Add a 'which_callback' keyword to match(), which limits when the python callback will be called.

e2cb4e39 · Wesley Shields · Victor M. Alvarez · 2587a645 · e2cb4e39
Commit e2cb4e39 authored Oct 16, 2017 by Wesley Shields Committed by Victor M. Alvarez Oct 16, 2017
Show whitespace changes
Inline Side-by-side

Showing with 20 additions and 4 deletions

yara-python.c yara-python.c +20 -4

No files found.
--- a/yara-python.c
+++ b/yara-python.c
@@ -389,6 +389,7 @@ typedef struct _CALLBACK_DATA
  PyObject* callback;
  PyObject* modules_data;
  PyObject* modules_callback;
+  int which;

 } CALLBACK_DATA;

@@ -551,6 +552,10 @@ PyObject* convert_dictionary_to_python(
 }


+#define CALLBACK_ALL 0x01
+#define CALLBACK_MATCHES 0x02
+#define CALLBACK_NON_MATCHES 0x04
+
 int yara_callback(
    int message,
    void* message_data,
@@ -578,6 +583,7 @@ int yara_callback(
  PyObject* module_data;
  PyObject* callback_result;
  PyObject* module_info_dict;
+  int which = ((CALLBACK_DATA*) user_data)->which;

  Py_ssize_t data_size;
  PyGILState_STATE gil_state;
@@ -587,7 +593,12 @@ int yara_callback(
  if (message == CALLBACK_MSG_SCAN_FINISHED)
    return CALLBACK_CONTINUE;

-  if (message == CALLBACK_MSG_RULE_NOT_MATCHING && callback == NULL)
+  if (message == CALLBACK_MSG_RULE_NOT_MATCHING &&
+      (callback == NULL || which & CALLBACK_MATCHES))
+    return CALLBACK_CONTINUE;
+
+  if (message == CALLBACK_MSG_RULE_MATCHING &&
+      (callback == NULL || which & CALLBACK_NON_MATCHES))
    return CALLBACK_CONTINUE;

  if (message == CALLBACK_MSG_IMPORT_MODULE && modules_data == NULL)
@@ -1331,7 +1342,7 @@ static PyObject* Rules_match(
  static char* kwlist[] = {
      "filepath", "pid", "data", "externals",
      "callback", "fast", "timeout", "modules_data",
-      "modules_callback", NULL
+      "modules_callback", "which_callbacks", NULL
      };

  char* filepath = NULL;
@@ -1354,11 +1365,12 @@ static PyObject* Rules_match(
  callback_data.callback = NULL;
  callback_data.modules_data = NULL;
  callback_data.modules_callback = NULL;
+  callback_data.which = CALLBACK_ALL;

  if (PyArg_ParseTupleAndKeywords(
        args,
        keywords,
-        "|sis#OOOiOO",
+        "|sis#OOOiOOi",
        kwlist,
        &filepath,
        &pid,
@@ -1369,7 +1381,8 @@ static PyObject* Rules_match(
        &fast,
        &timeout,
        &callback_data.modules_data,
-        &callback_data.modules_callback))
+        &callback_data.modules_callback,
+        &callback_data.which))
  {
    if (filepath == NULL && data == NULL && pid == 0)
    {
@@ -2136,6 +2149,9 @@ MOD_INIT(yara)

  PyModule_AddIntConstant(m, "CALLBACK_CONTINUE", 0);
  PyModule_AddIntConstant(m, "CALLBACK_ABORT", 1);
+  PyModule_AddIntConstant(m, "CALLBACK_ALL", CALLBACK_ALL);
+  PyModule_AddIntConstant(m, "CALLBACK_MATCHES", CALLBACK_MATCHES);
+  PyModule_AddIntConstant(m, "CALLBACK_NON_MATCHES", CALLBACK_NON_MATCHES);
  PyModule_AddStringConstant(m, "__version__", YR_VERSION);
  PyModule_AddStringConstant(m, "YARA_VERSION", YR_VERSION);
  PyModule_AddIntConstant(m, "YARA_VERSION_HEX", YR_VERSION_HEX);