YaraX solver in GatoROM CLI, inclusion of library. #132

travisgoodspeed · travisgoodspeed · commit 5a38f6459358 · 2025-10-24T17:09:12.000-04:00
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -1,4 +1,7 @@
 cmake_minimum_required(VERSION 3.5)
+include(CMakeFindDependencyMacro)
+
+configure_file(config.h.in config.h)
 
 # X86 is no longer supported, but you could edit this to bring it back.
 # set(CMAKE_OSX_ARCHITECTURES "arm64;x86_64" CACHE STRING "" FORCE)
@@ -15,8 +18,26 @@ set(CMAKE_AUTORCC ON)
 set(CMAKE_CXX_STANDARD 17)
 set(CMAKE_CXX_STANDARD_REQUIRED ON)
 
-find_package(QT NAMES Qt6 REQUIRED COMPONENTS Widgets LinguistTools Charts PrintSupport Core Quick Qml)
-find_package(Qt${QT_VERSION_MAJOR} REQUIRED COMPONENTS Widgets LinguistTools Charts PrintSupport Core  Quick Qml)
+#find_package(QT NAMES Qt6 REQUIRED COMPONENTS Widgets LinguistTools Charts PrintSupport Core Quick Qml)
+find_package(Qt6 REQUIRED COMPONENTS Widgets LinguistTools Charts PrintSupport Core  Quick Qml)
+
+# Optional packages.
+# https://virustotal.github.io/yara-x/docs/api/c/c-/
+#find_library(YARAX NAMES yara_x_capi)
+#find_library(YARAX NAMES libyara_x_capi.a)
+
+
+find_package(PkgConfig REQUIRED)
+pkg_check_modules(YARAX REQUIRED IMPORTED_TARGET yara_x_capi)
+
+
+# Check if the library was found
+if (YARAX_FOUND)
+    set(YARAX ${YARAX_STATIC_LIBRARIES} )
+    message(STATUS "Found yarax: ${YARAX}")
+else()
+    message(STATUS "Yarax not found.  Will build without it.")
+endif()
 
 # GoodASM as a disassembler and library.
 if(NOT EXISTS "${PROJECT_SOURCE_DIR}/extern/goodasm/CMakeLists.txt")
@@ -54,12 +75,11 @@ set(GATOROM_SOURCES
     gatograderbytes.h gatograderbytes.cpp
     gatograderstring.h gatograderstring.cpp
     gatograderascii.h gatograderascii.cpp
-    gatograderyara.h gatograderyara.cpp
+    gatograderyara.h gatograderyara.cpp    # Old Yara from CLI.
+    gatograderyarax.h gatograderyarax.cpp  # New Yara-X from library.
     gatogradergoodasm.h gatogradergoodasm.cpp
     # Decoders that are new to GatoRom.
     gatodecoderinfo.h gatodecoderinfo.cpp  # Just info, no details.
-    # gatodecoderarm6.h gatodecoderarm6.cpp  # MYK82 Clipper Chip Decoder.  Use cols-left instead.
-    # gatodecodermsp430.h gatodecodermsp430.cpp # MSP430 ROM
     gatodecodertlcsfont.h gatodecodertlcsfont.cpp # TMP47C434N Font ROM
     gatodecoderz86x1.h gatodecoderz86x1.cpp # Zilog Z8 Z86x1
     gatodecodercolsdownlswap.h gatodecodercolsdownlswap.cpp # Used in NEC uCOM4 Micros
@@ -97,7 +117,6 @@ set(MRT_SOURCES
         romdecoderasciidamage.h romdecoderasciidamage.cpp
         romdecoderjson.h romdecoderjson.cpp
         romdecodercsv.h romdecodercsv.cpp
-#        romdecodermarc4.h romdecodermarc4.cpp   # Deprecated, needs to move to gatorom.
         romdecoderphotograph.h romdecoderphotograph.cpp
         romdecoderhistogram.h romdecoderhistogram.cpp
         romencoderdiff.h romencoderdiff.cpp
@@ -133,12 +152,17 @@ if(NOT WIN32)
 endif()
 
