variables

package
v1.0.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: May 23, 2022 License: Apache-2.0 Imports: 15 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var (

	// Valuers holds the Valuer implementations of all variables.
	Valuers = [typeEnd]Valuer{
		VarOs:                 ValueFunc(varOsFunc),
		VarOsLinux:            ValueFunc(varOsLinuxFunc),
		VarOsWindows:          ValueFunc(varOsWindowsFunc),
		VarTimeNow:            ValueFunc(varTimeNowFunc),
		VarFilePath:           ValueFunc(varFilePathFunc),
		VarFileName:           ValueFunc(varFileNameFunc),
		VarFileExtension:      ValueFunc(varFileExtensionFunc),
		VarFileReadonly:       ValueFunc(varFileReadonlyFunc),
		VarFileHidden:         ValueFunc(varFileHiddenFunc),
		VarFileSystem:         ValueFunc(varFileSystemFunc),
		VarFileCompressed:     ValueFunc(varFileCompressedFunc),
		VarFileEncrypted:      ValueFunc(varFileEncryptedFunc),
		VarFileModifiedTime:   ValueFunc(varFileModifiedTimeFunc),
		VarFileAccessedTime:   ValueFunc(varFileAccessedTimeFunc),
		VarFileChangedTime:    ValueFunc(varFileChangedTimeFunc),
		VarFileBirthTime:      ValueFunc(varFileBirthTimeFunc),
		VarProcessId:          ValueFunc(varProcessIdFunc),
		VarProcessParentId:    ValueFunc(varProcessParentIdFunc),
		VarProcessUserName:    ValueFunc(varProcessUserNameFunc),
		VarProcessUserSid:     ValueFunc(varProcessUserSidFunc),
		VarProcessSessionId:   ValueFunc(varProcessSessionIdFunc),
		VarProcessName:        ValueFunc(varProcessNameFunc),
		VarProcessPath:        ValueFunc(varFilePathFunc),
		VarProcessCommandLine: ValueFunc(varProcessCommandLineFunc),
	}
)

Functions

This section is empty.

Types

type MetaType 

type MetaType byte

MetaType represents a metadata of a VariableType. 

const (
	MetaBool MetaType = 1 << iota
	MetaInt
	MetaFloat
	MetaString
	MetaFile
	MetaProcess
	MetaFileProcess = MetaFile | MetaProcess
)

Meta types.

type Parser 

type Parser struct {
	// contains filtered or unexported fields
}

Parser reprents a parser which parses the given yara rule(s) to identify all external variables, includes and imports used in the rule(s).

func (*Parser) Imports 

func (p *Parser) Imports() []string

Imports returns the list of imported modules parsed.

func (*Parser) Includes 

func (p *Parser) Includes() []string

Includes returns the list of included paths parsed.

func (*Parser) ParseFromFile 

func (p *Parser) ParseFromFile(file string) error

ParseFromFile parses the given file which must be a valid yara rule file to identify external variables, includes and imports. Note that, subsequent calls do not reset underlying list of variables, includes and imports identified. Use this behaviour to parse multiple inputs to aggregate.

func (*Parser) ParseFromReader 

func (p *Parser) ParseFromReader(rd io.Reader) error

ParseFromReader parses the given io.Reader which must provide a valid yara rule to identify external variables, includes and imports. Note that, subsequent calls do not reset underlying list of variables, includes and imports identified. Use this behaviour to parse multiple inputs to aggregate.

func (*Parser) Variables 

func (p *Parser) Variables() []VariableType

Variables returns the list of variables parsed.

type ProcessInfo 

type ProcessInfo interface {
	Ppid() (int32, error)
	Username() (string, error)
	NameWithContext(context.Context) (string, error)
	CmdlineWithContext(context.Context) (string, error)
}

type ScanContext 

type ScanContext interface {
	Context() context.Context
	FilePath() string
	FileInfo() fs.FileInfo
	Pid() int
	ProcessInfo() ProcessInfo
	HandleValueError(VariableDefiner, VariableType, error) error
}

ScanContext is an interface that wraps the methods required to calculate variable values for yara scanner.

