Struct Rules

pub struct Rules { /* private fields */ }

Expand description

A set of compiled rules.

Obtained from compiling or loading a pre-compiled rule.

Implementations§

impl Rules

pub unsafe fn unsafe_try_from(rules: *mut YR_RULES) -> Result<Self, YaraError>

Takes ownership of the given YR_RULES handle.

§Safety

The provided pointer must be valid, and be acquired from the Yara library, either through yr_compiler_get_rules, yr_rules_load or yr_rules_load_stream.

impl Rules

pub fn get_rules(&self) -> Vec<RulesetRule<'_>>

pub fn scanner(&self) -> Result<Scanner<'_>, YaraError>

Create a Scanner from this set of rules.

You can create as many scanners as you want, and they each can have their own scan flag, timeout, and external variables defined.

pub fn scan_mem<'r>( &'r self, mem: &[u8], timeout: i32, ) -> Result<Vec<Rule<'r>>, YaraError>

Scan memory.

Returns a Vec of maching rules.

mem - Slice to scan.
timeout - the timeout is in seconds.

§Example

let mut compiler = Compiler::new()?
    .add_rules_str("rule contains_rust {
  strings:
    $rust = \"rust\" nocase
  condition:
    $rust
}")?;
let rules = compiler.compile_rules().unwrap();
let results = rules.scan_mem("I love Rust!".as_bytes(), 5).unwrap();
assert_eq!(1, results.len());

let contains_rust_rule = &results[0];
assert_eq!("contains_rust", contains_rust_rule.identifier);
assert_eq!(1, contains_rust_rule.strings.len());

let string = &contains_rust_rule.strings[0];
assert_eq!("$rust", string.identifier);

let m = &string.matches[0];
assert_eq!(7, m.offset);
assert_eq!(4, m.length);
assert_eq!(b"Rust", m.data.as_slice());

pub fn scan_mem_callback<'r>( &'r self, mem: &[u8], timeout: i32, callback: impl FnMut(CallbackMsg<'r>) -> CallbackReturn, ) -> Result<(), YaraError>

Scan memory with custom callback

Returns

mem - Slice to scan
timeout - the timeout is in seconds
callback - YARA callback more read here

pub fn scan_file<'r, P: AsRef<Path>>( &'r self, path: P, timeout: i32, ) -> Result<Vec<Rule<'r>>, Error>

Scan a file.

Return a Vec of matching rules.

path - Path to file
timeout - the timeout is in seconds

pub fn scan_file_callback<'r, P: AsRef<Path>>( &'r self, path: P, timeout: i32, callback: impl FnMut(CallbackMsg<'r>) -> CallbackReturn, ) -> Result<(), Error>

Scan file with custom callback

Returns

path - Path to file
timeout - the timeout is in seconds
callback - YARA callback more read here

pub fn scan_process( &self, pid: u32, timeout: i32, ) -> Result<Vec<Rule<'_>>, YaraError>

Attach a process, pause it, and scan its memory.

Return a Vec of matching rules.

pid - Process id
timeout - the timeout is in seconds

§Permissions

You need to be able to attach to process pid.

pub fn scan_process_callback<'r>( &'r self, pid: u32, timeout: i32, callback: impl FnMut(CallbackMsg<'r>) -> CallbackReturn, ) -> Result<(), YaraError>

Attach a process, pause it, and scan its memory.

Returns

pid - Process id
timeout - the timeout is in seconds
callback - YARA callback more read here

§Permissions

You need to be able to attach to process pid.

pub fn scan_fd<'r, F: AsRawFd>( &'r self, fd: &F, timeout: i32, ) -> Result<Vec<Rule<'r>>, Error>

Scan a opened file.

Return a Vec of matching rules.

file - the object that implements get raw file descriptor or file handle
timeout - the timeout is in seconds

pub fn scan_fd_callback<'r, F: AsRawFd>( &'r self, fd: &F, timeout: i32, callback: impl FnMut(CallbackMsg<'r>) -> CallbackReturn, ) -> Result<(), Error>

Scan a opened file with custom callback

Returns

file - the object that implements get raw file descriptor or file handle
timeout - the timeout is in seconds
callback - YARA callback more read here

pub fn save(&mut self, filename: &str) -> Result<(), YaraError>

Save the rules to a file.

Note: this method is mut because Yara modifies the Rule arena during serialization.

pub fn save_to_stream<W>(&mut self, writer: W) -> Result<(), Error>
where W: Write,

Save the rules in a Writer.

Note: this method is mut because Yara modifies the Rule arena during serialization.

pub fn load_from_stream<R: Read>(reader: R) -> Result<Self, Error>

Load rules from a pre-compiled rules file.

pub fn load_from_file(filename: &str) -> Result<Self, YaraError>

Load rules from a pre-compiled rules file.

pub fn set_flags(&mut self, flags: ScanFlags)

Trait Implementations§

impl Drop for Rules

fn drop(&mut self)

Executes the destructor for this type. Read more

impl Send for Rules

This is safe because Yara TLS have are short-lived and we control the callback, ensuring we cannot change thread while they are defined.

impl Sync for Rules

This is safe because Yara have a mutex on the YR_RULES

Auto Trait Implementations§

impl Freeze for Rules

impl RefUnwindSafe for Rules

impl Unpin for Rules

impl UnwindSafe for Rules

Blanket Implementations§

impl<T> Any for T
where T: 'static + ?Sized,

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more

impl<T> Borrow<T> for T
where T: ?Sized,

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more

impl<T> BorrowMut<T> for T
where T: ?Sized,

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more

impl<T> From<T> for T

fn from(t: T) -> T

Returns the argument unchanged.

impl<T, U> Into<U> for T
where U: From<T>,

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T, U> TryFrom<U> for T
where U: Into<T>,

type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.