 
+
+
+
 qt_add_executable(maskromtool
     MANUAL_FINALIZATION
     ${MRT_SOURCES}
 )
 qt_create_translation(QM_FILES ${CMAKE_SOURCE_DIR} ${TS_FILES})
-target_link_libraries(maskromtool PRIVATE Qt${QT_VERSION_MAJOR}::Widgets Qt${QT_VERSION_MAJOR}::Charts Qt${QT_VERSION_MAJOR}::PrintSupport libgoodasm ${READLINE})
+target_link_libraries(maskromtool PRIVATE Qt6::Widgets
+        Qt6::Charts Qt6::PrintSupport
+        libgoodasm ${READLINE} PkgConfig::YARAX)
 
 
 set_target_properties(maskromtool PROPERTIES
@@ -156,7 +180,9 @@ if(WIN32)
         MANUAL_FINALIZATION
         ${MRT_SOURCES}
     )
-    target_link_libraries(maskromtoolcli PRIVATE Qt${QT_VERSION_MAJOR}::Widgets Qt${QT_VERSION_MAJOR}::Charts Qt${QT_VERSION_MAJOR}::PrintSupport libgoodasm ${READLINE})
+    target_link_libraries(maskromtoolcli PRIVATE Qt6::Widgets
+            Qt6::Charts Qt6::PrintSupport
+            libgoodasm ${READLINE} ${YARAX_LIBRARIES} )
     qt_finalize_executable(maskromtoolcli)
     install(TARGETS maskromtoolcli DESTINATION bin)
 endif()
@@ -173,7 +199,8 @@ add_executable(gatorom
   # CLI
   gatomain.cpp
 )
-target_link_libraries(gatorom Qt${QT_VERSION_MAJOR}::Core Qt${QT_VERSION_MAJOR}::PrintSupport libgoodasm ${READLINE})
+target_link_libraries(gatorom Qt6::Core
+        Qt6::PrintSupport libgoodasm ${READLINE} ${YARAX_LIBRARIES})
 
 install(TARGETS gatorom
     LIBRARY DESTINATION ${CMAKE_INSTALL_LIBDIR})
diff --git a/config.h.in b/config.h.in
@@ -0,0 +1,6 @@
+
+// I don't know why this doesn't work.
+#define MASKROMTOOL_VERSION_STRING "${PROJECT_VERSION}"
+
+// We don't want to fail when this library is missing.
+#cmakedefine01 YARAX_FOUND
diff --git a/gatograderyarax.cpp b/gatograderyarax.cpp
@@ -0,0 +1,55 @@
+#include <QDebug>
+#include "gatograderyarax.h"
+
+/* VERY IMPORTANT:
+ *
+ * YaraX is lovely, but it's a Rust project that many C++
+ * developers will not know how to build.  We work around
+ * this by the YARAX_FOUND definition, so that the feature
+ * gracefully degrades when YaraX is missing.
+ *
+ * In any changes to this executable, your code must compile
+ * with or without YaraX.
+ */
+
+#ifdef YARAX_FOUND
+
+GatoGraderYaraX::GatoGraderYaraX(QString rule) {
+    //Someday we might hold more than one rule.
+    this->rule=rule;
+
+    //First compile the rules.
+    YRX_RESULT res=yrx_compile(rule.toStdString().c_str(), &rules);
+    if(res!=YRX_SUCCESS){
+        qDebug()<<QString(yrx_last_error());
+    }
+
+    //Then build a scanner.
+    res=yrx_scanner_create(rules, &scanner);
+    if(res!=YRX_SUCCESS){
+        qDebug()<<QString(yrx_last_error());
+    }
+}
+
+GatoGraderYaraX::~GatoGraderYaraX(){
+    if(scanner) yrx_scanner_destroy(scanner);
+    if(rules) yrx_rules_destroy(rules);
+}
+
+static void callback(const struct YRX_RULE *rule, void *user_data){
+    GatoGraderYaraX* grader=(GatoGraderYaraX*) user_data;
+    grader->match++;
+}
+
+int GatoGraderYaraX::grade(QByteArray ba){
+    assert(scanner);
+
+    //Scan the bytes.
+    this->match=0; //Reset match count.
+    yrx_scanner_on_matching_rule(scanner, callback, (void*) this);
+    YRX_RESULT res=yrx_scanner_scan(scanner,(uint8_t*) ba.data(), ba.length());
+    return this->match*100; //Did we get a match?
+}
+
+
+#endif //YARAX_FOUND
diff --git a/gatograderyarax.h b/gatograderyarax.h
@@ -0,0 +1,43 @@
+#ifndef GATOGRADERYARAX_H
+#define GATOGRADERYARAX_H
+
+/* VERY IMPORTANT:
+ *
+ * YaraX is lovely, but it's a Rust project that many C++
+ * developers will not know how to build.  We work around
+ * this by the YARAX_FOUND definition, so that the feature
+ * gracefully degrades when YaraX is missing.
+ *
+ * In any changes to this executable, your code must compile
+ * with or without YaraX.
+ */
+
+#include "gatosolver.h"
+#include "config.h"     //Needed for "YARAX_FOUND" from Cmake.
+
+#ifdef YARAX_FOUND
+
+//Library is C, not C++, so name mangling must be disabled.
+extern "C" {
+#include <yara_x.h>
+}
+
+
+class GatoGraderYaraX : public GatoGrader
+{
+public:
+    GatoGraderYaraX(QString rule);
+    ~GatoGraderYaraX();
+    int grade(QByteArray ba);
+
+    //Incremented on a callback.
+    int match=0;
+
+private:
+    YRX_RULES* rules=0;
+    YRX_SCANNER* scanner=0;
+    QString rule="";
+};
+
+#endif // YARAX_FOUND
+#endif // GATOGRADERYARAX_H
diff --git a/gatomain.cpp b/gatomain.cpp
@@ -32,8 +32,8 @@
 #include "gatograderstring.h"
 #include "gatograderascii.h"
 #include "gatograderyara.h"
+#include "gatograderyarax.h"
 #include "gatogradergoodasm.h"
-#include "extern/goodasm/goodasm.h"
 
