#!/usr/bin/env python
#coding=UTF-8
import fnmatch
import hashlib
import os
import stat
import sys
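try:
    import yara
except ImportError:
    print('Please install python-yara')
    sys.exit(1)

# Upper bound (bytes) on the size of a file that is scanned and hashed;
# empty files are skipped as well (see the size test in the walk below).
MAX_FILE_SIZE = 5 * 1024 * 1024


def _comment_safe(text):
    """Return *text* made safe to embed in a comment of the generated rule.

    The rule description goes inside a ``/* ... */`` comment and each file
    path follows a ``//`` comment marker.  A line break in a path would end
    the ``//`` comment and let the remainder of the path be parsed as rule
    text; ``*/`` in the description would close the block comment early.
    Both are neutralised so the emitted comment is always closed.
    """
    return text.replace('\r', ' ').replace('\n', ' ').replace('*/', '* /')


def _sha1_of_file(path):
    """Return the hex SHA-1 digest of the file at *path*, read in chunks.

    Raises OSError if the file cannot be opened or read.
    """
    digest = hashlib.sha1()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(65536), b''):
            digest.update(chunk)
    return digest.hexdigest()


def _regular_file_size(path):
    """Return the size of *path* if it is a regular file, else None.

    os.walk() lists symlinks among ``filenames``; os.stat() follows them,
    so a dangling link raises OSError and a link to a device or FIFO is
    not a regular file.  Both are reported as None so the caller skips the
    entry instead of aborting the whole scan.
    """
    try:
        st = os.stat(path)
    except OSError:
        return None
    if not stat.S_ISREG(st.st_mode):
        return None
    return st.st_size


if len(sys.argv) != 3:
    print('Usage: %s name_of_the_rule_and_version folder_to_scan' % sys.argv[0])
    sys.exit(1)
if not os.path.isdir(sys.argv[2]):
    print('%s is not a folder !' % sys.argv[2])
    sys.exit(1)

try:
    # The rule set lives one directory above the script (sys.path[0]).
    rules = yara.compile(sys.path[0] + '/../php.yar', includes=True, error_on_warning=False)
except yara.SyntaxError as e:
    print("Can't compile rules: %s" % e)
    sys.exit(1)

output_list = list()
for curdir, dirnames, filenames in os.walk(sys.argv[2]):
    for filename in filenames:
        fname = os.path.join(curdir, filename)
        size = _regular_file_size(fname)
        if size is None or not 0 < size < MAX_FILE_SIZE:
            continue
        try:
            matches = rules.match(fname, fast=True)
            if not matches:
                continue
            digest = _sha1_of_file(fname)
        except (OSError, yara.Error) as e:
            # An unreadable file must not abort the scan.  Report it on
            # stderr: stdout carries the generated rule and is usually
            # redirected into a .yar file.
            sys.stderr.write('Skipping %s: %s\n' % (fname, e))
            continue
        output_list.append('hash.sha1(0, filesize) == "%s" or // %s' % (digest, _comment_safe(fname)))

if output_list:
    # First whitespace-separated token of argv[1] is the rule name, the whole
    # string is kept as the rule's description comment.
    rule_name = sys.argv[1].split(' ')[0]
    # NOTE(review): rule_name is not validated as a YARA identifier
    # ([A-Za-z_][A-Za-z0-9_]*); an invalid name yields a rule that will not compile.
    output_rule = 'import "hash"\n\nrule %s\n{\n\tcondition:\n\t\t/* %s */\n\t\t' % (rule_name, _comment_safe(sys.argv[1]))
    output_rule += '\n\t\t'.join(output_list)
    # Trailing "false" terminates the final "or" of the hash list.
    output_rule += '\n\t\tfalse\n}'
    print(output_rule)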