yara

package module
v2.0.0-...-047400e Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 18, 2021 License: BSD-2-Clause Imports: 10 Imported by: 0

README

Logo

go-yara

GoDoc Travis Go Report Card

Go bindings for YARA, staying as close as sensible to the library's C-API while taking inspiration from the yara-python implementation.

Installation

Unix

On a Unix system with libyara, its header files, and pkg-config installed, the following should simply work, provided that GOPATH is set:

go get github.com/hillu/go-yara
go install github.com/hillu/go-yara

The pkg-config program should be able to output the correct compiler and linker flags from the yara.pc file that has been generated and installed by YARA's build system. If libyara has been installed to a custom location, the PKG_CONFIG_PATH environment variable can be used to point pkg-config at the right yara.pc file. If pkg-config cannot be used at all, please refer to the "Build Tags" section.

Linker errors in the compiler output such as

undefined reference to `yr_compiler_add_file'

indicate that the linker is probably looking at an old version of libyara. Please refer to the "Build Tags" section below on how to work with old YARA versions.

Cross-building

go-yara can be cross-built for a different CPU architecture/operating system platform, provided a C cross-compiler for the target platform is available to be used by the cgo tool.

After the yara library has been built from its source tree using the proper C cross-compiler through the usual configure / make / make install steps, go-yara can be built and installed. Some environment variables need to be set when running go build or go install:

  • GOOS, GOARCH indicate the cross compilation target.
  • CGO_ENABLED has to be set to 1 beacuse it defaults to 0 when cross-compiling.
  • CC has to specified because cgo has no prior knowledge about what C compiler to chose for cross-compiling. (it defaults to the system C compiler, usually gcc).
  • PKG_CONFIG_PATH has to be set in so that pkg-config which is run by cgo for determining compiler and linker flags can find the yara.pc file generated while cross-building yara.
Example: Cross-building for Windows on Debian/streach

Install the MinGW C compiler gcc-mingw-w64-i686, gcc-mingw-w64-x86-64 for Win32, Win64, respectively.

Build libyara and go-yara for Win32:

$ cd ${YARA_SRC} \
  && ./bootstrap.sh \
  && ./configure --host=i686-w64-mingw32 --disable-magic --disable-cuckoo --without-crypto --prefix=${YARA_SRC}/i686-w64-mingw32 \
  && make -C ${YARA_SRC} \
  && make -C ${YARA_SRC} install 
$ GOOS=windows GOARCH=amd64 CGO_ENABLED=1 \
  CC=i686-w64-mingw32-gcc \
  PKG_CONFIG_PATH=${YARA_SRC}/i686-w64-mingw32/lib/pkgconfig \
  go inxstall -ldflags '-extldflags "-static"' github.com/hillu/go-yara

Build libyara and go-yara for Win64:

$ cd ${YARA_SRC} \
  && ./bootstrap.sh \
  && ./configure --host=x86_64-w64-mingw32 --disable-magic --disable-cuckoo --without-crypto --prefix=${YARA_SRC}/x86_64-w64-mingw32 \
  && make -C ${YARA_SRC} \
  && make -C ${YARA_SRC} install 
$ GOOS=windows GOARCH=amd64 CGO_ENABLED=1 \
  CC=x86_64-w64-mingw32-gcc \
  PKG_CONFIG_PATH=${YARA_SRC}/x86_64-w64-mingw32/lib/pkgconfig \
  go install -ldflags '-extldflags "-static"' github.com/hillu/go-yara

Build Tags

go-yara is tested with the latest stable version of YARA, currently 3.11. If you need to to build with an older version of YARA, certain features that are not present in older versions can be excluded by passing a build tag such as yara3.7, yara3.6, yara3.5, etc.. If you want to build with a git snapshot of YARA, you may use a build tag corresponding to the upcoming stable YARA version, currently yara3.9. You also need to pass the tag when you build your own project.

The build tag yara_static can be used to tell the Go toolchain to run pkg-config with the --static switch. This is not enough for a static build; the appropriate linker flags (e.g. -extldflags "-static") still need to be passed to the go tool.

