package main
import (
"sort"
// "github.com/fatih/color"
"fmt"
"strings"
)
// find_string reports whether needle occurs in haystack.
//
// The lookup is a binary search through sort.SearchStrings, so haystack
// must already be sorted in ascending order; the callers in this file sort
// their copy of the matched rule names before calling it. Only an exact
// element match counts — a rule name that merely shares a prefix with
// needle is not a hit.
func find_string(haystack []string, needle string) bool {
	pos := sort.SearchStrings(haystack, needle)
	return pos < len(haystack) && haystack[pos] == needle
}
// make_comment_line formats one comment line, " title : data", terminated
// by Config.LineBreak. When data is empty only the title is emitted, so the
// line reads as a bare flag (for example "contains base64").
//
// An earlier revision colourised OK/YES and NG/NO values through
// github.com/fatih/color; that import is commented out at the top of the
// file and no colouring is applied here.
func make_comment_line(title, data string) string {
	line := " " + title
	if data != "" {
		line += " : " + data
	}
	return line + Config.LineBreak
}
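// arrange_tags returns the entries of rules whose tag at the same index
// contains tag_name as a substring.
//
// tags and rules are treated as parallel slices (the caller passes
// record.matched_tags and record.matched_rules). The original loop indexed
// tags by len(rules), which panics with an index-out-of-range when tags is
// the shorter slice; only the indexes present in both slices are examined
// now, and a nil or empty input yields a nil result.
//
// The comparison is a substring test, not an exact tag comparison, so
// tag_name "PEiD" also selects a tag such as "PEiD_custom". That loose
// matching is the existing behaviour and is deliberately kept.
func arrange_tags(tag_name string, tags, rules []string) (arranged []string) {
	n := len(rules)
	if len(tags) < n {
		n = len(tags)
	}
	for i := 0; i < n; i++ {
		if strings.Contains(tags[i], tag_name) {
			arranged = append(arranged, rules[i])
		}
	}
	return arranged
}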
// add_comment builds the human-readable comment for one YARA scan result
// from record.matched_rules and record.matched_tags. The returned bool is
// false when none of the rules of interest matched and the comment is empty.
//
// The PE-specific lines (DLL, Packed, Anti-Debug, GUI Program, Console
// Program, mutex) are emitted only when an IsPE32 or IsPE64 rule matched.
// For the Anti-Debug, GUI Program and Console Program lines a negative
// result is written as "no (yes)" when IsPacked also matched — presumably
// "not detected, but possibly hidden by the packer"; confirm with the
// rule set's author before relying on that reading.
//
// Rule names grouped under the PEiD and AntiDebug tags are rendered with %q,
// so each name appears quoted and escaped in the output.
func add_comment(record YaraRecord) (string, bool) {
	// find_string binary-searches, so work on a sorted copy and leave the
	// record's own slice order untouched.
	rules := append([]string(nil), record.matched_rules...)
	sort.Strings(rules)

	var out strings.Builder
	matched := func(rule string) bool { return find_string(rules, rule) }
	line := func(title, data string) { out.WriteString(make_comment_line(title, data)) }

	isPE := true
	switch {
	case matched("IsPE32"):
		line("PE", "32 bit")
	case matched("IsPE64"):
		line("PE", "64 bit")
	default:
		isPE = false
	}

	if isPE {
		if matched("IsDLL") {
			line("DLL", "yes")
		} else {
			line("DLL", "no")
		}

		packed := matched("IsPacked")
		if packed {
			line("Packed", "yes")
		} else {
			line("Packed", "no")
		}

		// A negative answer is softened to "no (yes)" for packed samples.
		maybeHidden := func(title, rule string) {
			switch {
			case matched(rule):
				line(title, "yes")
			case packed:
				line(title, "no (yes)")
			default:
				line(title, "no")
			}
		}
		maybeHidden("Anti-Debug", "anti_dbg")
		maybeHidden("GUI Program", "IsWindowsGUI")
		maybeHidden("Console Program", "IsConsole")

		if matched("win_mutex") {
			line("mutex", "yes")
		}
	}

	if matched("contentis_base64") {
		line("contains base64", "")
	}

	// Tag groups use the record's original (unsorted) slices, as the
	// tags and rules are matched up by index.
	for _, tag := range []string{"PEiD", "AntiDebug"} {
		if byTag := arrange_tags(tag, record.matched_tags, record.matched_rules); len(byTag) > 0 {
			line(tag, fmt.Sprintf("%q", byTag))
		}
	}

	comment := out.String()
	return comment, len(comment) > 0
}