forensic/yara
The directory forensic/yara exists as a sub-directory to the file system root.
The directory is hidden by default. It will appear once forensic mode has been started and processing has completed, provided that optional yara rules were specified.
The directory contains results of a forensic yara scan of process and kernel virtual address spaces.
The forensic scan is conducted with rules specified in the start-up option -forensic-yara-rules. The rules may be either compiled rules or source rules (including index rules referencing other rules). Example: memprocfs.exe -device c:\dumps\win10.raw -forensic-yara-rules c:\yara\rules\windows_malware_index.yar
The files in the forensic/yara directory are listed in the table below:
File | Description |
---|---|
match-count.txt | The number of yara matches. |
result.txt | Detailed yara match information. |
rules.txt | The user-defined rules used in the scan. |
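Because forensic/yara is hidden until forensic processing has finished, a script that collects the scan output has to wait for the directory to be populated before reading it. The following Python script is an added example, not MemProcFS project code: it assumes MOUNT is the mount point of a MemProcFS instance started in forensic mode with -forensic-yara-rules, takes the three file names from the table above, and assumes that match-count.txt contains the count as its first integer and that rules.txt holds yara source rules (the sample files it writes are constructed).

```python
"""Collect the forensic/yara scan output from a mounted MemProcFS file system.

Added example, not part of MemProcFS. Assumptions: the mount point is a
normal directory path; match-count.txt holds the count as its first integer;
rules.txt contains yara source rules ("rule NAME { ... }" declarations).
"""
import re
import sys
import tempfile
import time
from pathlib import Path

YARA_SUBDIR = Path("forensic") / "yara"
FILES = ("match-count.txt", "result.txt", "rules.txt")


def yara_results_ready(mount) -> bool:
    """True once the hidden directory exists and all three result files are present."""
    d = Path(mount) / YARA_SUBDIR
    return all((d / name).is_file() for name in FILES)


def wait_for_yara_results(mount, timeout_s: float = 900.0, poll_s: float = 2.0) -> Path:
    """Poll until forensic/yara is populated; raise TimeoutError if it never appears."""
    deadline = time.monotonic() + timeout_s
    while not yara_results_ready(mount):
        if time.monotonic() >= deadline:
            raise TimeoutError(f"forensic/yara not populated under {mount} after {timeout_s}s")
        time.sleep(poll_s)
    return Path(mount) / YARA_SUBDIR


def parse_match_count(text: str) -> int:
    """Extract the match count (assumed: first integer in match-count.txt)."""
    m = re.search(r"\d+", text)
    if m is None:
        raise ValueError(f"no match count found in {text!r}")
    return int(m.group())


def count_rules(rules_source: str) -> int:
    """Count 'rule NAME' declarations in yara source text (private/global prefixes allowed)."""
    return len(re.findall(r"^\s*(?:(?:private|global)\s+)*rule\s+\w+", rules_source, re.M))


def read_yara_summary(mount) -> dict:
    """Read the three result files and return a compact summary for triage."""
    d = Path(mount) / YARA_SUBDIR
    count = parse_match_count((d / "match-count.txt").read_text(errors="replace"))
    result = (d / "result.txt").read_text(errors="replace")
    rules = (d / "rules.txt").read_text(errors="replace")
    return {
        "match_count": count,
        "result_lines": [ln for ln in result.splitlines() if ln.strip()],
        "rule_count": count_rules(rules),
    }


def write_constructed_sample(mount) -> None:
    """Write constructed sample files (NOT real MemProcFS output) so the script runs offline."""
    d = Path(mount) / YARA_SUBDIR
    d.mkdir(parents=True, exist_ok=True)
    (d / "match-count.txt").write_text("3\n")
    (d / "result.txt").write_text(
        "# constructed sample, not real scanner output\n"
        "match 1: rule Example_A  pid 1234  svchost.exe\n"
        "match 2: rule Example_A  pid 1234  svchost.exe\n"
        "match 3: rule Example_B  pid 4     System\n"
    )
    (d / "rules.txt").write_text(
        'rule Example_A { strings: $a = "constructed" condition: $a }\n'
        'private rule Example_B { strings: $b = "sample" condition: $b }\n'
    )


def demo() -> dict:
    """Run the whole flow against a constructed sample in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        assert not yara_results_ready(tmp)          # hidden/unpopulated at first
        write_constructed_sample(tmp)               # stands in for forensic processing finishing
        wait_for_yara_results(tmp, timeout_s=5, poll_s=0.1)
        return read_yara_summary(tmp)


if __name__ == "__main__":
    # Usage: python yara_summary.py M:\   (path to the MemProcFS mount point)
    target = sys.argv[1] if len(sys.argv) > 1 else None
    summary = read_yara_summary(wait_for_yara_results(target)) if target else demo()
    print(f"yara matches: {summary['match_count']} (rules loaded: {summary['rule_count']})")
    for line in summary["result_lines"]:
        print(line)
```

Point the script at the mount point to wait for the real scan to finish and print the summary; without an argument it runs against the constructed sample. A non-zero match count is the signal to open result.txt and correlate the matching process with the rest of the forensic output.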
The example below shows forensic yara matches indicating Trickbot in the svchost.exe process.
[[resources/root_forensic_yara.png]]
The forensic/yara sub-directory is implemented as a built-in native C-code plugin. The plugin source is located in the file modules/m_fc_yara.c in the vmm project.