gyp

package module
v0.2.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 3, 2019 License: Apache-2.0 Imports: 13 Imported by: 4

README

GoDoc Go Report Card

gyp (go-yara-parser)

gyp is a Go library for parsing YARA rules. It uses the same grammar and lexer files as the original libyara to ensure that lexing and parsing work exactly like YARA. This library produces an Abstract Syntax Tree (AST) for the parsed YARA rules. Additionally, the AST can be serialized as a Protocol Buffer, which facilitate its manipulation in other programming languages.

Go Usage

The example below illustrates the usage of gyp, this a simple program that reads a YARA source file from the standard input, creates the corresponding AST, and writes the rules back to the standard output. The resulting output won't be exactly like the input, during the parsing and re-generation of the rules the text is reformatted and comments are lost.

package main

import (
	"log"
	"os"

	"github.com/VirusTotal/gyp"
)

func main() {
	ruleset, err := gyp.Parse(os.Stdin)
	if err != nil {
		log.Fatalf(`Error parsing rules: %v`, err)
	}
	if err = ruleset.WriteSource(os.Stdout); err != nil {
		log.Fatalf(`Error writing rules: %v`, err)
	}
}

Development

Setup development environment (Linux)
  1. Install the required packages using your package manager (apt is assumed in the following example):
	apt update && apt install \
		automake \
		bison \
		help2man \
		m4 \
		texinfo \
		texlive
  1. Install golang following the provided installation instructions.
  2. Install golang protobuf package following the provided installation instructions.
  3. Install the project dependencies:
  • go get golang.org/x/tools/cmd/goyacc
  • go get github.com/pebbe/flexgo/...
  • Add the environment variable FLEXGO, pointing out to the flexgo folder in your Go workspace (e.g., $HOME/go/src/github.com/pebbe/flexgo).
  • cd ${FLEXGO} && ./configure && cd -
  • make -C ${FLEXGO} && make -C ${FLEXGO} install
Build project

The Makefile includes targets for quickly building the parser and lexer and the data protocol buffer, as well as the y2j and j2y command-line tools:

  • Build rulesets parser and lexer: make grammar
  • Build hex strings parser and lexer: make hexgrammar
  • Build ruleset protocol buffer: make proto
  • Build y2j tool: make y2j
  • Build j2y tool: make j2y

License and third party code

This project uses code from yara-parser by Northern-Lights, which is available under the MIT license (see LICENSES_THIRD_PARTIES).

Documentation

Index

Constants

View Source 
const (
	ModGlobal modifiers = 1 << iota
	ModPrivate
	ModASCII
	ModWide
	ModXor
	ModFullword
	ModNocase
)
View Source 
const UNARY_MINUS = 57397

Variables

This section is empty.

Functions

func Parse 

func Parse(input io.Reader) (rs *ast.RuleSet, err error)

Parse parses a YARA rule from the provided input source.

func ParseString 

func ParseString(s string) (*ast.RuleSet, error)

ParseString parses a YARA rule from the provided string.

func YYmain 

func YYmain(filenames ...string) (interface{}, error)

Types

type Scanner 

type Scanner struct {
	In     io.Reader
	Out    io.Writer
	Lineno int

	Filename      string
	Wrap          func(*Scanner) bool
	IsInteractive func(io.Reader) bool
	Context       YYcontext

	Interactive bool
	// contains filtered or unexported fields
}

func NewScanner 

func NewScanner() *Scanner

func (*Scanner) Input 

func (yy *Scanner) Input() (byte, error)

func (*Scanner) Lex 

func (yy *Scanner) Lex() YYtype

The main scanner function which does all the work.

func (*Scanner) NewFile 

func (yy *Scanner) NewFile()

func (*Scanner) Restart 

func (yy *Scanner) Restart(input_file io.Reader)

* Immediately switch to a different input stream.

  • @param input_file A readable stream. *
  • @note This function does not reset the start condition to @c yyInitial .

type YYcontext 

type YYcontext struct {
	// contains filtered or unexported fields
}

Note that the parser is generated with the yr prefix to avoid name collisions with the hex and regexp parsers.

type YYtype 

type YYtype struct {
	Token int
	Error gyperror.Error
}

YYtype is the structure returned by the lexer every time the scanner asks for the next token. If the lexer wants to return an error to the scanner it sets the Error field and leaves the Token empty.

func Error added in v0.2.0 

func Error(c gyperror.Code, msg string) YYtype

func Token added in v0.2.0 

func Token(t int) YYtype

type YaraSerializer 

type YaraSerializer struct {
	// contains filtered or unexported fields
}

YaraSerializer converts a RuleSet from proto to YARA ruleset. Contains configuration options.

func NewSerializer 

func NewSerializer(w io.Writer) *YaraSerializer

NewSerializer returns a YaraSerializer that writes the serialization output to w.

func (*YaraSerializer) Serialize 

func (ys *YaraSerializer) Serialize(rs *pb.RuleSet) error

Serialize converts the provided RuleSet proto to a YARA ruleset.

func (*YaraSerializer) SerializeExpression 

func (ys *YaraSerializer) SerializeExpression(e *pb.Expression) error

SerializeExpression serializes an Expression in a YARA rule condition.

func (*YaraSerializer) SerializeStringValue 

func (ys *YaraSerializer) SerializeStringValue(str *pb.String) error

Serializes the value of a string in a YARA rule.

func (*YaraSerializer) SetIndent 

func (ys *YaraSerializer) SetIndent(indent string)

SetIndent sets the indentation string used for each indentation level. Default value: 2 whitespaces.

Source Files

View all Source files

Directories

Path Synopsis
cmd
j2y command
y2j command

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.