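# Notebook-style script (IPython cell magics are kept exactly as written; each
# ``%%yara`` line starts a cell whose rule text is compiled and bound to the
# name given by ``-n``).
from pprint import pprint

%%yara -n myrules
/* My first rule called "helloworld" with category "testing" */
rule helloworld : testing
{
    meta:
        version = "0.1"
    strings:
        $a = "hello" ascii
        $b = "world" nocase
    condition:
        all of them
}

# Run the compiled rules over an in-memory string: $a is case-sensitive
# ("hello" is present as-is), $b is ``nocase`` so "WoRlD" satisfies it.
pprint(
    myrules.match_data(data="This is a hello WoRlD test")
)

# Deliberately broken rule: "conditio:" is misspelled, so this cell fails to
# compile and shows what a YARA syntax error looks like.
%%yara
rule badrule
{
    strings:
        $a = "hello"
    conditio: //<-- oops
        all of them
}

# Base Volatility import
import volatility.conf as conf
import volatility.registry as registry
import volatility.commands as commands
import volatility.addrspace as addrspace

# Manual equivalent of the vol.py bootstrap: discover plugins and register
# their options on a fresh config object.
registry.PluginImporter()
config = conf.ConfObject()
registry.register_global_options(config, commands.Command)
registry.register_global_options(config, addrspace.BaseAddressSpace)
cmds = registry.get_plugin_classes(commands.Command, lower = True)

# Use-case specific imports
from volatility.plugins.filescan import PSScan
import volatility.utils as utils
import volatility.constants as constants

# Profile and memory image under analysis; LOCATION is a URL, not a bare path.
config.PROFILE = "WinXPSP2x86"
config.LOCATION = "file:///c:/ds_fuzz_hidden_proc.img"


# A simplified (and surely imperfect) merging of code from YaraScan, VadYaraScanner, and BaseYaraScanner from volatility.malfind
def yrscan(task, rules, contextsize=16):
    """Scan every VAD region of *task* with the compiled YARA *rules*.

    Args:
        task: a Volatility process object; ``task.get_vads()`` must yield
            ``(vad, address_space)`` pairs with ``vad.Start``/``vad.Length``.
        rules: compiled rules exposing ``match_data(data)``; the result is
            read as a dict whose ``'main'`` entry is a list of match dicts,
            each carrying a ``'strings'`` list of hits with an ``'offset'``.
        contextsize: accepted for interface compatibility; not used here.

    Returns:
        list of ``(chunk_base, match)`` tuples where ``chunk_base`` is the
        virtual address of the chunk the match was found in (add a hit's
        ``offset`` to it to get the hit's virtual address).
    """
    results = []
    for vad, address_space in task.get_vads():
        offset = vad.Start
        maxlen = vad.Length
        # Walk the region in SCAN_BLOCKSIZE steps, reading 1024 bytes beyond
        # each step so a string that straddles a step boundary is still seen.
        i = offset
        while i < offset + maxlen:
            to_read = min(constants.SCAN_BLOCKSIZE + 1024, offset + maxlen - i)
            # zread is assumed to return zero-filled bytes for unavailable
            # pages instead of raising -- TODO confirm for this address space.
            data = address_space.zread(i, to_read)
            if data:
                for match in rules.match_data(data).get('main', []):
                    # Keep a match only if every hit starts inside the
                    # SCAN_BLOCKSIZE window: hits in the 1024-byte overlap
                    # are reported again by the next chunk, so dropping them
                    # here avoids duplicates. A string longer than the
                    # overlap that straddles a boundary can still be missed.
                    if all(hit['offset'] < constants.SCAN_BLOCKSIZE
                           for hit in match.get('strings', [])):
                        results.append((i, match))
            i += constants.SCAN_BLOCKSIZE
    return results


# NOTE(review): the pattern only matches Desktop file names of 1-20 characters
# drawn from [\w .-]; longer names or names with other characters (e.g.
# parentheses) are not reported.
%%yara -n volarules
rule exe_on_desktop
{
    // Look for files on the Desktop that end in .exe
    strings:
        $a = /\\Desktop\\[\w .-]{1,20}\.exe/ nocase
    condition:
        all of them
}

# PSScan finds process objects by scanning for pool tags, so it can also
# surface exited or unlinked processes (hence the exit time below).
ps = PSScan(config)
for task in ps.calculate():
    # Pass the compiled rules object to our method yrscan
    hits = yrscan(task, volarules)
    if not hits:
        # ``continue`` is meant here; a bare ``next`` would only evaluate
        # the builtin and do nothing.
        continue
    print '-----------------------------------'
    print 'Process name: %s' % task.ImageFileName
    print 'PID: %s' % task.UniqueProcessId
    print 'PPID: %s' % task.InheritedFromUniqueProcessId
    print 'Create time: %s' % (task.CreateTime or '')
    print 'Exit time: %s' % (task.ExitTime or '')
    for addr, hit in hits:
        print '> Rule name: %s' % hit.get('rule')
        for string in hit.get('strings', []):
            # Modified from original
            # https://code.google.com/p/volatility/source/browse/tags/Volatility-2.1.0/volatility/plugins/malware/malfind.py#481
            # Address printed per row = chunk base (addr) + hit offset inside
            # the chunk + hexdump row offset (o).
            print "".join(
                ["{0:#010x} {1:<48} {2}\n".format(string.get('offset') + addr + o, h, ''.join(c))
                 for o, h, c in utils.Hexdump(string.get('data', ''))])

import pandas as pd
from cStringIO import StringIO

# Small sample of user-agent strings, one per line; entries containing commas
# are quoted so read_csv keeps them as a single field.
useragentcsv = """useragent
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17"
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.65 Safari/537.36"
"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36"
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.65 Safari/537.36"
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.72 Safari/537.36"
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.152 Safari/537.22"
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
"Mozilla/5.0 (iPhone; CPU iPhone OS 6_1 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10B144 Safari/8536.25"
"Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A403 Safari/8536.25"
Mozilla/5.0 (Windows NT 5.1; rv:16.0) Gecko/20100101 Firefox/16.0
Googlebot/2.1 (+http://www.google.com/bot.html)
"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.66 Safari/537.36"
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17"
"""
df = pd.read_csv(StringIO(useragentcsv))
df.head(5)

# ``-e useragent`` declares an external variable the rules below test; the
# column values are passed in as variable values, never spliced into rule
# text, so untrusted user-agent strings cannot alter the rules.
# NOTE(review): Chrome25Plus only covers Chrome 25-39 (2[5-9] or 3[0-9]);
# Chrome 40 and later do not match despite the rule's name.
%%yara -n uarules -e useragent
rule iPad_iPhone
{
    condition:
        useragent contains "iPhone;" or useragent contains "iPad;"
}

rule Chrome25Plus
{
    condition:
        useragent matches /Chrome\/((2[5-9])|3[0-9])/
}


def yarafilter(rules):
    """Build a per-row function that evaluates *rules* against a DataFrame row.

    The columns listed in ``externals`` are handed to YARA as external
    variables; the scanned data is a single space because the rules decide on
    the externals alone.

    Args:
        rules: compiled rules exposing ``match(data=..., externals=...)``
            whose result is read as a dict with a ``'main'`` list of matches.

    Returns:
        callable taking a row (``pandas.Series``) and returning the names of
        the matching rules joined by commas, or ``''`` when nothing matched.
    """
    # Column names used as external variables in the yara rules.
    externals = ['useragent']

    def worker(row):
        m = rules.match(data=" ", externals=row[externals].to_dict())
        if not m:
            return ''
        return ','.join([y.get('rule', '') for y in m.get('main', [])])

    return worker


df['yarahits'] = df.apply(yarafilter(uarules), axis=1)
df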