Yara wrapper

class malduck.yara.Yara(rule_paths=None, name='r', strings=None, condition='any of them')[source]

Represents Yara ruleset. Rules can be compiled from set of files or defined in code (single rule only).

Most simple rule (with default identifiers left):

from malduck.yara import Yara, YaraString

Yara(strings="MALWR").match(data=b"MALWRMALWARMALWR").r.string == [0, 11]

Example of more complex rule defined in Python:

from malduck.yara import Yara, YaraString

ruleset = Yara(name="MalwareRule",
strings={
    "xor_stub": YaraString("This program cannot", xor=True, ascii=True),
    "code_ref": YaraString("E2 34 ?? C8 A? FB", type=YaraString.HEX),
    "mal1": "MALWR",
    "mal2": "MALRW"
}, condition="( $xor_stub and $code_ref ) or any of ($mal*)")

# If mal1 or mal2 are matched, they are grouped into "mal"

# Print appropriate offsets

match = ruleset.match(data=b"MALWR MALRW")

if match:
    # ["mal1", "mal", "mal2"]
    print(match.MalwareRule.keys())
    if "mal" in match.MalwareRule:
        # Note: Order of offsets for grouped is arbitrary
        print("mal*", match.MalwareRule["mal"])
Parameters

  • rule_paths (dict) – Dictionary of {“namespace”: “rule_path”}. See also Yara.from_dir().

  • name (str) – Name of generated rule (default: “r”)

  • strings (dict or str or YaraString) – Dictionary representing set of string patterns ({“string_identifier”: YaraString or plain str})

  • condition (str) – Yara rule condition (default: “any of them”)

static from_dir(path, recursive=True, followlinks=True)[source]

Find rules (recursively) in specified path. Supported extensions: *.yar, *.yara

Parameters

  • path (str) – Root path for searching

  • recursive (bool) – Search recursively (default: enabled)

  • followlinks (bool) – Follow symbolic links (default: enabled)

Return type

Yara

match(offset_mapper=None, **kwargs)[source]

Perform matching on file or data block

Parameters

  • filepath (str) – Path to the file to be scanned

  • data (str) – Data to be scanned

  • offset_mapper (function) – Offset mapping function. For unmapped region, should returned None. Used by malduck.procmem.ProcessMemory.yarav()

Return type

YaraMatches

class malduck.yara.YaraString(value, type=0, **modifiers)[source]

Formatter for Yara string patterns

Parameters
HEX = 1

Hexadecimal string ( “aa bb cc dd” => ‘{ aa bb cc dd }’ )

REGEX = 2

Regex string ( ‘value’ => ‘/value/’ )

TEXT = 0

Text string ( ‘value’ => ‘“value”’ )

class malduck.yara.YaraMatches(match_results, offset_mapper=None)[source]

Represented matching results. Returned by Yara.match().

Rules can be referenced by both attribute and index.

keys()[source]

List of matched rule identifiers

class malduck.yara.YaraMatch(match, offset_mapper=None)[source]

Represented matching results for rules. Returned by YaraMatches.<rule>.

Strings can be referenced by both attribute and index.

get(item)[source]

Get matched string offsets or empty list if not matched

keys()[source]

List of matched string identifiers