-
Notifications
You must be signed in to change notification settings - Fork 103
/
Copy pathYaraSearch.py
90 lines (77 loc) · 2.26 KB
/
YaraSearch.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
#Searches the program via YARA.
#@author
#@category Search
#@keybinding
#@menupath Search.YARA
#@toolbar
import os, tempfile
from subprocess import Popen, PIPE
from ghidra.program.model.listing import CodeUnit
from ghidra.program.util import ProgramSelection
from ghidra.util.exception import CancelledException
from ghidra.program.model.mem import MemoryAccessException
PIPE_BUFFER_SIZE=10*1024*1024
SCRIPT_NAME="YaraSearch.py"
COMMENT_STYLE = CodeUnit.PRE_COMMENT
try:
rule_file = askFile(SCRIPT_NAME, "Search with YARA rule").getPath()
except CancelledException as e:
print "[!] CANCELLED: " + str(e)
exit()
# get all memory ranges
ranges = currentProgram.getMemory().getAddressRanges()
for r in ranges:
begin = r.getMinAddress()
end = r.getMaxAddress()
length = r.getLength()
status = "Searching: " + r.toString()
print "[+] " + status
try:
bytes = getBytes(begin,length)
except MemoryAccessException as e:
print "[!] FAILED: " + str(e)
continue
try:
tmp = tempfile.NamedTemporaryFile(delete=False)
print "[+] using temporary file " + tmp.name
tmp.write(bytes)
tmp.close()
command = "yara " + rule_file + " -gs " + tmp.name
p = Popen(command, stdout=PIPE, stderr=PIPE, shell=True, bufsize=PIPE_BUFFER_SIZE)
stdout, stderr = p.communicate()
finally:
os.unlink(tmp.name)
#print stderr
# fail on non successful execution
if p.returncode != 0:
print "[!] FAILED: subprocess did not return with 0 (=success)"
continue
lines = stdout.splitlines()
rule = ""
tag = ""
for line in lines:
if line.startswith("0x"):
l = line.split(":")
addr = int(l[0],16)
string = l[1]
match = l[2]
createBookmark(begin.add(addr), SCRIPT_NAME, rule + " " + tag)
cu = currentProgram.getListing().getCodeUnitAt(begin.add(addr))
if cu == None:
print "ERROR: CodeUnitAt " + begin.add(addr).toString() + " does not exist! Can't set comment."
continue
comment = cu.getComment(COMMENT_STYLE)
if comment == None or comment == "":
comment = ""
else:
comment += "\n"
comment += SCRIPT_NAME + "\n"
comment += rule + " " + tag + "\n"
comment += string + ": " + match
cu.setComment(COMMENT_STYLE, comment)
print line
else:
rule = line.split()[0]
tag = line.split()[1]
print rule + " " + tag
print "[$] SUCCESS"