How to get condition string from rule via C API?

VirusTotal / yara

The pattern matching swiss knife

https://virustotal.github.io/yara/

BSD 3-Clause "New" or "Revised" License

7.95k stars 1.42k forks source link

How to get condition string from rule via C API? #1998

Closed mavam closed 8 months ago

mavam commented 8 months ago

Say I'm processing matches in this callback:

int callback(YR_SCAN_CONTEXT* context, int message, void* message_data, void* user_data);

I get a YR_RULE* by casting message_data, and I've looked for a "condition" member in the the underlying YR_RULE struct, but I can't find anything here.

As I am reporting matches, it would be quite valuable context to also report the textual condition.

plusvic commented 8 months ago

You can't, compiled rules don't retain the original source code, so the condition's text is lost after compilation.