
使用python调用yara进行文件检测_python yara

python yara

以linux-centos7系统为例,无论是命令行使用yara还是第三方组件使用yara都必须先安装yara的执行环境。

1、yara说明

Yara 是一个识别和分类恶意文件的工具,其安装的环境依赖比较多,安装前先执行yum update,然后再用yum install直接安装automake、libtool、make、gcc、pkg-config等依赖。Yara安装包可到官网(Getting started — yara 4.4.0 documentation)下载,并按照官网说明进行安装,我本地的版本为4.4.0。

2、检查Yara是否安装成功

查看yara的版本来验证安装:yara -v 或者 yara --version

  

3、使用方法

Yara有两种使用方式:

  • 命令行方式:

yara /path/rules1.yar /path/rules2.yar /path/to/scan

/path/rules1.yar /path/rules2.yar:代表规则文件,多个以空格分割

/path/to/scan:代表待扫描的文件或者文件夹

返回结果格式:规则名 文件名(中间以空格隔开)

  • 第三方库(项目中使用此方法):

简单介绍使用过程(不同语言可能会有所不同):

  1. demo使用流程

python封装yara使用代码

  1. import base64
  2. import os
  3. import yara
  4. import logging
  5. from yara import Error
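class YaraManager(object):
    """Compile Yara rule sets from a rules directory and scan files with them.

    Every sub-directory of ``rules_path`` is one *category*; all ``.yar`` /
    ``.yara`` files below it are compiled into a single ``yara.Rules`` object
    kept in the class-level ``categories`` dict. That dict is shared by every
    instance and caller in the process, so ``generate_index()`` has to run
    once before ``yara_match()`` can report anything.
    """

    # category name -> compiled yara.Rules; process-wide shared state.
    categories = {}

    # Upper bound in seconds for one rules.match() call so a pathological
    # rule or input cannot stall the scanner; yara reports the timeout as a
    # yara.Error subclass, which yara_match() logs and skips.
    MATCH_TIMEOUT = 5

    # External variables every rule set is compiled with. Each one has to be
    # declared up front, otherwise yara rejects rules that reference it.
    EXTERNAL_DEFAULTS = {
        "filename": "",
        "filepath": "",
        "extension": "",
        "filetype": "",
        "md5": "",
    }

    _log = logging.getLogger(__name__)

    def __init__(self, rules_path=None):
        """Remember where the rules live.

        :param rules_path: root of the rules tree; defaults to
            ``<HOME_ROOT>/data/rules``, where ``HOME_ROOT`` is expected to be
            provided by the surrounding module.
        """
        if rules_path is None:
            rules_path = os.path.join(HOME_ROOT, "data", "rules")
        self.rules_path = rules_path

    @staticmethod
    def __get_categories(path):
        """Return the names of the sub-directories of *path*, one per category.

        A missing or unreadable directory is logged and yields ``[]`` so the
        scanner degrades to "no rules" instead of failing at start-up.
        """
        try:
            entries = os.listdir(path)
        except OSError as os_error:
            YaraManager._log.warning(
                "Please install sandbox-rules package to make yara detection "
                "normal. Exception:{0}".format(os_error)
            )
            return []
        return [di for di in entries if os.path.isdir(os.path.join(path, di))]

    def _generate_default_rules(self):
        """Compile every category below ``rules_path`` into ``categories``.

        Each rule file is compiled on its own first, so one broken file is
        skipped with a warning instead of taking the whole category down; the
        files that pass are then compiled together into one ``yara.Rules``.
        Categories without a single loadable rule file are not registered.
        """
        log = self._log
        log.debug("Initializing Yara Rules...")
        externals = dict(self.EXTERNAL_DEFAULTS)

        for category in self.__get_categories(self.rules_path):
            basepath = os.path.join(self.rules_path, category)
            if not os.path.exists(basepath):
                log.warning("Missing Yara directory: %s?", basepath)
                continue

            # Keys only have to be unique within the category; yara uses them
            # as the namespace of the rules in that file.
            rules = {}
            # followlinks=True: a symlink cycle inside the rules tree would be
            # walked until the path-length limit is hit, so keep the tree clean.
            for dirpath, _dirnames, filenames in os.walk(basepath, followlinks=True):
                for filename in filenames:
                    if not filename.endswith((".yar", ".yara")):
                        continue
                    filepath = os.path.join(dirpath, filename)
                    try:
                        yara.compile(filepath=filepath, externals=externals)
                    except yara.SyntaxError as e:
                        log.warning("Error compiling the rules {0}".format(e))
                        continue
                    rules["rule_%s_%d" % (category, len(rules))] = filepath

            if not rules:
                log.debug("No loadable Yara rules found in %s", basepath)
                continue

            try:
                YaraManager.categories[category] = yara.compile(
                    filepaths=rules, externals=externals
                )
            except yara.Error as e:
                log.warning(
                    "There was a syntax error in one or more Yara rules: %s" % e
                )

    def generate_index(self):
        """Generates index for yara signatures."""
        self._generate_default_rules()

    @staticmethod
    def _already_reported(results, category, rule_name):
        """Return True when *rule_name* is already listed under *category*."""
        return any(
            rule_name == entry.get("name", "")
            for entry in results.get(category, [])
        )

    @staticmethod
    def _string_matches(match):
        """Yield ``(offset, identifier, data)`` for every matched string.

        yara-python before 4.3 exposes ``match.strings`` as such tuples;
        4.3 and later expose ``StringMatch`` objects whose ``instances`` carry
        the offsets. Both layouts are normalised here.
        """
        for entry in match.strings:
            if isinstance(entry, tuple):
                offset, identifier, data = entry
                yield offset, identifier, data
            else:
                for instance in entry.instances:
                    yield instance.offset, entry.identifier, instance.matched_data

    @staticmethod
    def _describe_match(match):
        """Flatten one ``yara.Match`` into the dict stored in the results.

        ``strings`` is the sorted list of base64-encoded matched data (text,
        so the result can be serialised as JSON); ``offsets`` maps each string
        identifier (without the leading ``$``) to ``[(offset, index into
        strings), ...]``.
        """
        triples = [
            (offset, identifier.lstrip("$"), base64.b64encode(data).decode("ascii"))
            for offset, identifier, data in YaraManager._string_matches(match)
        ]
        strings = sorted({encoded for _, _, encoded in triples})
        index_of = {encoded: idx for idx, encoded in enumerate(strings)}
        offsets = {}
        for offset, key, encoded in triples:
            offsets.setdefault(key, []).append((offset, index_of[encoded]))

        meta = {"description": "(no description)"}
        meta.update(match.meta)
        return {
            "name": match.rule,
            "tags": match.tags,
            "meta": meta,
            "strings": strings,
            "offsets": offsets,
        }

    @staticmethod
    def yara_match(externals, results):
        """Scan ``externals["filepath"]`` with every compiled category.

        :param externals: values for the external variables declared in
            ``EXTERNAL_DEFAULTS``; ``filepath`` is also the file that is scanned.
        :param results: dict of category -> list of match dicts; new matches are
            appended to it and a rule already listed for a category is not
            reported twice.
        :return: the (same) ``results`` dict.

        A category whose scan fails (including a timeout) is logged and
        skipped; the remaining categories are still scanned.
        """
        log = YaraManager._log
        try:
            # Passed through as text: yara-python on Python 3 accepts str paths.
            target = externals["filepath"]
        except KeyError:
            log.error("yara_match called without a 'filepath' external")
            return results

        for item, rules in YaraManager.categories.items():
            try:
                matches = rules.match(
                    target, externals=externals, timeout=YaraManager.MATCH_TIMEOUT
                )
                match_rules = [
                    YaraManager._describe_match(match)
                    for match in matches
                    if not YaraManager._already_reported(results, item, match.rule)
                ]
            except Error as e:
                log.info("Unable to match {0} Heuristic signatures: {1}".format(item, e))
                continue
            except Exception as e:
                log.exception(e)
                continue
            if match_rules:
                # Build a new list instead of extending the caller's in place.
                results[item] = results.get(item, []) + match_rules
        return results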

方法调用

def run(self):
    """Scan the task target with every compiled Yara category.

    Returns a dict mapping category name to a list of ``{"name": rule}``
    entries; categories with no hits, or whose scan raised a yara error,
    are left out of the result.
    """
    target = self.task.target
    results = {}
    for category, compiled in YaraManager.categories.items():
        hits = []
        try:
            # 5 second cap per category so a slow rule cannot stall the task.
            hits = [{"name": match.rule} for match in compiled.match(target, timeout=5)]
        except Error as e:
            log.info("Unable to match {0} Heuristic signatures: {1}".format(category, e))
        if hits:
            results[category] = hits
    return results

4、更新病毒库

将最新的yara规则文件更新到服务器上,然后重新编译规则文件即可。
