Autopsy  4.20.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
YaraIngestHelper.java
Go to the documentation of this file.
1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2020 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.modules.yara;
20 
21 import java.io.File;
22 import java.io.IOException;
23 import java.nio.file.Path;
24 import java.nio.file.Paths;
25 import java.util.ArrayList;
26 import java.util.List;
27 import org.openide.modules.InstalledFileLocator;
28 import org.openide.util.NbBundle;
29 import org.sleuthkit.autopsy.coreutils.ExecUtil;
30 import org.sleuthkit.autopsy.ingest.IngestModule;
31 import org.sleuthkit.autopsy.ingest.IngestModule.IngestModuleException;
32 import org.sleuthkit.autopsy.modules.yara.rules.RuleSet;
33 import org.sleuthkit.autopsy.modules.yara.rules.RuleSetManager;
34 import org.sleuthkit.autopsy.yara.YaraJNIWrapper;
35 import org.sleuthkit.autopsy.yara.YaraWrapperException;
36 import org.sleuthkit.datamodel.AbstractFile;
37 import org.sleuthkit.datamodel.BlackboardArtifact;
38 import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME;
39 import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_RULE;
40 import org.sleuthkit.datamodel.BlackboardAttribute;
41 import org.sleuthkit.datamodel.Score;
42 import org.sleuthkit.datamodel.TskCoreException;
43 
47 final class YaraIngestHelper {
48 
49  private static final String YARA_DIR = "yara";
50  private static final String YARA_C_EXE = "yarac64.exe";
51  private static final String MODULE_NAME = YaraIngestModuleFactory.getModuleName();
52 
53  private YaraIngestHelper() {
54  }
55 
64  static void compileRules(List<String> ruleSetNames, Path outputDir) throws IngestModuleException {
65  if (ruleSetNames == null || ruleSetNames.isEmpty()) {
66  throw new IngestModule.IngestModuleException(Bundle.YaraIngestModule_no_ruleSets());
67  }
68 
69  // Find javac
70  File exeFile = InstalledFileLocator.getDefault().locate(
71  Paths.get(YARA_DIR, YARA_C_EXE).toString(),
72  YaraIngestModule.class.getPackage().getName(), false);
73 
74  if (exeFile == null) {
75  throw new IngestModuleException(Bundle.YaraIngestModule_yarac_not_found());
76  }
77 
78  for (RuleSet set : getRuleSetsForNames(ruleSetNames)) {
79  compileRuleSet(set, outputDir, exeFile);
80  }
81  }
82 
96  static List<BlackboardArtifact> scanFileForMatches(AbstractFile file, File baseRuleSetDirectory, byte[] fileData, int fileDataSize, int timeout) throws TskCoreException, YaraWrapperException {
97  List<BlackboardArtifact> artifacts = new ArrayList<>();
98 
99  File[] ruleSetDirectories = baseRuleSetDirectory.listFiles();
100  for (File ruleSetDirectory : ruleSetDirectories) {
101 
102  List<String> ruleMatches = YaraIngestHelper.scanFileForMatches(fileData, fileDataSize, ruleSetDirectory, timeout);
103  if (!ruleMatches.isEmpty()) {
104  artifacts.addAll(YaraIngestHelper.createArtifact(file, ruleSetDirectory.getName(), ruleMatches));
105  }
106  }
107 
108  return artifacts;
109  }
110 
126  static List<BlackboardArtifact> scanFileForMatches(AbstractFile file, File baseRuleSetDirectory, File localFile, int timeout) throws TskCoreException, YaraWrapperException {
127  List<BlackboardArtifact> artifacts = new ArrayList<>();
128 
129  File[] ruleSetDirectories = baseRuleSetDirectory.listFiles();
130  for (File ruleSetDirectory : ruleSetDirectories) {
131  List<String> ruleMatches = YaraIngestHelper.scanFileForMatch(localFile, ruleSetDirectory, timeout);
132  if (!ruleMatches.isEmpty()) {
133  artifacts.addAll(YaraIngestHelper.createArtifact(file, ruleSetDirectory.getName(), ruleMatches));
134  }
135  }
136 
137  return artifacts;
