Magic module — yara 4.5.0 documentation


New in version 3.1.0.

The Magic module allows you to identify the type of the file based on the output of file, the standard Unix command.

Important

This module is not built into YARA by default; to learn how to include it, refer to Compiling and installing YARA. Bad news for Windows users: this module is not supported on Windows.

There are two functions in this module: type() and mime_type(). The first one returns the descriptive string returned by file, for example, if you run file against some PDF document you'll get something like this:

    $ file some.pdf
    some.pdf: PDF document, version 1.5

The type() function would return "PDF document, version 1.5" in this case. Using the mime_type() function is similar to passing the --mime argument to file:

    $ file --mime some.pdf
    some.pdf: application/pdf; charset=binary

mime_type() would return "application/pdf", without the charset part.

By experimenting a little with the file command you can learn which output to expect for different file types. These are a few examples:

libmagic will try and read its compiled file type database from /etc/magic.mgc by default. If this file doesn't exist, you can set the environment variable MAGIC to point to a magic.mgc file and libmagic will attempt to load from there as an alternative.

type()

Function returning a string with the type of the file.

Example: magic.type() contains "PDF"

mime_type()

Function returning a string with the MIME type of the file.

Example: magic.mime_type() == "application/pdf"
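The following two rules are an added example and are not part of the YARA documentation. They show both functions in use for triage: the first classifies native executables by libmagic's description regardless of file extension, the second combines mime_type() with a content string. Both assume YARA was configured with --enable-magic so that the module is linked in; the rule names and the meta text are made up for this example.

```yara
import "magic"

// Added example rule (not from the YARA docs). It assumes YARA was built
// with --enable-magic. Matches any file libmagic describes as a Windows PE
// or Linux ELF executable, whatever its extension: useful when triaging a
// directory of renamed samples.
rule executable_by_libmagic
{
    meta:
        description = "File classified by libmagic as a native executable"
    condition:
        magic.type() contains "PE32" or   // covers both "PE32" and "PE32+"
        magic.type() contains "ELF"       // "ELF 32-bit ..." / "ELF 64-bit ..."
}

// Uses mime_type() instead: a file libmagic reports as application/pdf
// that also carries the /JavaScript name object, which is worth a closer
// look in mail or upload pipelines. "/JavaScript" is a real PDF dictionary key.
rule pdf_with_javascript
{
    meta:
        description = "PDF (per libmagic) containing a /JavaScript object"
    strings:
        $js = "/JavaScript"
    condition:
        magic.mime_type() == "application/pdf" and $js
}
```

Save the rules to a file and run them with `yara -r rules.yar /path/to/samples`. If the compiled database is not at /etc/magic.mgc on your system, point libmagic at it for the scan, e.g. `MAGIC=/path/to/magic.mgc yara -r rules.yar /path/to/samples`. Note that mime_type() returns only "application/pdf", so compare against the bare MIME type without the "; charset=..." suffix that file --mime prints.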