Yara wrapper
- class malduck.yara.Yara(rule_paths=None, name='r', strings=None, condition='any of them')[source]
Represents Yara ruleset. Rules can be compiled from set of files or defined in code (single rule only).
Most simple rule (with default identifiers left):
from malduck.yara import Yara, YaraString Yara(strings="MALWR").match(data=b"MALWRMALWARMALWR").r.string == [0, 11]
Example of more complex rule defined in Python:
from malduck.yara import Yara, YaraString ruleset = Yara(name="MalwareRule", strings={ "xor_stub": YaraString("This program cannot", xor=True, ascii=True), "code_ref": YaraString("E2 34 ?? C8 A? FB", type=YaraString.HEX), "mal1": "MALWR", "mal2": "MALRW" }, condition="( $xor_stub and $code_ref ) or any of ($mal*)") # If mal1 or mal2 are matched, they are grouped into "mal" # Print appropriate offsets match = ruleset.match(data=b"MALWR MALRW") if match: # ["mal1", "mal", "mal2"] print(match.MalwareRule.keys()) if "mal" in match.MalwareRule: # Note: Order of offsets for grouped strings is undetermined print("mal*", match.MalwareRule["mal"])
- Parameters:
rule_paths (dict) – Dictionary of {“namespace”: “rule_path”}. See also
Yara.from_dir()
.name (str) – Name of generated rule (default: “r”)
strings (dict or str or
YaraString
) – Dictionary representing set of string patterns ({“string_identifier”: YaraString or plain str})condition (str) – Yara rule condition (default: “any of them”)
- static from_dir(path, recursive=True, followlinks=True)[source]
Find rules (recursively) in specified path. Supported extensions: *.yar, *.yara
- Parameters:
path (str) – Root path for searching
recursive (bool) – Search recursively (default: enabled)
followlinks (bool) – Follow symbolic links (default: enabled)
- Return type:
- match(offset_mapper=None, extended=False, **kwargs)[source]
Perform matching on file or data block
- Parameters:
filepath (str) – Path to the file to be scanned
data (str) – Data to be scanned
offset_mapper (function) – Offset mapping function. For unmapped region, should returned None. Used by
malduck.procmem.ProcessMemory.yarav()
extended (bool (optional, default False)) – Returns extended information about matched strings and rules
- Return type:
malduck.yara.YaraRulesetOffsets
ormalduck.yara.YaraRulesetMatches
if extended is set to True
- class malduck.yara.YaraString(value, type=YaraStringType.TEXT, **modifiers)[source]
Formatter for Yara string patterns
- Parameters:
value (str) – Pattern value
type (
YaraString.TEXT
/YaraString.HEX
/YaraString.REGEX
) – Pattern type (default isYaraString.TEXT
)modifiers – Yara string modifier flags
- malduck.yara.YaraMatches
alias of
YaraRulesetOffsets
- malduck.yara.YaraMatch
alias of
YaraRuleOffsets