static void Main(string[] args)
{
// Get Version
Version DllVersion = YSInstance.GetVersion();
// All API calls happens here
YSInstance instance = new YSInstance();
// Get list of YARA rules
List <string> ruleFilenames = Directory.GetFiles(@"D:\Test\yara", "*.yar", SearchOption.AllDirectories).ToList();
// Declare external variables (could be null)
Dictionary <string, object> externals = new Dictionary <string, object>()
{
{ "filename", string.Empty },
{ "filepath", string.Empty },
{ "extension", string.Empty }
};
// Context is where yara is initialized
// From yr_initialize() to yr_finalize()
using (YSContext context = new YSContext())
{
// Compiling rules
using (YSCompiler compiler = instance.CompileFromFiles(ruleFilenames, externals))
{
// Get compiled rules
YSRules rules = compiler.GetRules();
// Get errors
YSReport errors = compiler.GetErrors();
// Get warnings
YSReport warnings = compiler.GetWarnings();
// Some file to test yara rules
string Filename = @"";
// Get matches
List <YSMatches> Matches = instance.ScanFile(Filename, rules,
new Dictionary <string, object>()
{
{ "filename", Alphaleonis.Win32.Filesystem.Path.GetFileName(Filename) },
{ "filepath", Alphaleonis.Win32.Filesystem.Path.GetFullPath(Filename) },
{ "extension", Alphaleonis.Win32.Filesystem.Path.GetExtension(Filename) }
},
0);
// Iterate over matches
foreach (YSMatches Match in Matches)
{
//...
}
}
// Log errors
}
}
public YaraScanner(string rulesPath)
{
List <string> mRuleFilenames = Directory.GetFiles(rulesPath, "*.yar", System.IO.SearchOption.AllDirectories).ToList();
for (int index = 0; index < mRuleFilenames.Count; index++)
{
mRuleFilenames[index] = mRuleFilenames[index].Replace("\\", "/");
}
YSCompiler YSCompiler = YSInstance.CompileFromFiles(mRuleFilenames, null);
YSRules = YSCompiler.GetRules();
}
public static void Init()
{
Connector.Logger.WriteLine("[YaraIntegration.Init] Start");
Instance = new YSInstance();
Dictionary <string, object> externals = new Dictionary <string, object>()
{
{ "filename", string.Empty },
{ "filepath", string.Empty },
{ "extension", string.Empty }
};
Connector.Logger.WriteLine("[YaraIntegration.Init] Загрука YARA правил");
List <string> ruleFilenames = Directory.GetFiles(MODULE__SCAN.Configuration.YaraRulesDir, "*.yar", MODULE__SCAN.Configuration.YaraRulesSearchOption).ToList();
Connector.Logger.WriteLine($"[YaraIntegration.Init] Загружено {ruleFilenames.Count} файлов ");
Context = new YSContext();
Compiler = Instance.CompileFromFiles(ruleFilenames, externals);
Rules = Compiler.GetRules();
Errors = Compiler.GetErrors();
Warnings = Compiler.GetWarnings();
var ErrDump = Errors.Dump();
var WrnDump = Warnings.Dump();
foreach (var key in ErrDump)
{
Connector.Logger.WriteLine($"[YaraIntegration.Init] Error!");
}
foreach (var key in WrnDump)
{
Connector.Logger.WriteLine($"[YaraIntegration.Init] Warning!");
}
Connector.Logger.WriteLine($"[YaraIntegration.Init] Загрузка завершена");
}
public static YSScanner CompileRules(List <string> yaraRuleFiles, Action <string> loggingFunction)
{
YSRules result = null;
using (YSCompiler compiler = _yaraInstance.CompileFromFiles(yaraRuleFiles, null))
{
string yaraWarnings = string.Empty;
string yaraErrors = string.Empty;
YSReport warnings = compiler.GetWarnings();
if (!warnings.IsEmpty())
{
yaraWarnings = string.Join(Environment.NewLine,
warnings.Dump().Select(kvp => $"{kvp.Key}:" + Environment.NewLine + string.Join(Environment.NewLine + "\t", kvp.Value)));
}
if (!string.IsNullOrWhiteSpace(yaraWarnings))
{
loggingFunction.Invoke("YARA reported warnings.");
loggingFunction.Invoke(yaraWarnings);
loggingFunction.Invoke("");
}
YSReport errors = compiler.GetErrors();
if (!errors.IsEmpty())
{
yaraErrors = string.Join(Environment.NewLine,
errors.Dump().Select(kvp => $"{kvp.Key}:" + Environment.NewLine + string.Join(Environment.NewLine + "\t", kvp.Value)));
yaraErrors += Environment.NewLine;
