avast · metthal · Jan 16, 2020 · Jan 8, 2020 · Jan 8, 2020 · Jan 8, 2020
diff --git a/include/yaramod/builder/yara_file_builder.h b/include/yaramod/builder/yara_file_builder.h
@@ -36,8 +36,12 @@ class YaraFileBuilder
 public:
 	/// @name Constructors
 	/// @{
-	YaraFileBuilder()
+	YaraFileBuilder() : YaraFileBuilder(true, true) {}
+
+	YaraFileBuilder(bool avastSpecific, bool vtSpecific)
 		: _tokenStream(std::make_shared<TokenStream>())
+		, _avastSpecific(avastSpecific)
+		, _vtSpecific(vtSpecific)
 	{
 	}
 	/// @}
@@ -60,6 +64,8 @@ class YaraFileBuilder
 	std::shared_ptr<TokenStream> _tokenStream; ///< Tokens storage
 	std::vector<TokenIt> _modules; ///< Modules
 	std::vector<std::shared_ptr<Rule>> _rules; ///< Rules
+	bool _avastSpecific;
+	bool _vtSpecific;
 };
 
 }
diff --git a/include/yaramod/parser/parser_driver.h b/include/yaramod/parser/parser_driver.h
@@ -253,9 +253,9 @@ class ParserDriver
 	/// @name Constructors
 	/// @{
 	ParserDriver() = delete;
-  	ParserDriver(ParserMode parserMode);
-	explicit ParserDriver(const std::string& filePath, ParserMode parserMode = ParserMode::Regular);
-	explicit ParserDriver(std::istream& input, ParserMode parserMode = ParserMode::Regular);
+  	ParserDriver(ParserMode parserMode, bool avastSpecific = true, bool vtSpecific = true);
+	explicit ParserDriver(const std::string& filePath, ParserMode parserMode = ParserMode::Regular, bool avastSpecific = true, bool vtSpecific = true);
+	explicit ParserDriver(std::istream& input, ParserMode parserMode = ParserMode::Regular, bool avastSpecific = true, bool vtSpecific = true);
 	void initialize();
 	/// @}
 
@@ -369,6 +369,8 @@ class ParserDriver
 	bool _escapedContent = false; ///< flag used to determine if a currently parsed literal contains hexadecimal byte (such byte must be unescaped in getPureText())
 
 	ParserMode _mode; ///< Parser mode.
+	bool _avastSpecific; ///< Used to determine whether to include Avast-specific symbols or skip them
+	bool _vtSpecific; ///< Used to determine whether to include VirusTotal-specific symbols or skip them
 
 	std::stack<std::shared_ptr<TokenStream>> _tokenStreams; ///< _tokenStream contains all parsed tokens
 	std::stack<Location> _locations; ///< the top location tracks position of currently parsed token within current input file

diff --git a/include/yaramod/types/modules/androguard_module.h b/include/yaramod/types/modules/androguard_module.h
@@ -28,7 +28,7 @@ class AndroguardModule : public Module
 
 	/// @name Initialization method
 	/// @{
-	virtual bool initialize() override;
+	virtual bool initialize(bool avastSpecific) override;
 	/// @}
 };
 

diff --git a/include/yaramod/types/modules/cuckoo_module.h b/include/yaramod/types/modules/cuckoo_module.h
@@ -28,7 +28,7 @@ class CuckooModule : public Module
 
 	/// @name Initialization method
 	/// @{
-	virtual bool initialize() override;
+	virtual bool initialize(bool avastSpecific) override;
 	/// @}
 };
 

diff --git a/include/yaramod/types/modules/dex_module.h b/include/yaramod/types/modules/dex_module.h
@@ -28,7 +28,7 @@ class DexModule : public Module
 
 	/// @name Initialization method
 	/// @{
-	virtual bool initialize() override;
+	virtual bool initialize(bool avastSpecific) override;
 	/// @}
 };
 

diff --git a/include/yaramod/types/modules/dotnet_module.h b/include/yaramod/types/modules/dotnet_module.h
@@ -28,7 +28,7 @@ class DotnetModule : public Module
 
 	/// @name Initialization method
 	/// @{
-	virtual bool initialize() override;
+	virtual bool initialize(bool avastSpecific) override;
 	/// @}
 };
 

diff --git a/include/yaramod/types/modules/elf_module.h b/include/yaramod/types/modules/elf_module.h
@@ -28,7 +28,7 @@ class ElfModule : public Module
 
 	/// @name Initialization method
 	/// @{
-	virtual bool initialize() override;
+	virtual bool initialize(bool avastSpecific) override;
 	/// @}
 };
 

diff --git a/include/yaramod/types/modules/hash_module.h b/include/yaramod/types/modules/hash_module.h
@@ -28,7 +28,7 @@ class HashModule : public Module
 
 	/// @name Initialization method
 	/// @{
-	virtual bool initialize() override;
+	virtual bool initialize(bool avastSpecific) override;
 	/// @}
 };
 

diff --git a/include/yaramod/types/modules/macho_module.h b/include/yaramod/types/modules/macho_module.h
@@ -28,7 +28,7 @@ class MachoModule : public Module
 
 	/// @name Initialization method
 	/// @{
-	virtual bool initialize() override;
+	virtual bool initialize(bool avastSpecific) override;
 	/// @}
 };
 

diff --git a/include/yaramod/types/modules/magic_module.h b/include/yaramod/types/modules/magic_module.h
@@ -28,7 +28,7 @@ class MagicModule : public Module
 
 	/// @name Initialization method
 	/// @{
-	virtual bool initialize() override;
+	virtual bool initialize(bool avastSpecific) override;
 	/// @}
 };
 

diff --git a/include/yaramod/types/modules/math_module.h b/include/yaramod/types/modules/math_module.h
@@ -28,7 +28,7 @@ class MathModule : public Module
 
 	/// @name Initialization method
 	/// @{
-	virtual bool initialize() override;
+	virtual bool initialize(bool avastSpecific) override;
 	/// @}
 };
 

diff --git a/include/yaramod/types/modules/module.h b/include/yaramod/types/modules/module.h
@@ -32,7 +32,7 @@ class Module
 
 	/// @name Pure virtual initialization method
 	/// @{
-	virtual bool initialize() = 0;
+	virtual bool initialize(bool avastSpecific) = 0;
 	/// @}
 
 	/// @name Getter methods
@@ -48,7 +48,8 @@ class Module
 
 	/// @name Static module loading
 	/// @{
-	static std::shared_ptr<Module> load(const std::string& name);
+	static void reset(const std::string& name);
+	static std::shared_ptr<Module> load(const std::string& name, bool avastSpecific);
 	/// @}
 
 protected:

diff --git a/include/yaramod/types/modules/pe_module.h b/include/yaramod/types/modules/pe_module.h
@@ -28,7 +28,7 @@ class PeModule : public Module
 
 	/// @name Initialization method
 	/// @{
-	virtual bool initialize() override;
+	virtual bool initialize(bool avastSpecific) override;
 	/// @}
 };
 

diff --git a/include/yaramod/types/modules/phish_module.h b/include/yaramod/types/modules/phish_module.h
@@ -28,7 +28,7 @@ class PhishModule : public Module
 
 	/// @name Initialization method
 	/// @{
-	virtual bool initialize() override;
+	virtual bool initialize(bool avastSpecific) override;
 	/// @}
 };
 

diff --git a/include/yaramod/types/modules/time_module.h b/include/yaramod/types/modules/time_module.h
@@ -28,7 +28,7 @@ class TimeModule : public Module
 
 	/// @name Initialization method
 	/// @{
-	virtual bool initialize() override;
+	virtual bool initialize(bool avastSpecific) override;
 	/// @}
 };
 

diff --git a/include/yaramod/types/yara_file.h b/include/yaramod/types/yara_file.h
@@ -37,12 +37,12 @@ class YaraFile
 
 	/// @name Addition methods
 	/// @{
-	bool addImport(TokenIt import);
+	bool addImport(TokenIt import, bool avastSpecific);
 	void addRule(Rule&& rule);
 	void addRule(std::unique_ptr<Rule>&& rule);
 	void addRule(const std::shared_ptr<Rule>& rule);
 	void addRules(const std::vector<std::shared_ptr<Rule>>& rules);
-	bool addImports(const std::vector<TokenIt>& imports);
+	bool addImports(const std::vector<TokenIt>& imports, bool avastSpecific);
 	void insertRule(std::size_t position, std::unique_ptr<Rule>&& rule);
 	void insertRule(std::size_t position, const std::shared_ptr<Rule>& rule);
 	/// @}
@@ -77,7 +77,7 @@ class YaraFile
 
 	/// @name Symbol methods
 	/// @{
-	std::shared_ptr<Symbol> findSymbol(const std::string& name) const;
+	std::shared_ptr<Symbol> findSymbol(const std::string& name, bool vtSpecific) const;
 	/// @}
 
 	/// @name Detection methods

diff --git a/src/builder/yara_file_builder.cpp b/src/builder/yara_file_builder.cpp
@@ -20,7 +20,7 @@ namespace yaramod {
 std::unique_ptr<YaraFile> YaraFileBuilder::get(bool recheck, ParserDriver* external_driver)
 {
 	auto yaraFile = std::make_unique<YaraFile>(std::move(_tokenStream));
-	yaraFile->addImports(_modules);
+	yaraFile->addImports(_modules, _avastSpecific);
 	yaraFile->addRules(_rules);
 