The build tag no_pkg_config can be used to tell the Go toolchain not to use pkg-config's output. In this case, any compiler or linker flags have to be set via the CGO_CFLAGS and CGO_LDFLAGS environment variables, e.g.:

export CGO_CFLAGS="-I${YARA_SRC}/libyara/include"
export CGO_LDFLAGS="-L${YARA_SRC}/libyara/.libs -lyara"
go install -tags no_pkg_config github.com/hillu/go-yara

License

BSD 2-clause, see LICENSE file in the source distribution.

Author

Hilko Bengen bengen@hilluzination.de

Documentation

Overview

Package yara provides bindings to the YARA library.

Index

Constants

View Source 
const (
	ERROR_SUCCESS                      = C.ERROR_SUCCESS
	ERROR_INSUFFICIENT_MEMORY          = C.ERROR_INSUFFICIENT_MEMORY
	ERROR_COULD_NOT_ATTACH_TO_PROCESS  = C.ERROR_COULD_NOT_ATTACH_TO_PROCESS
	ERROR_COULD_NOT_OPEN_FILE          = C.ERROR_COULD_NOT_OPEN_FILE
	ERROR_COULD_NOT_MAP_FILE           = C.ERROR_COULD_NOT_MAP_FILE
	ERROR_INVALID_FILE                 = C.ERROR_INVALID_FILE
	ERROR_CORRUPT_FILE                 = C.ERROR_CORRUPT_FILE
	ERROR_UNSUPPORTED_FILE_VERSION     = C.ERROR_UNSUPPORTED_FILE_VERSION
	ERROR_INVALID_REGULAR_EXPRESSION   = C.ERROR_INVALID_REGULAR_EXPRESSION
	ERROR_INVALID_HEX_STRING           = C.ERROR_INVALID_HEX_STRING
	ERROR_SYNTAX_ERROR                 = C.ERROR_SYNTAX_ERROR
	ERROR_LOOP_NESTING_LIMIT_EXCEEDED  = C.ERROR_LOOP_NESTING_LIMIT_EXCEEDED
	ERROR_DUPLICATED_LOOP_IDENTIFIER   = C.ERROR_DUPLICATED_LOOP_IDENTIFIER
	ERROR_DUPLICATED_IDENTIFIER        = C.ERROR_DUPLICATED_IDENTIFIER
	ERROR_DUPLICATED_TAG_IDENTIFIER    = C.ERROR_DUPLICATED_TAG_IDENTIFIER
	ERROR_DUPLICATED_META_IDENTIFIER   = C.ERROR_DUPLICATED_META_IDENTIFIER
	ERROR_DUPLICATED_STRING_IDENTIFIER = C.ERROR_DUPLICATED_STRING_IDENTIFIER
	ERROR_UNREFERENCED_STRING          = C.ERROR_UNREFERENCED_STRING
	ERROR_UNDEFINED_STRING             = C.ERROR_UNDEFINED_STRING
	ERROR_UNDEFINED_IDENTIFIER         = C.ERROR_UNDEFINED_IDENTIFIER
	ERROR_MISPLACED_ANONYMOUS_STRING   = C.ERROR_MISPLACED_ANONYMOUS_STRING
	ERROR_INCLUDES_CIRCULAR_REFERENCE  = C.ERROR_INCLUDES_CIRCULAR_REFERENCE
	ERROR_INCLUDE_DEPTH_EXCEEDED       = C.ERROR_INCLUDE_DEPTH_EXCEEDED
	ERROR_WRONG_TYPE                   = C.ERROR_WRONG_TYPE
	ERROR_EXEC_STACK_OVERFLOW          = C.ERROR_EXEC_STACK_OVERFLOW
	ERROR_SCAN_TIMEOUT                 = C.ERROR_SCAN_TIMEOUT
	ERROR_TOO_MANY_SCAN_THREADS        = C.ERROR_TOO_MANY_SCAN_THREADS
	ERROR_CALLBACK_ERROR               = C.ERROR_CALLBACK_ERROR
	ERROR_INVALID_ARGUMENT             = C.ERROR_INVALID_ARGUMENT
	ERROR_TOO_MANY_MATCHES             = C.ERROR_TOO_MANY_MATCHES
	ERROR_INTERNAL_FATAL_ERROR         = C.ERROR_INTERNAL_FATAL_ERROR
	ERROR_NESTED_FOR_OF_LOOP           = C.ERROR_NESTED_FOR_OF_LOOP
	ERROR_INVALID_FIELD_NAME           = C.ERROR_INVALID_FIELD_NAME
	ERROR_UNKNOWN_MODULE               = C.ERROR_UNKNOWN_MODULE
	ERROR_NOT_A_STRUCTURE              = C.ERROR_NOT_A_STRUCTURE
	ERROR_NOT_INDEXABLE                = C.ERROR_NOT_INDEXABLE
	ERROR_NOT_A_FUNCTION               = C.ERROR_NOT_A_FUNCTION
	ERROR_INVALID_FORMAT               = C.ERROR_INVALID_FORMAT
	ERROR_TOO_MANY_ARGUMENTS           = C.ERROR_TOO_MANY_ARGUMENTS
	ERROR_WRONG_ARGUMENTS              = C.ERROR_WRONG_ARGUMENTS
	ERROR_WRONG_RETURN_TYPE            = C.ERROR_WRONG_RETURN_TYPE
	ERROR_DUPLICATED_STRUCTURE_MEMBER  = C.ERROR_DUPLICATED_STRUCTURE_MEMBER
)
View Source 
const (
	// ScanFlagsFastMode avoids multiple matches of the same string
	// when not necessary.
	ScanFlagsFastMode = C.SCAN_FLAGS_FAST_MODE
	// ScanFlagsProcessMemory causes the scanned data to be
	// interpreted like live, in-process memory rather than an on-disk
	// file.
	ScanFlagsProcessMemory = C.SCAN_FLAGS_PROCESS_MEMORY
	// Flags for indicating that the callback function should for matching and
	// not matching rules. Both flags can be used together for receiving
	// notification about matching and not matching rules, or they can be used
	// alone for receiving notifications about either case. If none of these
	// two flags are specified the default behaviour is reporting both matching
	// and not matching rules.
	ScanFlagsReportRulesMatching    = C.SCAN_FLAGS_REPORT_RULES_MATCHING
	ScanFlagsReportRulesNotMatching = C.SCAN_FLAGS_REPORT_RULES_NOT_MATCHING
)

