Swift - Yara Malware Detection для любого файла macOS или iOS ⇐ IOS

[Anonymous]

Я пишу логику, чтобы обнаружить, содержит ли выбранный файл, угрожающий вредоносным программным обеспечением или сейчас. В настоящее время, используя код ниже, я всегда получаю вредоносные программы, обнаруживая результаты, даже случай успеха. Пожалуйста, помогите мне в этом < /p>
rules.yara

rule TestMalware {
strings:
$malware = "malicious pattern"
condition:
$malware // Match only if the string is found
}
< /code>
viewcontroller.swift
import Cocoa

class ViewController: NSViewController {

private var yaraRules: UnsafeMutablePointer?

override func viewDidLoad() {
super.viewDidLoad()
if !initializeYARA() {
handleError("YARA initialization failed.")
}
}

deinit {
cleanupYARA()
}

private func initializeYARA() -> Bool {
// Initialize YARA library
guard yr_initialize() == ERROR_SUCCESS else {
handleError("Failed to initialize YARA.")
return false
}

// Get the rule file path from the bundle
guard let ruleFilePath = Bundle.main.path(forResource: "rules", ofType: "yara") else {
handleError("Could not find YARA rule file in bundle.")
yr_finalize()
return false
}

print("Rule file path: \(ruleFilePath)")

// Open the rules file
guard let cString = ruleFilePath.cString(using: .utf8),
let fileHandle = fopen(cString, "r") else {
handleError("Failed to open rules file.")
yr_finalize()
return false
}

defer {
fclose(fileHandle)
}

// Create the YARA compiler
var compiler: UnsafeMutablePointer?
guard yr_compiler_create(&compiler) == ERROR_SUCCESS else {
handleError("Failed to create YARA compiler.")
yr_finalize()
return false
}

defer {
yr_compiler_destroy(compiler)
}

// Add rules file to compiler
if yr_compiler_add_file(compiler, fileHandle, nil, nil) != ERROR_SUCCESS {
handleError("Failed to compile YARA rules.")
yr_finalize()
return false
}

// Get compiled rules
guard yr_compiler_get_rules(compiler, &yaraRules) == ERROR_SUCCESS else {
handleError("Failed to load compiled YARA rules.")
yr_finalize()
return false
}

print("YARA rules successfully loaded.")
return true
}

@IBAction func actionYARAScanButtonTapped(_ sender: Any) {
guard yaraRules != nil else {
handleError("YARA rules not initialized. Please initialize first.")
return
}
runMalwareScan()
}
}

extension ViewController {

private func runMalwareScan() {
let openPanel = NSOpenPanel()
openPanel.message = "Select a file to scan for malware"
openPanel.canChooseFiles = true
openPanel.canChooseDirectories = false
openPanel.allowsMultipleSelection = false

openPanel.begin { [weak self] result in
guard result == .OK, let filePath = openPanel.url?.path else { return }
print("Selected file for scanning: \(filePath)")

if let isMalicious = self?.scanFile(at: filePath), isMalicious {
self?.showScanResult(" Malware Detected!", "The selected file has a suspicious extension.")
} else {
self?.showScanResult(" File Clean", "No suspicious extensions were detected in the selected file.")
}
}
}

func scanFile(at path: String) -> Bool {
guard let rules = yaraRules else {
handleError("YARA rules not initialized")
return false
}

// Read file content into memory
guard let fileData = try? Data(contentsOf: URL(fileURLWithPath: path)) else {
handleError("Failed to read file content at path: \(path)")
return false
}

// Print file content for debugging
if let fileContent = String(data: fileData, encoding: .utf8) {
print("File content: \(fileContent)")
}

var matchFound = false

let callback: YR_CALLBACK_FUNC = { context, message, rule, userData in
guard let userData = userData else { return CALLBACK_ERROR }
let matchFoundPtr = userData.assumingMemoryBound(to: Bool.self)
matchFoundPtr.pointee = true

if let rule = rule {
let rulePointer = rule.assumingMemoryBound(to: YR_RULE.self)
let ruleIdentifier = String(cString: rulePointer.pointee.identifier)
print("[YARA Match] Rule matched: \(ruleIdentifier)") // Debugging matched rule
}

return CALLBACK_CONTINUE
}

let result = fileData.withUnsafeBytes { bytes in
yr_rules_scan_mem(
rules,
bytes.baseAddress,
fileData.count,
SCAN_FLAGS_FAST_MODE,
callback,
&matchFound,
0
)
}

guard result == ERROR_SUCCESS else {
handleError("Scan failed with error: \(result)")
return false
}

print("Match found: \(matchFound)") // Debugging match result
return matchFound
}

private func cleanupYARA() {
if let rules = yaraRules {
yr_rules_destroy(rules)
}
yr_finalize()
}

private func showScanResult(_ title: String, _ message: String) {
DispatchQueue.main.async {
let alert = NSAlert()
alert.messageText = title
alert.informativeText = message
alert.alertStyle = .informational
alert.addButton(withTitle: "OK")
alert.runModal()
}
}
}

extension ViewController {
private func handleError(_ message: String) {
print("[YARA Error] \(message)")
let alert = NSAlert()
alert.messageText = "YARA Error"
alert.informativeText = message
alert.alertStyle = .warning
alert.addButton(withTitle: "OK")
alert.runModal()
}
}


Подробнее здесь: https://stackoverflow.com/questions/793 ... cos-or-ios