From ba68f463e597558c77aeb553e8a25f45f0c84b2d Mon Sep 17 00:00:00 2001
From: WerWolv
Date: Wed, 2 Feb 2022 21:08:46 +0100
Subject: [PATCH] ui: Added to matched yara rules
---
 .../include/hex/pattern_language/pattern_data.hpp | 1 -
 plugins/builtin/include/content/views/view_yara.hpp | 5 +++--
 .../builtin/source/content/views/view_hexeditor.cpp | 3 ++-
 plugins/builtin/source/content/views/view_yara.cpp | 11 +++++++++--
 4 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/lib/libimhex/include/hex/pattern_language/pattern_data.hpp b/lib/libimhex/include/hex/pattern_language/pattern_data.hpp
index 08498a7ce..73c1a3c87 100644
--- a/lib/libimhex/include/hex/pattern_language/pattern_data.hpp
+++ b/lib/libimhex/include/hex/pattern_language/pattern_data.hpp
@@ -82,7 +82,6 @@ namespace hex::pl {
 public:
 PatternData(Evaluator *evaluator, u64 offset, size_t size, u32 color = 0) : PatternCreationLimiter(evaluator), m_offset(offset), m_size(size), m_color(color) {
- constexpr u32 Palette[] = { 0x70b4771f, 0x700e7fff, 0x702ca02c, 0x702827d6, 0x70bd6794, 0x704b568c, 0x70c277e3, 0x707f7f7f, 0x7022bdbc, 0x70cfbe17 };
 if (color != 0) return;
diff --git a/plugins/builtin/include/content/views/view_yara.hpp b/plugins/builtin/include/content/views/view_yara.hpp
index 99403b57e..1e4f43a6a 100644
--- a/plugins/builtin/include/content/views/view_yara.hpp
+++ b/plugins/builtin/include/content/views/view_yara.hpp
@@ -18,9 +18,10 @@ namespace hex::plugin::builtin {
 struct YaraMatch {
 std::string identifier;
 std::string variable;
- i64 address;
- i32 size;
+ u64 address;
+ size_t size;
 bool wholeDataMatch;
+ u32 highlightId;
 };
 std::vector> m_rules;
diff --git a/plugins/builtin/source/content/views/view_hexeditor.cpp b/plugins/builtin/source/content/views/view_hexeditor.cpp
index 06df4ceb8..1eb5bb007 100644
--- a/plugins/builtin/source/content/views/view_hexeditor.cpp
+++ b/plugins/builtin/source/content/views/view_hexeditor.cpp
@@ -116,7 +116,8 @@ namespace hex::plugin::builtin {
 this->m_memoryEditor.HoverFn = [](const ImU8 *data, size_t off) {
 bool tooltipShown = false;
- off += ImHexApi::Provider::get()->getBaseAddress();
+ auto provider = ImHexApi::Provider::get();
+ off += provider->getBaseAddress() + provider->getCurrentPageAddress();
 for (const auto &[id, highlight] : ImHexApi::HexEditor::getHighlights()) {
 auto ®ion = highlight.getRegion();
diff --git a/plugins/builtin/source/content/views/view_yara.cpp b/plugins/builtin/source/content/views/view_yara.cpp
index 1a0f5bc00..71f6bdb2f 100644
--- a/plugins/builtin/source/content/views/view_yara.cpp
+++ b/plugins/builtin/source/content/views/view_yara.cpp
@@ -96,7 +96,7 @@ namespace hex::plugin::builtin {
 while (clipper.Step()) {
 for (u32 i = clipper.DisplayStart; i < clipper.DisplayEnd; i++) {
- auto &[identifier, variableName, address, size, wholeDataMatch] = this->m_matches[i];
+ auto &[identifier, variableName, address, size, wholeDataMatch, highlightId] = this->m_matches[i];
 ImGui::TableNextRow();
 ImGui::TableNextColumn();
 ImGui::PushID(i);
@@ -147,6 +147,9 @@ namespace hex::plugin::builtin {
 }
 void ViewYara::applyRules() {
+ for (const auto &match : this->m_matches)
+ ImHexApi::HexEditor::removeHighlight(match.highlightId);
+
 this->m_matches.clear();
 this->m_errorMessage.clear();
 this->m_matching = true;
@@ -271,7 +274,7 @@ namespace hex::plugin::builtin {
 if (rule->strings != nullptr) {
 yr_rule_strings_foreach(rule, string) {
 yr_string_matches_foreach(context, string, match) {
- newMatches.push_back({ rule->identifier, string->identifier, match->offset, match->match_length, false });
+ newMatches.push_back({ rule->identifier, string->identifier, u64(match->offset), size_t(match->match_length), false });
 }
 }
 } else {
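Review bot: In the `@@ -271` hunk of view_yara.cpp the stored address is `u64(match->offset)`, but libyara defines `YR_MATCH::offset` as relative to `match->base`, so for any scanned block other than the first the value is not a position in the data. The hover callback changed in view_hexeditor.cpp by this same commit compares against `off + getBaseAddress() + getCurrentPageAddress()`, so whether the later highlight covers the bytes that actually matched depends on how the scan feeds blocks and on the provider's base address, neither of which is visible here. If more than one block is scanned, `u64(match->base + match->offset)` is the safer value, and a comment on `YaraMatch::address` should state which address space it uses. The function-style casts also turn a negative `offset` or `match_length` into a very large unsigned number silently; a `>= 0` check before a `static_cast` keeps a bad value from becoming a highlight over unrelated data. The callback this code sits in starts and ends outside the hunk.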
@@ -284,6 +287,10 @@ namespace hex::plugin::builtin {
 &newMatches, 0);
+ for (auto &match : newMatches) {
+ match.highlightId = ImHexApi::HexEditor::addHighlight({ match.address, match.size }, 0x70B4771F, hex::format("{0} [{1}]", match.identifier, match.variable));
+ }
+
 std::copy(newMatches.begin(), newMatches.end(), std::back_inserter(this->m_matches));
 }).detach();
 }
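Review bot: The added loop calls `ImHexApi::HexEditor::addHighlight` inside the lambda that ends in `}).detach();`, so it runs on the scan thread while view_hexeditor.cpp iterates `ImHexApi::HexEditor::getHighlights()` from its hover callback; unless the highlight store locks internally (not visible in this patch), that is a data race on the container. The `removeHighlight` loop added in the `@@ -147` hunk has the same exposure if `applyRules()` can be entered again while an earlier scan is still running. I would collect the regions on the worker and register them from the UI thread, or guard both sides with one mutex, and say so in a comment above the loop. Separately, entries with `wholeDataMatch == true` also receive a highlight; if those carry no real range, skip them with `if (match.wholeDataMatch) continue;`. The lambda body starts outside the hunk.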