}
if (!string.IsNullOrWhiteSpace(yaraErrors))
{
throw new Exception("YARA reported errors compiling rules:" + Environment.NewLine + yaraErrors);
}
result = compiler.GetRules();
}
return(new YSScanner(result, null));
}
public void CheckWarningsStillScan()
{
string inputFileBase = "CheckWarningStillScans";
string yaraRuleFile = Path.Combine(TestDataDirectory, $"{inputFileBase}.yar");
string yaraInputFile = Path.Combine(TestDataDirectory, $"{inputFileBase}.txt");
YSInstance yaraInstance = new YSInstance();
using (YSContext context = new YSContext())
{
using (YSCompiler compiler = new YSCompiler(null))
{
compiler.AddFile(yaraRuleFile);
YSReport compilerErrors = compiler.GetErrors();
YSReport compilerWarnings = compiler.GetWarnings();
YSScanner scanner = new YSScanner(compiler.GetRules(), null);
Assert.IsTrue(scanner.ScanFile(yaraInputFile).Any(r => r.Rule.Identifier == "WarningRule"));
}
}
}
private void InitializeYara()
{
var externals = new Dictionary <string, object>()
{
{ "filename", string.Empty },
{ "filepath", string.Empty },
{ "extension", string.Empty }
};
var ruleFilenames = System.IO.Directory.GetFiles(Path.Combine(AppContext.BaseDirectory, "rules"), "*.yara").ToList();
using (YSContext context = new YSContext())
{
using (YSCompiler compiler = ysInstance.CompileFromFiles(ruleFilenames, externals))
{
YSRules rules = compiler.GetRules();
YSReport errors = compiler.GetErrors();
YSReport warnings = compiler.GetWarnings();
}
}
}
/// <summary>
/// Forward user to form where he can check if his file is malicious.
/// </summary>
///
/// <param name="sender"></param>
/// <param name="e"></param>
private void IsThisMaliciousSign_MouseClick(object sender, MouseEventArgs e)
{
// TODO: only for clamp database.
// Get path to \Downloads folder.
string downloadsPath = KnownFolders.Downloads.Path;
DialogResult result = this.chooseFileToDetermineIfMaliciousDialog.ShowDialog(); // Show the dialog.
if (result == DialogResult.OK) // Test result.
{
string file = this.chooseFileToDetermineIfMaliciousDialog.FileName;
string script = "../../../../[PYTHON]/extractFeatures.py";
#region handle non-english charachters in path
// Move script to \Downloads.
File.Copy(Path.GetFullPath(script).Replace("/", @"\\"), downloadsPath + @"\\" + Path.GetFileName(script), true);
// Move file to \Downloads.
File.Copy(file, downloadsPath + @"\\" + Path.GetFileName(file), true);
var targetDirPath = new DirectoryInfo(downloadsPath + @"\\Python");
var sourceDirPath = new DirectoryInfo(Path.GetFullPath("../../../../[PYTHON]/Python/"));
CopyAll(targetDirPath, sourceDirPath);
script = downloadsPath + @"\\" + Path.GetFileName(script);
string outputFile = (downloadsPath + @"\" + Path.GetFileName(file) + rand.Next(10000).ToString() + "_clamp_features.csv").ToString();
#endregion
#region extract features with python script
try
{
// Create process info.
var psi = new ProcessStartInfo();
// Location to python.
psi.FileName = Path.GetFullPath(@"../../../../[PYTHON]/Python/python.exe").ToString();
// Provide script and arguments.
psi.Arguments = string.Format("{0} {1} {2}", script, downloadsPath + @"\\" + Path.GetFileName(file), outputFile);
// Process configuration.
psi.UseShellExecute = false;
psi.CreateNoWindow = true;
psi.RedirectStandardOutput = true;
psi.RedirectStandardError = true;
// Execute process and get output.
var errors = "";
var results = "";
// Execute script.
using (var process = Process.Start(psi))
{
errors = process.StandardError.ReadToEnd();
results = process.StandardOutput.ReadToEnd();
}
if (errors != "")
{
throw new Exception("[IsThisMaliciousSign_MouseClick]\r\n" + errors);
}
}
catch (IOException)
{
throw new Exception("[UploadSign_MouseClick] Coudn't process the file.");
}
#endregion
int packed = 0;
string packer = "NoPacker";
#region find out packer and packer type using YaraSharp
// All API calls happens here.
