YARA是一个流行的开源项目,用于恶意软件检测和分析。它允许用户定义规则,这些规则可以识别和分类恶意软件样本。YARA 的强大之处在于其灵活性和易用性,尤其是在 C/C++ 项目中。本文将详细介绍如何通过 YARA 的 C API 集成和使用 YARA,从而将 YARA 无缝集成到您的安全解决方案中。
本章主要介绍libyara的C API接口用于开发时参考,其它关于libyara的详细介绍可以浏览以下章节:
- YARA:第七章-模块使用之PE
- YARA:第八章-模块使用之ELF
- YARA:第九章-模块使用之Magic
- YARA:第十章-模块使用之Hash
- YARA:第十一章-模块使用之Math
- YARA:第十二章-模块使用之Time、Console和String
- YARA:第十三章-编写定制化模块
- YARA:第十四章-基于JSON文件的威胁分析
- YARA:第十五章-libyara使用(威胁检测)
目录
2.6 yr_compiler_set_include_callback
2.11 yr_compiler_define_integer_variable
2.12 yr_compiler_define_float_variable
2.13 yr_compiler_define_boolean_variable
2.14 yr_compiler_define_string_variable
2.15 yr_rules_define_integer_variable
2.16 yr_rules_define_boolean_variable
2.17 yr_rules_define_float_variable
2.18 yr_rules_define_string_variable
2.34 yr_scanner_define_integer_variable
2.35 yr_scanner_define_boolean_variable
2.36 yr_scanner_define_float_variable
2.37 yr_scanner_define_string_variable
2.38 yr_scanner_scan_mem_blocks
2.42 yr_scanner_last_error_rule
2.43 yr_scanner_last_error_string
3.7 ERROR_UNSUPPORTED_FILE_VERSION
3.8 ERROR_TOO_MANY_SCAN_THREADS
1 数据结构
1.1 YR_COMPILER
编译器对象。使用yr_compiler_create函数创建。
typedef struct _YR_COMPILER
{
// Arena that contains the data generated by the compiled. The arena has
// the following buffers:
//
// YR_SUMMARY_SECTION:
// A YR_SUMMARY struct.
// YR_RULES_TABLE:
// An array of YR_RULE structures, one per each rule.
// YR_STRINGS_TABLE:
// An array of YR_STRING structures, one per each string.
// YR_METAS_TABLE:
// An array of YR_META structures, one per each meta definition.
// YR_NAMESPACES_TABLE:
// An array of YR_NAMESPACE structures, one per each namespace.
// YR_EXTERNAL_VARIABLES_TABLE:
// An array of YR_EXTERNAL_VARIABLE structures, one per each external
// variable defined.
// YR_SZ_POOL:
// A collection of null-terminated strings. This buffer contains
// identifiers, literal strings, and in general any null-terminated
// string referenced by other data structures.
// YR_CODE_SECTION:
// The code for the condition section of all the rules. This is the
// code executed by yr_execute_code.
// YR_RE_CODE_SECTION:
// Similar to YR_CODE_SECTION, but it contains the code for regular
// expressions. This is the code executed by yr_re_exec and
// yr_re_fast_exec.
// YR_AC_TRANSITION_TABLE:
// An array of uint32_t containing the Aho-Corasick transition table.
// See comment in _yr_ac_build_transition_table for details.
// YR_AC_STATE_MATCHES_TABLE:
// An array of uint32_t with the same number of items than the transition
// table. If entry N in the transition table corresponds to some
// Aho-Corasick state, the N-th item in this array has the index within
// the matches pool where the list of matches for that state begins.
// YR_AC_STATE_MATCHES_POOL:
// An array of YR_AC_MATCH structures.
//
YR_ARENA* arena;
// Index of the rule being compiled in the array of YR_RULE structures
// stored in YR_RULES_TABLE. If this is MAX_UINT32 the compiler is not
// parsing a rule.
uint32_t current_rule_idx;
// Index of the rule that comes next during parsing.
uint32_t next_rule_idx;
// Index of the string being compiled in the array of YR_STRING structures
// stored in YR_STRINGS_TABLE.
uint32_t current_string_idx;
// Index of the current namespace in the array of YR_NAMESPACE structures
// stored in YR_NAMESPACES_TABLE.
uint32_t current_namespace_idx;
// Index of the current meta in the array of YR_META structures stored in
// YR_METAS_TABLE.
uint32_t current_meta_idx;
// Pointer to a YR_RULES structure that represents the compiled rules. This
// is what yr_compiler_get_rules returns. Once these rules are generated you
// can't call any of the yr_compiler_add_xxx functions.
