YaraSharp
1.0.0
C# wrapper around the Yara pattern matching library.
Use signatures from Loki or YARA. Treat rule files as trusted input: they are parsed in-process by the native libyara library, so only load rules from sources you control.
A NuGet package is available.
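// All API calls go through a single YSInstance.
// NOTE(review): the original listing declared this variable as "YSInstance" but the
// calls further down used "instance"; it is named "instance" here so the sample compiles.
YSInstance instance = new YSInstance();

// External variables the rules may reference (the dictionary may be null if the
// rules use none). The values given here are compile-time placeholders; the real
// per-file values are supplied again at scan time below.
Dictionary<string, object> externals = new Dictionary<string, object>()
{
    { "filename", string.Empty },
    { "filepath", string.Empty },
    { "extension", string.Empty }
};

// Collect the rule files. Keep this directory trusted: rule files are parsed
// in-process by native libyara, so whoever can drop a .yar here controls what
// gets matched. (The original listing had lost its backslashes — path restored.)
List<string> ruleFilenames = Directory.GetFiles(@"D:\Test\yara", "*.yar", SearchOption.AllDirectories).ToList();

// The context owns libyara's global state: yr_initialize() on construction,
// yr_finalize() when it is disposed.
using (YSContext context = new YSContext())
{
    // Compile every rule file in one pass.
    using (YSCompiler compiler = instance.CompileFromFiles(ruleFilenames, externals))
    {
        // Compiled rule set plus the compiler's diagnostics.
        YSRules rules = compiler.GetRules();
        YSReport errors = compiler.GetErrors();
        YSReport warnings = compiler.GetWarnings();

        // TODO(review): inspect `errors` before scanning. A rule file that failed to
        // compile is simply absent from `rules`, which silently reduces detection
        // coverage; decide whether that should abort the scan or only be logged.

        // File to test the rules against.
        string Filename = @"";

        // Per-file externals override the compile-time placeholders. AlphaFS
        // (Alphaleonis) is used rather than System.IO.Path, presumably for
        // long/Unicode path support — confirm against the project's build.
        Dictionary<string, object> fileExternals = new Dictionary<string, object>()
        {
            { "filename", Alphaleonis.Win32.Filesystem.Path.GetFileName(Filename) },
            { "filepath", Alphaleonis.Win32.Filesystem.Path.GetFullPath(Filename) },
            { "extension", Alphaleonis.Win32.Filesystem.Path.GetExtension(Filename) }
        };

        // The trailing 0 is passed straight through to ScanFile; presumably libyara
        // scan flags — verify against the YSInstance.ScanFile signature.
        List<YSMatches> Matches = instance.ScanFile(Filename, rules, fileExternals, 0);

        // Iterate over matches
        foreach (YSMatches Match in Matches)
        {
            //...
        }
    }
    // Log errors
}
For async scanning you must call the Destroy methods explicitly: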
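// Async variant: there are no `using` scopes here, so the native handles must be
// released explicitly. try/finally guarantees that even if compilation or the scan
// throws, the libyara resources are not leaked.
// NOTE(review): this snippet uses the CYaraSharp/CContext/CRules names, while the
// synchronous sample uses YSInstance/YSContext/YSRules — confirm which API surface
// the shipped package actually exposes.
YaraSharp.CYaraSharp YSInstance = new CYaraSharp();
YaraSharp.CContext YSContext = new YaraSharp.CContext();
YaraSharp.CRules YSRules = null;
try
{
    // RuleFilenames: the list of .yar paths to compile (declared by the caller).
    // `out var` requires C# 7 (VS 2017); the original listing never declared `Errors`.
    YSRules = YSInstance.CompileFromFiles(RuleFilenames, null, out var Errors);
    // Async scan here
}
finally
{
    // Same order as the original: rules first, then the context that owns
    // libyara's global state.
    if (YSRules != null)
    {
        YSRules.Destroy();
    }
    YSContext.Destroy();
}
See the libyara C API documentation for a general overview of how to use libyara.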
The solution contains 2 projects:
Built with Visual Studio 2017.
Compiled against YARA 3.8.1; if you scan untrusted files, check the upstream YARA changelog for fixes made since that release and rebuild against a current libyara.
YARA is patched to support Unicode paths — this is a local patch to the native library, so review it when updating libyara.
You can use or modify the sources however you want
Special thanks to kallanreed