'''Scans the files using YARA'''
import yara
import json
import os
import subprocess
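def load_rules_from_json(json_path='yara_files.json'):
    """Compile YARA rules from the rule files listed in a JSON index.

    The JSON document is handed to ``yara.compile`` unchanged as its
    ``filepaths`` argument, so it must be in whatever shape that
    parameter accepts (the index's contents are not validated here).

    Args:
        json_path: Path of the JSON index. Defaults to ``yara_files.json``
            in the current working directory, as the original did.

    Returns:
        The compiled ``yara.Rules`` object.

    Raises:
        OSError: if the index cannot be opened or read.
        json.JSONDecodeError: if the index is not valid JSON.
        yara.Error: if a listed rule file does not compile.
    """
    # The context manager closes the file; the explicit close() that used
    # to sit inside the ``with`` block was redundant.
    with open(json_path, encoding='utf-8') as f:
        filepaths = json.load(f)
    return yara.compile(filepaths=filepaths)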
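def load_rules(compiled_path='yara_compiled_rules'):
    """Return compiled YARA rules, using an on-disk cache when present.

    Args:
        compiled_path: Where the compiled rule set is cached. Defaults to
            ``yara_compiled_rules`` in the current working directory, as
            the original did.

    Returns:
        The ``yara.Rules`` object: loaded from ``compiled_path`` if that
        file exists, otherwise compiled via ``load_rules_from_json`` and
        saved to ``compiled_path`` for later calls.
    """
    # The cache is trusted as-is: whatever sits at compiled_path is loaded
    # with no integrity check, so that file must not be writable by anyone
    # who should not be able to change what the scanner detects.
    if os.path.exists(compiled_path):
        return yara.load(compiled_path)
    # First run: compile from the JSON index and persist the result.
    rules = load_rules_from_json()
    rules.save(compiled_path)
    return rules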
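def _yextend_verdict(raw_output):
    """Turn yextend's ``-j`` output into a clean/not-clean verdict.

    Args:
        raw_output: The bytes yextend wrote to stdout.

    Returns:
        False if the first result object reports ``yara_matches_found``
        equal to ``True``; True otherwise, including when that key is
        absent. The missing-key case is fail-open (treated as clean), which
        is the behaviour the original code had.

    Raises:
        json.JSONDecodeError: if the cleaned output is not JSON.
        IndexError, TypeError: if the parsed output is not a non-empty
            list of objects (these were never caught before either).
    """
    cleaned = raw_output.decode('utf-8').strip().replace("\n", "")
    # NOTE(review): dropping every backslash also destroys escape sequences
    # inside JSON string values; presumably a workaround for the shape of
    # yextend's output -- confirm against real output before relying on it.
    cleaned = cleaned.replace("\\", "")
    json_output = json.loads(cleaned)
    print(json_output)
    try:
        found = json_output[0]["yara_matches_found"]
    except KeyError:
        # Fail-open: no verdict key means "no match".
        return True
    # Loose comparison kept on purpose so a numeric 1 still counts as True.
    return found != True  # noqa: E712


async def scan_file(data, config):
    """Scan one file with YARA and report whether it is clean.

    Args:
        data: Path of the file to scan.
        config: A ``configparser``-style object; ``getboolean("SCAN",
            "pdfscan")`` decides whether ``.pdf`` files are handed to
            yextend instead of being matched directly.

    Returns:
        True if no rule matched, False if at least one rule matched.

    Raises:
        subprocess.CalledProcessError: if yextend exits non-zero.
        json.JSONDecodeError, IndexError, TypeError: if yextend's output
            cannot be interpreted (see ``_yextend_verdict``).
    """
    # Rules are loaded (and cached on first run) before the branch, as the
    # original did, so the cache is created even on the yextend path.
    rules = load_rules()
    _, file_extension = os.path.splitext(data)
    print(f"File extension is {file_extension}")
    if file_extension == ".pdf" and config.getboolean("SCAN", "pdfscan"):
        # Proof-of-concept path: let yextend scan the PDF. No shell is
        # involved, so "yara_rules/*" reaches yextend verbatim for it to
        # expand (the rules must live in a folder called yara_rules). The
        # file path is made absolute so a name starting with '-' cannot be
        # taken by yextend as an option.
        output = subprocess.check_output(
            ["./yextend", "-r", "yara_rules/*", "-t", os.path.abspath(data), "-j"]
        )
        return _yextend_verdict(output)
    matches = rules.match(data)
    print(matches)
    # Clean only when the match list is empty.
    return not matches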