YR_RULES* rules;
int errors;
int current_line;
int last_error;
int last_error_line;
bool strict_escape;
jmp_buf error_recovery;
YR_AC_AUTOMATON* automaton;
YR_HASH_TABLE* rules_table;
YR_HASH_TABLE* objects_table;
YR_HASH_TABLE* strings_table;
// Hash table that contains all the identifiers with wildcards used in
// conditions. This is used to make sure we error out if we are parsing a
// rule _AFTER_ an existing rule has referenced it in a condition. For
// example:
//
// rule a1 { condition: true }
// rule b { condition: 1 of (a*) }
// rule a2 { condition: true }
//
// This must be a compiler error when parsing a2 because b has already been
// parsed and the instructions to check _ONLY_ a1 have been emitted. Rule b
// has no concept of a2 and would not work as expected.
YR_HASH_TABLE* wildcard_identifiers_table;
// Hash table that contains all the strings that has been written to the
// YR_SZ_POOL buffer in the compiler's arena. Values in the hash table are
// the offset within the YR_SZ_POOL where the string resides. This allows to
// know is some string has already been written in order to reuse instead of
// writting it again.
YR_HASH_TABLE* sz_table;
YR_FIXUP* fixup_stack_head;
int num_namespaces;
YR_LOOP_CONTEXT loop[YR_MAX_LOOP_NESTING];
int loop_index;
int loop_for_of_var_index;
char* file_name_stack[YR_MAX_INCLUDE_DEPTH];
int file_name_stack_ptr;
char last_error_extra_info[YR_MAX_COMPILER_ERROR_EXTRA_INFO];
// This buffer is used by the lexer for accumulating text strings. Those
// strings are copied from flex's internal variables. lex_buf_ptr points to
// the end of the string and lex_buf_len contains the number of bytes that
// have been copied into lex_buf.
char lex_buf[YR_LEX_BUF_SIZE];
char* lex_buf_ptr;
unsigned short lex_buf_len;
char include_base_dir[MAX_PATH];
void* user_data;
void* incl_clbk_user_data;
void* re_ast_clbk_user_data;
YR_COMPILER_CALLBACK_FUNC callback;
YR_COMPILER_INCLUDE_CALLBACK_FUNC include_callback;
YR_COMPILER_INCLUDE_FREE_FUNC include_free;
YR_COMPILER_RE_AST_CALLBACK_FUNC re_ast_callback;
YR_ATOMS_CONFIG atoms_config;
} YR_COMPILER;1.2 YR_SCAN_CONTEXT
包含扫描目标的信息,例如目标文件大小、超时时间、扫描规则等。
struct YR_SCAN_CONTEXT
{
// File size of the file being scanned.
uint64_t file_size;
// Entry point of the file being scanned, if the file is PE or ELF.
uint64_t entry_point;
// Scanning flags.
int flags;
// Canary value used for preventing hand-crafted objects from being embedded
// in compiled rules and used to exploit YARA. The canary value is initialized
// to a random value and is subsequently set to all objects created by
// yr_object_create. The canary is verified when objects are used by
// yr_execute_code.
int canary;
// Scan timeout in nanoseconds.
uint64_t timeout;
// Pointer to user-provided data passed to the callback function.
void* user_data;
// Pointer to the user-provided callback function that is called when an
// event occurs during the scan (a rule matching, a module being loaded, etc)
YR_CALLBACK_FUNC callback;
// Pointer to the YR_RULES object associated to this scan context.
YR_RULES* rules;
// Pointer to the YR_STRING causing the most recent scan error.
YR_STRING* last_error_string;
// Pointer to the iterator used for scanning
YR_MEMORY_BLOCK_ITERATOR* iterator;
// Pointer to a table mapping identifiers to YR_OBJECT structures. This table
// contains entries for external variables and modules.
YR_HASH_TABLE* objects_table;
// Notebook used for storing YR_MATCH structures associated to the matches
// found.
YR_NOTEBOOK* matches_notebook;
// Stopwatch used for measuring the time elapsed during the scan.
YR_STOPWATCH stopwatch;
// Fiber pool used by yr_re_exec.
RE_FIBER_POOL re_fiber_pool;
// Pool used by yr_re_fast_exec.
