MCPcopy Index your code
hub / github.com/VirusTotal/yara

github.com/VirusTotal/yara @v4.5.7

Chat with this repo
repository ↗ · DeepWiki ↗ · release v4.5.7 ↗ · + Follow
1,379 symbols 3,558 edges 179 files 267 documented · 19%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

Join the chat at https://gitter.im/VirusTotal/yara AppVeyor build status Coverity status

[!IMPORTANT] This project is in maintenance mode. More info: https://virustotal.github.io/yara-x/blog/yara-x-is-stable/

YARA in a nutshell

YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns. Each description, a.k.a. rule, consists of a set of strings and a boolean expression which determine its logic. Let's see an example:

rule silent_banker : banker
{
    meta:
        description = "This is just an example"
        threat_level = 3
        in_the_wild = true

    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"

    condition:
        $a or $b or $c
}

The above rule is telling YARA that any file containing one of the three strings must be reported as silent_banker. This is just a simple example, more complex and powerful rules can be created by using wild-cards, case-insensitive strings, regular expressions, special operators and many other features that you'll find explained in YARA's documentation.

YARA is multi-platform, running on Windows, Linux and Mac OS X, and can be used through its command-line interface or from your own Python scripts with the yara-python extension.

Additional resources

Do you use GitHub for storing your YARA rules? YARA-CI may be a useful addition to your toolbelt. This is GitHub application that provides continuous testing for your rules, helping you to identify common mistakes and false positives.

If you plan to use YARA to scan compressed files (.zip, .tar, etc) you should take a look at yextend, a very helpful extension to YARA developed and open-sourced by Bayshore Networks.

Additionally, the guys from InQuest have curated an awesome list of YARA-related stuff.

Who's using YARA

Are you using it? Want to see your site listed here?

Core symbols most depended-on inside this repo

yr_free
called by 292
libyara/mem.c
yr_malloc
called by 91
libyara/mem.c
yr_arena_ref_to_ptr
called by 56
libyara/arena.c
yr_initialize
called by 44
libyara/libyara.c
yr_parser_emit
called by 44
libyara/parser.c
yr_re_node_create
called by 43
libyara/re.c
yyget_extra
called by 39
libyara/lexer.c
yr_compiler_destroy
called by 39
libyara/compiler.c

Shape

Function 1,091
Class 260
Enum 14
Method 14

Languages

C81%
C++19%
TypeScript1%

Modules by API surface

libyara/lexer.c57 symbols
libyara/include/yara/types.h56 symbols
libyara/re_lexer.c53 symbols
libyara/hex_lexer.c50 symbols
libyara/re.c42 symbols
libyara/modules/dotnet/dotnet.c42 symbols
tests/test-rules.c39 symbols
libyara/modules/pe/pe.c34 symbols
cli/yara.c32 symbols
libyara/include/yara/pe.h31 symbols
libyara/compiler.c31 symbols
libyara/include/yara/dotnet.h29 symbols

For agents

$ claude mcp add yara \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact

Ask about this repo answers extend the page