Struct Scanner

pub struct Scanner<'r> { /* private fields */ }

Scans data with already compiled YARA rules.

The scanner receives a set of compiled Rules and scans data with those rules. The same scanner can be used for scanning multiple files or in-memory data sequentially, but you need multiple scanners for scanning in parallel.

Implementations

impl<'r> Scanner<'r>

pub fn new(rules: &'r Rules) -> Self

Creates a new scanner.

pub fn set_timeout(&mut self, timeout: Duration) -> &mut Self

Sets a timeout for scan operations.

The scan functions will return a ScanError::Timeout once the provided timeout duration has elapsed. The scanner will make every effort to stop promptly after the designated timeout duration. However, in some cases, particularly with rules containing only a few patterns, the scanner could potentially continue running for a longer period than the specified timeout.

pub fn max_matches_per_pattern(&mut self, n: usize) -> &mut Self

Sets the maximum number of matches per pattern.

Once a pattern reaches the maximum number of matches, it produces no further matches.

pub fn use_mmap(&mut self, yes: bool) -> &mut Self

Specifies whether Scanner::scan_file and Scanner::scan_file_with_options may use memory-mapped files to read input.

By default, the scanner uses memory mapping for very large files, as this is typically faster than copying file contents into memory. However, this approach has a drawback: if another process truncates the file during scanning, a SIGBUS signal may occur.

Passing false disables memory mapping and forces the scanner to always read files into an in-memory buffer instead. This method is slower, but safer.

pub fn console_log<F>(&mut self, callback: F) -> &mut Self
where F: FnMut(String) + 'r,

Sets a callback that is invoked every time a YARA rule calls the console module.

The callback function is invoked with a string representing the message being logged. The function can print the message to stdout, append it to a file, etc. If no callback is set these messages are ignored.

pub fn scan<'a>(&'a mut self, data: &'a [u8]) -> Result<ScanResults<'a, 'r>, ScanError>

Scans in-memory data.

pub fn scan_file<'a, P>(&'a mut self, target: P) -> Result<ScanResults<'a, 'r>, ScanError>
where P: AsRef<Path>,

Scans a file.

pub fn scan_with_options<'a, 'opts>(&'a mut self, data: &'a [u8], options: ScanOptions<'opts>) -> Result<ScanResults<'a, 'r>, ScanError>

Like Scanner::scan, but allows additional scan options to be specified.

pub fn scan_file_with_options<'opts, P>(&mut self, target: P, options: ScanOptions<'opts>) -> Result<ScanResults<'_, 'r>, ScanError>
where P: AsRef<Path>,

Like Scanner::scan_file, but allows additional scan options to be specified.

pub fn set_global<T: TryInto<Variable>>(&mut self, ident: &str, value: T) -> Result<&mut Self, VariableError>

Sets the value of a global variable.

The variable must have been previously defined by calling crate::Compiler::define_global, and the type it was given at definition must match the type of the new value (T).

The variable will retain the new value in subsequent scans, unless this function is called again for setting a new value.

pub fn set_module_output(&mut self, data: Box<dyn MessageDyn>) -> Result<&mut Self, ScanError>

Sets the output data for a YARA module.

Each YARA module generates an output consisting of a data structure that contains information about the scanned file. This data structure is represented by a Protocol Buffer message. Typically, you won’t need to provide this data yourself, as the YARA module automatically generates different outputs for each file it scans.

However, there are two scenarios in which you may want to provide the output for a module yourself:

  1. When the module does not produce any output on its own.
  2. When you already know the output of the module for the upcoming file to be scanned, and you prefer to reuse this data instead of generating it again.

Case 1) applies to certain modules lacking a main function, thus incapable of producing any output on their own. For such modules, you must set the output before scanning the associated data. Since the module’s output typically varies with each scanned file, you need to call Scanner::set_module_output prior to each invocation of Scanner::scan. Once Scanner::scan is executed, the module’s output is consumed and will be empty unless set again before the subsequent call.

Case 2) applies when you have previously stored the module’s output for certain scanned data. In such cases, when rescanning the data, you can utilize this function to supply the module’s output, thereby preventing redundant computation by the module. This optimization enhances performance by eliminating the need for the module to reparse the scanned data.

The data argument must be a Protocol Buffer message corresponding to any of the existing YARA modules.

pub fn set_module_output_raw(&mut self, name: &str, data: &[u8]) -> Result<&mut Self, ScanError>

Similar to Scanner::set_module_output, but receives a module name and the protobuf message as raw data.

name can be either the YARA module name (e.g. "pe", "elf", "dotnet") or the fully-qualified name of the protobuf message associated with the module (e.g. "pe.PE", "elf.ELF", "dotnet.Dotnet").

pub fn slowest_rules(&self, n: usize) -> Vec<ProfilingData<'_>>

Available on crate feature rules-profiling only.

Returns profiling data for the slowest N rules.

The profiling data reflects the cumulative execution time of each rule across all scanned files. This information is useful for identifying performance bottlenecks. To reset the profiling data and start fresh for subsequent scans, use Scanner::clear_profiling_data.

pub fn clear_profiling_data(&mut self)

Available on crate feature rules-profiling only.

Clears all accumulated profiling data.

This method resets the profiling data collected during rule execution across scanned files. Use this to start a new profiling session, ensuring the results reflect only the data gathered after this method is called.

Trait Implementations

impl<'r> From<Scanner<'r>> for Scanner<'r>

fn from(scanner: Scanner<'r>) -> Self

Converts to this type from the input type.

Auto Trait Implementations

impl<'r> Freeze for Scanner<'r>

impl<'r> !RefUnwindSafe for Scanner<'r>

impl<'r> !Send for Scanner<'r>

impl<'r> !Sync for Scanner<'r>

impl<'r> Unpin for Scanner<'r>

impl<'r> !UnwindSafe for Scanner<'r>
