Comments (9)
Hi @altsab.
The keepAlive function is a simple wrapper around runtime.KeepAlive which allows the go-yara codebase to be compiled using pre-1.7 Go. It could probably be replaced by runtime.KeepAlive at this point...
Can you share a minimal setup (code + rule + matching sample) to reproduce the crash? Thank you!
from go-yara.
runtime.KeepAlive does the work, thank you!
Here are the files and code.
Error stack: error.txt
Matching sample: shell.zip
Rule: thor-webshells.zip
Code:
```go
package main

import (
	"encoding/json"
	"os"
	"path/filepath"
	"time"

	log "github.com/Sirupsen/logrus"
	yara "github.com/hillu/go-yara"
)

const (
	rulesDir = "rules"
)

var (
	compiler      *yara.Compiler
	blacklisted   []string
	compiledRules *yara.Rules
)

func main() {
	matches, err := scanFile("wso2.php", 60)
	if err != nil {
		panic(err)
	}
	j, err := json.Marshal(matches)
	if err != nil {
		panic(err)
	}
	log.Infof("[*] Matches: %s", string(j))
}

// StringInSlice returns whether or not a string exists in a slice
func StringInSlice(a string, list []string) bool {
	for _, b := range list {
		if b == a {
			return true
		}
	}
	return false
}

// compileRules compiles the yara rules
func compileRules() error {
	log.Info("[*] In compileRules")
	fileList := []string{}
	// walk rules directory
	err := filepath.Walk(rulesDir, func(path string, f os.FileInfo, err error) error {
		// f is nil when Walk could not stat the entry, so check err first
		if err != nil {
			return err
		}
		if !f.IsDir() {
			fileList = append(fileList, path)
		}
		return nil
	})
	if err != nil {
		return err
	}
	// new yara compiler
	compiler, err = yara.NewCompiler()
	if err != nil {
		return err
	}
	// compile all yara rules
	for _, file := range fileList {
		log.Infof("[*] Adding rule %s", file)
		if StringInSlice(file, blacklisted) {
			continue
		}
		f, err := os.Open(file)
		if err != nil {
			return err
		}
		log.Debug("Adding rule: ", file)
		err = compiler.AddFile(f, "webtotem")
		if err != nil {
			blacklisted = append(blacklisted, file)
			for _, er := range compiler.Errors {
				log.WithFields(log.Fields{
					"rule":    er.Filename,
					"line_no": er.Line,
				}).Error(er.Text)
			}
			f.Close()
			// destroy unstable YR_COMPILER
			// (see https://github.com/hillu/go-yara/issues/32#issuecomment-416040753)
			log.Debug("destroying unstable yara compiler")
			compiler.Destroy()
			log.Debug("recreating yara compiler")
			// note: os.Exit terminates the process here, so the recompile below never runs
			os.Exit(1)
			if err := compileRules(); err != nil {
				log.Fatal(err)
			}
		}
		f.Close()
	}
	return nil
}

func scanFile(path string, timeout int) ([]yara.MatchRule, error) {
	log.Info("[*] In scanFile")
	// compile rules if they haven't been compiled yet
	if compiler == nil {
		log.Info("[*] Compiling rules (called from scanner)")
		if err := compileRules(); err != nil {
			log.Fatal(err)
		}
	}
	if compiledRules == nil {
		log.Info("[*] Getting rules (called from scanner)")
		r, err := compiler.GetRules()
		if err != nil {
			return nil, err
		}
		compiledRules = r
	}
	matches, err := compiledRules.ScanFile(
		path, // filename string
		0,    // flags ScanFlags
		time.Duration(timeout)*time.Second, // timeout time.Duration
	)
	log.Infof("[*] After scan, matches length: %d", len(matches))
	if err != nil {
		return nil, err
	}
	return matches, nil
}
```
from go-yara.
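The posted compileRules blacklists a rule file that fails to compile, destroys the now-unstable YR_COMPILER (the go-yara issue #32 behaviour it cites) and then exits instead of actually recompiling. The following is an added example, not code from the issue or from go-yara, showing that restart-with-blacklist loop as a plain function; it assumes a small `ruleCompiler` interface and a constructed `fakeCompiler` standing in for `*yara.Compiler` so it runs without libyara.

```go
package main

import "fmt"

// ruleCompiler is the slice of the YARA compiler API the posted program relies on.
type ruleCompiler interface {
	AddFile(name string) error
	Destroy()
}

// fakeCompiler is a constructed stand-in for *yara.Compiler (no libyara needed): names in
// bad fail to compile, and every later call fails too, like the unstable YR_COMPILER.
type fakeCompiler struct {
	bad    map[string]bool
	broken bool
	Added  []string
}

func (c *fakeCompiler) AddFile(name string) error {
	if c.broken {
		return fmt.Errorf("compiler unusable after earlier error")
	}
	if c.bad[name] {
		c.broken = true
		return fmt.Errorf("rule file %s failed to compile", name)
	}
	c.Added = append(c.Added, name)
	return nil
}
func (c *fakeCompiler) Destroy() { c.broken = true }

// compileWithBlacklist feeds rule files to a compiler; on failure it destroys the compiler,
// blacklists the file and restarts with a fresh one (instead of the posted os.Exit(1)).
func compileWithBlacklist(files []string, newCompiler func() ruleCompiler) (ruleCompiler, map[string]bool, error) {
	blacklist := map[string]bool{}
	for attempt := 0; attempt < len(files); attempt++ {
		c, failed := newCompiler(), ""
		for _, f := range files {
			if !blacklist[f] && c.AddFile(f) != nil {
				failed = f // a real program would log the compiler's Errors here, as the posted code does
				break
			}
		}
		if failed == "" {
			return c, blacklist, nil
		}
		c.Destroy() // never reuse a YARA compiler that has reported an error
		blacklist[failed] = true
	}
	return nil, blacklist, fmt.Errorf("no rule file compiled")
}
```

With go-yara, newCompiler would wrap yara.NewCompiler and the adapter would call its AddFile and Destroy; the loop bound guarantees termination even when every file is bad.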
What Go version were you using?
from go-yara.
go version go1.10.3 linux/amd64
from go-yara.
@altsab Sorry, I cannot reproduce your crash with the sources built using go version go1.10.3 linux/amd64 (Debian/unstable) from yara 3.8.1 (Debian package from unstable) and go-yara commit 54bec3c.
Were you scanning more than one file?
from go-yara.
Yup, I scanned several including wso shell 🤔
Here they are
test.zip
from go-yara.
Does the test program you posted actually crash when scanning the wso2.php shell? I really can't reproduce that crash at all. (Using go-yara commit 0540979 unlike stated above.)
from go-yara.
@altsab Can you give me a self-contained program that reproduces your crash? Something that does not rely on anything but the Go stdlib and go-yara would be preferred.
from go-yara.
@hillu sorry for the late reply, I just tried to reproduce the crash but I couldn't either. Dunno what changed 🤔
Seems like it was something to do with my setup or environment.
from go-yara.