mirrors/CyberChef
1
0
Fork 0
mirror of https://github.com/gchq/CyberChef.git synced 2025-04-21 15:26:16 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Fixed problems flagged by n's review

Browse source
This commit is contained in:
Matt 2019-01-09 15:28:50 +00:00
parent ebb632e888
commit dd9ba4d250
No known key found for this signature in database
GPG key ID: 2DD462FE98BF38C2
4 changed files with 19 additions and 22 deletions
Download patch file Download diff file Expand all files Collapse all files

114
src/core/operations/YARARules.mjs Normal file
View file

@ -0,0 +1,114 @@
/**
* @author Matt C [matt@artemisbot.uk]
* @copyright Crown Copyright 2019
* @license Apache-2.0
*/
import Operation from "../Operation";
import OperationError from "../errors/OperationError";
import Yara from "libyara-wasm";
/**
* YARA Rules operation
*/
class YARARules extends Operation {
/**
* YARARules constructor
*/
constructor() {
super();
this.name = "YARA Rules";
this.module = "Yara";
this.description = "YARA is a tool developed at VirusTotal, primarily aimed at helping malware researchers to identify and classify malware samples. It matches based on rules specified by the user containing textual or binary patterns and a boolean expression. For help on writing rules, see the <a href='https://yara.readthedocs.io/en/latest/writingrules.html'>YARA documentation.</a>";
this.infoURL = "https://wikipedia.org/wiki/YARA";
this.inputType = "ArrayBuffer";
this.outputType = "string";
this.args = [
{
name: "Rules",
type: "text",
value: "",
rows: 5
},
{
name: "Show strings",
type: "boolean",
hint: "Show each match's data",
value: false
},
{
name: "Show string lengths",
type: "boolean",
hint: "Show the length of each match's data",
value: false
},
{
name: "Show metadata",
type: "boolean",
hint: "Show the metadata of each rule",
value: false
}
];
}
/**
* @param {string} input
* @param {Object[]} args
* @returns {string}
*/
run(input, args) {
const [rules, showStrings, showLengths, showMeta] = args;
return new Promise((resolve, reject) => {
Yara().then(yara => {
let matchString = "";
const inpArr = new Uint8Array(input);
const inpVec = new yara.vectorChar();
for (let i = 0; i < inpArr.length; i++) {
inpVec.push_back(inpArr[i]);
}
const resp = yara.run(inpVec, rules);
if (resp.compileErrors.size() > 0) {
for (let i = 0; i < resp.compileErrors.size(); i++) {
const compileError = resp.compileErrors.get(i);
if (!compileError.warning) {
reject(new OperationError(`Error on line ${compileError.lineNumber}: ${compileError.message}`));
} else {
matchString += `Warning on line ${compileError.lineNumber}: ${compileError.message}`;
}
}
}
const matchedRules = resp.matchedRules;
for (let i = 0; i < matchedRules.size(); i++) {
const rule = matchedRules.get(i);
const matches = rule.resolvedMatches;
let meta = "";
if (showMeta && rule.metadata.size() > 0) {
meta += " [";
for (let j = 0; j < rule.metadata.size(); j++) {
meta += `${rule.metadata.get(j).identifier}: ${rule.metadata.get(j).data}, `;
}
meta = meta.slice(0, -2) + "]";
}
if (matches.size() === 0 || !(showStrings || showLengths)) {
matchString += `Input matches rule "${rule.ruleName}"${meta}.\n`;
} else {
matchString += `Rule "${rule.ruleName}"${meta} matches:\n`;
for (let j = 0; j < matches.size(); j++) {
const match = matches.get(j);
if (showStrings || showLengths) {
matchString += `Pos ${match.location}, ${showLengths ? `length ${match.matchLength}, ` : ""}identifier ${match.stringIdentifier}${showStrings ? `, data: "${match.data}"` : ""}\n`;
}
}
}
}
resolve(matchString);
});
});
}
}
export default YARARules;