Yara wrapper

class malduck.yara.Yara(rule_paths=None, name='r', strings=None, condition='any of them')[source]

Represents Yara ruleset. Rules can be compiled from set of files or defined in code (single rule only).

Most simple rule (with default identifiers left):

from malduck.yara import Yara, YaraString

Yara(strings="MALWR").match(data=b"MALWRMALWARMALWR").r.string == [0, 11]

Example of more complex rule defined in Python:

from malduck.yara import Yara, YaraString

ruleset = Yara(name="MalwareRule",
strings={
    "xor_stub": YaraString("This program cannot", xor=True, ascii=True),
    "code_ref": YaraString("E2 34 ?? C8 A? FB", type=YaraString.HEX),
    "mal1": "MALWR",
    "mal2": "MALRW"
}, condition="( $xor_stub and $code_ref ) or any of ($mal*)")

# If mal1 or mal2 are matched, they are grouped into "mal"

# Print appropriate offsets

match = ruleset.match(data=b"MALWR MALRW")

if match:
    # ["mal1", "mal", "mal2"]
    print(match.MalwareRule.keys())
    if "mal" in match.MalwareRule:
        # Note: Order of offsets for grouped strings is undetermined
        print("mal*", match.MalwareRule["mal"])
Parameters:
  • rule_paths (dict) – Dictionary of {“namespace”: “rule_path”}. See also Yara.from_dir().

  • name (str) – Name of generated rule (default: “r”)

  • strings (dict or str or YaraString) – Dictionary representing set of string patterns ({“string_identifier”: YaraString or plain str})

  • condition (str) – Yara rule condition (default: “any of them”)

static from_dir(path, recursive=True, followlinks=True)[source]

Find rules (recursively) in specified path. Supported extensions: *.yar, *.yara

Parameters:
  • path (str) – Root path for searching

  • recursive (bool) – Search recursively (default: enabled)

  • followlinks (bool) – Follow symbolic links (default: enabled)

Return type:

Yara

match(offset_mapper=None, extended=False, **kwargs)[source]

Perform matching on file or data block

Parameters:
  • filepath (str) – Path to the file to be scanned

  • data (str) – Data to be scanned

  • offset_mapper (function) – Offset mapping function. For unmapped region, should returned None. Used by malduck.procmem.ProcessMemory.yarav()

  • extended (bool (optional, default False)) – Returns extended information about matched strings and rules

Return type:

malduck.yara.YaraRulesetOffsets or malduck.yara.YaraRulesetMatches if extended is set to True

class malduck.yara.YaraString(value, type=YaraStringType.TEXT, **modifiers)[source]

Formatter for Yara string patterns

Parameters:
  • value (str) – Pattern value

  • type (YaraString.TEXT / YaraString.HEX / YaraString.REGEX) – Pattern type (default is YaraString.TEXT)

  • modifiers – Yara string modifier flags

malduck.yara.YaraMatches

alias of YaraRulesetOffsets

malduck.yara.YaraMatch

alias of YaraRuleOffsets