README
¶
Repackaged go-yara
This package is a repackaged version of https://github.com/hillu/go-yara which focuses on making it easier to use.
Instead of requiring users to install the yara library on the build system, this package already includes the library within it. This makes it very easy to use - simply add the dependency and build normally.
The resulting binary will also be statically built and have no external shared object dependencies. No need to mess with build flags:
~/go/src/github.com/Velocidex/go-yara$ go build _examples/simple-yara/simple-yara.go
~/go/src/github.com/Velocidex/go-yara$ ldd simple-yara
linux-vdso.so.1 (0x00007ffd4085a000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fcd9867c000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fcd9828b000)
/lib64/ld-linux-x86-64.so.2 (0x00007fcd9889b000)
To build for windows, there is no need to build the yara library first, just build your project with the usual steps:
~/go/src/github.com/Velocidex/go-yara$ GOOS=windows GOARCH=amd64 \
CGO_ENABLED=1 CC=x86_64-w64-mingw32-gcc \
go build _examples/simple-yara/simple-yara.go
go-yara
Go bindings for YARA, staying as
close as sensible to the library's C-API while taking inspiration from
the yara-python implementation.
Installation
Unix
On a Unix system with libyara, its header files, and pkg-config
installed, the following should simply work, provided that GOPATH is
set:
go get github.com/hillu/go-yara
go install github.com/hillu/go-yara
The pkg-config program should be able to output the correct compiler
and linker flags from the yara.pc file that has been generated and
installed by YARA's build system. If libyara has been installed to
a custom location, the PKG_CONFIG_PATH environment variable can be
used to point pkg-config at the right yara.pc file. If
pkg-config cannot be used at all, please see "Build Tags" below.
Linker errors in the compiler output such as
undefined reference to `yr_compiler_add_file'
indicate that the linker is probably looking at an old version of libyara.
Cross-building for Windows
go-yara can be cross-built on a current Debian system using the
MinGW cross compiler (gcc-mingw-w64) if the Go compiler contains
Windows runtime libraries with CGO support
(cf.). After libyara has
been built from the source tree with the MinGW compiler using the
usual ./configure && make && make install, go-yara can be built
and installed. Some environment variables need to be set when running
go build or go install:
GOOS,GOARCHindicate the cross compilation target.CGO_ENABLEDis set to 1 beacuse it defaults to 0 when cross-compiling.CChas to specified because the go tool has no knowledge on what C compiler to use (it defaults to the system C compiler, usually gcc).PKG_CONFIG_PATHis set so the go tool can determine correct locations for headers and libraries through pkg-config.
32bit:
$ cd ${YARA_SRC} \
&& ./bootstrap.sh \
&& ./configure --host=i686-w64-mingw32 --disable-magic --disable-cuckoo --without-crypto --prefix=${YARA_SRC}/i686-w64-mingw32 \
&& make -C ${YARA_SRC} \
&& make -C ${YARA_SRC} install
$ GOOS=windows GOARCH=amd64 CGO_ENABLED=1 \
CC=i686-w64-mingw32-gcc \
PKG_CONFIG_PATH=${YARA_SRC}/i686-w64-mingw32/lib/pkgconfig \
go install -ldflags '-extldflags "-static"' github.com/hillu/go-yara
64bit:
$ cd ${YARA_SRC} \
&& ./bootstrap.sh \
&& ./configure --host=x86_64-w64-mingw32 --disable-magic --disable-cuckoo --without-crypto --prefix=${YARA_SRC}/x86_64-w64-mingw32 \
&& make -C ${YARA_SRC} \
&& make -C ${YARA_SRC} install
$ GOOS=windows GOARCH=amd64 CGO_ENABLED=1 \
CC=x86_64-w64-mingw32-gcc \
PKG_CONFIG_PATH=${YARA_SRC}/x86_64-w64-mingw32/lib/pkgconfig \
go install -ldflags '-extldflags "-static"' github.com/hillu/go-yara
Build Tags
go-yara is tested with the latest stable version of YARA, currently
3.7. If you need to to build with an older version of YARA, certain
features that are not present in older versions can be excluded by
passing a build tag such as yara3.3, yara3.4, yara3.5. If you
want to build with a git snapshot of YARA, you may use a build tag
corresponding to the upcoming stable YARA version, currently
yara3.8. You also need to pass the tag when you build your own
project.
The build tag yara_static can be used to tell the Go toolchain to
run pkg-config with the --static switch.
