
Matching Multiple Yara Rules with Volatility

Open · nccs-neduet opened this issue 5 years ago · 1 comment

My Issue is:

I am running the Volatility Windows exe on a Windows 7 machine. Whenever I try matching multiple YARA rules against a memory dump file by running the following command:

>volatility_2.6_win64_standalone.exe -f GUESTWINDOWS-PC-20200131-113322.raw --profile=Win7SP1x64 yarascan -y "..\yara-rules\index.yar"

I get the following error:

Volatility Foundation Volatility Framework 2.6
Traceback (most recent call last):
  File "vol.py", line 192, in <module>
  File "vol.py", line 183, in main
  File "volatility\commands.py", line 147, in execute
  File "volatility\plugins\malware\malfind.py", line 342, in render_text
  File "volatility\plugins\malware\malfind.py", line 305, in calculate
  File "volatility\plugins\malware\malfind.py", line 246, in _scan_process_memory
  File "volatility\plugins\malware\malfind.py", line 142, in scan
  File "volatility\plugins\malware\malfind.py", line 110, in scan
yara.Error: internal error: 30
Failed to execute script vol

I am using the default YARA rules repository given here. If I use a .yar file without any includes, Volatility runs fine.

Please help me out with this issue.

nccs-neduet, Feb 03 '20 10:02

Hello,

The command to use the YARA rules in Volatility 2.6 is the following: vol.py -f [your memory dump file] --profile=[scan profile] yarascan --yara-file=[rule file.yar]

To execute a set of YARA rules from a directory you could use a shell script "one-liner":

for f in /home/remnux/lab_analysis/rules/malware/*.yar; do echo "$f"; vol.py -f memdump.mem --profile=Win10x64_17134 yarascan --yara-file="$f"; done

where /home/remnux/lab_analysis/rules/malware/ is the directory where I store all the YARA rules.

For Volatility 3.x the syntax changes a bit; it would be as follows.

vol.py -f [your memory dump file] --profile=[scan profile] yarascan.YaraScan --yara-file=[rule file.yar]

Therefore, the "one-liner" shell script would look like this:

for f in /home/remnux/lab_analysis/rules/malware/*.yar; do echo "$f"; vol.py -f memdump.mem --profile=Win10x64_17134 yarascan.YaraScan --yara-file="$f"; done

Greetings.

LW-Homeless, May 01 '23 04:05
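The original report fails only when the rule set is loaded through an index file with include directives, and the reply works around it by feeding yarascan one .yar file at a time. A useful pre-flight step before either approach is to walk the index and check that every include actually resolves, since a single unresolvable include makes the whole index fail to compile. The script below is an added example, not code from this thread or from the Volatility project: it follows the include directives of an index file such as yara-rules/index.yar, resolves each relative path against the directory of the file that contains it (the default libyara behaviour, stated here as an assumption), and returns the leaf rule files (files that contain rules rather than further includes) together with any includes that point at missing files. It uses only the standard library and does not compile the rules, so it cannot diagnose every compile error, only the missing-include kind. The sample rule tree it builds in a temporary directory is constructed for the demonstration.

```python
"""Pre-flight check of a YARA index file before handing it to yarascan.

Added example (not from the thread or the Volatility project). It resolves
`include "path"` directives the way libyara does by default (assumption:
relative to the directory of the including file) and reports which includes
do not exist, so a broken index can be repaired or the surviving leaf rule
files can be scanned one at a time as in LW-Homeless's loop.
"""
import os
import re
import sys
import tempfile

# include "something.yar"   (one directive per line, double-quoted path)
INCLUDE_RE = re.compile(r'^\s*include\s+"([^"]+)"', re.MULTILINE)


def resolve_includes(index_path, _seen=None):
    """Return (rule_files, missing).

    rule_files: absolute paths of files reachable through include directives
                that contain no further includes (the ones worth scanning
                individually), without duplicates.
    missing:    include targets that do not exist on disk.
    Nested index files are followed; cycles are broken with _seen.
    """
    seen = _seen if _seen is not None else set()
    index_path = os.path.abspath(index_path)
    rule_files, missing = [], []
    if index_path in seen:
        return rule_files, missing
    seen.add(index_path)

    with open(index_path, encoding="utf-8", errors="replace") as fh:
        includes = INCLUDE_RE.findall(fh.read())
    if not includes:
        return [index_path], missing  # a leaf file: real rules, no includes

    base = os.path.dirname(index_path)
    for rel in includes:
        # assumption: libyara resolves a relative include against the
        # directory of the file that contains the directive
        target = os.path.normpath(os.path.join(base, rel))
        if not os.path.isfile(target):
            missing.append(target)
            continue
        sub_rules, sub_missing = resolve_includes(target, seen)
        rule_files.extend(p for p in sub_rules if p not in rule_files)
        missing.extend(sub_missing)
    return rule_files, missing


def build_sample_ruleset(root):
    """Constructed sample data: a small rule tree under `root`.

    index.yar includes a nested index, a leaf rule file (twice, once
    directly and once through the nested index) and a file that is absent.
    """
    os.makedirs(os.path.join(root, "malware"), exist_ok=True)
    with open(os.path.join(root, "malware", "demo.yar"), "w") as fh:
        fh.write('rule demo { strings: $a = "constructed" condition: $a }\n')
    with open(os.path.join(root, "malware", "index.yar"), "w") as fh:
        fh.write('include "demo.yar"\n')
    with open(os.path.join(root, "index.yar"), "w") as fh:
        fh.write('include "./malware/index.yar"\n'
                 'include "./malware/demo.yar"\n'
                 'include "./missing/gone.yar"\n')
    return os.path.join(root, "index.yar")


def check_sample():
    """Run the resolver over the constructed tree; paths are returned relative
    to the tree root (with forward slashes) so the result is deterministic."""
    root = tempfile.mkdtemp()
    rules, missing = resolve_includes(build_sample_ruleset(root))

    def rel(paths):
        return [os.path.relpath(p, root).replace(os.sep, "/") for p in paths]

    return rel(rules), rel(missing)


if __name__ == "__main__":
    # Usage: python check_index.py path/to/index.yar
    # Without an argument the constructed sample tree is used.
    if len(sys.argv) > 1:
        rules, missing = resolve_includes(sys.argv[1])
    else:
        rules, missing = check_sample()
    for p in missing:
        print("MISSING include:", p)
    for p in rules:
        print("rule file:", p)
    print(f"{len(rules)} rule file(s), {len(missing)} missing include(s)")
```

Run it against the index that triggered the error; any path printed as MISSING must be fixed or dropped from the index, and the "rule file" list is exactly the set of files the per-file loop in the reply would pass to yarascan, which makes it easy to see which single file fails if the loop still reports an error.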