Crate yara
Yara Rust safe bindings
This crate contains safe bindings to VirusTotal's Yara library, "the pattern matching swiss-knife".
It can be used to scan files and memory with powerful rule statements. It is often used to recognize malware.
This example shows how to write and use a pair of rules to check if a file is an APK, from the polydet project:
```rust
use yara::{Compiler, Error};

fn main() -> Result<(), Error> {
    let rules = r#"
// Search for the ZIP EOCD magic anywhere in the file except the 22 last bytes.
rule IsZIP {
    strings:
        $EOCD_magic = { 50 4B 05 06 }
    condition:
        $EOCD_magic in (0..filesize - 22)
}

// Search the ZIP's LFH magic followed by 26 bytes then "AndroidManifest.xml", anywhere in zip files.
rule IsAPK {
    strings:
        // "PK" (LFH magic), 26 header bytes, then "AndroidManifest.xml"
        $lfh_and_android = { 50 4B 03 04 [26] 41 6E 64 72 6F 69 64 4D 61 6e 69 66 65 73 74 2E 78 6D 6C }
    condition:
        IsZIP and $lfh_and_android
}
"#;

    let mut compiler = Compiler::new()?;
    compiler.add_rules_str(rules)?;
    let rules = compiler.compile_rules()?;
    // Scan the file with a 5-second timeout and check that IsAPK matched.
    let results = rules.scan_file("File.apk", 5)?;
    assert!(results.iter().any(|rule| rule.identifier == "IsAPK"));
    Ok(())
}
```
Learn how to write rules on the Yara documentation.
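To make the two rule conditions above concrete, here is an added illustration (not the crate's code, and needing no libyara) that re-implements exactly what IsZIP and IsAPK test, in plain Rust, over a constructed buffer: the EOCD magic must start no later than filesize - 22, and the LFH magic must be followed by the 26 fixed header bytes and then the file name.

```rust
// Added illustration: the byte-level conditions that the IsZIP/IsAPK rules
// express, re-implemented in plain Rust so their semantics can be checked
// against a constructed buffer without libyara.

/// Offset of the first occurrence of `needle` in `hay`, if any.
fn find(hay: &[u8], needle: &[u8]) -> Option<usize> {
    hay.windows(needle.len()).position(|w| w == needle)
}

/// Mirrors `rule IsZIP`: the EOCD magic must start at an offset within
/// 0..=filesize-22, i.e. leaving room for a full 22-byte EOCD record.
fn is_zip(data: &[u8]) -> bool {
    const EOCD_MAGIC: &[u8] = b"PK\x05\x06";
    match data.len().checked_sub(22) {
        Some(limit) => find(data, EOCD_MAGIC).map_or(false, |pos| pos <= limit),
        None => false,
    }
}

/// Mirrors `rule IsAPK`: LFH magic, the 26 fixed local-header fields
/// (hence the `[26]` jump), then the file name "AndroidManifest.xml".
fn is_apk(data: &[u8]) -> bool {
    const LFH_MAGIC: &[u8] = b"PK\x03\x04";
    const NAME: &[u8] = b"AndroidManifest.xml";
    let lfh_and_android = data
        .windows(4 + 26 + NAME.len())
        .any(|w| &w[..4] == LFH_MAGIC && &w[30..] == NAME);
    is_zip(data) && lfh_and_android
}

/// Constructed sample: a local file header for AndroidManifest.xml with the
/// 26 fixed fields zeroed, followed by a 22-byte EOCD record. It is not an
/// extractable archive; it only exercises the rule conditions.
fn sample_apk() -> Vec<u8> {
    let mut v = Vec::new();
    v.extend_from_slice(b"PK\x03\x04");
    v.extend_from_slice(&[0u8; 26]);
    v.extend_from_slice(b"AndroidManifest.xml");
    v.extend_from_slice(b"PK\x05\x06");
    v.extend_from_slice(&[0u8; 18]); // remainder of the EOCD record
    v
}

fn main() {
    let apk = sample_apk();
    println!("is_zip={} is_apk={}", is_zip(&apk), is_apk(&apk)); // true true
    // An EOCD magic with no room for the full record does not count as a ZIP.
    println!("is_zip={}", is_zip(b"PK\x05\x06\x00\x00")); // false
}
```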
Re-exports
| `pub use crate::errors::*;` |
| --- |

Modules
| Name | Description |
| --- | --- |
| `errors` | Error types for this crate. |

Structs
| Name | Description |
| --- | --- |
| `Compiler` | Yara rules compiler. |
| `Match` | A match within a scan. |
| `Metadata` | Metadata specified in a rule. |
| `Rule` | A rule that matched during a scan. |
| `Rules` | A set of compiled rules. |
| `Yara` | Yara initialization token. |
| `YrString` | A matcher string that matched during a scan. |

Enums
| Name | Description |
| --- | --- |
| `MetadataValue` | Type of the value in `Metadata`. |