Golang for infosec — Building an EDR #Part2 — YARA rules

Go, C, … cgo!

// #include <stdio.h>
// #include <errno.h>
import “C”
  • Goroutines run on a relatively small stack, handling stack growth through segmented stacks (old versions) or by copying (new versions).
  • Threads created by the Go runtime may not interact properly with libpthread’s thread local storage implementation.
  • Go reuses OS threads to run multiple Goroutines. If the C code called a blocking system call or otherwise monopolised the thread, it could be detrimental to other goroutines.
  • to install mingw (I suggest to do it via msys2)
  • to compile YARA from GCC
  • to use pkg-config to allow yara to be linked to your programs

Compile your YARA rules

go get github.com/hillu/go-yara
go install github.com/hillu/go-yara
// LoadYaraRules compile yara rules from specified paths and return a pointer to the yara compiler
func LoadYaraRules(path []string) (compiler *yara.Compiler, err error) {
compiler, err = yara.NewCompiler()
if err != nil {
return nil, errors.New("Failed to initialize YARA compiler")
}
for _, dir := range path {
f, err := os.Open(dir)
if err != nil{
log.Println("[ERROR]", "Could not open rule file ", dir, err)
}
namespace := filepath.Base(dir)[:len(filepath.Base(dir))-4] if err = compiler.AddFile(f, namespace); err != nil{
log.Println("[ERROR]", "Could not load rule file ", dir, err)
}
f.Close()
}
return compiler, nil}

Search for YARA match

// PerformYaraScan use provided YARA rules and search for match in the given byte slicefunc PerformYaraScan(data []byte, rules *yara.Rules) yara.MatchRules {
result, err := YaraScan(data, rules)
if err != nil{
log.Println("[ERROR]", err)
}
return result
}

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store