 	_modules.clear();

diff --git a/src/parser/parser_driver.cpp b/src/parser/parser_driver.cpp
@@ -418,7 +418,7 @@ void ParserDriver::defineGrammar()
 		.production("IMPORT_KEYWORD", "STRING_LITERAL", [&](auto&& args) -> Value {
 			TokenIt import = args[1].getTokenIt();
 			import->setType(IMPORT_MODULE);
-			if (!_file.addImport(import))
+			if (!_file.addImport(import, _avastSpecific))
 				error_handle(import->getLocation(), "Unrecognized module '" + import->getString() + "' imported");
 			return {};
 		})
@@ -1517,8 +1517,14 @@ void ParserDriver::initialize()
  * Constructor.
  *
  * @param parserMode Parsing mode.
+ * @param avastSpecific set iff we want to use aditional Avast-specific symbols in the imported modules
+ * @param vtSpecific set iff we want to use aditional VirusTotal-specific symbols in the imported modules
+ * If you need to use more instances of ParserDriver with different avastSpecific or vtSpecific flags, use
+ * Module::reset method appropriately.
  */
-ParserDriver::ParserDriver(ParserMode parserMode)
+ParserDriver::ParserDriver(ParserMode parserMode, bool avastSpecific, bool vtSpecific)
+	: _avastSpecific(avastSpecific)
+	, _vtSpecific(vtSpecific)
 {
 	reset(parserMode);
 	initialize();
@@ -1529,9 +1535,13 @@ ParserDriver::ParserDriver(ParserMode parserMode)
  *
  * @param filePath Input file path.
  * @param parserMode Parsing mode.
+ * @param avastSpecific set iff we want to use aditional Avast-specific symbols in the imported modules
+ * @param vtSpecific set iff we want to use aditional VirusTotal-specific symbols in the imported modules
+ * If you need to use more instances of ParserDriver with different avastSpecific or vtSpecific flags, use
+ * Module::reset method appropriately.
  */
-ParserDriver::ParserDriver(const std::string& filePath, ParserMode parserMode) : _mode(parserMode),
-	_valid(true), _filePath(), _currentStrings(), _stringLoop(false), _localSymbols(), _startOfRule(0), _anonStringCounter(0)
+ParserDriver::ParserDriver(const std::string& filePath, ParserMode parserMode, bool avastSpecific, bool vtSpecific) : _mode(parserMode), _avastSpecific(avastSpecific)
+	, _vtSpecific(vtSpecific), _valid(true), _filePath(), _currentStrings(), _stringLoop(false), _localSymbols(), _startOfRule(0), _anonStringCounter(0)
 {
 	initialize();
 	_tokenStreams.emplace(std::make_shared<TokenStream>());
@@ -1546,9 +1556,13 @@ ParserDriver::ParserDriver(const std::string& filePath, ParserMode parserMode) :
  *
  * @param input Input stream.
  * @param parserMode Parsing mode.
+ * @param avastSpecific set iff we want to use aditional Avast-specific symbols in the imported modules
+ * @param vtSpecific set iff we want to use aditional VirusTotal-specific symbols in the imported modules
+ * If you need to use more instances of ParserDriver with different avastSpecific or vtSpecific flags, use
+ * Module::reset method appropriately.
  */
-ParserDriver::ParserDriver(std::istream& input, ParserMode parserMode) : _mode(parserMode),
-	_optionalFirstInput(&input), _valid(true), _filePath(), _currentStrings(), _stringLoop(false), _localSymbols()
+ParserDriver::ParserDriver(std::istream& input, ParserMode parserMode, bool avastSpecific, bool vtSpecific) : _mode(parserMode), _avastSpecific(avastSpecific)
+	, _vtSpecific(vtSpecific), _optionalFirstInput(&input), _valid(true), _filePath(), _currentStrings(), _stringLoop(false), _localSymbols()
 {
 	initialize();
 	_tokenStreams.emplace(std::make_shared<TokenStream>());
@@ -1828,7 +1842,7 @@ std::shared_ptr<Symbol> ParserDriver::findSymbol(const std::string& name) const
 	if (itr != _localSymbols.end())
 		return itr->second;
 
-	return _file.findSymbol(name);
+	return _file.findSymbol(name, _vtSpecific);
 }
 
 /**

diff --git a/src/types/modules/androguard_module.cpp b/src/types/modules/androguard_module.cpp
@@ -22,9 +22,10 @@ AndroguardModule::AndroguardModule() : Module("androguard")
  *
  * @return @c true if success, otherwise @c false.
  */
-bool AndroguardModule::initialize()
+bool AndroguardModule::initialize(bool avastSpecific)
 {
 	using Type = Expression::Type;
+	(void) avastSpecific;
 
 	auto androguardStruct = std::make_shared<StructureSymbol>("androguard");
-Original file line number
+Diff line change
@@ Expand Up / @@ -28,7 +28,7 @@ class AndroguardModule : public Module @@
     	/// @name Initialization method
     	/// @{
-    	virtual bool initialize() override;
+    	virtual bool initialize(bool avastSpecific) override;
     	/// @}
     };
@@ Expand Down @@