YSInstance instance = new YSInstance();
// Declare external variables (could be null).
Dictionary <string, object> externals = new Dictionary <string, object>()
{
{ "filename", string.Empty },
{ "filepath", string.Empty },
{ "extension", string.Empty }
};
// Get list of YARA rules.
List <string> rulesFile = new List <string>();
// Download rules (peid.yara) to users computer since YaraSharp can't read non-english charachters in file path.
WebClient Client = new WebClient();
Client.DownloadFile(new Uri("https://raw.githubusercontent.com/urwithajit9/ClaMP/master/scripts/peid.yara"), downloadsPath + @"\peid.yara");
rulesFile.Add(Path.GetFullPath(downloadsPath + @"\peid.yara").ToString());
// Context is where yara is initialized.
// From yr_initialize() to yr_finalize().
using (YSContext context = new YSContext())
{
// Compiling rules.
using (YSCompiler compiler = instance.CompileFromFiles(rulesFile, externals))
{
// Get compiled rules.
YSRules rules = compiler.GetRules();
// Get errors.
YSReport errors = compiler.GetErrors();
// Get warnings.
YSReport warnings = compiler.GetWarnings();
// Some file to test yara rules.
string Filename = file;
// Get matches.
List <YSMatches> Matches = instance.ScanFile(Filename, rules,
new Dictionary <string, object>()
{
{ "filename", Path.GetFileName(Filename) },
{ "filepath", Path.GetFullPath(Filename) },
{ "extension", Path.GetExtension(Filename) }
},
0);
// Get packer name if packed.
if (Matches.Count > 0)
{
packed = 1;
packer = Matches[0].Rule.Identifier;
}
}
}
#endregion
#region determine if file is malicious using best model so far
DataTable fileFeatures = new DataTable();
#region csv to datatable
using (StreamReader sr = new StreamReader(outputFile))
{
string[] headers = sr.ReadLine().Split(',');
foreach (string header in headers)
{
fileFeatures.Columns.Add(header);
}
while (!sr.EndOfStream)
{
string[] rows = sr.ReadLine().Split(',');
if (rows[0] == "")
{
continue;
}
DataRow dr = fileFeatures.NewRow();
for (int i = 0; i < headers.Length; i++)
{
if (headers[i] == "packer")
{
dr[i] = packed;
continue;
}
if (headers[i] == "packer_type")
{
dr[i] = packer;
continue;
}
dr[i] = rows[i];
}
fileFeatures.Rows.Add(dr);
}
}
#endregion
double evaluation = this.detection.model.symbolicTree.Evaluate(fileFeatures.Rows[0]);
if (evaluation >= 0)
{
string mnok = "Your file is malicious!";
CustomDialogBox dialog = new CustomDialogBox("Malicious", mnok, global::antico.Properties.Resources.nok_shield, MessageBoxButtons.OK);
dialog.ShowDialog();
}
else
{
string mok = "Your file is benign!";
CustomDialogBox dialog = new CustomDialogBox("Benign", mok, global::antico.Properties.Resources.ok_shield, MessageBoxButtons.OK);
dialog.ShowDialog();
}
#endregion
#region handle non-english charachters in path
// Delete and move files at the end.
if (File.Exists(downloadsPath + @"\\" + Path.GetFileName(script)))
{
// Delete script from \Downloads directory.
File.Delete(downloadsPath + @"\\" + Path.GetFileName(script));
}
if (File.Exists(outputFile))
{
// Move file to its true destination.
File.Move(outputFile, @"..\\..\\..\\..\\[PYTHON]\\ExtractedFeatures\\" + Path.GetFileName(outputFile));
}
if (File.Exists(downloadsPath + @"\\" + Path.GetFileName(file)))
{
File.Delete(downloadsPath + @"\\" + Path.GetFileName(file));
}
if (Directory.Exists(downloadsPath + @"\\Python"))
{
Directory.Delete(downloadsPath + @"\\Python", true);
}
#endregion
// Delete downloaded peid.yara file.
if (File.Exists(downloadsPath + @"\peid.yara"))
{
File.Delete(downloadsPath + @"\peid.yara");
}
}
}