RE_FAST_EXEC_POSITION_POOL re_fast_exec_position_pool;
// A bitmap with one bit per rule, bit N is set when the rule with index N
// has matched.
YR_BITMASK* rule_matches_flags;
// A bitmap with one bit per namespace, bit N is set if the namespace with
// index N has some global rule that is not satisfied.
YR_BITMASK* ns_unsatisfied_flags;
// A bitmap with one bit per string, bit N is set if the string with index
// N has too many matches.
YR_BITMASK* strings_temp_disabled;
// Array with pointers to lists of matches. Item N in the array has the
// list of matches for string with index N.
YR_MATCHES* matches;
// "unconfirmed_matches" is like "matches" but for strings that are part of
// a chain. Let's suppose that the string S is split in two chained strings
// S1 <- S2. When a match is found for S1, we can't be sure that S matches
// until a match for S2 is found (within the range defined by chain_gap_min
// and chain_gap_max), so the matches for S1 are put in "unconfirmed_matches"
// until they can be confirmed or discarded.
YR_MATCHES* unconfirmed_matches;
// A bitmap with one bit per rule, bit N is set if the corresponding rule
// must evaluated.
YR_BITMASK* required_eval;
// profiling_info is a pointer to an array of YR_PROFILING_INFO structures,
// one per rule. Entry N has the profiling information for rule with index N.
YR_PROFILING_INFO* profiling_info;
};1.3 YR_MATCH
命中规则的字符串的详细信息。例如所匹配字符串在文件中偏移,所匹配字符串长度,包含所匹配字符串的一段缓存数据等。
struct YR_MATCH
{
int64_t base; // Base address for the match
int64_t offset; // Offset relative to base for the match
int32_t match_length; // Match length
int32_t data_length;
// Pointer to a buffer containing a portion of the matched data. The size of
// the buffer is data_length. data_length is always <= length and is limited
// to YR_CONFIG_MAX_MATCH_DATA bytes.
const uint8_t* data;
YR_MATCH* prev;
YR_MATCH* next;
// If the match belongs to a chained string chain_length contains the
// length of the chain. This field is used only in unconfirmed matches.
int32_t chain_length;
// True if this is match for a private string.
bool is_private;
// Set to the xor key if this is an xor string.
uint8_t xor_key;
};1.4 YR_META
包含规则中元数据信息的结构。Yara规则中元数据详解可参考YARA:第六章-更多关于规则。
struct YR_META
{
DECLARE_REFERENCE(const char*, identifier);
DECLARE_REFERENCE(const char*, string);
int64_t integer;
int32_t type;
int32_t flags;
};1.5 YR_MODULE_IMPORT
包含所导入模块的名称,模块数据(module_data)以及模块数据大小(module_data_size)。模块以及模块数据的作用可参考YARA:第十三章-编写定制化模块。
struct YR_MODULE_IMPORT
{
const char* module_name;
void* module_data;
size_t module_data_size;
};1.6 YR_RULE
包含单个Yara规则信息的数据结构。
struct YR_RULE
{
int32_t flags;
// Number of atoms generated for this rule.
int32_t num_atoms;
// Number of strings that must match for this rule to have some possibility
// to match.
uint32_t required_strings;
// Just for padding.
uint32_t unused;
DECLARE_REFERENCE(const char*, identifier);
DECLARE_REFERENCE(const char*, tags);
DECLARE_REFERENCE(YR_META*, metas);
DECLARE_REFERENCE(YR_STRING*, strings);
DECLARE_REFERENCE(YR_NAMESPACE*, ns);
};1.7 YR_RULES
包含一组已经编译后的规则信息。
struct YR_RULES
{
YR_ARENA* arena;
// Array of pointers with an entry for each rule. The rule_idx field in the
// YR_STRING structure is an index within this array.
union
{
YR_RULE* rules_table;
// The previous name for rules_table was rules_list_head, because this
// was previously a linked list. The old name is maintained but marked as
// deprecated, which will raise a warning if used.
// TODO(vmalvarez): Remove this field when a reasonable a few versions
// after 4.1 has been released.
YR_DEPRECATED(YR_RULE* rules_list_head);
};
// Array of pointers with an entry for each of the defined strings. The idx
// field in the YR_STRING structure is an index within this array.
union
{
YR_STRING* strings_table;
// The previous name for strings_table was strings_list_head, because this
// was previously a linked list. The old name is maintained but marked as
// deprecated, which will raise a warning if used.
