How to scan using yara-ctypes yara.scan

This page should contain all of the information required to successfully operate yara.scan as a system scanning utility.

Executing yara.cli

Once yara-ctypes is installed into your Python environment you can run the scan module by executing the scan module as follows:

$ python -m yara.cli -h

or:

$ yara-ctypes -h

Performing a scan

List available modules:

$ yara-ctypes --list

Rules + example.packer_rules
      + hbgary.sockets
      + hbgary.libs
      + hbgary.compression
      + hbgary.fingerprint
      + hbgary.integerparsing
      + hbgary.antidebug
      + hbgary.microsoft

Scan process memory:

$ ps
  PID TTY          TIME CMD
 6975 pts/7    00:00:05 bash
13479 pts/7    00:00:00 ps

$ sudo yara-ctypes --proc 6975 > result.out

Rules + hbgary.compiler
      + example.packer_rules
      + hbgary.sockets
      + hbgary.libs
      + hbgary.compression
      + hbgary.fingerprint
      + hbgary.integerparsing
      + hbgary.antidebug
      + hbgary.microsoft
scan queue: 0       result queue: 0
scanned 1 items... done.

$ ls -lah result.out

-rw-rw-r-- 1 mick mick 222K Sep  1 17:36 result.out

Scan a file:

$ sudo yara-ctypes /usr/bin/ > result.out

Rules + hbgary.compiler
      + example.packer_rules
      + hbgary.sockets
      + hbgary.libs
      + hbgary.compression
      + hbgary.fingerprint
      + hbgary.integerparsing
      + hbgary.antidebug
      + hbgary.microsoft
scan queue: 0       result queue: 0
scanned 1518 items... done.

> ls -lah result.out

-rw-rw-r-- 1 mick mick 17M Sep  1 17:37 result.out

YARA rules files and folder

If you are not familiar with YARA rules files visit yara project to learn more.

To make life simple the yara.rules module supports filtered namespaced loading of multiple YARA rules files into a single context. This is managed through a translation of folder names and file names into ‘.’ seperated names. The root of this folder structured is defined by the YARA_RULES path.

By default the YARA_RULES path points to the following path:

os.path.dirname(:mod:`yara.rules`.__file__) + '/rules'

Included rules folder

The rules folder shipped with yara-ctypes helps with testing and works as a good example set of YARA rules for people to get started from.

Packaged rules folder:

./rules/hbgary/libs.yar
./rules/hbgary/compression.yar
./rules/hbgary/fingerprint.yar
./rules/hbgary/microsoft.yar
./rules/hbgary/sockets.yar
./rules/hbgary/integerparsing.yar
./rules/hbgary/compiler.yar
./rules/hbgary/antidebug.yar
./rules/example/packer_rules.yar

Building a Rules object using yara.load_rules() will load all of the above yar files into the following namespaces:

hbgary.libs
hbgary.compression
hbgary.fingerprint
hbgary.microsoft
hbgary.sockets
hbgary.integerparsing
hbgary.compiler
hbgary.antidebug
example.packer_rules

Using yara-ctypes rules folders

This section will walk you through defining and loading a realistic rules folder.

A practical rules folder example:

We set out by defining two sub directories, one for our process memory specific signatures and the other for our file signatures.

Here is what it looks like:

~/rules/
    pid/loggers.yar
    pid/spammers.yar
    pid/infectors.yar
    file/loggers.yar
    file/spammers.yar
    file/infectors.yar

Accessing a rules folder:

To access our new rules folder we need to let yara.scan know where to look. We can do this by setting the env variable YARA_RULES to export YARA_RULES=~/rules/. Alternatively, we can specify the root of the rules folder with the input argument --root=~/rules/.

Confirm the rules are being loaded by yara.scan:

$ yara-ctypes --list
Rules + file.loggers
      + file.infectors
      + file.spammers
      + pid.spammers
      + pid.loggers
      + pid.infectors

Blacklisting and whitelisting namespaces:

Let’s say we want to scan a bunch of files against all of the yar files under ~/rules/file/. We can do this two ways. By either setting our --whitelist=file or setting our --blacklist=pid.

i.e.:

$ yara-ctypes --blacklist=pid --list
Rules + file.infectors
      + file.loggers
      + file.spammers

Whitelist and blacklist parameters are globbed out (i.e. pid*).

The results are in and we find that file.spammers namespace is producing far too much noise. Let’s remove file.spammers from scan too:

$ yara-ctypes --blacklist=pid,file.spamm --list
Rules + file.infectors
      + file.loggers

To demonstrate the namespace convetion further, we may find ourselves wanting to run a scan which includes `pid.spammers`. To do this we can simply run:

$ yara-ctypes --blacklist=file.spamm --whitelist=pid.spam,file --list
Rules + file.infectors
      + file.loggers
      + pid.spammers