Created
November 19, 2023 04:34
-
-
Save dmknght/2552fb2af08e9b3c86c6b8f50f7c2905 to your computer and use it in GitHub Desktop.
Demo of using yara to find files that contains credentials. Requires Yara binding for Nim to compile.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import .. / src / engine / libyara # Binding lib co san. Neu tai ve thi sua cho nay, lay binding o day https://github.com/dmknght/nimyara | |
| import strformat | |
| import os | |
| # Pass vao compiler de link voi thu vien Yara | |
| {.passL: "-lyara".} | |
| type | |
| COMPILER_RESULT = object | |
| errors: int | |
| warnings: int | |
| ScanData = object | |
| scan_path: string | |
| const | |
| YR_SCAN_TIMEOUT: cint = 1000000 | |
| YR_RULE_FIND_SSH = "rule ssh_private_key { strings: $key_header = \"-----BEGIN OPENSSH PRIVATE KEY-----\" condition: $key_header at 0}" | |
| DIR_TO_SCAN = "~/.ssh/" | |
| proc yr_rules_report_errors*(error_level: cint; file_name: cstring; line_number: cint; rule: ptr YR_RULE; message: cstring; user_data: pointer) {.cdecl.} = | |
| if rule != nil: | |
| echo fmt"{message} at {file_name}:{line_number}" | |
| proc yara_scan_cb(context: ptr YR_SCAN_CONTEXT, message: cint, message_data: pointer, user_data: pointer): cint {.cdecl.} = | |
| #[ | |
| Handle scan result from Yara engine | |
| ]# | |
| if message == CALLBACK_MSG_RULE_MATCHING: | |
| let | |
| scan_context = cast[ptr ScanData](user_data) | |
| echo "Matched: ", scan_context.scan_path | |
| proc main() = | |
| var | |
| compiler: ptr YR_COMPILER | |
| rules: ptr YR_RULES | |
| scan_context: ScanData | |
| compiler_result: COMPILER_RESULT | |
| setting_max_string = DEFAULT_MAX_STRINGS_PER_RULE | |
| #[ | |
| Khoi tao Yara engine | |
| ]# | |
| if yr_initialize() != ERROR_SUCCESS: | |
| return | |
| if yr_compiler_create(addr(compiler)) != ERROR_SUCCESS: | |
| return | |
| #[ | |
| Lay rule tu string va compile | |
| ]# | |
| discard yr_set_configuration(YR_CONFIG_MAX_STRINGS_PER_RULE, addr(setting_max_string)) | |
| yr_compiler_set_callback(compiler, yr_rules_report_errors, addr(compiler_result)) | |
| if yr_compiler_add_string(compiler, YR_RULE_FIND_SSH, "") != ERROR_SUCCESS: | |
| echo "Failed to compile rule from a string" | |
| return | |
| # Compile | |
| discard yr_compiler_get_rules(compiler, addr(rules)) | |
| #[ | |
| Doan nay handle scan | |
| ]# | |
| let | |
| absolute_path = expandTilde(DIR_TO_SCAN) # Handle HOME from shortname (demo nen viet vay cho nhanh). https://nim-lang.org/docs/os.html#expandTilde%2Cstring | |
| for path in walkDirRec(absolute_path): | |
| # cai scan_context dong vai tro nhu 1 struct de truyen du lieu qua callback | |
| scan_context.scan_path = path | |
| # Nen co doan check object type la pcFile, pcDir hay symlink gi do | |
| discard yr_rules_scan_file(rules, cstring(path), SCAN_FLAGS_FAST_MODE, yara_scan_cb, addr(scan_context), YR_SCAN_TIMEOUT) | |
| #[ | |
| Free engine's memory | |
| ]# | |
| # finityara | |
| if compiler != nil: | |
| yr_compiler_destroy(compiler) | |
| if rules != nil: | |
| discard yr_rules_destroy(rules) | |
| discard yr_finalize() | |
| main() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment