Removed unbounded regexps which could cause issues with very long import names (fixes #65).

Author: JusticeRage

docs/writing-plugins.rst

@@ -402,7 +402,7 @@ In Manalyze, looking up imports is a two-step process. You usually query the lis
 
 You can also use the ``find_imports`` and ``find_imported_dlls`` function if you're looking for something specific. For instance::
 
-	auto dlls = pe.find_imports("WS2_32.dll", false);
+	auto dlls = pe.find_imported_dlls("WS2_32.dll", false);
 	
 ...will return all shared libraries imported by the PE matching the regular expression given as the first argument. The second argument controls whether the regular expression is case sensitive and defaults to false when omitted.
 

include/manape/pe.h

@@ -119,6 +119,15 @@ class PE
 	 */
 	DECLSPEC const_shared_strings get_imported_functions(const std::string& dll) const;
 
+	/**
+	 *	@brief	Returns the number of unique imported function names across all imported DLLs.
+	 *
+	 *	@return	The number of unique imported functions.
+	 *
+	 *	Implementation is located in imports.cpp.
+	 */
+	DECLSPEC size_t count_imported_functions() const;
+
 	/**
 	*	@brief	Finds imported DLLs whose names match a particular regular expression.
 	*
@@ -136,20 +145,20 @@ class PE
 	 *	@brief	Finds imported functions matching regular expressions.
 	 *
 	 *	@param	const std::string& function_name_regexp		The regular expression selecting function names.
-	 *	@param	const std::string& dll_name_regexp			The regular expression selecting imported dlls into which the
-	 *														functions should be searched.
+	 *	@param	const std::optional<std::string>& dll_name_regexp
+	 *														Optional regular expression selecting imported DLLs into which
+	 *														the functions should be searched. std::nullopt means all DLLs.
 	 *	@param	bool case_sensitivity						Whethter the regular expression should be case sensitive (default is false).
 	 *
 	 *	@return	A shared vector containing the matching function names.
 	 *
-	 *	The default value for dll_name_regexp implies that all DLLs should be searched.
 	 *	Note that functions will only be returned if they match the WHOLE input sequence.
 	 *	/!\ Warning: Functions imported by ordinal can NOT be found using this function!
 	 *
 	 *	Implementation is located in imports.cpp.
 	 */
 	DECLSPEC const_shared_strings find_imports(const std::string& function_name_regexp,
-											   const std::string& dll_name_regexp = ".*",
+											   const std::optional<std::string>& dll_name_regexp = std::nullopt,
 											   bool  case_sensitivity = false) const;
 
 	/**

manape/imports.cpp

@@ -18,6 +18,7 @@
 #include "manape/pe.h"
 
 #include <regex>
+#include <set>
 
 namespace mana {
 
@@ -306,6 +307,36 @@ const_shared_strings PE::get_imported_functions(const std::string& dll) const
 
 // ----------------------------------------------------------------------------
 
+size_t PE::count_imported_functions() const
+{
+	if (!_initialized) {
+		return 0;
+	}
+
+	std::set<std::string> unique_imports;
+	for (const auto& library : _imports)
+	{
+		auto imports = library->get_imports();
+		if (imports == nullptr) {
+			continue;
+		}
+		for (const auto& imported_symbol : *imports)
+		{
+			std::string name;
+			if (imported_symbol->Name == "") {
+				name = *nt::translate_ordinal(imported_symbol->AddressOfData & 0x7FFF, *library->get_name());
+			}
+			else {
+				name = imported_symbol->Name;
+			}
+			unique_imports.insert(name);
+		}
+	}
+	return unique_imports.size();
+}
+
+// ----------------------------------------------------------------------------
+
 shared_imports PE::find_imported_dlls(const std::string& name_regexp,
 									  bool  case_sensitivity) const
 {
@@ -335,19 +366,14 @@ shared_imports PE::find_imported_dlls(const std::string& name_regexp,
 // ----------------------------------------------------------------------------
 
 const_shared_strings PE::find_imports(const std::string& function_name_regexp,
-									  const std::string& dll_name_regexp,
+									  const std::optional<std::string>& dll_name_regexp,
 									  bool  case_sensitivity) const
 {
 	auto destination = std::make_shared<std::vector<std::string> >();
 	if (!_initialized) {
 		return destination;
 	}
 
