this;
 }
 
+/**
+ * Applies operation iequals on two expression.
+ *
+ * @param other The other expression.
+ *
+ * @return Builder.
+ */
+YaraExpressionBuilder& YaraExpressionBuilder::iequals(const YaraExpressionBuilder& other)
+{
+	TokenIt token = _tokenStream->emplace_back(TokenType::IEQUALS, "iequals");
+	_tokenStream->moveAppend(other.getTokenStream());
+
+	_expr = std::make_shared<IequalsExpression>(std::move(_expr), token, other.get());
+	setType(Expression::Type::Bool);
+	return *this;
+}
+
 /**
  * Applies operation defined on two expression.
  *

src/parser/parser_driver.cpp

@@ -156,6 +156,7 @@ void ParserDriver::defineTokens()
 	_parser.token("filesize").symbol("FILESIZE").description("filesize").action([&](std::string_view str) -> Value { return emplace_back(TokenType::FILESIZE, std::string{str}); });
 	_parser.token("contains").symbol("CONTAINS").description("contains").action([&](std::string_view str) -> Value { return emplace_back(TokenType::CONTAINS, std::string{str}); });
 	_parser.token("matches").symbol("MATCHES").description("matches").action([&](std::string_view str) -> Value { return emplace_back(TokenType::MATCHES, std::string{str}); });
+	_parser.token("iequals").symbol("IEQUALS").description("iequals").action([&](std::string_view str) -> Value { return emplace_back(TokenType::IEQUALS, std::string{str}); });
 
 	// $include
 	_parser.token("include").symbol("INCLUDE_DIRECTIVE").description("include").enter_state("$include").action([&](std::string_view str) -> Value {
@@ -1339,6 +1340,19 @@ void ParserDriver::defineGrammar()
 			output->setTokenStream(currentTokenStream());
 			return output;
 		})
+		.production("primary_expression", "IEQUALS", "primary_expression", [&](auto&& args) -> Value {
+			auto left = std::move(args[0].getExpression());
+			TokenIt op_token = args[1].getTokenIt();
+			auto right = std::move(args[2].getExpression());
+			if (!left->isString())
+				error_handle(op_token->getLocation(), "operator 'iequals' expects string on the left-hand side of the expression");
+			if (!right->isString())
+				error_handle(op_token->getLocation(), "operator 'iequals' expects string on the right-hand side of the expression");
+			auto output = std::make_shared<IequalsExpression>(std::move(left), op_token, std::move(right));
+			output->setType(Expression::Type::Bool);
+			output->setTokenStream(currentTokenStream());
+			return output;
+		})
 		.production("primary_expression", [](auto&& args) -> Value {
 			return std::move(args[0]);
 		}).precedence(0, pog::Associativity::Left)

