mirrors/CyberChef
1
0
Fork 0
mirror of https://github.com/gchq/CyberChef.git synced 2025-04-20 14:56:19 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Update libyara package to fix bug with compile messages and add support for console module

Browse source
This commit is contained in:
Matt C 2022-09-18 16:11:04 +01:00
parent 8f710461da
commit 28ec56a27f
4 changed files with 77 additions and 15 deletions
Download patch file Download diff file Expand all files Collapse all files

14
package-lock.json generated
View file

@ -52,7 +52,7 @@
"jsrsasign": "^10.5.23", "jsrsasign": "^10.5.23",
"kbpgp": "2.1.15", "kbpgp": "2.1.15",
"libbzip2-wasm": "0.0.4", "libbzip2-wasm": "0.0.4",
"libyara-wasm": "^1.2.0", "libyara-wasm": "^1.2.1",
"lodash": "^4.17.21", "lodash": "^4.17.21",
"loglevel": "^1.8.0", "loglevel": "^1.8.0",
"loglevel-message-prefix": "^3.0.0", "loglevel-message-prefix": "^3.0.0",
@ -9152,9 +9152,9 @@
"integrity": "sha512-RqscTx95+RTKhFAyjedsboR0Lmo3zd8//EuRwQXkdWmsCwYlzarVRaiYg6kS1O8m10MCQkGdrnlK9L4eAmZUwA==" "integrity": "sha512-RqscTx95+RTKhFAyjedsboR0Lmo3zd8//EuRwQXkdWmsCwYlzarVRaiYg6kS1O8m10MCQkGdrnlK9L4eAmZUwA=="
}, },
"node_modules/libyara-wasm": { "node_modules/libyara-wasm": {
"version": "1.2.0", "version": "1.2.1",
"resolved": "https://registry.npmjs.org/libyara-wasm/-/libyara-wasm-1.2.0.tgz", "resolved": "https://registry.npmjs.org/libyara-wasm/-/libyara-wasm-1.2.1.tgz",
"integrity": "sha512-Dx6lnwy/JIuYSAhLcRBqdNBOzzrFoCcthmIuiNHi89P3fObXAxQYajWxOv3OFjXfIyTLr8mqSUSiyzfonbQoXg==" "integrity": "sha512-PNqUNWnwjZLe55iA8Rv6vLQRjSdO2OnVg24aRE8v+ytR8CRB8agIG6pS9h2VQejuJP1A/uR4pwcBggUxoNC7DA=="
}, },
"node_modules/lie": { "node_modules/lie": {
"version": "3.3.0", "version": "3.3.0",
@ -21198,9 +21198,9 @@
"integrity": "sha512-RqscTx95+RTKhFAyjedsboR0Lmo3zd8//EuRwQXkdWmsCwYlzarVRaiYg6kS1O8m10MCQkGdrnlK9L4eAmZUwA==" "integrity": "sha512-RqscTx95+RTKhFAyjedsboR0Lmo3zd8//EuRwQXkdWmsCwYlzarVRaiYg6kS1O8m10MCQkGdrnlK9L4eAmZUwA=="
}, },
"libyara-wasm": { "libyara-wasm": {
"version": "1.2.0", "version": "1.2.1",
"resolved": "https://registry.npmjs.org/libyara-wasm/-/libyara-wasm-1.2.0.tgz", "resolved": "https://registry.npmjs.org/libyara-wasm/-/libyara-wasm-1.2.1.tgz",
"integrity": "sha512-Dx6lnwy/JIuYSAhLcRBqdNBOzzrFoCcthmIuiNHi89P3fObXAxQYajWxOv3OFjXfIyTLr8mqSUSiyzfonbQoXg==" "integrity": "sha512-PNqUNWnwjZLe55iA8Rv6vLQRjSdO2OnVg24aRE8v+ytR8CRB8agIG6pS9h2VQejuJP1A/uR4pwcBggUxoNC7DA=="
}, },
"lie": { "lie": {
"version": "3.3.0", "version": "3.3.0",

2
package.json
View file

@ -128,7 +128,7 @@
"jsrsasign": "^10.5.23", "jsrsasign": "^10.5.23",
"kbpgp": "2.1.15", "kbpgp": "2.1.15",
"libbzip2-wasm": "0.0.4", "libbzip2-wasm": "0.0.4",
"libyara-wasm": "^1.2.0", "libyara-wasm": "^1.2.1",
"lodash": "^4.17.21", "lodash": "^4.17.21",
"loglevel": "^1.8.0", "loglevel": "^1.8.0",
"loglevel-message-prefix": "^3.0.0", "loglevel-message-prefix": "^3.0.0",

