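// Test helper: writes `ruleContent` to the fixture's `ruleFile`, compiles it,
// scans the path held in `ls` with the compiled rules and returns a Row with
// "count" (number of matches, filled in by YARACallback) and "matches".
// Failures are recorded through EXPECT_TRUE instead of aborting; on any
// failure the still-empty Row ("count" = "0") is returned.
// `ruleFile`, `ls`, `writeTextFile`, `compileSingleFile` and `YARACallback`
// come from the enclosing fixture/file.
Row scanFile(const std::string& ruleContent) {
  YR_RULES* rules = nullptr;

  Row r;
  r["count"] = "0";
  r["matches"] = "";

  // NOTE(review): no matching yr_finalize() is issued in this helper, so
  // libyara stays initialized for the remainder of the process — confirm the
  // fixture tears it down elsewhere.
  int result = yr_initialize();
  EXPECT_TRUE(result == ERROR_SUCCESS);
  if (result != ERROR_SUCCESS) {
    return r;
  }

  writeTextFile(ruleFile, ruleContent);
  Status status = compileSingleFile(ruleFile, &rules);
  EXPECT_TRUE(status.ok());
  // A failed compile leaves `rules` null; it must not reach yr_rules_scan_file
  // or yr_rules_destroy. Report through the expectation above and bail out.
  if (!status.ok() || rules == nullptr) {
    return r;
  }

  result = yr_rules_scan_file(rules,
                              ls.c_str(),
                              SCAN_FLAGS_FAST_MODE,
                              YARACallback,
                              static_cast<void*>(&r),
                              0);
  EXPECT_TRUE(result == ERROR_SUCCESS);

  yr_rules_destroy(rules);
  return r;
}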
/*
 * Initializes libyara and opens the two rule sets configured for moloch:
 * the general rules (config.yara) into yCompiler/yRules and the e-mail rules
 * (config.emailYara) into yEmailCompiler/yEmailRules.
 *
 * NOTE(review): the return value of yr_initialize() is discarded, so a failed
 * library initialization is not reported here; it would presumably only
 * surface inside moloch_yara_open() when the compiler is created.
 * NOTE(review): check that the shutdown path issues a matching yr_finalize().
 */
void moloch_yara_init()
{
    yr_initialize();
    moloch_yara_open(config.yara, &yCompiler, &yRules);
    moloch_yara_open(config.emailYara, &yEmailCompiler, &yEmailRules);
}
/// Plugin setup hook: brings libyara up for this process.
/// Returns Status(0, "OK") when yr_initialize() reports ERROR_SUCCESS;
/// otherwise logs the libyara error code at WARNING level and returns a
/// failing Status(1, ...).
Status YARAConfigParserPlugin::setUp() {
  const int init_rc = yr_initialize();
  if (init_rc == ERROR_SUCCESS) {
    return Status(0, "OK");
  }
  LOG(WARNING) << "Unable to initialize YARA (" << init_rc << ")";
  return Status(1, "Unable to initialize YARA");
}
// Constructs an empty scanner: no compiler, no rules, no current rule text.
// libyara is initialized only by the first instance (tracked through the
// static _instance_count); every instance bumps the count.
// NOTE(review): the return value of yr_initialize() is ignored, so a failed
// initialization still increments _instance_count and leaves libyara unusable
// for this and every later instance.
// NOTE(review): the count is a plain read-modify-write; whether instances can
// be constructed concurrently from several threads is not visible here —
// confirm before relying on the "initialize once" logic.
Yara::Yara()
{
    _compiler = nullptr;
    _rules = nullptr;
    _current_rules = "";
    if (_instance_count == 0) {
        yr_initialize();
    }
    ++_instance_count;
}
int main(int argc, char** argv) { yr_initialize(); assert_true_rule_file("import \"pe\" rule test { condition: pe.imports(\"KERNEL32.dll\", \"DeleteCriticalSection\") }", "tests/data/tiny"); assert_true_rule_file("import \"pe\" rule test { condition: pe.imports(\"KERNEL32.dll\", \"DeleteCriticalSection\") }", "tests/data/tiny-idata-51ff"); assert_false_rule_file("import \"pe\" rule test { condition: pe.imports(\"KERNEL32.dll\", \"DeleteCriticalSection\") }", "tests/data/tiny-idata-5200"); yr_finalize(); return 0; }
/*
 * Initializes the yara collector (collector 16): brings up libyara, creates
 * the global rules mutex and the asynchronous file-scan queue, subscribes to
 * the rules-update / scan / module-load notifications, and starts the
 * continuous memory and file scan tasks on the HBS thread pool.
 * Returns TRUE only when every step succeeded; on any failure everything is
 * torn down again and FALSE is returned. `config` is unused.
 *
 * NOTE(review): the failure path unconditionally unsubscribes, frees and
 * yr_finalize()s regardless of which step failed (e.g. yr_finalize() runs
 * even when yr_initialize() did not return 0, and the unsubscribes run even
 * when nothing was subscribed) — whether those helpers tolerate this depends
 * on implementations that are not visible here.
 * NOTE(review): when only the second rThreadPool_task() call fails, the first
 * task (continuousMemScan) has already been handed to the pool while the
 * mutex and queue are freed below — confirm the pool cannot have started it.
 */
RBOOL collector_16_init( HbsState* hbsState, rSequence config )
{
    RBOOL isSuccess = FALSE;

    UNREFERENCED_PARAMETER( config );

    if( NULL != hbsState )
    {
        /* libyara reports 0 (ERROR_SUCCESS) on success. */
        if( 0 == yr_initialize() )
        {
            if( NULL != ( g_global_rules_mutex = rMutex_create() ) )
            {
                /* Queue of files awaiting an asynchronous scan (presumably
                 * freed element-wise with _freeSeq, capacity 100). */
                if( rQueue_create( &g_async_files_to_scan, _freeSeq, 100 ) )
                {
                    /* RULES_UPDATE and SCAN get explicit handlers; MODULE_LOAD
                     * events are routed straight into the scan queue. */
                    if( notifications_subscribe( RP_TAGS_NOTIFICATION_YARA_RULES_UPDATE, NULL, 0, NULL, updateSignatures ) &&
                        notifications_subscribe( RP_TAGS_NOTIFICATION_YARA_SCAN, NULL, 0, NULL, doScan ) &&
                        notifications_subscribe( RP_TAGS_NOTIFICATION_MODULE_LOAD, NULL, 0, g_async_files_to_scan, NULL ) )
                    {
                        isSuccess = TRUE;

                        /* Both background scanners must start; otherwise the
                         * collector is considered not initialized. */
                        if( !rThreadPool_task( hbsState->hThreadPool, continuousMemScan, NULL ) ||
                            !rThreadPool_task( hbsState->hThreadPool, continuousFileScan, NULL ) )
                        {
                            isSuccess = FALSE;
                        }
                    }
                }
            }
        }
    }

    if( !isSuccess )
    {
        /* Best-effort teardown of everything the success path may have set up. */
        notifications_unsubscribe( RP_TAGS_NOTIFICATION_YARA_RULES_UPDATE, NULL, updateSignatures );
        notifications_unsubscribe( RP_TAGS_NOTIFICATION_YARA_SCAN, NULL, doScan );
        notifications_unsubscribe( RP_TAGS_NOTIFICATION_MODULE_LOAD, g_async_files_to_scan, NULL);
        rQueue_free( g_async_files_to_scan );
        g_async_files_to_scan = NULL;
        rMutex_free( g_global_rules_mutex );
        g_global_rules_mutex = NULL;
        yr_finalize();
    }

    return isSuccess;
}
/*
 * yarac entry point: compiles the rule files named in argv[0..argc-2] into one
 * rule set and writes it to argv[argc-1] with yr_rules_save().
 * Returns EXIT_SUCCESS or EXIT_FAILURE. Every early exit after argument
 * parsing goes through the exit_with_code() macro (defined elsewhere); it is
 * expected to store the code in `result` and jump to the _exit label, so the
 * variable name `result` and the label are part of that contract.
 */
int main( int argc, const char** argv)
{
  COMPILER_RESULTS cr;
  YR_COMPILER* compiler = NULL;
  YR_RULES* rules = NULL;
  int result;

  /* args_parse() consumes the recognised options; argc becomes the number of
   * positional arguments left (rule files followed by the output file). */
  argc = args_parse(options, argc, argv);

  if (show_version)
  {
    printf("%s\n", YR_VERSION);
    return EXIT_SUCCESS;
  }

  if (show_help)
  {
    printf("%s\n\n", USAGE_STRING);
    args_print_usage(options, 35);
    printf("\nSend bug reports and suggestions to: [email protected]\n");
    return EXIT_SUCCESS;
  }

  /* At least one rule file plus the output file are required. */
  if (argc < 2)
  {
    fprintf(stderr, "yarac: wrong number of arguments\n");
    fprintf(stderr, "%s\n\n", USAGE_STRING);
    fprintf(stderr, "Try `--help` for more options\n");
    /* NOTE(review): this reaches _exit before yr_initialize() has run, so
     * yr_finalize() is invoked there on a library that was never initialized. */
    exit_with_code(EXIT_FAILURE);
  }

  result = yr_initialize();

  if (result != ERROR_SUCCESS)
    exit_with_code(EXIT_FAILURE);

  if (yr_compiler_create(&compiler) != ERROR_SUCCESS)
    exit_with_code(EXIT_FAILURE);

  /* External variables given on the command line (presumably collected by
   * args_parse()) must exist before any rule referencing them is compiled. */
  if (!define_external_variables(compiler))
    exit_with_code(EXIT_FAILURE);

  cr.errors = 0;
  cr.warnings = 0;

  /* NOTE(review): the return value is not checked, so an out-of-range value
   * for max_strings_per_rule would be ignored silently. */
  yr_set_configuration(YR_CONFIG_MAX_STRINGS_PER_RULE, &max_strings_per_rule);

  /* report_error() receives &cr as its user data; the counters are read below. */
  yr_compiler_set_callback(compiler, report_error, &cr);

  if (!compile_files(compiler, argc, argv))
    exit_with_code(EXIT_FAILURE);

  if (cr.errors > 0)
    exit_with_code(EXIT_FAILURE);

  /* fail_on_warnings option: a warning-only compile is treated as a failure. */
  if (fail_on_warnings && cr.warnings > 0)
    exit_with_code(EXIT_FAILURE);

  result = yr_compiler_get_rules(compiler, &rules);

  if (result != ERROR_SUCCESS)
  {
    fprintf(stderr, "error: %d\n", result);
    exit_with_code(EXIT_FAILURE);
  }

  result = yr_rules_save(rules, argv[argc - 1]);

  if (result != ERROR_SUCCESS)
  {
    fprintf(stderr, "error: %d\n", result);
    exit_with_code(EXIT_FAILURE);
  }

  result = EXIT_SUCCESS;

_exit:

  /* Reached on success and via exit_with_code(); the compiler and rules are
   * only destroyed when they were actually created. */
  if (compiler != NULL)
    yr_compiler_destroy(compiler);

  if (rules != NULL)
    yr_rules_destroy(rules);

  yr_finalize();

  return result;
}
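/*
 * yara entry point (legacy CLI). argv[optind] is first tried as a compiled
 * rule set (yr_rules_load); on any other load error it is compiled from
 * source instead. The last argument is then scanned: a numeric argument is a
 * process id, a directory is walked by `threads` worker threads, anything
 * else is scanned as a single file.
 *
 * Exit status keeps this tool's historical convention: 1 after a completed
 * scan, 0 on usage/load/compile errors (not EXIT_SUCCESS/EXIT_FAILURE), and
 * ERROR_COULD_NOT_CREATE_THREAD when a worker thread cannot be started.
 * `rules` and `compiler` start out NULL so every error path can tell what
 * has to be released.
 */
int main( int argc, char const* argv[])
{
  YR_COMPILER* compiler = NULL;
  YR_RULES* rules = NULL;
  FILE* rule_file;
  EXTERNAL* external;
  int pid;
  int i;
  int errors;
  int result;
  THREAD thread[MAX_THREADS];

  if (!process_cmd_line(argc, argv))
    return 0;

  if (argc == 1 || optind == argc)
  {
    show_help();
    return 0;
  }

  yr_initialize();

  /* First attempt: treat argv[optind] as a pre-compiled rule set. */
  result = yr_rules_load(argv[optind], &rules);

  if (result == ERROR_UNSUPPORTED_FILE_VERSION ||
      result == ERROR_CORRUPT_FILE)
  {
    /* Recognisably a compiled rule file, but unusable: report it and stop.
     * main() returns int, so an explicit status is required here (0 is the
     * error status used throughout this function), and libyara is released
     * like on every other early exit. */
    print_scanning_error(result);
    yr_finalize();
    return 0;
  }

  if (result == ERROR_SUCCESS)
  {
    /* Compiled rules loaded: apply the command-line externals to the rule set. */
    external = externals_list;

    while (external != NULL)
    {
      switch (external->type)
      {
        case EXTERNAL_TYPE_INTEGER:
          yr_rules_define_integer_variable(
              rules, external->name, external->integer);
          break;

        case EXTERNAL_TYPE_BOOLEAN:
          yr_rules_define_boolean_variable(
              rules, external->name, external->boolean);
          break;

        case EXTERNAL_TYPE_STRING:
          yr_rules_define_string_variable(
              rules, external->name, external->string);
          break;
      }

      external = external->next;
    }
  }
  else
  {
    /* Not a compiled file: compile argv[optind] from source. */
    if (yr_compiler_create(&compiler) != ERROR_SUCCESS)
    {
      yr_finalize();
      return 0;
    }

    /* Externals must be defined before the rules referencing them compile. */
    external = externals_list;

    while (external != NULL)
    {
      switch (external->type)
      {
        case EXTERNAL_TYPE_INTEGER:
          yr_compiler_define_integer_variable(
              compiler, external->name, external->integer);
          break;

        case EXTERNAL_TYPE_BOOLEAN:
          yr_compiler_define_boolean_variable(
              compiler, external->name, external->boolean);
          break;

        case EXTERNAL_TYPE_STRING:
          yr_compiler_define_string_variable(
              compiler, external->name, external->string);
          break;
      }

      external = external->next;
    }

    compiler->error_report_function = print_compiler_error;

    rule_file = fopen(argv[optind], "r");

    if (rule_file == NULL)
    {
      /* Release the compiler and libyara; this path previously leaked both. */
      fprintf(stderr, "could not open file: %s\n", argv[optind]);
      yr_compiler_destroy(compiler);
      yr_finalize();
      return 0;
    }

    yr_compiler_push_file_name(compiler, argv[optind]);
    errors = yr_compiler_add_file(compiler, rule_file, NULL);
    fclose(rule_file);

    if (errors == 0)
      yr_compiler_get_rules(compiler, &rules);

    yr_compiler_destroy(compiler);

    /* Compile errors were already reported through error_report_function.
     * A NULL rule set also covers yr_compiler_get_rules() not producing one,
     * which must not reach the scan calls below. */
    if (errors > 0 || rules == NULL)
    {
      yr_finalize();
      return 0;
    }
  }

  mutex_init(&output_mutex);

  if (is_numeric(argv[argc - 1]))
  {
    /* Scan a running process by pid. */
    pid = atoi(argv[argc - 1]);

    result = yr_rules_scan_proc(
        rules, pid, callback, (void*) argv[argc - 1], fast_scan, timeout);

    if (result != ERROR_SUCCESS)
      print_scanning_error(result);
  }
  else if (is_directory(argv[argc - 1]))
  {
    /* Directory: the walker feeds a queue drained by `threads` workers. */
    file_queue_init();

    for (i = 0; i < threads; i++)
    {
      /* NOTE(review): returns without stopping the workers already started
       * or releasing the queue, mutex, rules and libyara. */
      if (create_thread(&thread[i], scanning_thread, (void*) rules) != 0)
        return ERROR_COULD_NOT_CREATE_THREAD;
    }

    scan_dir(argv[argc - 1], recursive_search, rules, callback);

    file_queue_finish();

    // Wait for scan threads to finish
    for (i = 0; i < threads; i++)
      thread_join(&thread[i]);

    file_queue_destroy();
  }
  else
  {
    result = yr_rules_scan_file(
        rules, argv[argc - 1], callback, (void*) argv[argc - 1], fast_scan, timeout);

    if (result != ERROR_SUCCESS)
    {
      fprintf(stderr, "Error scanning %s: ", argv[argc - 1]);
      print_scanning_error(result);
    }
  }

  yr_rules_destroy(rules);
  yr_finalize();

  mutex_destroy(&output_mutex);
  cleanup();

  return 1;
}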
/*
 * yarac entry point: compiles the rule files argv[0..argc-2] into one rule set
 * and writes it to argv[argc-1] with yr_rules_save(). A rule file may be given
 * as "namespace:path"; the text before the first ':' becomes the namespace.
 * Returns EXIT_SUCCESS on success and EXIT_FAILURE otherwise (including after
 * printing the version or help text). Every early exit after argument parsing
 * goes through the exit_with_code() macro (defined elsewhere); it is expected
 * to store the code in `result` and jump to the _exit label, so the variable
 * name `result` and the label are part of that contract.
 */
int main( int argc, const char** argv)
{
  YR_COMPILER* compiler = NULL;
  YR_RULES* rules = NULL;
  int result;

  /* args_parse() consumes the recognised options; argc becomes the number of
   * positional arguments left (rule files followed by the output file). */
  argc = args_parse(options, argc, argv);

  if (show_version)
  {
    printf("%s\n", PACKAGE_STRING);
    printf("\nSend bug reports and suggestions to: %s.\n", PACKAGE_BUGREPORT);
    return EXIT_FAILURE;
  }

  if (show_help)
  {
    printf("%s\n\n", USAGE_STRING);
    args_print_usage(options, 25);
    printf("\nSend bug reports and suggestions to: %s.\n", PACKAGE_BUGREPORT);
    return EXIT_FAILURE;
  }

  /* At least one rule file plus the output file are required. */
  if (argc < 2)
  {
    fprintf(stderr, "yarac: wrong number of arguments\n");
    fprintf(stderr, "%s\n\n", USAGE_STRING);
    fprintf(stderr, "Try `--help` for more options\n");
    /* NOTE(review): this reaches _exit before yr_initialize() has run, so
     * yr_finalize() is invoked there on a library that was never initialized. */
    exit_with_code(EXIT_FAILURE);
  }

  result = yr_initialize();

  if (result != ERROR_SUCCESS)
    exit_with_code(EXIT_FAILURE);

  if (yr_compiler_create(&compiler) != ERROR_SUCCESS)
    exit_with_code(EXIT_FAILURE);

  /* External variables given on the command line (presumably collected by
   * args_parse()) must exist before any rule referencing them is compiled. */
  if (!define_external_variables(compiler))
    exit_with_code(EXIT_FAILURE);

  yr_compiler_set_callback(compiler, report_error, NULL);

  for (int i = 0; i < argc - 1; i++)
  {
    const char* ns;
    const char* file_name;

    /* Split "namespace:path" at the FIRST colon. NOTE(review): a path that
     * itself contains a colon (e.g. a Windows drive letter "C:\rules.yar")
     * is split the same way, yielding namespace "C" and path "\rules.yar". */
    char* colon = (char*) strchr(argv[i], ':');

    if (colon)
    {
      file_name = colon + 1;
      /* Terminates the namespace in place inside argv. */
      *colon = '\0';
      ns = argv[i];
    }
    else
    {
      file_name = argv[i];
      ns = NULL;
    }

    FILE* rule_file = fopen(file_name, "r");

    if (rule_file != NULL)
    {
      int errors = yr_compiler_add_file(
          compiler, rule_file, ns, file_name);

      fclose(rule_file);

      if (errors) // errors during compilation
        exit_with_code(EXIT_FAILURE);
    }
    else
    {
      /* NOTE(review): an unreadable rule file is only reported; the loop
       * continues and the remaining rules are still saved with EXIT_SUCCESS,
       * so a mistyped file name silently produces a rule set missing rules. */
      fprintf(stderr, "error: could not open file: %s\n", file_name);
    }
  }

  result = yr_compiler_get_rules(compiler, &rules);

  if (result != ERROR_SUCCESS)
  {
    fprintf(stderr, "error: %d\n", result);
    exit_with_code(EXIT_FAILURE);
  }

  result = yr_rules_save(rules, argv[argc - 1]);

  if (result != ERROR_SUCCESS)
  {
    fprintf(stderr, "error: %d\n", result);
    exit_with_code(EXIT_FAILURE);
  }

  result = EXIT_SUCCESS;

_exit:

  /* Reached on success and via exit_with_code(); the compiler and rules are
   * only destroyed when they were actually created. */
  if (compiler != NULL)
    yr_compiler_destroy(compiler);

  if (rules != NULL)
    yr_rules_destroy(rules);

  yr_finalize();

  return result;
}
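/*
 * yarac entry point (legacy CLI): compiles the rule files argv[optind..argc-2]
 * into one rule set and saves it to argv[argc-1].
 * Returns EXIT_SUCCESS, or EXIT_FAILURE on any initialization, compile or
 * save error. Every exit path destroys whatever it created and balances the
 * yr_initialize() at the top with yr_finalize().
 */
int main( int argc, char const* argv[])
{
  int i, result, errors;
  YR_COMPILER* compiler = NULL;
  YR_RULES* rules = NULL;
  FILE* rule_file;

  /* Without a working libyara nothing below can succeed. */
  if (yr_initialize() != ERROR_SUCCESS)
    return EXIT_FAILURE;

  if (yr_compiler_create(&compiler) != ERROR_SUCCESS)
  {
    yr_finalize();
    return EXIT_FAILURE;
  }

  /* The compiler is created before option parsing because process_cmd_line
   * receives it (presumably to define externals on it). */
  if (!process_cmd_line(compiler, argc, argv))
  {
    yr_compiler_destroy(compiler);
    yr_finalize();
    return EXIT_FAILURE;
  }

  if (argc == 1 || optind == argc)
  {
    show_help();
    yr_compiler_destroy(compiler);
    yr_finalize();
    return EXIT_FAILURE;
  }

  compiler->error_report_function = report_error;

  for (i = optind; i < argc - 1; i++)
  {
    rule_file = fopen(argv[i], "r");

    if (rule_file != NULL)
    {
      yr_compiler_push_file_name(compiler, argv[i]);
      errors = yr_compiler_add_file(compiler, rule_file, NULL);
      fclose(rule_file);

      if (errors) // errors during compilation
      {
        yr_compiler_destroy(compiler);
        yr_finalize();
        return EXIT_FAILURE;
      }
    }
    else
    {
      /* NOTE(review): an unreadable rule file is only reported; compilation
       * continues and the output is still written with EXIT_SUCCESS, so a
       * mistyped file name silently yields a rule set missing those rules. */
      fprintf(stderr, "could not open file: %s\n", argv[i]);
    }
  }

  result = yr_compiler_get_rules(compiler, &rules);

  if (result != ERROR_SUCCESS)
  {
    /* Previously leaked the compiler and libyara on this path. */
    fprintf(stderr, "error: %d\n", result);
    yr_compiler_destroy(compiler);
    yr_finalize();
    return EXIT_FAILURE;
  }

  result = yr_rules_save(rules, argv[argc - 1]);

  if (result != ERROR_SUCCESS)
  {
    /* Previously leaked the rules, the compiler and libyara on this path. */
    fprintf(stderr, "error: %d\n", result);
    yr_rules_destroy(rules);
    yr_compiler_destroy(compiler);
    yr_finalize();
    return EXIT_FAILURE;
  }

  yr_rules_destroy(rules);
  yr_compiler_destroy(compiler);
  yr_finalize();

  return EXIT_SUCCESS;
}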
// Debugger core initialization, exported to the GUI/bridge. Runs the one-time
// setup in order: struct layout checks against TitanEngine, wait objects,
// debugger state, JSON allocators, Capstone, Yara, the directory layout next
// to this module (alloctrace.txt, db\, symbols\, plugins\), the symbol cache
// path setting, the command loop thread, plugins, and finally the process
// command line (`init "<file>"`, or the JIT form `-a <pid> -e <event>`).
// Returns nullptr on success or a static error message on the first failure;
// steps already completed are not rolled back.
extern "C" DLL_EXPORT const char* _dbg_dbginit()
{
    // Both the TitanEngine context and the bridge REGISTERCONTEXT must have
    // the layout this build was compiled against.
    if(!EngineCheckStructAlignment(UE_STRUCT_TITAN_ENGINE_CONTEXT, sizeof(TITAN_ENGINE_CONTEXT_t)))
        return "Invalid TITAN_ENGINE_CONTEXT_t alignment!";
    if(sizeof(TITAN_ENGINE_CONTEXT_t) != sizeof(REGISTERCONTEXT))
        return "Invalid REGISTERCONTEXT alignment!";
    dputs("Initializing wait objects...");
    waitinitialize();
    dputs("Initializing debugger...");
    dbginit();
    dputs("Initializing debugger functions...");
    dbgfunctionsinit();
    dputs("Setting JSON memory management functions...");
    json_set_alloc_funcs(json_malloc, json_free);
    dputs("Initializing capstone...");
    Capstone::GlobalInitialize();
    dputs("Initializing Yara...");
    if(yr_initialize() != ERROR_SUCCESS)
        return "Failed to initialize Yara!";
    dputs("Getting directory information...");
    // Directory of this module (hInst); every data directory hangs off it.
    wchar_t wszDir[deflen] = L"";
    if(!GetModuleFileNameW(hInst, wszDir, deflen))
        return "GetModuleFileNameW failed!";
    char dir[deflen] = "";
    // NOTE(review): UTF-8 can need more bytes than the UTF-16 source had code
    // units, so a path close to deflen would trip strcpy_s's size check —
    // confirm deflen leaves enough headroom.
    strcpy_s(dir, StringUtils::Utf16ToUtf8(wszDir).c_str());
    // Strip the file name: walk back from the terminator to the last '\\'.
    // Assumes at least one backslash is present (true for a full module
    // path); without one, len would run below zero.
    int len = (int)strlen(dir);
    while(dir[len] != '\\')
        len--;
    dir[len] = 0;
    strcpy_s(alloctrace, dir);
    strcat_s(alloctrace, "\\alloctrace.txt");
    // Every session starts with a fresh allocation trace file.
    DeleteFileW(StringUtils::Utf8ToUtf16(alloctrace).c_str());
    setalloctrace(alloctrace);
    strcpy_s(dbbasepath, dir); //debug directory
    strcat_s(dbbasepath, "\\db");
    CreateDirectoryW(StringUtils::Utf8ToUtf16(dbbasepath).c_str(), 0); //create database directory
    // Default symbol store: <module dir>\symbols.
    char szLocalSymbolPath[MAX_PATH] = "";
    strcpy_s(szLocalSymbolPath, dir);
    strcat_s(szLocalSymbolPath, "\\symbols");
    // Resolve the Symbols/CachePath setting; a missing or empty setting is
    // replaced by the local default and written back as ".\symbols".
    char cachePath[MAX_SETTING_SIZE];
    if(!BridgeSettingGet("Symbols", "CachePath", cachePath) || !*cachePath)
    {
        strcpy_s(szSymbolCachePath, szLocalSymbolPath);
        BridgeSettingSet("Symbols", "CachePath", ".\\symbols");
    }
    else
    {
        if (_strnicmp(cachePath, ".\\", 2) == 0)
        {
            // A relative ".\..." setting is anchored at the module directory;
            // skipping only the leading '.' keeps the backslash as separator.
            strncpy_s(szSymbolCachePath, dir, _TRUNCATE);
            strncat_s(szSymbolCachePath, cachePath + 1, _TRUNCATE);
        }
        else
        {
            // Trim the buffer to fit inside MAX_PATH
            strncpy_s(szSymbolCachePath, cachePath, _TRUNCATE);
        }
        // A symbol-server URL in the cache path would have the debugger fetch
        // symbols from the network directly. Offer to replace it with the
        // local store; if the user declines, the URL is kept as configured.
        if(strstr(szSymbolCachePath, "http://") || strstr(szSymbolCachePath, "https://"))
        {
            if(Script::Gui::MessageYesNo("It is strongly discouraged to use symbol servers in your path directly (use the store option instead).\n\nDo you want me to fix this?"))
            {
                strcpy_s(szSymbolCachePath, szLocalSymbolPath);
                BridgeSettingSet("Symbols", "CachePath", ".\\symbols");
            }
        }
    }
    dputs(szSymbolCachePath);
    SetCurrentDirectoryW(StringUtils::Utf8ToUtf16(dir).c_str());
    dputs("Allocating message stack...");
    gMsgStack = MsgAllocStack();
    if(!gMsgStack)
        return "Could not allocate message stack!";
    dputs("Initializing global script variables...");
    varinit();
    dputs("Registering debugger commands...");
    registercommands();
    dputs("Starting command loop...");
    // NOTE(review): the returned thread handle is not checked for NULL.
    hCommandLoopThread = CreateThread(0, 0, DbgCommandLoopThread, 0, 0, 0);
    char plugindir[deflen] = "";
    strcpy_s(plugindir, dir);
    strcat_s(plugindir, "\\plugins");
    CreateDirectoryW(StringUtils::Utf8ToUtf16(plugindir).c_str(), 0);
    dputs("Loading plugins...");
    // Plugins are loaded from the directory next to this module.
    pluginload(plugindir);
    dputs("Handling command line...");
    //handle command line
    int argc = 0;
    wchar_t** argv = CommandLineToArgvW(GetCommandLineW(), &argc);
    if(argc == 2) //we have an argument
    {
        // The argument is spliced verbatim into a quoted `init` command; a
        // value containing '"' would end the quote early. The command parser's
        // quoting rules are not visible here — confirm how it handles that.
        String str = "init \"";
        str += StringUtils::Utf16ToUtf8(argv[1]);
        str += "\"";
        DbgCmdExec(str.c_str());
    }
    else if(argc == 5) //4 arguments (JIT)
    {
        // JIT form: -a <pid> -e <event>; both values are prefixed with '.'
        // (presumably the parser's decimal marker) and passed to `attach`.
        if(_wcsicmp(argv[1], L"-a") == 0 && !_wcsicmp(argv[3], L"-e"))
        {
            String str = "attach .";
            str += StringUtils::Utf16ToUtf8(argv[2]);
            str += ", .";
            str += StringUtils::Utf16ToUtf8(argv[4]);
            DbgCmdExec(str.c_str());
        }
    }
    LocalFree(argv);
    dputs("Initialization successful!");
    bIsStopped = false;
    return nullptr;
}
// Debugger core initialization, exported to the GUI/bridge. Runs the one-time
// setup in order: struct layout checks against TitanEngine, section locks,
// wait objects, debugger state, JSON allocators, Capstone, Yara, the directory
// layout next to this module (alloctrace.txt, db\, symbols\, plugins\), the
// command loop thread, plugins, and finally the process command line
// (`init "<file>"`, or the JIT form `-a <pid> -e <event>`).
// Returns 0 (null) on success or a static error message on the first failure;
// steps already completed are not rolled back.
extern "C" DLL_EXPORT const char* _dbg_dbginit()
{
    // Both the TitanEngine context and the bridge REGISTERCONTEXT must have
    // the layout this build was compiled against.
    if(!EngineCheckStructAlignment(UE_STRUCT_TITAN_ENGINE_CONTEXT, sizeof(TITAN_ENGINE_CONTEXT_t)))
        return "Invalid TITAN_ENGINE_CONTEXT_t alignment!";
    if(sizeof(TITAN_ENGINE_CONTEXT_t) != sizeof(REGISTERCONTEXT))
        return "Invalid REGISTERCONTEXT alignment!";
    dputs("Initializing locks...");
    SectionLockerGlobal::Initialize();
    dputs("Initializing wait objects...");
    waitinitialize();
    dputs("Initializing debugger...");
    dbginit();
    dputs("Initializing debugger functions...");
    dbgfunctionsinit();
    dputs("Setting JSON memory management functions...");
    json_set_alloc_funcs(json_malloc, json_free);
    dputs("Initializing capstone...");
    Capstone::GlobalInitialize();
    dputs("Initializing Yara...");
    if(yr_initialize() != ERROR_SUCCESS)
        return "Failed to initialize Yara!";
    dputs("Getting directory information...");
    // Directory of this module (hInst); every data directory hangs off it.
    wchar_t wszDir[deflen] = L"";
    if(!GetModuleFileNameW(hInst, wszDir, deflen))
        return "GetModuleFileNameW failed!";
    char dir[deflen] = "";
    // NOTE(review): UTF-8 can need more bytes than the UTF-16 source had code
    // units, so a path close to deflen would trip strcpy_s's size check —
    // confirm deflen leaves enough headroom.
    strcpy_s(dir, StringUtils::Utf16ToUtf8(wszDir).c_str());
    // Strip the file name: walk back from the terminator to the last '\\'.
    // Assumes at least one backslash is present (true for a full module
    // path); without one, len would run below zero.
    int len = (int)strlen(dir);
    while(dir[len] != '\\')
        len--;
    dir[len] = 0;
    strcpy_s(alloctrace, dir);
    strcat_s(alloctrace, "\\alloctrace.txt");
    // Every session starts with a fresh allocation trace file.
    DeleteFileW(StringUtils::Utf8ToUtf16(alloctrace).c_str());
    setalloctrace(alloctrace);
    strcpy_s(dbbasepath, dir); //debug directory
    strcat_s(dbbasepath, "\\db");
    CreateDirectoryW(StringUtils::Utf8ToUtf16(dbbasepath).c_str(), 0); //create database directory
    // Symbol cache is fixed to <module dir>\symbols in this version.
    strcpy_s(szSymbolCachePath, dir);
    strcat_s(szSymbolCachePath, "\\symbols");
    SetCurrentDirectoryW(StringUtils::Utf8ToUtf16(dir).c_str());
    dputs("Allocating message stack...");
    gMsgStack = MsgAllocStack();
    if(!gMsgStack)
        return "Could not allocate message stack!";
    dputs("Initializing global script variables...");
    varinit();
    dputs("Registering debugger commands...");
    registercommands();
    dputs("Starting command loop...");
    // NOTE(review): the returned thread handle is not checked for NULL.
    hCommandLoopThread = CreateThread(0, 0, DbgCommandLoopThread, 0, 0, 0);
    char plugindir[deflen] = "";
    strcpy_s(plugindir, dir);
    strcat_s(plugindir, "\\plugins");
    CreateDirectoryW(StringUtils::Utf8ToUtf16(plugindir).c_str(), 0);
    dputs("Loading plugins...");
    // Plugins are loaded from the directory next to this module.
    pluginload(plugindir);
    dputs("Handling command line...");
    //handle command line
    int argc = 0;
    wchar_t** argv = CommandLineToArgvW(GetCommandLineW(), &argc);
    if(argc == 2) //we have an argument
    {
        // The argument is spliced verbatim into a quoted `init` command; a
        // value containing '"' would end the quote early. The command parser's
        // quoting rules are not visible here — confirm how it handles that.
        String str = "init \"";
        str += StringUtils::Utf16ToUtf8(argv[1]);
        str += "\"";
        DbgCmdExec(str.c_str());
    }
    else if(argc == 5) //4 arguments (JIT)
    {
        // JIT form: -a <pid> -e <event>; both values are prefixed with '.'
        // (presumably the parser's decimal marker) and passed to `attach`.
        if(_wcsicmp(argv[1], L"-a") == 0 && !_wcsicmp(argv[3], L"-e"))
        {
            String str = "attach .";
            str += StringUtils::Utf16ToUtf8(argv[2]);
            str += ", .";
            str += StringUtils::Utf16ToUtf8(argv[4]);
            DbgCmdExec(str.c_str());
        }
    }
    LocalFree(argv);
    dputs("Initialization successful!");
    return 0;
}