目录
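#!/usr/bin/env bash
# Build a static libyara from source and point cgo at that build so that
# github.com/hillu/go-yara/v4 links against exactly the library compiled here.
set -euo pipefail

YARA_VERSION=4.2.0

sudo apt-get install automake libtool make gcc pkg-config

# codeload serves the archive under the bare tag name ("v4.2.0"), so name the
# output file explicitly; otherwise the tar step below looks for a file that
# was never written.
wget -O "v${YARA_VERSION}.tar.gz" \
  "https://codeload.github.com/VirusTotal/yara/tar.gz/refs/tags/v${YARA_VERSION}"

# Supply-chain check: compare the download with the digest published for the
# release before unpacking. Replace the placeholder with the real value; the
# script aborts here until that is done.
echo "<SHA256_OF_RELEASE_ARCHIVE_PLACEHOLDER>  v${YARA_VERSION}.tar.gz" | sha256sum -c -

tar -zxvf "v${YARA_VERSION}.tar.gz"
cd "yara-${YARA_VERSION}/"
./bootstrap.sh

# --without-crypto builds libyara without OpenSSL. Rules that use the hash
# module or the pe module's signature data need a build with OpenSSL
# (libssl-dev) instead; drop the flag in that case.
./configure --disable-shared --enable-static --without-crypto
make

# Installing under /usr/local needs root, like the apt-get step above.
sudo make install

# Make pkg-config aware of the new yara.pc. On Debian/Ubuntu the directory is
# usually /usr/lib/x86_64-linux-gnu/pkgconfig; adjust the destination if
# /usr/lib64/pkgconfig does not exist. Alternatively export
# PKG_CONFIG_PATH=/usr/local/lib/pkgconfig instead of copying.
sudo cp /usr/local/lib/pkgconfig/yara.pc /usr/lib64/pkgconfig

# We are inside the extracted source tree at this point, so derive YARA_SRC
# from the current directory rather than hard-coding a path.
export YARA_SRC="$PWD"
export CGO_CFLAGS="-I${YARA_SRC}/libyara/include"
# Link the static archive built above; -lm is needed by libyara itself.
export CGO_LDFLAGS="-L${YARA_SRC}/libyara/.libs -lyara -lm"

go get github.com/hillu/go-yara/v4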
package main
import (
yara "github.com/hillu/go-yara/v4"
"io/ioutil"
"os"
"fmt"
)
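// main compiles one inline YARA rule, scans a temporary file that contains
// the rule's search string and prints the resulting matches.
//
// Every failure is reported on stderr and turned into exit status 1. The
// earlier version returned silently on each error, so a broken libyara
// link or a rule syntax error looked exactly like "no output".
func main() {
	if err := run(); err != nil {
		fmt.Fprintln(os.Stderr, "yara test:", err)
		os.Exit(1)
	}
}

// run holds the actual work so that deferred cleanup (removing the temp
// file) still executes before main turns the error into an exit code;
// calling os.Exit inside this body would skip the defer.
func run() error {
	// Rule text is kept verbatim from the original example; the `nocase`
	// modifier is what lets "xiaomi10" in the sample file match.
	rule := `rule test
{
meta:
date = "2021-07-26"
description = "this is a test"
strings:
$dev = "xiaomi" nocase
condition:
$dev
}`

	compiler, err := yara.NewCompiler()
	if err != nil {
		return fmt.Errorf("creating compiler: %w", err)
	}
	// The empty namespace places the rule in YARA's default namespace.
	if err := compiler.AddString(rule, ""); err != nil {
		return fmt.Errorf("compiling rule: %w", err)
	}
	rules, err := compiler.GetRules()
	if err != nil {
		return fmt.Errorf("getting compiled rules: %w", err)
	}
	scanner, err := yara.NewScanner(rules)
	if err != nil {
		return fmt.Errorf("creating scanner: %w", err)
	}

	// ioutil.TempFile opens the file with mode 0600 in the default temp
	// directory, so the sample is not readable by other local users.
	testFile, err := ioutil.TempFile("", "TestFile")
	if err != nil {
		return fmt.Errorf("creating temp file: %w", err)
	}
	defer os.Remove(testFile.Name())
	if _, err := testFile.Write([]byte("xiaomi10")); err != nil {
		testFile.Close()
		return fmt.Errorf("writing temp file: %w", err)
	}
	// Close before scanning so the handle is released and a close error
	// is surfaced instead of being dropped.
	if err := testFile.Close(); err != nil {
		return fmt.Errorf("closing temp file: %w", err)
	}

	// MatchRules implements ScanCallback and collects every matching rule.
	var matchRules yara.MatchRules
	if err := scanner.SetCallback(&matchRules).ScanFile(testFile.Name()); err != nil {
		return fmt.Errorf("scanning %s: %w", testFile.Name(), err)
	}
	if len(matchRules) != 1 {
		return fmt.Errorf("expected exactly 1 match, got %d", len(matchRules))
	}
	fmt.Printf("Matches: %+v\n", matchRules)
	return nil
}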
提供一个打包好的镜像，直接进入容器编译即可；测试用例位于 /home/yaratest 目录。