src/python/py_visitor.cpp

@@ -40,6 +40,7 @@ void addVisitorClasses(py::module& module)
 		.def("visit_NeqExpression", py::overload_cast<NeqExpression*>(&Visitor::visit))
 		.def("visit_ContainsExpression", py::overload_cast<ContainsExpression*>(&Visitor::visit))
 		.def("visit_MatchesExpression", py::overload_cast<MatchesExpression*>(&Visitor::visit))
+		.def("visit_IequalsExpression", py::overload_cast<IequalsExpression*>(&Visitor::visit))
 		.def("visit_PlusExpression", py::overload_cast<PlusExpression*>(&Visitor::visit))
 		.def("visit_MinusExpression", py::overload_cast<MinusExpression*>(&Visitor::visit))
 		.def("visit_MultiplyExpression", py::overload_cast<MultiplyExpression*>(&Visitor::visit))
@@ -98,6 +99,7 @@ void addVisitorClasses(py::module& module)
 		.def("visit_NeqExpression", py::overload_cast<NeqExpression*>(&ObservingVisitor::visit))
 		.def("visit_ContainsExpression", py::overload_cast<ContainsExpression*>(&ObservingVisitor::visit))
 		.def("visit_MatchesExpression", py::overload_cast<MatchesExpression*>(&ObservingVisitor::visit))
+		.def("visit_IequalsExpression", py::overload_cast<IequalsExpression*>(&ObservingVisitor::visit))
 		.def("visit_PlusExpression", py::overload_cast<PlusExpression*>(&ObservingVisitor::visit))
 		.def("visit_MinusExpression", py::overload_cast<MinusExpression*>(&ObservingVisitor::visit))
 		.def("visit_MultiplyExpression", py::overload_cast<MultiplyExpression*>(&ObservingVisitor::visit))
@@ -157,6 +159,7 @@ void addVisitorClasses(py::module& module)
 		.def("visit_NeqExpression", py::overload_cast<NeqExpression*>(&ModifyingVisitor::visit))
 		.def("visit_ContainsExpression", py::overload_cast<ContainsExpression*>(&ModifyingVisitor::visit))
 		.def("visit_MatchesExpression", py::overload_cast<MatchesExpression*>(&ModifyingVisitor::visit))
+		.def("visit_IequalsExpression", py::overload_cast<IequalsExpression*>(&ModifyingVisitor::visit))
 		.def("visit_PlusExpression", py::overload_cast<PlusExpression*>(&ModifyingVisitor::visit))
 		.def("visit_MinusExpression", py::overload_cast<MinusExpression*>(&ModifyingVisitor::visit))
 		.def("visit_MultiplyExpression", py::overload_cast<MultiplyExpression*>(&ModifyingVisitor::visit))
@@ -208,6 +211,7 @@ void addVisitorClasses(py::module& module)
 		.def("default_handler", static_cast<VisitResult(ModifyingVisitor::*)(const TokenStreamContext&, NeqExpression*, const VisitResult&, const VisitResult&)>(&ModifyingVisitor::defaultHandler))
 		.def("default_handler", static_cast<VisitResult(ModifyingVisitor::*)(const TokenStreamContext&, ContainsExpression*, const VisitResult&, const VisitResult&)>(&ModifyingVisitor::defaultHandler))
 		.def("default_handler", static_cast<VisitResult(ModifyingVisitor::*)(const TokenStreamContext&, MatchesExpression*, const VisitResult&, const VisitResult&)>(&ModifyingVisitor::defaultHandler))
+		.def("default_handler", static_cast<VisitResult(ModifyingVisitor::*)(const TokenStreamContext&, IequalsExpression*, const VisitResult&, const VisitResult&)>(&ModifyingVisitor::defaultHandler))
 		.def("default_handler", static_cast<VisitResult(ModifyingVisitor::*)(const TokenStreamContext&, PlusExpression*, const VisitResult&, const VisitResult&)>(&ModifyingVisitor::defaultHandler))
 		.def("default_handler", static_cast<VisitResult(ModifyingVisitor::*)(const TokenStreamContext&, MinusExpression*, const VisitResult&, const VisitResult&)>(&ModifyingVisitor::defaultHandler))
 		.def("default_handler", static_cast<VisitResult(ModifyingVisitor::*)(const TokenStreamContext&, MultiplyExpression*, const VisitResult&, const VisitResult&)>(&ModifyingVisitor::defaultHandler))

src/python/py_visitor.h

@@ -49,6 +49,7 @@ class PyVisitor : public yaramod::Visitor
 	PURE_VISIT(NeqExpression)
 	PURE_VISIT(ContainsExpression)
 	PURE_VISIT(MatchesExpression)
+	PURE_VISIT(IequalsExpression)
 	PURE_VISIT(PlusExpression)
 	PURE_VISIT(MinusExpression)
 	PURE_VISIT(MultiplyExpression)
@@ -121,6 +122,7 @@ class PyObservingVisitor : public yaramod::ObservingVisitor
 	VISIT(ObservingVisitor, NeqExpression)
 	VISIT(ObservingVisitor, ContainsExpression)
 	VISIT(ObservingVisitor, MatchesExpression)
+	VISIT(ObservingVisitor, IequalsExpression)
 	VISIT(ObservingVisitor, PlusExpression)
 	VISIT(ObservingVisitor, MinusExpression)
 	VISIT(ObservingVisitor, MultiplyExpression)
@@ -182,6 +184,7 @@ class PyModifyingVisitor : public yaramod::ModifyingVisitor
 	VISIT(ModifyingVisitor, NeqExpression)
 	VISIT(ModifyingVisitor, ContainsExpression)
 	VISIT(ModifyingVisitor, MatchesExpression)
+	VISIT(ModifyingVisitor, IequalsExpression)
 	VISIT(ModifyingVisitor, PlusExpression)
 	VISIT(ModifyingVisitor, MinusExpression)
 	VISIT(ModifyingVisitor, MultiplyExpression)

