本文整理汇总了Python中yara.compile函数的典型用法代码示例。如果您正苦于以下问题:Python compile函数的具体用法?Python compile怎么用?Python compile使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了compile函数的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: __init__
def __init__(self, string=None, scan_physical=False, yara_file=None, yara_expression=None, **kwargs):
"""Scan using yara signatures.
Args:
string: A verbatim string to search for.
we scan their entire address spaces.
scan_physical: If true we scan the physical address space.
yara_file: The yara file to read.
yara_expression: If provided we scan for this yarra expression.
"""
super(LinYaraScan, self).__init__(**kwargs)
if yara_expression:
self.rules_source = yara_expression
self.rules = yara.compile(source=self.rules_source)
elif string:
self.rules_source = 'rule r1 {strings: $a = "%s" condition: $a}' % string
self.rules = yara.compile(source=self.rules_source)
elif yara_file:
self.rules = yara.compile(yara_file)
else:
raise plugin.PluginError("You must specify a yara rule file or " "string to match.")
self.scan_physical = scan_physical示例2: YARACompile
def YARACompile(ruledata):
if ruledata.startswith('#'):
if ruledata.startswith('#h#'):
rule = binascii.a2b_hex(ruledata[3:])
elif ruledata.startswith('#b#'):
rule = binascii.a2b_base64(ruledata[3:])
elif ruledata.startswith('#s#'):
rule = 'rule string {strings: $a = "%s" ascii wide nocase condition: $a}' % ruledata[3:]
elif ruledata.startswith('#q#'):
rule = ruledata[3:].replace("'", '"')
elif ruledata.startswith('#x#'):
rule = 'rule hexadecimal {strings: $a = { %s } condition: $a}' % ruledata[3:]
elif ruledata.startswith('#r#'):
rule = 'rule regex {strings: $a = /%s/ ascii wide nocase condition: $a}' % ruledata[3:]
else:
rule = ruledata[1:]
return yara.compile(source=rule, externals={'streamname': '', 'VBA': False})
else:
dFilepaths = {}
if os.path.isdir(ruledata):
for root, dirs, files in os.walk(ruledata):
for file in files:
filename = os.path.join(root, file)
dFilepaths[filename] = filename
else:
for filename in ProcessAt(ruledata):
dFilepaths[filename] = filename
return yara.compile(filepaths=dFilepaths, externals={'streamname': '', 'VBA': False})示例3: _yara_check
def _yara_check(targ):
# Utilize yara rules packed into this script to check for nasty stuff. Compile each rule stored in tmp and check the rule_match results for a Match True hit.
contains_pe_file_rule = yara.compile(filepath='/tmp/automal/contains_pe_file.yara')
match_pe = contains_pe_file_rule.match(targ)
yara_pe_res = ""
if len(match_pe) == 1:
match_data_pe = str(match_pe).split(',')
for item in match_data_pe:
if "True" in item.strip() and "matches" in item.strip():
yara_pe_res = "Present_PE_Hit"
if yara_pe_res != "Present_PE_Hit":
yara_pe_res = "PE_None"
else:
if yara_pe_res != "Present_PE_Hit":
yara_pe_res = "PE_None"
maldoc_file_rule = yara.compile(filepath='/tmp/automal/maldoc.yara')
match_maldoc = maldoc_file_rule.match(targ)
yara_maldoc_res = ""
if len(match_maldoc) == 1:
match_data_maldoc = str(match_maldoc).split(',')
for item in match_data_maldoc:
if "True" in item.strip() and "matches" in item.strip():
yara_maldoc_res = "Present_Maldoc_Hit"
if yara_maldoc_res != "Present_Maldoc_Hit":
yara_maldoc_res = "Maldoc_None"
else:
if yara_maldoc_res != "Present_Maldoc_Hit":
yara_maldoc_res = "Maldoc_None"
return(yara_pe_res, yara_maldoc_res)示例4: compile_rules
def compile_rules(self):
"""Compile the YARA rules from command-line parameters.
@returns: a YARA object on which you can call 'match'
This function causes the plugin to exit if the YARA
rules have syntax errors or are not supplied correctly.