// TODO(vmalvarez): Remove this field when a reasonable a few versions
// after 4.1 has been released.
YR_DEPRECATED(YR_STRING* strings_list_head);
};
// Array of pointers with an entry for each external variable.
union
{
YR_EXTERNAL_VARIABLE* ext_vars_table;
// The previous name for ext_vars_table was externals_list_head, because
// this was previously a linked list. The old name is maintained but marked
// as deprecated, which will raise a warning if used.
// TODO(vmalvarez): Remove this field when a reasonable a few versions
// after 4.1 has been released.
YR_DEPRECATED(YR_EXTERNAL_VARIABLE* externals_list_head);
};
// Pointer to the Aho-Corasick transition table.
YR_AC_TRANSITION* ac_transition_table;
// A pointer to the arena where YR_AC_MATCH structures are allocated.
YR_AC_MATCH* ac_match_pool;
// Table that translates from Aho-Corasick states (which are identified by
// numbers 0, 1, 2.. and so on) to the index in ac_match_pool where the
// YR_AC_MATCH structures for the corresponding state start.
// If the entry corresponding to state N in ac_match_table is zero, it
// means that there's no match associated to the state. If it's non-zero,
// its value is the 1-based index within ac_match_pool where the first
// match resides.
uint32_t* ac_match_table;
// Pointer to the first instruction that is executed whan evaluating the
// conditions for all rules. The code is executed by yr_execute_code and
// the instructions are defined by the OP_X macros in exec.h.
const uint8_t* code_start;
// A bitmap with one bit per rule, bit N is set when the condition for rule
// might evaluate to true even without any string matches.
YR_BITMASK* no_required_strings;
// Total number of rules.
uint32_t num_rules;
// Total number of strings.
uint32_t num_strings;
// Total number of namespaces.
uint32_t num_namespaces;
};1.8 YR_STREAM
作为参数用于yr_rules_save_stream() and yr_rules_load_stream()函数中,这两个函数可以有用户自定义流的形式存储和读取Yara已编译后的规则信息。
typedef struct _YR_STREAM
{
void* user_data;
YR_STREAM_READ_FUNC read;
YR_STREAM_WRITE_FUNC write;
} YR_STREAM;1.9 YR_STRING
包含了Yara规则中,字符串块中字符串的相关信息。Yara规则中字符串块的介绍可以参考YARA:第二章-字符串之十六进制字符串(一)、YARA:第三章-字符串之文本字符串(二) 和YARA:第四章-字符串之正则表达式(三)章节介绍。
struct YR_STRING
{
// Flags, see STRING_FLAGS_XXX macros defined above.
uint32_t flags;
// Index of this string in the array of YR_STRING structures stored in
// YR_STRINGS_TABLE.
uint32_t idx;
// If the string can only match at a specific offset (for example if the
// condition is "$a at 0" the string $a can only match at offset 0), the
// fixed_offset field contains the offset, it have the YR_UNDEFINED value for
// strings that can match anywhere.
int64_t fixed_offset;
// Index of the rule containing this string in the array of YR_RULE
// structures stored in YR_RULES_TABLE.
uint32_t rule_idx;
// String's length.
int32_t length;
// Pointer to the string itself, the length is indicated by the "length"
// field.
DECLARE_REFERENCE(uint8_t*, string);
// Strings are splitted in two or more parts when they contain a "gap" that
// is larger than YR_STRING_CHAINING_THRESHOLD. This happens in strings like
// { 01 02 03 04 [X-Y] 05 06 07 08 } if Y >= X + YR_STRING_CHAINING_THRESHOLD
// and also in { 01 02 03 04 [-] 05 06 07 08 }. In both cases the strings are
// split in { 01 02 03 04 } and { 05 06 07 08 }, and the two smaller strings
// are searched for independently. If some string S is splitted in S1 and S2,
// S2 is chained to S1. In the example above { 05 06 07 08 } is chained to
// { 01 02 03 04 }. The same applies when the string is splitted in more than
// two parts, if S is split in S1, S2, and S3. S3 is chained to S2 and S2 is
// chained to S1 (it can represented as: S1 <- S2 <- S3).
