static void Main(string[] args)
{
// Get list of yara rules
string[] ruleFiles = Directory.GetFiles(@"e:\yara-db\rules\", "*.yara", SearchOption.AllDirectories)
.ToArray();
// Get list of samples to check
string[] samples = new[]
{
@"e:\malware-samples\", // directory
@"e:\speficic-samples\sample1.exe" // file
};
// Initialize yara context
using (YaraContext ctx = new YaraContext())
{
// Compile list of yara rules
CompiledRules rules = null;
using (var compiler = new Compiler())
{
foreach (var yara in ruleFiles)
{
compiler.AddRuleFile(yara);
}
rules = compiler.Compile();
Console.WriteLine($"* Compiled");
}
if (rules != null)
{
// Initialize the scanner
var scanner = new Scanner();
// Go through all samples
foreach (var sample in samples)
{
// If item is file, scan the file
if (File.Exists(sample))
{
ScanFile(scanner, sample, rules);
}
// If item is directory, scan the directory
else
{
if (Directory.Exists(sample))
{
DirectoryInfo dirInfo = new DirectoryInfo(sample);
foreach (FileInfo fi in dirInfo.EnumerateFiles("*", SearchOption.AllDirectories))
{
ScanFile(scanner, fi.FullName, rules);
}
}
}
}
}
}
}
/*~DetectWithYara()
* {
* if(_compiledRules != null)
* _compiledRules.Dispose();
* }*/
#endregion
#region Methods
/// <summary>
/// Loads yara rules and run tests
/// </summary>
private void LoadYaraRules()
{
//Load rules from files
this._yaraRules = Directory.GetFiles(this._pathToRules, "*.yara", SearchOption.AllDirectories).ToArray();
this._results.Clear();
try
{
using (var ctx = new YaraContext())
{
Rules rules = null;
// Rules and Compiler objects must be disposed.
using (var compiler = new Compiler())
{
//string path = Path.Combine(this._pathToRules, "packer.yara");
foreach (var path in _yaraRules)
{
//Console.WriteLine(path);
compiler.AddRuleFile(path);
}
rules = compiler.GetRules();
}
// Scanner and ScanResults do not need to be disposed.
var scanner = new Scanner();
var results = scanner.ScanFile(this._filename, rules);
foreach (var a in results)
{
//Console.WriteLine(a.MatchingRule.Identifier);
this._results.Add(a.MatchingRule.Identifier.ToString());
}
// Rules and Compiler objects must be disposed.
if (rules != null)
{
rules.Dispose();
}
}
}
catch (Exception e)
{
Debug.WriteLine(e.ToString());
}
}
private Rules CompileRules(List <string> yaraRuleFiles)
{
Rules result = null;
Compiler compiler = new Compiler();
foreach (string file in yaraRuleFiles)
{
compiler.AddRuleFile(file);
}
result = compiler.GetRules();
compiler.Dispose();
return(result);
}
static void Main(string[] args)
{
// Use the QuickScan class when you don't need to reuse rules
// or other yara objects. QuickScan handles all of the resource
// management including the YaraContext.
// var results = QuickScan.File(".\\SampleFile.txt", ".\\HelloWorldRules.yara");
// When you need to reuse yara objects (e.g. when scanning multiple files) it's
// more efficient to use the pattern below. Note that all yara operations must
// take place within the scope of a YaraContext.
using (var ctx = new YaraContext())
{
Rules rules = null;
try
{
// Rules and Compiler objects must be disposed.
using (var compiler = new Compiler())
{
compiler.AddRuleFile(".\\HelloWorldRules.yara");
rules = compiler.GetRules();
}
// Scanner and ScanResults do not need to be disposed.
var scanner = new Scanner();
var results = scanner.ScanFile(".\\SampleFile.txt", rules);
}
finally
{
// Rules and Compiler objects must be disposed.
if (rules != null)
{
rules.Dispose();
}
}
}
}
public List <ScanResult> YaraScan(string RulesFile, bool IncludeData = false, bool KernelSpace = false)
{
var rv = new List <ScanResult>();
using (var ctx = new YaraContext())
{
Rules rules = null;
try
{
// Rules and Compiler objects must be disposed.
using (var compiler = new Compiler())
{
compiler.AddRuleFile(RulesFile);
rules = compiler.GetRules();
}
PageTable.AddProcess(this, MemAccess);
//var cnt = PT.FillPageQueue(false, KernelSpace);
var curr = 0;
YaraTotalScanned = 0;
// single threaded worked best so far
//Parallel.For(0, cnt, (i, loopState) => x
foreach (var range in PT.FillPageQueue(false, KernelSpace, true, false))
//for (int i = 0; i < cnt; i++)
{
curr++;
if (Vtero.VerboseLevel > 1)
{
//var curr = cnt - PT.PageQueue.Count;
//var done = Convert.ToDouble(curr) / Convert.ToDouble(cnt) * 100.0;
Console.CursorLeft = 0;
Console.Write($"{curr} scanned");
}
if (range.PTE.Valid)
{
// skip data as requested
if (!IncludeData && range.PTE.NoExecute)
{
continue;
}
// Scanner and ScanResults do not need to be disposed.
var scanner = new libyaraNET.Scanner();
unsafe
{
long[] block = null;
bool GotData = false;
if (range.PTE.LargePage)
{
block = new long[0x40000];
}
else
{
block = new long[0x200];
}
MemAccess.GetPageForPhysAddr(range.PTE, ref block, ref GotData);
if (GotData)
{
fixed(void *lp = block)
{
var res = scanner.ScanMemory((byte *)lp, block.Length, rules, ScanFlags.None);
rv.AddRange(res);
YaraTotalScanned += block.Length;
}
}
}
}
}
}
finally
{
// Rules and Compiler objects must be disposed.
if (rules != null)
{
rules.Dispose();
}
}
}
YaraOutput = rv;
return(YaraOutput);
}
internal static bool ExecuteCmd(string command)
{
bool isManagedCmd = false;
string[] commands = command.Split(' ');
string cmdName = commands.First();
string[] args = commands.Skip(1).ToArray();
switch (cmdName)
{
case "exit":
Environment.Exit(0);
break;
case "clear":
Console.Clear();
isManagedCmd = true;
break;
case "yadd":
isManagedCmd = true;
CmdAddRules(args);
break;
case "sadd":
isManagedCmd = true;
CmdAddSamples(args);
break;
case "ycompile":
isManagedCmd = true;
using (var compiler = new Compiler())
{
foreach (var yara in yaras.Distinct())
{
var err = ScanHelper.CheckRule(yara);
if (err == YARA_ERROR.SUCCESS)
{
try
{
compiler.AddRuleFile(yara);
Console.WriteLine($":Added {yara}");
} catch (Exception e)
{
Console.WriteLine($"!Exception adding \"{yara}\": {e.Message}");
}
}
else
{
Console.WriteLine($"!Exception adding \"{yara}\": {err}");
}
}
try
{
rules = compiler.Compile();
Console.WriteLine($"* Compiled");
}
catch (Exception e)
{
Console.WriteLine($"!Exception compiling rules: {e.Message}");
}
}
break;
case "run":
isManagedCmd = true;
CmdRun();
break;
}
return(isManagedCmd);
}
