AdamWhiteHat/YaraWrapper.cs

## YaraWrapper.cs
using System;
using System.Linq;
using System.Collections.Generic;
using YaraSharp;

namespace YaraUseExample;

public class YaraWrapper : IDisposable
{
    public bool IsDisposed { get; private set; }

    private List<YSRules> _rulesToCleanup;
    private List<YSScanner> _yaraScanners;
    private YSInstance _yaraInstance;
    private YSContext _yaraContext;

    public YaraWrapper()
    {
        IsDisposed = false;
        _rulesToCleanup = new List<YSRules>();
        _yaraScanners = new List<YSScanner>();
        _yaraInstance = new YSInstance();
        _yaraContext = new YSContext();
    }

    public void AddRuleSet(List<string> yaraRuleFiles)
    {
        YSRules compiledRules = null;

        using (YSCompiler compiler = _yaraInstance.CompileFromFiles(yaraRuleFiles, null))
        {

            YSReport warnings = compiler.GetWarnings();
            if (!warnings.IsEmpty())
            {
                // Report warnings
            }
            YSReport errors = compiler.GetErrors();
            if (!errors.IsEmpty())
            {
                // Log errors. Maybe bail?
            }

            compiledRules = compiler.GetRules();
            _rulesToCleanup.Add(compiledRules);
        }

        YSScanner scanner = new YSScanner(compiledRules, null);
        _yaraScanners.Add(scanner);

        // Personally, I use a Dictionary<string, YSScanner> here, where the key is the SHA256 hash of the rule files
        // Then for any rule set, I get the hash and check the dictionary, thereby caching any sets of rules,
        // but this may be overkill for your needs.
        // Just a thought.
    }

    public List<string> ScanFile(string fullFilePath)
    {
        List<string> results = new List<string>();

        foreach (YSScanner scanner in _yaraScanners)
        {
            List<YSMatches> scanResults = scanner.ScanFile(filePath);
            if (scanResults.Any())
            {
                results = scanResults.Select(match => match.Rule.Identifier).ToList();
                // OR
                // List<YSMatch> matches =  scanResults.SelectMany(match => match.Matches.SelectMany(kvp => kvp.Value)).ToList();
            }
        }

        return results.Distinct();
    }

    public void Dispose()
    {
        if (!IsDisposed)
        {
            IsDisposed = true;

            foreach (YSRules rule in _rulesToCleanup)
            {
                rule.Dispose();
            }
            foreach (YSScanner scanner in _yaraScanners)
            {
                scanner.Dispose();
            }

            _yaraContext.Dispose();
            _yaraInstance = null;
        }
    }
}
	using System;
	using System.Linq;
	using System.Collections.Generic;
	using YaraSharp;

	namespace YaraUseExample;

	public class YaraWrapper : IDisposable
	{
	public bool IsDisposed { get; private set; }

	private List<YSRules> _rulesToCleanup;
	private List<YSScanner> _yaraScanners;
	private YSInstance _yaraInstance;
	private YSContext _yaraContext;

	public YaraWrapper()
	{
	IsDisposed = false;
	_rulesToCleanup = new List<YSRules>();
	_yaraScanners = new List<YSScanner>();
	_yaraInstance = new YSInstance();
	_yaraContext = new YSContext();
	}

	public void AddRuleSet(List<string> yaraRuleFiles)
	{
	YSRules compiledRules = null;

	using (YSCompiler compiler = _yaraInstance.CompileFromFiles(yaraRuleFiles, null))
	{

	YSReport warnings = compiler.GetWarnings();
	if (!warnings.IsEmpty())
	{
	// Report warnings
	}
	YSReport errors = compiler.GetErrors();
	if (!errors.IsEmpty())
	{
	// Log errors. Maybe bail?
	}

	compiledRules = compiler.GetRules();
	_rulesToCleanup.Add(compiledRules);
	}

	YSScanner scanner = new YSScanner(compiledRules, null);
	_yaraScanners.Add(scanner);

	// Personally, I use a Dictionary<string, YSScanner> here, where the key is the SHA256 hash of the rule files
	// Then for any rule set, I get the hash and check the dictionary, thereby caching any sets of rules,
	// but this may be overkill for your needs.
	// Just a thought.
	}

	public List<string> ScanFile(string fullFilePath)
	{
	List<string> results = new List<string>();

	foreach (YSScanner scanner in _yaraScanners)
	{
	List<YSMatches> scanResults = scanner.ScanFile(filePath);
	if (scanResults.Any())
	{
	results = scanResults.Select(match => match.Rule.Identifier).ToList();
	// OR
	// List<YSMatch> matches = scanResults.SelectMany(match => match.Matches.SelectMany(kvp => kvp.Value)).ToList();
	}
	}

	return results.Distinct();
	}

	public void Dispose()
	{
	if (!IsDisposed)
	{
	IsDisposed = true;

	foreach (YSRules rule in _rulesToCleanup)
	{
	rule.Dispose();
	}
	foreach (YSScanner scanner in _yaraScanners)
	{
	scanner.Dispose();
	}

	_yaraContext.Dispose();
	_yaraInstance = null;
	}
	}
	}
No results found