Crate yara

Yara Rust safe bindings

This crate contains safe bindings to VirusTotal's Yara library, "the pattern matching swiss-knife".

It can be used to scan files and memory with powerful rule statements. It is often used to recognize malware.

This example shows how to write and use a pair of rules to check if a file is an APK, from the polydet project:

use yara::Compiler;

// The `?` operator needs a function that returns a Result; `yara::Error` is
// re-exported from the `errors` module.
fn main() -> Result<(), yara::Error> {
    let rules = r#"
    // Search for the ZIP EOCD magic anywhere in the file except the 22 last bytes.
    rule IsZIP {
      strings:
        $EOCD_magic = { 50 4B 05 06 }
      condition:
        $EOCD_magic in (0..filesize - 22)
    }
    // Search for the ZIP's LFH magic followed by 26 bytes then "AndroidManifest.xml", anywhere in zip files.
    rule IsAPK {
      strings:
        //                    P  K             A  n  d  r  o  i  d  M  a  n  i  f  e  s  t  .  x  m  l
        $lfh_and_android = { 50 4B 03 04 [26] 41 6E 64 72 6F 69 64 4D 61 6E 69 66 65 73 74 2E 78 6D 6C }

      condition:
        IsZIP and $lfh_and_android
    }
    "#;

    let mut compiler = Compiler::new()?;
    compiler.add_rules_str(rules)?;
    let rules = compiler.compile_rules()?;
    // Second argument is the scan timeout in seconds.
    let results = rules.scan_file("File.apk", 5)?;

    assert!(results.iter().any(|rule| rule.identifier == "IsAPK"));
    Ok(())
}

Learn how to write rules in the Yara documentation.
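To make the two rules above concrete, here is an added example (not part of the yara crate or the polydet project) that re-implements the IsZIP and IsAPK conditions in plain Rust over a constructed ZIP-like buffer, so the inclusive `in (0..filesize - 22)` range and the `[26]` jump past the fixed local-file-header fields can be checked without libyara. The `sample_apk` buffer and the helper names are this example's own.

```rust
// Added example, not crate code: plain-Rust equivalents of the IsZIP / IsAPK rules.

/// Every start offset at which `needle` occurs in `hay`.
fn find_all(hay: &[u8], needle: &[u8]) -> Vec<usize> {
    hay.windows(needle.len())
        .enumerate()
        .filter(|(_, w)| *w == needle)
        .map(|(i, _)| i)
        .collect()
}

/// IsZIP: `$EOCD_magic in (0..filesize - 22)`. YARA ranges are inclusive, so an
/// EOCD record starting exactly 22 bytes before the end (no archive comment) matches.
pub fn is_zip(data: &[u8]) -> bool {
    let filesize = data.len();
    if filesize < 22 {
        return false;
    }
    find_all(data, b"PK\x05\x06").iter().any(|&off| off <= filesize - 22)
}

/// IsAPK: `IsZIP and $lfh_and_android`. The `[26]` jump skips the fixed fields of a
/// local file header (version..extra field length) so the file name follows directly.
pub fn is_apk(data: &[u8]) -> bool {
    const NAME: &[u8] = b"AndroidManifest.xml";
    is_zip(data)
        && find_all(data, b"PK\x03\x04").iter().any(|&off| {
            let name_start = off + 4 + 26;
            data.get(name_start..name_start + NAME.len()) == Some(NAME)
        })
}

/// Constructed sample: one local file header naming AndroidManifest.xml, then a
/// 22-byte end-of-central-directory record with no comment.
pub fn sample_apk() -> Vec<u8> {
    let mut v = Vec::new();
    v.extend_from_slice(b"PK\x03\x04");
    v.extend_from_slice(&[0u8; 22]); // version .. uncompressed size
    v.extend_from_slice(&19u16.to_le_bytes()); // file name length
    v.extend_from_slice(&0u16.to_le_bytes()); // extra field length
    v.extend_from_slice(b"AndroidManifest.xml");
    v.extend_from_slice(b"PK\x05\x06");
    v.extend_from_slice(&[0u8; 18]); // remainder of the EOCD record
    v
}

fn main() {
    let apk = sample_apk();
    println!("IsZIP={} IsAPK={}", is_zip(&apk), is_apk(&apk));
}
```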

Re-exports

pub use crate::errors::*;

Modules

errors

Structs

Compiler

Yara rules compiler

Match

A match within a scan.

Metadata

Metadata specified in a rule.

Rule

A rule that matched during a scan.

Rules

A set of compiled rules.

Yara

Yara initialization token.

YrString

A matcher string that matched during a scan.

Enums

MetadataValue

Type of the value in a Metadata entry.

Constants

SCAN_FLAGS_FAST_MODE
SCAN_FLAGS_NO_TRYCATCH
SCAN_FLAGS_PROCESS_MEMORY