I've been playing with the Yara API to scan PE files. Everything seems to
be working except when trying to get all of the matches for the rules. I'm
sure it has to do with the callback function when using
yr_rules_scan_file() and I can retrieve one of the identifier matches but
that's it.
I duplicated one of the signatures and renamed the rule in each, so I know
they should all match. The only place I can find the identifier is
rule->identifier. I haven't been successful in finding example code that does
this. Any help would be appreciated.
int scan_callback(
    YR_SCAN_CONTEXT* context,
    int message,
    void* message_data, // YR_RULE* for CALLBACK_MSG_RULE_MATCHING / _NOT_MATCHING
    void* user_data)
{
    if (message == CALLBACK_MSG_RULE_MATCHING) {
        YR_RULE* rule = (YR_RULE*) message_data;
        printf("%s\n", rule->identifier);
    }
    return CALLBACK_CONTINUE; // any other return value ends the scan early
}
If I run yara itself I get back 3:
> yara rules/* extract_files/FHHABdWzHcR8YPZOe
Contains_PE_File2 extract_files/FHHABdWzHcR8YPZOe
Contains_PE_File3 extract_files/FHHABdWzHcR8YPZOe
Contains_PE_File extract_files/FHHABdWzHcR8YPZOe
--
You received this message because you are subscribed to the Google Groups
"YARA" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/yara-project/2adcdab0-72b3-4454-a237-24aca5cefa77n%40googlegroups.com.