Plugin
Arg | Description | Type |
---|---|---|
rules | Yara rules in the yara DSL. | string (required) |
files | The list of files to scan. | list of Any (required) |
accessor | Accessor (e.g. ntfs,file) | string |
context | How many bytes to include around each hit | int |
start | The start offset to scan | uint64 |
end | End scanning at this offset (100mb) | uint64 |
number | Stop after this many hits (1). | int64 |
blocksize | Blocksize for scanning (1mb). | uint64 |
key | If set use this key to cache the yara rules. | string |
Scan files using yara rules.
The yara()
plugin applies a signature consisting of multiple rules
across files. You can read more about yara rules. The
accessor is used to open the various files which allows this plugin to
work across raw ntfs, zip members or indeed process memory.
Scanning proceeds by reading a block from the file, then applying the yara rule on the block. This will fail if the signature is split across block boundary. You can choose the block size to be appropriate.
If the accessor is not specified we use the yara library to directly open the file itself without Velociraptor’s accessor API. This allows Yara to mmap the file which has a number of benefits including:
The ability to scan without reading in blocks - so a signature matching the file header as well as a string deep within the file works.
Various Yara extensions like the pe
extension work allowing
rules that use such extensions to work properly.
If we are not able to open the file (for example due to sharing violations), Velociraptor will automatically fall back to the ntfs accessor (on Windows) and will automatically switch to block by block scanning.
Typically the yara rule does not change for the life of the query,
so Velociraptor caches it to avoid having to recompile it each
time. The key
variable can be used to uniquely identify the
cache key for the rule. If the key
variable is not specified, we
use the rule text itself to generate the cache key. It is
recommended that the key
parameter be specified because it makes
it more efficient since we do not need to hash the rules each time.
This plugin accepts yara rules in the rules
parameter. But typically
we only search for keywords so writing a full yara syntax rule is
tedious. Therefore we provide a shorthand way to specify the
keywords. For example:
wide nocase:foo,bar,baz
When the rule is provided in the above form, the plugin will
automatically generate a yara rule which matches any of the specified
keywords. The specification before the :
means the same thing as the
yara DSL and the following combinations are supported wide
,
wide ascii
, wide nocase
, wide nocase ascii
.
By default only the first 100mb of the file are scanned and scanning stops after one hit is found.