"""
rules = None
try:
if self._config.YARA_RULES:
s = self._config.YARA_RULES
# Don't wrap hex or regex rules in quotes
if s[0] not in ("{", "/"): s = '"' + s + '"'
# Scan for unicode strings
if self._config.WIDE: s += "wide"
rules = yara.compile(sources = {
'n' : 'rule r1 {strings: $a = ' + s + ' condition: $a}'
})
elif self._config.YARA_FILE:
rules = yara.compile(self._config.YARA_FILE)
elif self._config.YARA_RULES_DIRECTORY:
filepaths = {}
for filename in glob.glob(self._config.YARA_RULES_DIRECTORY + '/*.rule'):
base=os.path.basename(filename)
namespace = os.path.splitext(base)[0]
filepaths[namespace] = filename
rules = yara.compile(filepaths = filepaths)
else:
debug.error("You must specify a string (-Y) or a rules file (-y)")
except yara.SyntaxError, why:
debug.error("Cannot compile rules: {0}".format(str(why)))示例5: _compile_rules
def _compile_rules(self):
"""Compile the YARA rules from command-line parameters.
@returns: a YARA object on which you can call 'match'
This function causes the plugin to exit if the YARA
rules have syntax errors or are not supplied correctly.
"""
rules = None
try:
if self._config.YARA_RULES:
s = self._config.YARA_RULES
# Don't wrap hex or regex rules in quotes
if s[0] not in ("{", "/"): s = '"' + s + '"'
# Option for case insensitive searches
if self._config.CASE: s += " nocase"
# Scan for unicode and ascii strings
if self._config.WIDE: s += " wide ascii"
rules = yara.compile(sources = {
'n' : 'rule r1 {strings: $a = ' + s + ' condition: $a}'
})
elif self._config.YARA_FILE and os.path.isfile(self._config.YARA_FILE):
rules = yara.compile(self._config.YARA_FILE)
else:
debug.error("You must specify a string (-Y) or a rules file (-y)")
except yara.SyntaxError, why:
debug.error("Cannot compile rules: {0}".format(str(why)))示例6: run
def run(self):
if os.path.isfile(self.custom_rule):
rules = yara.compile(self.custom_rule)
elif isinstance(self.custom_rule, str):
rules = yara.compile(source=self.custom_rule)
matches = []
count = 0
for root, dirs, files in os.walk(self.target):
for entry in files:
count += 1
pbar = progressbar.ProgressBar(widgets=[progressbar.Bar('+'), ' ', progressbar.Percentage(), ' | ',
progressbar.ETA(), ' | ', progressbar.SimpleProgress()],
maxval=count).start()
p = 0
for root, dirs, files in os.walk(self.target+'\\'):
for entry in files:
p += 1
pbar.update(p)
e = os.path.join(root, entry)
try:
m = rules.match(e)
if len(m) > 1:
pass
if m:
matches.append({'match': m, 'file': e})
except Exception, err:
pass示例7: testExternals
def testExternals(self):
r = yara.compile(source='rule test { condition: ext_int == 15 }', externals={'ext_int': 15})
self.assertTrue(r.match(data='dummy'))
r = yara.compile(source='rule test { condition: ext_bool }', externals={'ext_bool': True})
self.assertTrue(r.match(data='dummy'))
r = yara.compile(source='rule test { condition: ext_bool }', externals={'ext_bool': False})
self.assertFalse(r.match(data='dummy'))
r = yara.compile(source='rule test { condition: ext_str contains "ssi" }', externals={'ext_str': 'mississippi'})
self.assertTrue(r.match(data='dummy'))
r = yara.compile(source='rule test { condition: ext_str matches /foo/ }', externals={'ext_str': ''})
self.assertFalse(r.match(data='dummy'))
r = yara.compile(source='rule test { condition: ext_str matches /ssi(s|p)/ }', externals={'ext_str': 'mississippi'})
self.assertTrue(r.match(data='dummy'))
r = yara.compile(source='rule test { condition: ext_str matches /ppi$/ }', externals={'ext_str': 'mississippi'})
self.assertTrue(r.match(data='dummy'))
r = yara.compile(source='rule test { condition: ext_str matches /ssi$/ }', externals={'ext_str': 'mississippi'})
self.assertFalse(r.match(data='dummy'))
r = yara.compile(source='rule test { condition: ext_str matches /^miss/ }', externals={'ext_str': 'mississippi'})
self.assertTrue(r.match(data='dummy'))
r = yara.compile(source='rule test { condition: ext_str matches /ssi$/ }', externals={'ext_str': 'mississippi'})
self.assertFalse(r.match(data='dummy'))示例8: init_yara_rules
def init_yara_rules(self):
'''
This method tries to find and compile the yara rules specified by 'family' before the q&a test starts.
