CompiledRules C# (CSharp)代码示例

示例#1

0

显示文件

文件： ScanTests.cs 项目： digitalarche/dnYara

        public void CheckStringNotMatchTest()
        {
            // Initialize yara context
            using (YaraContext ctx = new YaraContext())
            {
                // Compile yara rules
                CompiledRules rules = null;

                using (var compiler = new Compiler())
                {
                    compiler.AddRuleString("rule foo: bar {strings: $a = \"nml\" condition: $a}");

                    rules = compiler.Compile();
                }

                if (rules != null)
                {
                    // Initialize the scanner
                    var scanner = new Scanner();
                    List <ScanResult> scanResult = scanner.ScanString("abcdefgjiklmnoprstuvwxyz", rules);

                    Assert.True(scanResult.Count == 0);
                }
            }
        }

示例#2

0

显示文件

文件： ScanTests.cs 项目： digitalarche/dnYara

        public void CheckMemoryNotMatchTest()
        {
            // Initialize yara context
            using (YaraContext ctx = new YaraContext())
            {
                // Compile yara rules
                CompiledRules rules = null;

                using (var compiler = new Compiler())
                {
                    compiler.AddRuleString("rule foo: bar {strings: $a = \"nml\" condition: $a}");

                    rules = compiler.Compile();
                }

                if (rules != null)
                {
                    // Initialize the scanner
                    var scanner = new Scanner();

                    Encoding encoding = Encoding.ASCII;

                    byte[] buffer = encoding.GetBytes("abcdefgjiklmnoprstuvwxyz");

                    List <ScanResult> scanResult = scanner.ScanMemory(ref buffer, rules);

                    Assert.True(scanResult.Count == 0);
                }
            }
        }

示例#3

0

显示文件

文件： ScanTests.cs 项目： airbus-cert/dnYara

        public void CheckExternalVariableRuleTest()
        {
            // Initialize yara context
            using (YaraContext ctx = new YaraContext())
            {
                using (var compiler = new Compiler())
                {
                    //must declare this or the compiler will complain it doesn't exist when a rule references it
                    compiler.DeclareExternalStringVariable("filename");

                    //declare rule with an external variable available
                    compiler.AddRuleString("rule foo: bar {strings: $a = \"lmn\" condition: $a and filename matches /\\.txt$/is}");
                    CompiledRules compiledRules = compiler.Compile();

                    Assert.True(compiledRules.RuleCount == 1);

                    Encoding encoding = Encoding.ASCII;
                    byte[]   buffer   = encoding.GetBytes("abcdefgjiklmnoprstuvwxyz");

                    // Initialize a customscanner we can add variables to
                    var scanner = new CustomScanner(compiledRules);

                    ExternalVariables externalVariables = new ExternalVariables();
                    externalVariables.StringVariables.Add("filename", "Alphabet.txt");

                    List <ScanResult> compiledScanResults = scanner.ScanMemory(ref buffer, externalVariables);

                    Assert.True(compiledScanResults.Count == 1);
                    Assert.Equal("foo", compiledScanResults[0].MatchingRule.Identifier);

                    //release before falling out of the yara context
                    scanner.Release();
                }
            }
        }

示例#4

0

显示文件

        static void Main(string[] args)
        {
            // Get list of yara rules
            string[] ruleFiles = Directory.GetFiles(@"e:\yara-db\rules\", "*.yara", SearchOption.AllDirectories)
                                 .ToArray();

            // Get list of samples to check
            string[] samples = new[]
            {
                @"e:\malware-samples\",            // directory
                @"e:\speficic-samples\sample1.exe" // file
            };

            // Initialize yara context
            using (YaraContext ctx = new YaraContext())
            {
                // Compile list of yara rules
                CompiledRules rules = null;
                using (var compiler = new Compiler())
                {
                    foreach (var yara in ruleFiles)
                    {
                        compiler.AddRuleFile(yara);
                    }

                    rules = compiler.Compile();

                    Console.WriteLine($"* Compiled");
                }

                if (rules != null)
                {
                    // Initialize the scanner
                    var scanner = new Scanner();

                    // Go through all samples
                    foreach (var sample in samples)
                    {
                        // If item is file, scan the file
                        if (File.Exists(sample))
                        {
                            ScanFile(scanner, sample, rules);
                        }
                        // If item is directory, scan the directory
                        else
                        {
                            if (Directory.Exists(sample))
                            {
                                DirectoryInfo dirInfo = new DirectoryInfo(sample);

                                foreach (FileInfo fi in dirInfo.EnumerateFiles("*", SearchOption.AllDirectories))
                                {
                                    ScanFile(scanner, fi.FullName, rules);
                                }
                            }
                        }
                    }
                }
            }
        }

示例#5

0

显示文件

文件： ScanTests.cs 项目： airbus-cert/dnYara

        public void CheckSaveLoadRuleTest()
        {
            // Initialize yara context
            using (YaraContext ctx = new YaraContext())
            {
                using (var compiler = new Compiler())
                {
                    compiler.AddRuleString("rule foo: bar {strings: $a = \"lmn\" condition: $a}");
                    CompiledRules compiledRules = compiler.Compile();
                    Assert.True(compiledRules.RuleCount == 1);

