public void CheckStringNotMatchTest() { // Initialize yara context using (YaraContext ctx = new YaraContext()) { // Compile yara rules CompiledRules rules = null; using (var compiler = new Compiler()) { compiler.AddRuleString("rule foo: bar {strings: $a = \"nml\" condition: $a}"); rules = compiler.Compile(); } if (rules != null) { // Initialize the scanner var scanner = new Scanner(); List <ScanResult> scanResult = scanner.ScanString("abcdefgjiklmnoprstuvwxyz", rules); Assert.True(scanResult.Count == 0); } } }
public void CheckMemoryNotMatchTest() { // Initialize yara context using (YaraContext ctx = new YaraContext()) { // Compile yara rules CompiledRules rules = null; using (var compiler = new Compiler()) { compiler.AddRuleString("rule foo: bar {strings: $a = \"nml\" condition: $a}"); rules = compiler.Compile(); } if (rules != null) { // Initialize the scanner var scanner = new Scanner(); Encoding encoding = Encoding.ASCII; byte[] buffer = encoding.GetBytes("abcdefgjiklmnoprstuvwxyz"); List <ScanResult> scanResult = scanner.ScanMemory(ref buffer, rules); Assert.True(scanResult.Count == 0); } } }
public void CheckExternalVariableRuleTest() { // Initialize yara context using (YaraContext ctx = new YaraContext()) { using (var compiler = new Compiler()) { //must declare this or the compiler will complain it doesn't exist when a rule references it compiler.DeclareExternalStringVariable("filename"); //declare rule with an external variable available compiler.AddRuleString("rule foo: bar {strings: $a = \"lmn\" condition: $a and filename matches /\\.txt$/is}"); CompiledRules compiledRules = compiler.Compile(); Assert.True(compiledRules.RuleCount == 1); Encoding encoding = Encoding.ASCII; byte[] buffer = encoding.GetBytes("abcdefgjiklmnoprstuvwxyz"); // Initialize a customscanner we can add variables to var scanner = new CustomScanner(compiledRules); ExternalVariables externalVariables = new ExternalVariables(); externalVariables.StringVariables.Add("filename", "Alphabet.txt"); List <ScanResult> compiledScanResults = scanner.ScanMemory(ref buffer, externalVariables); Assert.True(compiledScanResults.Count == 1); Assert.Equal("foo", compiledScanResults[0].MatchingRule.Identifier); //release before falling out of the yara context scanner.Release(); } } }
static void Main(string[] args) { // Get list of yara rules string[] ruleFiles = Directory.GetFiles(@"e:\yara-db\rules\", "*.yara", SearchOption.AllDirectories) .ToArray(); // Get list of samples to check string[] samples = new[] { @"e:\malware-samples\", // directory @"e:\speficic-samples\sample1.exe" // file }; // Initialize yara context using (YaraContext ctx = new YaraContext()) { // Compile list of yara rules CompiledRules rules = null; using (var compiler = new Compiler()) { foreach (var yara in ruleFiles) { compiler.AddRuleFile(yara); } rules = compiler.Compile(); Console.WriteLine($"* Compiled"); } if (rules != null) { // Initialize the scanner var scanner = new Scanner(); // Go through all samples foreach (var sample in samples) { // If item is file, scan the file if (File.Exists(sample)) { ScanFile(scanner, sample, rules); } // If item is directory, scan the directory else { if (Directory.Exists(sample)) { DirectoryInfo dirInfo = new DirectoryInfo(sample); foreach (FileInfo fi in dirInfo.EnumerateFiles("*", SearchOption.AllDirectories)) { ScanFile(scanner, fi.FullName, rules); } } } } } } }
