Skip to content

Implement memory scanning action using YARA #164

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
panhania merged 10 commits into from
Oct 28, 2025
Merged

Implement memory scanning action using YARA #164

panhania merged 10 commits into from
Oct 28, 2025

Conversation

@CRefice
Copy link
Collaborator

@CRefice CRefice commented Oct 15, 2025

This PR adds VirusTotal/yara-x as an (optional) dependency and adds an action, yara_scan_memory that uses it to scan one or more running processes' memory using a specified YARA signature.

The extra dependency introduced some other transitive dependencies that broke some test code (mostly due to the library bringing in some additional impl traits on standard types), so there are also some edits to unrelated files to fix those breakages.

@CRefice CRefice force-pushed the crefice/yara-scan-action branch from 63adc4d to ac9834e Compare October 15, 2025 12:40
@panhania
Copy link
Member

panhania commented Oct 15, 2025

The extra dependency introduced some other transitive dependencies that broke some test code (mostly due to the library bringing in some additional impl traits on standard types)

How is it possible? Doesn't it break the orphan rule? 🤔

@CRefice CRefice force-pushed the crefice/yara-scan-action branch from 584f4d5 to ba13dc2 Compare October 15, 2025 14:25
@CRefice
Copy link
Collaborator Author

CRefice commented Oct 15, 2025

The extra dependency introduced some other transitive dependencies that broke some test code (mostly due to the library bringing in some additional impl traits on standard types)

How is it possible? Doesn't it break the orphan rule? 🤔

One of the errors was caused by a dependency introducing something like impl Into<MyType> for usize (which is legal) and that caused a test to fail to compile because it had a call to assert_eq!(expected_value, some_usize.into()) without explicitly specifying the type, and the compiler got confused because that into could also have been a MyType now whereas it couldn't have previously. I was also shocked by this.

panhania
panhania reviewed Oct 21, 2025
View reviewed changes
@CRefice CRefice force-pushed the crefice/yara-scan-action branch 3 times, most recently from 3415051 to e7fcb07 Compare October 22, 2025 12:01
@CRefice CRefice requested a review from panhania October 22, 2025 12:06
@CRefice CRefice force-pushed the crefice/yara-scan-action branch from 4b8832d to 9abc282 Compare October 28, 2025 10:53
@panhania panhania changed the title Implement process memory scanning action using yara-x Implement memory scanning action using YARA Oct 28, 2025
@panhania panhania merged commit b3a8a86 into google:master Oct 28, 2025
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@panhania panhania panhania approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@CRefice @panhania