
Add convenience method for YaraScanner

Open JSCU-CNI opened this issue 6 months ago • 2 comments

This convenience method makes it easier to use the YaraScanner with a Python-defined YARA rule. This makes one-off, single-file plugins easier to make, because one can include the YARA rule directly in Python instead of having to include the rule in a separate YARA file. I.e.:


from volatility3.plugins import yarascan

RULE = """rule ExampleRule
{
    strings:
        $line = { 00 01 02 03 }

    condition:
        all of them
}
"""

class Plugin:
    # [setup] - plugin requirements and other setup elided in the original

    def _generator(self, layer):
        rule = yarascan.YaraScanner.from_text(RULE)
        scanner = yarascan.YaraScanner(rules=rule)
        # [...]

JSCU-CNI avatar Jun 27 '25 12:06 JSCU-CNI

Oh, ruff spotted that formatted_rule now isn't defined; we can just use rule. 5:)

ikelos avatar Jul 21 '25 19:07 ikelos

Also, the type hinting uses yara which may not exist if yara_x is the only installed instance. The previous methods avoided it by just not type hinting, but if you want to do it correctly, I guess assign the type to a variable after the import has been made, and then use that type in the signature...

ikelos avatar Jul 21 '25 19:07 ikelos
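The two points raised in this thread, a from_text style convenience for compiling an inline rule and a return annotation that does not name a module which may be absent, as an added example that is not volatility3's own YaraScanner code. It assumes either yara-python or yara-x is installed (it degrades to an ImportError if neither is), and the rule text, the `compile_rules_from_text`/`scan_bytes` names and the sample buffer are constructed for this illustration:

```python
"""Compile a YARA rule from an inline string and scan a buffer with whichever
YARA backend is installed (yara-python or yara-x).

Added example, not volatility3 code: it shows a from_text style helper and a
type annotation bound after the import so the signature never refers to a
module that failed to import (the pattern suggested in the thread)."""
from typing import Any, List, Tuple

# Probe the backends in order and remember which one is usable.
try:
    import yara  # yara-python
    BACKEND = "yara"
except ImportError:
    yara = None
    try:
        import yara_x  # yara-x Python bindings
        BACKEND = "yara_x"
    except ImportError:
        yara_x = None
        BACKEND = None

# Bind the compiled-rules type *after* the import. Annotations are evaluated at
# definition time here (no `from __future__ import annotations`), so naming
# `yara.Rules` directly in a signature would fail when only yara-x is present.
if BACKEND == "yara":
    RulesType = yara.Rules
elif BACKEND == "yara_x":
    RulesType = yara_x.Rules
else:
    RulesType = Any

# Constructed example rule: the same hex pattern as the issue's example.
EXAMPLE_RULE = """rule ExampleRule
{
    strings:
        $line = { 00 01 02 03 }

    condition:
        all of them
}
"""

# Constructed sample buffer: the pattern starts at offset 4.
SAMPLE = b"\xff\xff\xff\xff\x00\x01\x02\x03\xaa"


def compile_rules_from_text(text: str) -> RulesType:
    """Equivalent of the proposed YaraScanner.from_text: compile inline rule text."""
    if BACKEND == "yara":
        return yara.compile(source=text)
    if BACKEND == "yara_x":
        return yara_x.compile(text)
    raise ImportError("neither yara-python nor yara-x is installed")


def scan_bytes(rules: RulesType, data: bytes) -> List[Tuple[str, str, int]]:
    """Return sorted (rule name, string identifier without '$', offset) tuples for
    every string hit, normalised across the two backends' result objects."""
    hits: List[Tuple[str, str, int]] = []
    if BACKEND == "yara":
        for match in rules.match(data=data):
            for s in match.strings:
                if hasattr(s, "instances"):  # yara-python >= 4.3 object form
                    for inst in s.instances:
                        hits.append((match.rule, s.identifier.lstrip("$"), inst.offset))
                else:  # older yara-python: (offset, identifier, data) tuples
                    offset, identifier, _ = s
                    hits.append((match.rule, identifier.lstrip("$"), offset))
    elif BACKEND == "yara_x":
        results = yara_x.Scanner(rules).scan(data)
        for rule in results.matching_rules:
            for pattern in rule.patterns:
                for m in pattern.matches:
                    hits.append((rule.identifier, pattern.identifier.lstrip("$"), m.offset))
    else:
        raise ImportError("neither yara-python nor yara-x is installed")
    return sorted(hits)


if __name__ == "__main__":
    print("backend:", BACKEND)
    print(scan_bytes(compile_rules_from_text(EXAMPLE_RULE), SAMPLE))
```

Because `RulesType` is resolved before any `def` that uses it, the module imports cleanly whichever backend is present, and ruff or mypy still see a concrete type when yara-python is installed.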