What is Yara

The pattern matching swiss knife for malware researchers (and everyone else)

To me Yara is regex with logic and metadata. It allows you to create rules to match patterns in data and to add metadata that gives a match more context. You can run Yara as an executable or through the yara-python library. For this post I will be using it with yara-python.

Yara rules

The first thing we need is a rule set. These rules are easy to read and write.
A rule says: if the data satisfies the condition, return the match.

Here is an example rule:

rule example
{
    condition:
        true
}

In this example rule the condition is simply true, so it will always return a match.
We can do better than that though. Let's create a rule that matches a file containing the string hello yara. I'll call this rule hello_yara.

rule hello_yara
{
    strings:
        $a = "hello yara"
    condition:
        $a
}

We can write this rule to a file or keep it in our code as a Python string, which I will cover later. In most cases you will have more than one rule, and having all of them in your code gets ugly and hard to read, so let's create a file and save the rules there. There doesn't seem to be a naming convention, so I am naming it example.yara.

Yara Python

Yara typically scans data in the form of a file, however yara-python can also take data as a Python string or scan a running process. That being said, let's create a file with hello yara somewhere in it. I am going to create a file called test.txt which contains only hello yara.

Install yara-python with pip

pip install yara-python

With yara-python installed, the rule, and the test file, we can now begin to write some code.

import yara

# Compile the rule file, then scan the test file with the compiled rules.
rules = yara.compile(filepath='example.yara')
match = rules.match(filepath='test.txt')

# An empty result means nothing matched.
if match:
    print("[!] Found", match)


[!] Found {'main': [{'tags': [], 'meta': {}, 'strings': [{'data': 'hello yara', 'offset': 0, 'identifier': '$a', 'flags': 19}], 'rule': 'hello_yara', 'matches': True}]}

This is about as simple as it can get. We give yara-python the rules and some data and it does its thing. If there is a match it returns a dictionary (keyed by namespace, with one entry per matching rule and the strings that hit, as shown above).
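The post mentions that a rule can live in a Python string instead of a file and that yara-python can scan data in memory rather than a file on disk. The following is an added example (not code from the original post) that puts those two ideas together: it renders a rule with a meta section from plain Python values, compiles it with `yara.compile(source=...)`, scans an in-memory byte string with `rules.match(data=...)`, and flattens the result into `(rule, identifier, offset)` tuples. The `summarize()` helper accepts both the namespace-keyed dictionary shown in the post's output (older yara-python) and the list of `yara.Match` objects newer versions return; the sample data and the meta values are constructed for the example, and the `build_rule`, `summarize` and `scan_data` names are this example's own.

```python
# Added example, not part of the original post.
# Generate a Yara rule as a Python string, scan data in memory with yara-python,
# and normalise the match result regardless of which yara-python version is installed.
try:
    import yara  # pip install yara-python
except ImportError:  # assumption: let the rule-building helpers work without yara-python
    yara = None


def build_rule(name, strings, meta=None, condition="any of them"):
    """Render a rule in Yara syntax from plain Python values.

    strings: dict of identifier -> text pattern, e.g. {"$a": "hello yara"}.
    meta:    dict of key -> value (str, int or bool) for the rule's meta section.
    """
    lines = ["rule %s" % name, "{"]
    if meta:
        lines.append("    meta:")
        for key, value in meta.items():
            if isinstance(value, bool):          # bool before int: True is an int in Python
                value = "true" if value else "false"
            elif isinstance(value, str):
                value = '"%s"' % value.replace('"', '\\"')
            lines.append("        %s = %s" % (key, value))
    lines.append("    strings:")
    for ident, text in strings.items():
        lines.append('        %s = "%s"' % (ident, text.replace('"', '\\"')))
    lines.append("    condition:")
    lines.append("        %s" % condition)
    lines.append("}")
    return "\n".join(lines) + "\n"


def summarize(result):
    """Flatten a yara-python match result into (rule, identifier, offset) tuples.

    Older yara-python returns a dict keyed by namespace (the format shown in the
    post's output); newer versions return a list of yara.Match objects whose
    .strings entries are (offset, identifier, data) tuples before 4.3.0 and
    yara.StringMatch objects (with .identifier and .instances) from 4.3.0 on.
    """
    hits = []
    if isinstance(result, dict):
        for matches in result.values():
            for m in matches:
                if not m.get("matches", True):
                    continue
                for s in m.get("strings", []):
                    hits.append((m["rule"], s["identifier"], s["offset"]))
        return hits
    for m in result:
        for s in m.strings:
            if isinstance(s, tuple):                 # yara-python < 4.3.0
                offset, identifier, _data = s
                hits.append((m.rule, identifier, offset))
            else:                                    # yara-python >= 4.3.0
                for inst in s.instances:
                    hits.append((m.rule, s.identifier, inst.offset))
    return hits


def scan_data(rule_source, data):
    """Compile rule_source and scan the bytes/str in data.

    Returns summarize()'s list of hits, or None when yara-python is not
    installed so that 'not scanned' is distinguishable from 'no hits'.
    """
    if yara is None:
        return None
    rules = yara.compile(source=rule_source)
    return summarize(rules.match(data=data))


if __name__ == "__main__":
    rule = build_rule(
        "hello_yara",
        {"$a": "hello yara"},
        meta={"author": "example", "description": "rule from the post, with metadata"},
    )
    print(rule)
    sample = b"some constructed bytes ... hello yara ... more bytes"  # constructed test data
    print(scan_data(rule, sample))
```

Keeping the result handling in one place pays off as soon as you have more than one rule: whatever yara-python version a colleague has installed, the rest of your tooling only ever sees `(rule, identifier, offset)` tuples, and the offset tells you where in the data (or file) to look.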

This doesn't seem like much now, but let's use it to detect DoublePulsar. For reference, I wrote this article on DoublePulsar.


yara rules
awesome yara