public void CheckSaveLoadRuleTest() { // Initialize yara context using (YaraContext ctx = new YaraContext()) { using (var compiler = new Compiler()) { compiler.AddRuleString("rule foo: bar {strings: $a = \"lmn\" condition: $a}"); CompiledRules compiledRules = compiler.Compile(); Assert.True(compiledRules.RuleCount == 1); Encoding encoding = Encoding.ASCII; byte[] buffer = encoding.GetBytes("abcdefgjiklmnoprstuvwxyz"); // Initialize the scanner var scanner = new Scanner(); List <ScanResult> compiledScanResults = scanner.ScanMemory(ref buffer, compiledRules); Assert.True(compiledScanResults.Count == 1); Assert.Equal("foo", compiledScanResults[0].MatchingRule.Identifier); //save the rule to disk string tempfile = System.IO.Path.GetTempFileName(); bool saved = compiledRules.Save(tempfile); Assert.True(saved); //load the saved rule to a new ruleset CompiledRules loadedRules = new CompiledRules(tempfile); List <ScanResult> loadedScanResults = scanner.ScanMemory(ref buffer, loadedRules); Assert.True(loadedScanResults.Count == 1); Assert.Equal("foo", loadedScanResults[0].MatchingRule.Identifier); System.IO.File.Delete(tempfile); } } }
public void CheckIterateRulesTest() { string ruleText = @"rule foo: bar { meta: bool_meta = true int_meta = 10 string_meta = ""what a long, drawn-out thing this is!"" strings: $a = ""nml"" condition: $a }"; // Initialize yara context using (YaraContext ctx = new YaraContext()) { // Compile yara rules CompiledRules rules = null; using (var compiler = new Compiler()) { compiler.AddRuleString(ruleText); rules = compiler.Compile(); } if (rules != null) { var rule = rules.Rules.ToList()[0]; Assert.NotEmpty(rules.Rules); Assert.Equal("foo", rule.Identifier); Assert.Equal("bar", rule.Tags[0]); Assert.Equal(true, rule.Metas["bool_meta"]); Assert.Equal((long)10, rule.Metas["int_meta"]); Assert.Equal("what a long, drawn-out thing this is!", rule.Metas["string_meta"]); } } }
public static void ScanFile(Scanner scanner, string filename, CompiledRules rules) { List <ScanResult> scanResults = scanner.ScanFile(filename, rules); foreach (ScanResult scanResult in scanResults) { string id = scanResult.MatchingRule.Identifier; if (scanResult.Matches.Count == 1) { Console.WriteLine( $"* Match found : \"{filename}\" for rule \"{id}.{scanResult.Matches.First().Key}\""); } else { Console.WriteLine($"* Match found : \"{filename}\" for rule \"{id}\":"); foreach (var vd in scanResult.Matches) { Console.WriteLine($" > Rule : \"{vd.Key}\""); } } } }
internal static bool ExecuteCmd(string command) { bool isManagedCmd = false; string[] commands = command.Split(' '); string cmdName = commands.First(); string[] args = commands.Skip(1).ToArray(); switch (cmdName) { case "exit": Environment.Exit(0); break; case "clear": Console.Clear(); isManagedCmd = true; break; case "yadd": isManagedCmd = true; CmdAddRules(args); break; case "sadd": isManagedCmd = true; CmdAddSamples(args); break; case "ycompile": isManagedCmd = true; using (var compiler = new Compiler()) { foreach (var yara in yaras.Distinct()) { var err = ScanHelper.CheckRule(yara); if (err == YARA_ERROR.SUCCESS) { try { compiler.AddRuleFile(yara); Console.WriteLine($":Added {yara}"); } catch (Exception e) { Console.WriteLine($"!Exception adding \"{yara}\": {e.Message}"); } } else { Console.WriteLine($"!Exception adding \"{yara}\": {err}"); } } try { rules = compiler.Compile(); Console.WriteLine($"* Compiled"); } catch (Exception e) { Console.WriteLine($"!Exception compiling rules: {e.Message}"); } } break; case "run": isManagedCmd = true; CmdRun(); break; } return(isManagedCmd); }
public bool Qualifies(T item) { return(CompiledRules.All(rule => rule(item))); }