Yara plugin
===========

Preliminary documentation on yara can be found here:
[Yara User's Manual](https://b161268c3bf5a87bc67309e7c870820f5f39f672.googledrive.com/host/0BznOMqZ9f3VUek8yN3VvSGdhRFU/YARA-Manual.pdf)

The following is [YARA in a nutshell](https://virustotal.github.io/yara/) from this document:

> YARA is a tool aimed at helping malware researchers to identify and classify malware
> families. With YARA you can create descriptions of malware families based on textual or
> binary information contained on samples of those families. These descriptions, a.k.a rules,
> consist of patterns and a boolean expression which determines its logic. Rules can be
> applied to files or running processes in order to determine if it belongs to the described
> malware family.

Requirements
------------

You can either install libyara with your preferred package manager, or you
can execute `r2pm -i yara` to retrieve the latest source, compile it,
and install the library via the r2 package manager. You will also need `yara-r2`
to execute the yara utility from the r2 shell.

Yara in radare2
---------------

radare2 provides several commands that allow the user to add or remove rules,
scan a file, and list or use rule tags.

You can list the yara commands with the following r2 command: `yara [help]`.

Rules
-----

By default, radare2 ships with some common crypto and packer rules that you
can find in `/usr/local/share/radare2/last/yara/` if you installed r2, or in
`radare2/shlr/yara/` in the git repo.
They are loaded as soon as you start using the yara plugin,
so you can issue `yara scan` and immediately see whether your binary is packed
with a known packer.

Example
-------

Load a rule file on the fly, and then scan the currently opened file:

```
yara add /home/name/rules/malware.rules
yara scan
```

Yara versions
-------------

Because radare2 currently supports both yara versions,
you need to use the proper versioned command
depending on the version/plugin you've loaded.
E.g. `yara` or `yara`. For example `yara scan`.
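A minimal rule file of the kind the `yara add` / `yara scan` sequence in the Example section consumes, added here as an illustration; it is not one of the rules bundled with radare2, and the rule name and the file path are assumptions. It flags a PE image that still carries the section names and marker string left behind by the UPX packer, which is the sort of check the bundled packer rules perform.

```yara
// Added example rule file (not shipped with radare2). Save it as
// /home/name/rules/packers.yar (assumed path) and load it with `yara add`.
rule upx_packed_pe
{
    meta:
        description = "PE image with UPX section names and marker string"
        note        = "illustrative rule written for this README"

    strings:
        $upx0 = "UPX0"   // name of the first UPX section
        $upx1 = "UPX1"   // name of the second UPX section
        $sig  = "UPX!"   // marker string in the UPX header

    condition:
        // MZ magic at offset 0, then either the marker or both section names
        uint16(0) == 0x5A4D and ($sig or ($upx0 and $upx1))
}
```

Load it with `yara add /home/name/rules/packers.yar` and run `yara scan` on the opened binary; a hit on `upx_packed_pe` means the image should be unpacked before static analysis, since the code r2 sees is the stub rather than the original program.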