Contributing is easy! All of malcontent's rules are in YARA format: just throw a new rule into the rules/ subdirectory and you are ready to go.
You can verify that your new rule works by running:
go run ./cmd/mal analyze <path>
For debugging rules, it's sometimes useful to use the yara command:
yara -s -w rules/combo/dropper/shell.yara <path>
unit tests:
make test
integration tests:
make integration
Generate an html report in out/coverage.html:
make coverage-html
Open the coverage report in a browser automatically:
make coverage-browser
Not every rule needs a test, but tests do ensure that a rules behavior stays consistent:
- Add a sample to https://github.com/chainguard-sandbox/malcontent-samples
- Create a directory within
test_datausing the same directory name as your sample:
mkdir -p test_data/macOS/2024.Rustdoor/
- Create an empty file for a specific sample file with the ending name of ".simple":
touch test_data/macOS/2024.Rustdoor/fakepdf.sh.simple
- Refresh all the testdata:
make refresh-sample-testdata
malcontent can be profiled by running --profile=true. This will generate timestamped profiles in an untracked profiles directory:
bash-5.2$ ls -l profiles/ | grep -v "total" | awk '{ print $9 }'
cpu_329605000.pprof
mem_329605000.pprof
trace_329605000.out
The traces can be inspected via go tool pprof and go tool trace.
For example, the memory profile can be inspected by running:
go tool pprof -http=:8080 profiles/mem_<timestamp>.pprof
If you get this error at installation:
ld: library 'yara' not found
The yara C library is required:
brew install yara || sudo apt install libyara-devel || sudo dnf install yara-devel || sudo pacman -S yara
Additionally, ensure that Yara's version is 4.3.2.
If this version is not available via package managers, manually download the release from here and build it from source by following these steps.
Once Yara is installed, run sudo ldconfig -v to ensure that the library is loaded.