45 lines
1.1 KiB
Python
45 lines
1.1 KiB
Python
|
#region Imports
|
||
|
|
import os
|
||
|
|
import yara
|
||
|
|
import tomllib
|
||
|
|
#endregion
|
||
|
|
|
||
|
|
#region Variables
|
||
|
|
scanned_files_map = set()
|
||
|
|
ignored_files = {}
|
||
|
|
ignored_directories = {}
|
||
|
|
|
||
|
|
with open("./config.toml", "rb") as f:
|
||
|
|
data = tomllib.load(f)
|
||
|
|
#endregion
|
||
|
|
|
||
|
|
#region scanfile
|
||
|
|
|
||
|
|
def scan(file_path):
|
||
|
|
"""
|
||
|
|
Scan a file with YARA rules and return the matches.
|
||
|
|
|
||
|
|
Args:
|
||
|
|
file_path (str): The path to the file to be scanned.
|
||
|
|
|
||
|
|
Returns:
|
||
|
|
matches[filename], error_message
|
||
|
|
"""
|
||
|
|
matches = {}
|
||
|
|
error_messages = {}
|
||
|
|
|
||
|
|
for filename in os.listdir(data['DETECTION']['SignaturePath']):
|
||
|
|
if filename.endswith((".yara")):
|
||
|
|
rule_path = os.path.join(data['DETECTION']['SignaturePath'], filename)
|
||
|
|
try:
|
||
|
|
rules = yara.compile(filepath=rule_path)
|
||
|
|
file_matches = rules.match(file_path)
|
||
|
|
if file_matches:
|
||
|
|
matches[filename] = file_matches
|
||
|
|
# for match in file_matches:
|
||
|
|
# print(f" - Rule: {match.rule}")
|
||
|
|
except yara.Error as e:
|
||
|
|
error_messages[filename] = e
|
||
|
|
|
||
|
|
return matches, error_messages
|
||
|
|
#endregion
|