The command to use YARA rules in Volatility 2.6 is the following:

```
vol.py -f [your memory dump file] --profile=[scan profile] yarascan --yara-file=[rule file.yar]
```

To execute a set of YARA rules from a directory you could use a one-line shell script:

```bash
for f in /home/remnux/lab_analysis/rules/malware/*.yar; do echo "$f"; vol.py -f memdump.mem --profile=Win10x64_17134 yarascan --yara-file="$f"; done
```

where /home/remnux/lab_analysis/rules/malware/ is the directory where I store all the YARA rules.
For Volatility 3.x the syntax changes a bit; it would be as follows.
Therefore, the one-line shell script would look like this:

```bash
# Volatility 3 has no --profile option (the OS is detected from the dump's symbols), so that flag is dropped here.
for f in /home/remnux/lab_analysis/rules/malware/*.yar; do echo "$f"; vol.py -f memdump.mem yarascan.YaraScan --yara-file="$f"; done
```
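The one-liners above stop at the first rule file that makes Volatility raise. The traceback in this issue fails inside yarascan's `scan()` (rule matching), not while compiling the rule file, and "internal error: 30" is how yara-python prints YARA 3.x's `ERROR_TOO_MANY_MATCHES`; a large collection such as the yara-rules index can hit that per-string match limit on a single process where a small index.yar does not. The script below is an added example, not code from the original issue or from the Volatility project: it runs each `.yar` file separately, keeps going when one of them fails, writes the output and traceback of every rule file to its own log, and records which files failed. The dump name, profile, directories and `VOL_CMD` (which lets you point at a different Volatility build) are placeholders.

```bash
#!/bin/sh
# Added example: scan a directory of .yar files one file at a time with
# Volatility 2.6 yarascan, isolating any rule file that makes yara raise.
# Assumes vol.py (Volatility 2.6) is on PATH; override with VOL_CMD=... if not.
VOL_CMD="${VOL_CMD:-vol.py}"

# scan_rules_dir DUMP PROFILE RULES_DIR OUT_DIR
# One log per rule file in OUT_DIR, plus OUT_DIR/failed.txt listing the rule
# files on which Volatility exited non-zero (e.g. yara.Error: internal error: 30).
# Returns 0 if every rule file scanned cleanly, 1 if at least one failed.
scan_rules_dir() {
    dump="$1"; profile="$2"; rules_dir="$3"; out_dir="$4"
    mkdir -p "$out_dir"
    : > "$out_dir/failed.txt"
    rc=0
    for f in "$rules_dir"/*.yar; do
        [ -e "$f" ] || continue            # directory holds no .yar files
        name=$(basename "$f" .yar)
        echo "== $f"
        # 2>&1 so the Python traceback lands in the per-rule log, not the terminal
        if "$VOL_CMD" -f "$dump" --profile="$profile" yarascan --yara-file="$f" \
               > "$out_dir/$name.txt" 2>&1; then
            hits=$(grep -c '^Rule:' "$out_dir/$name.txt" || true)
            echo "   ok ($hits hits)"
        else
            echo "   FAILED, see $out_dir/$name.txt"
            echo "$f" >> "$out_dir/failed.txt"
            rc=1
        fi
    done
    return $rc
}

# count_failed OUT_DIR -> number of rule files that failed in the last run
count_failed() {
    wc -l < "$1/failed.txt" | tr -d ' '
}

# Usage (placeholder paths):
#   scan_rules_dir memdump.raw Win7SP1x64 ./yara-rules/malware ./yarascan-out
#   cat ./yarascan-out/failed.txt
```

For Volatility 3 change only the command inside the `if`: drop `--profile="$profile"` and call `yarascan.YaraScan --yara-file="$f"` instead of `yarascan --yara-file="$f"`. The files listed in failed.txt are the ones to split further or to check for very short strings that match enormous numbers of times in process memory.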
My Issue is:
I am running the Volatility Windows exe on a Windows 7 machine. Whenever I try matching multiple YARA rules against a memory dump file by running the following command:

```
>volatility_2.6_win64_standalone.exe -f GUESTWINDOWS-PC-20200131-113322.raw --profile=Win7SP1x64 yarascan -y "..\yara-rules\index.yar"
```

I get the following error:

```
Volatility Foundation Volatility Framework 2.6
Traceback (most recent call last):
  File "vol.py", line 192, in <module>
  File "vol.py", line 183, in main
  File "volatility\commands.py", line 147, in execute
  File "volatility\plugins\malware\malfind.py", line 342, in render_text
  File "volatility\plugins\malware\malfind.py", line 305, in calculate
  File "volatility\plugins\malware\malfind.py", line 246, in _scan_process_memory
  File "volatility\plugins\malware\malfind.py", line 142, in scan
  File "volatility\plugins\malware\malfind.py", line 110, in scan
yara.Error: internal error: 30
Failed to execute script vol
```

I am using the default YARA rules repository given here. If I use a .yar file without any includes, Volatility runs fine.
Please help me out with this issue.