You can't do that. YARA modules are designed for a very specific purpose, which is exposing additional information to the rules about the file being scanned. Modifying the rules themselves or launching the scanning of a new file is out of the scope of YARA modules.
On Fri, Jan 31, 2020 at 6:54 PM Jared Jones wrote:
> Hello
>
> I am trying to write a module for Yara that loads the file into memory, loads some user provided signatures, alters both the file and the signatures, and then runs a scan for the altered signatures in the altered file.
>
> I have been following the "How to write your own module" documentation to initialize the module and declare its functions. However, I am having trouble understanding the Yara C API. How can I use yr_rules_scan_mem or another function to scan the altered file (stored in the program as a `uint8_t`) with an altered signature (also stored as `uint8_t`)?
>
> Thanks,
> Jared Jones