-	auto matching_dlls = find_imported_dlls(dll_name_regexp);
-	if (!matching_dlls || matching_dlls->empty()) {
-		return destination;
-	}
-
 	std::regex e;
 	if (case_sensitivity) {
 		e = std::regex(function_name_regexp);
@@ -356,19 +382,19 @@ const_shared_strings PE::find_imports(const std::string& function_name_regexp,
 		e = std::regex(function_name_regexp, std::regex::icase);
 	}
 
-	// Iterate on matching DLLs
-	for (const auto& it : *matching_dlls)
+	auto add_matching_imports = [&](const pImportedLibrary& library)
 	{
-		auto imported_functions = it->get_imports();
+		auto imported_functions = library->get_imports();
 		if (imported_functions == nullptr) {
-			continue;
+			return;
 		}
+
 		// Iterate on functions imported by each of these DLLs
 		for (const auto& it2 : *imported_functions)
 		{
 			std::string name;
 			if (it2->Name == "") {
-				name = *nt::translate_ordinal(it2->AddressOfData & 0x7FFF, *it->get_name());
+				name = *nt::translate_ordinal(it2->AddressOfData & 0x7FFF, *library->get_name());
 			}
 			else {
 				name = it2->Name;
@@ -378,7 +404,28 @@ const_shared_strings PE::find_imports(const std::string& function_name_regexp,
 				destination->push_back(name);
 			}
 		}
+	};
+
+	if (dll_name_regexp.has_value())
+	{
+		auto matching_dlls = find_imported_dlls(*dll_name_regexp, case_sensitivity);
+		if (!matching_dlls || matching_dlls->empty()) {
+			return destination;
+		}
+
+		// Iterate on matching DLLs only.
+		for (const auto& it : *matching_dlls) {
+			add_matching_imports(it);
+		}
 	}
+	else
+	{
+		// No DLL filter: iterate on all imported DLLs.
+		for (const auto& it : _imports) {
+			add_matching_imports(it);
+		}
+	}
+
 	return destination;
 }
 

plugins/plugin_packer_detection.cpp

@@ -166,10 +166,10 @@ class PackerDetectionPlugin : public IPlugin
             // Look for the "Total imports" @comp.id.
             if (std::get<0>(*it) == 1)
             {
-                auto imports = pe.find_imports(".*");
+                auto imports = pe.count_imported_functions();
                 // For some reason, the number of imports present here seems to be wrong in a lot of goodware.
                 // It seems however that that number is never smaller than the actual number of imports.
-                if (std::get<2>(*it) < imports->size())
+                if (std::get<2>(*it) < imports)
                 {
                     if (res->get_summary() == nullptr) {
                         res->set_summary("The PE is packed or was manually edited.");
@@ -232,10 +232,10 @@ class PackerDetectionPlugin : public IPlugin
         }
 
         // A low number of imports indicates that the binary is packed.
-        mana::const_shared_strings imports = pe.find_imports(".*"); // Get all imports
+        auto imports = pe.count_imported_functions();
 
         // A single import could indicate that the file is a .NET executable; don't warn about that.
-        if (imports->size() == 1)
+        if (imports == 1)
         {
             auto mscoree = pe.find_imported_dlls("mscoree.dll");
             if (!mscoree->empty())
@@ -265,10 +265,10 @@ class PackerDetectionPlugin : public IPlugin
             }
         }
 
-        if (imports->size() < min_imports)
+        if (imports < min_imports)
         {
             std::stringstream ss;
-            ss << "The PE only has " << imports->size() << " import(s).";
+            ss << "The PE only has " << imports << " import(s).";
             res->add_information(ss.str());
             res->raise_level(SUSPICIOUS);
         }

test/imports.cpp

@@ -127,13 +127,21 @@ BOOST_AUTO_TEST_CASE(find_imports_case_insensitivity)
 	BOOST_CHECK_EQUAL(pfunctions->at(0), "WriteProcessMemory");
 
 	// Try again with case sensitivity on.
-	pfunctions = pe.find_imports("WRITEPROCESSMEMORY", ".*", true);
+	pfunctions = pe.find_imports("WRITEPROCESSMEMORY", std::nullopt, true);
 	BOOST_ASSERT(pfunctions);
 	BOOST_ASSERT(pfunctions->size() == 0);
 }
 
 // ----------------------------------------------------------------------------
 
+BOOST_AUTO_TEST_CASE(count_imported_functions)
+{
+	mana::PE pe("testfiles/manatest.exe");
+	BOOST_CHECK_EQUAL(pe.count_imported_functions(), 56);
+}
+
+// ----------------------------------------------------------------------------
+
 BOOST_AUTO_TEST_CASE(hash_imports)
 {
 	mana::PE pe("testfiles/manatest.exe");