コード例 #1
0
ファイル: yarascan.py プロジェクト: google/rekall
    def __init__(self, *args, **kwargs):
        super(WinPhysicalYaraScanner, self).__init__(*args, **kwargs)
        try:
            # The user gave a yara DSL rule.
            if self.plugin_args.yara_expression:
                self.rules = yara.compile(
                    source=self.plugin_args.yara_expression)

                self.parsed_rules = yara_support.parse_yara_to_ast(
                    self.plugin_args.yara_expression)

            # User gave a yara AST.
            elif self.plugin_args.yara_ast:
                self.parsed_rules = self.plugin_args.yara_ast
                self.rules = yara.compile(
                    source=yara_support.ast_to_yara(self.parsed_rules))
            else:
                raise plugin.PluginError("A yara expression must be provided.")

            all_strings = []
            rule_id = 0
            for parsed_rule in self.parsed_rules:
                name = parsed_rule["name"]
                for k, v in parsed_rule["strings"]:
                    rule_name = "%s_%d_REKALL_%s" % (k, rule_id, name)
                    all_strings.append((rule_name, v))
                    rule_id += 1

            self.parsed_unified_rule = [
                dict(name="XX",
                     strings=all_strings,
                     condition="any of them")
            ]
            self.plugin_args.unified_yara_expression = (
                yara_support.ast_to_yara(self.parsed_unified_rule))

            self.unified_rule = yara.compile(
                source=self.plugin_args.unified_yara_expression)

            self.context_buffer = ContextBuffer(self.session)

        except Exception as e:
            raise plugin.PluginError(
                "Failed to compile yara expression: %s" % e)
コード例 #2
0
    def testParser(self):
        for rule in self.rules:
            parsed = yara_support.parse_yara_to_ast(rule)
            self.assertTrue(len(parsed) > 0)

            # Now check to make sure that the reconstructed rule is the same as
            # the original rule. We do not preserve comments though.
            self.assertEqual(
                self.normalize_rule(rule),
                self.normalize_rule(yara_support.ast_to_yara(parsed)))
コード例 #3
0
    def testParser(self):
        for rule in self.rules:
            parsed = yara_support.parse_yara_to_ast(rule)
            self.assertTrue(len(parsed) > 0)

            # Now check to make sure that the reconstructed rule is the same as
            # the original rule. We do not preserve comments though.
            self.assertEqual(self.normalize_rule(rule),
                             self.normalize_rule(
                                 yara_support.ast_to_yara(parsed)))
コード例 #4
0
    def __init__(self, *args, **kwargs):
        super(WinPhysicalYaraScanner, self).__init__(*args, **kwargs)
        try:
            # The user gave a yara DSL rule.
            if self.plugin_args.yara_expression:
                self.rules = yara.compile(
                    source=self.plugin_args.yara_expression)

                self.parsed_rules = yara_support.parse_yara_to_ast(
                    self.plugin_args.yara_expression)

            # User gave a yara AST.
            elif self.plugin_args.yara_ast:
                self.parsed_rules = self.plugin_args.yara_ast
                self.rules = yara.compile(
                    source=yara_support.ast_to_yara(self.parsed_rules))
            else:
                raise plugin.PluginError("A yara expression must be provided.")

            all_strings = []
            rule_id = 0
            for parsed_rule in self.parsed_rules:
                name = parsed_rule["name"]
                for k, v in parsed_rule["strings"]:
                    rule_name = "%s_%d_REKALL_%s" % (k, rule_id, name)
                    all_strings.append((rule_name, v))
                    rule_id += 1

            self.parsed_unified_rule = [
                dict(name="XX", strings=all_strings, condition="any of them")
            ]
            self.plugin_args.unified_yara_expression = (
                yara_support.ast_to_yara(self.parsed_unified_rule))

            self.unified_rule = yara.compile(
                source=self.plugin_args.unified_yara_expression)

            self.context_buffer = ContextBuffer(self.session)

        except Exception as e:
            raise plugin.PluginError("Failed to compile yara expression: %s" %
                                     e)