YaraScanner Class Reference

The YaraScanner class that is used to scan a file using YARA rules. More...

#include <PanoptesYara.h>

Classes
struct	ScanData
	The data that is sent to the Panoptes Service. More...

Public Member Functions
	YaraScanner (const char *Rules)
	Intializes Yara memory and attempts to load supplied yara rules.
	~YaraScanner ()
	Destructor for the YaraScanner class that destroys the YARA rules.
std::vector< std::string >	YaraScanFile (std::string PathToFile)
	Scan a file using YARA rules.

Detailed Description

The YaraScanner class that is used to scan a file using YARA rules.

Definition at line 20 of file PanoptesYara.h.

Constructor & Destructor Documentation

YaraScanner()

YaraScanner::YaraScanner

(

const char *

rulesPath

)

Intializes Yara memory and attempts to load supplied yara rules.

Parameters

rulesPath

Definition at line 37 of file yara-scan.cpp.

                                             {
    YRX_RESULT result = YRX_NOT_SUPPORTED; 
 
    auto readBuffer = readFileToBuffer(rulesPath);
    
    if (readBuffer.empty()) {
        throw std::runtime_error("Failed to read rules file");
    }
 
    result = yrx_rules_deserialize(readBuffer.data(), readBuffer.size(), &g_yaraRules);
    if (result != YRX_SUCCESS) {
        throw std::runtime_error("Failed to deserialize YARA rules");
    }   
}

References readFileToBuffer(), and result.

Referenced by PanoEntry().

~YaraScanner()

YaraScanner::~YaraScanner

(

)

Destructor for the YaraScanner class that destroys the YARA rules.

Definition at line 53 of file yara-scan.cpp.

                          {
    if (g_yaraRules != nullptr) {
        yrx_rules_destroy(g_yaraRules);
        g_yaraRules = nullptr;
    }
}

Member Function Documentation

YaraScanFile()

std::vector< string > YaraScanner::YaraScanFile

(

std::string

file_path

)

Scan a file using YARA rules.

Parameters

file_path

The path to the file to scan

Returns

A vector of strings containing the detected rules

Definition at line 81 of file yara-scan.cpp.

{
    std::vector<string> detectedRules;
    YRX_RESULT result = YRX_SUCCESS;
    YRX_SCANNER* scanner = nullptr;
 
    if (g_yaraRules == nullptr) {
        throw std::runtime_error("YARA rules not initialized");
    }
 
    try {
        result = yrx_scanner_create(g_yaraRules, &scanner);
        if (result != YRX_SUCCESS) {
            throw std::runtime_error("Failed to create YARA scanner");
        }
 
        result = yrx_scanner_on_matching_rule(scanner, matchingRule, &detectedRules);
        if (result != YRX_SUCCESS) {
            if (scanner != nullptr) {
                yrx_scanner_destroy(scanner);
            }
            throw std::runtime_error("Failed to set matching rule callback");
        }
 
        std::vector<uint8_t> scanBuffer = readFileToBuffer(file_path);
        if (scanBuffer.empty()) {
            if (scanner != nullptr) {
                yrx_scanner_destroy(scanner);
            }
            throw std::runtime_error("Failed to read file for scanning");
        }
 
        result = yrx_scanner_scan(scanner, scanBuffer.data(), scanBuffer.size());
        if (result != YRX_SUCCESS) {
            if (scanner != nullptr) {
                yrx_scanner_destroy(scanner);
            }
            throw std::runtime_error("Failed to scan file");
        }
    }
    catch (...) {
        if (scanner != nullptr) {
            yrx_scanner_destroy(scanner);
        }
        throw; // Re-throw the exception after cleanup
    }
 
    // Clean up resources
    if (scanner != nullptr) {
        yrx_scanner_destroy(scanner);
    }
 
    return detectedRules;
}

References matchingRule(), readFileToBuffer(), and result.

Referenced by PanoEntry(), and Yara::TEST_F().

---

The documentation for this class was generated from the following files:

• /home/runner/work/Panoptes/Panoptes/src/extensibility/PanoptesYara/include/PanoptesYara.h
• /home/runner/work/Panoptes/Panoptes/src/extensibility/PanoptesYara/src/yara-scan.cpp