fixes up the wahzoo
blacktop committed Nov 11, 2017
1 parent 9444339 commit fca139e
Showing 11 changed files with 1,094 additions and 42,984 deletions.
3 changes: 2 additions & 1 deletion Dockerfile
Expand Up @@ -57,9 +57,10 @@ RUN apk --update add --no-cache -t .build-deps \
&& export GOPATH=/go \
&& export CGO_CFLAGS="-I/usr/local/include" \
&& export CGO_LDFLAGS="-L/usr/local/lib -lyara" \
&& export PKG_CONFIG_PATH="/usr/local/lib/pkgconfig" \
&& go version \
&& go get \
&& go build -ldflags "-X main.Version=$(cat VERSION) -X main.BuildTime=$(date -u +%Y%m%d)" -o /bin/scan \
&& CGO_ENABLED=1 go build -ldflags "-X main.Version=$(cat VERSION) -X main.BuildTime=$(date -u +%Y%m%d)" -o /bin/scan \
&& rm -rf /go /usr/local/go /usr/lib/go /tmp/* \
&& apk del --purge .build-deps

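Review bot: The `go get` on the context line just above the new `CGO_ENABLED=1 go build` fetches every Go dependency unpinned at image-build time, so the release binary links against whatever each dependency's default branch holds on the day of the build and the image can be neither reproduced nor audited afterwards. The `CGO_ENABLED=1` change itself is consistent with the `-lyara` link flag, but the supply-chain gap remains: commit a `vendor/` tree (or an equivalent lockfile) and change the line to `go get -d` so the build compiles only what is checked in. Because the build-deps are purged at the end of this RUN while the binary is now dynamically linked, it is also worth confirming that the installed libyara in `/usr/local/lib` is not removed by the `rm -rf` line. The RUN instruction begins before this hunk, so the preceding package installs are not visible here.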
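--- /dev/null
+++ b/Dockerfile.dev
@@ -0,0 +1,92 @@
+FROM malice/alpine
+
+LABEL maintainer "https://github.com/blacktop"
+
+LABEL malice.plugin.repository = "https://github.com/malice-plugins/yara.git"
+LABEL malice.plugin.category="av"
+LABEL malice.plugin.mime="*"
+LABEL malice.plugin.docker.engine="*"
+
+ENV YARA 3.7.0
+
+# Install Yara
+COPY . /go/src/github.com/maliceio/malice-yara
+RUN apk --update add --no-cache openssl file bison jansson ca-certificates
+RUN apk --update add --no-cache -t .build-deps \
+openssl-dev \
+jansson-dev \
+build-base \
+mercurial \
+musl-dev \
+libc-dev \
+file-dev \
+automake \
+autoconf \
+libtool \
+flex \
+bash \
+wget \
+git \
+gcc \
+go \
+git \
+gcc \
+&& echo "===> Install Yara from source..." \
+&& cd /tmp \
+&& git clone --recursive --branch v${YARA} https://github.com/VirusTotal/yara.git \
+&& cd /tmp/yara \
+&& ./bootstrap.sh \
+&& sync \
+&& ./configure --with-crypto \
+--enable-magic \
+--enable-cuckoo \
+--enable-dotnet \
+&& make \
+&& make install \
+&& echo "===> Building scan Go binary..." \
+&& cd /go/src/github.com/maliceio/malice-yara \
+&& export GOPATH=/go \
+&& YARA_SRC="/tmp/yara" \
+&& export CGO_CFLAGS="-I${YARA_SRC}/libyara/include" \
+&& export CGO_LDFLAGS="-L${YARA_SRC}/libyara/.libs -lyara" \
+&& export PKG_CONFIG_PATH="/usr/local/lib/pkgconfig" \
+&& go version \
+&& go get -d \
+&& CGO_ENABLED=1 go build -ldflags "-X main.Version=$(cat VERSION) -X main.BuildTime=$(date -u +%Y%m%d)" -o /bin/scan
+# && rm -rf /go /usr/local/go /usr/lib/go /tmp/* \
+# && apk del --purge .build-deps
+
+# Install malice plugin
+# COPY . /go/src/github.com/maliceio/malice-yara
+# RUN apk --update add --no-cache -t .build-deps \
+# openssl-dev \
+# jansson-dev \
+# build-base \
+# mercurial \
+# musl-dev \
+# openssl \
+# bash \
+# wget \
+# git \
+# gcc \
+# go \
+# && echo "===> Building scan Go binary..." \
+# && cd /go/src/github.com/maliceio/malice-yara \
+# && export GOPATH=/go \
+# && export CGO_CFLAGS="-I/usr/local/include" \
+# && export CGO_LDFLAGS="-L/usr/local/lib -lyara" \
+# && go version \
+# && go get \
+# && go build -ldflags "-X main.Version=$(cat VERSION) -X main.BuildTime=$(date -u +%Y%m%d)" -o /bin/scan \
+# && rm -rf /go /usr/local/go /usr/lib/go /tmp/* \
+# && apk del --purge .build-deps
+
+COPY rules /rules
+
+VOLUME ["/malware"]
+VOLUME ["/rules"]
+
+WORKDIR /malware
+
+ENTRYPOINT ["su-exec","malice","/sbin/tini","--","scan"]
+CMD ["--help"]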
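Review bot: The Yara source is fetched with `git clone --recursive --branch v${YARA}` (a mutable tag) and the Go dependencies with an unpinned `go get -d`, so nothing in this file ties the build to a specific commit or checksum of either input; a moved tag or a compromised upstream would be compiled straight into the image. Pin the clone to the commit the tag resolved to when this was written, e.g. add `ENV YARA_COMMIT <sha>` next to `ENV YARA` and `&& git -C /tmp/yara rev-parse HEAD | grep -qx "${YARA_COMMIT}"` after the clone, and vendor or otherwise lock the Go dependencies. Since the `rm -rf` and `apk del` cleanup is commented out, this image ships with gcc, go, git, the Go workspace and the full yara source tree, so it should be treated strictly as a development artefact and `malice/yara:dev` must never be pushed to the registry; `COPY . /go/src/…` also copies the entire build context, so a `.dockerignore` excluding `.git` and any local secrets is worth confirming (not visible here). Minor: `git` and `gcc` are listed twice in the apk install, and `LABEL malice.plugin.repository = "…"` with spaces around `=` is read by Docker as the legacy `LABEL key value` form and presumably does not produce the intended key/value pair — check with `docker inspect`.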
44 changes: 38 additions & 6 deletions Makefile
Expand Up @@ -5,12 +5,21 @@ VERSION=$(shell cat VERSION)

all: build size test

build:
build: ## Build docker image
docker build -t $(ORG)/$(NAME):$(VERSION) .

size:
.PHONY: dev
dev: ## Build dev docker image
docker build -f Dockerfile.dev -t $(ORG)/$(NAME):dev .

.PHONY: size
size: build ## Get built image size
sed -i.bu 's/docker%20image-.*-blue/docker%20image-$(shell docker images --format "{{.Size}}" $(ORG)/$(NAME):$(VERSION)| cut -d' ' -f1)-blue/' README.md

.PHONY: tags
tags:
docker images --format "table {{.Repository}}\t{{.Tag}}\t{{.Size}}" $(ORG)/$(NAME)

test:
@echo "===> Starting elasticsearch"
@docker rm -f elasticsearch || true
Expand All @@ -21,11 +30,27 @@ test:
@test -f befb88b89c2eb401900a68e9f5b78764203f2b48264fcc3f7121bf04a57fd408 || wget https://github.com/maliceio/malice-av/raw/master/samples/befb88b89c2eb401900a68e9f5b78764203f2b48264fcc3f7121bf04a57fd408
@docker run --rm --link elasticsearch -v $(PWD):/malware $(ORG)/$(NAME):$(VERSION) -V befb88b89c2eb401900a68e9f5b78764203f2b48264fcc3f7121bf04a57fd408 | jq . > docs/results.json
@cat docs/results.json | jq .
@echo "===> ${NAME} pull MarkDown from elasticsearch results"
@echo "===> ${NAME} pull MarkDown from elasticsearch results"
@http localhost:9200/malice/_search | jq . > docs/elastic.json
@cat docs/elastic.json | jq -r '.hits.hits[] ._source.plugins.av.${NAME}.markdown' > docs/SAMPLE.md
@docker rm -f elasticsearch

.PHONY: run
run: stop ## Run docker container
@docker run --init -d --name $(NAME) -p 9200:9200 $(ORG)/$(NAME):$(VERSION)

.PHONY: ssh
ssh: ## SSH into docker image
@docker run -it --rm --entrypoint=sh $(ORG)/$(NAME):$(VERSION)

.PHONY: ssh-dev
ssh-dev: ## SSH into docker image
@docker run -it --rm --entrypoint=sh $(ORG)/$(NAME):dev

.PHONY: stop
stop: ## Kill running docker containers
@docker rm -f $(NAME) || true

circle: ci-size
@sed -i.bu 's/docker%20image-.*-blue/docker%20image-$(shell cat .circleci/SIZE)-blue/' README.md
@echo "===> Image size is: $(shell cat .circleci/SIZE)"
Expand All @@ -38,7 +63,14 @@ ci-size: ci-build
@echo "===> Getting image build size from CircleCI"
@http "$(shell http https://circleci.com/api/v1.1/project/github/${REPO}/$(shell cat .circleci/build_num)/artifacts${CIRCLE_TOKEN} | jq '.[].url')" > .circleci/SIZE

clean:
clean: ## Clean docker image and stop all running containers
docker-clean stop
docker rmi $(ORG)/$(NAME):$(VERSION)
rm befb88b89c2eb401900a68e9f5b78764203f2b48264fcc3f7121bf04a57fd408 || true
docker rmi $(ORG)/$(NAME):$(VERSION) || true
docker rmi $(ORG)/$(NAME):dev || true
rm befb88b89c2eb401900a68e9f5b78764203f2b48264fcc3f7121bf04a57fd408 || true

# Absolutely awesome: http://marmelab.com/blog/2016/02/29/auto-documented-makefile.html
help:
@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'

.DEFAULT_GOAL := all
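Review bot: The new `clean` recipe runs `docker-clean stop`, an external tool this Makefile does not install; where it is present it stops every running container on the host rather than only this project's, and where it is absent the recipe aborts before the `docker rmi` lines are reached. Scope the cleanup to what the Makefile itself created by replacing that line with `$(MAKE) stop` (the `stop` target added in this commit already removes the `$(NAME)` container and tolerates its absence), or at minimum guard it with `docker-clean stop || true`. In the new `run` target, `-p 9200:9200` publishes Elasticsearch's port on every interface from an image whose entrypoint is `scan`; this looks copied from the elasticsearch container used in `test`, so drop the flag if the plugin does not listen there, and bind to loopback (`-p 127.0.0.1:9200:9200`) if it really is needed. The `test` recipe, unchanged by this commit, still trusts the downloaded sample by filename alone — piping `"<sha256>  <sha256>"` into `sha256sum -c` after the `wget` would make that check real.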
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -3,7 +3,7 @@
malice-yara
===========

[![Circle CI](https://circleci.com/gh/malice-plugins/yara.png?style=shield)](https://circleci.com/gh/malice-plugins/yara) [![License](http://img.shields.io/:license-mit-blue.svg)](http://doge.mit-license.org) [![Docker Stars](https://img.shields.io/docker/stars/malice/yara.svg)](https://hub.docker.com/r/malice/yara/) [![Docker Pulls](https://img.shields.io/docker/pulls/malice/yara.svg)](https://hub.docker.com/r/malice/yara/) [![Docker Image](https://img.shields.io/badge/docker%20image-41.6MB-blue.svg)](https://hub.docker.com/r/malice/virustotal/)
[![Circle CI](https://circleci.com/gh/malice-plugins/yara.png?style=shield)](https://circleci.com/gh/malice-plugins/yara) [![License](http://img.shields.io/:license-mit-blue.svg)](http://doge.mit-license.org) [![Docker Stars](https://img.shields.io/docker/stars/malice/yara.svg)](https://hub.docker.com/r/malice/yara/) [![Docker Pulls](https://img.shields.io/docker/pulls/malice/yara.svg)](https://hub.docker.com/r/malice/yara/) [![Docker Image](https://img.shields.io/badge/docker%20image-38.5MB-blue.svg)](https://hub.docker.com/r/malice/virustotal/)

Malice Yara Plugin

22 changes: 22 additions & 0 deletions docs/SAMPLE.md
@@ -0,0 +1,22 @@
#### Yara
| Rule | Description | Offset | Data | Tags |
|-------------|--------------|-------------|-------------|-------------|
| `Contains_PE_File` | Detect a PE file inside a byte sequence | `0x0` | "MZ" | [] |
| `maldoc_function_prolog_signature` | | `0x1454` | "U\x8b\xec\x81\xec" | [] |
| `maldoc_structured_exception_handling` | | `0x5a55` | "d\xa1\x00\x00\x00\x00" | [] |
| `maldoc_suspicious_strings` | | `0x67ec` | "CloseHandle" | [] |
| `PEiD_00138_Armadillo_v1_71_` | [Armadillo v1.71] | `0x5a46` | "U\x8b\xecj\xffh b@\x00h\xc6[@\x00d\xa1" | [] |
| `PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_` | [dUP v2.x Patcher --> www.diablo2oo2.cjb.net] | `0x4e` | "This program cannot be ru" | [] |
| `PEiD_00729_Free_Pascal_1_06_` | [Free Pascal 1.06] | `0x3a12` | "\xc6\x05\xc0\x84@\x00O\xe8k\x04\x00\x00" | [] |
| `PEiD_01101_Microsoft_Visual_C___v5_0_v6_0__MFC__` | [Microsoft Visual C++ v5.0/v6.0 (MFC)] | `0x5a46` | "U\x8b\xecj\xffh b@\x00h\xc6[@\x00d\xa1\x00\x00\x00\x00P" | [] |
| `PEiD_01108_Microsoft_Visual_C___v6_0_` | [Microsoft Visual C++ v6.0] | `0x5a46` | "U\x8b\xecj\xffh b@\x00h\xc6[@\x00d\xa1\x00\x00\x00\x00Pd\x89%" | [] |
| `PEiD_01110_Microsoft_Visual_C___v6_0_` | [Microsoft Visual C++ v6.0] | `0x5a46` | "U\x8b\xecj\xffh b@\x00h\xc6[@\x00d\xa1\x00\x00\x00\x00Pd\x89%" | [] |
| `PEiD_01125_Microsoft_Visual_C___` | [Microsoft Visual C++] | `0x5a46` | "U\x8b\xecj\xffh b@\x00h\xc6[@\x00d\xa1\x00\x00\x00\x00Pd\x89%" | [] |
| `_dUP_v2x_Patcher__wwwdiablo2oo2cjbnet_` | dUP v2.x Patcher --> www.diablo2oo2.cjb.net | `0x4e` | "This program cannot be ru" | [] |
| `_Microsoft_Visual_Cpp_` | Microsoft Visual C++ | `0x5a46` | "U\x8b\xecj\xffh b@\x00h\xc6[@\x00d\xa1\x00\x00\x00\x00Pd\x89%" | [] |
| `_Free_Pascal_v106_` | Free Pascal v1.06 | `0x3a12` | "\xc6\x05\xc0\x84@\x00O\xe8k\x04\x00\x00" | [] |
| `_Armadillo_v171_` | Armadillo v1.71 | `0x5a46` | "U\x8b\xecj\xffh b@\x00h\xc6[@\x00d\xa1" | [] |
| `_Microsoft_Visual_Cpp_v60_` | Microsoft Visual C++ v6.0 | `0x5a46` | "U\x8b\xecj\xffh b@\x00h\xc6[@\x00d\xa1\x00\x00\x00\x00Pd\x89%" | [] |
| `_Microsoft_Visual_Cpp_v50v60_MFC_` | Microsoft Visual C++ v5.0/v6.0 (MFC) | `0x5a46` | "U\x8b\xecj\xffh b@\x00h\xc6[@\x00d\xa1\x00\x00\x00\x00P" | [] |
> NOTE: **Data** truncated to 25 characters