YARA python module – part 002.

Before we start, I have to tell you that this is the continuation of an older tutorial, which you can find here.
As you know, YARA is a tool aimed at helping malware researchers identify and classify malware samples.
With YARA you can create descriptions of malware families based on textual or binary patterns.
Each such description is called a rule and consists of a set of strings and a boolean expression that determines its logic.
The YARA tool can be found on the official website.
First you need to install the python version of the module (yara-python).
I used the yara-python-3.7.0.win-amd64-py3.5 build.
That build needs Python 3.5.0, which you can get from here.
Let’s test the yara python module:

You can see that the yara python module works well.
Let's make a rule and test it with a PDF file. This rule will tell us whether the PDF contains links.
The rule is a single file named detectpdflinks in this path:
C:\\BackUP\\Tools\\Python35\\detectpdflinks
The source code of this rule is:

Now we will make the python script that uses this yara rule with one pdf file:

You can see the URI in the matched string named $the_uri.
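Since neither the rule text nor the script is reproduced on this page, here is an added example of my own (not the original post's code) that shows the same idea end to end: a YARA rule that fires on a PDF carrying a /URI link action and captures it in $the_uri, plus a yara-python script that compiles the rule, scans the bytes and prints the URIs. The rule body, the $pdf_magic name, the function names and the sample PDF bytes are assumptions constructed for this example; only $the_uri comes from the post. When yara-python is not installed, the script falls back to an equivalent pure-Python matcher so it still runs.

```python
import re
import sys

# Added example rule (assumption: the post's own rule text is not shown on the page).
# It fires on data that starts with the PDF magic and contains at least one
# /URI action; the link itself is captured by the $the_uri string.
DETECT_PDF_LINKS_RULE = r"""
rule detectpdflinks
{
    meta:
        description = "PDF that carries at least one /URI link action"
    strings:
        $pdf_magic = "%PDF"
        $the_uri   = /\/URI\s*\(\s*[^)]+\)/
    condition:
        $pdf_magic at 0 and $the_uri
}
"""

# Constructed sample inputs (not real files): a minimal PDF-like body with two
# link annotations, and one with none.
SAMPLE_PDF_WITH_LINKS = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Annot /Subtype /Link"
    b" /A << /S /URI /URI (http://example.com/a) >> >> endobj\n"
    b"2 0 obj << /Type /Annot /Subtype /Link"
    b" /A << /S /URI /URI (https://example.org/b) >> >> endobj\n"
    b"%%EOF\n"
)
SAMPLE_PDF_NO_LINKS = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"

try:
    import yara  # the yara-python module installed in the post
except ImportError:
    yara = None  # the fallback below keeps the example runnable without it

# Same pattern as $the_uri, used only by the fallback path.
_URI_RE = re.compile(rb"/URI\s*\(\s*[^)]+\)")


def _the_uri_hits_yara(data):
    """Compile the rule with yara-python and return the bytes matched by $the_uri."""
    rules = yara.compile(source=DETECT_PDF_LINKS_RULE)
    hits = []
    for match in rules.match(data=data):
        for s in match.strings:
            if hasattr(s, "identifier"):
                # yara-python 4.3+: StringMatch objects with .instances
                if s.identifier == "$the_uri":
                    hits.extend(inst.matched_data for inst in s.instances)
            else:
                # older yara-python (such as 3.7.0): (offset, identifier, data) tuples
                _offset, identifier, matched = s
                if identifier == "$the_uri":
                    hits.append(matched)
    return hits


def _the_uri_hits_fallback(data):
    """Pure-Python stand-in for the rule: same magic check, same $the_uri pattern."""
    if not data.startswith(b"%PDF"):
        return []
    return [m.group(0) for m in _URI_RE.finditer(data)]


def scan_pdf_bytes(data):
    """Raw $the_uri matches for `data` ([] when the rule does not fire)."""
    if yara is not None:
        return _the_uri_hits_yara(data)
    return _the_uri_hits_fallback(data)


def extract_uris(data):
    """Strip '/URI (' and ')' from each hit so only the link text remains."""
    uris = []
    for hit in scan_pdf_bytes(data):
        inner = hit.split(b"(", 1)[1].rsplit(b")", 1)[0]
        uris.append(inner.strip().decode("latin-1"))
    return uris


def scan_pdf_file(path):
    """Scan one PDF file from disk, as the post's script does with its pdf file."""
    with open(path, "rb") as fh:
        return extract_uris(fh.read())


if __name__ == "__main__":
    # With a path argument the file is scanned; without one the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PDF_WITH_LINKS
    for uri in extract_uris(data):
        print("link found:", uri)
```

Run it as `python detectpdflinks.py some.pdf` to scan a real file; with no argument it scans the constructed sample and prints the two embedded links. The `$pdf_magic at 0` clause matters: without it, any file that happens to contain the text `/URI (...)` would trigger the rule, so the third check in the script (data that is not a PDF) returns nothing even though it contains a link.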

admin
Posted in All, Programming, Python, YARA.