Initial support for ~ operator in hex strings. (VirusTotal#62)

* Initial support for ~ operator in hex strings.

This allows gyp to parse the ~ operator in hex strings. It isn't fully
implemented yet as it doesn't work with wildcards, but that will be next on my
list.

* Allow users to define their own flexgo/goyacc/protoc-gen-go

This allows users to build with:

FLEXGO=/Users/wxs/bin/flexgo/bin/flex GOYACC=/Users/wxs/go/bin/goyacc PROTOC=/Users/wxs/go/bin/protoc-gen-go make

If you have them in your path already it will still work, but if you need to
define them yourself you can now do so.

* Add support for not operator on wildcards.

Makefile

@@ -1,13 +1,17 @@
+FLEXGO ?= flexgo
+GOYACC ?= goyacc
+PROTOC ?= protoc-gen-go
+
 all: proto hexgrammar grammar y2j j2y
 
 grammar:
-	flexgo -G -v -o parser/lexer.go parser/lexer.l && goyacc -p yr -o parser/parser.go parser/grammar.y
+	${FLEXGO} -G -v -o parser/lexer.go parser/lexer.l && ${GOYACC} -p yr -o parser/parser.go parser/grammar.y
 
 hexgrammar:
-	flexgo -G -v -o hex/hex_lexer.go hex/hex_lexer.l && goyacc -p hex -o hex/hex_parser.go hex/hex_grammar.y
+	${FLEXGO} -G -v -o hex/hex_lexer.go hex/hex_lexer.l && ${GOYACC} -p hex -o hex/hex_parser.go hex/hex_grammar.y
 
 proto:
-	protoc --go_out=. --go_opt=paths=source_relative pb/yara.proto
+	protoc --plugin=${PROTOC} --go_out=. --go_opt=paths=source_relative pb/yara.proto
 
 j2y:
 	go build github.com/VirusTotal/gyp/cmd/j2y

ast/serialization.go

@@ -229,6 +229,7 @@ func hexTokensFromProto(pbTokens *pb.HexTokens) HexTokens {
 			tokens[i] = &HexBytes{
 				Bytes: v.Sequence.GetValue(),
 				Masks: v.Sequence.GetMask(),
+				Nots: v.Sequence.GetNots(),
 			}
 		case *pb.HexToken_Alternative:
 			alternatives := make(HexTokens, len(v.Alternative.GetTokens()))

ast/strings.go

@@ -133,9 +133,12 @@ type HexJump struct {
 // 0F -> The higher nibble is ignored (?X)
 // F0 -> The lower nibble is ignored (X?)
 // FF -> No wildcard at all.
+// The Nots array is an array of boolean values that indicate which of the
+// bytes are prefixed with a ~ indicating they should NOT be the given value.
 type HexBytes struct {
 	Bytes []byte
 	Masks []byte
+	Nots  []bool
 }
 
 // HexOr is an HexToken that represents an alternative in the hex string, like
@@ -311,18 +314,19 @@ func (h *HexString) WriteSource(w io.Writer) (err error) {
 // WriteSource writes the node's source into the writer w.
 func (h *HexBytes) WriteSource(w io.Writer) error {
 	for i, b := range h.Bytes {
-		var s string
+		var s string = ""
+		if h.Nots[i] {
+			s += "~"
+		}
 		switch mask := h.Masks[i]; mask {
 		case 0x00:
-			s = "?? "
+			s += "?? "
 		case 0x0F:
-			s = fmt.Sprintf("%02X ", b)
-			s = "?" + s[1:]
+			s += "?" + fmt.Sprintf("%02X ", b)[1:]
 		case 0xF0:
-			s = fmt.Sprintf("%02X", b)
-			s = s[:1] + "? "
+			s += fmt.Sprintf("%02X", b)[:1] + "? "
 		case 0xFF:
-			s = fmt.Sprintf("%02X ", b)
+			s += fmt.Sprintf("%02X ", b)
 		default:
 			panic(fmt.Errorf(`unexpected byte mask: "%0X"`, mask))
 		}
@@ -436,6 +440,7 @@ func (h *HexBytes) AsProto() *pb.BytesSequence {
 	return &pb.BytesSequence{
 		Value: h.Bytes,
 		Mask:  h.Masks,
+		Nots: h.Nots,
 	}
 }
 

gyp_test.go

@@ -419,7 +419,7 @@ rule foo {
 	`
 rule foo {
   strings:
-    $a = { 01 02 03 04 ?? AA B? ?C }
+    $a = { 01 02 ~03 04 ?? AA B? ?C }
   condition:
     $a
 }

hex/hex_grammar.y

@@ -40,11 +40,13 @@ const StringChainingThreshold int = 200
 type byteWithMask struct {
 	Value byte
 	Mask  byte
+	Not   bool
 }
 %}
 
 
 %token <bm> _BYTE_
+%token <bm> _NOT_BYTE_
 %token <bm> _MASKED_BYTE_
 %token <integer> _NUMBER_
 %token _LBRACE_
@@ -251,12 +253,14 @@ bytes
         $$ = &ast.HexBytes{
           Bytes: []byte{$1.Value},
           Masks: []byte{$1.Mask},
+          Nots: []bool{$1.Not},
         }
       }
     | bytes byte
       {
         $1.Bytes = append($1.Bytes, $2.Value)
         $1.Masks = append($1.Masks, $2.Mask)
+        $1.Nots = append($1.Nots, $2.Not)
       }
 
 
@@ -269,6 +273,10 @@ byte
       {
         $$ = $1
       }
+    | _NOT_BYTE_
+      {
+        $$ = $1
+      }
     ;
 
 %%