YaraIngestHelper.java
1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2020 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.modules.yara;
20 
21 import java.io.File;
22 import java.io.IOException;
23 import java.nio.file.Path;
24 import java.nio.file.Paths;
25 import java.util.ArrayList;
26 import java.util.List;
27 import org.openide.modules.InstalledFileLocator;
28 import org.openide.util.NbBundle;
34 import org.sleuthkit.autopsy.yara.YaraJNIWrapper;
35 import org.sleuthkit.autopsy.yara.YaraWrapperException;
36 import org.sleuthkit.datamodel.AbstractFile;
37 import org.sleuthkit.datamodel.BlackboardArtifact;
38 import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_YARA_HIT;
39 import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME;
40 import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_RULE;
41 import org.sleuthkit.datamodel.BlackboardAttribute;
42 import org.sleuthkit.datamodel.TskCoreException;
43 
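/**
 * Static helpers for the YARA ingest module: compiling the selected rule sets
 * with the bundled yarac executable, and scanning file content against the
 * compiled rules, turning every matching rule into a TSK_YARA_HIT artifact.
 */
final class YaraIngestHelper {

    private static final String YARA_DIR = "yara";
    private static final String YARA_C_EXE = "yarac64.exe";
    private static final String MODULE_NAME = YaraIngestModuleFactory.getModuleName();
    // Prefix given to every compiled rule file written by compileRuleSet().
    private static final String COMPILED_FILE_PREFIX = "compiled_";

    private YaraIngestHelper() {
    }

    /**
     * Compiles every rule file of the named rule sets with the bundled yarac
     * executable. One sub-directory of {@code outputDir} is created per rule
     * set, holding one compiled file per source rule file.
     *
     * @param ruleSetNames Names of the rule sets to compile; must be non-empty.
     *                     Names that do not match a known rule set are
     *                     silently ignored (see getRuleSetsForNames).
     * @param outputDir    Directory that receives the per-rule-set output
     *                     folders.
     *
     * @throws IngestModuleException if no rule set names were given, yarac
     *                               cannot be located, or a rule file fails to
     *                               compile.
     */
    static void compileRules(List<String> ruleSetNames, Path outputDir) throws IngestModuleException {
        if (ruleSetNames == null || ruleSetNames.isEmpty()) {
            throw new IngestModuleException(Bundle.YaraIngestModule_no_ruleSets());
        }

        // Locate the yarac compiler shipped with this module (not javac).
        File exeFile = InstalledFileLocator.getDefault().locate(
                Paths.get(YARA_DIR, YARA_C_EXE).toString(),
                YaraIngestModule.class.getPackage().getName(), false);

        if (exeFile == null) {
            throw new IngestModuleException(Bundle.YaraIngestModule_yarac_not_found());
        }

        for (RuleSet set : getRuleSetsForNames(ruleSetNames)) {
            compileRuleSet(set, outputDir, exeFile);
        }
    }

    /**
     * Scans an in-memory copy of a file's content against every compiled rule
     * set found under {@code baseRuleSetDirectory}.
     *
     * @param file                 The file the artifacts are attached to.
     * @param baseRuleSetDirectory Directory holding one sub-directory of
     *                             compiled rules per rule set, as produced by
     *                             compileRules().
     * @param fileData             Buffer holding the file content.
     * @param fileDataSize         Number of valid bytes in fileData.
     * @param timeout              Scan timeout handed to the YARA wrapper
     *                             (units defined by YaraJNIWrapper).
     *
     * @return One TSK_YARA_HIT artifact per matching rule; empty when nothing
     *         matched.
     *
     * @throws TskCoreException      if an artifact cannot be created.
     * @throws YaraWrapperException  if the YARA scan itself fails.
     * @throws IllegalStateException if baseRuleSetDirectory (or one of its rule
     *                               set directories) cannot be listed.
     */
    static List<BlackboardArtifact> scanFileForMatches(AbstractFile file, File baseRuleSetDirectory, byte[] fileData, int fileDataSize, int timeout) throws TskCoreException, YaraWrapperException {
        List<BlackboardArtifact> artifacts = new ArrayList<>();

        for (File ruleSetDirectory : listRuleSetDirectories(baseRuleSetDirectory)) {
            List<String> ruleMatches = scanFileForMatches(fileData, fileDataSize, ruleSetDirectory, timeout);
            if (!ruleMatches.isEmpty()) {
                artifacts.addAll(createArtifact(file, ruleSetDirectory.getName(), ruleMatches));
            }
        }

        return artifacts;
    }

    /**
     * Scans a file on local disk against every compiled rule set found under
     * {@code baseRuleSetDirectory}.
     *
     * @param file                 The file the artifacts are attached to.
     * @param baseRuleSetDirectory Directory holding one sub-directory of
     *                             compiled rules per rule set, as produced by
     *                             compileRules().
     * @param localFile            Local copy of the file content to scan.
     * @param timeout              Scan timeout handed to the YARA wrapper
     *                             (units defined by YaraJNIWrapper).
     *
     * @return One TSK_YARA_HIT artifact per matching rule; empty when nothing
     *         matched.
     *
     * @throws TskCoreException      if an artifact cannot be created.
     * @throws YaraWrapperException  if the YARA scan itself fails.
     * @throws IllegalStateException if baseRuleSetDirectory (or one of its rule
     *                               set directories) cannot be listed.
     */
    static List<BlackboardArtifact> scanFileForMatches(AbstractFile file, File baseRuleSetDirectory, File localFile, int timeout) throws TskCoreException, YaraWrapperException {
        List<BlackboardArtifact> artifacts = new ArrayList<>();

        for (File ruleSetDirectory : listRuleSetDirectories(baseRuleSetDirectory)) {
            List<String> ruleMatches = scanFileForMatch(localFile, ruleSetDirectory, timeout);
            if (!ruleMatches.isEmpty()) {
                artifacts.addAll(createArtifact(file, ruleSetDirectory.getName(), ruleMatches));
            }
        }

        return artifacts;
    }

    /**
     * Lists the rule set sub-directories of the compiled rules base directory.
     * Only directories are returned: a stray plain file at this level would
     * otherwise be handed to the per-rule-set scan, where listFiles() returns
     * null for it.
     *
     * @throws IllegalStateException if the base directory cannot be listed.
     */
    private static List<File> listRuleSetDirectories(File baseRuleSetDirectory) {
        List<File> ruleSetDirectories = new ArrayList<>();
        for (File entry : listEntriesOrFail(baseRuleSetDirectory)) {
            if (entry.isDirectory()) {
                ruleSetDirectories.add(entry);
            }
        }
        return ruleSetDirectories;
    }

    /**
     * Lists the entries of a directory, failing loudly instead of returning
     * null. File.listFiles() yields null when the path is not a directory or
     * cannot be read; treating that as "no rules" would make the scan silently
     * apply nothing, so it is reported as an error with the offending path.
     *
     * @throws IllegalStateException if the directory cannot be listed.
     */
    private static File[] listEntriesOrFail(File directory) {
        File[] entries = (directory == null) ? null : directory.listFiles();
        if (entries == null) {
            throw new IllegalStateException(String.format("Unable to list YARA rule directory %s", directory));
        }
        return entries;
    }

    /**
     * Runs every compiled rule file in {@code ruleSetDirectory} against an
     * in-memory buffer.
     *
     * @return Names of the rules that matched, accumulated across all compiled
     *         files of the rule set.
     */
    private static List<String> scanFileForMatches(byte[] fileBytes, int fileSize, File ruleSetDirectory, int timeout) throws YaraWrapperException {
        List<String> matchingRules = new ArrayList<>();

        for (File ruleFile : listEntriesOrFail(ruleSetDirectory)) {
            // Only regular files can be compiled rule files.
            if (ruleFile.isFile()) {
                matchingRules.addAll(YaraJNIWrapper.findRuleMatch(ruleFile.getAbsolutePath(), fileBytes, fileSize, timeout));
            }
        }

        return matchingRules;
    }

    /**
     * Runs every compiled rule file in {@code ruleSetDirectory} against a file
     * on local disk.
     *
     * @return Names of the rules that matched, accumulated across all compiled
     *         files of the rule set.
     */
    private static List<String> scanFileForMatch(File scanFile, File ruleSetDirectory, int timeout) throws YaraWrapperException {
        List<String> matchingRules = new ArrayList<>();

        for (File ruleFile : listEntriesOrFail(ruleSetDirectory)) {
            // Only regular files can be compiled rule files.
            if (ruleFile.isFile()) {
                matchingRules.addAll(YaraJNIWrapper.findRuleMatchFile(ruleFile.getAbsolutePath(), scanFile.getAbsolutePath(), timeout));
            }
        }

        return matchingRules;
    }

    /**
     * Creates one TSK_YARA_HIT artifact per matching rule, tagged with the rule
     * set name (TSK_SET_NAME) and the rule name (TSK_RULE).
     *
     * @param abstractFile  File the artifacts are attached to.
     * @param ruleSetName   Name of the rule set the rules belong to.
     * @param matchingRules Names of the rules that matched.
     *
     * @return The newly created artifacts, in the order of matchingRules.
     *
     * @throws TskCoreException if an artifact or attribute cannot be written.
     */
    private static List<BlackboardArtifact> createArtifact(AbstractFile abstractFile, String ruleSetName, List<String> matchingRules) throws TskCoreException {
        List<BlackboardArtifact> artifacts = new ArrayList<>();
        for (String rule : matchingRules) {
            BlackboardArtifact artifact = abstractFile.newArtifact(TSK_YARA_HIT);

            List<BlackboardAttribute> attributes = new ArrayList<>();
            attributes.add(new BlackboardAttribute(TSK_SET_NAME, MODULE_NAME, ruleSetName));
            attributes.add(new BlackboardAttribute(TSK_RULE, MODULE_NAME, rule));
            artifact.addAttributes(attributes);

            artifacts.add(artifact);
        }
        return artifacts;
    }

    /**
     * Compiles every rule file of one rule set with yarac, writing the compiled
     * output into {@code outputDir/<rule set name>/compiled_<rule file name>}.
     *
     * @param set       Rule set whose files are compiled.
     * @param outputDir Base output directory; a sub-directory named after the
     *                  rule set is created under it if missing.
     * @param yarac     The yarac executable to run.
     *
     * @throws IngestModuleException if the rule set name would resolve outside
     *                               outputDir, the output directory cannot be
     *                               created, or yarac fails or cannot be run.
     */
    @NbBundle.Messages({
        "YaraIngestModule_yarac_not_found=Unable to compile YARA rules files. Unable to find executable at.",
        "YaraIngestModule_no_ruleSets=Unable to run YARA ingest, list of YARA rule sets was empty."
    })
    static private void compileRuleSet(RuleSet set, Path outputDir, File yarac) throws IngestModuleException {
        // The rule set name becomes a path component. Rule set names are
        // expected to be plain identifiers; this containment check is defence
        // in depth so a name with separators or ".." cannot steer the output
        // outside outputDir.
        Path base = outputDir.toAbsolutePath().normalize();
        Path setFolder = Paths.get(outputDir.toString(), set.getName()).toAbsolutePath().normalize();
        if (!setFolder.startsWith(base)) {
            throw new IngestModuleException(String.format("Yara rule set name %s is not a valid directory name", set.getName()));
        }

        // mkdirs() returning false is not an error on its own (another thread
        // may have created it); only a missing directory afterwards is.
        File tempFolder = setFolder.toFile();
        if (!tempFolder.isDirectory()) {
            tempFolder.mkdirs();
            if (!tempFolder.isDirectory()) {
                throw new IngestModuleException(String.format("Unable to create output directory %s for Yara rule set %s", tempFolder, set.getName()));
            }
        }

        for (File file : set.getRuleFiles()) {
            // NOTE(review): the output name is derived from the input's base
            // name only, so two rule files with the same name in one set would
            // overwrite each other's compiled output — confirm names are unique.
            Path compiledFile = Paths.get(tempFolder.getAbsolutePath(), COMPILED_FILE_PREFIX + file.getName());

            // NOTE(review): each argument is wrapped in literal double quotes
            // even though ProcessBuilder(List) takes arguments individually.
            // yarac64.exe is Windows-only, and this presumably relies on the
            // Windows launcher passing an already-quoted argument through
            // unchanged — confirm before reusing this on another platform.
            List<String> commandList = new ArrayList<>();
            commandList.add(String.format("\"%s\"", yarac.toString()));
            commandList.add(String.format("\"%s\"", file.toString()));
            commandList.add(String.format("\"%s\"", compiledFile));

            ProcessBuilder builder = new ProcessBuilder(commandList);
            try {
                int result = ExecUtil.execute(builder);
                if (result != 0) {
                    throw new IngestModuleException(String.format("Failed to compile Yara rules file %s. Compile error %d", file.toString(), result));
                }
            } catch (SecurityException | IOException ex) {
                throw new IngestModuleException(String.format("Failed to compile Yara rules file, %s", file.toString()), ex);
            }
        }
    }

    /**
     * Looks up the rule sets registered with RuleSetManager whose names appear
     * in {@code names}.
     *
     * The manager's list is iterated (not the requested names), so the result
     * keeps the manager's ordering, and a requested name that matches no rule
     * set is dropped without any error — a misspelled name means those rules
     * are never compiled or applied.
     *
     * @param names Rule set names to look up.
     *
     * @return The matching rule sets; empty when none match.
     */
    private static List<RuleSet> getRuleSetsForNames(List<String> names) {
        List<RuleSet> ruleSetList = new ArrayList<>();

        for (RuleSet set : RuleSetManager.getInstance().getRuleSetList()) {
            if (names.contains(set.getName())) {
                ruleSetList.add(set);
            }
        }

        return ruleSetList;
    }
}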
