tessl/pypi-yara-python
Python interface for YARA, a powerful malware identification and classification tool
- Workspace
- tessl
- Visibility
- Public
- Created
- Last updated
- Describes
'%3e%3cpath%20d='M3.389%209.069c0-.009.043-.033.029-.044L.029%207.77l3.287-1.197L6.574%207.77l.106.083.005%204-3.297%201.185V9.068ZM13.582%209.32V2.74l3.405%201.238v4.104L13.583%209.32ZM10.253%2014.66l-3.476%201.268v-4.027l3.476-1.313v4.072ZM10.253%2010.558l-3.476%201.239V7.784l3.476-1.268v4.042ZM10.253%2014.719v3.968L6.777%2020v-3.998l3.476-1.283ZM17%208.139v4.042l-3.418%201.239V9.378L17%208.138ZM3.3%2017.168%200%2015.943v-4.027l3.3%201.224v4.028ZM6.69%2011.916v4.027l-3.302%201.225v-4.072l3.301-1.18ZM6.69%203.743v4.012l-3.33-1.21V2.564l3.33%201.18Z'/%3e%3cpath%20d='M3.3%2013.066%200%2011.842V7.844l3.3%201.224v3.998ZM13.524%209.334l-.175.088.175-.014v4.027l-3.152%201.183-.06-.032v-3.983l1.986-.767-.111.006-1.876.657V6.531l3.213-1.224v4.027Zm-.263.133c-.065.008-.198.023-.233.088.065-.008.198-.023.233-.088Zm-.321.118c-.065.008-.198.023-.233.088.065-.009.198-.023.233-.088Zm-.321.118c-.066.008-.199.023-.234.088.065-.008.199-.023.234-.088ZM13.524%201.266v3.968l-3.213%201.195V2.46l3.213-1.194ZM10.253%202.475v3.968L6.777%207.726V3.743l3.476-1.268ZM8.2%204.458c-.304.064-.627.5-.708.79-.27.963.636%201.081%201.091.364.277-.437.354-1.308-.383-1.154ZM13.524%2013.51v3.983l-3.17%201.177c-.011%200-.043-.067-.043-.07v-3.895l3.213-1.195Zm-.884%201.63c-.495.085-1.068%201.015-.676%201.435.483.517%201.502-.636%201.147-1.246-.098-.169-.286-.221-.47-.19ZM10.165%202.387l-.037.065-3.395%201.249-3.345-1.212L6.88%201.21l3.285%201.178ZM13.437%201.177l-.088.073-3.057%201.127-3.034-1.082-.277-.133L10.151%200l3.286%201.177Z'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='a'%3e%3cpath%20fill='%23fff'%20d='M0%200h17v20H0z'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e){kind=small}
To install, run
npx @tessl/cli install tessl/pypi-yara-python@3.11.0index.mddocs/
YARA Python Interface
YARA-Python provides Python bindings for YARA (Yet Another Recursive Acronym), a powerful malware identification and classification tool. It enables Python developers to compile YARA rules, scan files, memory, and processes for pattern matches, and handle malware detection workflows within Python applications.
Package Information
- Package Name: yara-python
- Package Type: pypi
- Language: Python (C extension)
- Installation:
pip install yara-python - License: Apache 2.0
- Platform Support: Windows, macOS, Linux, FreeBSD, OpenBSD
Core Imports
import yaraBasic Usage
import yara
# Compile YARA rules from source
rules = yara.compile(source='''
rule TestRule {
strings:
$text = "malicious"
condition:
$text
}
''')
# Scan data for matches
matches = rules.match(data="This contains malicious content")
# Process results
for match in matches:
print(f"Rule {match.rule} matched!")
for offset, identifier, data in match.strings:
print(f" Found '{data}' at offset {offset}")
# Save compiled rules for reuse
rules.save(filepath="compiled_rules.yarc")
# Load previously compiled rules
loaded_rules = yara.load(filepath="compiled_rules.yarc")Architecture
YARA-Python follows a three-layer architecture:
- Compilation Layer: Compiles textual YARA rules into optimized Rules objects
- Scanning Layer: Applies compiled rules to various data sources (files, memory, processes)
- Results Layer: Provides structured access to match results with rule metadata
The package supports both static and dynamic linking against the YARA library, with optional modules for enhanced functionality including magic file type detection, PE/Mach-O/DEX executable parsing, and Cuckoo sandbox integration.
Capabilities
Rule Compilation and Loading
Compile YARA rules from various sources (strings, files, file-like objects) with support for external variables, include callbacks, and namespace organization. Save and load compiled rules for performance optimization.
def compile(source=None, filepath=None, file=None, filepaths=None, sources=None,
includes=True, externals=None, error_on_warning=False, include_callback=None): ...
def load(filepath=None, file=None): ...Pattern Matching and Scanning
Scan files, memory buffers, and running processes with compiled YARA rules. Support for callbacks, timeouts, external variables, and module-specific data processing.
class Rules:
def match(self, filepath=None, pid=None, data=None, externals=None, callback=None,
fast=False, timeout=60, modules_data=None, modules_callback=None,
which_callbacks=None): ...Configuration and Error Handling
Configure YARA engine parameters and handle various error conditions including syntax errors, timeouts, and warnings with structured exception hierarchy.
def set_config(stack_size=None, max_strings_per_rule=None): ...
class Error(Exception): ...
class SyntaxError(Error): ...
class TimeoutError(Error): ...
class WarningError(Error): ...Configuration and Error Handling
Version Information
__version__: str # YARA library version string
YARA_VERSION: str # YARA library version string
YARA_VERSION_HEX: int # YARA library version as hexadecimalTypes
class Rules:
"""Compiled YARA rules container supporting iteration."""
def match(self, filepath=None, pid=None, data=None, externals=None, callback=None,
fast=False, timeout=60, modules_data=None, modules_callback=None,
which_callbacks=None): ...
def save(self, filepath=None, file=None): ...
def profiling_info(self): ...
def __iter__(self): ... # Iterate over Rule objects
class Rule:
"""Individual YARA rule representation."""
identifier: str # Rule name/identifier
tags: list # List of rule tags
meta: dict # Rule metadata dictionary
class Match:
"""Represents a rule match result."""
rule: str # Name of the matching rule
namespace: str # Namespace of the matching rule
tags: list # Tags associated with the rule
meta: dict # Metadata dictionary from the rule
strings: list # List of (offset, identifier, data) tuplesConstants
# Callback control constants
CALLBACK_CONTINUE: int = 0 # Continue processing in callbacks
CALLBACK_ABORT: int = 1 # Abort processing in callbacks
CALLBACK_MATCHES: int = 0x01 # Callback for matching rules only
CALLBACK_NON_MATCHES: int = 0x02 # Callback for non-matching rules only
CALLBACK_ALL: int = 0x03 # Callback for all rules