hillu / go-yara

Go bindings for YARA
BSD 2-Clause "Simplified" License

simple-yara failed to run #153

Closed fengchao-1998 closed 3 months ago

fengchao-1998 commented 3 months ago

simple-yara failed to run

Hi, I got a crash when running simple-yara. The configuration and the error output are as follows:

config:

Linux
golang:
   version:
      1.21.5
yara :
    version:
      4.30
    build commands (source install):
      ./bootstrap.sh 
      ./configure --disable-shared --enable-static --without-crypto --prefix="third"
      make && make install

run.sh: 
     export YARA_SRC=$(pwd)/third
     export CGO_CFLAGS="-I${YARA_SRC}/include/"
     export CGO_LDFLAGS="-L${YARA_SRC}/lib/ -lyara"
     go run -tags yara_no_pkg_config main.go  -rule ./online_20220222.yar ./virus/webshell/java/brower.jsp

result:

2024/06/27 15:35:58 <00> Scanning file ./virus/webshell/java/brower.jsp... 
SIGSEGV: segmentation violation
PC=0x4aeeaa m=0 sigcode=1
signal arrived during cgo execution

goroutine 18 [syscall, locked to thread]:
runtime.cgocall(0x4af281, 0xc000127990)
        /usr/local/go/src/runtime/cgocall.go:157 +0x4b fp=0xc000127968 sp=0xc000127930 pc=0x4095ab
github.com/hillu/go-yara/v4._Cfunc_rule_namespace(0x7f29814e1470)
        _cgo_gotypes.go:1166 +0x48 fp=0xc000127990 sp=0xc000127968 pc=0x492788
github.com/hillu/go-yara/v4.(*Rule).Namespace(0x7f2981869508?)
        /home/10306682@zte.intra/go/pkg/mod/github.com/hillu/go-yara/v4@v4.3.2/rule.go:126 +0x1a fp=0xc0001279b0 sp=0xc000127990 pc=0x495a9a
github.com/hillu/go-yara/v4.(*MatchRules).RuleMatching(0xc000112030, 0x506d60?, 0xc000127b50?)
        /home/10306682@zte.intra/go/pkg/mod/github.com/hillu/go-yara/v4@v4.3.2/rules_callback.go:190 +0x57 fp=0xc000127ad0 sp=0xc0001279b0 pc=0x4976d7
github.com/hillu/go-yara/v4.scanCallbackFunc(0x2185880, 0x1, 0x7f29814e1470, 0x30?)
        /home/10306682@zte.intra/go/pkg/mod/github.com/hillu/go-yara/v4@v4.3.2/rules_callback.go:129 +0x282 fp=0xc000127bf8 sp=0xc000127ad0 pc=0x497142
_cgoexp_e4084b5c9b87_scanCallbackFunc(0x7ffd0e6d4930)
        _cgo_gotypes.go:2005 +0x29 fp=0xc000127c28 sp=0xc000127bf8 pc=0x498d09
runtime.cgocallbackg1(0x498ce0, 0xc000127db0?, 0x0)
        /usr/local/go/src/runtime/cgocall.go:329 +0x2c2 fp=0xc000127cf8 sp=0xc000127c28 pc=0x409aa2
runtime.cgocallbackg(0x441bfc?, 0xc000116000?, 0x300000002?)
        /usr/local/go/src/runtime/cgocall.go:245 +0x109 fp=0xc000127d88 sp=0xc000127cf8 pc=0x409749
runtime.cgocallbackg(0x498ce0, 0x7ffd0e6d4930, 0x0)
        <autogenerated>:1 +0x29 fp=0xc000127db0 sp=0xc000127d88 pc=0x4668c9
runtime.cgocallback(0xc000127e10, 0x4095d5, 0x4afdf7)
        /usr/local/go/src/runtime/asm_amd64.s:1035 +0xcc fp=0xc000127dd8 sp=0xc000127db0 pc=0x46436c
runtime.systemstack_switch()
        /usr/local/go/src/runtime/asm_amd64.s:474 +0x8 fp=0xc000127de8 sp=0xc000127dd8 pc=0x4625e8
runtime.cgocall(0x4afdf7, 0xc000127e48)
        /usr/local/go/src/runtime/cgocall.go:175 +0x75 fp=0xc000127e20 sp=0xc000127de8 pc=0x4095d5
github.com/hillu/go-yara/v4._Cfunc_yr_scanner_scan_file(0x2185880, 0x2185a80)
        _cgo_gotypes.go:1804 +0x4b fp=0xc000127e48 sp=0xc000127e20 pc=0x4933cb
github.com/hillu/go-yara/v4.(*Scanner).ScanFile.func3(0xc00010c060?, 0x20?)
        /home/10306682@zte.intra/go/pkg/mod/github.com/hillu/go-yara/v4@v4.3.2/scanner.go:182 +0x46 fp=0xc000127e88 sp=0xc000127e48 pc=0x498086
github.com/hillu/go-yara/v4.(*Scanner).ScanFile(0xc00010c060, {0x7ffd0e6d6ab1?, 0x0?})
        /home/10306682@zte.intra/go/pkg/mod/github.com/hillu/go-yara/v4@v4.3.2/scanner.go:182 +0x88 fp=0xc000127ee0 sp=0xc000127e88 pc=0x497fa8
main.main.func2(0x0?, 0x0?)
        /home/10306682@zte.intra/Go_Code/yara_scanner/main.go:198 +0x51 fp=0xc000127fc0 sp=0xc000127ee0 pc=0x4adad1
main.main.func6()
        /home/10306682@zte.intra/Go_Code/yara_scanner/main.go:202 +0x2b fp=0xc000127fe0 sp=0xc000127fc0 pc=0x4ada4b
runtime.goexit()
        /usr/local/go/src/runtime/asm_amd64.s:1650 +0x1 fp=0xc000127fe8 sp=0xc000127fe0 pc=0x4645c1
created by main.main in goroutine 1
        /home/10306682@zte.intra/Go_Code/yara_scanner/main.go:194 +0x778