The build tag no_pkg_config can be used to tell the Go toolchain not
to use pkg-config's output. In this case, any compiler or linker
flags have to be set via the CGO_CFLAGS and CGO_LDFLAGS
environment variables, e.g.:
export CGO_CFLAGS="-I${YARA_SRC}/libyara/include"
export CGO_LDFLAGS="-L${YARA_SRC}/libyara/.libs -lyara"
go install -tags no_pkg_config github.com/hillu/go-yara
License
BSD 2-clause, see LICENSE file in the source distribution.
Author
Hilko Bengen bengen@hilluzination.de
Documentation
¶
Overview ¶
Package yara provides bindings to the YARA library.
Index ¶
- Constants
- func Finalize()
- func GetConfiguration(name ConfigName) (interface{}, error)
- func SetConfiguration(name ConfigName, src interface{}) error
- type Compiler
- func (c *Compiler) AddFile(file *os.File, namespace string) (err error)
- func (c *Compiler) AddString(rules string, namespace string) (err error)
- func (c *Compiler) DefineVariable(identifier string, value interface{}) (err error)
- func (c *Compiler) Destroy()
- func (c *Compiler) DisableIncludes()
- func (c *Compiler) GetRules() (*Rules, error)
- func (c *Compiler) SetIncludeCallback(cb CompilerIncludeFunc)
- type CompilerIncludeFunc
- type CompilerMessage
- type ConfigName
- type Match
- type MatchRule
- type MatchRules
- type MatchString
- type Object
- type Rule
- type Rules
- func (r *Rules) DefineVariable(identifier string, value interface{}) (err error)
- func (r *Rules) Destroy()
- func (r *Rules) GetRules() (rv []Rule)
- func (r *Rules) Save(filename string) (err error)
- func (r *Rules) ScanFile(filename string, flags ScanFlags, timeout time.Duration) (matches []MatchRule, err error)
- func (r *Rules) ScanFileDescriptor(fd uintptr, flags ScanFlags, timeout time.Duration) (matches []MatchRule, err error)
- func (r *Rules) ScanFileDescriptorWithCallback(fd uintptr, flags ScanFlags, timeout time.Duration, cb ScanCallback) (err error)
- func (r *Rules) ScanFileWithCallback(filename string, flags ScanFlags, timeout time.Duration, cb ScanCallback) (err error)
- func (r *Rules) ScanMem(buf []byte, flags ScanFlags, timeout time.Duration) (matches []MatchRule, err error)
- func (r *Rules) ScanMemWithCallback(buf []byte, flags ScanFlags, timeout time.Duration, cb ScanCallback) (err error)
- func (r *Rules) ScanProc(pid int, flags ScanFlags, timeout time.Duration) (matches []MatchRule, err error)
- func (r *Rules) ScanProcWithCallback(pid int, flags ScanFlags, timeout time.Duration, cb ScanCallback) (err error)
- func (r *Rules) Write(wr io.Writer) (err error)
- type ScanCallback
- type ScanCallbackFinished
- type ScanCallbackMatch
- type ScanCallbackModuleImport
- type ScanCallbackModuleImportFinished
- type ScanCallbackNoMatch
- type ScanFlags
- type String
Constants ¶
const ( // ScanFlagsFastMode avoids multiple matches of the same string // when not necessary. ScanFlagsFastMode = C.SCAN_FLAGS_FAST_MODE // ScanFlagsProcessMemory causes the scanned data to be // interpreted like live, in-prcess memory rather than an on-disk // file. ScanFlagsProcessMemory = C.SCAN_FLAGS_PROCESS_MEMORY )
Variables ¶
This section is empty.
Functions ¶
func Finalize ¶ added in v1.1.9
func Finalize()
Finalize releases all the resources allocated by the YARA library. It should be called by the program when it no longer needs YARA, e.g. just before the program exits. It is not strictly necessary to call Finalize because the allocated memory will be freed on program exit; however, explicitly-freed resources will not show up as a leak in memory profiling tools.
A good practice is calling Finalize as a deferred function in the program's main function:
defer yara.Finalize()
func GetConfiguration ¶ added in v1.1.9
func GetConfiguration(name ConfigName) (interface{}, error)
GetConfiguration gets a global YARA configuration option.
func SetConfiguration ¶ added in v1.1.9
func SetConfiguration(name ConfigName, src interface{}) error
SetCnofiguration sets a global YARA configuration option.