                    Encoding encoding = Encoding.ASCII;
                    byte[]   buffer   = encoding.GetBytes("abcdefgjiklmnoprstuvwxyz");

                    // Initialize the scanner
                    var scanner = new Scanner();

                    List <ScanResult> compiledScanResults = scanner.ScanMemory(ref buffer, compiledRules);
                    Assert.True(compiledScanResults.Count == 1);
                    Assert.Equal("foo", compiledScanResults[0].MatchingRule.Identifier);


                    //save the rule to disk
                    string tempfile = System.IO.Path.GetTempFileName();
                    bool   saved    = compiledRules.Save(tempfile);
                    Assert.True(saved);

                    //load the saved rule to a new ruleset
                    CompiledRules loadedRules = new CompiledRules(tempfile);

                    List <ScanResult> loadedScanResults = scanner.ScanMemory(ref buffer, loadedRules);

                    Assert.True(loadedScanResults.Count == 1);
                    Assert.Equal("foo", loadedScanResults[0].MatchingRule.Identifier);

                    System.IO.File.Delete(tempfile);
                }
            }
        }

示例#6

0

显示文件

文件： ScanTests.cs 项目： digitalarche/dnYara

        public void CheckIterateRulesTest()
        {
            string ruleText = @"rule foo: bar {
                meta:
                    bool_meta = true
                    int_meta = 10
                    string_meta = ""what a long, drawn-out thing this is!""
                strings:
                    $a = ""nml""
                condition:
                    $a
                }";

            // Initialize yara context
            using (YaraContext ctx = new YaraContext())
            {
                // Compile yara rules
                CompiledRules rules = null;

                using (var compiler = new Compiler())
                {
                    compiler.AddRuleString(ruleText);

                    rules = compiler.Compile();
                }

                if (rules != null)
                {
                    var rule = rules.Rules.ToList()[0];
                    Assert.NotEmpty(rules.Rules);
                    Assert.Equal("foo", rule.Identifier);
                    Assert.Equal("bar", rule.Tags[0]);
                    Assert.Equal(true, rule.Metas["bool_meta"]);
                    Assert.Equal((long)10, rule.Metas["int_meta"]);
                    Assert.Equal("what a long, drawn-out thing this is!", rule.Metas["string_meta"]);
                }
            }
        }

示例#7

0

显示文件

        public static void ScanFile(Scanner scanner, string filename, CompiledRules rules)
        {
            List <ScanResult> scanResults = scanner.ScanFile(filename, rules);

            foreach (ScanResult scanResult in scanResults)
            {
                string id = scanResult.MatchingRule.Identifier;

                if (scanResult.Matches.Count == 1)
                {
                    Console.WriteLine(
                        $"* Match found : \"{filename}\" for rule \"{id}.{scanResult.Matches.First().Key}\"");
                }
                else
                {
                    Console.WriteLine($"* Match found : \"{filename}\" for rule \"{id}\":");

                    foreach (var vd in scanResult.Matches)
                    {
                        Console.WriteLine($"   > Rule : \"{vd.Key}\"");
                    }
                }
            }
        }

示例#8

0

显示文件

        internal static bool ExecuteCmd(string command)
        {
            bool isManagedCmd = false;

            string[] commands = command.Split(' ');

            string cmdName = commands.First();

            string[] args = commands.Skip(1).ToArray();

            switch (cmdName)
            {
            case "exit":
                Environment.Exit(0);
                break;

            case "clear":
                Console.Clear();
                isManagedCmd = true;
                break;

            case "yadd":
                isManagedCmd = true;
                CmdAddRules(args);
                break;

            case "sadd":
                isManagedCmd = true;
                CmdAddSamples(args);
                break;

            case "ycompile":
                isManagedCmd = true;

                using (var compiler = new Compiler())
                {
                    foreach (var yara in yaras.Distinct())
                    {
                        var err = ScanHelper.CheckRule(yara);

                        if (err == YARA_ERROR.SUCCESS)
                        {
                            try
                            {
                                compiler.AddRuleFile(yara);
                                Console.WriteLine($":Added {yara}");
                            } catch (Exception e)
                            {
                                Console.WriteLine($"!Exception adding \"{yara}\": {e.Message}");
                            }
                        }
                        else
                        {
                            Console.WriteLine($"!Exception adding \"{yara}\": {err}");
                        }
                    }

                    try
                    {
                        rules = compiler.Compile();
                        Console.WriteLine($"* Compiled");
                    }
                    catch (Exception e)
                    {
                        Console.WriteLine($"!Exception compiling rules: {e.Message}");
                    }
                }

                break;

            case "run":
                isManagedCmd = true;
                CmdRun();
                break;
            }


            return(isManagedCmd);
        }

示例#9

0

显示文件

 public bool Qualifies(T item)
 {
     return(CompiledRules.All(rule => rule(item)));
 }

C# (CSharp) CompiledRules示例