Comments (5)
I can't tell you how you are using yara.exe wrong (or how it may be broken), but one thing that comes to mind is that you need to quote your paths that contain strings.
Does running yara --help
output anything?
from go-yara.
After some time i figured that maybe it is a code issue, i tested using: https://github.com/EvilAres/saferwall/blob/edec505dab55a2a1e0c0cf24b436194835510f0f/cmd/yara/main.go#L8
and it seems working fine whitout unstable flags, ill return here if i solve it by my own
but yeah, the command is working fine, every yara module is working fine, is just the scanfile that doesn't follow rules conditions and flags every possible file.
Microsoft Windows [Versión 10.0.17763.1]
(c) 2018 Microsoft Corporation. Todos los derechos reservados.
C:\Users\Rancio>yara --help
YARA 4.3.2, the pattern matching swiss army knife.
Usage: yara [OPTION]... [NAMESPACE:]RULES_FILE... FILE | DIR | PID
Mandatory arguments to long options are mandatory for short options too.
--atom-quality-table=FILE path to a file with the atom quality table
-C, --compiled-rules load compiled rules
-c, --count print only number of matches
-d, --define=VAR=VALUE define external variable
--fail-on-warnings fail on warnings
-f, --fast-scan fast matching mode
-h, --help show this help and exit
-i, --identifier=IDENTIFIER print only rules named IDENTIFIER
--max-process-memory-chunk=NUMBER set maximum chunk size while reading process memory (default=1073741824)
-l, --max-rules=NUMBER abort scanning after matching a NUMBER of rules
--max-strings-per-rule=NUMBER set maximum number of strings per rule (default=10000)
-x, --module-data=MODULE=FILE pass FILE's content as extra data to MODULE
-n, --negate print only not satisfied rules (negate)
-N, --no-follow-symlinks do not follow symlinks when scanning
-w, --no-warnings disable warnings
-m, --print-meta print metadata
-D, --print-module-data print module data
-M, --module-names show module names
-e, --print-namespace print rules' namespace
-S, --print-stats print rules' statistics
-s, --print-strings print matching strings
-L, --print-string-length print length of matched strings
-X, --print-xor-key print xor key and plaintext of matched strings
-g, --print-tags print tags
-r, --recursive recursively search directories
--scan-list scan files listed in FILE, one per line
-z, --skip-larger=NUMBER skip files larger than the given size when scanning a directory
-k, --stack-size=SLOTS set maximum stack size (default=16384)
-t, --tag=TAG print only rules tagged as TAG
-p, --threads=NUMBER use the specified NUMBER of threads to scan a directory
-a, --timeout=SECONDS abort scanning after the given number of SECONDS
-v, --version show version information
Send bug reports and suggestions to: [email protected].
C:\Users\Rancio>
from go-yara.
It seems to me that you are re-using your MatchRules
object without resetting it between scans. Matching results just get appended to it.
Please also have a look at the simple-yara
example and the tests.
from go-yara.
Hey, after some minutes i fixed the issue, this is the final code:
set rule and scan:
package API
import (
"strings"
yara "github.com/hillu/go-yara/v4"
)
func NewFromReader(ruleReader *strings.Reader) (*yara.Scanner, error) {
r, err := LoadRuleFromReader(ruleReader)
if err != nil {
return nil, err
}
s, err := yara.NewScanner(r)
if err != nil {
return nil, err
}
return s, nil
}
func LoadRuleFromReader(reader *strings.Reader) (*yara.Rules, error) {
rules, err := yara.ReadRules(reader)
if err != nil {
return nil, err
}
return rules, nil
}
func ScanFile(scanner *yara.Scanner, filePath string) ([]yara.MatchRule, error) {
var matches yara.MatchRules
err := scanner.SetCallback(&matches).ScanFile(filePath)
return matches, err
}
func ScanProc(scanner *yara.Scanner, pid int) ([]yara.MatchRule, error) {
var matches yara.MatchRules
err := scanner.SetCallback(&matches).ScanProc(pid)
return matches, err
}
file for scan:
sc, err := yara.NewCompiler()
if sc == nil || err != nil {
fmt.Println(err)
return
}
detections := req.A(req.GENERICCRIPT)
reader := strings.NewReader(string(detections))
scanner, err := API.NewFromReader(reader)
if err != nil {
fmt.Println(err)
return
}
for _, filename := range result {
filenameLower := strings.ToLower(filename)
if !strings.Contains(filenameLower, "temp") {
fileInfo, err := os.Stat(filename)
if err != nil {
continue
}
if fileInfo.Size() > 20*1024*1024 {
continue
}
matches, err := API.ScanFile(scanner, filenameLower)
if err != nil {
fmt.Println(err)
continue
}
if len(matches) > 0 {
for _, match := range matches {
rule := strings.Replace(match.Rule, "_", " ", -1)
fmt.Println(rule, filenameLower)
other.SuspiciousAdd(fmt.Sprintf("%s:::Generic %s", filename, rule))
}
}
}
}
now i have a question, where should i add the yara.ScanFlagsFastMode
?, on the another code i was using it on the same "ScanFile" function, but using callback seems quite different
from go-yara.
The Scanner
object has a SetFlags
method.
Otherwise, you can still use the Rules
object directly, just make sure that your match objects are reset.
from go-yara.
Related Issues (20)
- There's no way to return an error from MemoryBlockIterator HOT 5
- yr_scanner_scan_file Using mmap is a dangerous operation HOT 9
- Unable to cross compile yara for windows on ubuntu HOT 5
- Is the new tag version expected ? HOT 1
- Issues while installing HOT 7
- Unable to use ScanProc HOT 23
- Unable to define variable on AIX HOT 4
- Scan a file in a streaming maner HOT 2
- Encrypted rules? HOT 4
- Wrong release version? HOT 1
- Building static binary HOT 3
- cannot find -lyara HOT 1
- linux编译yara出现错误 HOT 2
- generate a dynamic-link library (.so file) HOT 1
- v3.x no release tag HOT 1
- Failing to compile with go-yara HOT 9
- yararule.ScanFile, can not scan filepath which contains chinese, may be other language has the same HOT 2
- Attempt to add a new YARA rule files during runtime causes panic HOT 1
- Question: Adding multiple Compiled YARA files to a single yara.Scanner or *yara.Rules HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from go-yara.