yara

Eric Monti - emonti at trustwave dot com

Introduction

Ruby bindings for the yara malware analysis library.

YARA is a tool aimed at helping malware researchers to identify and classify malware families. With YARA you can create descriptions of malware families based on textual or binary information contained on samples of those families. These descriptions, named rules, consist of a set of strings and a Boolean expression which determines the rule logic.

Yara and it's code are copyrights of Victor M. Alvarez. Please see code.google.com/p/yara-project/

Usage

# basic example... find all PE files under the current dir

require 'yara'

ctx = Yara::Rules.new
ctx.compile_string "rule IsPE { condition: uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 }"

Dir["**/*", "*"].each do |fname|
  begin
    next unless File.file?(fname)
    ctx.scan_file(fname).each {|match| puts "#{fname} -> #{match.rule}" }
  rescue Yara::ScanError => e
    STDERR.puts e
  end
end

Versioning

The current version of libyara at the time of writing is 1.5.0. Bindings have been written against this API and may not work with earlier versions of the libyara library.

The major and minor version numbers of the ruby library are intended to be in step with the C api version.

Note that yara-ruby began existence as of yara 1.4 so binding versions go back this far. The yara 1.4 binding in ruby to use is the most recent 1.4.X gem, and so on.

Requirements

Installation

First make sure you have libyara and its dependencies installed. You'll need libyara and yara.h in your search paths.

Install the yara ruby package from a gem:

(sudo)? gem install yara

Or from the github package.

git clone https://github.com/SpiderLabs/yara-ruby.git
cd yara-ruby
rake compile

Copyright

yara-ruby - Ruby bindings for the yara malware analysis library. Eric Monti Copyright (C) 2011 Trustwave Holdings

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see <www.gnu.org/licenses/>.

See LICENSE.txt