goroutine 1 [semacquire]:
runtime.gopark(0x481be8?, 0x0?, 0xc0?, 0x60?, 0x41c596?)
        /usr/local/go/src/runtime/proc.go:398 +0xce fp=0xc000059ba8 sp=0xc000059b88 pc=0x43a70e
runtime.goparkunlock(...)
        /usr/local/go/src/runtime/proc.go:404
runtime.semacquire1(0xc000108018, 0x86?, 0x1, 0x0, 0xc8?)
        /usr/local/go/src/runtime/sema.go:160 +0x218 fp=0xc000059c10 sp=0xc000059ba8 pc=0x449898
sync.runtime_Semacquire(0xc000114000?)
        /usr/local/go/src/runtime/sema.go:62 +0x25 fp=0xc000059c48 sp=0xc000059c10 pc=0x4612c5
sync.(*WaitGroup).Wait(0xc000106060?)
        /usr/local/go/src/sync/waitgroup.go:116 +0x48 fp=0xc000059c70 sp=0xc000059c48 pc=0x46bcc8
main.main()
        /home/10306682@zte.intra/Go_Code/yara_scanner/main.go:220 +0xa25 fp=0xc000059f40 sp=0xc000059c70 pc=0x4ad4e5
runtime.main()
        /usr/local/go/src/runtime/proc.go:267 +0x2bb fp=0xc000059fe0 sp=0xc000059f40 pc=0x43a2bb
runtime.goexit()
        /usr/local/go/src/runtime/asm_amd64.s:1650 +0x1 fp=0xc000059fe8 sp=0xc000059fe0 pc=0x4645c1

goroutine 2 [force gc (idle)]:
runtime.gopark(0x0?, 0x0?, 0x0?, 0x0?, 0x0?)
        /usr/local/go/src/runtime/proc.go:398 +0xce fp=0xc000044fa8 sp=0xc000044f88 pc=0x43a70e
runtime.goparkunlock(...)
        /usr/local/go/src/runtime/proc.go:404
runtime.forcegchelper()
        /usr/local/go/src/runtime/proc.go:322 +0xb3 fp=0xc000044fe0 sp=0xc000044fa8 pc=0x43a593
runtime.goexit()
        /usr/local/go/src/runtime/asm_amd64.s:1650 +0x1 fp=0xc000044fe8 sp=0xc000044fe0 pc=0x4645c1
created by runtime.init.6 in goroutine 1
        /usr/local/go/src/runtime/proc.go:310 +0x1a

