Documentation
Overview
Package yapscan provides high-level features on top of the popular virus-scanner yara.
Index
- Constants
- Variables
- func AddressesFromMatches(matches []yara.MatchString, offset uint64) []uint64
- func FormatSlice(format string, slice interface{}, args ...interface{}) []string
- func IsYaraRulesFile(name string) bool
- func Join(parts []string, defaultGlue, finalGlue string) string
- func LoadYaraRules(path string, recurseIfDir bool) (*yara.Rules, error)
- type FilterMatch
- type MemoryScanProgress
- type MemoryScanner
- type MemorySegmentFilter
- func NewAndFilter(filters ...MemorySegmentFilter) MemorySegmentFilter
- func NewFilterFromFunc(filter MemorySegmentFilterFunc, parameter interface{}, reasonTemplate string) MemorySegmentFilter
- func NewMaxSizeFilter(size uintptr) MemorySegmentFilter
- func NewMinSizeFilter(size uintptr) MemorySegmentFilter
- func NewPermissionsFilter(perm procIO.Permissions) MemorySegmentFilter
- func NewPermissionsFilterExact(perms []procIO.Permissions) MemorySegmentFilter
- func NewStateFilter(states []procIO.State) MemorySegmentFilter
- func NewTypeFilter(types []procIO.Type) MemorySegmentFilter
- type MemorySegmentFilterFunc
- type ProcessScanner
- type Rules
- type YaraScanner
Constants
const RulesZIPPassword = "infected"
RulesZIPPassword is the password yapscan uses to de-/encrypt the rules zip file.
Variables
var DefaultYaraRulesNamespace = ""
DefaultYaraRulesNamespace is the default namespace when compiling rules.
var ErrSkipped = errors.New("skipped")
var YaraRulesFileExtensions = []string{
".yar",
".yara",
}
YaraRulesFileExtensions are the file extensions yapscan expects rules files to have. This is used when loading files from a directory.
Functions
func AddressesFromMatches
func AddressesFromMatches(matches []yara.MatchString, offset uint64) []uint64
func FormatSlice
func FormatSlice(format string, slice interface{}, args ...interface{}) []string
func IsYaraRulesFile
func IsYaraRulesFile(name string) bool
IsYaraRulesFile returns true if the given filename has one of the extensions in YaraRulesFileExtensions.
func LoadYaraRules
func LoadYaraRules(path string, recurseIfDir bool) (*yara.Rules, error)
LoadYaraRules loads yara.Rules from a file (or files) and compiles them if necessary. The given path can be a directory, a compiled rules file, a plain-text file containing rules, or an encrypted zip file containing rules.
If the path is a directory, all files with one of the extensions in YaraRulesFileExtensions are loaded (recursively if recurseIfDir is true). All files are assumed to be uncompiled and will be compiled. Loading multiple already compiled files into one yara.Rules object is not supported. Each file is compiled with a namespace equal to its filename relative to the given path.
If the path is a single file, it may be compiled, uncompiled or a zip file. An uncompiled file is compiled with the namespace `DefaultYaraRulesNamespace+"/"+filename`. A zip file is opened and decrypted with RulesZIPPassword. The contents of the zip file are treated similarly to a directory (see above), except that *all* files are assumed to be rules files, recursion is always enabled, and the zip may contain either a single compiled file or arbitrarily many uncompiled files.
Types
type FilterMatch
type FilterMatch struct {
	Result bool
	MSI    *procIO.MemorySegmentInfo
	Reason string // Reason for filter mismatch, if Result is false
}
type MemoryScanProgress
type MemoryScanner
type MemorySegmentFilter
type MemorySegmentFilter interface {
Filter(info *procIO.MemorySegmentInfo) *FilterMatch
}
func NewAndFilter
func NewAndFilter(filters ...MemorySegmentFilter) MemorySegmentFilter
func NewFilterFromFunc
func NewFilterFromFunc(filter MemorySegmentFilterFunc, parameter interface{}, reasonTemplate string) MemorySegmentFilter
func NewMaxSizeFilter
func NewMaxSizeFilter(size uintptr) MemorySegmentFilter
func NewMinSizeFilter
func NewMinSizeFilter(size uintptr) MemorySegmentFilter
func NewPermissionsFilter
func NewPermissionsFilter(perm procIO.Permissions) MemorySegmentFilter
func NewPermissionsFilterExact
func NewPermissionsFilterExact(perms []procIO.Permissions) MemorySegmentFilter
func NewStateFilter
func NewStateFilter(states []procIO.State) MemorySegmentFilter
func NewTypeFilter
func NewTypeFilter(types []procIO.Type) MemorySegmentFilter
type MemorySegmentFilterFunc
type MemorySegmentFilterFunc func(info *procIO.MemorySegmentInfo) bool
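The filter types above compose: NewAndFilter chains several MemorySegmentFilters, and a FilterMatch carries the Reason a segment was rejected, which is what decides how much of a process's address space a ProcessScanner hands to the MemoryScanner. The following is an added example, not yapscan's code: it re-implements that pattern with stand-in types (the MemorySegmentInfo fields, the lower-case filter constructors, the andFilter combination rule and the "private, executable, at least 4 KiB" policy are all assumptions made for this illustration, and the page does not document how yapscan's own NewAndFilter reports reasons) to show how a filter chain partitions a memory map into segments to scan and per-segment skip reasons.

```go
package main

import "fmt"

// Stand-in for procIO.MemorySegmentInfo (an assumption for this example, not
// procIO's real definition).
type MemorySegmentInfo struct {
	BaseAddress uint64
	Size        uintptr
	Executable  bool
	Private     bool // private (anonymous) memory rather than image/file-backed
}

type FilterMatch struct {
	Result bool
	MSI    *MemorySegmentInfo
	Reason string // set only when Result is false
}

type MemorySegmentFilter interface {
	Filter(info *MemorySegmentInfo) *FilterMatch
}

// funcFilter plays the role of the filter NewFilterFromFunc returns; the reason
// template is expanded once, at construction, with the filter's parameter.
type funcFilter struct {
	fn     func(*MemorySegmentInfo) bool
	reason string
}

func (f funcFilter) Filter(info *MemorySegmentInfo) *FilterMatch {
	m := &FilterMatch{Result: f.fn(info), MSI: info}
	if !m.Result {
		m.Reason = f.reason
	}
	return m
}

func newFilterFromFunc(fn func(*MemorySegmentInfo) bool, parameter interface{}, reasonTemplate string) MemorySegmentFilter {
	reason := reasonTemplate
	if parameter != nil {
		reason = fmt.Sprintf(reasonTemplate, parameter)
	}
	return funcFilter{fn: fn, reason: reason}
}

// andFilter accepts a segment only if every sub-filter does. It returns the
// first rejecting FilterMatch, so Reason names the first violated policy (an
// assumption; the page does not say how NewAndFilter combines reasons).
type andFilter []MemorySegmentFilter

func (a andFilter) Filter(info *MemorySegmentInfo) *FilterMatch {
	for _, f := range a {
		if m := f.Filter(info); !m.Result {
			return m
		}
	}
	return &FilterMatch{Result: true, MSI: info}
}

// scanPolicy is an example policy, not yapscan's default: scan only private,
// executable segments of at least one 4 KiB page, where injected code usually
// lives; skipping the rest keeps scan time down.
func scanPolicy() MemorySegmentFilter {
	minSize := uintptr(4096)
	return andFilter{
		newFilterFromFunc(func(i *MemorySegmentInfo) bool { return i.Size >= minSize }, minSize, "segment smaller than %d bytes"),
		newFilterFromFunc(func(i *MemorySegmentInfo) bool { return i.Executable }, nil, "segment is not executable"),
		newFilterFromFunc(func(i *MemorySegmentInfo) bool { return i.Private }, nil, "segment is not private"),
	}
}

// selectSegments splits segs into addresses to scan and, for the rest, the reason each was skipped.
func selectSegments(segs []MemorySegmentInfo, f MemorySegmentFilter) (scan []uint64, skipped map[uint64]string) {
	skipped = map[uint64]string{}
	for i := range segs {
		if m := f.Filter(&segs[i]); m.Result {
			scan = append(scan, segs[i].BaseAddress)
		} else {
			skipped[segs[i].BaseAddress] = m.Reason
		}
	}
	return scan, skipped
}

// sampleSegments is a constructed memory map, not one read from a real process.
func sampleSegments() []MemorySegmentInfo {
	return []MemorySegmentInfo{
		{BaseAddress: 0x1000, Size: 0x1000, Executable: true, Private: true},   // scanned
		{BaseAddress: 0x2000, Size: 0x800, Executable: true, Private: true},    // too small
		{BaseAddress: 0x3000, Size: 0x10000, Executable: false, Private: true}, // not executable
		{BaseAddress: 0x4000, Size: 0x10000, Executable: true, Private: false}, // image-backed
	}
}

func main() {
	scan, skipped := selectSegments(sampleSegments(), scanPolicy())
	fmt.Printf("scan: %#x\nskipped: %v\n", scan, skipped)
}
```

Because the reason string is built when the filter is constructed, a rejected segment reports the threshold that actually applied (here "segment smaller than 4096 bytes"), which is what makes skip reasons useful when tuning a policy against a real process's memory map.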
type ProcessScanner
type ProcessScanner struct {
// contains filtered or unexported fields
}
func NewProcessScanner
func NewProcessScanner(proc procIO.Process, filter MemorySegmentFilter, scanner MemoryScanner) *ProcessScanner
func (*ProcessScanner) Scan
func (s *ProcessScanner) Scan() (<-chan *MemoryScanProgress, error)
type YaraScanner
type YaraScanner struct {
// contains filtered or unexported fields
}
YaraScanner is a wrapper for yara.Rules with a more Go-like interface.
func NewYaraScanner
func NewYaraScanner(rules Rules) (*YaraScanner, error)
NewYaraScanner creates a new YaraScanner from the given yara.Rules.
func (*YaraScanner) ScanFile
func (s *YaraScanner) ScanFile(filename string) ([]yara.MatchRule, error)
ScanFile scans the file with the given filename. This function simply calls ScanFile on the underlying yara.Rules object.
func (*YaraScanner) ScanMem
func (s *YaraScanner) ScanMem(buf []byte) ([]yara.MatchRule, error)
ScanMem scans the given buffer. This function simply calls ScanMem on the underlying yara.Rules object.
Directories
Path | Synopsis
---|---
cmd |
experiments |
customWin32 | Package customWin32 provides a small subset of win32 bindings.