dissect.target.plugins.filesystem.yara

Module Contents

Classes

YaraPlugin

Plugin to scan files against a local YARA rules file.

Attributes

dissect.target.plugins.filesystem.yara.YaraMatchRecord

class dissect.target.plugins.filesystem.yara.YaraPlugin(target: dissect.target.Target)

Bases: dissect.target.plugin.Plugin

Plugin to scan files against a local YARA rules file.

DEFAULT_MAX_SIZE

check_compatible() → None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

yara(rule_files, scan_path='/', max_size=DEFAULT_MAX_SIZE)

Scan files up to a given maximum size with a local YARA rule file.

Example

target-query <TARGET> -f yara --rule-file /path/to/yara_sigs.rule