在江南研究jsunpack-n（五）

今天被那个“程序项目管理”考试搞得我一整天没精神和心情搞jsunpack，好吧，还是得努力的研究。

看了下“大众脸也有春天”，搞笑！

===============================================================

今天把YARA语法剩下的部分学习完吧。

6. Includes

类似于c的#include

include "other.yar"

include "./includes/other.yar"
include "../includes/other.yar"

include "/home/plusvic/yara/includes/other.yar"    

windows下还可以：

include "c:/yara/includes/other.yar"
include "c:\\yara\\includes\\other.yar"

7. Using YARA from command-line

usage: yara [OPTION]... [RULEFILE]... FILE | PID

options:

-t <tag>                                        print rules tagged as <tag> and ignore the rest.
-i <identifier>                                 print rules named <identifier> and ignore the rest.
-n                                              print only not satisfied rules (negate).
-g                                              print tags.
-m                                              print metadata.
-s                                              print matching strings.
-l <number>                                     abort scanning after a <number> of rules matched.
-d <identifier>=<value>                         define external variable.
-r                                              recursively search directories.
-f                                              fast matching mode.
-v                                              show version information.

8. Using YARA from Python

程序之类的给点例子之类的。。看看就能模仿了。

Ps：首先要安装yara-python 环境

import yara   //使用yara

编译rule：

rules = yara.compile(filepath='/foo/bar/myrules')        //编译rules

rules = yara.compile('/foo/bar/myrules')          //不需要加filepath，它是默认的

fh = open('/foo/bar/myrules')                 //这种形式也行哦~
rules = yara.compile(file=fh)
fh.close()

这是直接编译写在里面的rule：

rules = yara.compile(source='rule dummy { condition: true }')

编译多个rule     (filepaths and sources)：

rules = yara.compile(filepaths={

'namespace1':'/my/path/rules1',
'namespace2':'/my/path/rules2'
})

rules = yara.compile(sources={

'namespace1':'rule dummy { condition: true }',
'namespace2':'rule dummy { condition: false }'

})

编译，如果被检测源文件使用了include指令就会报错

rules = yara.compile('/foo/bar/myrules', includes=False)

在编译时，给外部变量赋值（还记得外部变量（externals parameter）吗？）

rules = yara.compile( '/foo/rules',
                                  externals= {
                                      'var1': 'some string',
                                      'var2': 4,
                                      'var3': True
})

match 函数 和它的callback函数：

import yara
def mycallback(data):
print data
yara.CALLBACK_CONTINUE

matches = rules.match('/foo/bar/myfile', callback=mycallback)

Ps：callback就是每次match函数被调用的时候，自动调用的一个函数。

The passed dictionary will be something like this:
{
'tags': ['foo', 'bar'],
'matches': True,
'namespace': 'default',
'rule': 'my_rule',
'meta': {},
'strings': [(81, '$a', 'abc'), (141, '$b', 'def')]
}

总结下YARA的套路：

（1）用compile函数，编译返回一个Rule的类实例rule

（2）用match函数，匹配返回一个Match的类实例match

（3）查看match的内容就能完成得到想要的结果了