private bool FilterMatches(ScanResults fileProperties)
{
if (FilterType == YaraFilterType.AlwaysRun)
{
return(true);
}
else if (FilterType == YaraFilterType.IsPeFile)
{
return(fileProperties.IsPe);
}
else if (FilterType == YaraFilterType.FileExtension)
{
return(string.Equals(FilterValue.Replace(".", ""), fileProperties.Extension.Replace(".", ""), StringComparison.InvariantCultureIgnoreCase));
}
else if (FilterType == YaraFilterType.MimeType)
{
return(string.Equals(FilterValue, fileProperties.MimeType, StringComparison.InvariantCultureIgnoreCase));
}
else if (FilterType == YaraFilterType.ElseNoMatch)
{
return(false);
}
else
{
throw new NotImplementedException($"You must have added a new {nameof(YaraFilterType)} enum without adding the appropriate logic in {nameof(YaraFilter)}.{nameof(FilterMatches)}.");
}
}
public static ScanResults PopulateFileProperties(ScanParameters parameters, char driveLetter, INode node)
{
CancellationToken cancelToken = parameters.CancelToken;
cancelToken.ThrowIfCancellationRequested();
ScanResults results = new ScanResults();
byte[] fileBytes = new byte[0];
if (!node.Streams.Any()) //workaround for no file stream such as with hard links
{
try
{
using (FileStream fsSource = new FileStream(node.FullName,
FileMode.Open, FileAccess.Read))
{
// Read the source file into a byte array.
fileBytes = new byte[fsSource.Length];
int numBytesToRead = (int)fsSource.Length;
int numBytesRead = 0;
while (numBytesToRead > 0)
{
// Read may return anything from 0 to numBytesToRead.
int n = fsSource.Read(fileBytes, numBytesRead, numBytesToRead);
// Break when the end of the file is reached.
if (n == 0)
{
break;
}
numBytesRead += n;
numBytesToRead -= n;
}
numBytesToRead = fileBytes.Length;
}
}
catch
{ }
}
else
{
fileBytes = node.GetBytes().SelectMany(chunk => chunk).ToArray();
cancelToken.ThrowIfCancellationRequested();
}
string yaraIndexFilename = results.PopulateYaraInfo(parameters.YaraParameters);
if (!string.IsNullOrWhiteSpace(yaraIndexFilename))
{
results.YaraDetections = YaraHelper.ScanBytes(fileBytes, yaraIndexFilename);
}
throw new NotImplementedException();
return(results);
}
public List <string> ProcessRule(ScanResults fileProperties)
{
if (FilterMatches(fileProperties))
{
return(OnMatchRules);
}
else
{
return(new List <string>());
}
}
private static List <string> Worker(ScanParameters parameters)
{
List <string> resultsAggregate = new List <string>();
try
{
IEnumerable <INode> mftNodes = FileEnumerator.EnumerateFiles(parameters);
IDataPersistenceLayer dataPersistenceLayer = parameters.DataPersistenceLayer;
foreach (INode node in mftNodes)
{
string message = $"MFT#: {node.MFTRecordNumber.ToString().PadRight(7)} Seq.#: {node.SequenceNumber.ToString().PadRight(4)} Path: {node.FullName}";
if (parameters.LogOutputFunction != null)
{
parameters.LogOutputFunction.Invoke(message);
}
if (parameters.ReportOutputFunction != null)
{
parameters.ReportOutputFunction.Invoke(message);
}
ScanResults results = new ScanResults();
results = PopulateFileProperties(parameters, parameters.SelectedFolder[0], node);
resultsAggregate.AddRange(results.YaraDetections);
// Insert scan results into IDataPersistenceLayer
bool insertResult = dataPersistenceLayer.PersistFileProperties(results);
if (insertResult)
{
}
else
{
}
parameters.CancelToken.ThrowIfCancellationRequested();
}
dataPersistenceLayer.Dispose();
}
catch (OperationCanceledException)
{ }
return(resultsAggregate);
}