30
src/core/operations/YARARules.mjs
View file

@ -52,7 +52,17 @@ class YARARules extends Operation {
name: "Show counts", name: "Show counts",
type: "boolean", type: "boolean",
value: true value: true
} },
{
name: "Show rule warnings",
type: "boolean",
value: true
},
{
name: "Show console module messages",
type: "boolean",
value: true
},
]; ];
} }
@ -64,7 +74,7 @@ class YARARules extends Operation {
async run(input, args) { async run(input, args) {
if (isWorkerEnvironment()) if (isWorkerEnvironment())
self.sendStatusMessage("Instantiating YARA..."); self.sendStatusMessage("Instantiating YARA...");
const [rules, showStrings, showLengths, showMeta, showCounts] = args; const [rules, showStrings, showLengths, showMeta, showCounts, showRuleWarns, showConsole] = args;
return new Promise((resolve, reject) => { return new Promise((resolve, reject) => {
Yara().then(yara => { Yara().then(yara => {
if (isWorkerEnvironment()) self.sendStatusMessage("Converting data for YARA."); if (isWorkerEnvironment()) self.sendStatusMessage("Converting data for YARA.");
@ -83,11 +93,19 @@ class YARARules extends Operation {
const compileError = resp.compileErrors.get(i); const compileError = resp.compileErrors.get(i);
if (!compileError.warning) { if (!compileError.warning) {
reject(new OperationError(`Error on line ${compileError.lineNumber}: ${compileError.message}`)); reject(new OperationError(`Error on line ${compileError.lineNumber}: ${compileError.message}`));
} else { } else if (showRuleWarns) {
matchString += `Warning on line ${compileError.lineNumber}: ${compileError.message}`; matchString += `Warning on line ${compileError.lineNumber}: ${compileError.message}\n`;
} }
} }
} }
if (showConsole) {
const consoleLogs = resp.consoleLogs;
for (let i = 0; i < consoleLogs.size(); i++) {
matchString += consoleLogs.get(i) + "\n";
}
}
const matchedRules = resp.matchedRules; const matchedRules = resp.matchedRules;
for (let i = 0; i < matchedRules.size(); i++) { for (let i = 0; i < matchedRules.size(); i++) {
const rule = matchedRules.get(i); const rule = matchedRules.get(i);
@ -100,11 +118,11 @@ class YARARules extends Operation {
} }
meta = meta.slice(0, -2) + "]"; meta = meta.slice(0, -2) + "]";
} }
const countString = matches.size() === 0 ? "" : (showCounts ? `${matches.size()} time${matches.size() > 1 ? "s" : ""}` : ""); const countString = matches.size() === 0 ? "" : (showCounts ? ` (${matches.size()} time${matches.size() > 1 ? "s" : ""})` : "");
if (matches.size() === 0 || !(showStrings || showLengths)) { if (matches.size() === 0 || !(showStrings || showLengths)) {
matchString += `Input matches rule "${rule.ruleName}"${meta}${countString.length > 0 ? ` ${countString}`: ""}.\n`; matchString += `Input matches rule "${rule.ruleName}"${meta}${countString.length > 0 ? ` ${countString}`: ""}.\n`;
} else { } else {
matchString += `Rule "${rule.ruleName}"${meta} matches (${countString}):\n`; matchString += `Rule "${rule.ruleName}"${meta} matches${countString}:\n`;
for (let j = 0; j < matches.size(); j++) { for (let j = 0; j < matches.size(); j++) {
const match = matches.get(j); const match = matches.get(j);
if (showStrings || showLengths) { if (showStrings || showLengths) {

46
tests/operations/tests/YARA.mjs
View file

@ -8,6 +8,22 @@
*/ */
import TestRegister from "../../lib/TestRegister.mjs"; import TestRegister from "../../lib/TestRegister.mjs";
const CONSOLE_COMPILE_WARNING_RULE = `import "console"
rule a
{
strings:
$s=" "
condition:
$s and console.log("log rule a")
}
rule b
{
strings:
$s=" "
condition:
$s and console.hex("log rule b: int8(0)=", int8(0))
}`;
TestRegister.addTests([ TestRegister.addTests([
{ {
name: "YARA Match: simple foobar", name: "YARA Match: simple foobar",
@ -38,10 +54,38 @@ TestRegister.addTests([
condition: condition:
hash.sha256(0,filesize) == "7f83b1657ff1fc53b92dc18148a1d65dfc2d4b1fa3d677284addd200126d9069" hash.sha256(0,filesize) == "7f83b1657ff1fc53b92dc18148a1d65dfc2d4b1fa3d677284addd200126d9069"
}`, }`,
true, true, true, true true, true, true, true, false, false
], ],
} }
], ],
}, },
{
name: "YARA Match: compile warnings",
input: "CyberChef Yara",
expectedOutput: "Warning on line 5: string \"$s\" may slow down scanning\n" +
"Warning on line 12: string \"$s\" may slow down scanning\n" +
"Input matches rule \"a\".\n" +
"Input matches rule \"b\".\n",
recipeConfig: [
{
"op": "YARA Rules",
"args": [CONSOLE_COMPILE_WARNING_RULE, false, false, false, false, true, false],
}
],
},
{
name: "YARA Match: console messages",
input: "CyberChef Yara",
expectedOutput: "log rule a\n" +
"log rule b: int8(0)=0x43\n" +
"Input matches rule \"a\".\n" +
"Input matches rule \"b\".\n",
recipeConfig: [
{
"op": "YARA Rules",
"args": [CONSOLE_COMPILE_WARNING_RULE, false, false, false, false, false, true],
}
],
},
]); ]);