'''
if (self.method == 'STATIC' or self.method == 'ALL'):
if not os.path.isfile(self.YARA_STATIC_DIR+self.family+'.yara'):
yara_path = self.YARA_STATIC_DIR+self.family+'.yara'
self.die("Can't found static yaras for this family! {0}".format(str(yara_path)))
yara_path = self.YARA_STATIC_DIR+self.family+'.yara'
rule_static = yara.compile(filepath=yara_path)
if not rule_static:
self.die("Couldn't compile the .yara! {0}".format(str(yara_path)))
if (self.method == 'MEMORY' or self.method == 'ALL'):
if not os.path.isfile(self.YARA_MEMORY_DIR+self.family+'.yara'):
yara_path = self.YARA_MEMORY_DIR+self.family+'.yara'
self.die("Can't found memory yaras for this family! {0}".format(str(yara_path)))
yara_path = self.YARA_MEMORY_DIR+self.family+'.yara'
rule_memory = yara.compile(filepath=yara_path)
if not rule_memory:
self.die("Couldn't compile the .yara! {0}".format(str(yara_path)))
if (self.method == 'STATIC' or self.method == 'ALL'):
return rule_static
else:
return rule_memory示例9: calculate
def calculate(self):
"""Required: Use Filescan to find Chaperone config file"""
if not HAS_YARA:
debug.error('Yara must be installed for this plugin')
# Complile yara signatures
rules_json = yara.compile(sources=YARA_JSON)
rules_devices = yara.compile(sources=YARA_HMD)
rules_activity = yara.compile(sources=YARA_HMD_ACTIVITY)
# Load address space
addr_space = utils.load_as(self._config)
# Get list of processes
tasks = win32.tasks.pslist(addr_space)
# Read the Chaperone information from the provided file
if self._config.CHAP_FILE:
print("Loading Chaperone information from file")
file1 = open(self._config.CHAP_FILE, "r+")
json_from_file = json.load(file1)
self.build_obj(1, json_from_file)
for task in tasks:
if self._config.FULL_SCAN and str(task.ImageFileName) != "vrmonitor.exe":
continue
else:
print("Scanning {0} pid: {1}".format(task.ImageFileName, task.UniqueProcessId))
vad_offset = 0
for vad, process_space in task.get_vads():
vad_offset += vad.Length
if vad.Length > 8*1024*1024*1024:
continue
# read Vad content
data = process_space.zread(vad.Start, vad.Length)
if not self._config.CHAP_FILE:
# match yara rules for chaperone Json
matches = rules_json.match(data=data)
self.pull_chaperone(matches, process_space, vad)
# Check for tracked device signatures
matches = rules_devices.match(data=data)
for match in matches:
pointer = vad.Start + match.strings[0][0]
device_pointer = self.follow_pointers(DEVICE_OFFSETS, pointer, process_space, "HMD")
self.get_coords(device_pointer, process_space)
# Pull tracked device activity state data
matches = rules_activity.match(data=data)
for match in matches:
pointer = vad.Start + match.strings[0][0]
hmd_activity = self.follow_pointers(HMD_ACTIVITY_OFFSETS,pointer,process_space,"Activity")
print("HMD activity: {0}".format(activity_dict(hmd_activity & 0xFFFFFFFF)))
hmd_state = self.follow_pointers(HMD_STATE_OFFSETS, pointer, process_space, "State")
print("HMD state: {0}".format(state_dict(hmd_state & 0xFFFFFFFF)))示例10: get_yara
def get_yara(self, rulepath=YARA_RULEPATH):
"""Get Yara signatures matches.
@return: matched Yara signatures.