DECLARE_REFERENCE(YR_STRING*, chained_to);
// When this string is chained to some other string, chain_gap_min and
// chain_gap_max contain the minimum and maximum distance between the two
// strings. For example in { 01 02 03 04 [X-Y] 05 06 07 08 }, the string
// { 05 06 07 08 } is chained to { 01 02 03 04 } and chain_gap_min is X
// and chain_gap_max is Y. These fields are ignored for strings that are not
// part of a string chain.
int32_t chain_gap_min;
int32_t chain_gap_max;
// Identifier of this string.
DECLARE_REFERENCE(const char*, identifier);
};1.10 YR_NAMESPACE
包含Yara规则中namespace名称以及索引。
struct YR_NAMESPACE
{
// Pointer to namespace's name.
DECLARE_REFERENCE(const char*, name);
// Index of this namespace in the array of YR_NAMESPACE structures stored
// in YR_NAMESPACES_TABLE.
//
// YR_ALIGN(8) forces the idx field to be treated as a 8-bytes field
// and therefore the struct's size is 16 bytes. This is necessary only for
// 32-bits versions of YARA compiled with Visual Studio. See: #1358.
YR_ALIGN(8) uint32_t idx;
};2. 函数接口
2.1 yr_initialize
初始化函数,此函数负责初始化libyara正常执行所需的变量和资源,且必须在调用libyara其它函数前调用。如果是多线程模式,则需要在主线程执行一次调用即可。
此函数返回ERROR_SUCCESS说明初始化执行成功,否则执行失败且返回值对应着错误码。
int yr_initialize(void)2.2 yr_finalize
退出函数,此函数在libyara库不再使用时调用,用于释放libyara在运行过程中申请的各种资源和空间。
此函数返回ERROR_SUCCESS说明退出函数执行成功,否则执行失败且返回值对应着错误码。
int yr_finalize(void)2.3 yr_compiler_create
此函数创建一个Yara编译器对象。用户需要声明一个YR_COMPILER指针类型的对象,并将对象的地址传入此函数,此函数会为YR_COMPILER指针申请空间。
此函数返回ERROR_SUCCESS说明编译器对象创建成功,返回ERROR_INSUFFICIENT_MEMORY说明在创建编译器对象时失败,可能是申请空间失败。
int yr_compiler_create(YR_COMPILER **compiler)2.4 yr_compiler_destroy
此函数负责销毁Yara编译器对象,即释放其所申请的空间。
void yr_compiler_destroy(YR_COMPILER *compiler)2.5 yr_compiler_set_callback
此函数用来注册编译回调函数,当在编译过程中出现错误时调用回调函数用来通知用户针对编译错误做出相应的处理。回调函数详细格式说明参考YARA:第十五章-libyara使用(威胁检测)第二章节。
void yr_compiler_set_callback(YR_COMPILER *compiler,
YR_COMPILER_CALLBACK_FUNC callback, void *user_data)2.6 yr_compiler_set_include_callback
当Yara在解析规则文件时遇到"include"关键字,它通常会在本地磁盘中搜索并加载被引用的规则文件。为了提高灵活性,用户可以利用特定的函数注册一个回调函数。这样一来,每当Yara检测到规则文件中的"include"关键字,它就会调用这个回调函数。这使得规则文件不仅可以从磁盘加载,还可以从数据库、其他服务器等不同来源动态获取。
void yr_compiler_set_include_callback(YR_COMPILER *compiler,
YR_COMPILER_INCLUDE_CALLBACK_FUNC callback,
YR_COMPILER_INCLUDE_FREE_FUNC include_free,
void *user_data)2.7 yr_compiler_add_file
int yr_compiler_add_file(YR_COMPILER *compiler,
FILE *file, const char *namespace, const char *file_name)2.8 yr_compiler_add_fd
从文件描述符中获取规则并编译。
int yr_compiler_add_fd(YR_COMPILER *compiler,
YR_FILE_DESCRIPTOR rules_fd, const char *namespace, const char *file_name)2.9 yr_compiler_add_string
将传入的字符串信息作为规则进行编译。
int yr_compiler_add_string(YR_COMPILER *compiler,
const char *string, const char *namespace_)2.10 yr_compiler_get_rules
从编译器对象中获取规则编译后规则规则对象。
