YARA is a multi-platform program that runs on Windows, Linux and Mac OS X.
More about the YARA python module can be found here.
YARA reserves the following keywords in rule files; they cannot be used as rule or string identifiers:

```
all and any ascii at condition contains entrypoint false
filesize fullword for global in import include int8 int16
int32 int8be int16be int32be matches meta nocase not or
of private rule strings them true uint8 uint16 uint32
uint8be uint16be uint32be wide
```
The YARA documentation can be found at this link.
The YARA python module used here (yara-ctypes, installed under the package name yara) is version 1.7.7; keep that version in mind when writing rules, since it wraps the 1.7 rule syntax.
Installation with pip:

```
C:\Python34>cd Scripts
C:\Python34\Scripts>pip install yara
Downloading/unpacking yara
Installing collected packages: yara
Running setup.py install for yara
Installing yara-ctypes-script.py script to C:\Python34\Scripts
Installing yara-ctypes.exe script to C:\Python34\Scripts
Successfully installed yara
Cleaning up...
```
Let’s see this in action.
First, replace your_user in the paths below with your own Windows account name.
I keep my rules in a folder named yara:

```
C:\Users\your_user\Dropbox\yara\
```

and the file I test against, doc_data.txt, lives one level up:

```
C:\Users\your_user\Dropbox\
```
The file has this text:

```
InfoKey: Creator
InfoValue: TeX
InfoKey: Producer
InfoValue: pdfTeX-1.40.3
InfoKey: PTEX.Fullbanner
InfoValue: This is pdfTeX using libpoppler, Version 3.141592-1.40.3-2.2 (Web2C 7.5.6) kpathsea version 3.5.6
InfoKey: ModDate
InfoValue: D:20110210185614-08'00'
InfoKey: CreationDate
InfoValue: D:20110210185614-08'00'
PdfID0: 5691a9b61e98f4c329d4f9f6deb5363c
PdfID1: 5691a9b61e98f4c329d4f9f6deb5363c
NumberOfPages: 24
```
and the rule file, named detectstring, contains this rule that looks for the PdfID value:

```
rule detectstring
{
    strings:
        $my_text_string = "5691a9b61e98f4c329d4f9f6deb5363c"
    condition:
        $my_text_string
}
```
You can try it from the python shell with this session:

```python
>>> import yara
>>> from yara import *
>>> dir(yara)
['CALLBACK_ABORT', 'CALLBACK_CONTINUE', 'INCLUDE_PATH', 'Rules', 'YARA_RULES_ROOT', 'YaraSyntaxError', '__builtins__', '__cached__', '__doc__', '__file__', '__loader__', '__name__', '__package__', '__path__', '__spec__', '__version__', 'compile', 'libyara_wrapper', 'load_rules', 'preprocessor', 'rules', 'version']
>>> print(yara.version.__version__)
1.7.7
>>> rules = yara.compile("C:\\Users\\your_user\\Dropbox\\yara\\detectstring")
>>> matches = rules.match("C:\\Users\\your_user\\Dropbox\\doc_data.txt")
>>> print(matches)
{'main': [{'tags': [], 'matches': True, 'rule': 'detectstring', 'meta': {}, 'strings': [{'flags': 19, 'identifier': '$my_text_string', 'data': '5691a9b61e98f4c329d4f9f6deb5363c', 'offset': 326}, {'flags': 19, 'identifier': '$my_text_string', 'data': '5691a9b61e98f4c329d4f9f6deb5363c', 'offset': 367}]}]}
```
The rule tells YARA to report any file that contains the string.
The printed result is a dictionary keyed by namespace (main is the default); for each rule that fired it lists the tags, the meta values and every occurrence of each string with its identifier, the matched data and its byte offset. Here the PdfID value is found twice, at offset 326 (PdfID0) and at offset 367 (PdfID1), because both lines carry the same ID.
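As an added example, not part of the original post, here is a second rule for the same doc_data.txt that exercises more of the reserved keywords listed above: a rule tag, a meta section, string modifiers, the occurrence count operator # and the filesize keyword. It only fires when the PdfID value appears exactly twice (PdfID0 equals PdfID1, as in the file above), when the producer name pdfTeX occurs as a whole word, and when the file is under 2048 bytes. The tag, the meta values and the $tool string are assumptions for illustration; only the PdfID string comes from the original rule. Save it beside detectstring and compile it the same way.

```yara
// Added example (not from the original post): a stricter rule for doc_data.txt.
// Everything except the PdfID value is assumed for illustration.
rule detect_duplicate_pdfid : pdf
{
    meta:
        description = "doc_data.txt whose PdfID0 and PdfID1 are the same value"
        author      = "example"

    strings:
        // same value as $my_text_string in detectstring; nocase tolerates
        // upper-case hex, ascii limits the search to single-byte text
        $pdfid = "5691a9b61e98f4c329d4f9f6deb5363c" ascii nocase
        // assumed: producer name, fullword so "pdfTeXfoo" would not count
        $tool  = "pdfTeX" fullword ascii

    condition:
        // #pdfid is the number of occurrences: 2 for the file above
        // (offsets 326 and 367); filesize is the size of the scanned file
        #pdfid == 2 and $tool and filesize < 2048
}
```

When this rule is compiled with yara.compile and matched against doc_data.txt as in the session above, it appears in the main namespace with tags ['pdf'] and the two meta values; if either PdfID line were changed, #pdfid would drop to 1 and the rule would no longer be reported.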