Yara
Engine yara class
Object: _analysis.scan.yara

Members

rules_loaded_count : uint64_t
    Number of rules loaded by yara.

Functions

Yara (void) -> Yara
    The class constructor; creates a new Yara instance.

save_rules_stream (Stream &) -> int
    Save the loaded rules to a generic data stream (see the Stream type).

load_rules_stream (Stream &) -> int
    Load rules from a generic data stream (see the Stream type).

unload_rules (void) -> void
    Destroy the loaded rules.

rules_foreach (const std::function<void(const Rule &)> &) -> void
    Iterate over all loaded rules.

strings_foreach (YR_RULE *, const std::function<void(const YR_STRING &)> &) -> void
    Iterate over all strings in the rule.

tags_foreach (YR_RULE *, const std::function<void(const YR_STRING &)> &) -> void
    Iterate over all tags in the rule.

metas_foreach (Rule *, const std::function<void(const Meta &)> &) -> void
    Iterate over the rule's metadata.

load_compiler (void) -> void
    Create the yara compiler.

unload_compiler (void) -> void
    Destroy the yara compiler.

load_rules_folder (const std::string &) -> void
    Load rules from a folder; only files with the .yar extension are considered.

load_rules_file (const std::string &) -> int
    Load compiled rules (.yarc) from a file.

save_rules_file (const std::string &) -> int
    Save the compiled rules to a file.

set_rule_buff (const std::string &, const std::string &) -> int
    Load a rule from a buffer.

set_rule_file (const std::string &, const std::string &, const std::string &) -> int
    Load rules from a file.

load_rules (const std::function<void()> &) -> void
    Compiles the rules. Expects as parameter a callback that performs the loading, e.g. by calling set_rule_file, set_rule_buff or load_rules_folder.

scan_fast_bytes (const std::string&, const std::function<void(yara::record::Data *)> &) -> void
    Scans a buffer with the yara flag SCAN_FLAGS_FAST_MODE. On the first match in any rule it returns the matching rule through the callback and stops the scan (CALLBACK_ABORT).

scan_bytes (const std::string&, YR_CALLBACK_FUNC, void *, int) -> void
    Create and customize scans more completely by passing a custom callback to yara.

disable_rule (Rule) -> void
    Disable a rule for scanning.

enable_rule (Rule) -> void
    Enable a rule for scanning.
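As an added example (not code from this page or the wrapper project), a callback for scan_fast_bytes that records only results whose match_status is match and summarises them per namespace; the Data and Scan definitions are local mirrors of the types documented below (the real ones are assumed to come from the wrapper's header), and the records fed to the callback are constructed.

```cpp
#include <cstdint>
#include <functional>
#include <map>
#include <string>
#include <vector>

// Local mirror of the Data record and Scan enum documented on this page
// (assumption: the real ones live in the wrapper's header, not included here).
namespace yara { namespace record {
enum class Scan : int32_t { nomatch = 0, match = 1, none = 2 };
struct Data { Scan match_status; const char *rule; const char *ns; };
} }

struct Hit { std::string ns; std::string rule; };

// Callback to hand to Yara::scan_fast_bytes. Only Scan::match is a detection:
// Scan::none (2) is the record's default value, so testing for "non-zero"
// would report an unset record as a hit.
std::function<void(yara::record::Data *)> make_match_callback(std::vector<Hit> &hits) {
    return [&hits](yara::record::Data *d) {
        if (d == nullptr || d->match_status != yara::record::Scan::match) return;
        hits.push_back({d->ns ? d->ns : "", d->rule ? d->rule : ""});
    };
}

// Count detections per rule namespace for a report.
std::map<std::string, size_t> hits_per_namespace(const std::vector<Hit> &hits) {
    std::map<std::string, size_t> out;
    for (const Hit &h : hits) ++out[h.ns];
    return out;
}

// Feed the callback constructed records, as several fast scans would deliver
// them (each scan aborts on its first match, so it yields at most one record).
// Per this page, the wrapper sequence would be: load_compiler();
// load_rules([&]{ set_rule_buff(ns, text); }); scan_fast_bytes(buffer, cb); unload_rules(); unload_compiler();
std::vector<Hit> demo() {
    std::vector<Hit> hits;
    auto cb = make_match_callback(hits);
    yara::record::Data records[] = {
        {yara::record::Scan::match, "Ransom_Note", "ransomware"},
        {yara::record::Scan::none, "Unset", "default"},
        {yara::record::Scan::nomatch, "Packed_UPX", "packers"},
        {yara::record::Scan::match, "Packed_UPX", "packers"},
    };
    for (yara::record::Data &r : records) cb(&r);
    return hits;
}
```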
Types

Data
    match_status : type::Scan
        Match status. Can take the values nomatch, match or none.
    rule : const char *
        Rule identifier.
    ns : const char *
        Namespace associated with the rule.

Scan (enum)
    nomatch = 0
        No rule matched.
    match = 1
        A rule matched.
    none = 2
        Default pattern value.

Stream
    read : typedef size_t (YR_STREAM_READ_FUNC)(std::string, size_t, size_t)
        Callback used by load_rules_stream.
    write : typedef size_t (YR_STREAM_WRITE_FUNC)(std::string, size_t, size_t)
        Callback used by save_rules_stream.

Rule
    identifier : const char*
        Rule name.
    ns : Namespace
        Rule namespace.
    flags : int32_t
    num_atoms : int32_t
        Number of atoms generated for this rule.
    required_strings : int32_t
        Number of strings that must match for this rule to have some possibility of matching.
    tags : const char*
        Rule tags.
    metas : Meta
        Rule metadata, e.g. author information.
    strings : String
        Strings that matched the rule.

String
    identifier : const char*
        String name.
    length : int32_t
        The string's length.
    rule_idx : int32_t
        Index of the rule containing this string in the array of Rule structures stored in YR_RULES_TABLE.
    fixed_offset : int64_t
        Set if the string can only match at a specific offset (for example, with the condition "$a at 0" the string $a can only match at offset 0).
    required_strings : int32_t
        Number of strings that must match for this rule to have some possibility of matching.
    tags : const char*
        Rule tags.
    string : std::string
        The string itself.
    idx : uint32_t
        Index of this string in the array of String structures stored in YR_STRINGS_TABLE.

Namespace
    name : const char*
        Namespace name.
    idx : int32_t
        Index of this namespace in the array of Namespace structures stored in YR_NAMESPACES_TABLE.

Meta
    identifier : const char*
        The metadata name.
    type : int32_t
        The metadata type (META_TYPE_INTEGER, META_TYPE_STRING or META_TYPE_BOOLEAN).
    flags : int32_t
        Stores additional metadata properties.
    integer : int64_t
        The metadata value if it is an integer.
    string : const char*
        The metadata value if it is a string.

Import
    module_name : const char*
        Name of the module being imported.