int yr_compiler_get_rules(YR_COMPILER *compiler, YR_RULES **rules)2.11 yr_compiler_define_integer_variable
对Yara规则中整型变量赋值。
int yr_compiler_define_integer_variable(YR_COMPILER *compiler,
const char *identifier, int64_t value)2.12 yr_compiler_define_float_variable
对Yara规则中浮点型变量赋值。
int yr_compiler_define_float_variable(YR_COMPILER *compiler,
const char *identifier, double value)2.13 yr_compiler_define_boolean_variable
对Yara规则中布尔型变量赋值。
int yr_compiler_define_boolean_variable(YR_COMPILER *compiler,
const char *identifier, int value)2.14 yr_compiler_define_string_variable
对Yara规则中字符串变量赋值。
int yr_compiler_define_string_variable(YR_COMPILER *compiler,
const char *identifier, const char *value)2.15 yr_rules_define_integer_variable
更改Yara编译后规则中整型变量的值。
int yr_rules_define_integer_variable(YR_RULES *rules,
const char *identifier, int64_t value)2.16 yr_rules_define_boolean_variable
更改Yara编译后规则中布尔类型变量的值。
int yr_rules_define_boolean_variable(YR_RULES *rules,
const char *identifier, int value)2.17 yr_rules_define_float_variable
更改Yara编译后规则中浮点型变量的值。
int yr_rules_define_float_variable(YR_RULES *rules,
const char *identifier, double value)2.18 yr_rules_define_string_variable
更改Yara编译后规则中字符串变量的值。
int yr_rules_define_string_variable(YR_RULES *rules,
const char *identifier, const char *value)2.19 yr_rules_destroy
销毁规则对象。
void yr_rules_destroy(YR_RULES *rules)2.20 yr_rules_save
此函数将已编译规则以文件的形式存储到磁盘中。返回ERROR_SUCCESS表示规则存储成功。返回ERROR_COULD_NOT_OPEN_FILE表示在存储时无法打开或创建规则文件。
int yr_rules_save(YR_RULES *rules, const char *filename)2.21 yr_rules_save_stream
规则以流的形式存储,适用于规则信息以特殊的方式存储,例如数据库或者远程服务器中。
int yr_rules_save_stream(YR_RULES *rules, YR_STREAM *stream)2.22 yr_rules_load
从指定文件中加载已编译后的规则信息。
int yr_rules_load(const char *filename, YR_RULES **rules)2.23 yr_rules_load_stream
以流的形式加载已编译后的规则信息,适用于规则信息以特殊的方式存储,例如数据库或者远程服务器中。
int yr_rules_load_stream(YR_STREAM *stream, YR_RULES **rules)2.24 yr_rules_scan_mem
Yara执行检测规则扫描一段缓冲区。
int yr_rules_scan_mem(YR_RULES *rules, const uint8_t *buffer,
size_t buffer_size, int flags, YR_CALLBACK_FUNC callback,
void *user_data, int timeout)2.25 yr_rules_scan_file
Yara执行检测规则扫描指定文件。
int yr_rules_scan_file(YR_RULES *rules, const char *filename,
int flags, YR_CALLBACK_FUNC callback,
void *user_data, int timeout)2.26 yr_rules_scan_fd
Yara执行检测规则扫描指定文件描述符对应的信息。
int yr_rules_scan_fd(YR_RULES *rules, YR_FILE_DESCRIPTOR fd,
int flags, YR_CALLBACK_FUNC callback, void *user_data, int timeout)2.27 yr_rule_disable
禁用指定规则,禁用后在扫描时将忽略此规则策略并且不进行匹配。
void yr_rule_disable(YR_RULE *rule)2.28 yr_rule_enable
启用指定规则。
void yr_rule_enable(YR_RULE *rule)2.29 yr_scanner_create
此函数用于创建scanner对象,此对象可以执行扫描功能。适用于多线程模式下。
int yr_scanner_create(YR_RULES *rules, YR_SCANNER **scanner)2.30 yr_scanner_destroy
此函数用于销毁scanner对象。
void yr_scanner_destroy(YR_SCANNER *scanner)2.31 yr_scanner_set_callback
注册回调函数,注册后当scanner检测时命中规则就调用回调函数。