Variables

This section is empty.

Functions

func Finalize 

func Finalize() error

Finalize releases all the resources allocated by the YARA library. It should be called by the program when it no longer needs YARA, e.g. just before the program exits. It is not strictly necessary to call Finalize because the allocated memory will be freed on program exit; however, explicitly-freed resources will not show up as a leak in memory profiling tools.

A good practice is calling Finalize as a deferred function in the program's main function: 

defer yara.Finalize()

func GetConfiguration 

func GetConfiguration(name ConfigName) (interface{}, error)

GetConfiguration gets a global YARA configuration option.

func GetMaxMatchData 

func GetMaxMatchData() int

GetMaxMatchData returns the value for YARA's YR_CONFIG_MAX_MATCH_DATA configuration option. This controls the maximum amount of bytes that YARA stores for each matching string.

func SetConfiguration 

func SetConfiguration(name ConfigName, src interface{}) error

SetConfiguration sets a global YARA configuration option.

func SetMaxMatchData 

func SetMaxMatchData(n int)

SetMaxMatchData sets the value for YR_CONFIG_MAX_MATCH_DATA configuration option, which controls the maximum amount of bytes that YARA stores for each matching string. If this value is zero YARA won't copy any data at all.

Types

type Compiler 

type Compiler struct {
	Errors   []CompilerMessage
	Warnings []CompilerMessage
	// contains filtered or unexported fields
}

A Compiler encapsulates the YARA compiler that transforms rules into YARA's internal, binary form which in turn is used for scanning files or memory blocks.

func NewCompiler 

func NewCompiler() (*Compiler, error)

NewCompiler creates a YARA compiler.

func (*Compiler) AddFile 

func (c *Compiler) AddFile(file *os.File, namespace string) (err error)

AddFile compiles rules from a file. Rules are added to the specified namespace.

If this function returns an error, the Compiler object will become unusable.

func (*Compiler) AddString 

func (c *Compiler) AddString(rules string, namespace string) (err error)

AddString compiles rules from a string. Rules are added to the specified namespace.

