from binaryninja import *
import yara
def get_yara_rule_path():
    """Prompt the user for a YARA rule file and return the selected path.

    Returns whatever the Binary Ninja open-file dialog helper returns; the
    caller treats ``None`` as "dialog dismissed".
    """
    prompt_title = "Open YARA rule"
    file_filter = "YARA rules (*.yar *.yara)"
    return get_open_filename_input(prompt_title, file_filter)
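def _markdown_cell_text(raw):
    """Return *raw* (bytes or str) as text that can sit inside a markdown link/table cell.

    Matched string data and symbol names come from the scanned binary, so they
    may be invalid UTF-8 or contain characters that close the link text ("]")
    or the table cell ("|") and break the report layout. Undecodable bytes are
    replaced and the structural characters are backslash-escaped.
    """
    if isinstance(raw, bytes):
        text = raw.decode('utf-8', errors='replace')
    else:
        text = str(raw)
    escapes = str.maketrans({'|': '\\|', '[': '\\[', ']': '\\]', '\n': ' ', '\r': ' '})
    return text.translate(escapes)


def get_markdown_result(matches):
    """Build the markdown report shown after a YARA scan.

    Args:
        matches: list of yara callback dicts collected by plugin_search_file.
            Each carries 'rule' and 'strings' (``[(offset, identifier, data), ...]``)
            and optionally 'funcs', the functions found to contain a match.

    Returns:
        Markdown text: a heading plus one table row per matching rule, with
        function names and matched strings rendered as ``binaryninja://`` links.
    """
    entry_fmt = "| {} | {} | {} |\n"
    parts = ["""# YARA - Scan results
| Rule Name | Function | Strings offsets |
|-----------|----------|-----------------|
"""]
    for m in matches:
        rule = m['rule']
        funcs = m.get('funcs') or []
        func = '-'
        if funcs:
            # '{name}' is the keyword field. The original '{:name}' was a
            # positional field with format spec "name" and raised IndexError
            # as soon as a match fell inside a function.
            func = " ".join(
                '[{name}](binaryninja://?expr={name})'.format(name=_markdown_cell_text(f.name))
                for f in funcs
            )
        # 'strings': [(81L, '$a', 'abc'), (141L, '$b', 'def')]
        # NOTE(review): newer yara-python releases report string matches as
        # objects rather than (offset, identifier, data) tuples; confirm
        # against the installed version before relying on the unpacking here.
        offsets = " ".join(
            '["{}"](binaryninja://?expr=0x{:x})'.format(_markdown_cell_text(data), offset)
            for offset, _, data in m['strings']
        )
        parts.append(entry_fmt.format(rule, func, offsets))
    return "".join(parts)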
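def plugin_search_file(bv):
    """Scan the file backing *bv* with a user-chosen YARA rule and report matches.

    Prompts for a rule file, compiles it, matches it against the original
    on-disk file and shows a markdown report (see get_markdown_result) when at
    least one rule matched. Failures are logged and surfaced in a message box
    instead of being raised, because this runs as a UI plugin command.
    """
    matches = []

    def yara_callback(data):
        """Collect one match dict from yara-python. Upstream documents its shape as:
        {
        'tags': ['foo', 'bar'],
        'matches': True,
        'namespace': 'default',
        'rule': 'my_rule',
        'meta': {},
        'strings': [(81L, '$a', 'abc'), (141L, '$b', 'def')]
        }
        """
        if data['matches']:
            funcs = []
            # NOTE(review): newer yara-python releases report string matches as
            # objects rather than (offset, identifier, data) tuples; confirm
            # against the installed version before relying on this unpacking.
            for offset, _, _ in data['strings']:
                # yara scanned the file on disk, so the offset is a file offset;
                # function lookup needs the virtual address it is mapped to.
                # Offsets outside any mapped segment (headers, overlays) have no
                # address and are skipped. The report link still shows the raw
                # file offset.
                addr = bv.get_address_for_data_offset(offset)
                if addr is None:
                    continue
                funcs += bv.get_functions_containing(addr)
            data['funcs'] = funcs
            matches.append(data)
        # The original evaluated this constant without returning it; yara
        # expects the callback to return it to keep scanning.
        return yara.CALLBACK_CONTINUE

    yara_path = get_yara_rule_path()
    # user closed message prompt
    if yara_path is None:
        return
    # The dialog helper has returned bytes on older API versions and str on
    # newer ones; calling .decode() on a str would raise AttributeError.
    if isinstance(yara_path, bytes):
        yara_path = yara_path.decode('utf-8')
    try:
        rules = yara.compile(filepath=yara_path)
        rules.match(bv.file.original_filename, callback=yara_callback)
    except Exception as e:
        log_error("[YARA] Exception: {}".format(str(e)))
        show_message_box("Error", "Check logs for details", icon=MessageBoxIcon.ErrorIcon)
        # Do not fall through: a compile error would otherwise be reported
        # as a misleading "No matches".
        return
    if matches:
        bv.show_markdown_report("YARA", get_markdown_result(matches))
    else:
        log_info("[YARA] No matches")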
def plugin_search_functions(bv):
    """Placeholder for per-function scanning; only tells the user it is not implemented."""
    title = "Not implemented"
    body = "This feature is not implemented yet"
    show_message_box(title, body)
# TODO implement Background task maybe?
# Register the file-scan command in the Binary Ninja plugin menu.
command_name = "[YARA] Scan file with yara rule..."
command_description = "Scan file with yara rule"
PluginCommand.register(command_name, command_description, plugin_search_file)
# PluginCommand.register('[YARA] Scan functions with yara rule...', "Scan all functions with yara rules (might be slower)", plugin_search_functions)