# Plugin manifest; the Configuration examples below read it with dotted
# "section.key" paths (e.g. plugin.name).
[plugin]
name = "FeedYara"
description = "Feed yara with internet rules"
# TOML array -- the "Get Fields" example walks it with ipairs
author = [ "@remoob", "@maldeclabs" ]
# Remote rule feed. Rules obtained from the network end up compiled into
# YARA, so this host is effectively trusted; keep the scheme HTTPS.
# NOTE(review): how the download is validated is not shown on this page -- confirm.
[api.valhalla]
base_url = "https://valhalla.nextron-systems.com"
default_output_file = "valhalla-rules.yar"
version = "v1"
1
Loading the file with the configuration
-- Build the configuration object, point it at the file and parse it.
local config_file = "example.conf"
local config = Configuration:new()
config:setup(config_file)
config:load()
2
Get Fields
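-- Read individual fields back with dotted "section.key" paths.
local name = config:get("plugin.name")
-- NOTE(review): the example config on this page has no plugin.version key
-- (its only "version" sits under [api.valhalla]); this prints empty unless
-- the key is added to the file.
local version = config:get("plugin.version")
print("Name plugin : ", name, "Version : ", version)
-- The example config names the key "author" (a TOML array), not "authors";
-- a missing key would leave ipairs with nothing to walk, so the loop also
-- tolerates a nil result.
local authors = config:get("plugin.author")
for _, author in ipairs(authors or {}) do
  print("Author:", author)
end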
Creating personalized logging
You will need to create a new configuration file with a section and then load it as follows:
Try to avoid creating sink names that are the same as others already created, as this may cause problems.
1
Loading the file with the configuration
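-- Same configuration bootstrap as in the Configuration example: create,
-- point at the file, parse.
-- NOTE(review): the earlier example calls load() after setup(); it is done
-- here as well so the parsed sections exist before the logger reads them.
-- Confirm Logging:setup does not load the file itself.
local config = Configuration:new()
config:setup("example.conf")
config:load()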
2
Passing the config to logging
-- Hand the parsed configuration to a fresh logger and bring it up.
local function build_logger(cfg)
  local instance = Logging:new()
  instance:setup(cfg)
  instance:load()
  return instance
end

local logging = build_logger(config)
3
Use the functions provided for logging
-- Emit one line through the configured logger; the Sha helper supplies the payload.
local sha = Sha:new()
local digest = sha:gen_sha256_hash("the_best_engine")
logging:info("sha.gen_sha256_hash(the_best_engine) = " .. digest)
Creating a new instance of Yara
1
Instantiate a new object
local yara = Yara:new() -- holds the rule set; rules are attached in the next step
2
Load a rule from a buffer
-- Compile one rule from an in-memory buffer. The example treats a non-zero
-- status from set_rule_buff as a compile failure (e.g. a syntax error).
local rule_text = [[
rule Malware { condition: true }
]]
yara:load_rules(function ()
  local status = yara:set_rule_buff(rule_text, "Malware")
  if status ~= 0 then
    _engine.logging:error("There is a problem loading the rule, check for possible syntax errors")
  end
end)
_engine.logging:info("yara.rules_loaded_count = " .. tostring(yara.rules_loaded_count)) -- expected 1
3
Scanning with the scan_fast_bytes function
-- Scan a buffer; the callback gets a record whose match_status is 1 on a hit,
-- with the rule name and namespace alongside it.
yara:scan_fast_bytes("malicious_buff", function(data)
  local matched = data.match_status == 1
  if not matched then
    _engine.logging:info("Not match.")
    return
  end
  _engine.logging:warn("Match find rule : " .. data.rule .. " namespace: " .. data.ns)
end)
4
Scanning with the scan_bytes function
-- Lower-level scan: the callback receives raw libyara callback messages and
-- returns a continue/abort code. Codes below are the ones this example uses.
local CALLBACK_MSG_RULE_MATCHING = 1
local CALLBACK_MSG_RULE_NOT_MATCHING = 2
local CALLBACK_MSG_SCAN_FINISHED = 3
local CALLBACK_CONTINUE = 0
local SCAN_FLAGS_FAST_MODE = 1

local function on_scan_message(message, rule)
  if message == CALLBACK_MSG_RULE_MATCHING or message == CALLBACK_MSG_RULE_NOT_MATCHING then
    -- both matching and non-matching rules land here; `message` tells them apart
    _engine.logging:info("Rule identifier" .. rule.identifier)
    _engine.logging:info("Rule ns name" .. rule.ns.name)
  elseif message == CALLBACK_MSG_SCAN_FINISHED then
    _engine.logging:info("The scan was completed successfully ...")
  end
  return CALLBACK_CONTINUE
end

yara:scan_bytes("malicious_buff", on_scan_message, SCAN_FLAGS_FAST_MODE)
Get all rules loaded in Yara
Collect all rules sent to yara
1
Load yara rules
-- Fresh instance with the same single test rule as the earlier example.
local yara = Yara:new()
local rule_text = [[
rule Malware { condition: true }
]]
yara:load_rules(function ()
  if yara:set_rule_buff(rule_text, "Malware") == 0 then
    return
  end
  _engine.logging:error("There is a problem loading the rule, check for possible syntax errors")
end)
2
Call the Yara function (rules_foreach)
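-- Walk every loaded rule and, for each, its meta entries.
-- Closures are balanced: exactly one `end)` per foreach callback (an extra
-- one would be a syntax error and the snippet would not run at all).
yara:rules_foreach(function (rule)
  _engine.logging:info("Rule identifier = " .. rule.identifier)
  yara:metas_foreach(rule, function (meta)
    -- meta.type 2 carries a string; everything else is read from meta.integer.
    -- NOTE(review): the type codes are not listed on this page -- confirm against the engine.
    local value
    if meta.type == 2 then
      value = meta.string
    else
      value = meta.integer
    end
    -- tostring keeps the log line from raising if a meta has no value set
    _engine.logging:info(meta.identifier .. " = " .. tostring(value))
  end)
end)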
Stream Yara rules
Save your yara rules and recover them
1
Create a new Stream
local yr_stream = Stream:new() -- write/read callbacks are attached below; the engine is expected to call them to push and pull rule bytes
2
Add a handler for the write callback
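-- Write callback: each chunk the engine hands us is appended to rules.yarc.
-- The first chunk opens the file in "wb" so a stale rules.yarc left by an
-- earlier run is truncated instead of being appended to (which would corrupt
-- the compiled rule set); later chunks open in "ab". Binary mode keeps the
-- compiled bytes untouched on platforms that translate newlines.
local rules_path = "rules.yarc"
local truncated = false
yr_stream:write(function(data)
  local mode = truncated and "ab" or "wb"
  local f = io.open(rules_path, mode)
  if not f then
    error("Failed to open file: " .. rules_path)
  end
  truncated = true
  local success, err = f:write(data)
  f:close() -- close before raising so the handle is never leaked
  if not success then
    error("Write error: " .. tostring(err))
  end
end)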
Alternative: save the compiled rules directly to a file
-- Uses the engine's own Yara instance (_analysis.scan.yara), not the local `yara` created above.
_analysis.scan.yara:save_rules_file("rules.yarc") -- save rules compiled in file
4
Add a handler for the read callback
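-- Read callback: hands the engine `length` bytes at a time from rules.yarc
-- and an empty string once the file is exhausted.
-- The handle is opened on first use and closed at end-of-file so it is not
-- left open for the rest of the process; after that every call returns "".
local rules_path = "rules.yarc"
local f = nil
local finished = false
yr_stream:read(function(length)
  if finished then
    return ""
  end
  if not f then
    f = io.open(rules_path, "rb")
    if not f then
      error("Failed to open file:" .. rules_path)
    end
  end
  local data = f:read(length)
  if not data then -- nil at end-of-file
    f:close()
    f = nil
    finished = true
    return ""
  end
  return data
end)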
Alternative: load the compiled rules directly from a file
-- NOTE(review): a .yarc is a serialized, compiled rule set. YARA's documentation
-- treats loading compiled rules from an untrusted source as unsafe, so this
-- file should only ever be one the engine wrote itself (see save_rules_file above).
_analysis.scan.yara:load_rules_file("rules.yarc") -- load rules compiled in file
Creating a web gateway
Easily add endpoints to receive and send information using plugins
1
Create a new Web instance
-- Register "/example" on the engine's HTTP server for GET and POST.
-- POST echoes the request body back unchanged (demo behaviour); GET answers
-- with a fixed string. The client address is logged on every request.
local function example_handler(req)
  _engine.logging:info("req.remote_ip_address = " .. req.remote_ip_address) -- Save ip client in log
  if req.method ~= HTTPMethod.Post then
    return Response.new(200, "Method Get")
  end
  return Response.new(200, req.body)
end

Web.new(_engine.server, "/example", example_handler, HTTPMethod.Get, HTTPMethod.Post)
Create and load a model using LLaMA
Load your gguf model and customize your llama
1
Create a new Llama instance
local llama = Llama:new() -- model and context are loaded onto it in the next two steps
2
Load your model
-- Start from the engine's default model parameters, override what we need,
-- then load the weights from the gguf file.
local model_params = llama:load_model_default_params()
model_params.n_gpu_layers = 1 -- number of layers to store in VRAM
llama:load_model_file("llm4decompile.gguf", model_params) --Optional parameter to pass some custom settings
3
Load context
-- Same pattern for the inference context: defaults, one override, load.
local ctx_params = llama:load_context_default_params()
ctx_params.n_threads = 10 -- number of threads to use for generation
llama:load_context(ctx_params) -- Optional parameter to pass some custom settings
-- NOTE(review): `server` is not created in any snippet on this page (only
-- _engine.server appears, in the web gateway example); confirm where it comes from.
server:setup(config, logging)
server:run_async() -- run async server
Parsing the JSON format
With the engine you can create and analyze JSON documents
1
Creating JSON
-- Build a small JSON document: top-level fields plus a list of module
-- objects, the second of which references the first.
local doc = Json:new()
doc:add("engine", "MalDec Engine")
doc:add("version", 1.0)

-- One module object with the four fields every module carries.
local function new_module(id, name, enabled, score)
  local m = Json:new()
  m:add("id", id)
  m:add("name", name)
  m:add("enabled", enabled)
  m:add("score", score)
  return m
end

local scanner = new_module(1, "Scanner Module", true, 95.5)
local rules = new_module(2, "Detection Rules", false, 88.2)
rules:add("dependency", scanner) -- Reference to module1

local modules = { scanner, rules }
doc:add("modules", modules)

-- Serialize and print
print(doc:to_string())