If this function returns an error, the Compiler object will become unusable.

func (*Compiler) DefineVariable 

func (c *Compiler) DefineVariable(identifier string, value interface{}) (err error)

DefineVariable defines a named variable for use by the compiler. Boolean, int64, float64, and string types are supported.

func (*Compiler) Destroy 

func (c *Compiler) Destroy()

Destroy destroys the YARA data structure representing a compiler. Since a Finalizer for the underlying YR_COMPILER structure is automatically set up on creation, it should not be necessary to explicitly call this method.

func (*Compiler) DisableIncludes 

func (c *Compiler) DisableIncludes()

DisableIncludes disables all include statements in the compiler. See yr_compiler_set_include_callbacks.

func (*Compiler) GetRules 

func (c *Compiler) GetRules() (*Rules, error)

GetRules returns the compiled ruleset.

func (*Compiler) SetIncludeCallback 

func (c *Compiler) SetIncludeCallback(cb CompilerIncludeFunc)

SetIncludeCallback sets up cb as an include callback that is called (through Go glue code) by the YARA compiler for every include statement.

type CompilerIncludeFunc 

type CompilerIncludeFunc func(name, filename, namespace string) []byte

CompilerIncludeFunc is the type of the function that can be registered through SetIncludeCallback. It is called for every include statement encountered by the compiler. The argument "name" specifies the rule file to be included, "filename" specifies the name of the rule file where the include statement has been encountered, and "namespace" specifies the rule namespace. The sole return value is a byte slice containing the contents of the included file. A return value of nil signals an error to the YARA compiler.

See also: yr_compiler_set_include_callback in the YARA C API documentation.

type CompilerMessage 

type CompilerMessage struct {
	Filename string
	Line     int
	Text     string
}

A CompilerMessage contains an error or warning message produced while compiling sets of rules using AddString or AddFile.

type ConfigName 

type ConfigName uint32
const ConfigMaxMatchData ConfigName = C.YR_CONFIG_MAX_MATCH_DATA
const ConfigMaxStringsPerRule ConfigName = C.YR_CONFIG_MAX_STRINGS_PER_RULE
const ConfigStackSize ConfigName = C.YR_CONFIG_STACK_SIZE

type Error 

type Error struct {
	// YARA error code.
	Code int
	// Namespace in which the error occurred, if applicable. It can be empty.
	Namespace string
	// Rule in which the error occurred, if applicable. It can be empty.
	RuleIdentifier string
	// String in which the error occurred, if applicable. It can be empty.
	StringIdentifier string
}

Error is an implementation of the error interface that includes the YARA error code. All functions in this package return this type of errors.

func (Error) Error 

func (e Error) Error() (errorString string)

type Match 

type Match struct {
	// contains filtered or unexported fields
}

Match represents a string match

func (*Match) Data 

func (m *Match) Data() []byte

Data returns the blob of data associated with the match. Returns nil if YARA was configured for not storing the matching data by passing zero to SetMaxMatchData.

func (*Match) Length 

func (m *Match) Length() int64

Length returns the length of the match.

func (*Match) Offset 

func (m *Match) Offset() int64

Offset returns the offset at which the string match occurred

type MatchRule 

type MatchRule struct {
	Rule      string
	Namespace string
	Tags      []string
	Meta      map[string]interface{}
	Strings   []MatchString
}

A MatchRule represents a rule successfully matched against a block of data.

type MatchRules 

type MatchRules []MatchRule

MatchRules is used to collect matches that are returned by the simple (*Rules).Scan* methods.

func (*MatchRules) RuleMatching 

func (mr *MatchRules) RuleMatching(ctx *ScanContext, r *Rule) (abort bool, err error)

RuleMatching implements the ScanCallbackMatch interface for MatchRules.

type MatchString 

type MatchString struct {
	Name   string
	Offset uint64
	Data   []byte
	Length uint64
}

A MatchString represents a string declared and matched in a rule. Name is the string's identifier. Offset is the offset within the file where the match was found. Data contains the portion of the file that matches, but it will be truncated to the amount specified with SetMaxMatchData, which by default is 512 bytes (this default value is controlled by the DEFAULT_MAX_MATCH_DATA macro defined in libyara.h). Length is the actual length of the match, and can be higher than len(Data).

