Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AccessViolationException #10

Open
jaerith opened this issue May 13, 2020 · 3 comments
Open

AccessViolationException #10

jaerith opened this issue May 13, 2020 · 3 comments

Comments

@jaerith
Copy link

jaerith commented May 13, 2020
edited

I'm attempting to use the library via a simple example:

YSInstance YSInstance = new YSInstance();

Dictionary<string, object> CONST_YS_EXTERNAL_VALUES = 
            new Dictionary<string, object>()
                {
                    { "filename", string.Empty },
                    { "filepath", string.Empty },
                    { "extension", string.Empty }
                };

//	Get list of YARA rules
List<string> ruleFilenames = 
                    Directory.GetFiles(@"F:\Configuration\Yara", "*.yara", SearchOption.AllDirectories).ToList();

YSRules reviewRules = null;

using (YSContext context = new YSContext())
{
    //	Compiling rules
    using (YSCompiler compiler = YSInstance.CompileFromFiles(ruleFilenames, CONST_YS_EXTERNAL_VALUES))
    {
        //  Get compiled rules
        reviewRules = compiler.GetRules();

        YSReport errors = compiler.GetErrors();
        YSReport warnings = compiler.GetWarnings();
    }
}

string[] list = new string[] { "Flare", "Something", "blah blah", "offensive" };
foreach (var TmpVal in list)
{
    byte[] commTextBytes = ASCIIEncoding.ASCII.GetBytes(TmpVal);

    List<YSMatches> Matches =
        YSInstance.ScanMemory(commTextBytes,
                                                  poReviewRules,
                                                  CONST_YS_EXTERNAL_VALUES,
                                                  1000);
}

But when I call "ScanMemory()", I get the following result:

System.AccessViolationException: 'Attempted to read or write protected memory. This is often an indication that other memory is corrupt.'

Have you seen this before?
@jaerith
Copy link
Author

jaerith commented May 14, 2020

No worries. Thanks for the quick response!

I should mention that I'm a newb with the Yara stuff, and I was just trying different libraries, in order to get a feel for what's out there. In truth, I haven't installed Yara on my system yet or built the C++ library yet. I just pulled down the Nuget package and started calling the APIs to become more familiar with it. In fact, I assume that the AccessViolationException could be a result of not having the actual Yara library/executable installed on my machine. So, there's a chance that this is all my fault. :)

@AdamWhiteHat
Copy link

AdamWhiteHat commented Feb 7, 2022
edited

Have you seen this before?

Yeah, you're calling ScanMemory outside of your using statement: using (YSContext context = new YSContext()) { ... }

Your YSContext is already disposed of by then!

Try moving YSInstance.ScanMemory(...) to inside the curly braces.

@ChrisDavies-MSFT
Copy link
Contributor

Yup, that's the answer! I'm sorry I never came back to this! FYI, at some point I plan to start a new repo and upgrade to V4. Unfortunately, StellarBear is no longer working on this project :(

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jaerith @AdamWhiteHat @ChrisDavies-MSFT