
About whether the YSCompiler created in a callback function can be used multiple times to optimize performance

Open lanyouqi opened this issue 11 months ago • 0 comments

I plan to use C# FileSystemWatcher to write an automatic directory monitoring program. When a new file is created, the callback function uses Yara to review it. However, the Yara part needs to be run in the `using (YSContext context = new YSContext()) {}` block. Doesn't that mean that every time a file is created, a compiler must be compiled? Is there any good solution? Thank you very much (from Google Translate)

```csharp
private List<YSMatches> ScanFileWithYara(string filePath)
{
    try
    {
        // A new YSContext is created for every scan, so the rules are recompiled on every file event
        using (YSContext context = new YSContext())
        {
            // Compiling rules
            YSCompiler compiler = _instance.CompileFromFiles(ruleFilenames, externals);

            // Get compiled rules
            YSRules rules = compiler.GetRules();

            // Get errors
            YSReport errors = compiler.GetErrors();
            // Get warnings
            YSReport warnings = compiler.GetWarnings();

            // Some file to test yara rules
            Console.WriteLine(Alphaleonis.Win32.Filesystem.Path.GetFileName(filePath));
            Console.WriteLine(Alphaleonis.Win32.Filesystem.Path.GetFullPath(filePath));
            Console.WriteLine(Alphaleonis.Win32.Filesystem.Path.GetExtension(filePath));

            // Scan the file, supplying values for the external variables the rules reference
            List<YSMatches> Matches = _instance.ScanFile(filePath, rules, new Dictionary<string, object>()
                {
                    { "filename", Path.GetFileName(filePath) },
                    { "filepath", Path.GetFullPath(filePath) },
                    { "extension", Path.GetExtension(filePath) }
                }, 0);
            return Matches;
        }
    }
    catch (Exception ex)
    {
        Console.WriteLine($"[FSA] 扫描文件 {filePath} 时发生错误: {ex.Message}");
        return new List<YSMatches>();
    }
}

private void OnFileCreated(object sender, FileSystemEventArgs e)
{
    if (_isMonitoring)
    {
        Console.WriteLine($"[FSA] 新文件创建: {e.FullPath}");
        Thread.Sleep(1000); // Give a brief moment before starting checks

        int retryCount = 0;
        bool success = false;
        while (retryCount < 3 && !success)
        {
            try
            {
                // Run the rule check on the newly created file
                if (ScanFileForRansomware(e.FullPath))
                {
                    Console.WriteLine($"[FSA] 文件 {e.FullPath} 被判定为勒索软件。");
                    success = true;
                }
                else
                {
                    Console.WriteLine($"[FSA] 文件 {e.FullPath} 未被判定为勒索软件。");
                    success = true;
                }
            }
            catch (Exception ex)
            {
                retryCount++;
                Console.WriteLine($"[FSA] 文件扫描失败: {ex.Message}. 重试 {retryCount}...");
                // Back off 10 s, 30 s, then 60 s between retries
                Thread.Sleep(retryCount == 1 ? 10000 : retryCount == 2 ? 30000 : 60000);
            }
        }

        if (!success)
        {
            Console.WriteLine("[FSA] 文件审查失败,跳过该文件。");
        }
    }
}
```

There seems to be some problem with the code format of GitHub

lanyouqi, Feb 22 '25 17:02
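The compile-once pattern the question is asking about, as an added example that is neither the issue author's code nor part of YaraSharp: the YSContext is created and the rules compiled a single time when the monitor starts, and every FileSystemWatcher callback reuses the same YSRules. It assumes `_instance` is a `YSInstance`, that the compiled YSRules stay valid for as long as the YSContext that produced them is alive, and it serializes scans with a lock because the wrapper's thread-safety is not established on this page.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Threading;
using YaraSharp;

// Compile the YARA rule set once and reuse it for every FileSystemWatcher event. Assumptions (not confirmed by
// the issue): _instance is a YSInstance, and compiled YSRules stay valid while the YSContext that produced them lives.
public sealed class YaraDirectoryMonitor : IDisposable
{
    private readonly YSContext _context = new YSContext();   // libyara init; lives as long as the monitor
    private readonly YSInstance _instance = new YSInstance();
    private readonly YSRules _rules;                          // compiled once in the constructor
    private readonly FileSystemWatcher _watcher;
    private readonly object _scanLock = new object();         // wrapper thread-safety unknown: serialize scans
    public YaraDirectoryMonitor(string directory, List<string> ruleFiles, Dictionary<string, object> externals)
    {
        YSCompiler compiler = _instance.CompileFromFiles(ruleFiles, externals);
        YSReport errors = compiler.GetErrors();               // inspect before trusting the rule set
        _rules = compiler.GetRules();
        _watcher = new FileSystemWatcher(directory) { IncludeSubdirectories = true };
        _watcher.Created += OnCreated;
        _watcher.EnableRaisingEvents = true;
    }
    private void OnCreated(object sender, FileSystemEventArgs e)
    {
        // A just-created file is often still held open by its writer, so retry with a growing delay
        for (int attempt = 1; attempt <= 3; attempt++)
        {
            try
            {
                List<YSMatches> matches = Scan(e.FullPath);
                Console.WriteLine($"[FSA] {e.FullPath}: {matches.Count} rule(s) matched");
                return;
            }
            catch (Exception ex)   // the wrapper's exception type for an unreadable file is not documented in the issue
            {
                Console.WriteLine($"[FSA] scan of {e.FullPath} failed ({ex.Message}), retry {attempt}");
                Thread.Sleep(1000 * attempt);
            }
        }
    }
    private List<YSMatches> Scan(string path)
    {
        var ext = new Dictionary<string, object> { { "filename", Path.GetFileName(path) }, { "filepath", Path.GetFullPath(path) }, { "extension", Path.GetExtension(path) } };
        lock (_scanLock) { return _instance.ScanFile(path, _rules, ext, 0); }
    }
    public void Dispose() { _watcher.Dispose(); _context.Dispose(); }   // finalize libyara only after the last scan
}
```

With this shape the per-event cost is one scan rather than one compile plus one scan, and rule changes are picked up by building a new monitor rather than recompiling inside the callback.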