README
¶
go-yara
Go bindings for YARA, staying as
close as sensible to the library's C-API while taking inspiration from
the yara-python implementation.
YARA 3.4.0 or higher is required for full functionality. If you need
to build with YARA 3.3.0, please build with the yara3.3 build tag.
(The compat-yara-3.3 branch has been removed.)
Installation
Unix
On a Unix system with libyara properly installed, this should work,
provided that GOPATH is set:
$ go get github.com/hillu/go-yara
$ go install github.com/hillu/go-yara
Depending on what location libyara and its headers have been
installed, proper CFLAGS and LDFLAGS may have to be added to
cgo.go or be specified via environment variables (CGO_CFLAGS and
CGO_LDFLAGS).
Linker errors buried in the CGO output such as
undefined reference to `yr_compiler_add_file'
probably mean that the linker is looking at an old YARA version.
Windows
I have not yet built go-yara on Windows, only used the MinGW-w64 provided on Debian. The YARA library was built like this:
$ ./configure --host=i686-w64-mingw32 --disable-magic --disable-cuckoo --without-crypto
[...]
$ make
$ make install prefix=/path/to/i686-w64-mingw32
Compiling and linking go-yara against this library was achieved like
this:
$ CC=i686-w64-mingw32-gcc \
CGO_ENABLED=1 \
GOOS=windows GOARCH=386 \
CGO_CFLAGS=-I/path/to/i686-w64-mingw32/include \
CGO_LDFLAGS=-L/path/to/i686-w64-mingw32/lib \
go install --ldflags '-extldflags "-static"' github.com/hillu/go-yara
License
BSD 2-clause, see LICENSE file in the source distribution.
Author
Hilko Bengen bengen@hilluzination.de
Documentation
¶
Overview ¶
Package yara provides bindings to the YARA library.
Index ¶
- Constants
- type Compiler
- type CompilerMessage
- type MatchRule
- type MatchString
- type Rules
- func (r *Rules) DefineVariable(name string, value interface{}) (err error)
- func (r *Rules) Destroy()
- func (r *Rules) Save(filename string) (err error)
- func (r *Rules) ScanFile(filename string, flags ScanFlags, timeout time.Duration) (matches []MatchRule, err error)
- func (r *Rules) ScanFileDescriptor(fd uintptr, flags ScanFlags, timeout time.Duration) (matches []MatchRule, err error)
- func (r *Rules) ScanMem(buf []byte, flags ScanFlags, timeout time.Duration) (matches []MatchRule, err error)
- func (r *Rules) ScanProc(pid int, flags int, timeout time.Duration) (matches []MatchRule, err error)
- func (r *Rules) Write(wr io.Writer) (err error)
- type ScanFlags
Constants ¶
const ( // ScanFlagsFastMode avoids multiple matches of the same string // when not necessary. ScanFlagsFastMode = C.SCAN_FLAGS_FAST_MODE // ScanFlagsProcessMemory causes the scanned data to be // interpreted like live, in-prcess memory rather than an on-disk // file. ScanFlagsProcessMemory = C.SCAN_FLAGS_PROCESS_MEMORY )
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Compiler ¶
type Compiler struct {
Errors []CompilerMessage
Warnings []CompilerMessage
// contains filtered or unexported fields
}
A Compiler encapsulates the YARA compiler that transforms rules into YARA's internal, binary form which in turn is used for scanning files or memory blocks.
func (*Compiler) AddFile ¶
AddFile compiles rules from a file. Rules are added to the specified namespace.
func (*Compiler) AddString ¶
AddString compiles rules from a string. Rules are added to the specified namespace.
func (*Compiler) DefineVariable ¶
DefineVariable defines a named variable for use by the compiler. Boolean, int64, float64, and string types are supported.
type CompilerMessage ¶
A CompilerMessage contains an error or warning message produced while compiling sets of rules using AddString or AddFile.
type MatchRule ¶
type MatchRule struct {
Rule string
Namespace string
Tags []string
Meta map[string]interface{}
Strings []MatchString
}
A MatchRule represents a rule successfully matched against a block of data.
type MatchString ¶
A MatchString represents a string declared and matched in a rule.
type Rules ¶
type Rules struct {
// contains filtered or unexported fields
}
Rules contains a compiled YARA ruleset.
func Compile ¶
Compile compiles rules and an (optional) set of variables into a Rules object in a single step.
func MustCompile ¶
MustCompile is like Compile but panics if the rules and optional variables can't be compiled. Like regexp.MustCompile, it allows for simple, safe initialization of global or test data.
func (*Rules) DefineVariable ¶
DefineVariable defines a named variable for use by the compiler. Boolean, int64, float64, and string types are supported.
func (*Rules) Destroy ¶
func (r *Rules) Destroy()
Destroy destroys the YARA data structure representing a ruleset. Since a Finalizer for the underlying YR_RULES structure is automatically set up on creation, it should not be necessary to explicitly call this method.
func (*Rules) ScanFile ¶
func (r *Rules) ScanFile(filename string, flags ScanFlags, timeout time.Duration) (matches []MatchRule, err error)
ScanFile scans a file using the ruleset.
func (*Rules) ScanFileDescriptor ¶
func (r *Rules) ScanFileDescriptor(fd uintptr, flags ScanFlags, timeout time.Duration) (matches []MatchRule, err error)
ScanFileDescriptor scans a file using the ruleset.
func (*Rules) ScanMem ¶
func (r *Rules) ScanMem(buf []byte, flags ScanFlags, timeout time.Duration) (matches []MatchRule, err error)
ScanMem scans an in-memory buffer using the ruleset.
Source Files