Yara rust safe bindings
This crate contains safe bindings to VirusTotal’s Yara library, “the pattern matching swiss-knife”.
It can be used to scan files and memory with a powerful rule language, and it is widely used to recognize malware.
This example, taken from the polydet project, shows how to write and use a pair of rules to check whether a file is an APK:

```rust
use yara::Compiler;

fn main() -> Result<(), Box<dyn std::error::Error>> {
    let rules = r#"
    // Search for the ZIP EOCD magic anywhere in the file except within the last 22 bytes
    // (the range is inclusive, so an EOCD starting exactly 22 bytes before the end matches).
    rule IsZIP {
        strings:
            $EOCD_magic = { 50 4B 05 06 }
        condition:
            $EOCD_magic in (0..filesize - 22)
    }

    // Search for the ZIP LFH magic followed by 26 bytes, then "AndroidManifest.xml", anywhere in ZIP files.
    rule IsAPK {
        strings:
            //                   P  K        A  n  d  r  o  i  d  M  a  n  i  f  e  s  t  .  x  m  l
            $lfh_and_android = { 50 4B 03 04 [26] 41 6E 64 72 6F 69 64 4D 61 6E 69 66 65 73 74 2E 78 6D 6C }
        condition:
            IsZIP and $lfh_and_android
    }
    "#;

    // Compile the rule set once, then reuse it for any number of scans.
    let compiler = Compiler::new()?
        .add_rules_str(rules)?;
    let rules = compiler.compile_rules()?;

    // Scan the file with a 5 second timeout; the result lists the rules that matched.
    let results = rules.scan_file("File.apk", 5)?;
    assert!(results.iter().any(|rule| rule.identifier == "IsAPK"));
    Ok(())
}
```
Learn how to write rules in the Yara documentation.
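To see what the two rules above actually match, here is an added example (not part of the yara crate or of the polydet project) that re-implements the IsZIP and IsAPK conditions in plain Rust and runs them over a constructed minimal ZIP built in memory, so it needs no libyara. The names `find_all`, `is_zip`, `is_apk` and `build_zip` are this example's own. It demonstrates the two points the rules rely on: the `[26]` jump after the `50 4B 03 04` local-file-header signature skips exactly the remaining fixed header fields (version through extra-field length), so the string matches an entry whose file-name field is `AndroidManifest.xml`; and the `(0..filesize - 22)` range is inclusive, so the EOCD of a comment-less archive, which starts exactly 22 bytes before the end, still matches, while an archive shorter than 22 bytes cannot match at all.

```rust
// Added example: plain-Rust mirror of the IsZIP / IsAPK rule logic, checked
// against a constructed in-memory ZIP. Not the yara crate's code.

const EOCD_MAGIC: &[u8] = b"PK\x05\x06"; // 50 4B 05 06
const LFH_MAGIC: &[u8] = b"PK\x03\x04";  // 50 4B 03 04
const MANIFEST: &[u8] = b"AndroidManifest.xml";

/// Every offset at which `needle` occurs in `hay` (overlapping matches included).
fn find_all(hay: &[u8], needle: &[u8]) -> Vec<usize> {
    if needle.is_empty() || hay.len() < needle.len() {
        return Vec::new();
    }
    hay.windows(needle.len())
        .enumerate()
        .filter(|(_, w)| *w == needle)
        .map(|(i, _)| i)
        .collect()
}

/// Mirrors `IsZIP`: the EOCD magic must start at an offset in 0..=filesize-22
/// (YARA's `in (a..b)` is inclusive). A file shorter than 22 bytes cannot match.
fn is_zip(data: &[u8]) -> bool {
    match data.len().checked_sub(22) {
        Some(limit) => find_all(data, EOCD_MAGIC).iter().any(|&off| off <= limit),
        None => false,
    }
}

/// Mirrors `IsAPK`: `IsZIP` plus an LFH magic, 26 arbitrary bytes, then the
/// manifest name. The 26 bytes are the rest of the fixed local file header
/// (version 2, flags 2, method 2, time 2, date 2, crc 4, sizes 4+4, name len 2,
/// extra len 2), so the name is compared against the entry's file-name field.
fn is_apk(data: &[u8]) -> bool {
    if !is_zip(data) {
        return false;
    }
    find_all(data, LFH_MAGIC).iter().any(|&off| {
        let name_at = off + LFH_MAGIC.len() + 26;
        data.get(name_at..name_at + MANIFEST.len()) == Some(MANIFEST)
    })
}

/// Constructed test data: a minimal single-entry ZIP with a stored (uncompressed)
/// entry, one central directory header and a comment-less EOCD. The CRC is left
/// as zero; this is enough structure for the rules, not a real archiver.
fn build_zip(name: &[u8], body: &[u8]) -> Vec<u8> {
    let le16 = |v: u16| v.to_le_bytes();
    let le32 = |v: u32| v.to_le_bytes();
    let mut out = Vec::new();
    // Local file header: 4-byte signature + 26 bytes of fixed fields + name + data.
    out.extend_from_slice(LFH_MAGIC);
    out.extend_from_slice(&le16(20)); // version needed to extract
    for _ in 0..4 {
        out.extend_from_slice(&le16(0)); // flags, method (stored), mod time, mod date
    }
    out.extend_from_slice(&le32(0)); // crc32 (not computed)
    out.extend_from_slice(&le32(body.len() as u32)); // compressed size
    out.extend_from_slice(&le32(body.len() as u32)); // uncompressed size
    out.extend_from_slice(&le16(name.len() as u16)); // file name length
    out.extend_from_slice(&le16(0)); // extra field length
    out.extend_from_slice(name);
    out.extend_from_slice(body);
    // Central directory header (46 bytes + name).
    let cd_start = out.len();
    out.extend_from_slice(b"PK\x01\x02");
    out.extend_from_slice(&le16(20)); // version made by
    out.extend_from_slice(&le16(20)); // version needed
    for _ in 0..4 {
        out.extend_from_slice(&le16(0)); // flags, method, time, date
    }
    out.extend_from_slice(&le32(0)); // crc32
    out.extend_from_slice(&le32(body.len() as u32));
    out.extend_from_slice(&le32(body.len() as u32));
    out.extend_from_slice(&le16(name.len() as u16));
    for _ in 0..4 {
        out.extend_from_slice(&le16(0)); // extra len, comment len, disk start, internal attrs
    }
    out.extend_from_slice(&le32(0)); // external attrs
    out.extend_from_slice(&le32(0)); // offset of local header
    out.extend_from_slice(name);
    let cd_size = out.len() - cd_start;
    // End of central directory record: exactly 22 bytes, so it starts at filesize - 22.
    out.extend_from_slice(EOCD_MAGIC);
    out.extend_from_slice(&le16(0)); // this disk
    out.extend_from_slice(&le16(0)); // disk with central directory
    out.extend_from_slice(&le16(1)); // entries on this disk
    out.extend_from_slice(&le16(1)); // total entries
    out.extend_from_slice(&le32(cd_size as u32));
    out.extend_from_slice(&le32(cd_start as u32));
    out.extend_from_slice(&le16(0)); // comment length
    out
}

fn main() {
    let apk = build_zip(b"AndroidManifest.xml", b"<manifest/>");
    let jar = build_zip(b"META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n");
    println!("apk-like: IsZIP={} IsAPK={}", is_zip(&apk), is_apk(&apk));
    println!("jar-like: IsZIP={} IsAPK={}", is_zip(&jar), is_apk(&jar));
}
```

The buffers that `build_zip` produces can also be handed to the crate's in-memory scan (`scan_mem`) with the rules from the page, which is a convenient way to confirm that a hand-written mirror like this one agrees with libyara before trusting it as documentation of what a rule matches.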
Re-exports
pub use crate::errors::*;
Modules
Structs
- Yara rules compiler
- A match within a scan.
- Metadata specified in a rule.
- A rule that matched during a scan.
- A set of compiled rules.
- A wrapper around yara scanning flags
- A wrapper around compiled Rules, with its own set of external variables, flags and timeout.
- Yara initialization token.
- A value from a module.
- A matcher string that matched during a scan.
Enums
Traits
- Trait implemented by the types the compiler can use as value.