Esempio n. 1
0
        private void SetExternalVariables(ExternalVariables externalVariables)
        {
            if (!TestAllVariablesUnique(externalVariables, out string duplicates))
            {
                throw new InvalidDataException("Duplicate external variable names declared: " + duplicates);
            }

            foreach (KeyValuePair <string, string> variable in externalVariables.StringVariables)
            {
                ErrorUtility.ThrowOnError(
                    Methods.yr_scanner_define_string_variable(customScannerPtr, variable.Key, variable.Value));
            }

            foreach (KeyValuePair <string, long> variable in externalVariables.IntVariables)
            {
                ErrorUtility.ThrowOnError(
                    Methods.yr_scanner_define_integer_variable(customScannerPtr, variable.Key, variable.Value));
            }

            foreach (KeyValuePair <string, double> variable in externalVariables.FloatVariables)
            {
                ErrorUtility.ThrowOnError(
                    Methods.yr_scanner_define_float_variable(customScannerPtr, variable.Key, variable.Value));
            }

            foreach (KeyValuePair <string, bool> variable in externalVariables.BoolVariables)
            {
                ErrorUtility.ThrowOnError(
                    Methods.yr_scanner_define_boolean_variable(customScannerPtr, variable.Key, variable.Value == true ? 1 : 0));
            }
        }
Esempio n. 2
0
        public virtual List <ScanResult> ScanFile(string path, ExternalVariables externalVariables)
        {
            if (customScannerPtr == IntPtr.Zero)
            {
                throw new NullReferenceException("Custom Scanner has not been initialised");
            }

            if (!File.Exists(path))
            {
                throw new FileNotFoundException(path);
            }

            SetExternalVariables(externalVariables);

            YR_CALLBACK_FUNC  scannerCallback = new YR_CALLBACK_FUNC(HandleMessage);
            List <ScanResult> scanResults     = new List <ScanResult>();
            GCHandleHandler   resultsHandle   = new GCHandleHandler(scanResults);

            Methods.yr_scanner_set_callback(customScannerPtr, scannerCallback, resultsHandle.GetPointer());

            ErrorUtility.ThrowOnError(
                Methods.yr_scanner_scan_file(
                    customScannerPtr,
                    path
                    ));

            ClearExternalVariables(externalVariables);

            return(scanResults);
        }
Esempio n. 3
0
        public virtual List <ScanResult> ScanMemory(
            ref byte[] buffer,
            int length,
            ExternalVariables externalVariables,
            YR_SCAN_FLAGS flags)
        {
            YR_CALLBACK_FUNC  scannerCallback = new YR_CALLBACK_FUNC(HandleMessage);
            List <ScanResult> scanResults     = new List <ScanResult>();
            GCHandleHandler   resultsHandle   = new GCHandleHandler(scanResults);

            Methods.yr_scanner_set_callback(customScannerPtr, scannerCallback, resultsHandle.GetPointer());

            SetFlags(flags);
            SetExternalVariables(externalVariables);

            IntPtr btCpy = Marshal.AllocHGlobal(buffer.Length);;

            Marshal.Copy(buffer, 0, btCpy, (int)buffer.Length);

            ErrorUtility.ThrowOnError(
                Methods.yr_scanner_scan_mem(
                    customScannerPtr,
                    btCpy,
                    (ulong)length
                    ));

            ClearExternalVariables(externalVariables);

            return(scanResults);
        }
Esempio n. 4
0
        public virtual List <ScanResult> ScanFile(
            string path,
            CompiledRules rules,
            YR_SCAN_FLAGS flags)
        {
            if (!File.Exists(path))
            {
                throw new FileNotFoundException(path);
            }

            var results    = new List <ScanResult>();
            var nativePath = path;

            GCHandleHandler resultsHandle = new GCHandleHandler(results);

