variables

package v1.7.0
Published: Oct 2, 2023 License: Apache-2.0 Imports: 15 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

var (

	// Valuers holds the Valuer implementations of all variables.
	Valuers = [typeEnd]Valuer{
		VarOs:                 ValueFunc(varOsFunc),
		VarOsLinux:            ValueFunc(varOsLinuxFunc),
		VarOsWindows:          ValueFunc(varOsWindowsFunc),
		VarOsDarwin:           ValueFunc(varOsDarwinFunc),
		VarOsAIX:              ValueFunc(varOsAIX),
		VarInFileSystem:       ValueFunc(varInFileSystemFunc),
		VarInProcess:          ValueFunc(varInProcessFunc),
		VarTimeNow:            ValueFunc(varTimeNowFunc),
		VarFilePath:           ValueFunc(varFilePathFunc),
		VarFileName:           ValueFunc(varFileNameFunc),
		VarFileExtension:      ValueFunc(varFileExtensionFunc),
		VarFileReadonly:       ValueFunc(varFileReadonlyFunc),
		VarFileHidden:         ValueFunc(varFileHiddenFunc),
		VarFileSystem:         ValueFunc(varFileSystemFunc),
		VarFileCompressed:     ValueFunc(varFileCompressedFunc),
		VarFileEncrypted:      ValueFunc(varFileEncryptedFunc),
		VarFileModifiedTime:   ValueFunc(varFileModifiedTimeFunc),
		VarFileAccessedTime:   ValueFunc(varFileAccessedTimeFunc),
		VarFileChangedTime:    ValueFunc(varFileChangedTimeFunc),
		VarFileBirthTime:      ValueFunc(varFileBirthTimeFunc),
		VarProcessId:          ValueFunc(varProcessIdFunc),
		VarProcessParentId:    ValueFunc(varProcessParentIdFunc),
		VarProcessUserName:    ValueFunc(varProcessUserNameFunc),
		VarProcessUserSid:     ValueFunc(varProcessUserSidFunc),
		VarProcessSessionId:   ValueFunc(varProcessSessionIdFunc),
		VarProcessName:        ValueFunc(varProcessNameFunc),
		VarProcessPath:        ValueFunc(varFilePathFunc),
		VarProcessCommandLine: ValueFunc(varProcessCommandLineFunc),
	}
)

Functions

This section is empty.

Types

type MetaType

type MetaType byte

MetaType represents the metadata (value type) of a VariableType.

const (
	MetaBool MetaType = 1 << iota
	MetaInt
	MetaFloat
	MetaString
)

Meta types.

type Parser

type Parser struct {
	// contains filtered or unexported fields
}

Parser represents a parser which parses the given yara rule(s) to identify all external variables, includes and imports used in the rule(s).

func (*Parser) Imports

func (p *Parser) Imports() []string

Imports returns the list of imported modules parsed.

func (*Parser) Includes

func (p *Parser) Includes() []string

Includes returns the list of included paths parsed.

func (*Parser) ParseFromFile

func (p *Parser) ParseFromFile(file string) error

ParseFromFile parses the given file, which must be a valid yara rule file, to identify external variables, includes and imports. Note that subsequent calls do not reset the underlying lists of variables, includes and imports; use this behaviour to aggregate results across multiple inputs.

func (*Parser) ParseFromReader

func (p *Parser) ParseFromReader(rd io.Reader) error

ParseFromReader parses the given io.Reader, which must provide a valid yara rule, to identify external variables, includes and imports. Note that subsequent calls do not reset the underlying lists of variables, includes and imports; use this behaviour to aggregate results across multiple inputs.

func (*Parser) Variables

func (p *Parser) Variables() []VariableType

Variables returns the list of variables parsed.
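The Parser above only exposes its results. As an added example (not the package's code), here is a stand-alone Go scanner that does the same job on rule text: it skips comments and string literals, pairs each `import`/`include` keyword with the literal that follows it, and collects bare identifiers that match the external variable names from the table on this page, accumulating across calls the way ParseFromFile and ParseFromReader do. The `Parser` struct with exported fields, `ParseString`, `known` and the sample rule are this example's own constructions, not the package's API.

```go
package main

import (
	"fmt"
	"strings"
)

var known = map[string]bool{} // the external variable names from this page's table

func init() {
	for _, n := range strings.Fields(`os os_linux os_windows os_darwin os_aix in_filesystem in_process time_now
file_path file_name file_extension file_readonly file_hidden file_system file_compressed file_encrypted
file_modified_time file_accessed_time file_changed_time file_birth_time process_id process_parent_id
process_user_name process_user_sid process_session_id process_name process_path process_command_line`) {
		known[n] = true
	}
}

// Parser accumulates across calls, like ParseFromFile and ParseFromReader on this page.
type Parser struct{ Imports, Includes, Variables []string }
func isIdentStart(c byte) bool { return c == '_' || c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z' }
func isIdentChar(c byte) bool  { return isIdentStart(c) || c >= '0' && c <= '9' }
func appendUnique(list []string, s string) []string {
	for _, x := range list {
		if x == s {
			return list
		}
	}
	return append(list, s)
}

// ParseString walks src once, skipping comments and string literals. An import or include
// keyword is paired with the literal that follows it; a bare identifier is reported when it
// names a known variable and is not a rule name (after `rule`), a module member (after `.`)
// or a string reference (after $ # @ !). Regular expressions (/.../) are not skipped.
func (p *Parser) ParseString(src string) {
	pending, prevIdent := "", ""
	for i := 0; i < len(src); {
		switch {
		case strings.HasPrefix(src[i:], "//"):
			for i < len(src) && src[i] != '\n' {
				i++
			}
		case strings.HasPrefix(src[i:], "/*"):
			if end := strings.Index(src[i+2:], "*/"); end < 0 {
				i = len(src)
			} else {
				i += end + 4
			}
		case src[i] == '"':
			j := i + 1
			for j < len(src) && src[j] != '"' {
				if src[j] == '\\' && j+1 < len(src) {
					j++ // skip the escaped character
				}
				j++
			}
			switch pending {
			case "import":
				p.Imports = appendUnique(p.Imports, src[i+1:j])
			case "include":
				p.Includes = appendUnique(p.Includes, src[i+1:j])
			}
			pending, i = "", j+1
		case isIdentStart(src[i]):
			j := i
			for j < len(src) && isIdentChar(src[j]) {
				j++
			}
			word, prev := src[i:j], byte(' ')
			if i > 0 {
				prev = src[i-1]
			}
			switch {
			case word == "import" || word == "include":
				pending = word
			case prevIdent == "rule", prev == '.', strings.IndexByte("$#@!", prev) >= 0:
				// rule name, module member or string reference: not an external variable
			case known[word]:
				p.Variables = appendUnique(p.Variables, word)
			}
			prevIdent, i = word, j
		default:
			i++
		}
	}
}

// sampleRule is constructed for this example; it is not a rule from the project.
const sampleRule = `import "pe"
include "./shared.yar" // file_path in a comment is ignored
rule file_name { /* the rule's own name is skipped */
    strings:   $file_path = "C:\\Temp\\payload.exe"
    condition: in_process and process_parent_id != 4 and file_extension == "exe" and $file_path and pe.is_pe }`

func main() {
	var p Parser
	p.ParseString(sampleRule)
	fmt.Printf("imports=%v includes=%v variables=%v\n", p.Imports, p.Includes, p.Variables)
}
```

Because identifiers are matched only against the known names, `file_path` inside a comment, inside a string literal or as the `$file_path` string identifier is not reported, which the sample rule exercises. Enumerating includes and imports before handing rules to the compiler is also the point at which rules from an untrusted source can be rejected if they pull in files or modules you did not expect.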

type ProcessInfo

type ProcessInfo interface {
	Ppid() (int32, error)
	Username() (string, error)
	NameWithContext(context.Context) (string, error)
	CmdlineWithContext(context.Context) (string, error)
}

type ScanContext

type ScanContext interface {
	Context() context.Context
	FilePath() string
	FileInfo() fs.FileInfo
	Pid() int
	ProcessInfo() ProcessInfo
	InFileSystem() bool
	InProcess() bool
	HandleValueError(VariableDefiner, VariableType, error) error
}

ScanContext is an interface that wraps the methods required to calculate variable values for yara scanner.

type ScanContextImpl

type ScanContextImpl struct {
	// contains filtered or unexported fields
}

ScanContextImpl implements the ScanContext interface. It is a simple implementation whose setters populate the values that the ScanContext methods return.

func (*ScanContextImpl) Context

func (sc *ScanContextImpl) Context() context.Context

Context is to implement the ScanContext interface. It returns context.Background() if underlying context is missing.

func (*ScanContextImpl) FileInfo

func (sc *ScanContextImpl) FileInfo() fs.FileInfo

FileInfo is to implement the ScanContext interface.

func (*ScanContextImpl) FilePath

func (sc *ScanContextImpl) FilePath() string

FilePath is to implement the ScanContext interface.

func (*ScanContextImpl) HandleValueError

func (sc *ScanContextImpl) HandleValueError(d VariableDefiner, v VariableType, err error) error

HandleValueError is to implement the ScanContext interface. It calls the underlying value error handler if one is set; otherwise it returns the provided error to the caller.

func (*ScanContextImpl) InFileSystem added in v1.4.0

func (sc *ScanContextImpl) InFileSystem() bool

InFileSystem is to implement the ScanContext interface.

func (*ScanContextImpl) InProcess added in v1.4.0

func (sc *ScanContextImpl) InProcess() bool

InProcess is to implement the ScanContext interface.

func (*ScanContextImpl) Pid

func (sc *ScanContextImpl) Pid() int

Pid is to implement the ScanContext interface.

func (*ScanContextImpl) ProcessInfo

func (sc *ScanContextImpl) ProcessInfo() ProcessInfo

ProcessInfo is to implement the ScanContext interface.

func (*ScanContextImpl) Reset

func (sc *ScanContextImpl) Reset()

Reset resets all the fields to be able to reuse the same ScanContextImpl instance.

func (*ScanContextImpl) SetContext

func (sc *ScanContextImpl) SetContext(ctx context.Context)

SetContext sets the underlying context to be returned from Context method.

func (*ScanContextImpl) SetFileInfo

func (sc *ScanContextImpl) SetFileInfo(f fs.FileInfo)

SetFileInfo sets the underlying file info to be returned from FileInfo method.

func (*ScanContextImpl) SetFilePath

func (sc *ScanContextImpl) SetFilePath(p string)

SetFilePath sets the underlying file path to be returned from FilePath method.

func (*ScanContextImpl) SetHandleValueError

func (sc *ScanContextImpl) SetHandleValueError(fn func(VariableDefiner, VariableType, error) error)

SetHandleValueError sets the underlying value error handler.

func (*ScanContextImpl) SetInFileSystem added in v1.4.0

func (sc *ScanContextImpl) SetInFileSystem(v bool)

SetInFileSystem sets the file system context flag to be returned from the InFileSystem method.

func (*ScanContextImpl) SetInProcess added in v1.4.0

func (sc *ScanContextImpl) SetInProcess(v bool)

SetInProcess sets the process context flag to be returned from the InProcess method.

func (*ScanContextImpl) SetPid

func (sc *ScanContextImpl) SetPid(v int)

SetPid sets the underlying process id to be returned from Pid method.

func (*ScanContextImpl) SetProcessInfo

func (sc *ScanContextImpl) SetProcessInfo(p ProcessInfo)

SetProcessInfo sets the underlying process info to be returned from the ProcessInfo method.

type ValueFunc

type ValueFunc func(ScanContext) (interface{}, error)

ValueFunc is a helper type to implement the Valuer interface using a function.

func (ValueFunc) Value

func (fn ValueFunc) Value(sCtx ScanContext) (interface{}, error)

Value implements Valuer interface.

type Valuer

type Valuer interface {
	Value(ScanContext) (interface{}, error)
}

Valuer is an interface that wraps the Value method. Value returns the calculated value of a variable or an error. A variable's Valuer implementation must be registered in the Valuers global to be used by the Variables.DefineScannerVariables method.

type VariableDefiner

type VariableDefiner interface {
	DefineVariable(string, interface{}) error
}

VariableDefiner is an interface that wraps the DefineVariable method, which is implemented by the yara compiler and scanner. It is defined as an interface to remove the cgo dependency from this package.

type VariableType

type VariableType byte

VariableType represents an external variable for yara. VariableType's underlying type is an integer so that slices and arrays can be indexed by it for fast access.

const (

	// OS column: L = Linux, W = Windows, D = Darwin (macOS), A = AIX.
	//                       | Name                 | OS   | Type    | Default | Description                                                   |
	//                       |----------------------|------|---------|---------|---------------------------------------------------------------|
	VarOs                 VariableType // | os                   | LWDA | String  | ""      | Operating system name, linux, windows, darwin or aix |
	VarOsLinux                         // | os_linux             | LWDA | Boolean | false   | If operating system is linux, its value is true |
	VarOsWindows                       // | os_windows           | LWDA | Boolean | false   | If operating system is Windows, its value is true |
	VarOsDarwin                        // | os_darwin            | LWDA | Boolean | false   | If operating system is Darwin/macOS, its value is true |
	VarOsAIX                           // | os_aix               | LWDA | Boolean | false   | If operating system is AIX, its value is true |
	VarInFileSystem                    // | in_filesystem        | LWDA | Boolean | false   | Determines whether the current scan context is running for the file system. |
	VarInProcess                       // | in_process           | LWDA | Boolean | false   | Determines whether the current scan context is running for the processes. |
	VarTimeNow                         // | time_now             | LWDA | Integer | 0       | Current time in YYYYMMDDHHMMSS format |
	VarFilePath                        // | file_path            | LWDA | String  | ""      | Path of the file |
	VarFileName                        // | file_name            | LWDA | String  | ""      | Name of the file including extension. Example: document.docx |
	VarFileExtension                   // | file_extension       | LWDA | String  | ""      | Extension of the file without leading dot. Example: docx |
	VarFileReadonly                    // | file_readonly        | LWDA | Boolean | false   | If it is a readonly file, its value is true |
	VarFileHidden                      // | file_hidden          | LWDA | Boolean | false   | If it is a hidden file, its value is true |
	VarFileSystem                      // | file_system          |  W   | Boolean | false   | If it is a system file, its value is true |
	VarFileCompressed                  // | file_compressed      |  W   | Boolean | false   | If it is a compressed file, its value is true |
	VarFileEncrypted                   // | file_encrypted       |  W   | Boolean | false   | If it is an encrypted file, its value is true |
	VarFileModifiedTime                // | file_modified_time   | LWDA | Integer | 0       | File's modification time in YYYYMMDDHHMMSS format |
	VarFileAccessedTime                // | file_accessed_time   | LWDA | Integer | 0       | File's access time in YYYYMMDDHHMMSS format |
	VarFileChangedTime                 // | file_changed_time    | L DA | Integer | 0       | File's change time in YYYYMMDDHHMMSS format |
	VarFileBirthTime                   // | file_birth_time      |  WD  | Integer | 0       | File's birth time in YYYYMMDDHHMMSS format |
	VarProcessId                       // | process_id           | LWDA | Integer | 0       | Process's id |
	VarProcessParentId                 // | process_parent_id    | LWDA | Integer | 0       | Parent process id |
	VarProcessUserName                 // | process_user_name    | LWDA | String  | ""      | Process's user name. Windows format: <computer name or domain name>\<user name> |
	VarProcessUserSid                  // | process_user_sid     | LWDA | String  | ""      | Process's user SID. This returns UID of the user as string on Unixes. |
	VarProcessSessionId                // | process_session_id   | LWDA | Integer | 0       | Process's session id |
	VarProcessName                     // | process_name         | LWDA | String  | ""      | Process's name |
	VarProcessPath                     // | process_path         | LWDA | String  | ""      | Process's path |
	VarProcessCommandLine              // | process_command_line | LWDA | String  | ""      | Process's command line |

)

func List

func List() []VariableType

List returns the list of all available variables. It creates a new slice at every call.

func (VariableType) Meta

func (v VariableType) Meta() MetaType

Meta returns the metadata (value type) of the variable.

func (VariableType) String

func (v VariableType) String() string

String implements the fmt.Stringer interface and returns the string representation of a VariableType.

type Variables

type Variables struct {
	// contains filtered or unexported fields
}

Variables holds the list of applicable variables and provides methods to define them, with their values, as external variables on the yara compiler and scanner.

func (*Variables) Copy

func (vr *Variables) Copy() *Variables

Copy creates a new Variables instance by deep copy. Use it to give each scanner thread its own Variables instance.

func (*Variables) DefineCompilerVariables

func (vr *Variables) DefineCompilerVariables(compiler VariableDefiner) (err error)

DefineCompilerVariables defines the variables set by InitVariables on the given compiler using their default values from the table above (false, 0 or "").

func (*Variables) DefineScannerVariables

func (vr *Variables) DefineScannerVariables(sCtx ScanContext, scanner VariableDefiner) error

DefineScannerVariables defines the variables set by InitVariables on the given scanner, computing each value with its Valuer implementation. An error returned from a Valuer's Value method is passed to the given ScanContext.HandleValueError, which decides whether the error is returned to the caller.
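As an added example (not the package's code), the wiring that the Valuer, ScanContext.HandleValueError and DefineScannerVariables descriptions on this page imply, reproduced as a stand-alone Go program: a small Valuers table, a ScanContext whose HandleValueError calls the configured handler or returns the error, and a DefineScannerVariables loop that routes Valuer errors through it. The failure mode it exercises is a process-only variable (process_id) evaluated during a file-system scan; the `FallbackToZero` handler defines the typed default from the table instead, so the scanner sees the same variable types the compiler was given. The page's types are re-declared locally with only two variables; `scanCtx`, `MapDefiner`, `zeroOf` and `FallbackToZero` are this example's own names, not the package's.

```go
package main

import (
	"errors"
	"fmt"
)

// Local re-declarations of the page's types; this example does not import the package.
type MetaType byte
const (
	MetaBool MetaType = 1 << iota
	MetaInt
	MetaFloat
	MetaString
)
type VariableType byte
const ( // only two of the page's variables are reproduced
	VarInProcess VariableType = iota
	VarProcessId
	typeEnd
)
var names = [typeEnd]string{"in_process", "process_id"}
var metas = [typeEnd]MetaType{MetaBool, MetaInt}

// zeroOf holds the typed default per Meta from the page's table. go-yara's DefineVariable
// switches on the Go type of the value, so a fallback value must keep that type.
var zeroOf = map[MetaType]interface{}{MetaBool: false, MetaInt: int64(0), MetaFloat: float64(0), MetaString: ""}

func (v VariableType) String() string         { return names[v] }
func (v VariableType) Meta() MetaType          { return metas[v] }
func (v VariableType) ZeroValue() interface{} { return zeroOf[v.Meta()] }

type VariableDefiner interface{ DefineVariable(string, interface{}) error }
type ScanContext interface {
	Pid() int
	InProcess() bool
	HandleValueError(VariableDefiner, VariableType, error) error
}
type Valuer interface{ Value(ScanContext) (interface{}, error) }
type ValueFunc func(ScanContext) (interface{}, error)

func (fn ValueFunc) Value(s ScanContext) (interface{}, error) { return fn(s) }

// Valuers mirrors the page's global. process_id has no value on a file-system scan.
var Valuers = [typeEnd]Valuer{
	VarInProcess: ValueFunc(func(s ScanContext) (interface{}, error) { return s.InProcess(), nil }),
	VarProcessId: ValueFunc(func(s ScanContext) (interface{}, error) {
		if !s.InProcess() {
			return nil, errors.New("no process in a file-system scan")
		}
		return int64(s.Pid()), nil
	}),
}

// scanCtx is a minimal stand-in for ScanContextImpl with the same HandleValueError rule:
// call the handler if one is set, otherwise hand the error back to the caller.
type scanCtx struct {
	pid       int
	inProcess bool
	onErr     func(VariableDefiner, VariableType, error) error
}

func (s *scanCtx) Pid() int        { return s.pid }
func (s *scanCtx) InProcess() bool { return s.inProcess }
func (s *scanCtx) HandleValueError(d VariableDefiner, v VariableType, err error) error {
	if s.onErr != nil {
		return s.onErr(d, v, err)
	}
	return err
}

// MapDefiner stands in for the yara compiler/scanner and records what was defined.
type MapDefiner map[string]interface{}

func (m MapDefiner) DefineVariable(name string, v interface{}) error {
	m[name] = v
	return nil
}

// FallbackToZero is one HandleValueError policy: define the typed zero value (the same one
// DefineCompilerVariables gives the compiler) and swallow the error, so a file-system scan
// is not aborted because a process-only variable could not be computed.
func FallbackToZero(d VariableDefiner, v VariableType, err error) error {
	return d.DefineVariable(v.String(), v.ZeroValue())
}

// DefineScannerVariables mirrors the page's method: each value comes from its Valuer, and a
// Valuer error goes through ScanContext.HandleValueError before anything is defined.
func DefineScannerVariables(vars []VariableType, sCtx ScanContext, scanner VariableDefiner) error {
	for _, v := range vars {
		val, err := Valuers[v].Value(sCtx)
		if err != nil {
			if err = sCtx.HandleValueError(scanner, v, err); err != nil {
				return fmt.Errorf("%s: %w", v, err)
			}
			continue
		}
		if err = scanner.DefineVariable(v.String(), val); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	defined := MapDefiner{}
	err := DefineScannerVariables([]VariableType{VarInProcess, VarProcessId}, &scanCtx{onErr: FallbackToZero}, defined)
	fmt.Println(err, defined) // process_id is defined as int64(0) instead of aborting the scan
}
```

Without a handler on the context the same scan returns the Valuer error, which is the right default for a caller that would rather fail than run rules against silently missing data; the fallback policy is the one to choose when the rule set mixes file and process conditions and a file scan must not abort.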

func (*Variables) InitVariables added in v1.6.0

func (vr *Variables) InitVariables(vars []VariableType)

InitVariables sets the Variables instance's applicable variables.

func (*Variables) Variables

func (vr *Variables) Variables() []VariableType

Variables returns a copy of the variables list.