src/python/yaramod_python.cpp

@@ -198,6 +198,7 @@ void addEnums(py::module& module)
 		.value("Filesize", TokenType::FILESIZE)
 		.value("Contains", TokenType::CONTAINS)
 		.value("Matches", TokenType::MATCHES)
+		.value("Iequals", TokenType::IEQUALS)
 		.value("Slash", TokenType::SLASH)
 		.value("StringLiteral", TokenType::STRING_LITERAL)
 		.value("Integer", TokenType::INTEGER)
@@ -608,6 +609,7 @@ void addExpressionClasses(py::module& module)
 	binaryOpClass<NeqExpression>(module, "NeqExpression");
 	binaryOpClass<ContainsExpression>(module, "ContainsExpression");
 	binaryOpClass<MatchesExpression>(module, "MatchesExpression");
+	binaryOpClass<IequalsExpression>(module, "IequalsExpression");
 	binaryOpClass<PlusExpression>(module, "PlusExpression");
 	binaryOpClass<MinusExpression>(module, "MinusExpression");
 	binaryOpClass<MultiplyExpression>(module, "MultiplyExpression");
@@ -822,6 +824,7 @@ void addBuilderClasses(py::module& module)
 		.def("comment", &YaraExpressionBuilder::comment, py::arg("message"), py::arg("multiline") = false, py::arg("indent") = "")
 		.def("contains", &YaraExpressionBuilder::contains)
 		.def("matches", &YaraExpressionBuilder::matches)
+		.def("iequals", &YaraExpressionBuilder::iequals)
 		.def("defined", &YaraExpressionBuilder::defined)
 		.def("read_int8", &YaraExpressionBuilder::readInt8)
 		.def("read_int16", &YaraExpressionBuilder::readInt16)

tests/cpp/builder_tests.cpp

@@ -1900,7 +1900,7 @@ ConjunctionWithSingleTerm) {
 
 TEST_F(BuilderTests,
 DefinedTerm) {
-auto cond = boolVal(false).defined().get();
+	auto cond = boolVal(false).defined().get();
 
 	YaraRuleBuilder newRule;
 	auto rule = newRule
@@ -1957,5 +1957,39 @@ FloatValueWorks) {
 )", yaraFile->getTextFormatted());
 }
 
+TEST_F(BuilderTests,
+IequalsWorks) {
+	auto cond = id("pe").access("pdb_path").iequals(stringVal("C:\\PATH")).get();
+
+	YaraRuleBuilder newRule;
+	auto rule = newRule
+			.withName("iequals_builder")
+			.withCondition(cond)
+			.get();
+
+	YaraFileBuilder newFile;
+	auto yaraFile = newFile
+			.withModule("pe")
+			.withRule(std::move(rule))
+			.get(true);
+
+	ASSERT_NE(nullptr, yaraFile);
+	EXPECT_EQ(R"(import "pe"
+
+rule iequals_builder {
+	condition:
+		pe.pdb_path iequals "C:\\PATH"
+})", yaraFile->getText());
+
+	EXPECT_EQ(R"(import "pe"
+
+rule iequals_builder
+{
+	condition:
+		pe.pdb_path iequals "C:\\PATH"
+}
+)", yaraFile->getTextFormatted());
+}
+
 }
 }

tests/cpp/parser_tests.cpp

@@ -7151,7 +7151,7 @@ rule empty_rule
 }
 
 TEST_F(ParserTests,
-DefinedExpresion) {
+DefinedExpression) {
 	prepareInput(
 R"(
 rule defined_expr
@@ -7166,11 +7166,34 @@ rule defined_expr
 	const auto& rule = driver.getParsedFile().getRules()[0];
 
 	EXPECT_EQ("defined 1", rule->getCondition()->getText());
-	EXPECT_EQ("\"defined\"", rule->getCondition()->getFirstTokenIt()->getText());
+	EXPECT_EQ("defined", rule->getCondition()->getFirstTokenIt()->getPureText());
 	EXPECT_EQ("1", rule->getCondition()->getLastTokenIt()->getPureText());
 
 	EXPECT_EQ(input_text, driver.getParsedFile().getTextFormatted());
 }
 
+TEST_F(ParserTests,
+IequalsExpression) {
+	prepareInput(
+R"(import "pe"
+
+rule iequals_expr
+{
+	condition:
+		pe.sections[0].name iequals ".TEXT"
+}
+)");
+
+	EXPECT_TRUE(driver.parse(input));
+	ASSERT_EQ(1u, driver.getParsedFile().getRules().size());
+	const auto& rule = driver.getParsedFile().getRules()[0];
+
+	EXPECT_EQ("pe.sections[0].name iequals \".TEXT\"", rule->getCondition()->getText());
+	EXPECT_EQ("pe", rule->getCondition()->getFirstTokenIt()->getPureText());
+	EXPECT_EQ("\".TEXT\"", rule->getCondition()->getLastTokenIt()->getText());
+
+	EXPECT_EQ(input_text, driver.getParsedFile().getTextFormatted());
+}
+
 }
 }