I wrote condition in YARA rule like this pe.entry_point == {12 A5 26} but I am getting unexpected _HEX_STRING_ error. What is the problem? How can I get address of entry_point? What is the type of output of pe.entry_point?
pe.entry_point is a DWORD found in IMAGE_OPTIONAL_HEADER.
The implementation of this function (that is, how Yara retrieves the pe.entry_point value from portable executable files) is available on the Yara Github page.
Regarding the error you encountered, try changing the rule to pe.entry_point == 0x12A526. I'm basing this suggestion off the sample test rule here.
Related
(It's been a while since I've been here.)
I've been using the first version of PHRets v1 for years, and understood it well enough to get by, but now I'm trying to understand the advantages of v2.6.2. I've got it all installed and the basics are working fine. My issues are pretty much with comprehending fine points of query syntax that goes into the rets=>Search() statement. (I'm much more familiar with SQL statements). Specifically, I'd like to have a query return a list of properties, EXCLUDING those which already have the status of "Sold".
Here's where I am stuck: If I start with this
`$results = $rets->Search('Property', 'A','*',['Select' => 'LIST_8,LIST_105,LIST_15,LIST_19,listing_office_shortid']);`
That works well enough. BUT I'd like to fit in a filter like:
"LIST_15 != Sold", or "NOT LIST_15=Sold"...something like that. I don't get how to fit/type that into a PHRets Search().
I like PHRets but it is so hard to find well-organized/complete documentation about specific things like this. Thanks in advance.
As in my comment above I've figured out that the filter goes in the third argument position ('*', as in the original question). The tricky thing was having to find a specific "sold" code for each class of properties and placing it in that position like so: '(LIST_15=~B4ZIT1Y75TZ)', (notice the =~ combination of characters that means "does not equal" in this context). I've found the code strings for each of the property types (not clear WHY they would need to be unique for each type of property: "Sold" is Sold for any type, after all) but the correct code for a single-family residential property (type 'A' ...at least for the MLS in which I have to search is:
$results = $rets->Search('Property', 'A','(LIST_15=~B4ZIT1Y75TZ)',['Select' => 'LIST_8,LIST_105,LIST_15,LIST_19,listing_office_shortid']);
(again, the code to go with LIST_15 will be different for the different types of properties.) I think there is a better answer that involves more naturalistic language, but this works and I guess I will have to be satisfied with it for now. I hope this is of some use to anyone else struggling with this stuff.
I intent to use gsdll32 to display postscript in a Win32 window (not ghostview).
I need help with the parameters needed by gsdll_init_with_args.
The function immediately returns error -0x12 or -0x100.
I tried several parameter combinations in various sequences:
-sDisplayFormat=16#030804
-dDisplayHandle="1234"
-dDisplayResolution=96
-sDEVICE=display
postscriptfile.ps
As a second question:
What should the parameters be if I want to pipe in the postscript data programmatically ?
Examples would be nice.
Seppe
The supplied source code for Windows uses gs_dll_init_with_args(). If you look in /ghostpdl/psi/dwmain.c, function new_main(int argc, char *argv) then at about line 328 you can see the call happening.
You can follow this through in a debugger to see what the arguments look like (they get sanitised before arriving here). Get it to work the way you want on the command line, then break here with those arguments and you can see what your own code should be providing.
To send the data buffer-by-buffer, we don't have an example. However, you start by calling gsapi_run_string_begin(), then repeatedly calling gsapi_run_string_continue() until you exhaust the data, then call gsapi_run_string_end(). Obviously you will have to check the return code to see if an error occurred.
Finally; please check the AGPL to be sure you can conform to the license restrictions.
In the "Apple LLVM 7.0 - Preprocessing" section under the "Build Settings" tab, I've defined a Preprocessor Macros as:
STR(arg)=#arg
HUBNAME=STR("myhub")
HUBLISTENACCESS=STR("Endpoint=sb://abc-xyz.servicebus.windows.net/;SharedAccessKeyName=DefaultListenSharedAccessSignature;SharedAccessKey=JKLMNOP=")
In my code, I'm trying to refer to the value of HUBLISTENACCESS as a string:
SBNotificationHub* hub = [[SBNotificationHub alloc] initWithConnectionString:#HUBLISTENACCESS notificationHubPath:#HUBNAME];
But I'm getting errors from Xcode for the initialization of "hub":
Expected ';' at end of declaration
Unterminated function-like macro invocation
Unexpected '#' in program
I suspect that the definition of HUBLISTENACCESS in the Preprocessor Macros needs to be properly escaped but I've tried a few things and can't seem to get it right. Can somebody help me understand what I'm doing wrong?
There's one very obvious reason why you were trying to do failed: you use // in the HUBLISTENACCESS. As in C, things after // were commented out so in the aspect of the compiler, the last line of yours is actually:
HUBLISTENACCESS=STR("Endpoint=sb:
To test it, just remove one slash and it will work again. What you were doing like trying to define things as such:
#define FOO //
which I don't think it's possible. I honestly have no idea how you can do that within the Build Settings, but there are other ways to do it globally via a PCH file (prefix header).
