`dissect.target.plugins.filesystem.yara`¶

Module Contents¶

Classes¶

YaraPlugin

Plugin to scan files against a local YARA rules file.

Functions¶

`process_rules`	Generate compiled YARA rules from the given path(s).
`compile_yara`	Compile or load the given YARA file(s) to rules.
`is_valid_yara`	Determine if the given YARA file(s) compile without errors or warnings.

Attributes¶

`HAS_YARA`
`log`
`YaraMatchRecord`
`DEFAULT_MAX_SCAN_SIZE`

dissect.target.plugins.filesystem.yara.HAS_YARA = True¶

dissect.target.plugins.filesystem.yara.log¶

dissect.target.plugins.filesystem.yara.YaraMatchRecord¶

dissect.target.plugins.filesystem.yara.DEFAULT_MAX_SCAN_SIZE = 10485760¶

class dissect.target.plugins.filesystem.yara.YaraPlugin(target: dissect.target.target.Target)¶

Bases: dissect.target.plugin.Plugin

Plugin to scan files against a local YARA rules file.

check_compatible() → None¶

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:: UnsupportedPluginError – If the plugin could not be loaded.

yara(rules: list[str | pathlib.Path], path: str = '/', max_size: int = DEFAULT_MAX_SCAN_SIZE, check: bool = False) → collections.abc.Iterator[YaraMatchRecord]¶

Scan files inside the target up to a given maximum size with YARA rule file(s).

Parameters:

rules – list of strings or Path objects pointing to rule files to use.
path – string of absolute target path to scan.
max_size – Files larger than this size will not be scanned.
check – Check if provided rules are valid, only compiles valid rules.

Returns:

Iterator yields YaraMatchRecord.

dissect.target.plugins.filesystem.yara.process_rules(paths: list[str | pathlib.Path], check: bool = False) → yara.Rules | None¶

Generate compiled YARA rules from the given path(s).

Provide path to one (compiled) YARA file or directory containing YARA files.