type Meta 

type Meta struct {
	Identifier string
	Value      interface{}
}

Meta represents a rule meta variable. Value can be of type string, int, boolean, or nil.

type Object 

type Object struct {
	// contains filtered or unexported fields
}

type ProfilingInfo 

type ProfilingInfo struct {
	Rule *Rule
	Cost uint64
}

type Rule 

type Rule struct {
	// contains filtered or unexported fields
}

Rule represents a single rule as part of a ruleset

func (*Rule) Disable 

func (r *Rule) Disable()

Disable disables a single rule

func (*Rule) Enable 

func (r *Rule) Enable()

Enable enables a single rule

func (*Rule) Identifier 

func (r *Rule) Identifier() string

Identifier returns the rule's name.

func (*Rule) IsGlobal 

func (r *Rule) IsGlobal() bool

IsGlobal returns true if the rule is marked as global

func (*Rule) IsPrivate 

func (r *Rule) IsPrivate() bool

IsPrivate returns true if the rule is marked as private

func (*Rule) MetaList 

func (r *Rule) MetaList() (metas []Meta)

MetaList returns the rule's meta variables as a list of Meta objects. It does not share the limitation of Metas().

func (*Rule) MetaMap 

func (r *Rule) MetaMap() (metas map[string][]interface{})

MetaMap returns a map containing the rule's meta variables, with the variable names as keys. Values are collected into lists, this allows for multiple variables with the same; individual values can be of type string, int, bool, or nil.

func (*Rule) Metas deprecated 

func (r *Rule) Metas() (metas map[string]interface{})

Metas returns a map containing the rule's meta variables, with the variable names as keys. Values can be of type string, int, bool, or nil.

Deprecated: If there are multiple meta variables with the same name, the returned map contains only the last variable.

Use MetaList or MetaMap instead.

func (*Rule) Namespace 

func (r *Rule) Namespace() string

Namespace returns the rule's namespace.

func (*Rule) Strings 

func (r *Rule) Strings() (strs []String)

Strings returns the rule's strings

func (*Rule) Tags 

func (r *Rule) Tags() (tags []string)

Tags returns the rule's tags.

type Rules 

type Rules struct {
	// contains filtered or unexported fields
}

Rules contains a compiled YARA ruleset.

func Compile 

func Compile(rules string, variables map[string]interface{}) (r *Rules, err error)

Compile compiles rules and an (optional) set of variables into a Rules object in a single step.

func LoadRules 

func LoadRules(filename string) (*Rules, error)

LoadRules retrieves a compiled ruleset from filename.

func MustCompile 

func MustCompile(rules string, variables map[string]interface{}) (r *Rules)

MustCompile is like Compile but panics if the rules and optional variables can't be compiled. Like regexp.MustCompile, it allows for simple, safe initialization of global or test data.

func ReadRules 

func ReadRules(rd io.Reader) (*Rules, error)

ReadRules retrieves a compiled ruleset from an io.Reader

func (*Rules) DefineVariable 

func (r *Rules) DefineVariable(identifier string, value interface{}) (err error)

DefineVariable defines a named variable for use by the compiler. Boolean, int64, float64, and string types are supported.

func (*Rules) Destroy 

func (r *Rules) Destroy()

Destroy destroys the YARA data structure representing a ruleset. Since a Finalizer for the underlying YR_RULES structure is automatically set up on creation, it should not be necessary to explicitly call this method.

func (*Rules) GetRules 

func (r *Rules) GetRules() (rules []Rule)

GetRules returns a slice of rule objects that are part of the ruleset GetRules returns a slice of rule objects that are part of the ruleset.

func (*Rules) Save 

func (r *Rules) Save(filename string) (err error)

Save writes a compiled ruleset to filename.

func (*Rules) ScanFile 

func (r *Rules) ScanFile(filename string, flags ScanFlags, timeout time.Duration) (matches []MatchRule, err error)

ScanFile scans a file using the ruleset, returning matches via a list of MatchRule objects.

func (*Rules) ScanFileDescriptor 

func (r *Rules) ScanFileDescriptor(fd uintptr, flags ScanFlags, timeout time.Duration) (matches []MatchRule, err error)