"""
results = []
if not HAVE_YARA:
if not File.notified_yara:
File.notified_yara = True
log.warning("Unable to import yara (please compile from sources)")
return results
if not os.path.exists(rulepath):
log.warning("The specified rule file at %s doesn't exist, skip",
rulepath)
return results
if not os.path.getsize(self.file_path):
return results
try:
try:
filepath = ""
filename = ""
if self.file_name:
filepath = self.file_name
filename = self.file_name
if self.guest_paths:
filepath = self.guest_paths[0]
rules = yara.compile(rulepath, externals={"filepath":filepath, "filename":filename})
except:
rules = yara.compile(rulepath)
matches = rules.match(self.file_path)
if getattr(yara, "__version__", None) == "1.7.7":
return self._yara_matches_177(matches)
results = []
for match in matches:
strings = set()
for s in match.strings:
strings.add(self._yara_encode_string(s[2]))
results.append({
"name": match.rule,
"meta": match.meta,
"strings": list(strings),
})
except Exception as e:
log.exception("Unable to match Yara signatures: %s", e)
return results示例11: _yara_check
def _yara_check(targ):
# Utilize yara rules packed into this script to check for nasty stuff. Compile each rule stored in tmp and check the rule_match results for a Match True hit.
# -------------------------------------- RULE 1
contains_pe_file_rule = yara.compile(filepath=str(os.path.expanduser("~")) + "/automal/contains_pe_file.yara")
match_pe = contains_pe_file_rule.match(targ)
yara_pe_res = ""
if len(match_pe) == 1:
match_data_pe = str(match_pe).split(",")
for item in match_data_pe:
if "True" in item.strip() and "matches" in item.strip():
yara_pe_res = "Present_PE_Hit"
if yara_pe_res != "Present_PE_Hit":
yara_pe_res = "PE_None"
else:
if yara_pe_res != "Present_PE_Hit":
yara_pe_res = "PE_None"
# -------------------------------------- RULE 2
maldoc_file_rule = yara.compile(filepath=str(os.path.expanduser("~")) + "/automal/maldoc.yara")
match_maldoc = maldoc_file_rule.match(targ)
yara_maldoc_res = ""
if len(match_maldoc) == 1:
match_data_maldoc = str(match_maldoc).split(",")
for item in match_data_maldoc:
if "True" in item.strip() and "matches" in item.strip():
yara_maldoc_res = "Present_Maldoc_Hit"
if yara_maldoc_res != "Present_Maldoc_Hit":
yara_maldoc_res = "Maldoc_None"
else:
if yara_maldoc_res != "Present_Maldoc_Hit":
yara_maldoc_res = "Maldoc_None"
# ------------------------------------- RULE 3
contains_obfus_str = yara.compile(filepath=str(os.path.expanduser("~")) + "/automal/obfus_strings.yara")
match_obf = contains_obfus_str.match(targ)
yara_obf_res = ""
if len(match_obf) == 1:
match_data_obfus = str(match_obf).split(",")
for item in match_data_obfus:
if "True" in item.strip() and "matches" in item.strip():
yara_obf_res = "Present_Obfus_Hit"
if yara_obf_res != "Present_Obfus_Hit":
yara_obf_res = "Obfus_None"
else:
if yara_obf_res != "Present_Obfus_Hit":
yara_obf_res = "Obfus_None"
return (yara_pe_res, yara_maldoc_res, yara_obf_res)示例12: calculate
def calculate(self):
all_tasks = pstasks.mac_tasks(self._config).allprocs()
bit_tasks = []
try:
if self._config.PID:
# find tasks given PIDs
pidlist = [int(p) for p in self._config.PID.split(',')]
bit_tasks = [t for t in all_tasks if t.p_pid in pidlist]
else:
# find multibit process
name_re = re.compile("JavaApplicationS", re.I)
bit_tasks = [t for t in all_tasks if name_re.search(str(t.p_comm))]
except:
pass
if len(bit_tasks) == 0:
yield (None, None)
