
Doesn't using my own yara rule file to detect Linux ELF malware files work?

Open linlih opened this issue 5 years ago • 2 comments

as the title says

linlih avatar Jan 17 '21 08:01 linlih

In this file, src/check.py, the following code:

# Added by Yang
def is_your_target(filename, yara_file):
    if not os.path.exists("rules_compiled/your_target"):
        os.mkdir("rules_compiled/your_target")
    if os.path.isdir(yara_file):
        for n in os.listdir(yara_file):
            if not os.path.isdir("./" + n):
                try:
                    rule = yara.compile(yara_file + "/" + n)
                    rule.save("rules_compiled/your_target/" + n)
                    rule = yara.load("rules_compiled/malware/" + n)
                    m = rule.match(filename)
                    if m:
                        return m
                except:
                    pass
            else:
                pass
    elif os.path.isfile(yara_file):
        try:
            rule = yara.compile(yara_file)
            rule.save("rules_compiled/your_target/" + yara_file)
            rule = yara.load("rules_compiled/malware/" + yara_file)
            m = rule.match(filename)
            if m:
                return m
        except:
            pass
    else:
        return "[x] Wrong type of input!"

Why is the rule saved to the your_target directory and then loaded from the malware directory? It doesn't make any sense.

linlih avatar Jan 17 '21 09:01 linlih
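A corrected version of that function, written here as an added example (it is neither the project's code nor the reporter's): every save and load goes through one path helper, so the compiled rule can never be written to one directory and read from another, and errors are raised instead of being swallowed by a bare `except`. It assumes yara-python is installed and keeps the `rules_compiled/your_target` cache directory name from the snippet above; the `.yarc` suffix and the mtime-based cache check are my choices, not anything the project does.

```python
import glob
import os

# Added example, not the project's code. Assumes yara-python is installed
# and that CACHE_DIR (name taken from the snippet above) is writable.
CACHE_DIR = "rules_compiled/your_target"


def rule_sources(yara_path):
    """Return the rule source files behind a file or directory path.

    A directory yields its regular files only (subdirectories are skipped,
    checked inside the rules directory rather than in the current working
    directory); anything else raises instead of being silently ignored.
    """
    if os.path.isfile(yara_path):
        return [yara_path]
    if os.path.isdir(yara_path):
        return sorted(
            p for p in glob.glob(os.path.join(yara_path, "*")) if os.path.isfile(p)
        )
    raise ValueError("[x] Wrong type of input: %s" % yara_path)


def compiled_path(rule_src, cache_dir=CACHE_DIR):
    """Single source of truth for where a compiled rule lives.

    Both the save and the load use this function, so the two can never
    point at different directories.  Only the basename is kept, so a rule
    passed as 'rules/foo.yar' does not turn into a nested path under the
    cache (which is what the original save() would have attempted).
    """
    return os.path.join(cache_dir, os.path.basename(rule_src) + ".yarc")


def compiled_rules(rule_src, cache_dir=CACHE_DIR):
    """Return compiled rules for rule_src, reusing the cache when it is fresh."""
    import yara  # yara-python; imported here so the path helpers work without it

    os.makedirs(cache_dir, exist_ok=True)
    target = compiled_path(rule_src, cache_dir)
    cache_is_fresh = (
        os.path.exists(target)
        and os.path.getmtime(target) >= os.path.getmtime(rule_src)
    )
    if cache_is_fresh:
        return yara.load(target)
    rules = yara.compile(filepath=rule_src)
    rules.save(target)  # cache for next time; same path that load() uses
    return rules


def is_your_target(filename, yara_path, cache_dir=CACHE_DIR):
    """Scan filename with every rule file in yara_path.

    Returns the first non-empty list of yara matches, or an empty list
    when no rule fires.  Compile errors propagate to the caller.
    """
    for src in rule_sources(yara_path):
        matches = compiled_rules(src, cache_dir).match(filename)
        if matches:
            return matches
    return []


if __name__ == "__main__":
    import sys

    hits = is_your_target(sys.argv[1], sys.argv[2])
    for m in hits:
        print("[+] %s matched rule %s" % (sys.argv[1], m.rule))
    if not hits:
        print("[-] no match")
```

Usage: `python check_example.py ./suspect.elf ./my_rules/` compiles each file in `my_rules/` once into `rules_compiled/your_target/` and reuses the cache afterwards; because the cache path is computed in one place, a missing or wrong directory shows up as an exception rather than as a silent "no match".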

Hello, can you provide more information, an example of what is failing and the output error? I do not fully understand from your description what is failing.

Evan-Sa avatar Jan 22 '21 07:01 Evan-Sa