我最近一直在为本地yara扫描(https://github.com/hillu/go-yara)测试YARA的Go绑定。我正在使用yara v4.0.0。我只有一个.go文件,其中有2个例程:CompileAllRules和main。每当我尝试扫描恶意文件时都找不到任何匹配文件,因为我知道YARA规则受到打击。
代码只是在当前文件夹中查找YARA规则,对其进行编译,然后使用这些规则扫描/root目录。下面是有问题的代码。
func CompileAllRules(compiler *yara.Compiler) (*yara.Compiler, error) {
log.Info("Start")
var rule_count = 0
var invalid_rules = 0
current_path, cerr := os.Executable()
if(cerr != nil){
log.Info(cerr)
os.Exit(0)
}
rules_path := filepath.Dir(current_path)
log.Info("[COMPILER] Looking for Rules in: ", rules_path)
_ = filepath.Walk(rules_path, func(filePath string, fileObj os.FileInfo, ferr error) error {
fileName := fileObj.Name()
if (path.Ext(fileName) == ".yar") || (path.Ext(fileName) == ".yara") {
rulesObj, _ := os.Open(filePath)
defer rulesObj.Close()
if(compiler.AddFile(rulesObj, "") != nil){
compiler.Destroy()
a, ferr := yara.NewCompiler()
compiler = a
invalid_rules+=1
if ferr != nil {
log.Info(ferr)
os.Exit(0)
}
}else{
rule_count+=1
}
}
return nil
})
log.Info("[COMPILER] Compiled: ", rule_count, " Invalid: ", invalid_rules)
return compiler, cerr
}
func main() {
compiler, err := yara.NewCompiler()
if err != nil {
log.Info(err)
os.Exit(0)
}
compiler, _ = CompileAllRules(compiler)
rules, err := compiler.GetRules()
if(err != nil || rules == nil){
log.Info("Could not get the rules")
os.Exit(0)
}
scanner, err := yara.NewScanner(rules)
if(err != nil){
log.Info("Could not generate a scanner")
os.Exit(0)
}
var matches []yara.MatchRule
_ = filepath.Walk("/root", func(filePath string, fileObj os.FileInfo, ferr error) error {
fileName := fileObj.Name()
if (path.Ext(fileName) == ".yar") || (path.Ext(fileName) == ".yara") {
//log.Info("[scanner] Scanning file: ", fileName)
matches, _ = scanner.ScanFile(fileName)
if (len(matches) != 0) {
log.Info("[SCANNER] Mathes found: ", len(matches))
}
}
return nil
})
}
最佳答案
我正在删除旧的编译器并创建一个新的编译器,而没有想到到那时为止已编译的规则也将被丢弃。我通过遍历规则首先检查有效性,然后编译有效规则来解决它。