A simple line within the PCH will will save all those troubles:
#define HUBLISTENACCESS #"Endpoint=sb://abc-xyz.servicebus.windows.net/;SharedAccessKeyName=DefaultListenSharedAccessSignature;SharedAccessKey=JKLMNOP="
Then use it as below: (no more # needed!)
NSLog(#"%#", HUBLISTENACCESS);
Is it possible to extract the first and follow sets from a rule using ANTLR4? I played around with this a little bit in ANTLR3 and did not find a satisfactory solution, but if anyone has info for either version, it would be appreciated.
I would like to parse user input up the user's cursor location and then provide a list of possible choices for auto-completion. At the moment, I am not interested in auto-completing tokens which are partially entered. I want to display all possible following tokens at some point mid-parse.
For example:
sentence:
subjects verb (adverb)? '.' ;
subjects:
firstSubject (otherSubjects)* ;
firstSubject:
'The' (adjective)? noun ;
otherSubjects:
'and the' (adjective)? noun;
adjective:
'small' | 'orange' ;
noun:
CAT | DOG ;
verb:
'slept' | 'ate' | 'walked' ;
adverb:
'quietly' | 'noisily' ;
CAT : 'cat';
DOG : 'dog';
Given the grammar above...
If the user had not typed anything yet the auto-complete list would be ['The'] (Note that I would have to retrieve the FIRST and not the FOLLOW of rule sentence, since the follow of the base rule is always EOF).
If the input was "The", the auto-complete list would be ['small', 'orange', 'cat', 'dog'].
If the input was "The cat slept, the auto-complete list would be ['quietly', 'noisily', '.'].
So ANTLR3 provides a way to get the set of follows doing this:
BitSet followSet = state.following[state._fsp];
This works well. I can embed some logic into my parser so that when the parser calls the rule at which the user is positioned, it retrieves the follows of that rule and then provides them to the user. However, this does not work as well for nested rules (For instance, the base rule, because the follow set ignores and sub-rule follows, as it should).
I think I need to provide the FIRST set if the user has completed a rule (this could be hard to determine) as well as the FOLLOW set of to cover all valid options. I also think I will need to structure my grammar such that two tokens are never subsequent at the rule level.
I would have break the above "firstSubject" rule into some sub rules...
from
firstSubject:
'The'(adjective)? CAT | DOG;
to
firstSubject:
the (adjective)? CAT | DOG;
the:
'the';
I have yet to find any information on retrieving the FIRST set from a rule.
ANTLR4 appears to have drastically changed the way it works with follows at the level of the generated parser, so at this point I'm not really sure if I should continue with ANTLR3 or make the jump to ANTLR4.
Any suggestions would be greatly appreciated.
ANTLRWorks 2 (AW2) performs a similar operation, which I'll describe here. If you reference the source code for AW2, keep in mind that it is only released under an LGPL license.
Create a special token which represents the location of interest for code completion.
In some ways, this token behaves like the EOF. In particular, the ParserATNSimulator never consumes this token; a decision is always made at or before it is reached.
In other ways, this token is very unique. In particular, if the token is located at an identifier or keyword, it is treated as though the token type was "fuzzy", and allowed to match any identifier or keyword for the language. For ANTLR 4 grammars, if the caret token is located at a location where the user has typed g, the parser will allow that token to match a rule name or the keyword grammar.
Create a specialized ATN interpreter that can return all possible parse trees which lead to the caret token, without looking past the caret for any decision, and without constraining the exact token type of the caret token.
For each possible parse tree, evaluate your code completion in the context of whatever the caret token matched in a parser rule.
The union of all the results found in step 3 is a superset of the complete set of valid code completion results, and can be presented in the IDE.
The following describes AW2's implementation of the above steps.
In AW2, this is the CaretToken, and it always has the token type CARET_TOKEN_TYPE.
In AW2, this specialized operation is represented by the ForestParser<TParser> interface, with most of the reusable implementation in AbstractForestParser<TParser> and specialized for parsing ANTLR 4 grammars for code completion in GrammarForestParser.
In AW2, this analysis is performed primarily by GrammarCompletionQuery.TaskImpl.runImpl(BaseDocument).
I have been going mad trying to figure out why my scripts weren't working, until I started copying and pasting sample source code directly from a few websites only to have it fail there as well. I am getting the following error in my VBScripts:
C:\temp\vbs\script.vbs(19, 53) Microsoft VBScript compilation error: Expected statement'
For a line of code that looks like this:
wdoc.Application.Selection.Find.Execute Replace:=wdReplaceAll
This is interfacing with Microsft Word in Office 2007 to conduct a search and replace. Index 53 point directly to the := part of the assignment. Since this type of syntax doesn't work on my machine and I am using it from several websites, I was wondering if the cscript.exe I use is out of date.
Am I not calling cscript properly?
Named arguments (Param:=Value) are Visual Basic and VBA feature; this syntax isn't supported in VBScript.
In VBScript, you need to preserve the actual order of a routine's arguments. If a specific argument is optional and you want to use its default value, you need to simply omit that argument. So, your code should look like this:
Const wdReplaceAll = 2
wdoc.Application.Selection.Find.Execute , , , , , , , , , , wdReplaceAll