goroutine 3 [GC sweep wait]:
runtime.gopark(0x0?, 0x0?, 0x0?, 0x0?, 0x0?)
        /usr/local/go/src/runtime/proc.go:398 +0xce fp=0xc000045778 sp=0xc000045758 pc=0x43a70e
runtime.goparkunlock(...)
        /usr/local/go/src/runtime/proc.go:404
runtime.bgsweep(0x0?)
        /usr/local/go/src/runtime/mgcsweep.go:280 +0x94 fp=0xc0000457c8 sp=0xc000045778 pc=0x427054
runtime.gcenable.func1()
        /usr/local/go/src/runtime/mgc.go:200 +0x25 fp=0xc0000457e0 sp=0xc0000457c8 pc=0x41c405
runtime.goexit()
        /usr/local/go/src/runtime/asm_amd64.s:1650 +0x1 fp=0xc0000457e8 sp=0xc0000457e0 pc=0x4645c1
created by runtime.gcenable in goroutine 1
        /usr/local/go/src/runtime/mgc.go:200 +0x66

goroutine 4 [GC scavenge wait]:
runtime.gopark(0xc000076000?, 0x544ec8?, 0x1?, 0x0?, 0xc000007520?)
        /usr/local/go/src/runtime/proc.go:398 +0xce fp=0xc000045f70 sp=0xc000045f50 pc=0x43a70e
runtime.goparkunlock(...)
        /usr/local/go/src/runtime/proc.go:404
runtime.(*scavengerState).park(0x7fc400)
        /usr/local/go/src/runtime/mgcscavenge.go:425 +0x49 fp=0xc000045fa0 sp=0xc000045f70 pc=0x424929
runtime.bgscavenge(0x0?)
        /usr/local/go/src/runtime/mgcscavenge.go:653 +0x3c fp=0xc000045fc8 sp=0xc000045fa0 pc=0x424ebc
runtime.gcenable.func2()
        /usr/local/go/src/runtime/mgc.go:201 +0x25 fp=0xc000045fe0 sp=0xc000045fc8 pc=0x41c3a5
runtime.goexit()
        /usr/local/go/src/runtime/asm_amd64.s:1650 +0x1 fp=0xc000045fe8 sp=0xc000045fe0 pc=0x4645c1
created by runtime.gcenable in goroutine 1
        /usr/local/go/src/runtime/mgc.go:201 +0xa5

goroutine 5 [finalizer wait]:
runtime.gopark(0x0?, 0x0?, 0x0?, 0x0?, 0x0?)
        /usr/local/go/src/runtime/proc.go:398 +0xce fp=0xc000046620 sp=0xc000046600 pc=0x43a70e
runtime.runfinq()
        /usr/local/go/src/runtime/mfinal.go:193 +0x107 fp=0xc0000467e0 sp=0xc000046620 pc=0x41b427
runtime.goexit()
        /usr/local/go/src/runtime/asm_amd64.s:1650 +0x1 fp=0xc0000467e8 sp=0xc0000467e0 pc=0x4645c1
created by runtime.createfing in goroutine 1
        /usr/local/go/src/runtime/mfinal.go:163 +0x3d

rax    0x200000000
rbx    0xc000127990
rcx    0xc000127990
rdx    0xc000127920
rdi    0x7f29814e1470
rsi    0x7fc4a0
rbp    0x7ffd0e6d4800
rsp    0x7ffd0e6d4800
r8     0x7fc880
r9     0x0
r10    0x890
r11    0xffffffffffffffff
r12    0xc000127a30
r13    0x7275
r14    0xc000116000
r15    0x5
rip    0x4aeeaa
rflags 0x10202
cs     0x33
fs     0x0
gs     0x0

webshell.zip

online_20220222.yar.zip

hillu commented 3 months ago

Using Go 1.22.4 and YARA 4.5.1 as currently shipped in Debian/testing, with go-yara at commit 4f5cd55ec92e1cf17f11e2d74e232a178d1e2f58, I observe no such crash. I shall look into this further next week. In the meantime, could you please tell me which version (or which commit ID) of go-yara you are using? Could you also check whether using the current YARA and Go versions fixes your problem? Thanks.

fengchao-1998 commented 3 months ago

@hillu go.mod file:

module yara_scanner

go 1.21.5

require github.com/hillu/go-yara/v4 v4.3.2
fengchao-1998 commented 3 months ago

@hillu It works with YARA 4.5.1, thanks.

hillu commented 3 months ago

@fengchao-1998 Thanks.