ScanFileDescriptor scans a file using the ruleset, returning matches via a list of MatchRule objects.

func (*Rules) ScanFileDescriptorWithCallback 

func (r *Rules) ScanFileDescriptorWithCallback(fd uintptr, flags ScanFlags, timeout time.Duration, cb ScanCallback) (err error)

ScanFileDescriptorWithCallback scans a file using the ruleset. For every event emitted by libyara, the appropriate method on the ScanCallback object is called.

func (*Rules) ScanFileWithCallback 

func (r *Rules) ScanFileWithCallback(filename string, flags ScanFlags, timeout time.Duration, cb ScanCallback) (err error)

ScanFileWithCallback scans a file using the ruleset. For every event emitted by libyara, the appropriate method on the ScanCallback object is called.

func (*Rules) ScanMem 

func (r *Rules) ScanMem(buf []byte, flags ScanFlags, timeout time.Duration) (matches []MatchRule, err error)

ScanMem scans an in-memory buffer using the ruleset, returning matches via a list of MatchRule objects.

func (*Rules) ScanMemWithCallback 

func (r *Rules) ScanMemWithCallback(buf []byte, flags ScanFlags, timeout time.Duration, cb ScanCallback) (err error)

ScanMemWithCallback scans an in-memory buffer using the ruleset. For every event emitted by libyara, the appropriate method on the ScanCallback object is called.

func (*Rules) ScanProc 

func (r *Rules) ScanProc(pid int, flags ScanFlags, timeout time.Duration) (matches []MatchRule, err error)

ScanProc scans a live process using the ruleset, returning matches via a list of MatchRule objects.

func (*Rules) ScanProcWithCallback 

func (r *Rules) ScanProcWithCallback(pid int, flags ScanFlags, timeout time.Duration, cb ScanCallback) (err error)

ScanProcWithCallback scans a live process using the ruleset. For every event emitted by libyara, the appropriate method on the ScanCallback object is called.

func (*Rules) Write 

func (r *Rules) Write(wr io.Writer) (err error)

Write writes a compiled ruleset to an io.Writer.

type ScanCallback 

type ScanCallback interface{}

ScanCallback is a placeholder for different interfaces that may be implemented by the callback object that is passed to the (*Rules).Scan*WithCallback methods.

type ScanCallbackFinished 

type ScanCallbackFinished interface {
	ScanFinished(*ScanContext) (bool, error)
}

ScanCallbackFinished is used to signal that a scan has finished. The ScanFinished method corresponds to YARA's CALLBACK_MSG_SCAN_FINISHED message.

type ScanCallbackMatch 

type ScanCallbackMatch interface {
	RuleMatching(*ScanContext, *Rule) (bool, error)
}

ScanCallbackMatch is used to record rules that matched during a scan. The RuleMatching method corresponds to YARA's CALLBACK_MSG_RULE_MATCHING message.

type ScanCallbackModuleImport 

type ScanCallbackModuleImport interface {
	ImportModule(*ScanContext, string) ([]byte, bool, error)
}

ScanCallbackModuleImport is used to provide data to a YARA module. The ImportModule method corresponds to YARA's CALLBACK_MSG_IMPORT_MODULE message.

type ScanCallbackModuleImportFinished 

type ScanCallbackModuleImportFinished interface {
	ModuleImported(*ScanContext, *Object) (bool, error)
}

ScanCallbackModuleImportFinished can be used to free resources that have been used in the ScanCallbackModuleImport implementation. The ModuleImported method corresponds to YARA's CALLBACK_MSG_MODULE_IMPORTED message.

type ScanCallbackNoMatch 

type ScanCallbackNoMatch interface {
	RuleNotMatching(*ScanContext, *Rule) (bool, error)
}

ScanCallbackNoMatch is used to record rules that did not match during a scan. The RuleNotMatching method corresponds to YARA's CALLBACK_MSG_RULE_NOT_MATCHING message.

type ScanContext 

type ScanContext struct {
	// contains filtered or unexported fields
}

ScanContext is a struct passed to the ScanCallbackX functions.

func (*ScanContext) GetMatchStrings 

func (sc *ScanContext) GetMatchStrings(r *Rule) (matchstrings []MatchString)