type ScanContextImpl 

type ScanContextImpl struct {
	// contains filtered or unexported fields
}

ScanContextImpl implements the ScanContext interface. It is a simple implementation to set the required values to be used as ScanContext interface.

func (*ScanContextImpl) Context 

func (sc *ScanContextImpl) Context() context.Context

Context is to implement the ScanContext interface. It returns context.Background() if underlying context is missing.

func (*ScanContextImpl) FileInfo 

func (sc *ScanContextImpl) FileInfo() fs.FileInfo

FileInfo is to implement the ScanContext interface.

func (*ScanContextImpl) FilePath 

func (sc *ScanContextImpl) FilePath() string

FilePath is to implement the ScanContext interface.

func (*ScanContextImpl) HandleValueError 

func (sc *ScanContextImpl) HandleValueError(d VariableDefiner, v VariableType, err error) error

HandleValueError is to implement the ScanContext interface. It calls underlying value error handler if exists, otherwise it returns the provided error to the caller.

func (*ScanContextImpl) Pid 

func (sc *ScanContextImpl) Pid() int

Pid is to implement the ScanContext interface.

func (*ScanContextImpl) ProcessInfo 

func (sc *ScanContextImpl) ProcessInfo() ProcessInfo

ProcessInfo is to implement the ScanContext interface.

func (*ScanContextImpl) Reset 

func (sc *ScanContextImpl) Reset()

Reset resets all the fields to be able to reuse the same ScanContextImpl instance.

func (*ScanContextImpl) SetContext 

func (sc *ScanContextImpl) SetContext(ctx context.Context)

SetContext sets the underlying context to be returned from Context method.

func (*ScanContextImpl) SetFileInfo 

func (sc *ScanContextImpl) SetFileInfo(f fs.FileInfo)

SetFileInfo sets the underlying file info to be returned from FileInfo method.

func (*ScanContextImpl) SetFilePath 

func (sc *ScanContextImpl) SetFilePath(p string)

SetFilePath sets the underlying file path to be returned from FilePath method.

func (*ScanContextImpl) SetHandleValueError 

func (sc *ScanContextImpl) SetHandleValueError(fn func(VariableDefiner, VariableType, error) error)

SetHandleValueError sets the underlying value error handler.

func (*ScanContextImpl) SetPid 

func (sc *ScanContextImpl) SetPid(v int)

SetPid sets the underlying process id to be returned from Pid method.

func (*ScanContextImpl) SetProcessInfo 

func (sc *ScanContextImpl) SetProcessInfo(p ProcessInfo)

SetProcess sets the underlying process to be returned from Process method.

type ValueFunc 

type ValueFunc func(ScanContext) (interface{}, error)

ValueFunc is an helper type to implement Valuer interface using a function.

func (ValueFunc) Value 

func (fn ValueFunc) Value(sCtx ScanContext) (interface{}, error)

Value implements Valuer interface.

type Valuer 

type Valuer interface {
	Value(ScanContext) (interface{}, error)
}

Valuer is an interface that wraps Value method. Value method returns the calculated value of a variable or an error. Variables' Valuer implementation must be registered to Valuers global to be seen by the Variables.DefineScannerVariables method.

type VariableDefiner 

type VariableDefiner interface {
	DefineVariable(string, interface{}) error
}

VariableDefiner is an interface that wraps the DefineVariable method which is implemented by yara compiler and scanner. It is defined as an interface to remove cgo dependency for this package.

type VariableType 

type VariableType byte

VariableType represents an external variable for yara. VariableType's underlying type is an integer to be able to use slices/arrays for faster access. 

