Documentation ¶
Overview ¶
Package yara provides bindings to the YARA library.
Index ¶
- Constants
- type Compiler
- func (c *Compiler) AddFile(file *os.File, namespace string) (err error)
- func (c *Compiler) AddString(rules string, namespace string) (err error)
- func (c *Compiler) DefineVariable(name string, value interface{}) (err error)
- func (c *Compiler) Destroy()
- func (c *Compiler) DisableIncludes()
- func (c *Compiler) GetRules() (*Rules, error)
- func (c *Compiler) SetIncludeCallback(cb CompilerIncludeFunc)
- type CompilerIncludeFunc
- type CompilerMessage
- type Match
- type MatchRule
- type MatchString
- type Rule
- type Rules
- func (r *Rules) DefineVariable(name string, value interface{}) (err error)
- func (r *Rules) Destroy()
- func (r *Rules) GetRules() (rv []Rule)
- func (r *Rules) Save(filename string) (err error)
- func (r *Rules) ScanFile(filename string, flags ScanFlags, timeout time.Duration) (matches []MatchRule, err error)
- func (r *Rules) ScanFileDescriptor(fd uintptr, flags ScanFlags, timeout time.Duration) (matches []MatchRule, err error)
- func (r *Rules) ScanMem(buf []byte, flags ScanFlags, timeout time.Duration) (matches []MatchRule, err error)
- func (r *Rules) ScanProc(pid int, flags ScanFlags, timeout time.Duration) (matches []MatchRule, err error)
- func (r *Rules) Write(wr io.Writer) (err error)
- type ScanFlags
- type String
Constants ¶
const (
	// ScanFlagsFastMode avoids multiple matches of the same string
	// when not necessary.
	ScanFlagsFastMode = C.SCAN_FLAGS_FAST_MODE
	// ScanFlagsProcessMemory causes the scanned data to be
	// interpreted like live, in-process memory rather than an on-disk
	// file.
	ScanFlagsProcessMemory = C.SCAN_FLAGS_PROCESS_MEMORY
)
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Compiler ¶
type Compiler struct {
	Errors   []CompilerMessage
	Warnings []CompilerMessage
	// contains filtered or unexported fields
}
A Compiler encapsulates the YARA compiler that transforms rules into YARA's internal, binary form which in turn is used for scanning files or memory blocks.
func (*Compiler) AddFile ¶
AddFile compiles rules from a file. Rules are added to the specified namespace.
func (*Compiler) AddString ¶
AddString compiles rules from a string. Rules are added to the specified namespace.
func (*Compiler) DefineVariable ¶
DefineVariable defines a named variable for use by the compiler. Boolean, int64, float64, and string types are supported.
func (*Compiler) Destroy ¶
func (c *Compiler) Destroy()
Destroy destroys the YARA data structure representing a compiler. Since a Finalizer for the underlying YR_COMPILER structure is automatically set up on creation, it should not be necessary to explicitly call this method.
func (*Compiler) DisableIncludes ¶ added in v1.0.5
func (c *Compiler) DisableIncludes()
DisableIncludes disables all include statements in the compiler. See yr_compiler_set_include_callback in the YARA C API documentation.
func (*Compiler) SetIncludeCallback ¶ added in v1.0.5
func (c *Compiler) SetIncludeCallback(cb CompilerIncludeFunc)
SetIncludeCallback sets up cb as an include callback that is called (through Go glue code) by the YARA compiler for every include statement.
type CompilerIncludeFunc ¶ added in v1.0.5
CompilerIncludeFunc is the type of the function that can be registered through SetIncludeCallback. It is called for every include statement encountered by the compiler. The argument "name" specifies the rule file to be included, "filename" specifies the name of the rule file where the include statement has been encountered, and "namespace" specifies the rule namespace. The sole return value is a byte slice containing the contents of the included file. A return value of nil signals an error to the YARA compiler.
See also: yr_compiler_set_include_callback in the YARA C API documentation.
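As an added example (not part of go-yara itself) of the include callback described above, the function below restricts every include statement to a trusted rules directory: "name" is resolved under that directory, absolute names and ".." traversal are rejected, and nil is returned so the YARA compiler reports the include as failed. The directory /etc/yara/rules and the sample include names are constructed for illustration; the returned function has the signature of CompilerIncludeFunc and is meant to be passed to Compiler.SetIncludeCallback.

```go
package main

import (
	"fmt"
	"log"
	"os"
	"path/filepath"
	"strings"
)

// resolveInclude maps the "name" argument of an include statement to a path
// under baseDir, rejecting absolute names and ".." traversal out of baseDir.
// It touches no files, so the policy can be tested on its own.
func resolveInclude(baseDir, name string) (string, bool) {
	base, err := filepath.Abs(baseDir)
	if err != nil || filepath.IsAbs(name) {
		return "", false
	}
	target := filepath.Join(base, name) // Join also cleans the result
	rel, err := filepath.Rel(base, target)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", false
	}
	return target, true
}

// safeInclude returns a function with the CompilerIncludeFunc signature
// (name, filename, namespace string) []byte for use with SetIncludeCallback.
// Returning nil signals an error to the YARA compiler.
func safeInclude(baseDir string) func(name, filename, namespace string) []byte {
	return func(name, filename, namespace string) []byte {
		path, ok := resolveInclude(baseDir, name)
		if !ok {
			log.Printf("include %q from %s (namespace %s) rejected: outside %s", name, filename, namespace, baseDir)
			return nil
		}
		data, err := os.ReadFile(path) // caveat: symlinks under baseDir are still followed
		if err != nil {
			log.Printf("include %q from %s: %v", name, filename, err)
			return nil
		}
		return data
	}
}

func main() {
	// Hypothetical trusted directory and constructed include names.
	for _, name := range []string{"lib/common.yar", "../../../etc/passwd", "/etc/passwd"} {
		path, ok := resolveInclude("/etc/yara/rules", name)
		fmt.Printf("%-22s allowed=%-5v path=%s\n", name, ok, path)
	}
	// With a *Compiler c: c.SetIncludeCallback(safeInclude("/etc/yara/rules"))
}
```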
type CompilerMessage ¶
A CompilerMessage contains an error or warning message produced while compiling sets of rules using AddString or AddFile.
type Match ¶ added in v1.0.6
type Match struct {
// contains filtered or unexported fields
}
Match represents a string match.
type MatchRule ¶
type MatchRule struct {
	Rule      string
	Namespace string
	Tags      []string
	Meta      map[string]interface{}
	Strings   []MatchString
}
A MatchRule represents a rule successfully matched against a block of data.
type MatchString ¶
A MatchString represents a string declared and matched in a rule.
type Rule ¶ added in v1.0.5
type Rule struct {
// contains filtered or unexported fields
}
Rule represents a single rule as part of a ruleset.
func (*Rule) Identifier ¶ added in v1.0.5
Identifier returns the rule's name.
func (*Rule) Metas ¶ added in v1.0.5
Metas returns a map containing the rule's meta variables. Values can be of type string, int, bool, or nil.
type Rules ¶
type Rules struct {
// contains filtered or unexported fields
}
Rules contains a compiled YARA ruleset.
func Compile ¶
Compile compiles rules and an (optional) set of variables into a Rules object in a single step.
func MustCompile ¶
MustCompile is like Compile but panics if the rules and optional variables can't be compiled. Like regexp.MustCompile, it allows for simple, safe initialization of global or test data.
func (*Rules) DefineVariable ¶
DefineVariable defines a named variable for use by the compiler. Boolean, int64, float64, and string types are supported.
func (*Rules) Destroy ¶
func (r *Rules) Destroy()
Destroy destroys the YARA data structure representing a ruleset. Since a Finalizer for the underlying YR_RULES structure is automatically set up on creation, it should not be necessary to explicitly call this method.
func (*Rules) GetRules ¶ added in v1.0.5
GetRules returns a slice of rule objects that are part of the ruleset.
func (*Rules) ScanFile ¶
func (r *Rules) ScanFile(filename string, flags ScanFlags, timeout time.Duration) (matches []MatchRule, err error)
ScanFile scans a file using the ruleset.
func (*Rules) ScanFileDescriptor ¶
func (r *Rules) ScanFileDescriptor(fd uintptr, flags ScanFlags, timeout time.Duration) (matches []MatchRule, err error)
ScanFileDescriptor scans the file referenced by the open file descriptor fd using the ruleset.
func (*Rules) ScanMem ¶
func (r *Rules) ScanMem(buf []byte, flags ScanFlags, timeout time.Duration) (matches []MatchRule, err error)
ScanMem scans an in-memory buffer using the ruleset.
type String ¶ added in v1.0.6
type String struct {
// contains filtered or unexported fields
}
String represents a string as part of a rule.
func (*String) Identifier ¶ added in v1.0.6
Identifier returns the string's name.