Plugin
| Arg | Description | Type |
|---|---|---|
| rules | Yara rules | string (required) |
| pid | The pid to scan | int (required) |
| context | Return this many bytes either side of a hit | int |
| key | If set use this key to cache the yara rules. | string |
Scan processes using yara rules.
This plugin uses yara’s own engine to scan process memory for the signatures.
Process memory access depends on having the SeDebugPrivilege which depends on how Velociraptor was started. Even when running as System, some processes are not accessible.