void yr_scanner_set_callback(YR_SCANNER *scanner,
YR_CALLBACK_FUNC callback, void *user_data)2.32 yr_scanner_set_timeout
设置scanner在执行扫描时执行的最大时间。如果timeout设置为0则永不超时。
void yr_scanner_set_timeout(YR_SCANNER *scanner, int timeout)2.33 yr_scanner_set_flags
设置Yara扫描方式的标志位。包括:
(1)SCAN_FLAGS_FAST_MODE:执行快速扫描。
(2)SCAN_FLAGS_NO_TRYCATCH:关闭运行过程中的异常处理机制。
(3)SCAN_FLAGS_REPORT_RULES_MATCHING:扫描时当前目标命中任何规则需要进行通知(即调用扫描回调函数)。
(4)SCAN_FLAGS_REPORT_RULES_NOT_MATCHING:扫描时当前目标没有命中任何规则需要进行通知(即调用扫描回调函数)。
(5)SCAN_FLAGS_PROCESS_MEMORY:标识扫描进程内存。
void yr_scanner_set_flags(YR_SCANNER *scanner, int flags)2.34 yr_scanner_define_integer_variable
功能类似于yr_compiler_define_integer_variable()函数,前者是通过编译器对象对规则中整型变量进行赋值,此函数是通过scanner对象对规则中整型变量进行赋值。
int yr_scanner_define_integer_variable(YR_SCANNER *scanner, const char *identifier, int64_t value)2.35 yr_scanner_define_boolean_variable
功能类似于yr_compiler_define_boolean_variable()函数,前者是通过编译器对象对规则中布尔类型变量进行赋值,此函数是通过scanner对象对规则中布尔类型变量进行赋值。
int yr_scanner_define_boolean_variable(YR_SCANNER *scanner, const char *identifier, int value)2.36 yr_scanner_define_float_variable
功能类似于yr_compiler_define_float_variable()函数,前者是通过编译器对象对规则中浮点型变量进行赋值,此函数是通过scanner对象对规则中浮点型变量进行赋值。
int yr_scanner_define_float_variable(YR_SCANNER *scanner, const char *identifier, double value)2.37 yr_scanner_define_string_variable
功能类似于yr_compiler_define_string_variable()函数,前者是通过编译器对象对规则中字符串变量进行赋值,此函数是通过scanner对象对规则中字符串变量进行赋值。
int yr_scanner_define_string_variable(YR_SCANNER *scanner, const char *identifier, const char *value)2.38 yr_scanner_scan_mem_blocks
scanner扫描可迭代的内存块对象。
int yr_scanner_scan_mem_blocks(YR_SCANNER *scanner, YR_MEMORY_BLOCK_ITERATOR *iterator)2.39 yr_scanner_scan_mem
scanner扫描一段缓存区域。
int yr_scanner_scan_mem(YR_SCANNER *scanner, const uint8_t *buffer, size_t buffer_size)2.40 yr_scanner_scan_file
scanner扫描文件内容。
int yr_scanner_scan_file(YR_SCANNER *scanner, const char *filename)2.41 yr_scanner_scan_fd
scanner扫描文件描述符对应的文件内容。
int yr_scanner_scan_fd(YR_SCANNER *scanner, YR_FILE_DESCRIPTOR fd)2.42 yr_scanner_last_error_rule
返回触发扫描错误的规则对象的指针。如果规则对象没有定义,则返回NULL。例如在scanner扫描过程中出现错误,那么可以通过此函数判断是否为规则导致的错误。
YR_RULE *yr_scanner_last_error_rule(YR_SCANNER *scanner)2.43 yr_scanner_last_error_string
返回触发扫描错误的YR_STRING类型的指针。
YR_STRING *yr_scanner_last_error_string(YR_SCANNER *scanner)3. 错误码
3.1 ERROR_SUCCESS
执行成功。
3.2 ERROR_INSUFFICIENT_MEMORY
内存不足,无法完成操作。
3.3 ERROR_COULD_NOT_OPEN_FILE
无法打开文件。
3.4 ERROR_COULD_NOT_MAP_FILE
无法将文件映射到内存中。
3.5 ERROR_INVALID_FILE
文件不是有效的规则文件。
3.6 ERROR_CORRUPT_FILE
规则文件已被损坏。
3.7 ERROR_UNSUPPORTED_FILE_VERSION
规则文件由不同版本的Yara生成,并且当前版本无法正常加载此版本规则文件。
3.8 ERROR_TOO_MANY_SCAN_THREADS
太多的线程同时使用同一个YR_RULES对象。
3.9 ERROR_SCAN_TIMEOUT
扫描超时。
3.10 ERROR_CALLBACK_ERROR
回调函数返回错误。
3.11 ERROR_TOO_MANY_MATCHES
规则中某个字符串规则命中次数过多。一般在字符串规则过于简单常见的情况下出现这种情况。
3.12 ERROR_BLOCK_NOT_READY
下一个要扫描的内存块没有准备好。