go-yara: Unable to use ScanProc
I am unable to read the memory of the desired process with the PID, and I was also unable to do it with the example provided in this same repository. Do you know why this could be?
When running the code, it gives me this error: could not attach to process
```go
package scan

import (
	"fmt"
	"strings"

	"github.com/hillu/go-yara/v4"
)

func Teca() {
	c, err := yara.NewCompiler()
	if c == nil || err != nil {
		fmt.Println("compiler:", err)
		return
	}
	// The hex string 2e 74 68 65 6d 69 64 61 is ".themida".
	rule := `
rule Suspicious_Injection {
	strings:
		$a1 = {2e 74 68 65 6d 69 64 61}
	condition:
		all of them
}`
	if err = c.AddString(rule, ""); err != nil {
		fmt.Println("add rule:", err)
		return
	}
	r, err := c.GetRules()
	if err != nil {
		fmt.Println("get rules:", err)
		return
	}
	// Scan the memory of PID 9152 with no flags and no timeout; matches are
	// collected into m (MatchRules implements the scan callback).
	var m yara.MatchRules
	err = r.ScanProc(9152, 0, 0, &m)
	if err != nil {
		fmt.Println(err) // this is where "could not attach to process" is printed
		return
	}
	for _, match := range m {
		rule := strings.ReplaceAll(match.Rule, "_", " ")
		fmt.Println(rule)
	}
}
```
About this issue
- State: closed
- Created 10 months ago
- Comments: 23 (9 by maintainers)
Let me add a few Windows experiences about process scanning on Windows. We primarily use the SYSTEM account (because our product is a service) or an Administrator account to scan with yara. You may need to run your PowerShell or cmd.exe terminal as administrator and run your scanner executable in that terminal. I’ve never had an issue with the administrator account except for some protected special Windows processes. Secondly, there may be a security product installed on the system that can block such actions; then exceptions should be added to those products.
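A pre-flight check for the situation described in this comment, as an added example that is not from the issue or from the go-yara project: it tells "not elevated", "PID does not exist" and "access denied" apart before ScanProc is called, because libyara folds all of them into "could not attach to process". It assumes that libyara opens the target with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ; the function name Test-ScanProcAccess and PID 9152 from the issue are just illustrative.

```powershell
# Added example (not go-yara code). Assumption: ScanProc opens the target with
# PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, so probing with the same access
# reproduces the failure with a real Win32 error code instead of a generic message.
Add-Type -Namespace Win32 -Name Proc -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr h);
'@

function Test-ScanProcAccess {
    param([Parameter(Mandatory)][int]$TargetPid)   # do not shadow the automatic $PID
    $PROCESS_QUERY_INFORMATION = 0x0400
    $PROCESS_VM_READ           = 0x0010

    # 1. Is this terminal elevated? Non-elevated sessions cannot read most other processes.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
    if (-not $principal.IsInRole($adminRole)) {
        Write-Warning "Not elevated ($($identity.Name)); ScanProc will most likely fail."
    }

    # 2. Does the PID exist at all?
    if (-not (Get-Process -Id $TargetPid -ErrorAction SilentlyContinue)) {
        return "PID $TargetPid does not exist"
    }

    # 3. Try the same OpenProcess that the scanner needs and decode the Win32 error.
    $access = $PROCESS_QUERY_INFORMATION -bor $PROCESS_VM_READ
    $h   = [Win32.Proc]::OpenProcess($access, $false, $TargetPid)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($h -eq [IntPtr]::Zero) {
        switch ($err) {
            5       { return "ERROR_ACCESS_DENIED: run as Administrator or SYSTEM, or the target is a protected process / blocked by a security product" }
            87      { return "ERROR_INVALID_PARAMETER: the process probably exited" }
            default { return "OpenProcess failed with Win32 error $err" }
        }
    }
    [void][Win32.Proc]::CloseHandle($h)
    return "OK: PID $TargetPid can be opened with the access ScanProc needs"
}

Test-ScanProcAccess -TargetPid 9152
```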