我最近一直在测试本地亚拉扫描(https://github.com/hillu/go-yara(的YARA的Go绑定。我使用的是yara v4.0.0。我只有一个.go文件,它有两个例程:CompileAllRules和main。每当我试图扫描恶意文件时,我都不会得到任何匹配,因为我知道YARA规则已经命中了这个事实。
代码只需在当前文件夹中查找YARA规则,编译它们并使用这些规则扫描/root目录。下面是有问题的代码。
func CompileAllRules(compiler *yara.Compiler) (*yara.Compiler, error) {
log.Info("Start")
var rule_count = 0
var invalid_rules = 0
current_path, cerr := os.Executable()
if(cerr != nil){
log.Info(cerr)
os.Exit(0)
}
rules_path := filepath.Dir(current_path)
log.Info("[COMPILER] Looking for Rules in: ", rules_path)
_ = filepath.Walk(rules_path, func(filePath string, fileObj os.FileInfo, ferr error) error {
fileName := fileObj.Name()
if (path.Ext(fileName) == ".yar") || (path.Ext(fileName) == ".yara") {
rulesObj, _ := os.Open(filePath)
defer rulesObj.Close()
if(compiler.AddFile(rulesObj, "") != nil){
compiler.Destroy()
a, ferr := yara.NewCompiler()
compiler = a
invalid_rules+=1
if ferr != nil {
log.Info(ferr)
os.Exit(0)
}
}else{
rule_count+=1
}
}
return nil
})
log.Info("[COMPILER] Compiled: ", rule_count, " Invalid: ", invalid_rules)
return compiler, cerr
}
func main() {
compiler, err := yara.NewCompiler()
if err != nil {
log.Info(err)
os.Exit(0)
}
compiler, _ = CompileAllRules(compiler)
rules, err := compiler.GetRules()
if(err != nil || rules == nil){
log.Info("Could not get the rules")
os.Exit(0)
}
scanner, err := yara.NewScanner(rules)
if(err != nil){
log.Info("Could not generate a scanner")
os.Exit(0)
}
var matches []yara.MatchRule
_ = filepath.Walk("/root", func(filePath string, fileObj os.FileInfo, ferr error) error {
fileName := fileObj.Name()
if (path.Ext(fileName) == ".yar") || (path.Ext(fileName) == ".yara") {
//log.Info("[scanner] Scanning file: ", fileName)
matches, _ = scanner.ScanFile(fileName)
if (len(matches) != 0) {
log.Info("[SCANNER] Mathes found: ", len(matches))
}
}
return nil
})
}
我删除了旧的编译器并创建了一个新的编译器,但没有想到到那时编译的规则也会被丢弃。我通过迭代规则来解决这个问题,首先检查有效性,然后编译有效的规则。