1. yara环境搭建
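# Build dependencies for libyara.
sudo apt-get install automake libtool make gcc pkg-config

# The tarball is fetched through a third-party proxy (github.91chifun.workers.dev),
# not from VirusTotal's GitHub release directly, so verify the archive digest
# against the value published for the upstream v4.1.1 release before building
# and installing anything from it.
wget https://github.91chifun.workers.dev/VirusTotal/yara/archive/refs/tags/v4.1.1.tar.gz
echo "<expected-sha256-of-upstream-v4.1.1.tar.gz>  v4.1.1.tar.gz" | sha256sum -c -
tar -zxvf v4.1.1.tar.gz
cd yara-4.1.1/
./bootstrap.sh
# --without-crypto builds libyara without OpenSSL; features that depend on it
# (e.g. the hash module) are then unavailable, which is fine for this example.
./configure --disable-shared --enable-static --without-crypto
# Installing under /usr/local and copying into /usr/lib64/pkgconfig need root.
make && sudo make install
sudo cp /usr/local/lib/pkgconfig/yara.pc /usr/lib64/pkgconfig

# cgo flags for go-yara. YARA_SRC must point at the tree extracted above;
# adjust the path if the archive was unpacked somewhere other than /opt/src.
export YARA_SRC=/opt/src/yara-4.1.1
export CGO_CFLAGS="-I${YARA_SRC}/libyara/include"
export CGO_LDFLAGS="-L${YARA_SRC}/libyara/.libs -lyara -lm"
go get github.com/hillu/go-yara/v4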
2. 编写测试文件 test.go
package main
import (
yara "github.com/hillu/go-yara/v4"
"io/ioutil"
"os"
"fmt"
)
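// main runs the example and exits with status 1 if any step fails, so a
// broken setup is reported on stderr instead of silently returning.
func main() {
	if err := run(); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}

// run compiles a single YARA rule, scans a temporary file containing " abc "
// with it and prints the matches. It returns an error naming the first step
// that failed; the temporary file is removed on every return path.
func run() error {
	rule := "rule test : tag1 { meta: author = \"Matt Blewitt\" strings: $a = \"abc\" fullword condition: $a }"

	c, err := yara.NewCompiler()
	if err != nil {
		return fmt.Errorf("creating compiler: %w", err)
	}
	if c == nil {
		return fmt.Errorf("creating compiler: nil compiler returned")
	}
	// The second argument is the rule namespace; "" selects the default one.
	if err := c.AddString(rule, ""); err != nil {
		return fmt.Errorf("compiling rule: %w", err)
	}
	r, err := c.GetRules()
	if err != nil {
		return fmt.Errorf("getting rules: %w", err)
	}
	// The original passed the undefined identifier `rules` here, which does
	// not compile; the compiled rule set is `r`.
	s, err := yara.NewScanner(r)
	if err != nil {
		return fmt.Errorf("creating scanner: %w", err)
	}

	// ioutil.TempFile is kept to leave the file's imports unchanged;
	// os.CreateTemp is the replacement on Go 1.16+.
	tf, err := ioutil.TempFile("", "TestScannerSimpleFileMatch")
	if err != nil {
		return fmt.Errorf("creating temp file: %w", err)
	}
	defer os.Remove(tf.Name())
	// The surrounding spaces matter: the rule uses `fullword`, so "abc" must
	// not be adjacent to other word characters.
	if _, err := tf.Write([]byte(" abc ")); err != nil {
		tf.Close()
		return fmt.Errorf("writing temp file: %w", err)
	}
	// Close before scanning so the contents are flushed to disk.
	if err := tf.Close(); err != nil {
		return fmt.Errorf("closing temp file: %w", err)
	}

	var m yara.MatchRules
	if err := s.SetCallback(&m).ScanFile(tf.Name()); err != nil {
		return fmt.Errorf("scanning %s: %w", tf.Name(), err)
	}
	if len(m) != 1 {
		return fmt.Errorf("expected 1 match, got %d", len(m))
	}
	fmt.Printf("Matches: %+v", m)
	return nil
}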