def __init__(self, *args, **kwargs): super(WinPhysicalYaraScanner, self).__init__(*args, **kwargs) try: # The user gave a yara DSL rule. if self.plugin_args.yara_expression: self.rules = yara.compile( source=self.plugin_args.yara_expression) self.parsed_rules = yara_support.parse_yara_to_ast( self.plugin_args.yara_expression) # User gave a yara AST. elif self.plugin_args.yara_ast: self.parsed_rules = self.plugin_args.yara_ast self.rules = yara.compile( source=yara_support.ast_to_yara(self.parsed_rules)) else: raise plugin.PluginError("A yara expression must be provided.") all_strings = [] rule_id = 0 for parsed_rule in self.parsed_rules: name = parsed_rule["name"] for k, v in parsed_rule["strings"]: rule_name = "%s_%d_REKALL_%s" % (k, rule_id, name) all_strings.append((rule_name, v)) rule_id += 1 self.parsed_unified_rule = [ dict(name="XX", strings=all_strings, condition="any of them") ] self.plugin_args.unified_yara_expression = ( yara_support.ast_to_yara(self.parsed_unified_rule)) self.unified_rule = yara.compile( source=self.plugin_args.unified_yara_expression) self.context_buffer = ContextBuffer(self.session) except Exception as e: raise plugin.PluginError( "Failed to compile yara expression: %s" % e)
def testParser(self): for rule in self.rules: parsed = yara_support.parse_yara_to_ast(rule) self.assertTrue(len(parsed) > 0) # Now check to make sure that the reconstructed rule is the same as # the original rule. We do not preserve comments though. self.assertEqual( self.normalize_rule(rule), self.normalize_rule(yara_support.ast_to_yara(parsed)))
def testParser(self): for rule in self.rules: parsed = yara_support.parse_yara_to_ast(rule) self.assertTrue(len(parsed) > 0) # Now check to make sure that the reconstructed rule is the same as # the original rule. We do not preserve comments though. self.assertEqual(self.normalize_rule(rule), self.normalize_rule( yara_support.ast_to_yara(parsed)))
def __init__(self, *args, **kwargs): super(WinPhysicalYaraScanner, self).__init__(*args, **kwargs) try: # The user gave a yara DSL rule. if self.plugin_args.yara_expression: self.rules = yara.compile( source=self.plugin_args.yara_expression) self.parsed_rules = yara_support.parse_yara_to_ast( self.plugin_args.yara_expression) # User gave a yara AST. elif self.plugin_args.yara_ast: self.parsed_rules = self.plugin_args.yara_ast self.rules = yara.compile( source=yara_support.ast_to_yara(self.parsed_rules)) else: raise plugin.PluginError("A yara expression must be provided.") all_strings = [] rule_id = 0 for parsed_rule in self.parsed_rules: name = parsed_rule["name"] for k, v in parsed_rule["strings"]: rule_name = "%s_%d_REKALL_%s" % (k, rule_id, name) all_strings.append((rule_name, v)) rule_id += 1 self.parsed_unified_rule = [ dict(name="XX", strings=all_strings, condition="any of them") ] self.plugin_args.unified_yara_expression = ( yara_support.ast_to_yara(self.parsed_unified_rule)) self.unified_rule = yara.compile( source=self.plugin_args.unified_yara_expression) self.context_buffer = ContextBuffer(self.session) except Exception as e: raise plugin.PluginError("Failed to compile yara expression: %s" % e)