Open nccs-neduet opened 4 years ago
Hello,
The command to use the yara rules in Volatility 2.6 is the following: vol.py -f [your memory dump file] --profile=[scan profile] yarascan --yara-file=[rule file.yar]
To execute a set of yara rules from a directory you could use a "one-line" shell script:
for f in /home/remnux/lab_analysis/rules/malware/*.yar; do echo $f; vol.py -f memdump.mem --profile=Win10x64_17134 yarascan --yara-file=$f; done
Where, /home/remnux/lab_analysis/rules/malware/ is the directory where I store all the yara rules.
For Volatility 3.x the syntax changes a bit; it would be as follows.
vol.py -f [your memory dump file] --profile=[scan profile] yarascan.YaraScan --yara-file=[rule file.yar]
Therefore, the "one-line" shell script would look like this:
for f in /home/remnux/lab_analysis/rules/malware/*.yar; do echo $f; vol.py -f memdump.mem --profile=Win10x64_17134 yarascan.YaraScan --yara-file=$f; done
Greetings.
My issue is:
I am running the Volatility Windows exe on a Windows 7 machine. Whenever I try matching multiple YARA rules against a memory dump file by running the following command:
>volatility_2.6_win64_standalone.exe -f GUESTWINDOWS-PC-20200131-113322.raw --profile=Win7SP1x64 yarascan -y "..\yara-rules\index.yar"
I get the following error:
Volatility Foundation Volatility Framework 2.6
Traceback (most recent call last):
  File "vol.py", line 192, in <module>
  File "vol.py", line 183, in main
  File "volatility\commands.py", line 147, in execute
  File "volatility\plugins\malware\malfind.py", line 342, in render_text
  File "volatility\plugins\malware\malfind.py", line 305, in calculate
  File "volatility\plugins\malware\malfind.py", line 246, in _scan_process_memory
  File "volatility\plugins\malware\malfind.py", line 142, in scan
  File "volatility\plugins\malware\malfind.py", line 110, in scan
yara.Error: internal error: 30
Failed to execute script vol
I am using default yara rules repository given here. If I use a yar file without any includes, volatility runs fine.
Please help me out with this issue.
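A sturdier version of the directory loop quoted at the top of this issue, added here as an example; it is not code from the issue or from the Volatility project. It runs each rule file as its own Volatility invocation, so a single file that fails to compile (for instance one whose includes cannot be resolved) does not hide which file was at fault, and it prints a summary of failed rule files at the end. The scanner command is passed in as arguments and the rule path is appended last, so the loop works with the Volatility 2 and Volatility 3 plugin names shown above. The rules directory below is the one from the first comment; the optional YARA_PRECHECK variable and the pre-flight compile with the yara command-line tool are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the issue or the Volatility project. Runs every .yar file in a
# directory through a scanner command one file at a time, so one rule file that fails
# to compile does not stop the rest, and reports which files failed.
#
# Usage (dump, profile and plugin are the issue's own values; the rule directory is
# the one from the first comment):
#   scan_rule_dir /home/remnux/lab_analysis/rules/malware \
#       vol.py -f memdump.mem --profile=Win10x64_17134 yarascan --yara-file
# The rule path is appended as the last argument, so Volatility receives
# "--yara-file <file>", equivalent to the --yara-file=<file> form used above.
# All paths are quoted so rule directories containing spaces work.

# Optional pre-flight check (enable with YARA_PRECHECK=1): compile one rule file with
# the yara CLI against an empty regular file, which surfaces syntax and include errors
# before Volatility is started at all. Returns 0 (skip) when disabled or yara is absent.
precheck_rule() {
    [ "${YARA_PRECHECK:-0}" = 1 ] || return 0
    command -v yara >/dev/null 2>&1 || return 0
    _empty=$(mktemp)
    yara "$1" "$_empty" >/dev/null 2>&1
    _rc=$?
    rm -f "$_empty"
    return $_rc
}

# scan_rule_dir <rules-dir> <scanner command...>
# Exit status: 0 if every rule file scanned cleanly, 1 if any failed, 2 if no .yar files.
scan_rule_dir() {
    _dir=$1; shift              # remaining "$@" is the scanner command
    _ok=0; _failed=0; _failed_list=""
    for _f in "$_dir"/*.yar; do
        # If the glob matched nothing, $_f is the literal pattern and does not exist.
        [ -e "$_f" ] || { echo "no .yar files in $_dir" >&2; return 2; }
        echo "== $_f"
        if precheck_rule "$_f" && "$@" "$_f"; then
            _ok=$((_ok + 1))
        else
            _failed=$((_failed + 1))
            _failed_list="$_failed_list $_f"
        fi
    done
    [ -n "$_failed_list" ] && echo "failed rule files:$_failed_list" >&2
    echo "$_ok ok, $_failed failed"
    [ "$_failed" -eq 0 ]
}
```

Because each rule file gets its own process, the Volatility traceback for a broken file appears directly under that file's "== path" header, which is the quickest way to narrow an error like the one above down to a single .yar file or include.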