Development

Architecture

Yaramod is a C++ library with Python bindings for parsing, building, formatting and modifying YARA rules. Its four main parts correspond to those tasks:

Parser of YARA rules

The main parser class is ParserDriver, declared in the header file parser_driver.h and defined in the source file parser_driver.cpp. The parser is generated with the POG parser generator; the tokens and the grammar are defined in the defineTokens and defineGrammar methods of ParserDriver. The wiki section on parsing describes in detail how to use yaramod to parse YARA rules.

Builder of YARA rules

The builder classes live in the builder directory. YaraExpressionBuilder creates expressions, from which rule conditions are assembled. YaraHexStringBuilder makes it easy to construct hexadecimal strings. YaraRuleBuilder assembles YARA rules, and YaraFileBuilder assembles YARA files from rules and module imports. The wiki section on building describes the construction of YARA files in more detail.

YARA rules formatting

The main component responsible for formatting YARA files is the TokenStream, defined in tokenstream.h. Each YaraFile instance owns a TokenStream holding every Token the YaraFile refers to, so whitespace and comments survive a parse. The TokenStream::getText method returns the text of those tokens in the requested format, and YaraFile::getTextFormatted simply calls getText on the TokenStream it owns. See the wiki page on formatting for details.

YARA rules modifying visitor

The class ModifyingVisitor, defined in modifying_visitor.h, is the base class for custom visitors that rewrite specific parts of the conditions they visit. See the section Modifying Rulesets for more information and examples.

Run it locally

See the Installation section.