Pkg.YARARules — API for scanning with YARA rules

Overview

The Pkg.YARARules module contains the API for scanning with YARA rules.

It’s important to note that the official YARA API is exposed via the Pro.yara module; this module only provides wrapper functionality on top of it for simplicity.

Scanning All Processes

The following code example demonstrates how to scan all processes on a system using YARA:

from Pro.Core import *
from Pro.UI import proContext
from Pkg.YARARules import *

def scanProcesses():
    procs = NT_GetProcessList()
    n = procs.size()
    # Wait object that keeps the UI responsive; the scan reports no progress.
    wo = proContext().startWait("Scanning...", NTIWait.NoProgress)
    objs = []
    for i in range(n):
        pid = procs.at(i).pid
        # (identifier, object): the pid is used both as the key under which the
        # matches are returned and as the object to scan (an int is a process id).
        objs.append((pid, pid))
    try:
        matches = YARAMultiScan(objs, wo)
    finally:
        # always release the wait object, even if the scan raises
        wo.stop()
    print(matches)

Module API

Pkg.YARARules module API.

Functions:

YARAMultiScan(objs[, wo, yarc, objs_name])

Performs a parallelized YARA scan on multiple objects.

YARAScan(obj[, wo, yarc])

Performs a YARA scan on a specified object.

YARAMultiScan(objs: List[Tuple[Any, Union[CFFObject, NTContainer, str, int]]], wo: Optional[NTIWait] = None, yarc: Optional[str] = None, objs_name: Optional[str] = None) → List[Tuple[Any, Dict[str, Any]]]

Performs a parallelized YARA scan on multiple objects.

Parameters
  • objs (List[Tuple[Any, Union[CFFObject, NTContainer, str, int]]]) – A list of tuples containing the object identifier and the object to scan. The object can be either a Pro.Core.CFFObject, a Pro.Core.NTContainer, a file name or a process id. The identifier is opaque to the scanner and is returned unchanged alongside the matches for that object.

  • wo (Optional[NTIWait]) – An optional wait object.

  • yarc (Optional[str]) – An optional path to a compiled YARA rules file to be used for the scan.

  • objs_name (Optional[str]) – An optional name for the objects being scanned.

Returns

Returns a list of tuples containing the object identifier and its matches, in the same shape as the tuples passed in objs.

Return type

List[Tuple[Any, Dict[str, Any]]]

See also YARAScan().

YARAScan(obj: Union[Pro.Core.CFFObject, Pro.Core.NTContainer, str, int], wo: Optional[Pro.Core.NTIWait] = None, yarc: Optional[str] = None) → Dict[str, Any]

Performs a YARA scan on a specified object.

Parameters
  • obj (Union[Pro.Core.CFFObject, Pro.Core.NTContainer, str, int]) – The object to scan. It can be either a Pro.Core.CFFObject, a Pro.Core.NTContainer, a file name or a process id.

  • wo (Optional[Pro.Core.NTIWait]) – An optional wait object.

  • yarc (Optional[str]) – An optional path to a compiled YARA rules file to be used for the scan.

Returns

Returns the matches for the object.

Return type

Dict[str, Any]

See also YARAMultiScan().
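As an added example (not part of this page and not code from the Pkg.YARARules module), the helpers below build the (identifier, object) list that YARAMultiScan() expects from a mix of file paths and process ids, run the scan inside a try/finally so the wait object is always stopped, and reduce the result to the identifiers that produced at least one match. The Pro and Pkg imports are done inside run_scan() so the pure helpers can be exercised outside Cerbero Suite; build_scan_targets, hits_only and run_scan are names chosen here, and treating an object with no matches as an empty dict is an assumption rather than something the page states.

```python
import os
from typing import Any, Dict, Iterable, List, Optional, Tuple

# Shape of the objs argument documented for YARAMultiScan(): (identifier, object),
# where object is a CFFObject, NTContainer, file name (str) or process id (int).
ScanTarget = Tuple[Any, Any]


def build_scan_targets(paths: Iterable[str] = (), pids: Iterable[int] = ()) -> List[ScanTarget]:
    """Pair each object with an identifier that is meaningful in the result list.

    The page's own example uses the pid as both identifier and object; here the
    absolute path is used for files and "pid:<n>" for processes so the two kinds
    cannot collide. Missing files, duplicates and non-positive pids are dropped
    rather than handed to the scanner.
    """
    targets: List[ScanTarget] = []
    seen = set()
    for p in paths:
        full = os.path.abspath(p)
        if not os.path.isfile(full) or full in seen:
            continue
        seen.add(full)
        targets.append((full, full))  # str object -> scanned as a file name
    for pid in pids:
        if not isinstance(pid, int) or pid <= 0:
            continue
        ident = "pid:%d" % pid
        if ident in seen:
            continue
        seen.add(ident)
        targets.append((ident, pid))  # int object -> scanned as a process id
    return targets


def hits_only(results: Iterable[Tuple[Any, Dict[str, Any]]]) -> Dict[Any, Dict[str, Any]]:
    """Keep only the identifiers whose match dict is non-empty.

    Assumption (not stated by the page): an object without matches comes back
    with an empty dict, so truthiness of the dict is the hit test.
    """
    return {ident: matches for ident, matches in results if matches}


def run_scan(targets: List[ScanTarget], yarc: Optional[str] = None) -> Dict[Any, Dict[str, Any]]:
    """Run YARAMultiScan() from Pkg.YARARules; only callable inside Cerbero Suite.

    yarc is the optional path to a compiled rules file, passed straight through.
    """
    from Pro.Core import NTIWait
    from Pro.UI import proContext
    from Pkg.YARARules import YARAMultiScan

    wo = proContext().startWait("Scanning...", NTIWait.NoProgress)
    try:
        results = YARAMultiScan(targets, wo, yarc)
    finally:
        wo.stop()  # always release the wait object, even if the scan raises
    return hits_only(results)


if __name__ == "__main__":
    # Outside Cerbero Suite only the pure helpers can run; the scan itself needs Pro.*.
    print(build_scan_targets([__file__], [os.getpid(), -1]))
```

Because the identifier is returned unchanged, keying hits by a path or a "pid:<n>" string keeps file and process results apart even when several objects are scanned in one call; the page's own example, which uses the pid for both tuple members, works only because every object there is a process.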