遇到这个问题已经有一段时间了。我正在用我自己的yara规则扫描目录,当我为单个文件尝试我的代码时,它可以工作,但是当我在for loop上使用相同的代码时,它不匹配任何东西。
我试着搜索我的问题,但它总是向我显示yara的基础文档。
def scan_test(): // works
file_source = 'index.php'
match_list = []
externals = {'filename': file_source}
rules = yara.compile('rules.yar', externals=externals)
with open('filepath') as f:
matches = rules.match(data=f.read(), externals=externals)
if len(matches) > 0:
match_list.append(matches)
return match_list
def scan_test3(dir_source): // not working
match_list = []
for folder,subfolders, files in os.walk(dir_source):
for file in files:
path = os.path.join(folder, file)
try:
file_name, file_extension = os.path.splitext(file)
if (file_extension == '.txt' or file_extension == '.php'):
rules = yara.compile('rules.yar', externals={'filename': file})
with open(path) as f:
matches = rules.match(data=f.read(), externals={'filename': file})
if len(matches) > 0:
match_list.append(matches)
except Exception as e:
print(e)
pass
return match_list
Test yara规则:
rule test_rule
{
meta:
description = "This is a test rule"
strings:
$a = "<?php"
condition:
$a and (filename matches /index.php/ or filename matches /login.php/)
}
我的代码是正确的吗?有人能帮我一下吗?
代码没有问题。由于某些原因,yara-python不能在Windows上正常运行。在Linux上试过这段代码,它工作得很好。