Yara signatures (malcat.sigs)
- malcat.sigs: bindings.Signatures
The malcat.sigs object is a bindings.Signatures instance that gives you access to all Yara signatures (matching and non-matching) evaluated against the current file.
Note that in addition to this documentation, you can find usage examples in the sample script which is loaded when you hit F8.
Accessing / enumerating signatures
Malcat embeds a Yara scanner as one of its analyses (see Yara signatures). The result of the scan is available through the malcat.sigs Python object. Accessing the result of the scan can be useful in your scripts: if you plan to limit your script to Delphi programs for instance, a simple if "Delphi" in malcat.sigs is enough.
- class bindings.Signatures
- __iter__()
Iterate over all matching signatures
for sig in malcat.sigs: print(f"yara rule {sig.name} ({sig.id}) : {sig.type} matched !")
- Return type
iterator over ScanRule
- __getitem__(name)
Returns the first ScanRule (matching or not) whose ScanRule.id or ScanRule.name is name. Priority is given to the id match. If no rule with this id can be found, the search is performed on the name. If no such rule can be found, None is returned.
if malcat.sigs["Delphi"].matching: print("Delphi!")
- Parameters
name (str) – rule id or name to search for
- Return type
ScanRule or None
- __contains__(name)
Return True iff a rule named name has matched the file. Priority is given to the id match. If no rule with this id can be found, the search is performed on the name. If no such rule can be found, False is returned.
if "Delphi" in malcat.sigs: print("Delphi!")
- Parameters
name (str) – rule id or name to search for
- Return type
bool
- __len__()
Return the number of Yara signatures in the database
- Return type
int
Rule object
Yara rule
Yara rules are Python objects of type bindings.ScanRule and offer the following interface:
- class bindings.ScanRule
- id: str
Yara rule unique identifier
- name: str
nice name for the rule (not always unique)
- matching: bool
did the rule match?
- reliability: int
reliability score of the rule, an int between 0 and 100 inclusive. 100 means the rule has no FP/FN
- type: bindings.ScanRule.Type
the danger level (severity) of the rule
- category: str
the category metadata of the rule: “packer”, “compiler”, “evasion”, etc.
- description: str
the description metadata of the rule, a free-form string
- tags: List[str]
all the Yara tags for the rule
- __len__()
number of matching strings / patterns
- Return type
int
- patterns: List[ScanPattern]
the list of all string/regexp patterns (matching and non-matching) of the rule, see below
for pattern in malcat.sigs["QakBot"].patterns:
    for offset, size in pattern.matches:
        print(f" - pattern {pattern.id} matched at #{offset:x}-#{offset + size:x}")
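A small triage helper built on the interface above, as an added example that is not part of Malcat's documentation or code base: it groups matching rules by category with the best reliability score seen and lists the byte ranges hit by a named rule's patterns, handling the None that sigs[name] returns for an unknown rule. The Fake* classes are constructed stand-ins for the bindings types so the script runs outside Malcat; inside Malcat you would pass malcat.sigs directly.

```python
from dataclasses import dataclass, field
from typing import Iterator, List, Optional, Tuple

# Constructed stand-ins for bindings.ScanPattern / ScanRule / Signatures, following
# the documented interface so the helpers below run outside Malcat.
@dataclass
class FakePattern:
    id: str
    matches: List[Tuple[int, int]] = field(default_factory=list)  # (offset, size) pairs

@dataclass
class FakeRule:
    id: str
    name: str
    matching: bool
    reliability: int
    category: str
    patterns: List[FakePattern] = field(default_factory=list)

class FakeSignatures:
    """Iteration yields matching rules only; [] looks up by id, then name (None if
    absent); `in` is true only for a rule that matched, as with malcat.sigs."""
    def __init__(self, rules: List[FakeRule]):
        self._rules = rules
    def __iter__(self) -> Iterator[FakeRule]:
        return (r for r in self._rules if r.matching)
    def __getitem__(self, name: str) -> Optional[FakeRule]:
        by_id = [r for r in self._rules if r.id == name]
        by_name = [r for r in self._rules if r.name == name]
        return (by_id or by_name or [None])[0]
    def __contains__(self, name: str) -> bool:
        rule = self[name]
        return rule is not None and rule.matching

def categories_by_confidence(sigs) -> dict:
    """Best reliability score seen per category among the rules that matched."""
    best: dict = {}
    for rule in sigs:  # only matching rules are yielded
        best[rule.category] = max(best.get(rule.category, 0), rule.reliability)
    return best

def match_ranges(sigs, name: str) -> List[Tuple[str, int, int]]:
    """(pattern id, start, end) per string hit of the named rule; [] if unknown/unmatched."""
    rule = sigs[name]
    if rule is None or not rule.matching:  # sigs[name] is None for an unknown rule
        return []
    return [(p.id, off, off + size) for p in rule.patterns for off, size in p.matches]

SAMPLE = FakeSignatures([  # constructed sample scan result, not a real Malcat run
    FakeRule("compiler_delphi", "Delphi", True, 100, "compiler"),
    FakeRule("packer_upx", "UPX", True, 90, "packer", [FakePattern("$upx", [(0x200, 4)])]),
    FakeRule("malware_qakbot", "QakBot", False, 95, "malware"),
])
```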
Pattern
Patterns are any entry defined in the “strings:” portion of a Yara rule. They have the following interface: