/// <summary>
/// Compiles the on-match rules of every configured YARA filter once, purely to check
/// that they compile, and disposes each resulting scanner straight away.
/// </summary>
/// <param name="parameters">
/// Enumeration parameters supplying the YARA filters and the reporting callbacks.
/// </param>
/// <remarks>
/// A compilation failure is reported through <c>ReportExceptionFunction</c> and then
/// rethrown, so the first failing filter stops the check. Each filter's rules are
/// compiled on their own here; the combined rule sets built later by
/// <c>GetCompiledYaraRules</c> are not compiled by this method.
/// </remarks>
private static void YaraRulesCompileTest(FileEnumeratorParameters parameters)
{
    if (!parameters.YaraParameters.Any())
    {
        // No YARA filters configured: nothing to validate.
        return;
    }

    foreach (YaraFilter yaraFilter in parameters.YaraParameters)
    {
        YSScanner scanner;

        try
        {
            scanner = YaraHelper.CompileRules(yaraFilter.OnMatchRules, parameters.ReportAndLogOutputFunction);
        }
        catch (Exception ex)
        {
            // Surface the failure to the operator, then propagate it with the original stack trace.
            parameters.ReportExceptionFunction.Invoke(nameof(YaraRulesCompileTest), string.Empty, ex);
            throw;
        }

        // The scanner was only needed to prove the rules compile; release it immediately.
        scanner?.Dispose();
    }
}
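/// <summary>
/// Returns the compiled YARA scanner for the rule set selected by the configured
/// filters for the current instance, compiling and caching it on first use.
/// </summary>
/// <param name="parameters">
/// Enumeration parameters supplying the YARA filters and the reporting callbacks.
/// </param>
/// <returns>
/// The cached or newly compiled scanner, or <c>null</c> when no rules were selected
/// or when compilation of the selected rule set failed.
/// </returns>
/// <remarks>
/// Rule selection: every filter's <c>ProcessRule(this)</c> result is collected; if that
/// yields nothing, the on-match rules of filters of type <c>ElseNoMatch</c> are used.
/// The de-duplicated, sorted rule list is joined with '|' and SHA-256 hashed to form
/// the cache key.
/// Failure handling: a compilation exception is reported through
/// <c>ReportExceptionFunction</c> but not rethrown, and the resulting <c>null</c> is
/// stored in the cache, so later calls for the same rule set return <c>null</c>
/// without retrying and without a further report.
/// NOTE(review): a <c>null</c> return covers both "no rules selected" and
/// "compilation failed"; confirm callers do not treat the latter as a clean scan.
/// </remarks>
private YSScanner GetCompiledYaraRules(FileEnumeratorParameters parameters)
{
    YSScanner results = null;

    using (var timer = new TimingMetrics(TimingMetric.YaraRuleCompiling))
    {
        List<YaraFilter> yaraFilters = parameters.YaraParameters;

        List<string> distinctRulesToRun = yaraFilters
            .SelectMany(yf => yf.ProcessRule(this))
            .Distinct()
            .ToList();

        if (distinctRulesToRun.Count == 0)
        {
            // Nothing matched: fall back to the rules attached to ElseNoMatch filters.
            distinctRulesToRun = yaraFilters
                .Where(yf => yf.FilterType == YaraFilterType.ElseNoMatch)
                .SelectMany(yf => yf.OnMatchRules)
                .Distinct()
                .ToList();
        }

        if (distinctRulesToRun.Count == 0)
        {
            return null;
        }

        // Sort so the same set of rules always produces the same cache key, whatever
        // order the filters returned them in.
        distinctRulesToRun = distinctRulesToRun.OrderBy(s => s).ToList();

        // NOTE(review): '|' is an ambiguous separator if a rule string can itself
        // contain '|' (two different rule lists could then share one key and one
        // cached scanner); confirm what the rule strings hold.
        string uniqueRuleCollectionToken = string.Join("|", distinctRulesToRun);
        string ruleCollectionHash = Hash.ByteArray.Sha256(Encoding.UTF8.GetBytes(uniqueRuleCollectionToken));

        // Single lookup instead of ContainsKey followed by the indexer. On a miss
        // TryGetValue leaves results as null, the same starting state as before.
        if (!_yaraCompiledRulesDictionary.TryGetValue(ruleCollectionHash, out results))
        {
            try
            {
                results = YaraHelper.CompileRules(distinctRulesToRun, parameters.ReportAndLogOutputFunction);
            }
            catch (Exception ex)
            {
                // Reported but deliberately not rethrown; results stays null.
                parameters.ReportExceptionFunction.Invoke(nameof(GetCompiledYaraRules), string.Empty, ex);
            }

            // The entry is added even when compilation failed (value null), so a
            // failing rule set is attempted, and reported, only once.
            _yaraCompiledRulesDictionary.Add(ruleCollectionHash, results);
        }
    }

    return results;
}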