def each_dump(self): self.ignored_rules = list_value(self.ignored_rules) # Create file containing rules tmpdir = tempdir() rules_path = os.path.join(tmpdir, "rules") rules = open(rules_path, "w") rules.write(self.rules) rules.close() # Build a VadYaraScan plugin instance vad_yara_scan = self.configure_plugin( "windows.vadyarascan.VadYaraScan", yara_file="file://{}".format(rules_path)) rules = yarascan.YaraScan.process_yara_options( dict(vad_yara_scan.config)) for task in pslist.PsList.list_processes( context=vad_yara_scan.context, layer_name=vad_yara_scan.config["primary"], symbol_table=vad_yara_scan.config["nt_symbols"], ): layer_name = task.add_process_layer() layer = vad_yara_scan.context.layers[layer_name] for offset, rule_name, name, value in layer.scan( context=vad_yara_scan.context, scanner=yarascan.YaraScanner(rules=rules), sections=vad_yara_scan.get_vad_maps(task), ): if rule_name not in self.ignored_rules: self.results.append({ "rule": rule_name, "owner": task.ImageFileName.cast( "string", max_length=task.ImageFileName.vol.count, errors="replace"), "pid": task.UniqueProcessId, "variable": name, "hexdump": hexdump(value, result="return"), }) self.add_tag(rule_name) return len(self.results) > 0
def update_setting_value(self, name, value): if is_iterable(self[name]): value = list_value(value) for element in value: if element not in self[name]: self._add_value(name, element) for element in self[name]: if element not in value: self._remove_value(name, element) self[name] = value else: if self[name] != value: self['diffs'][name] = value self[name] = value
def each_dump(self): self.ignored_rules = list_value(self.ignored_rules) matched = False # Create file containing rules tmpdir = tempdir() rules_path = os.path.join(tmpdir, 'rules') rules = open(rules_path, 'wb') rules.write(self.rules) rules.close() self._volconfig.update("YARA_FILE", rules_path) plugin = self.plugins["yarascan"](self._volconfig) # code mostly taken from cuckoo for o, addr, hit, content in plugin.calculate(): if hit.rule not in self.ignored_rules: if o is None: owner = "Unknown Kernel Memory" elif o.obj_name == "_EPROCESS": owner = "Process {0} Pid {1}".format( o.ImageFileName, o.UniqueProcessId) else: owner = "{0}".format(o.BaseDllName) hexdump = "".join( "{0:#010x} {1:<48} {2}\n".format(addr + o, h, ''.join(c)) for o, h, c in self._volutils.Hexdump(content[0:64])) new = { "rule": hit.rule, "owner": owner, "hexdump": hexdump, } self.results.append(new) self.add_tag(hit.rule) matched = True return matched