Yara wrapper
class malduck.yara.Yara(rule_paths=None, name='r', strings=None, condition='any of them')

    Represents a Yara ruleset. Rules can either be compiled from a set of rule files (rule_paths, see Yara.from_dir()) or defined in code (a single rule only, built from name, strings and condition).
    The simplest rule, keeping the default identifiers (rule name "r", string identifier "string"):

        from malduck.yara import Yara

        Yara(strings="MALWR").match(data=b"MALWRMALWARMALWR").r.string == [0, 11]
    Example of a more complex rule defined in Python:

        from malduck.yara import Yara, YaraString

        ruleset = Yara(name="MalwareRule", strings={
            "xor_stub": YaraString("This program cannot", xor=True, ascii=True),
            "code_ref": YaraString("E2 34 ?? C8 A? FB", type=YaraString.HEX),
            "mal1": "MALWR",
            "mal2": "MALRW"
        }, condition="( $xor_stub and $code_ref ) or any of ($mal*)")

        # If mal1 or mal2 are matched, they are additionally grouped under "mal"
        # (the common prefix without the trailing digits)

        # Print the matched offsets
        match = ruleset.match(data=b"MALWR MALRW")

        if match:
            # ["mal1", "mal", "mal2"]
            print(match.MalwareRule.keys())
            if "mal" in match.MalwareRule:
                # Note: the order of offsets for grouped strings is undetermined
                print("mal*", match.MalwareRule["mal"])
    Parameters:
        rule_paths (dict) – Dictionary of {"namespace": "rule_path"}. See also Yara.from_dir().
        name (str) – Name of the generated rule (default: "r")
        strings (dict or str or YaraString) – Dictionary representing the set of string patterns ({"string_identifier": YaraString or plain str}). A single str or YaraString is registered under the identifier "string".
        condition (str) – Yara rule condition (default: "any of them")
    static from_dir(path, recursive=True, followlinks=True)

        Find rule files (recursively) under the specified path and compile them into a ruleset. Supported extensions: *.yar, *.yara. Symbolic links are followed by default; disable followlinks for rule directories you do not fully control, so that a link cannot pull rule files in from outside the tree.

        Parameters:
            path (str) – Root path for searching
            recursive (bool) – Search recursively (default: enabled)
            followlinks (bool) – Follow symbolic links (default: enabled)

        Return type:
            Yara
    match(offset_mapper=None, extended=False, **kwargs)

        Perform matching on a file or a data block. Pass either filepath= or data= as a keyword argument.

        Parameters:
            filepath (str) – Path of the file to be scanned
            data (bytes) – Data to be scanned
            offset_mapper (function) – Offset mapping function, called with each matched offset and returning the mapped address. For an unmapped region it should return None, and such hits are discarded. Used by malduck.procmem.ProcessMemory.yarav() to report virtual addresses instead of buffer offsets.
            extended (bool, optional, default False) – Return extended information about matched strings and rules

        Return type:
            malduck.yara.YaraRulesetOffsets, or malduck.yara.YaraRulesetMatches if extended is set to True
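The offset_mapper contract above is easy to get subtly wrong (off-by-one at section ends, forgetting the None for gaps), so here is a worked model of it. This is an added example and not malduck's own code: malduck applies the mapper inside match(), while this block builds a mapper from a constructed, PE-like section table and applies it to constructed raw hit offsets, so the contract can be exercised without a Yara engine. SECTIONS, RAW_HITS, make_offset_mapper, map_string_offsets and demo are all names invented for the example; dropping an identifier whose every hit is unmapped is the example's own choice, not a statement about what malduck does.

```python
"""Model of the offset_mapper contract used by Yara.match().

Added example, not part of malduck.  A mapper turns a raw buffer/file
offset into a virtual address, or returns None when the offset lies in
a region that is not mapped.  Hits that map to None are dropped.
"""
from bisect import bisect_right
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample: (file_offset, virtual_address, size) per mapped region.
# The file range 0x1A00-0x2000 (between .data and .rsrc) is deliberately
# left unmapped to show the None path.  All values are illustrative.
SECTIONS: List[Tuple[int, int, int]] = [
    (0x0400, 0x401000, 0x1000),  # .text: file 0x0400-0x1400 -> VA 0x401000
    (0x1400, 0x403000, 0x0600),  # .data: file 0x1400-0x1A00 -> VA 0x403000
    (0x2000, 0x405000, 0x0800),  # .rsrc: file 0x2000-0x2800 -> VA 0x405000
]


def make_offset_mapper(
    sections: List[Tuple[int, int, int]],
) -> Callable[[int], Optional[int]]:
    """Build a mapper file_offset -> virtual address (None when unmapped)."""
    ordered = sorted(sections)
    starts = [s[0] for s in ordered]

    def mapper(offset: int) -> Optional[int]:
        # Candidate region: the last one starting at or before `offset`.
        i = bisect_right(starts, offset) - 1
        if i < 0:
            return None  # before the first mapped region
        file_off, va, size = ordered[i]
        if offset >= file_off + size:
            return None  # past the end of the candidate region: a gap
        return va + (offset - file_off)

    return mapper


def map_string_offsets(
    string_offsets: Dict[str, List[int]],
    offset_mapper: Callable[[int], Optional[int]],
) -> Dict[str, List[int]]:
    """Apply the mapper to every raw hit, discarding unmapped hits.

    Identifiers left with no mapped hits are omitted from the result
    (the example's own choice).
    """
    mapped: Dict[str, List[int]] = {}
    for ident, offsets in string_offsets.items():
        kept = [m for m in (offset_mapper(o) for o in offsets) if m is not None]
        if kept:
            mapped[ident] = kept
    return mapped


# Constructed raw hits (file offsets) for a hypothetical rule's strings.
RAW_HITS: Dict[str, List[int]] = {
    "mal1": [0x0450, 0x1B00],  # second hit falls into the unmapped gap
    "mal2": [0x1C00],          # only hit is unmapped -> identifier dropped
    "code_ref": [0x2010],
}


def demo() -> Dict[str, List[int]]:
    """Map the constructed hits through the constructed section table."""
    mapper = make_offset_mapper(SECTIONS)
    # With a real ruleset the same callable would be handed to malduck as
    #   ruleset.match(data=dump, offset_mapper=mapper)
    # where `dump` is a placeholder for the scanned bytes.
    return map_string_offsets(RAW_HITS, mapper)


if __name__ == "__main__":
    for ident, addrs in demo().items():
        print(ident, [hex(a) for a in addrs])
```

The boundary checks are the part worth copying: an offset equal to a region's end (0x1A00, 0x2800 here) is outside that region, and an offset before the first region maps to nothing.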
class malduck.yara.YaraString(value, type=YaraString.TEXT, **modifiers)

    Formatter for Yara string patterns.

    Parameters:
        value (str) – Pattern value
        type (YaraString.TEXT / YaraString.HEX / YaraString.REGEX) – Pattern type (default is YaraString.TEXT)
        modifiers – Yara string modifier flags, passed as keyword arguments (for example xor=True, ascii=True)
malduck.yara.YaraMatches

    alias of malduck.yara.YaraRulesetOffsets

malduck.yara.YaraMatch

    alias of malduck.yara.YaraRuleOffsets