YARA is a tool designed to help malware researchers identify and classify malware samples. It's been called the pattern-matching Swiss Army knife for security researchers .
Yarascan is a volatility plugin that scan a memory image for yara signature.Yaracan can be uses with rule file or you can define what are you looking for on the fly.In this diary I am not going to discuss how to write yara rules.
In this example yarascan will search memory.img for sigantures defined in Stuxnet.yar file
And here is the output , it will show the name of the rule ,the memory address ,process name and process ID.
And here is another example where you can define a yara rule on the fly ,
And here is the output
Or you can specify the process which you want to scan it for a specific signature by using -p option
Oct 20th 2017
7 months ago
How you can run several yara rules at the same time using Volatility?
vol.py -f memory.img yarascan --yara-file=stuxnet.yar,edd.yar,worm.yar
On the other hand, Do you have experience to run yara rules through Volatility using a index_rules.yar?
vol.py -f memory.img yarascan --yara-file=index_rules.yar
Where the content of the file index_rules.yar would be:
Generated by Yara-Rules
Thanks a lot for your time and support.
Oct 23rd 2017
6 months ago