Types ¶
type Compiler ¶
type Compiler struct {
Errors []CompilerMessage
Warnings []CompilerMessage
// contains filtered or unexported fields
}
A Compiler encapsulates the YARA compiler that transforms rules into YARA's internal, binary form which in turn is used for scanning files or memory blocks.
func (*Compiler) AddFile ¶
AddFile compiles rules from a file. Rules are added to the specified namespace.
If this function returns an error, the Compiler object will become unusable.
func (*Compiler) AddString ¶
AddString compiles rules from a string. Rules are added to the specified namespace.
If this function returns an error, the Compiler object will become unusable.
func (*Compiler) DefineVariable ¶
DefineVariable defines a named variable for use by the compiler. Boolean, int64, float64, and string types are supported.
func (*Compiler) Destroy ¶
func (c *Compiler) Destroy()
Destroy destroys the YARA data structure representing a compiler. Since a Finalizer for the underlying YR_COMPILER structure is automatically set up on creation, it should not be necessary to explicitly call this method.
func (*Compiler) DisableIncludes ¶ added in v1.0.5
func (c *Compiler) DisableIncludes()
DisableIncludes disables all include statements in the compiler. See yr_compiler_set_include_callbacks.
func (*Compiler) SetIncludeCallback ¶ added in v1.0.5
func (c *Compiler) SetIncludeCallback(cb CompilerIncludeFunc)
SetIncludeCallback sets up cb as an include callback that is called (through Go glue code) by the YARA compiler for every include statement.
type CompilerIncludeFunc ¶ added in v1.0.5
CompilerIncludeFunc is the type of the function that can be registered through SetIncludeCallback. It is called for every include statement encountered by the compiler. The argument "name" specifies the rule file to be included, "filename" specifies the name of the rule file where the include statement has been encountered, and "namespace" specifies the rule namespace. The sole return value is a byte slice containing the contents of the included file. A return value of nil signals an error to the YARA compiler.
See also: yr_compiler_set_include_callback in the YARA C API documentation.
type CompilerMessage ¶
A CompilerMessage contains an error or warning message produced while compiling sets of rules using AddString or AddFile.
type ConfigName ¶ added in v1.1.9
type ConfigName uint32
const ( ConfigStackSize ConfigName = C.YR_CONFIG_STACK_SIZE ConfigMaxStringsPerRule = C.YR_CONFIG_MAX_STRINGS_PER_RULE )
const ConfigMaxMatchData ConfigName = C.YR_CONFIG_MAX_MATCH_DATA
type Match ¶ added in v1.0.6
type Match struct {
// contains filtered or unexported fields
}
Match represents a string match
type MatchRule ¶
type MatchRule struct {
Rule string
Namespace string
Tags []string
Meta map[string]interface{}
Strings []MatchString
}
A MatchRule represents a rule successfully matched against a block of data.
type MatchRules ¶ added in v1.0.7
type MatchRules []MatchRule
MatchRules is used to collect matches that are returned by the simple (*Rules).Scan* methods.
func (*MatchRules) RuleMatching ¶ added in v1.0.7
func (mr *MatchRules) RuleMatching(r *Rule) (abort bool, err error)
RuleMatching implements the ScanCallbackMatch interface for MatchRules.
type MatchString ¶
A MatchString represents a string declared and matched in a rule.
type Rule ¶ added in v1.0.5
type Rule struct {
// contains filtered or unexported fields
}
Rule represents a single rule as part of a ruleset
func (*Rule) Identifier ¶ added in v1.0.5
Identifier returns the rule's name.
func (*Rule) Metas ¶ added in v1.0.5
Metas returns a map containing the rule's meta variables. Values can be of type string, int, bool, or nil.
type Rules ¶
type Rules struct {
// contains filtered or unexported fields
}
Rules contains a compiled YARA ruleset.
func Compile ¶
Compile compiles rules and an (optional) set of variables into a Rules object in a single step.
func MustCompile ¶
MustCompile is like Compile but panics if the rules and optional variables can't be compiled. Like regexp.MustCompile, it allows for simple, safe initialization of global or test data.
func (*Rules) DefineVariable ¶
DefineVariable defines a named variable for use by the compiler. Boolean, int64, float64, and string types are supported.
func (*Rules) Destroy ¶
func (r *Rules) Destroy()
Destroy destroys the YARA data structure representing a ruleset. Since a Finalizer for the underlying YR_RULES structure is automatically set up on creation, it should not be necessary to explicitly call this method.
func (*Rules) GetRules ¶ added in v1.0.5
GetRules returns a slice of rule objects that are part of the ruleset
func (*Rules) ScanFile ¶
func (r *Rules) ScanFile(filename string, flags ScanFlags, timeout time.Duration) (matches []MatchRule, err error)
ScanFile scans a file using the ruleset, returning matches via a list of MatchRule objects.
