Tuesday, October 12, 2010

Scanning Memory Objects with Yara

Below are some Python inserts that enable Yara scanning of in-memory objects while parsing something, like a PDF. This particular example adds Yara signature scanning of parsed, filtered PDF objects to Didier Stevens' pdf-parser. The point of hooking in after the filters have been applied is that a signature for, say, an eval(unescape(...)) string will never fire on a FlateDecode-compressed stream; it has to run against the decoded bytes, and doing that in memory avoids writing every decoded object to disk first.

[...imports...]

import yara   # yara-python
import mmap
# Compile the rule file once at startup, not per object; 'path/rulefile' is a placeholder.
rules = yara.compile('path/rulefile')

[...parsing code...]

############################ yara insert around line 558
############################ just before
######### print ' %s' % FormatOutput(filtered, options.raw)

# Copy the filtered (decoded) object into an anonymous memory map and feed the
# bytes to yara; nothing touches disk. mmap cannot create a zero-length map, so
# empty objects are skipped. (rules.match(data=filtered) would also work directly;
# the mmap just makes the in-memory round-trip explicit.)
if filtered:
    memmap = mmap.mmap(-1, len(filtered))
    memmap.write(filtered)
    memmap.seek(0)
    matches = rules.match(data=memmap.read(len(filtered)))
    memmap.close()
    for m in matches:
        print ' yara: %s' % (m)

##################################

[...resume Didier's code...]

print ' %s' % FormatOutput(filtered, options.raw)
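To show the whole idea end to end, here is a self-contained example (written for this post, not pdf-parser's code): it builds a small PDF with a Flate-compressed JavaScript stream, pulls the stream objects out with a minimal parser, and scans each one with a Yara rule both before and after the filter is undone. The rule, the parsing regexes and the sample PDF are all constructed for the example; the rule name and the heap-spray snippet are made up. If yara-python is not installed the block falls back to a plain substring matcher that understands only the simple rule shown, so the example still runs.

```python
"""Added example (not pdf-parser's code): scan PDF stream objects with Yara
before and after the stream filters are applied."""
import re
import zlib
from collections import namedtuple

try:
    import yara  # yara-python
except ImportError:
    yara = None  # a substring-only stand-in is used below so the example still runs

# Hypothetical rule written for this example; not a published signature.
RULE_SOURCE = r'''
rule pdf_js_eval_unescape
{
    strings:
        $eval = "eval(" ascii
        $unescape = "unescape(" ascii
    condition:
        $eval and $unescape
}
'''

# "N G obj << ... >> stream\n": the tempered .*? stops at "endobj", so the
# dictionary of a stream-less object cannot swallow the objects after it.
OBJ_STREAM_RE = re.compile(
    rb'(\d+)\s+(\d+)\s+obj\s*(<<(?:(?!endobj).)*?>>)\s*stream\r?\n', re.DOTALL)
# Direct /Length only; an indirect "/Length 5 0 R" is skipped by extract_streams.
LENGTH_RE = re.compile(rb'/Length\s+(\d+)\b')

_Match = namedtuple("_Match", "rule")


class _SubstringRules:
    """Fallback when yara-python is absent: honours only plain "..." strings joined by 'and'."""

    def __init__(self, source):
        self.rule = re.search(r'rule\s+(\w+)', source).group(1)
        self.strings = [s.encode() for s in re.findall(r'\$\w+\s*=\s*"([^"]*)"', source)]

    def match(self, data):
        return [_Match(self.rule)] if all(s in data for s in self.strings) else []


def compile_rules(source=RULE_SOURCE):
    return yara.compile(source=source) if yara else _SubstringRules(source)


def build_sample_pdf():
    """Constructed PDF whose /OpenAction runs Flate-compressed JavaScript (made-up payload)."""
    js = (b"var nop = unescape('%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090');\n"
          b"var spray = unescape('%u0c0c%u0c0c');\n"
          b"while (spray.length < 0x10000) spray += spray;\n"
          b"eval(unescape('%61%70%70%2e%61%6c%65%72%74%28%31%29'));\n")
    body = zlib.compress(js)
    header = (b"%PDF-1.4\n"
              b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
              b"3 0 obj\n<< /S /JavaScript /JS 4 0 R >>\nendobj\n")
    stream_obj = (b"4 0 obj\n<< /Length " + str(len(body)).encode() +
                  b" /Filter /FlateDecode >>\nstream\n" + body + b"\nendstream\nendobj\n")
    return header + stream_obj + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def extract_streams(pdf_bytes):
    """Yield (object number, dictionary, raw stream bytes) for each stream object."""
    for m in OBJ_STREAM_RE.finditer(pdf_bytes):
        length = LENGTH_RE.search(m.group(3))
        if length is None:
            continue
        start = m.end()
        yield int(m.group(1)), m.group(3), pdf_bytes[start:start + int(length.group(1))]


def apply_filters(dictionary, raw):
    """Undo the stream filter (FlateDecode only here); pdf-parser's 'filtered' is the analogue."""
    return zlib.decompress(raw) if b"/FlateDecode" in dictionary else raw


def scan_pdf(pdf_bytes, rules):
    """Return {object number: (rules hit on raw bytes, rules hit on decoded bytes)}."""
    results = {}
    for num, dictionary, raw in extract_streams(pdf_bytes):
        decoded = apply_filters(dictionary, raw)
        raw_hits = [m.rule for m in rules.match(data=raw)]
        decoded_hits = [m.rule for m in rules.match(data=decoded)]
        results[num] = (raw_hits, decoded_hits)
    return results


if __name__ == "__main__":
    for num, (raw_hits, decoded_hits) in scan_pdf(build_sample_pdf(), compile_rules()).items():
        print("obj %d: raw=%s decoded=%s" % (num, raw_hits, decoded_hits))
```

Running it reports no hit on the raw (compressed) bytes of object 4 and a hit on the decoded bytes, which is exactly why the insert above sits after pdf-parser has applied the filters rather than on the bytes read from the file. The regexes are deliberately minimal; for real samples keep using pdf-parser, which handles indirect /Length values, nested dictionaries and the other filters.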