我最近一直在测试 YARA 的 Go 绑定以进行本地 yara 扫描 ( https://github.com/hillu/go-yara)。我正在使用 yara v4.0.0。我只有一个.go文件有 2 个例程:CompileAllRules和main. 每当我尝试扫描我知道的 YARA 规则受到打击的恶意文件时,我都没有得到任何匹配。
代码只是在当前文件夹中查找 YARA 规则,编译它们并/root使用这些规则扫描目录。下面是有问题的代码。
func CompileAllRules(compiler *yara.Compiler) (*yara.Compiler, error) {
log.Info("Start")
var rule_count = 0
var invalid_rules = 0
current_path, cerr := os.Executable()
if(cerr != nil){
log.Info(cerr)
os.Exit(0)
}
rules_path := filepath.Dir(current_path)
log.Info("[COMPILER] Looking for Rules in: ", rules_path)
_ = filepath.Walk(rules_path, func(filePath string, fileObj os.FileInfo, ferr error) error {
fileName := fileObj.Name()
if (path.Ext(fileName) == ".yar") || (path.Ext(fileName) == ".yara") {
rulesObj, _ := os.Open(filePath)
defer rulesObj.Close()
if(compiler.AddFile(rulesObj, "") != nil){
compiler.Destroy()
a, ferr := yara.NewCompiler()
compiler = a
invalid_rules+=1
if ferr != nil {
log.Info(ferr)
os.Exit(0)
}
}else{
rule_count+=1
}
}
return nil
})
log.Info("[COMPILER] Compiled: ", rule_count, " Invalid: ", invalid_rules)
return compiler, cerr
}
func main() {
compiler, err := yara.NewCompiler()
if err != nil {
log.Info(err)
os.Exit(0)
}
compiler, _ = CompileAllRules(compiler)
rules, err := compiler.GetRules()
if(err != nil || rules == nil){
log.Info("Could not get the rules")
os.Exit(0)
}
scanner, err := yara.NewScanner(rules)
if(err != nil){
log.Info("Could not generate a scanner")
os.Exit(0)
}
var matches []yara.MatchRule
_ = filepath.Walk("/root", func(filePath string, fileObj os.FileInfo, ferr error) error {
fileName := fileObj.Name()
if (path.Ext(fileName) == ".yar") || (path.Ext(fileName) == ".yara") {
//log.Info("[scanner] Scanning file: ", fileName)
matches, _ = scanner.ScanFile(fileName)
if (len(matches) != 0) {
log.Info("[SCANNER] Mathes found: ", len(matches))
}
}
return nil
})
}