/*
 * Autopsy Forensic Browser
 *
 * Copyright 2020 Basis Technology Corp.
 * Contact: carrier <at> sleuthkit <dot> org
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
19package org.sleuthkit.autopsy.modules.yara;
20
import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_RULE;
import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME;

import java.io.File;
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import org.openide.modules.InstalledFileLocator;
import org.openide.util.NbBundle;
import org.sleuthkit.autopsy.coreutils.ExecUtil;
import org.sleuthkit.autopsy.ingest.IngestModule;
import org.sleuthkit.autopsy.ingest.IngestModule.IngestModuleException;
import org.sleuthkit.autopsy.modules.yara.rules.RuleSet;
import org.sleuthkit.autopsy.modules.yara.rules.RuleSetManager;
import org.sleuthkit.autopsy.yara.YaraJNIWrapper;
import org.sleuthkit.autopsy.yara.YaraWrapperException;
import org.sleuthkit.datamodel.AbstractFile;
import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.Score;
import org.sleuthkit.datamodel.TskCoreException;
43
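/**
 * Static helpers shared by the YARA ingest module: compiling the configured
 * rule sets with the bundled yarac executable, and scanning file content
 * against the compiled rules to produce TSK_YARA_HIT analysis results.
 *
 * <p>Rule files and the compiler location come from the module's own
 * configuration and installed files, never from the evidence being scanned.
 * The {@code timeout} argument of the scan methods is passed straight through
 * to the JNI wrapper so that the time spent on any single file is bounded.
 */
final class YaraIngestHelper {

    private static final String YARA_DIR = "yara";
    private static final String YARA_C_EXE = "yarac64.exe";
    private static final String MODULE_NAME = YaraIngestModuleFactory.getModuleName();

    /** Not instantiable; every member is static. */
    private YaraIngestHelper() {
    }

    /**
     * Compiles every rule file of the named rule sets into {@code outputDir}.
     * One sub-directory per rule set is created under {@code outputDir}; each
     * compiled file is named {@code "compiled_" + sourceFileName}.
     *
     * @param ruleSetNames names of the configured rule sets to compile; must be non-empty
     * @param outputDir directory that receives one sub-directory per rule set
     * @throws IngestModuleException if no rule set names were given, none of the
     * names matches a configured rule set, the yarac executable cannot be located,
     * or a rule file fails to compile
     */
    static void compileRules(List<String> ruleSetNames, Path outputDir) throws IngestModuleException {
        if (ruleSetNames == null || ruleSetNames.isEmpty()) {
            throw new IngestModule.IngestModuleException(Bundle.YaraIngestModule_no_ruleSets());
        }

        // Locate the bundled yarac compiler relative to this module's installed files.
        File exeFile = InstalledFileLocator.getDefault().locate(
                Paths.get(YARA_DIR, YARA_C_EXE).toString(),
                YaraIngestModule.class.getPackage().getName(), false);

        if (exeFile == null) {
            throw new IngestModuleException(Bundle.YaraIngestModule_yarac_not_found());
        }

        List<RuleSet> ruleSets = getRuleSetsForNames(ruleSetNames);
        // Selected names that no longer resolve to a configured rule set would otherwise
        // compile nothing and every later scan would silently report no hits.
        if (ruleSets.isEmpty()) {
            throw new IngestModuleException(String.format("None of the selected YARA rule sets exist: %s", ruleSetNames));
        }

        for (RuleSet set : ruleSets) {
            compileRuleSet(set, outputDir, exeFile);
        }
    }

    /**
     * Scans an in-memory copy of a file's content against every compiled rule
     * set under {@code baseRuleSetDirectory} and creates one TSK_YARA_HIT
     * artifact per matching rule.
     *
     * @param file the file the artifacts are attached to
     * @param baseRuleSetDirectory directory holding one sub-directory of compiled rule files per rule set
     * @param fileData the content to scan
     * @param fileDataSize number of valid bytes in {@code fileData}
     * @param timeout scan timeout handed to the YARA JNI wrapper
     * @return the created artifacts; empty when nothing matched
     * @throws TskCoreException if an artifact cannot be created
     * @throws YaraWrapperException if the native scan fails
     * @throws IllegalStateException if {@code baseRuleSetDirectory} or one of its
     * entries cannot be listed
     */
    static List<BlackboardArtifact> scanFileForMatches(AbstractFile file, File baseRuleSetDirectory, byte[] fileData, int fileDataSize, int timeout) throws TskCoreException, YaraWrapperException {
        List<BlackboardArtifact> artifacts = new ArrayList<>();

        for (File ruleSetDirectory : listEntries(baseRuleSetDirectory)) {
            List<String> ruleMatches = scanFileForMatches(fileData, fileDataSize, ruleSetDirectory, timeout);
            if (!ruleMatches.isEmpty()) {
                artifacts.addAll(createArtifact(file, ruleSetDirectory.getName(), ruleMatches));
            }
        }

        return artifacts;
    }

    /**
     * Scans a file on the local disk against every compiled rule set under
     * {@code baseRuleSetDirectory} and creates one TSK_YARA_HIT artifact per
     * matching rule. Same contract as the in-memory overload, but the native
     * side reads {@code localFile} itself.
     *
     * @param file the file the artifacts are attached to
     * @param baseRuleSetDirectory directory holding one sub-directory of compiled rule files per rule set
     * @param localFile local on-disk copy of the content to scan
     * @param timeout scan timeout handed to the YARA JNI wrapper
     * @return the created artifacts; empty when nothing matched
     * @throws TskCoreException if an artifact cannot be created
     * @throws YaraWrapperException if the native scan fails
     * @throws IllegalStateException if {@code baseRuleSetDirectory} or one of its
     * entries cannot be listed
     */
    static List<BlackboardArtifact> scanFileForMatches(AbstractFile file, File baseRuleSetDirectory, File localFile, int timeout) throws TskCoreException, YaraWrapperException {
        List<BlackboardArtifact> artifacts = new ArrayList<>();

        for (File ruleSetDirectory : listEntries(baseRuleSetDirectory)) {
            List<String> ruleMatches = scanFileForMatch(localFile, ruleSetDirectory, timeout);
            if (!ruleMatches.isEmpty()) {
                artifacts.addAll(createArtifact(file, ruleSetDirectory.getName(), ruleMatches));
            }
        }

        return artifacts;
    }

    /**
     * Runs every compiled rule file in {@code ruleSetDirectory} over an in-memory buffer.
     *
     * @return the names of all matching rules, across all rule files in the directory
     */
    private static List<String> scanFileForMatches(byte[] fileBytes, int fileSize, File ruleSetDirectory, int timeout) throws YaraWrapperException {
        List<String> matchingRules = new ArrayList<>();

        for (File ruleFile : listEntries(ruleSetDirectory)) {
            matchingRules.addAll(YaraJNIWrapper.findRuleMatch(ruleFile.getAbsolutePath(), fileBytes, fileSize, timeout));
        }

        return matchingRules;
    }

    /**
     * Runs every compiled rule file in {@code ruleSetDirectory} over a file on disk.
     *
     * @return the names of all matching rules, across all rule files in the directory
     */
    private static List<String> scanFileForMatch(File scanFile, File ruleSetDirectory, int timeout) throws YaraWrapperException {
        List<String> matchingRules = new ArrayList<>();

        for (File ruleFile : listEntries(ruleSetDirectory)) {
            matchingRules.addAll(YaraJNIWrapper.findRuleMatchFile(ruleFile.getAbsolutePath(), scanFile.getAbsolutePath(), timeout));
        }

        return matchingRules;
    }

    /**
     * Lists the entries of a directory. {@link File#listFiles()} returns
     * {@code null} when the path is not a directory or cannot be read; that case
     * is turned into an explicit exception here so a missing or unreadable rule
     * set directory is reported rather than surfacing as a NullPointerException
     * (or, worse, being mistaken for "no rules, no hits").
     *
     * @throws IllegalStateException if the directory cannot be listed
     */
    private static File[] listEntries(File directory) {
        File[] entries = directory.listFiles();
        if (entries == null) {
            throw new IllegalStateException(String.format("Unable to list YARA rule directory %s", directory));
        }
        return entries;
    }

    /**
     * Creates one TSK_YARA_HIT analysis result per matching rule, each carrying
     * the rule set name (TSK_SET_NAME) and the rule name (TSK_RULE) as
     * attributes and scored as notable.
     *
     * @param abstractFile the file the results are attached to
     * @param ruleSetName name of the rule set (the compiled sub-directory name) that produced the matches
     * @param matchingRules names of the rules that matched
     * @return the created artifacts, in the order of {@code matchingRules}
     * @throws TskCoreException if a result cannot be written to the case database
     */
    private static List<BlackboardArtifact> createArtifact(AbstractFile abstractFile, String ruleSetName, List<String> matchingRules) throws TskCoreException {
        List<BlackboardArtifact> artifacts = new ArrayList<>();
        for (String rule : matchingRules) {
            List<BlackboardAttribute> attributes = new ArrayList<>();
            attributes.add(new BlackboardAttribute(TSK_SET_NAME, MODULE_NAME, ruleSetName));
            attributes.add(new BlackboardAttribute(TSK_RULE, MODULE_NAME, rule));

            // The third argument is left null here as in the original call; the rule set
            // name and rule name are passed as the result's configuration/justification
            // fields — TODO confirm the parameter roles against the Autopsy API.
            BlackboardArtifact artifact = abstractFile.newAnalysisResult(BlackboardArtifact.Type.TSK_YARA_HIT, Score.SCORE_NOTABLE, null, ruleSetName, rule, attributes)
                    .getAnalysisResult();

            artifacts.add(artifact);
        }
        return artifacts;
    }

    /**
     * Compiles each rule file of one rule set with yarac into
     * {@code outputDir/<set name>/compiled_<rule file name>}.
     *
     * @param set the rule set to compile
     * @param outputDir parent directory for the per-rule-set output folder
     * @param yarac the yarac executable
     * @throws IngestModuleException if the output folder cannot be created, yarac
     * exits with a non-zero status, or it cannot be launched
     */
    @NbBundle.Messages({
        "YaraIngestModule_yarac_not_found=Unable to compile YARA rules files. Unable to find executable at.",
        "YaraIngestModule_no_ruleSets=Unable to run YARA ingest, list of YARA rule sets was empty."
    })
    private static void compileRuleSet(RuleSet set, Path outputDir, File yarac) throws IngestModuleException {
        File tempFolder = Paths.get(outputDir.toString(), set.getName()).toFile();
        // mkdirs() also returns false when the folder was created concurrently, so the
        // final isDirectory() check decides whether compilation can proceed.
        if (!tempFolder.isDirectory() && !tempFolder.mkdirs() && !tempFolder.isDirectory()) {
            throw new IngestModuleException(String.format("Failed to create output folder %s for Yara rule set %s", tempFolder, set.getName()));
        }

        for (File file : set.getRuleFiles()) {
            // Each argument is passed as its own list element (no shell involved).
            // NOTE(review): the arguments are wrapped in literal double quotes before being
            // handed to ProcessBuilder, presumably for how ExecUtil builds the Windows command
            // line; a path containing a double quote would not survive this — confirm with ExecUtil.
            List<String> commandList = new ArrayList<>();
            commandList.add(String.format("\"%s\"", yarac.toString()));
            commandList.add(String.format("\"%s\"", file.toString()));
            commandList.add(String.format("\"%s\"", Paths.get(tempFolder.getAbsolutePath(), "compiled_" + file.getName())));

            ProcessBuilder builder = new ProcessBuilder(commandList);
            try {
                int result = ExecUtil.execute(builder);
                if (result != 0) {
                    throw new IngestModuleException(String.format("Failed to compile Yara rules file %s. Compile error %d", file.toString(), result));
                }
            } catch (SecurityException | IOException ex) {
                throw new IngestModuleException(String.format("Failed to compile Yara rules file, %s", file.toString()), ex);
            }
        }
    }

    /**
     * Resolves rule set names to the configured rule sets, preserving the
     * order of {@link RuleSetManager#getRuleSetList()}. Names that match no
     * configured set are skipped.
     *
     * @param names the rule set names to look up
     * @return the matching rule sets; empty if none of the names is configured
     */
    private static List<RuleSet> getRuleSetsForNames(List<String> names) {
        // Set lookup keeps this linear in the number of configured rule sets.
        Set<String> wanted = new HashSet<>(names);
        List<RuleSet> ruleSetList = new ArrayList<>();

        RuleSetManager manager = RuleSetManager.getInstance();
        for (RuleSet set : manager.getRuleSetList()) {
            if (wanted.contains(set.getName())) {
                ruleSetList.add(set);
            }
        }

        return ruleSetList;
    }
}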
