Documentation
Overview
Package yapscan provides high-level features on top of the popular virus-scanner yara.
Index
- Constants
- Variables
- func AddressesFromMatches(matches []yara.MatchString, offset uint64) []uint64
- func FormatSlice(format string, slice interface{}, args ...interface{}) []string
- func IsYaraRulesFile(name string) bool
- func Join(parts []string, defaultGlue, finalGlue string) string
- func LoadYaraRules(path string, recurseIfDir bool) (*yara.Rules, error)
- type FilterMatch
- type MemoryScanProgress
- type MemoryScanner
- type MemorySegmentFilter
- func NewAndFilter(filters ...MemorySegmentFilter) MemorySegmentFilter
- func NewFilterFromFunc(filter MemorySegmentFilterFunc, parameter interface{}, reasonTemplate string, ...) MemorySegmentFilter
- func NewMaxSizeFilter(size uintptr) MemorySegmentFilter
- func NewMinSizeFilter(size uintptr) MemorySegmentFilter
- func NewPermissionsFilter(perm procio.Permissions) MemorySegmentFilter
- func NewPermissionsFilterExact(perms []procio.Permissions) MemorySegmentFilter
- func NewRSSRatioFilter(ratio float64) MemorySegmentFilter
- func NewStateFilter(states []procio.State) MemorySegmentFilter
- func NewTypeFilter(types []procio.SegmentType) MemorySegmentFilter
- type MemorySegmentFilterFunc
- type ProcessScanner
- type ProfilingInformation
- type Rules
- type ScanningStatistics
- func (s *ScanningStatistics) Finalize()
- func (s *ScanningStatistics) IncrementFilesScanned(numOfBytes uint64)
- func (s *ScanningStatistics) IncrementMemorySegmentsScanned(numOfBytes uint64)
- func (s *ScanningStatistics) IncrementNumberOfProcessesScanned()
- func (s *ScanningStatistics) StartProfiler(ctx context.Context, scanInterval time.Duration)
- type YaraScanner
Examples
Constants
const RulesZIPPassword = "infected"
RulesZIPPassword is the password yapscan uses to de-/encrypt the rules zip file.
Variables
var DefaultYaraRulesNamespace = ""
DefaultYaraRulesNamespace is the default namespace when compiling rules.
var ErrSkipped = errors.New("skipped")
ErrSkipped is returned when a memory segment is skipped because the applied filter rejected it.
var YaraRulesFileExtensions = []string{
".yar",
".yara",
}
YaraRulesFileExtensions are the file extensions yapscan expects rules files to have. This is used when loading files from a directory.
Functions
func AddressesFromMatches
AddressesFromMatches returns one value for each given yara.MatchString. The returned values are equal to the given offset plus the Offset field of each yara.MatchString.
func FormatSlice
FormatSlice calls fmt.Sprintf(format, element, args...) for each element in the given slice. The returned string slice contains the formatted output.
func IsYaraRulesFile
IsYaraRulesFile returns true if the given filename has one of the extensions in YaraRulesFileExtensions.
func Join
Join joins all elements of a string slice, using defaultGlue between all but the last two elements and finalGlue between the last two.
Example
parts := []string{"life", "the universe", "everything"}
fmt.Println(Join(parts, ", ", " and "))
Output: life, the universe and everything
func LoadYaraRules
LoadYaraRules loads yara.Rules from a file (or files) and compiles them if necessary. The given path can be a directory, a compiled rules file, a plain-text file containing rules, or an encrypted zip file containing rules.
If the path is a directory, all files with one of the file extensions in YaraRulesFileExtensions are loaded (recursively if recurseIfDir is true). All files are assumed to be uncompiled and will be compiled. Loading multiple already compiled files into one yara.Rules object is not supported. Each file is compiled with the namespace equal to its filename relative to the given path.
If the path is a single file, it may be compiled, uncompiled or a zip file. An uncompiled file is compiled with the namespace `DefaultYaraRulesNamespace+"/"+filename`. A zip file is opened and decrypted with the RulesZIPPassword. The contents of the zip file are treated similarly to a directory (see above), except that *all* files are assumed to be rules files, recursion is always enabled, and the zip may contain either a single compiled file or arbitrarily many uncompiled files.
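The directory case above, as an added example that is not yapscan's own code: the walk below collects the rules files a directory load would accept and derives each file's namespace from its path relative to the loaded directory, honouring the recurse flag. It stops before compilation, so it runs without the yara bindings; the function names, the constructed fixture files and the forward-slash normalisation of namespaces are this example's own assumptions, not documented yapscan behaviour.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Same extensions the page lists for YaraRulesFileExtensions.
var yaraRulesFileExtensions = []string{".yar", ".yara"}

// isYaraRulesFile follows the contract of IsYaraRulesFile: a plain, case-sensitive suffix check.
func isYaraRulesFile(name string) bool {
	for _, ext := range yaraRulesFileExtensions {
		if strings.HasSuffix(name, ext) {
			return true
		}
	}
	return false
}

// RuleSource is one uncompiled rules file and the namespace a directory load would compile it under.
type RuleSource struct {
	Path      string
	Namespace string // path relative to the loaded directory
}

// collectRuleSources returns every rules file below root that a directory load would take.
// With recurse=false only root's direct children count. Namespaces are normalised to
// forward slashes here (this example's choice, not documented yapscan behaviour).
func collectRuleSources(root string, recurse bool) ([]RuleSource, error) {
	var sources []RuleSource
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.IsDir() {
			if path != root && !recurse {
				return filepath.SkipDir
			}
			return nil
		}
		if !isYaraRulesFile(d.Name()) {
			return nil // README files, notes, anything without a rules extension: ignored
		}
		rel, err := filepath.Rel(root, path)
		if err != nil {
			return err
		}
		sources = append(sources, RuleSource{Path: path, Namespace: filepath.ToSlash(rel)})
		return nil
	})
	return sources, err
}

// writeFixture builds a constructed rules tree: two rules files and two unrelated files,
// one of each in a subdirectory.
func writeFixture(dir string) error {
	files := map[string]string{
		"a.yar":        "rule a { condition: true }",
		"README.txt":   "not a rule",
		"sub/b.yara":   "rule b { condition: false }",
		"sub/notes.md": "also not a rule",
	}
	for name, content := range files {
		p := filepath.Join(dir, filepath.FromSlash(name))
		if err := os.MkdirAll(filepath.Dir(p), 0o700); err != nil {
			return err
		}
		if err := os.WriteFile(p, []byte(content), 0o600); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	dir, err := os.MkdirTemp("", "rules-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	if err := writeFixture(dir); err != nil {
		panic(err)
	}
	for _, recurse := range []bool{false, true} {
		srcs, err := collectRuleSources(dir, recurse)
		if err != nil {
			panic(err)
		}
		fmt.Printf("recurse=%v: %d rules file(s)\n", recurse, len(srcs))
		for _, s := range srcs {
			fmt.Printf("  namespace %q <- %s\n", s.Namespace, s.Path)
		}
	}
}
```

With recursion off only `a.yar` is found; with it on, `sub/b.yara` joins it under the namespace `sub/b.yara`, which is the per-file namespace scheme the documentation describes for directory loads.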
Types
type FilterMatch
type FilterMatch struct {
    Result bool
    MSI    *procio.MemorySegmentInfo
    Reason string // Reason for filter mismatch, if Result is false
}
FilterMatch contains information about the matching of a MemorySegmentFilter.
type MemoryScanProgress
type MemoryScanProgress struct {
    // Process contains information about the process being scanned.
    Process procio.Process
    // MemorySegment contains information about the specific memory segment which was just scanned.
    MemorySegment *procio.MemorySegmentInfo
    // Dump contains the raw contents of the memory segment.
    Dump []byte
    // Matches contains the yara.MatchRule results.
    Matches []yara.MatchRule
    // Error contains the encountered error or nil, if no error was encountered.
    Error error
}
MemoryScanProgress contains all information generated while scanning one memory segment.
type MemoryScanner
MemoryScanner is a yara.Rules compatible interface, defining the subset of functions required for scanning memory buffers.
type MemorySegmentFilter
type MemorySegmentFilter interface {
    Filter(info *procio.MemorySegmentInfo) *FilterMatch
    Description() string
}
MemorySegmentFilter describes an interface capable of filtering *procio.MemorySegmentInfo instances.
func NewAndFilter
func NewAndFilter(filters ...MemorySegmentFilter) MemorySegmentFilter
NewAndFilter creates a new filter, which is the logical AND-combination of all given MemorySegmentFilter instances.
func NewFilterFromFunc
func NewFilterFromFunc(filter MemorySegmentFilterFunc, parameter interface{}, reasonTemplate string, description string) MemorySegmentFilter
NewFilterFromFunc creates a new filter from a given MemorySegmentFilterFunc.
func NewMaxSizeFilter
func NewMaxSizeFilter(size uintptr) MemorySegmentFilter
NewMaxSizeFilter creates a new filter matching *procio.MemorySegmentInfo whose size is at most the given size.
func NewMinSizeFilter
func NewMinSizeFilter(size uintptr) MemorySegmentFilter
NewMinSizeFilter creates a new filter matching *procio.MemorySegmentInfo whose size is at least the given size.
func NewPermissionsFilter
func NewPermissionsFilter(perm procio.Permissions) MemorySegmentFilter
NewPermissionsFilter creates a new filter, matching *procio.MemorySegmentInfo with procio.Permissions equal to or more permissive than the given perm.
func NewPermissionsFilterExact
func NewPermissionsFilterExact(perms []procio.Permissions) MemorySegmentFilter
NewPermissionsFilterExact creates a new filter, matching *procio.MemorySegmentInfo with procio.Permissions exactly equal to one of the given perms.
func NewRSSRatioFilter (added in v0.9.0)
func NewRSSRatioFilter(ratio float64) MemorySegmentFilter
NewRSSRatioFilter creates a new filter matching *procio.MemorySegmentInfo whose RSS/Size ratio is equal to or greater than the given value.
func NewStateFilter
func NewStateFilter(states []procio.State) MemorySegmentFilter
NewStateFilter creates a new filter, matching *procio.MemorySegmentInfo with a procio.State equal to one of the given states.
func NewTypeFilter
func NewTypeFilter(types []procio.SegmentType) MemorySegmentFilter
NewTypeFilter creates a new filter, matching *procio.MemorySegmentInfo with a procio.SegmentType equal to one of the given types.
type MemorySegmentFilterFunc
type MemorySegmentFilterFunc func(info *procio.MemorySegmentInfo) bool
MemorySegmentFilterFunc is a callback used to filter *procio.MemorySegmentInfo instances.
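The filter constructors above compose into one predicate per segment. The following added example (not yapscan's code) reproduces that pattern with stand-in types: a SegmentInfo in place of procio.MemorySegmentInfo, with a "rwx"-style string standing in for procio.Permissions; a NewFilterFromFunc-style constructor that formats its parameter into a reason template; a permissions filter and an RSS-ratio filter built on it; and an AND combinator that returns the first rejecting filter's reason. All names and the reason wording are assumptions of the example.

```go
package main

import (
	"fmt"
	"strings"
)

// SegmentInfo is a constructed stand-in for procio.MemorySegmentInfo; Perms is a
// "rwx"-style string standing in for procio.Permissions.
type SegmentInfo struct {
	Base, Size, RSS uintptr
	Perms           string
}

// FilterMatch and SegmentFilter mirror yapscan's FilterMatch and MemorySegmentFilter.
type FilterMatch struct {
	Result bool
	Info   *SegmentInfo
	Reason string // why the segment was rejected; empty when Result is true
}

type SegmentFilter interface {
	Filter(info *SegmentInfo) *FilterMatch
	Description() string
}

// funcFilter is the NewFilterFromFunc pattern: a predicate plus the parameter it was built
// from, which is formatted into reasonTmpl whenever the predicate rejects a segment.
type funcFilter struct {
	fn                      func(*SegmentInfo) bool
	parameter               interface{}
	reasonTmpl, description string
}

func (f *funcFilter) Filter(info *SegmentInfo) *FilterMatch {
	m := &FilterMatch{Result: f.fn(info), Info: info}
	if !m.Result {
		m.Reason = fmt.Sprintf(f.reasonTmpl, f.parameter)
	}
	return m
}

func (f *funcFilter) Description() string { return f.description }

func newFilterFromFunc(fn func(*SegmentInfo) bool, parameter interface{}, reasonTmpl, description string) SegmentFilter {
	return &funcFilter{fn, parameter, reasonTmpl, description}
}

// newRSSRatioFilter keeps segments whose resident share (RSS/Size) is at least ratio, so
// large, mostly unbacked reservations are not paged in just to be scanned.
func newRSSRatioFilter(ratio float64) SegmentFilter {
	return newFilterFromFunc(func(i *SegmentInfo) bool {
		return i.Size > 0 && float64(i.RSS)/float64(i.Size) >= ratio
	}, ratio, "RSS/size ratio is below %.2f", fmt.Sprintf("rss/size >= %.2f", ratio))
}

// newPermissionsFilter keeps segments at least as permissive as want: every letter in
// want must be present on the segment, '-' positions do not matter.
func newPermissionsFilter(want string) SegmentFilter {
	return newFilterFromFunc(func(i *SegmentInfo) bool {
		for _, c := range want {
			if c != '-' && !strings.ContainsRune(i.Perms, c) {
				return false
			}
		}
		return true
	}, want, "permissions are less permissive than %s", "perms >= "+want)
}

// andFilter is the logical AND of its parts. It stops at the first rejecting filter and
// returns that filter's FilterMatch, so the caller can log why a segment was skipped.
type andFilter struct{ parts []SegmentFilter }

func newAndFilter(parts ...SegmentFilter) SegmentFilter { return &andFilter{parts} }

func (a *andFilter) Filter(info *SegmentInfo) *FilterMatch {
	for _, p := range a.parts {
		if m := p.Filter(info); !m.Result {
			return m
		}
	}
	return &FilterMatch{Result: true, Info: info}
}

func (a *andFilter) Description() string {
	ds := make([]string, len(a.parts))
	for i, p := range a.parts {
		ds[i] = p.Description()
	}
	return strings.Join(ds, " AND ")
}

func main() {
	// A typical memory-scan selection: writable and executable, and mostly resident.
	f := newAndFilter(newPermissionsFilter("-wx"), newRSSRatioFilter(0.5))
	m := f.Filter(&SegmentInfo{Base: 0x20000, Size: 0x10000, RSS: 0x10000, Perms: "r-x"})
	fmt.Printf("%s\n0x%x: match=%v reason=%q\n", f.Description(), m.Info.Base, m.Result, m.Reason)
}
```

Returning the first rejecting filter's FilterMatch is what makes the Reason field useful in practice: a scan log can state which criterion excluded a region. The ratio filter also rejects a zero-size segment outright instead of dividing by zero.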
type ProcessScanner
type ProcessScanner struct {
// contains filtered or unexported fields
}
ProcessScanner implements scanning of the memory segments allocated by a process. The scanning is done with an underlying MemoryScanner on the segments matching a MemorySegmentFilter.
func NewProcessScanner
func NewProcessScanner(proc procio.Process, filter MemorySegmentFilter, scanner MemoryScanner) *ProcessScanner
NewProcessScanner creates a new ProcessScanner for the given procio.Process. It uses the given MemoryScanner to scan those memory segments of the process which match the given MemorySegmentFilter.
func (*ProcessScanner) EncounteredMemoryMappedFiles (added in v0.9.0)
func (s *ProcessScanner) EncounteredMemoryMappedFiles() []string
func (*ProcessScanner) Scan
func (s *ProcessScanner) Scan() (<-chan *MemoryScanProgress, error)
Scan starts an asynchronous scan. The returned unbuffered channel will yield MemoryScanProgress instances every time a memory segment has been processed. The channel will be closed when all segments have been processed.
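As an added example, not code from yapscan, here is the consumer side of the contract described above: a goroutine produces progress values on an unbuffered channel and closes it when done; the reader drains it, counts segments skipped with an ErrSkipped-style error separately from real failures, and converts each rule's string matches to absolute addresses the way AddressesFromMatches is documented to (segment base plus match offset). The types are stand-ins for yara.MatchString, yara.MatchRule and MemoryScanProgress, and the addresses, rule name and error text are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// errSkipped plays the role of yapscan.ErrSkipped: the filter rejected the segment, nothing failed.
var errSkipped = errors.New("skipped")

// matchString and matchRule are stand-ins for yara.MatchString and yara.MatchRule.
type matchString struct {
	Name   string
	Offset uint64 // offset of the hit within the scanned buffer
}

type matchRule struct {
	Rule    string
	Strings []matchString
}

// scanProgress is a stand-in for MemoryScanProgress with only the fields used here.
type scanProgress struct {
	SegmentBase uint64 // start address of the segment the buffer was read from
	Matches     []matchRule
	Error       error
}

// addressesFromMatches follows the contract documented for AddressesFromMatches:
// one absolute address per string match, offset + match.Offset.
func addressesFromMatches(matches []matchString, offset uint64) []uint64 {
	out := make([]uint64, 0, len(matches))
	for _, m := range matches {
		out = append(out, offset+m.Offset)
	}
	return out
}

// scanSummary is what a caller keeps after draining the progress channel.
type scanSummary struct {
	Scanned, Skipped int
	Hits             map[string][]uint64 // rule name -> absolute addresses of its string hits
	Errors           []error
}

// drainScan consumes progress until the channel is closed, which is how Scan() signals that
// every segment has been processed. Skips are counted, other errors are kept with the
// segment address, and matches are turned into absolute addresses the caller can report.
func drainScan(progress <-chan *scanProgress) scanSummary {
	s := scanSummary{Hits: map[string][]uint64{}}
	for p := range progress {
		switch {
		case errors.Is(p.Error, errSkipped):
			s.Skipped++
			continue
		case p.Error != nil:
			s.Errors = append(s.Errors, fmt.Errorf("segment 0x%x: %w", p.SegmentBase, p.Error))
			continue
		}
		s.Scanned++
		for _, r := range p.Matches {
			s.Hits[r.Rule] = append(s.Hits[r.Rule], addressesFromMatches(r.Strings, p.SegmentBase)...)
		}
	}
	for _, addrs := range s.Hits {
		sort.Slice(addrs, func(i, j int) bool { return addrs[i] < addrs[j] })
	}
	return s
}

// fakeScan stands in for ProcessScanner.Scan: a goroutine sends constructed progress values
// on an unbuffered channel and closes it when done.
func fakeScan() <-chan *scanProgress {
	ch := make(chan *scanProgress)
	go func() {
		defer close(ch)
		ch <- &scanProgress{SegmentBase: 0x7f0000000000, Matches: []matchRule{
			{Rule: "example_rule", Strings: []matchString{{"$a", 0x10}, {"$a", 0x2000}}}}}
		ch <- &scanProgress{SegmentBase: 0x7f0000100000, Error: errSkipped}
		ch <- &scanProgress{SegmentBase: 0x7f0000200000, Error: errors.New("read failed")}
		ch <- &scanProgress{SegmentBase: 0x7f0000300000, Matches: []matchRule{
			{Rule: "example_rule", Strings: []matchString{{"$b", 0x40}}}}}
	}()
	return ch
}

func main() {
	s := drainScan(fakeScan())
	fmt.Printf("scanned=%d skipped=%d errors=%d\n", s.Scanned, s.Skipped, len(s.Errors))
	for rule, addrs := range s.Hits {
		fmt.Printf("%s: %#x\n", rule, addrs)
	}
	for _, err := range s.Errors {
		fmt.Println("error:", err)
	}
}
```

Because the channel is unbuffered, the producer blocks until the consumer has taken each value, so a slow consumer throttles the scan rather than accumulating dumps in memory; dropping the receive loop early would stall the scanner, which is why the loop runs until the channel closes.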
type ProfilingInformation (added in v0.11.0)
type ProfilingInformation struct {
    Time                  time.Time `json:"time"`
    FreeRAM               uintptr   `json:"freeRAM"`
    FreeSwap              uintptr   `json:"freeSwap"`
    LoadAvgOneMinute      float64   `json:"loadAvgOneMinute"`
    LoadAvgFiveMinutes    float64   `json:"loadAvgFiveMinutes"`
    LoadAvgFifteenMinutes float64   `json:"loadAvgFifteenMinutes"`
}
type Rules
type Rules interface {
    ScanFile(filename string, flags yara.ScanFlags, timeout time.Duration, cb yara.ScanCallback) (err error)
    ScanMem(buf []byte, flags yara.ScanFlags, timeout time.Duration, cb yara.ScanCallback) (err error)
}
Rules is a yara.Rules compatible interface defining the functions required by yapscan. The choice of an interface over the concrete struct yara.Rules is mostly to make testing easier.
type ScanningStatistics (added in v0.7.0)
type ScanningStatistics struct {
    Start                      time.Time               `json:"start"`
    End                        time.Time               `json:"end"`
    NumberOfProcessesScanned   uint64                  `json:"numberOfProcessesScanned"`
    NumberOfSegmentsScanned    uint64                  `json:"numberOfSegmentsScanned"`
    NumberOfMemoryBytesScanned uint64                  `json:"numberOfMemoryBytesScanned"`
    NumberOfFileBytesScanned   uint64                  `json:"numberOfFileBytesScanned"`
    NumberOfFilesScanned       uint64                  `json:"numberOfFilesScanned"`
    ProfilingInformation       []*ProfilingInformation `json:"profilingInformation"`
    // contains filtered or unexported fields
}
ScanningStatistics holds statistic information about a scan.
func NewScanningStatistics (added in v0.7.0)
func NewScanningStatistics() *ScanningStatistics
func (*ScanningStatistics) Finalize (added in v0.7.0)
func (s *ScanningStatistics) Finalize()
Finalize finalizes the statistics, stopping the memory profiling routine if it is running. Call this function before processing the statistics further. This function is thread safe.
func (*ScanningStatistics) IncrementFilesScanned (added in v0.8.0)
func (s *ScanningStatistics) IncrementFilesScanned(numOfBytes uint64)
IncrementFilesScanned increments the number of files scanned as well as the number of bytes scanned. This function is thread safe.
func (*ScanningStatistics) IncrementMemorySegmentsScanned (added in v0.7.0)
func (s *ScanningStatistics) IncrementMemorySegmentsScanned(numOfBytes uint64)
IncrementMemorySegmentsScanned increments the number of segments scanned as well as the number of bytes scanned. This function is thread safe.
func (*ScanningStatistics) IncrementNumberOfProcessesScanned (added in v0.7.0)
func (s *ScanningStatistics) IncrementNumberOfProcessesScanned()
IncrementNumberOfProcessesScanned increments the number of scanned processes. This function is thread safe.
func (*ScanningStatistics) StartProfiler (added in v0.11.0)
func (s *ScanningStatistics) StartProfiler(ctx context.Context, scanInterval time.Duration)
StartProfiler starts a goroutine, regularly saving information about free memory, free swap and CPU load.
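The statistics methods above are documented as thread safe and StartProfiler as a background goroutine; the added example below (not yapscan's own code) shows one way to honour both: a mutex around every counter, a profiler goroutine driven by a ticker and a cancellable context, and a Finalize that cancels the context and waits for the goroutine to exit so no sample lands after End. Go heap usage stands in for the free RAM, swap and load-average fields, and all names are this example's own.

```go
package main

import (
	"context"
	"fmt"
	"runtime"
	"sync"
	"time"
)

// profileSample stands in for ProfilingInformation; Go heap in use replaces free RAM, swap and load.
type profileSample struct {
	Time      time.Time
	HeapInUse uint64
}

// scanStats stands in for ScanningStatistics; one mutex guards every field against concurrent updates.
type scanStats struct {
	mu                    sync.Mutex
	Start, End            time.Time
	Segments, MemoryBytes uint64
	Samples               []profileSample
	stopProfiler          context.CancelFunc
	profilerDone          chan struct{}
}

func newScanStats() *scanStats { return &scanStats{Start: time.Now()} }

// IncrementSegments counts one scanned segment and its size, like IncrementMemorySegmentsScanned.
func (s *scanStats) IncrementSegments(numBytes uint64) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.Segments++
	s.MemoryBytes += numBytes
}

// StartProfiler records a sample every interval until ctx is cancelled or Finalize is called.
func (s *scanStats) StartProfiler(ctx context.Context, interval time.Duration) {
	ctx, cancel := context.WithCancel(ctx)
	done := make(chan struct{})
	s.mu.Lock()
	s.stopProfiler, s.profilerDone = cancel, done
	s.mu.Unlock()
	go func() {
		defer close(done)
		ticker := time.NewTicker(interval)
		defer ticker.Stop()
		for {
			select {
			case <-ctx.Done():
				return
			case now := <-ticker.C:
				var ms runtime.MemStats
				runtime.ReadMemStats(&ms)
				s.mu.Lock()
				s.Samples = append(s.Samples, profileSample{Time: now, HeapInUse: ms.HeapInuse})
				s.mu.Unlock()
			}
		}
	}()
}

// Finalize stops a running profiler, waits for it so no sample is appended afterwards, then stamps End.
func (s *scanStats) Finalize() {
	s.mu.Lock()
	cancel, done := s.stopProfiler, s.profilerDone
	s.stopProfiler, s.profilerDone = nil, nil
	s.mu.Unlock()
	if cancel != nil {
		cancel() // must not hold s.mu here: the profiler needs it to finish its last append
		<-done
	}
	s.mu.Lock()
	s.End = time.Now()
	s.mu.Unlock()
}

// simulateScan updates the counters from one goroutine per "process", as a concurrent scanner would.
func simulateScan(stats *scanStats, workers, segmentsEach int, segmentBytes uint64) {
	var wg sync.WaitGroup
	for w := 0; w < workers; w++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			for i := 0; i < segmentsEach; i++ {
				stats.IncrementSegments(segmentBytes)
			}
		}()
	}
	wg.Wait()
}

func main() {
	stats := newScanStats()
	stats.StartProfiler(context.Background(), 10*time.Millisecond)
	simulateScan(stats, 8, 1000, 4096)
	time.Sleep(50 * time.Millisecond)
	stats.Finalize()
	fmt.Printf("segments=%d bytes=%d samples=%d took=%s\n", stats.Segments, stats.MemoryBytes, len(stats.Samples), stats.End.Sub(stats.Start))
}
```

The detail worth copying is in Finalize: the cancel function and done channel are taken out under the lock and the wait happens with the lock released, because the profiler goroutine needs the same mutex to finish its last append. A second Finalize finds no profiler and only restamps End.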
type YaraScanner
type YaraScanner struct {
// contains filtered or unexported fields
}
YaraScanner is a wrapper for yara.Rules with a more Go-like interface.
func NewYaraScanner
func NewYaraScanner(rules Rules) (*YaraScanner, error)
NewYaraScanner creates a new YaraScanner from the given yara.Rules.
func (*YaraScanner) ScanFile
func (s *YaraScanner) ScanFile(filename string) ([]yara.MatchRule, error)
ScanFile scans the file with the given filename. This function simply calls ScanFile on the underlying yara.Rules object.
func (*YaraScanner) ScanMem
func (s *YaraScanner) ScanMem(buf []byte) ([]yara.MatchRule, error)
ScanMem scans the given buffer. This function simply calls ScanMem on the underlying yara.Rules object.
func (*YaraScanner) Statistics (added in v0.7.0)
func (s *YaraScanner) Statistics() *ScanningStatistics
Statistics returns the mutable statistics of the scanner.
Source Files
Directories
Path | Synopsis
---|---
arch | Package arch provides information about the current CPU architecture.
cmd |
experiments |
fileio | Package fileio provides functionality to interact with the OS's filesystem.
win32 | Package win32 provides WinAPI functions and wrappers that are either inaccessible through golang.org/x/sys/windows or too complex to use directly.