138  }
139 
152  private static List<String> scanFileForMatches(byte[] fileBytes, int fileSize, File ruleSetDirectory, int timeout) throws YaraWrapperException {
153  List<String> matchingRules = new ArrayList<>();
154 
155  File[] ruleSetCompiledFileList = ruleSetDirectory.listFiles();
156 
157  for (File ruleFile : ruleSetCompiledFileList) {
158  matchingRules.addAll(YaraJNIWrapper.findRuleMatch(ruleFile.getAbsolutePath(), fileBytes, fileSize, timeout));
159  }
160 
161  return matchingRules;
162  }
163 
177  private static List<String> scanFileForMatch(File scanFile, File ruleSetDirectory, int timeout) throws YaraWrapperException {
178  List<String> matchingRules = new ArrayList<>();
179 
180  File[] ruleSetCompiledFileList = ruleSetDirectory.listFiles();
181 
182  for (File ruleFile : ruleSetCompiledFileList) {
183  matchingRules.addAll(YaraJNIWrapper.findRuleMatchFile(ruleFile.getAbsolutePath(), scanFile.getAbsolutePath(), timeout));
184  }
185 
186  return matchingRules;
187  }
188 
200  private static List<BlackboardArtifact> createArtifact(AbstractFile abstractFile, String ruleSetName, List<String> matchingRules) throws TskCoreException {
201  List<BlackboardArtifact> artifacts = new ArrayList<>();
202  for (String rule : matchingRules) {
203 
204  List<BlackboardAttribute> attributes = new ArrayList<>();
205 
206  attributes.add(new BlackboardAttribute(TSK_SET_NAME, MODULE_NAME, ruleSetName));
207  attributes.add(new BlackboardAttribute(TSK_RULE, MODULE_NAME, rule));
208 
209  BlackboardArtifact artifact = abstractFile.newAnalysisResult(BlackboardArtifact.Type.TSK_YARA_HIT, Score.SCORE_NOTABLE, null, ruleSetName, rule, attributes)
210  .getAnalysisResult();
211 
212  artifacts.add(artifact);
213  }
214  return artifacts;
215  }
216 
217  @NbBundle.Messages({
218  "YaraIngestModule_yarac_not_found=Unable to compile YARA rules files. Unable to find executable at.",
219  "YaraIngestModule_no_ruleSets=Unable to run YARA ingest, list of YARA rule sets was empty."
220  })
221 
233  static private void compileRuleSet(RuleSet set, Path outputDir, File yarac) throws IngestModuleException {
234  File tempFolder = Paths.get(outputDir.toString(), set.getName()).toFile();
235  if (!tempFolder.exists()) {
236  tempFolder.mkdir();
237  }
238 
239  List<File> fileList = set.getRuleFiles();
240  for (File file : fileList) {
241  List<String> commandList = new ArrayList<>();
242  commandList.add(String.format("\"%s\"", yarac.toString()));
243  commandList.add(String.format("\"%s\"", file.toString()));
244  commandList.add(String.format("\"%s\"", Paths.get(tempFolder.getAbsolutePath(), "compiled_" + file.getName())));
245 
246  ProcessBuilder builder = new ProcessBuilder(commandList);
247  try {
248  int result = ExecUtil.execute(builder);
249  if (result != 0) {
250  throw new IngestModuleException(String.format("Failed to compile Yara rules file %s. Compile error %d", file.toString(), result));
251  }
252  } catch (SecurityException | IOException ex) {
253  throw new IngestModuleException(String.format("Failed to compile Yara rules file, %s", file.toString()), ex);
254  }
255 
256  }
257  }
258 
267  private static List<RuleSet> getRuleSetsForNames(List<String> names) {
268  List<RuleSet> ruleSetList = new ArrayList<>();
269 
270  RuleSetManager manager = RuleSetManager.getInstance();
271  for (RuleSet set : manager.getRuleSetList()) {
272  if (names.contains(set.getName())) {
273  ruleSetList.add(set);
274  }
275  }
276 
277  return ruleSetList;
278  }
279 }

Copyright © 2012-2022 Basis Technology. Generated on: Tue Aug 1 2023
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.