# scan for bitcoin addresses with yara, 34 chars, https://en.bitcoin.it/wiki/Address
# Most Bitcoin addresses are 34 characters. They consist of random digits and uppercase
# and lowercase letters, with the exception that the uppercase letter "O", uppercase
# letter "I", lowercase letter "l", and the number "0" are never used to prevent visual ambiguity.
bit_addrs = []
addr_rule = yara.compile(sources = {'n' : 'rule r1 {strings: $a = /[1-9a-zA-z]{34}(?!OIl)/ condition: $a}'})
for task in bit_tasks:
scanner = mac_yarascan.MapYaraScanner(task = task, rules = addr_rule)
for hit, address in scanner.scan():
content = scanner.address_space.zread(address, 34)
if pyenc.is_valid_bitcoin_address(content) and content not in bit_addrs:
bit_addrs.append(content)
# scan for bitcoin keys with yara, 52 char compressed base58, starts with L or K, https://en.bitcoin.it/wiki/Private_key
addr_key = {}
key_rule = yara.compile(sources = {'n' : 'rule r1 {strings: $a = /(L|K)[0-9A-Za-z]{51}/ condition: $a}'})
for task in bit_tasks:
scanner = mac_yarascan.MapYaraScanner(task = task, rules = key_rule)
for hit, address in scanner.scan():
content = scanner.address_space.zread(address, 52)
if pyenc.is_valid_wif(content):
secret_exp = pyenc.wif_to_secret_exponent(content)
key = pykey.Key(secret_exponent = secret_exp,is_compressed=True)
if key.address() not in addr_key.keys():
addr_key[key.address()] = content
yield(content, key.address())
# addresses with no known keys
for bit_addr in bit_addrs:
if bit_addr not in addr_key.keys():
yield ("UNKNOWN", bit_addr)示例13: build_ruleset
def build_ruleset():
if ruletype == "FILE":
try:
rules = yara.compile(str(RULES))
print "..... Ruleset Compilation Successful."
return rules
except:
print "[!] - Could not compile YARA rule: %s" % RULES
print "Exiting."
sys.exit()
elif ruletype == "FOLDER":
RULEDATA=""
# Get list of files ending in .yara
RULE_COUNT = len(glob.glob1(RULES,"*.yar"))
if RULE_COUNT != 0:
for yara_file in glob.glob(os.path.join(RULES, "*.yar")):
try:
yara.compile(str(yara_file))
print "..... Syntax appears to be OK: %s " % yara_file
try:
with open(yara_file, "r") as sig_file:
file_contents=sig_file.read()
RULEDATA=RULEDATA + "\n" + file_contents
except:
print "..... SKIPPING: Could not open file for reading: %s " % yara_file
except:
print "..... SKIPPING: Could not compile rule: %s " % yara_file
try:
rules = yara.compile(source=RULEDATA)
print "..... SUCCESS! Compiled noted yara rulesets.\n"
return rules
except:
print "[!] - Some catastropic error occurred in the " \
"compilation of signatureswithin the directory. Exiting."
sys.exit()
else:
print "No files ending in .yar within: %s " % RULES
print "Exiting."
sys.exit()
elif ruletype == "DEFAULT":
rules = yara.compile(str(RULES))
print "[+] - Ruleset Compilation Successful."
return rules
else:
print "[!] - ERROR: Possible catastrophic error on build_ruleset. Exiting."
sys.exit()示例14: test_compile_sources
def test_compile_sources(self):
"""compile sources"""
filepath = os.path.join(RULES_ROOT, "meta.yar")
with open(filepath, "rb") as f:
source = f.read()
rule = yara.compile(sources=dict(test_ns=source))
self.assert_scan(rule)示例15: __init__
def __init__(self, *args, **kwargs):
"""Scan using yara signatures."""
super(YaraScanMixin, self).__init__(*args, **kwargs)
# Compile the yara rules in advance.
if self.plugin_args.yara_expression:
self.rules_source = self.plugin_args.yara_expression
self.rules = yara.compile(source=self.rules_source)
elif self.plugin_args.binary_string:
self.compile_rule(
'rule r1 {strings: $a = {%s} condition: $a}' %
self.plugin_args.binary_string)
elif self.plugin_args.string:
self.compile_rule(
'rule r1 {strings: $a = "%s" condition: $a}' %
self.plugin_args.string)
elif self.plugin_args.yara_file:
self.compile_rule(open(self.plugin_args.yara_file).read())
elif not self.ignore_required:
raise plugin.PluginError("You must specify a yara rule file or "
"string to match.")