func (*Rules) ScanFileDescriptor ¶
func (r *Rules) ScanFileDescriptor(fd uintptr, flags ScanFlags, timeout time.Duration) (matches []MatchRule, err error)
ScanFileDescriptor scans a file using the ruleset, returning matches via a list of MatchRule objects.
func (*Rules) ScanFileDescriptorWithCallback ¶ added in v1.0.7
func (r *Rules) ScanFileDescriptorWithCallback(fd uintptr, flags ScanFlags, timeout time.Duration, cb ScanCallback) (err error)
ScanFileDescriptor scans a file using the ruleset. For every event emitted by libyara, the appropriate method on the ScanCallback object is called.
func (*Rules) ScanFileWithCallback ¶ added in v1.0.7
func (r *Rules) ScanFileWithCallback(filename string, flags ScanFlags, timeout time.Duration, cb ScanCallback) (err error)
ScanFileWithCallback scans a file using the ruleset. For every event emitted by libyara, the appropriate method on the ScanCallback object is called.
func (*Rules) ScanMem ¶
func (r *Rules) ScanMem(buf []byte, flags ScanFlags, timeout time.Duration) (matches []MatchRule, err error)
ScanMem scans an in-memory buffer using the ruleset, returning matches via a list of MatchRule objects.
func (*Rules) ScanMemWithCallback ¶ added in v1.0.7
func (r *Rules) ScanMemWithCallback(buf []byte, flags ScanFlags, timeout time.Duration, cb ScanCallback) (err error)
ScanMemWithCallback scans an in-memory buffer using the ruleset. For every event emitted by libyara, the appropriate method on the ScanCallback object is called.
func (*Rules) ScanProc ¶
func (r *Rules) ScanProc(pid int, flags ScanFlags, timeout time.Duration) (matches []MatchRule, err error)
ScanProc scans a live process using the ruleset, returning matches via a list of MatchRule objects.
func (*Rules) ScanProcWithCallback ¶ added in v1.0.7
func (r *Rules) ScanProcWithCallback(pid int, flags ScanFlags, timeout time.Duration, cb ScanCallback) (err error)
ScanProcWithCallback scans a live process using the ruleset. For every event emitted by libyara, the appropriate method on the ScanCallback object is called.
type ScanCallback ¶ added in v1.0.7
type ScanCallback interface{}
ScanCallback is a placeholder for different interfaces that may be implemented by the callback object that is passed to the (*Rules).Scan*WithCallback methods.
type ScanCallbackFinished ¶ added in v1.0.7
ScanCallbackFinished is used to signal that a scan has finished. The ScanFinished method corresponds to YARA's CALLBACK_MSG_SCAN_FINISHED message.
type ScanCallbackMatch ¶ added in v1.0.7
ScanCallbackMatch is used to record rules that matched during a scan. The RuleMatching method corresponds to YARA's CALLBACK_MSG_RULE_MATCHING message.
type ScanCallbackModuleImport ¶ added in v1.0.7
ScanCallbackModuleImport is used to provide data to a YARA module. The ImportModule method corresponds to YARA's CALLBACK_MSG_IMPORT_MODULE message.
type ScanCallbackModuleImportFinished ¶ added in v1.0.7
ScanCallbackModuleImportFinished can be used to free resources that have been used in the ScanCallbackModuleImport implementation. The ModuleImported method corresponds to YARA's CALLBACK_MSG_MODULE_IMPORTED message.
type ScanCallbackNoMatch ¶ added in v1.0.7
ScanCallbackNoMatch is used to record rules that did not match during a scan. The RuleNotMatching method corresponds to YARA's CALLBACK_MSG_RULE_NOT_MATCHING mssage.
type String ¶ added in v1.0.6
type String struct {
// contains filtered or unexported fields
}
String represents a string as part of a rule
func (*String) Identifier ¶ added in v1.0.6
Identifier returns the string's name
Source Files
¶
- cbpool.go
- cgo.go
- compiler.go
- compiler_addfile_yara36.go
- compiler_yara37.go
- config.go
- config_yara38.go
- error.go
- error_yara34.go
- error_yara35.go
- error_yara36.go
- error_yara37.go
- error_yara38.go
- keepalive_go17.go
- main.go
- object.go
- rule.go
- rule_yara35.go
- rule_yara37.go
- rules.go
- rules_callback.go
- rules_yara34.go
- stream.go
- util.go
Directories