Open JohnLaTwC opened 3 years ago
Adding my 2 cents to this issue: it could be interesting to integrate https://github.com/microsoft/vcpkg into the pipeline to handle the yara lib.
Support for yara 4.0.2 was merged not long ago: https://github.com/microsoft/vcpkg/tree/master/ports/yara
Another reason this is important is to remove a possible infinite loop. Imagine someone sets raccine to intercept cmd.exe and it gets invoked. Well, raccine intercepts it via IFEO keys and spawns runyara.bat to apply yara rules. Running a batch file creates another...cmd.exe. Which invokes raccine, which runs runyara.bat, which... you get the picture. So probably need to look at this sooner rather than later.
Today our installer ships yara64.exe to support our Yara rules. I think eventually we want to move to incorporating yara as a library so it's linked into raccine.exe. Some pros/cons to think through:
Pros for status quo:

- Today getting a new drop of yara is as simple as taking the release binaries from the yara project and including them.
- No need to build the yara library ourselves or deal with keeping yara source in sync with its master.

Cons (arguments for moving to a linked yaralib):

- Every interception calls `CreateProcess` for each .yar rule--imagine when a user copies their favorite rule repo of 100 .yar rules into our rules directory. This is an expensive API. It's also a common interception point for local anti-virus and security programs. The more work you do in the CP code path, the more potential for conflicts and side effects down the road in deployment. Having a yara.lib would avoid the need for additional `CreateProcess` calls because all the yara checks would happen in raccine.exe. As raccine interception points grow, some of them may be invoked quite frequently--we already hook powershell. So we need to be thoughtful about this.
- We can have better control over our use of Yara. Examples: `import context` just like the pe module and add additional context in a more natural way). https://github.com/VirusTotal/yara/blob/7517bbdf8778c37fa494966b39623dc6c2ccfce9/cli/yara.c#L122

References:

- Sources: https://github.com/VirusTotal/yara
- Yara C API: https://yara.readthedocs.io/en/stable/capi.html
- Visual Studio files: https://github.com/VirusTotal/yara/tree/master/windows