def each_dump(self):
self.ignored_rules = list_value(self.ignored_rules)
# Create file containing rules
tmpdir = tempdir()
rules_path = os.path.join(tmpdir, "rules")
rules = open(rules_path, "w")
rules.write(self.rules)
rules.close()
# Build a VadYaraScan plugin instance
vad_yara_scan = self.configure_plugin(
"windows.vadyarascan.VadYaraScan",
yara_file="file://{}".format(rules_path))
rules = yarascan.YaraScan.process_yara_options(
dict(vad_yara_scan.config))
for task in pslist.PsList.list_processes(
context=vad_yara_scan.context,
layer_name=vad_yara_scan.config["primary"],
symbol_table=vad_yara_scan.config["nt_symbols"],
):
layer_name = task.add_process_layer()
layer = vad_yara_scan.context.layers[layer_name]
for offset, rule_name, name, value in layer.scan(
context=vad_yara_scan.context,
scanner=yarascan.YaraScanner(rules=rules),
sections=vad_yara_scan.get_vad_maps(task),
):
if rule_name not in self.ignored_rules:
self.results.append({
"rule":
rule_name,
"owner":
task.ImageFileName.cast(
"string",
max_length=task.ImageFileName.vol.count,
errors="replace"),
"pid":
task.UniqueProcessId,
"variable":
name,
"hexdump":
hexdump(value, result="return"),
})
self.add_tag(rule_name)
return len(self.results) > 0
def update_setting_value(self, name, value):
if is_iterable(self[name]):
value = list_value(value)
for element in value:
if element not in self[name]:
self._add_value(name, element)
for element in self[name]:
if element not in value:
self._remove_value(name, element)
self[name] = value
else:
if self[name] != value:
self['diffs'][name] = value
self[name] = value
def each_dump(self):
self.ignored_rules = list_value(self.ignored_rules)
matched = False
# Create file containing rules
tmpdir = tempdir()
rules_path = os.path.join(tmpdir, 'rules')
rules = open(rules_path, 'wb')
rules.write(self.rules)
rules.close()
self._volconfig.update("YARA_FILE", rules_path)
plugin = self.plugins["yarascan"](self._volconfig)
# code mostly taken from cuckoo
for o, addr, hit, content in plugin.calculate():
if hit.rule not in self.ignored_rules:
if o is None:
owner = "Unknown Kernel Memory"
elif o.obj_name == "_EPROCESS":
owner = "Process {0} Pid {1}".format(
o.ImageFileName, o.UniqueProcessId)
else:
owner = "{0}".format(o.BaseDllName)
hexdump = "".join(
"{0:#010x} {1:<48} {2}\n".format(addr + o, h, ''.join(c))
for o, h, c in self._volutils.Hexdump(content[0:64]))
new = {
"rule": hit.rule,
"owner": owner,
"hexdump": hexdump,
}
self.results.append(new)
self.add_tag(hit.rule)
matched = True
return matched