const (

	//                       | Name                 | OS  | Type    | Default | Description                                                   |
	//                       |----------------------|-----|---------|---------|---------------------------------------------------------------|
	VarOs                 VariableType // | os                   | LWD | String  | ""      | Operating system name, linux, windows or darwin |
	VarOsLinux                         // | os_linux             | LWD | Boolean | false   | If operating system is linux, its value is true |
	VarOsWindows                       // | os_windows           | LWD | Boolean | false   | If operating system is Windows, its value is true |
	VarTimeNow                         // | time_now             | LWD | Integer | 0       | Current time in YYYYMMDDHHMMSS format |
	VarFilePath                        // | file_path            | LWD | String  | ""      | Path of the file |
	VarFileName                        // | file_name            | LWD | String  | ""      | Name of the file including extension. Example: document.docx |
	VarFileExtension                   // | file_extension       | LWD | String  | ""      | Extension of the file without leading dot. Example: docx |
	VarFileReadonly                    // | file_readonly        | LWD | Boolean | false   | If it is a readonly file, its value is true |
	VarFileHidden                      // | file_hidden          | LWD | Boolean | false   | If it is a hidden file, its value is true |
	VarFileSystem                      // | file_system          |  W  | Boolean | false   | If it is a system file, its value is true |
	VarFileCompressed                  // | file_compressed      |  W  | Boolean | false   | If it is a compressed file, its value is true |
	VarFileEncrypted                   // | file_encrypted       |  W  | Boolean | false   | If it is an encrypted file, its value is true |
	VarFileModifiedTime                // | file_modified_time   | LWD | Integer | 0       | File's modification time in YYYYMMDDHHMMSS format |
	VarFileAccessedTime                // | file_accessed_time   | LWD | Integer | 0       | File's access time in YYYYMMDDHHMMSS format |
	VarFileChangedTime                 // | file_changed_time    | L D | Integer | 0       | File's change time in YYYYMMDDHHMMSS format |
	VarFileBirthTime                   // | file_birth_time      |  WD | Integer | 0       | File's birth time in YYYYMMDDHHMMSS format |
	VarProcessId                       // | process_id           | LWD | Integer | 0	      | Process's id |
	VarProcessParentId                 // | process_parent_id    | LWD | Integer | 0       | Parent process id |
	VarProcessUserName                 // | process_user_name    | LWD | String  | ""      | Process's user name. Windows format: <computer name or domain name>\<user name> |
	VarProcessUserSid                  // | process_user_sid     | LWD | String  | ""      | Process's user SID. This returns UID of the user as string on Unixes. |
	VarProcessSessionId                // | process_session_id   | LWD | Integer | 0       | Process's session id |
	VarProcessName                     // | process_name         | LWD | String  | ""      | Process's name |
	VarProcessPath                     // | process_path         | LWD | String  | ""      | Process's path |
	VarProcessCommandLine              // | process_command_line | LWD | String  | ""      | Process's command line |

)

func List 

func List() []VariableType

List returns the list of all available variables. It creates a new slice at every call.

func (VariableType) Meta 

func (v VariableType) Meta() MetaType

Meta returns the meta data of the variable.

func (VariableType) String 

func (v VariableType) String() string

String implements the fmt.Stringer interface and returns the string representation of a VariableType.

type Variables 

type Variables struct {
	// contains filtered or unexported fields
}

Variables holds the list of applicable variables to define external variables for yara compiler and scanner, and it provides methods to set values for the yara compiler and scanner.

func (*Variables) Copy 

func (vr *Variables) Copy() *Variables

Copy creates a new instance of Variables by deeply copying. This should be used to create new Variables instances for each scanner thread.

func (*Variables) DefineCompilerVariables 

func (vr *Variables) DefineCompilerVariables(compiler VariableDefiner) (err error)

DefineCompilerVariables defines the already set variables to the given compiler using their default zero values.

func (*Variables) DefineScannerVariables 

func (vr *Variables) DefineScannerVariables(sCtx ScanContext, scanner VariableDefiner) error

DefineScannerVariables defines the already set variables to the given scanner using their calculated values using their Valuer implementations. Returning error from Valuer's Value method should be handled by the given ScanContext.HandleValueError.

func (*Variables) InitFileVariables 

func (vr *Variables) InitFileVariables(vars []VariableType)

InitFileVariables sets Variables instance's applicable variables. It filters the given variables if they are not applicable for file scan. See metadata of the variable.

func (*Variables) InitProcessVariables 

func (vr *Variables) InitProcessVariables(vars []VariableType)

InitProcessVariables sets Variables instance's applicable variables. It filters the given variables if they are not applicable for process scan. See metadata of the variable.

func (*Variables) Variables 

func (vr *Variables) Variables() []VariableType

Variables returns a copy of variables list.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.