    def yara(self, signature, pids=None, regex=None):
        """Run a YARA rule against processes on the client and return the matches.

        Builds a ``YaraProcessScanRequest``, starts a ``YaraProcessScan`` flow
        through ``self._client``, waits for it via ``_timeout.await_flow`` and
        collects the payload of every flow result.

        Args:
          signature: YARA rule source, forwarded verbatim as ``yara_signature``.
          pids: Optional list of process ids to restrict the scan to; ``None``
            (the default) adds no pid filter.
          regex: Optional regex matched against process names, forwarded
            verbatim as ``process_regex`` without local validation.

        Returns:
          A list with the payload of each result of the finished flow.

        Raises:
          errors.ApprovalMissingError: if the API refuses flow creation with
            ``AccessForbiddenError`` (wrapped together with ``self.id``).
        """
        request = flows_pb2.YaraProcessScanRequest()
        request.yara_signature = signature
        # NOTE(review): the field name suggests this keeps the GRR agent's own
        # process inside the scan scope — confirm against the flow definition.
        request.ignore_grr_process = False

        if regex is not None:
            request.process_regex = regex

        request.pids.extend([] if pids is None else pids)

        try:
            flow = self._client.CreateFlow(name='YaraProcessScan', args=request)
        except api_errors.AccessForbiddenError as e:
            raise errors.ApprovalMissingError(self.id, e)

        _timeout.await_flow(flow)

        matches = []
        for result in flow.ListResults():
            matches.append(result.payload)
        return matches
    def yara(
        self,
        signature: Text,
        pids: Optional[Sequence[int]] = None,
        regex: Optional[Text] = None,
    ) -> Sequence[flows_pb2.YaraProcessScanMatch]:
        """Run a YARA rule against processes on the client and return the matches.

        Builds a ``YaraProcessScanRequest``, starts a ``YaraProcessScan`` flow
        through ``self._client``, waits for it via ``_timeout.await_flow`` and
        returns the payload of every flow result after checking its type.

        Args:
          signature: YARA rule source, forwarded verbatim as ``yara_signature``.
          pids: Optional sequence of process ids to restrict the scan to;
            ``None`` (the default) adds no pid filter.
          regex: Optional regex matched against process names, forwarded
            verbatim as ``process_regex`` without local validation.

        Returns:
          A list of ``YaraProcessScanMatch`` payloads, one per flow result.

        Raises:
          errors.ApprovalMissingError: if the API refuses flow creation with
            ``AccessForbiddenError`` (wrapped together with ``self.id``).
          TypeError: if any flow result payload is not a
            ``YaraProcessScanMatch``.
        """
        request = flows_pb2.YaraProcessScanRequest()
        request.yara_signature = signature
        # NOTE(review): the field name suggests this keeps the GRR agent's own
        # process inside the scan scope — confirm against the flow definition.
        request.ignore_grr_process = False

        if regex is not None:
            request.process_regex = regex

        request.pids.extend([] if pids is None else pids)

        try:
            flow = self._client.CreateFlow(name='YaraProcessScan', args=request)
        except api_errors.AccessForbiddenError as e:
            raise errors.ApprovalMissingError(self.id, e)

        _timeout.await_flow(flow)

        # Reject unexpected payload types instead of handing callers arbitrary
        # messages; the first mismatch aborts the whole result collection.
        matches: list[flows_pb2.YaraProcessScanMatch] = []
        for item in flow.ListResults():
            payload = item.payload
            if not isinstance(payload, flows_pb2.YaraProcessScanMatch):
                raise TypeError(
                    f'Unexpected flow result type: {type(payload)!r}')
            matches.append(payload)

        return matches