private void SetExternalVariables(ExternalVariables externalVariables)
{
if (!TestAllVariablesUnique(externalVariables, out string duplicates))
{
throw new InvalidDataException("Duplicate external variable names declared: " + duplicates);
}
foreach (KeyValuePair <string, string> variable in externalVariables.StringVariables)
{
ErrorUtility.ThrowOnError(
Methods.yr_scanner_define_string_variable(customScannerPtr, variable.Key, variable.Value));
}
foreach (KeyValuePair <string, long> variable in externalVariables.IntVariables)
{
ErrorUtility.ThrowOnError(
Methods.yr_scanner_define_integer_variable(customScannerPtr, variable.Key, variable.Value));
}
foreach (KeyValuePair <string, double> variable in externalVariables.FloatVariables)
{
ErrorUtility.ThrowOnError(
Methods.yr_scanner_define_float_variable(customScannerPtr, variable.Key, variable.Value));
}
foreach (KeyValuePair <string, bool> variable in externalVariables.BoolVariables)
{
ErrorUtility.ThrowOnError(
Methods.yr_scanner_define_boolean_variable(customScannerPtr, variable.Key, variable.Value == true ? 1 : 0));
}
}
public virtual List <ScanResult> ScanFile(string path, ExternalVariables externalVariables)
{
if (customScannerPtr == IntPtr.Zero)
{
throw new NullReferenceException("Custom Scanner has not been initialised");
}
if (!File.Exists(path))
{
throw new FileNotFoundException(path);
}
SetExternalVariables(externalVariables);
YR_CALLBACK_FUNC scannerCallback = new YR_CALLBACK_FUNC(HandleMessage);
List <ScanResult> scanResults = new List <ScanResult>();
GCHandleHandler resultsHandle = new GCHandleHandler(scanResults);
Methods.yr_scanner_set_callback(customScannerPtr, scannerCallback, resultsHandle.GetPointer());
ErrorUtility.ThrowOnError(
Methods.yr_scanner_scan_file(
customScannerPtr,
path
));
ClearExternalVariables(externalVariables);
return(scanResults);
}
public virtual List <ScanResult> ScanMemory(
ref byte[] buffer,
int length,
ExternalVariables externalVariables,
YR_SCAN_FLAGS flags)
{
YR_CALLBACK_FUNC scannerCallback = new YR_CALLBACK_FUNC(HandleMessage);
List <ScanResult> scanResults = new List <ScanResult>();
GCHandleHandler resultsHandle = new GCHandleHandler(scanResults);
Methods.yr_scanner_set_callback(customScannerPtr, scannerCallback, resultsHandle.GetPointer());
SetFlags(flags);
SetExternalVariables(externalVariables);
IntPtr btCpy = Marshal.AllocHGlobal(buffer.Length);;
Marshal.Copy(buffer, 0, btCpy, (int)buffer.Length);
ErrorUtility.ThrowOnError(
Methods.yr_scanner_scan_mem(
customScannerPtr,
btCpy,
(ulong)length
));
ClearExternalVariables(externalVariables);
return(scanResults);
}
public virtual List <ScanResult> ScanFile(
string path,
CompiledRules rules,
YR_SCAN_FLAGS flags)
{
if (!File.Exists(path))
{
throw new FileNotFoundException(path);
}
var results = new List <ScanResult>();
var nativePath = path;
GCHandleHandler resultsHandle = new GCHandleHandler(results);
ErrorUtility.ThrowOnError(
Methods.yr_rules_scan_file(
rules.BasePtr,
nativePath,
(int)flags,
callbackPtr,
resultsHandle.GetPointer(),
YR_TIMEOUT));
resultsHandle.Dispose();
return(results);
}
//YARA doesnt allow deletion of variables, this cleans them us as much as practical but
//a new scanner should be created if it's imporant for them not to exist
private void ClearExternalVariables(ExternalVariables externalVariables)
{
foreach (KeyValuePair <string, string> variable in externalVariables.StringVariables)
{
ErrorUtility.ThrowOnError(
Methods.yr_scanner_define_string_variable(customScannerPtr, variable.Key, String.Empty));
}
foreach (KeyValuePair <string, long> variable in externalVariables.IntVariables)
{
ErrorUtility.ThrowOnError(
Methods.yr_scanner_define_integer_variable(customScannerPtr, variable.Key, long.MinValue));
}
foreach (KeyValuePair <string, double> variable in externalVariables.FloatVariables)
{
ErrorUtility.ThrowOnError(
Methods.yr_scanner_define_float_variable(customScannerPtr, variable.Key, float.NegativeInfinity));
}
foreach (KeyValuePair <string, bool> variable in externalVariables.BoolVariables)
{
ErrorUtility.ThrowOnError(
Methods.yr_scanner_define_boolean_variable(customScannerPtr, variable.Key, 0));
}
}
public virtual List <ScanResult> ScanMemory(
ref byte[] buffer,
int length,
CompiledRules rules,
YR_SCAN_FLAGS flags)
{
var results = new List <ScanResult>();
GCHandleHandler resultsHandle = new GCHandleHandler(results);
IntPtr btCpy = Marshal.AllocHGlobal(buffer.Length);;
Marshal.Copy(buffer, 0, btCpy, (int)buffer.Length);
ErrorUtility.ThrowOnError(
Methods.yr_rules_scan_mem(
rules.BasePtr,
btCpy,
(ulong)length,
(int)flags,
callbackPtr,
resultsHandle.GetPointer(),
YR_TIMEOUT));
return(results);
}
public CompiledRules(string filename)
{
IntPtr ptr = IntPtr.Zero;
ErrorUtility.ThrowOnError(Methods.yr_rules_load(filename, ref ptr));
BasePtr = ptr;
ExtractRules();
}
public CompiledRules Compile()
{
IntPtr rulesPtr = new IntPtr();
ErrorUtility.ThrowOnError(
Methods.yr_compiler_get_rules(compilerPtr, ref rulesPtr));
return(new CompiledRules(rulesPtr));
}
public Compiler()
{
ErrorUtility.ThrowOnError(Methods.yr_compiler_create(out compilerPtr));
compilationErrors = new List <string>();
compilerCallback = new YR_COMPILER_CALLBACK_FUNC(this.HandleError);
Methods.yr_compiler_set_callback(compilerPtr, compilerCallback, IntPtr.Zero);
}
public virtual List <ScanResult> ScanProcess(
int processId,
CompiledRules rules,
YR_SCAN_FLAGS flags)
{
var results = new List <ScanResult>();
GCHandleHandler resultsHandle = new GCHandleHandler(results);
ErrorUtility.ThrowOnError(
Methods.yr_rules_scan_proc(
rules.BasePtr,
processId,
(int)flags,
callbackPtr,
resultsHandle.GetPointer(),
YR_TIMEOUT));
return(results);
}
public bool Save(string filename)
{
ErrorUtility.ThrowOnError(Methods.yr_rules_save(BasePtr, filename));
return(true);
}
public YaraContext()
{
ErrorUtility.ThrowOnError(Methods.yr_initialize());
}