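#!/bin/bash
# Batch-scan memory images with Volatility 3's yarascan plugin: one run per
# (YARA rule file, memory image) pair, with a bounded number of parallel jobs.
#
# Usage: ./batch-vol-nix-yara.sh <volatility_directory> <output_format> <mem_dir> <yara_rule_dir> <output_dir> <number_of_thread>
## Example: ./batch-vol-nix-yara.sh "./volatility/" "quick" "./memory-images/" "./yara-rules/" "./yara-log/" "5"
# Custom Volatility 3 location (directory that contains vol.py)
volatility_directory="$1"
# Output format (quick, csv, json); selects the log file layout and extension
output_format="$2"
# Path to the directory containing the memory image files (*.lime) or a single memory image file
memory_images="$3"
# Path to the directory containing the custom YARA rule files (*.yar / *.yara)
yara_rules_directory="$4"
# Path to the output directory
output_directory="$5"
# Maximum number of parallel scans (defaults to 5)
max_parallel_scans="${6:-5}"
# Validate the limit up front: a non-numeric value would otherwise only fail
# inside the throttling comparison, after the first scans have been launched.
if [[ ! "$max_parallel_scans" =~ ^[1-9][0-9]*$ ]]; then
  printf 'number_of_thread must be a positive integer, got: %s\n' "$max_parallel_scans" >&2
  exit 1
fi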
# Function to perform YARA rule scanning for a single rule and memory image
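#######################################
# Scan one memory image with one YARA rule file via Volatility 3 and log the result.
# Globals:   volatility_directory, output_format, output_directory (read)
# Arguments: $1 - path to the YARA rule file
#            $2 - path to the memory image
# Outputs:   progress lines on stdout; the scan output is appended to the
#            per-image log file under the output directory
# Returns:   1 on an invalid output format or an unwritable log directory,
#            otherwise the exit status of the Volatility run
#######################################
perform_yara_scan() {
  local rule_file="$1"
  local mem_dump="$2"
  local mem_name rule_filename log_file

  # Image name without directory or extension; used as the per-image output folder
  mem_name=$(basename -- "$mem_dump")
  mem_name="${mem_name%.*}"
  # Rule name without directory or extension; spaces are dropped from the log name
  rule_filename=$(basename -- "$rule_file")
  rule_filename="${rule_filename%.*}"

  # Pick the log location from the output format. The output directory is used
  # as given, so an absolute path stays absolute (a "./" prefix would turn it
  # into a path relative to the current directory).
  case "$output_format" in
    quick) log_file="${output_directory}/${mem_name}/yara-rules/${rule_filename// /}.log" ;;
    csv)   log_file="${output_directory}/${mem_name}/csv/yara-rules/${rule_filename// /}.csv" ;;
    json)  log_file="${output_directory}/${mem_name}/json/yara-rules/${rule_filename// /}.json" ;;
    *)
      echo "Invalid output format. Please use 'quick', 'csv', or 'json'." >&2
      # return, not exit: this function runs as a background job, so exit would
      # only end that one job while the others keep running
      return 1
      ;;
  esac

  # Create the log directory; without it the tee/redirects below cannot work
  mkdir -p -- "$(dirname -- "$log_file")" || return 1

  # Build the command as an array and run it directly: every path is passed as
  # one literal argument, so names with spaces, globs or shell metacharacters
  # cannot be split, expanded or interpreted (no eval of a string).
  local -a cmd=(python3 "${volatility_directory}/vol.py" -f "$mem_dump" yarascan.YaraScan --yara-file "$rule_file")

  echo "Scanning with rule: $rule_filename" | tee "$log_file"
  # %q renders each argument shell-quoted so the logged command is unambiguous
  printf 'Command: %s\n' "$(printf '%q ' "${cmd[@]}")" | tee -a "$log_file"
  printf -- '-----\n\n' >> "$log_file"

  # Run the scan and append its output to the log file
  "${cmd[@]}" >> "$log_file"
}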
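# Make the scan function visible to child shells (kept for compatibility; the
# "&" jobs below are forked from this shell and inherit it anyway)
export -f perform_yara_scan

# Resolve the memory images to scan: every *.lime file under a directory, or
# the single file given. Paths are read NUL-delimited so whitespace in names
# cannot split one path into several.
declare -a memory_image_list=()
if [[ -d "$memory_images" ]]; then
  while IFS= read -r -d '' image_path; do
    memory_image_list+=("$image_path")
  done < <(find "$memory_images" -type f -name '*.lime' -print0)
elif [[ -n "$memory_images" ]]; then
  memory_image_list=("$memory_images")
fi

# Collect the rule files in a single walk. .git and .github are pruned (a
# -name test on the directory alone does not skip their contents), and one
# walk avoids the duplicate scans that a recursive find per subdirectory
# produces (each rule would be found once per ancestor directory).
if [[ ! -d "$yara_rules_directory" ]]; then
  printf 'YARA rule directory not found: %s\n' "$yara_rules_directory" >&2
  exit 1
fi
declare -a rule_file_list=()
while IFS= read -r -d '' rule_path; do
  rule_file_list+=("$rule_path")
done < <(find "$yara_rules_directory" -type d \( -name .git -o -name .github \) -prune \
  -o -type f \( -name '*.yara' -o -name '*.yar' \) -print0)

# Launch one scan per (rule, image) pair, at most max_parallel_scans at a time
for rule_file in "${rule_file_list[@]}"; do
  for memory_image in "${memory_image_list[@]}"; do
    perform_yara_scan "$rule_file" "$memory_image" &
    # Throttle: once the limit is reached, block until one running job finishes
    if (( $(jobs -r -p | wc -l) >= max_parallel_scans )); then
      wait -n
    fi
  done
done
# Wait for all remaining parallel scans to finish
wait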