            ErrorUtility.ThrowOnError(
                Methods.yr_rules_scan_file(
                    rules.BasePtr,
                    nativePath,
                    (int)flags,
                    callbackPtr,
                    resultsHandle.GetPointer(),
                    YR_TIMEOUT));

            resultsHandle.Dispose();

            return(results);
        }
Esempio n. 5
0
        //YARA doesnt allow deletion of variables, this cleans them us as much as practical but
        //a new scanner should be created if it's imporant for them not to exist
        private void ClearExternalVariables(ExternalVariables externalVariables)
        {
            foreach (KeyValuePair <string, string> variable in externalVariables.StringVariables)
            {
                ErrorUtility.ThrowOnError(
                    Methods.yr_scanner_define_string_variable(customScannerPtr, variable.Key, String.Empty));
            }

            foreach (KeyValuePair <string, long> variable in externalVariables.IntVariables)
            {
                ErrorUtility.ThrowOnError(
                    Methods.yr_scanner_define_integer_variable(customScannerPtr, variable.Key, long.MinValue));
            }

            foreach (KeyValuePair <string, double> variable in externalVariables.FloatVariables)
            {
                ErrorUtility.ThrowOnError(
                    Methods.yr_scanner_define_float_variable(customScannerPtr, variable.Key, float.NegativeInfinity));
            }

            foreach (KeyValuePair <string, bool> variable in externalVariables.BoolVariables)
            {
                ErrorUtility.ThrowOnError(
                    Methods.yr_scanner_define_boolean_variable(customScannerPtr, variable.Key, 0));
            }
        }
Esempio n. 6
0
        public virtual List <ScanResult> ScanMemory(
            ref byte[] buffer,
            int length,
            CompiledRules rules,
            YR_SCAN_FLAGS flags)
        {
            var             results       = new List <ScanResult>();
            GCHandleHandler resultsHandle = new GCHandleHandler(results);

            IntPtr btCpy = Marshal.AllocHGlobal(buffer.Length);;

            Marshal.Copy(buffer, 0, btCpy, (int)buffer.Length);

            ErrorUtility.ThrowOnError(
                Methods.yr_rules_scan_mem(
                    rules.BasePtr,
                    btCpy,
                    (ulong)length,
                    (int)flags,
                    callbackPtr,
                    resultsHandle.GetPointer(),
                    YR_TIMEOUT));

            return(results);
        }
Esempio n. 7
0
        public CompiledRules(string filename)
        {
            IntPtr ptr = IntPtr.Zero;

            ErrorUtility.ThrowOnError(Methods.yr_rules_load(filename, ref ptr));
            BasePtr = ptr;
            ExtractRules();
        }
Esempio n. 8
0
        public CompiledRules Compile()
        {
            IntPtr rulesPtr = new IntPtr();

            ErrorUtility.ThrowOnError(
                Methods.yr_compiler_get_rules(compilerPtr, ref rulesPtr));

            return(new CompiledRules(rulesPtr));
        }
Esempio n. 9
0
        public Compiler()
        {
            ErrorUtility.ThrowOnError(Methods.yr_compiler_create(out compilerPtr));

            compilationErrors = new List <string>();

            compilerCallback = new YR_COMPILER_CALLBACK_FUNC(this.HandleError);

            Methods.yr_compiler_set_callback(compilerPtr, compilerCallback, IntPtr.Zero);
        }
Esempio n. 10
0
        public virtual List <ScanResult> ScanProcess(
            int processId,
            CompiledRules rules,
            YR_SCAN_FLAGS flags)
        {
            var             results       = new List <ScanResult>();
            GCHandleHandler resultsHandle = new GCHandleHandler(results);

            ErrorUtility.ThrowOnError(
                Methods.yr_rules_scan_proc(
                    rules.BasePtr,
                    processId,
                    (int)flags,
                    callbackPtr,
                    resultsHandle.GetPointer(),
                    YR_TIMEOUT));

            return(results);
        }
Esempio n. 11
0
 public bool Save(string filename)
 {
     ErrorUtility.ThrowOnError(Methods.yr_rules_save(BasePtr, filename));
     return(true);
 }
Esempio n. 12
0
 public YaraContext()
 {
     ErrorUtility.ThrowOnError(Methods.yr_initialize());
 }