Struct yara::Rules

pub struct Rules { /* private fields */ }

A set of compiled rules.

Obtained from compiling or loading a pre-compiled rule.

Implementations

impl Rules

pub unsafe fn unsafe_try_from(rules: *mut YR_RULES) -> Result<Self, YaraError>

Takes ownership of the given YR_RULES handle.

Safety

The provided pointer must be valid, and be acquired from the Yara library, either through yr_compiler_get_rules, yr_rules_load or yr_rules_load_stream.

impl Rules

pub fn scanner(&self) -> Result<Scanner<'_>, YaraError>

Create a Scanner from this set of rules.

You can create as many scanners as you want, and each can have its own scan flags, timeout, and external variables defined.

pub fn scan_mem<'r>(&'r self, mem: &[u8], timeout: i32) -> Result<Vec<Rule<'r>>, YaraError>

Scan memory.

Returns a Vec of matching rules.

  • mem - Slice to scan.
  • timeout - the timeout is in seconds.
Example

use yara::Compiler;

fn main() -> Result<(), yara::Error> {
    // Compile one rule from source; `?` propagates compile errors.
    let compiler = Compiler::new()?
        .add_rules_str("rule contains_rust {
  strings:
    $rust = \"rust\" nocase
  condition:
    $rust
}")?;
    let rules = compiler.compile_rules().unwrap();
    // Scan an in-memory buffer with a 5 second timeout.
    let results = rules.scan_mem("I love Rust!".as_bytes(), 5).unwrap();
    assert_eq!(1, results.len());

    // Each matching rule carries its identifier and the strings that matched.
    let contains_rust_rule = &results[0];
    assert_eq!("contains_rust", contains_rust_rule.identifier);
    assert_eq!(1, contains_rust_rule.strings.len());

    let string = &contains_rust_rule.strings[0];
    assert_eq!("$rust", string.identifier);

    // Each match records where in the buffer it was found and the bytes matched.
    let m = &string.matches[0];
    assert_eq!(7, m.offset);
    assert_eq!(4, m.length);
    assert_eq!(b"Rust", m.data.as_slice());
    Ok(())
}
pub fn scan_mem_callback<'r>(&'r self, mem: &[u8], timeout: i32, callback: impl FnMut(CallbackMsg<'r>) -> CallbackReturn) -> Result<(), YaraError>

Scan memory with a custom callback.

Returns Ok(()) when the scan completes; matches are reported through the callback rather than returned.

  • mem - Slice to scan
  • timeout - the timeout is in seconds
  • callback - invoked with a CallbackMsg for each scan event; it returns a CallbackReturn telling YARA how to proceed
pub fn scan_file<'r, P: AsRef<Path>>(&'r self, path: P, timeout: i32) -> Result<Vec<Rule<'r>>, Error>

Scan a file.

Returns a Vec of matching rules.

  • path - Path to file
  • timeout - the timeout is in seconds
pub fn scan_file_callback<'r, P: AsRef<Path>>(&'r self, path: P, timeout: i32, callback: impl FnMut(CallbackMsg<'r>) -> CallbackReturn) -> Result<(), Error>

Scan a file with a custom callback.

Returns Ok(()) when the scan completes; matches are reported through the callback rather than returned.

  • path - Path to file
  • timeout - the timeout is in seconds
  • callback - invoked with a CallbackMsg for each scan event; it returns a CallbackReturn telling YARA how to proceed
pub fn scan_process(&self, pid: u32, timeout: i32) -> Result<Vec<Rule<'_>>, YaraError>

Attach a process, pause it, and scan its memory.

Returns a Vec of matching rules.

  • pid - Process id
  • timeout - the timeout is in seconds
Permissions

You need to be able to attach to process pid.

pub fn scan_process_callback<'r>(&'r self, pid: u32, timeout: i32, callback: impl FnMut(CallbackMsg<'r>) -> CallbackReturn) -> Result<(), YaraError>

Attach a process, pause it, and scan its memory with a custom callback.

Returns Ok(()) when the scan completes; matches are reported through the callback rather than returned.

  • pid - Process id
  • timeout - the timeout is in seconds
  • callback - invoked with a CallbackMsg for each scan event; it returns a CallbackReturn telling YARA how to proceed
Permissions

You need to be able to attach to process pid.

pub fn scan_fd<'r, F: AsRawFd>(&'r self, fd: &F, timeout: i32) -> Result<Vec<Rule<'r>>, Error>

Scan an opened file.

Returns a Vec of matching rules.

  • fd - an object implementing AsRawFd, i.e. one that exposes a raw file descriptor or file handle
  • timeout - the timeout is in seconds
pub fn scan_fd_callback<'r, F: AsRawFd>(&'r self, fd: &F, timeout: i32, callback: impl FnMut(CallbackMsg<'r>) -> CallbackReturn) -> Result<(), Error>

Scan an opened file with a custom callback.

Returns Ok(()) when the scan completes; matches are reported through the callback rather than returned.

  • fd - an object implementing AsRawFd, i.e. one that exposes a raw file descriptor or file handle
  • timeout - the timeout is in seconds
  • callback - invoked with a CallbackMsg for each scan event; it returns a CallbackReturn telling YARA how to proceed
pub fn save(&mut self, filename: &str) -> Result<(), YaraError>

Save the rules to a file.

Note: this method is mut because Yara modifies the Rule arena during serialization.

pub fn save_to_stream<W>(&mut self, writer: W) -> Result<(), Error> where W: Write

Save the rules to a Writer.

Note: this method is mut because Yara modifies the Rule arena during serialization.

pub fn load_from_stream<R: Read>(reader: R) -> Result<Self, Error>

Load rules from a Reader that yields pre-compiled rules (the format written by save_to_stream).

pub fn load_from_file(filename: &str) -> Result<Self, YaraError>

Load rules from a pre-compiled rules file.

pub fn set_flags(&mut self, flags: ScanFlags)

Trait Implementations

impl Drop for Rules

fn drop(&mut self)

Executes the destructor for this type.

impl Send for Rules

This is safe because Yara's thread-local state is short-lived and the crate controls the callback, so the thread cannot change while that state is live.

impl Sync for Rules

This is safe because Yara holds a mutex on the YR_RULES.

Blanket Implementations

impl<T> Any for T where T: 'static + ?Sized

fn type_id(&self) -> TypeId

Gets the TypeId of self.

impl<T> Borrow<T> for T where T: ?Sized

fn borrow(&self) -> &T

Immutably borrows from an owned value.

impl<T> BorrowMut<T> for T where T: ?Sized

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value.

impl<T> From<T> for T

fn from(t: T) -> T

Returns the argument unchanged.

impl<T, U> Into<U> for T where U: From<T>

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T, U> TryFrom<U> for T where U: Into<T>

type Error = Infallible

The type returned in the event of a conversion error.
fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
impl<T, U> TryInto<U> for T where U: TryFrom<T>

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.