GetMatchStrings returns a list of MatchString structures with the matches found for the rule r during the scan represented by the ScanContext.

type ScanFlags 

type ScanFlags int

ScanFlags are used to tweak the scanner's behaviour. They are also used with rule's ScanX functions.

type Scanner 

type Scanner struct {
	// contains filtered or unexported fields
}

Scanner represents a YARA scanner.

func NewScanner 

func NewScanner(r *Rules) (*Scanner, error)

NewScanner creates a YARA scanner.

func (*Scanner) DefineVariable 

func (s *Scanner) DefineVariable(identifier string, value interface{}) (err error)

DefineVariable defines a named variable for use by the scanner. Boolean, int64, float64, and string types are supported.

func (*Scanner) Destroy 

func (s *Scanner) Destroy()

Destroy destroys the YARA data structure representing a scanner. Since a Finalizer for the underlying YR_SCANNER structure is automatically set up on creation, it should not be necessary to explicitly all this method.

func (*Scanner) GetLastErrorRule 

func (s *Scanner) GetLastErrorRule() *Rule

GetLastErrorRule returns the rule that caused the last scanner error.

func (*Scanner) GetLastErrorString 

func (s *Scanner) GetLastErrorString() *String

GetLastErrorString returns the string that caused the last scanner error.

func (*Scanner) GetProfilingInfo 

func (s *Scanner) GetProfilingInfo(n int) (result []ProfilingInfo)

GetProfilingInfo returns a list of ProfilingInfo structures containing the profiling information for the slowest n rules.

func (*Scanner) ResetProfilingInfo 

func (s *Scanner) ResetProfilingInfo()

ResetProfilingInfo resets the profiling information accumulated by the scanner so far. When you scan multiple files/buffer with the same scanner the profiling information is not automatically reset after each scan, instead it gets accumulated. If you want to reset profiling information so that the counters start a zero again you must call this function.

func (*Scanner) ScanFile 

func (s *Scanner) ScanFile(filename string) (err error)

ScanFile scans a file using the scanner.

func (*Scanner) ScanFile2 

func (s *Scanner) ScanFile2(filename string) (matches []MatchRule, err error)

func (*Scanner) ScanFileDescriptor 

func (s *Scanner) ScanFileDescriptor(fd uintptr) (err error)

ScanFileDescriptor scans a file using the scanner.

func (*Scanner) ScanFileDescriptor2 

func (s *Scanner) ScanFileDescriptor2(fd uintptr) (matches []MatchRule, err error)

func (*Scanner) ScanMem 

func (s *Scanner) ScanMem(buf []byte) (err error)

ScanMem scans an in-memory buffer using the scanner.

func (*Scanner) ScanMem2 

func (s *Scanner) ScanMem2(buf []byte) (matches []MatchRule, err error)

func (*Scanner) ScanProc 

func (s *Scanner) ScanProc(pid int) (err error)

ScanProc scans a live process using the scanner.

func (*Scanner) ScanProc2 

func (s *Scanner) ScanProc2(pid int) (matches []MatchRule, err error)

func (*Scanner) SetCallback 

func (s *Scanner) SetCallback(cb ScanCallback) *Scanner

SetCallback sets a callback object for the scanner. For every event emitted by libyara during subsequent scan, the appropriate method on the ScanCallback object is called.

Setting a callback object is not necessary (and will be overridden) when using any of the ScanXXX2 methods.

func (*Scanner) SetFlags 

func (s *Scanner) SetFlags(flags ScanFlags) *Scanner

SetFlags sets flags for the scanner.

func (*Scanner) SetTimeout 

func (s *Scanner) SetTimeout(timeout time.Duration) *Scanner

SetTimeout sets a timeout for the scanner.

type String 

type String struct {
	// contains filtered or unexported fields
}

String represents a string as part of a rule

func (*String) Identifier 

func (s *String) Identifier() string

Identifier returns the string's name

func (*String) Matches 

func (s *String) Matches(ctx *ScanContext) (matches []Match)

Matches returns all matches that have been recorded for the string during a scan.

Source Files

View all Source files

Directories

Path Synopsis
_examples
simple-yara

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.