 
 /* This is a quick CLI wrapper for GatoROM, which you might run on textfiles
@@ -236,6 +236,12 @@ int main(int argc, char *argv[]) {
                                     ""
                                     );
     parser.addOption(solveyaraOption);
+    QCommandLineOption solveyaraxOption(QStringList()<<"solve-yarax",
+                                       "YaraX rule file.",
+                                       "rule",
+                                       ""
+                                       );
+    parser.addOption(solveyaraxOption);
     QCommandLineOption solvegoodasmOption(QStringList()<<"solve-goodasm",
                                        "GoodASM Language Solver",
                                        "lang",
@@ -411,6 +417,7 @@ int main(int argc, char *argv[]) {
             QString bytes=parser.value(bytesOption);
             QString string=parser.value(stringOption);
             QString yararule=parser.value(solveyaraOption);
+            QString yaraxrule=parser.value(solveyaraxOption);
             QString goodasmsolver=parser.value(solvegoodasmOption);
             if(goodasmsolver.startsWith("goodasm/"))
                 goodasmsolver=goodasmsolver.right(goodasmsolver.length()-QString("goodasm/").length());
@@ -429,6 +436,14 @@ int main(int argc, char *argv[]) {
                 grader=new GatoGraderASCII();
             }else if(parser.isSet(solveyaraOption)){
                 grader=new GatoGraderYara(yararule);
+            }else if(parser.isSet(solveyaraxOption)){
+#ifdef YARAX_FOUND
+                QFile source(yaraxrule);
+                source.open(QFile::ReadOnly);
+                grader=new GatoGraderYaraX(source.readAll());
+#else
+                qDebug()<<"YaraX not linked.";
+#endif
             }else if(parser.isSet(solvegoodasmOption)){
                 gr->arch=goodasmsolver;
                 grader=new GatoGraderGoodAsm(gr->goodasm());
diff --git a/gatotests/gameboy/gameboy.yar b/gatotests/gameboy/gameboy.yar
@@ -0,0 +1,12 @@
+
+// The GameBoy boot ROM contains a bitmap of Nintendo's logo, compared
+// against a matching bitmap in every cartridge.  Here we check for the
+// first row of the logo.
+
+rule gameboy {
+strings:
+  $nintendo = {CE ED 66 66 CC 0D 00 0B 03 73 00 83 00 0C 00 0D}
+
+condition:
+  $nintendo
+}
