Crate yara


Yara Rust safe bindings

This crate contains safe bindings to VirusTotal’s Yara library, “the pattern matching swiss knife”.

It can be used to scan files and memory with powerful rule statements. It is often used to recognize malware.

This example, taken from the polydet project, shows how to write and use a pair of rules to check whether a file is an APK:

use yara::Compiler;

fn main() -> Result<(), Box<dyn std::error::Error>> {
    let rules = r#"
    // Search for the ZIP EOCD magic anywhere in the file except the 22 last bytes.
    rule IsZIP {
      strings:
        $EOCD_magic = { 50 4B 05 06 }
      condition:
        $EOCD_magic in (0..filesize - 22)
    }
    // Search the ZIP's LFH magic followed by 26 bytes then "AndroidManifest.xml", anywhere in zip files.
    rule IsAPK {
      strings:
        //                    P  K             A  n  d  r  o  i  d  M  a  n  i  f  e  s  t  .  x  m  l
        $lfh_and_android = { 50 4B 03 04 [26] 41 6E 64 72 6F 69 64 4D 61 6e 69 66 65 73 74 2E 78 6D 6C}

      condition:
        IsZIP and $lfh_and_android
    }
    "#;

    // Build a compiler, feed it the rule source, then compile into a rule set.
    // Every step returns a Result, hence the `?` operator.
    let compiler = Compiler::new()?
        .add_rules_str(rules)?;
    let rules = compiler.compile_rules()?;

    // Scan the file with a 5-second timeout; the result lists the rules that matched.
    let results = rules.scan_file("File.apk", 5)?;

    assert!(results.iter().any(|rule| rule.identifier == "IsAPK"));
    Ok(())
}

Learn how to write rules in the Yara documentation.
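The two rules above lean on ZIP structure: the EOCD record is 22 bytes long, and a local file header has 26 bytes of fixed fields between its 4-byte signature and the file name. The following added example (not from the crate or the polydet project, and not using the yara crate) mirrors the IsZIP and IsAPK conditions in plain Rust over constructed buffers, so the constants in the rules can be checked against the format they encode.

```rust
// Plain-Rust mirror of the IsZIP / IsAPK rules, written to show the ZIP
// structure the rules' constants encode. Added example; no yara crate used.

const EOCD_MAGIC: [u8; 4] = [0x50, 0x4B, 0x05, 0x06]; // "PK\x05\x06"
const LFH_MAGIC: [u8; 4] = [0x50, 0x4B, 0x03, 0x04]; // "PK\x03\x04"
const EOCD_MIN_LEN: usize = 22; // fixed EOCD record size without a comment
const LFH_FIXED_LEN: usize = 26; // LFH fixed fields between magic and file name

/// `$EOCD_magic in (0..filesize - 22)`: an EOCD signature starting at an
/// offset that still leaves room for the full 22-byte record.
pub fn is_zip(data: &[u8]) -> bool {
    if data.len() < EOCD_MIN_LEN {
        return false;
    }
    let last_start = data.len() - EOCD_MIN_LEN;
    (0..=last_start).any(|i| data[i..i + 4] == EOCD_MAGIC)
}

/// `{ 50 4B 03 04 [26] "AndroidManifest.xml" }`: a local file header whose
/// file name (which begins 30 bytes after the signature) is the manifest.
pub fn has_manifest_lfh(data: &[u8]) -> bool {
    let name = b"AndroidManifest.xml";
    let span = 4 + LFH_FIXED_LEN + name.len();
    if data.len() < span {
        return false;
    }
    (0..=data.len() - span)
        .any(|i| data[i..i + 4] == LFH_MAGIC && &data[i + 30..i + span] == name)
}

/// `IsZIP and $lfh_and_android`
pub fn is_apk(data: &[u8]) -> bool {
    is_zip(data) && has_manifest_lfh(data)
}

/// Constructed minimal archive: one LFH for `name` with zeroed fixed
/// fields, followed by an empty EOCD record. Not a valid ZIP (no central
/// directory), but enough to exercise the rule logic.
pub fn fake_zip(name: &[u8]) -> Vec<u8> {
    let mut v = Vec::new();
    v.extend_from_slice(&LFH_MAGIC);
    v.extend_from_slice(&[0u8; LFH_FIXED_LEN]);
    v.extend_from_slice(name);
    v.extend_from_slice(&EOCD_MAGIC);
    v.extend_from_slice(&[0u8; EOCD_MIN_LEN - 4]);
    v
}
```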

Structs

  • Yara rules compiler.
  • A match within a scan.
  • Metadata specified in a rule.
  • A rule that matched during a scan.
  • A set of compiled rules.
  • A wrapper around Yara scanning flags.
  • A wrapper around compiled Rules, with its own set of external variables, flags and timeout.
  • Yara initialization token.
  • A value from a module.
  • A matcher string that matched during a scan.