Scan plugins support and Libyara #165
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
added 11 commits
January 22, 2021 18:35
ADD: general plugin supports
ADD: Yara plugin configuration path in Makefile
REM: fflush(stdin)
|
Need add libyara in github action |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds a LOT of things, here is everything included
Scan plugin basic structure
A pre-defined exported function for PE scans, if any plugin has a function called plugin_scan, it will be called with pe_ctx_t structure, this is used by the Yara plugin
Yara plugin support in pescan
Using the scan plugin structure, at the end of all pescan work, we can call the general_plugin function scan_plugins_run_scan that will run ALL plugins that have the scan_pe exported function
Also, in the general makefile is created a plugin configuration folder and in the plugins makefile is created a yara_rule folder in this plugin config folder.
Example of rule: /usr/local/share/pev/plugins/yara_rules/<any_rule>.yar
The yara scan plugin will load all rules in the folder.
Example:
pescan -f json VirusShare_92c2bb8f606b2d01b42502eee3210396 { "file entropy": "6.725520 (normal)", "fpu anti-disassembly": "no", "imagebase": "normal", "entrypoint": "normal", "DOS stub": "normal", "TLS directory": "not found", "timestamp": "normal", "section count": "4", "sections": [ { ".text": "normal" }, { ".rdata": "normal" }, { ".data": "normal" }, { ".rsrc": "normal" } ], "Yara": [ "Microsoft_Visual_Cpp_v60", "Microsoft_Visual_Cpp_v50v60_MFC_additional", "Microsoft_Visual_Cpp_50", "Microsoft_Visual_Cpp_v50v60_MFC", "Armadillo_v4x", "Microsoft_Visual_Cpp" ] }Other changes
Move all the struct defintion and header includes from plugins.c to plugins.h, created a output interface for all plugins using function pointers to output functions like,output_open_scope, in pev_api struct.