New in version 3.1.0.
The Magic module allows you to identify the type of the file based on the output of file, the standard Unix command.
This module is not built into YARA by default, to learn how to include it refer to Compiling and installing YARA. Bad news for Windows users: this module is not supported on Windows.
There are two functions in this module:
The first one returns the descriptive string returned by file, for example,
if you run file against some PDF document you’ll get something like this:
$file some.pdf some.pdf: PDF document, version 1.5
$file --mime some.pdf some.pdf: application/pdf; charset=binary
mime_type() would return “application/pdf”, without the charset part.
By experimenting a little with the file command you can learn which output to expect for different file types. These are a few examples:
- JPEG image data, JFIF standard 1.01
- PE32 executable for MS Windows (GUI) Intel 80386 32-bit
- PNG image data, 1240 x 1753, 8-bit/color RGBA, non-interlaced
- ASCII text, with no line terminators
- Zip archive data, at least v2.0 to extract
Function returning a string with the type of the file.
Example: magic.type() contains “PDF”
Function returning a string with the MIME type of the file.
Example: magic.mime_type() == “application/pdf”