yara-x 1.15.0

A pure Rust implementation of YARA.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99

/*! YARA module that uses [libmagic][1] for recognizing file types.

This allows creating YARA rules that use the file type provided by [libmagic][1].

[1]: https://man7.org/linux/man-pages/man3/libmagic.3.html
 */

use crate::modules::prelude::*;
use crate::modules::protos::magic::*;
use std::cell::RefCell;

#[cfg(feature = "logging")]
use log::*;

#[cfg(test)]
mod tests;

thread_local! {
    static MAGIC: magic::Cookie<magic::cookie::Load> = {
        magic::Cookie::open(Default::default())
            .expect("initialized libmagic")
            .load(&Default::default())
            .expect("loaded libmagic database")
    };

    static TYPE_CACHE: RefCell<Option<String>> = const { RefCell::new(None) };
    static MIME_TYPE_CACHE: RefCell<Option<String>> = const { RefCell::new(None) };
}

#[module_main]
fn main(_data: &[u8], _meta: Option<&[u8]>) -> Result<Magic, ModuleError> {
    // With every scanned file the cache must be cleared.
    TYPE_CACHE.set(None);
    MIME_TYPE_CACHE.set(None);

    Ok(Magic::new())
}

/// Returns the file type provided by libmagic.
#[module_export(name = "type")]
fn file_type(ctx: &mut ScanContext) -> Option<RuntimeString> {
    let cached = TYPE_CACHE.with(|cache| cache.borrow().clone());

    if let Some(cached) = cached {
        return Some(RuntimeString::new(cached));
    }

    match get_type(ctx.scanned_data()?) {
        Ok(type_) => {
            TYPE_CACHE.replace(Some(type_.clone()));
            Some(RuntimeString::new(type_))
        }
        #[allow(unused_variables)]
        Err(err) => {
            #[cfg(feature = "logging")]
            error!("libmagic error: {}", err);
            None
        }
    }
}

/// Returns the MIME type provided by libmagic.
#[module_export(name = "mime_type")]
fn mime_type(ctx: &mut ScanContext) -> Option<RuntimeString> {
    let cached = MIME_TYPE_CACHE.with(|cache| cache.borrow().clone());

    if let Some(cached) = cached {
        return Some(RuntimeString::new(cached));
    }

    match get_mime_type(ctx.scanned_data()?) {
        Ok(type_) => {
            MIME_TYPE_CACHE.replace(Some(type_.clone()));
            Some(RuntimeString::new(type_))
        }
        #[allow(unused_variables)]
        Err(err) => {
            #[cfg(feature = "logging")]
            error!("libmagic error: {}", err);
            None
        }
    }
}

fn get_type(data: &[u8]) -> Result<String, magic::cookie::Error> {
    MAGIC
        .with(|magic| magic.set_flags(Default::default()))
        .expect("set libmagic options");

    MAGIC.with(|magic| magic.buffer(data))
}

fn get_mime_type(data: &[u8]) -> Result<String, magic::cookie::Error> {
    MAGIC
        .with(|magic| magic.set_flags(magic::cookie::Flags::MIME_TYPE))
        .expect("set libmagic options");

    MAGIC.with(|magic| magic.buffer(data))
}