Neo23x0 / Raccine

A Simple Ransomware Vaccine
The Unlicense

Rewrite YARA runner to modern C++ #48

Closed Eran-YT closed 3 years ago

Eran-YT commented 3 years ago

This rewrites most of the YARA code into C++ and moves it into a class

Neo23x0 commented 3 years ago

Does not build anymore. Maybe I made a mistake in that merge from master due to conflicts. It removed two functions TestYaraRulesOnFile and TestYaraRulesOnFile from Raccine.cpp. But even if I re-add them, the build fails.

Eran-YT commented 3 years ago

I’ll fix it when I can

Eran-YT commented 3 years ago

It compiles now, I think the issue was that I used std::ranges::transform that is only available in Visual Studio Preview @Neo23x0

Neo23x0 commented 3 years ago

Could you resolve the conflicts? I guess this happened due to some change overlaps with other pull requests.

Neo23x0 commented 3 years ago

After merging the two other pull requests, it doesn't match with the YARA rules anymore and prints a string to command line showing the full invoked command line check with yara64.exe

Screenshot 2020-10-22 135616

Eran-YT commented 3 years ago

> After merging the two other pull requests, it doesn't match with the YARA rules anymore and prints a string to command line showing the full invoked command line check with yara64.exe
>
> Screenshot 2020-10-22 135616

That’s in this PR? Or in the main branch?

Neo23x0 commented 3 years ago

On the main branch after merging the two other PRs. I thought that maybe this PR fixes it, once it gets merged, since it refactors the YARA handling, which is broken.

Eran-YT commented 3 years ago

I’m not sure if this PR fixes it, but I’ll resolve the conflicts and make sure the yara handling works later today

Eran-YT commented 3 years ago

But we really need some tests and a CI/CD pipeline to make sure that this kind of thing happens again

Eran-YT commented 3 years ago

I resolved the conflicts, and it works on my machine, can you verify the YARA handling works?

Neo23x0 commented 3 years ago

> But we really need some tests and a CI/CD pipeline to make sure that this kind of thing happens again

I was thinking about GitHub's Azure pipelines but I've tried it once and failed to implement a simple test with one of my projects. I didn't spend more than 30 mins though. Maybe @mback2k can give us a hand?

Eran-YT commented 3 years ago

Can you verify the YARA handling works now @Neo23x0 ?

Neo23x0 commented 3 years ago

Screenshot 2020-10-22 223709

I get build errors

Eran-YT commented 3 years ago

I fixed those, did you pull from the branch?

Neo23x0 commented 3 years ago

Okay, I pulled the newest changes and it builds. I can't see the YARA Matching, not even the invocation of the yara64.exe process.

Simple test:

powershell -ENCOD Jaaaaa

should produce a YARA rule match

Neo23x0 commented 3 years ago

I think we should add a Debug flag in Registry that would write more lines to the log or eventlog when set to 1.

Eran-YT commented 3 years ago

> I think we should add a Debug flag in Registry that would write more lines to the log or eventlog when set to 1.

That's a good idea

Eran-YT commented 3 years ago
> powershell -ENCOD Jaaaaa

While debugging, I found out that

powershell -ENCOD Jaaaaa

does NOT trigger the YARA rule, but

powershell.exe -ENCOD Jaaaaa

does trigger it. This can be seen in the ma_emotet.yar rule:

    /* Encoded Command */
    $s1 = ".exe -ENCOD " ascii

Is this correct?
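An added worked example (not code from the Raccine project or from anyone in this thread) that reproduces the behaviour described above: it parses the text strings of a small YARA rule and checks which of them match a given command line. Only `$s1` is taken from the quoted ma_emotet.yar snippet; the rule name and the second string `$s2` (with the `wide nocase` modifiers) are assumptions added to show how modifiers change the outcome.

```python
import re

# Constructed rule text. $s1 is the string quoted from ma_emotet.yar above;
# the rule name and $s2 are assumptions for this example only.
RULE_TEXT = r'''
rule Encoded_Command_Example {
    strings:
        /* Encoded Command */
        $s1 = ".exe -ENCOD " ascii
        $s2 = ".exe -ENCOD " wide nocase
    condition:
        any of them
}
'''

# Matches a YARA text string definition: $id = "literal" [ascii|wide|nocase ...]
STRING_RE = re.compile(
    r'^\s*(\$\w+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*'
    r'((?:ascii|wide|nocase)(?:\s+(?:ascii|wide|nocase))*)?\s*$')

def parse_strings(rule_text):
    """Return (identifier, literal, modifier set) for each text string."""
    out = []
    for line in rule_text.splitlines():
        m = STRING_RE.match(line)
        if m:
            mods = set((m.group(3) or "ascii").split())
            out.append((m.group(1), m.group(2), mods))
    return out

def encodings(literal, mods):
    """YARA text strings match ASCII bytes by default; 'wide' adds UTF-16LE."""
    forms = []
    if "ascii" in mods or "wide" not in mods:
        forms.append(literal.encode("ascii"))
    if "wide" in mods:
        forms.append(literal.encode("utf-16-le"))
    return forms

def matching_strings(rule_text, data):
    """Identifiers of all strings in rule_text that occur in the bytes `data`."""
    hits = []
    for ident, literal, mods in parse_strings(rule_text):
        nocase = "nocase" in mods
        hay = data.lower() if nocase else data      # bytes.lower() only folds ASCII
        for needle in encodings(literal, mods):
            if (needle.lower() if nocase else needle) in hay:
                hits.append(ident)
                break
    return hits

def triggers(rule_text, cmdline):
    """True if the (ASCII) command line would satisfy 'any of them'."""
    return bool(matching_strings(rule_text, cmdline.encode("utf-8")))
```

Because `$s1` is a plain case-sensitive literal that starts with `.exe`, `powershell -ENCOD Jaaaaa` contains no occurrence of it, while `powershell.exe -ENCOD Jaaaaa` does.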

Eran-YT commented 3 years ago

Also

vssadmin.exe delete shadows

Triggers the YARA rule

Neo23x0 commented 3 years ago

Oh, yes, that was my fault, sorry.