| 1 | +--- |
| 2 | +title: "YARA-X as a file inspection tool" |
| 3 | +description: "How YARA-X can be used for extracting information from multiple file formats" |
| 4 | +summary: "" |
| 5 | +date: 2024-05-24T00:00:00+01:00 |
| 6 | +lastmod: 2024-05-24T00:00:00+01:00 |
| 7 | +draft: false |
| 8 | +weight: 50 |
| 9 | +categories: [ ] |
| 10 | +tags: [ ] |
| 11 | +contributors: [ "Victor M. Alvarez" ] |
| 12 | +pinned: false |
| 13 | +homepage: false |
| 14 | +seo: |
| 15 | + title: "YARA-X as file inspection tool" |
| 16 | + description: "How YARA-X can be used for extracting information from multiple file formats" |
| 17 | + canonical: "" # custom canonical URL (optional) |
| 18 | + noindex: false # false (default) or true |
| 19 | +--- |
| 20 | + |
| 21 | +As you may already know, YARA-X has modules that can parse certain file formats |
| 22 | +and produce a data structure containing information extracted from the parsed |
| 23 | +files. This information can be leveraged to create more precise and powerful |
| 24 | +rules tailored to each file format's unique characteristics. |
| 25 | + |
| 26 | +YARA-X supports the parsing of several file formats, including: |
| 27 | + |
| 28 | +* [PE](https://en.wikipedia.org/wiki/Portable_Executable) (Portable Executable) |
| 29 | +* [.NET](https://en.wikipedia.org/wiki/.NET_Framework) (PE file for the .NET |
| 30 | + framework) |
| 31 | +* [ELF](https://en.wikipedia.org/wiki/Executable_and_Linkable_Format) ( |
| 32 | + Executable and Linkable Format) |
| 33 | +* [Mach-O](https://en.wikipedia.org/wiki/Mach-O) (Mach Object file format) |
| 34 | +* [LNK](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-shllink/16cb4ca1-9339-4d0c-a68d-bf1d6cc0f943) ( |
| 35 | + Windows Shortcut) |
| 36 | + |
| 37 | +For each of these formats, YARA-X constructs a comprehensive data structure |
| 38 | +that describes the file in detail. |
| 39 | + |
| 40 | +While the legacy YARA also had the capability to parse these file formats, |
| 41 | +YARA-X brings a significant improvement by making the inspection of these data |
| 42 | +structures much more straightforward. This is accomplished through the dump |
| 43 | +command: |
| 44 | + |
| 45 | +``` |
| 46 | +yr dump [FILE] |
| 47 | +``` |
| 48 | + |
| 49 | +By executing this command, YARA-X parses the specified file using all the |
| 50 | +relevant modules and outputs the generated data structures. The output is |
| 51 | +provided in YAML format by default, chosen for its readability and ease of use |
| 52 | +by both humans and machines. But JSON format is also available. |
| 53 | + |
| 54 | +Previously, YARA offered the `--print-module-data` option (or `-D`), which |
| 55 | +provided similar functionality. However, it required users to pass a YARA source |
| 56 | +file that imported the desired modules, and the output was often cumbersome and |
| 57 | +difficult to interpret. This option was primarily intended as a debugging tool |
| 58 | +but gained unexpected popularity among users for extracting information about |
| 59 | +certain file formats. |
| 60 | + |
| 61 | +With the introduction of the `dump` command in YARA-X, this process is greatly |
| 62 | +simplified, providing users with a more efficient and user-friendly way to |
| 63 | +access detailed information about various file formats. See how the output |
| 64 | +of this command looks like: |
| 65 | + |
| 66 | + |
| 67 | + |
| 68 | +If you want to learn more about the `dump` command, see its [documentation]({{< |
| 69 | +ref "cli.md" >}}#dump) |
| 70 | + |
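Review bot: the sentence "See how the output of this command looks like:" promises a sample of `yr dump` output, but nothing follows it before the link to the CLI docs, so either the screenshot or embedded output was left out of this commit or a short YAML excerpt of a real dump should be added there; the sentence itself should read "See what the output of this command looks like:". Three smaller points in the same file: the Hugo shortcode `{{< ref "cli.md" >}}#dump` is broken across two lines and is safer kept on one line; the list entries for ELF and LNK put the opening parenthesis at the end of the line ("( " then "Executable and Linkable Format)"), which renders with a stray space after the parenthesis, so the parenthetical should stay on one line with the format name; and the front matter is inconsistent between `title: "YARA-X as a file inspection tool"` and `seo.title: "YARA-X as file inspection tool"`. The `yr dump [FILE]` fence could also carry a `shell` language tag for consistency with the other CLI pages.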