how to use
The generated YAMA Scanner is a single binary of approximately 1MB and does not depend on any other DLLs, so it runs on most 64-bit Windows versions.
When scanning memory with YAMA Scanner, some processes cannot be inspected unless it is run with administrator privileges: Windows security mechanisms do not allow a user with standard privileges to read the memory space of certain processes. It is therefore recommended to run YAMA Scanner as a user with local administrator privileges.
To scan all processes:

```
Yama.exe --all
```

The inspection results will be output to the console in the following format:

```
PS > .\Yama.exe --all
[YAMA Result]
Scan time: 2023-04-20 16:56:34
Host Name: DESKTOP-2TC0V6S
[Result]
No detection.
```

When malware is detected, the output will be in the following format:

```
PS > .\Yama.exe -a
[YAMA Result]
Scan time: 2023-04-20 17:04:11
Host Name: DESKTOP-2TC0V6S
[Result]
Detected suspicious process.
[Suspicious Process]
Process Name : malware.exe
Process ID : 6320
Image Path : C:\ProgramData\Temp\malware.exe
Matched Rules : APT10_ChChes_strings
```

Additionally, the output will be saved in a text file named in the following format:

```
<Hostname>_<YYYYMMDDHHmmss>_yama.txt
```
To scan a single process by PID and export a JSON report:

```
Yama.exe --pid 1234 --json
```

The inspection results will be output to the console in the following format:

```
PS > .\Yama.exe --pid 1234 -j
{
  "hostname": "DESKTOP-2TC0V6S",
  "is_infected": false,
  "scan_time": "2023-04-20 16:59:36"
}
```

When malware is detected, the output will be in the following format:

```
PS > .\Yama.exe -p 1234 -j
{
  "hostname": "DESKTOP-2TC0V6S",
  "is_infected": true,
  "scan_time": "2023-04-20 17:07:14",
  "suspicious_process": [
    {
      "image_path": "C:\\ProgramData\\Temp\\malware.exe",
      "matched_rules": [
        "APT10_ChChes_strings"
      ],
      "process_id": 1234,
      "process_name": "malware.exe"
    }
  ]
}
```

Additionally, the output will be saved in a JSON file named in the following format:

```
<Hostname>_<YYYYMMDDHHmmss>_yama.json
```
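When reports from many hosts are collected centrally, the JSON files need to be validated and flattened before triage. The helper below is an added example, not part of YAMA: it checks the file name against the naming scheme above (the regex is my reading of that scheme), cross-checks the embedded hostname against the report body, and maps each infected host to its (process, PID, image path, rule) hits. The sample reports are constructed from the output shown above.

```python
import json
import re
from typing import Dict, List, Tuple

# File names follow <Hostname>_<YYYYMMDDHHmmss>_yama.json; this regex is an
# assumption derived from that scheme, not something YAMA itself exposes.
REPORT_NAME = re.compile(r"^(?P<host>.+)_(?P<ts>\d{14})_yama\.json$")

# Constructed sample reports mirroring the documented JSON schema.
SAMPLE_REPORTS: Dict[str, str] = {
    "DESKTOP-2TC0V6S_20230420165936_yama.json": json.dumps({
        "hostname": "DESKTOP-2TC0V6S", "is_infected": False,
        "scan_time": "2023-04-20 16:59:36"}),
    "DESKTOP-2TC0V6S_20230420170714_yama.json": json.dumps({
        "hostname": "DESKTOP-2TC0V6S", "is_infected": True,
        "scan_time": "2023-04-20 17:07:14",
        "suspicious_process": [{
            "image_path": "C:\\ProgramData\\Temp\\malware.exe",
            "matched_rules": ["APT10_ChChes_strings"],
            "process_id": 1234, "process_name": "malware.exe"}]}),
}

Hit = Tuple[str, int, str, str]  # (process_name, process_id, image_path, rule)


def parse_report(filename: str, text: str) -> Dict:
    """Validate one report file and flatten its matches into Hit tuples."""
    m = REPORT_NAME.match(filename)
    if m is None:
        raise ValueError(f"not a YAMA report file name: {filename}")
    data = json.loads(text)
    # The hostname in the file name must agree with the report body; a
    # mismatch points at a renamed or mixed-up file and should not be trusted.
    if data.get("hostname") != m.group("host"):
        raise ValueError(f"hostname mismatch in {filename}")
    hits: List[Hit] = []
    for proc in data.get("suspicious_process", []):  # absent on clean scans
        for rule in proc.get("matched_rules", []):
            hits.append((proc["process_name"], proc["process_id"],
                         proc["image_path"], rule))
    return {"hostname": data["hostname"], "scan_time": data["scan_time"],
            "is_infected": bool(data.get("is_infected")), "hits": hits}


def infected_hosts(reports: Dict[str, str]) -> Dict[str, List[Hit]]:
    """Map each host with at least one positive scan to the union of its hits."""
    summary: Dict[str, List[Hit]] = {}
    for name in sorted(reports):  # sorted name => chronological per host
        r = parse_report(name, reports[name])
        if r["is_infected"]:
            summary.setdefault(r["hostname"], []).extend(r["hits"])
    return summary
```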
When YAMA Scanner is executed with administrator privileges, it also writes events to the Windows Event Log. The events are recorded in the following evtx file:

```
%SystemRoot%\System32\Winevt\Logs\Application.evtx
```

The Event Log provider information is as follows:

```
Provider Name: Yama
Provider GUID: C0F1A27E-AA60-4D7F-8DD0-8272527A7764
```

The recorded event IDs are as follows:

- EventID 10: YAMA Scanner startup
- EventID 11: YAMA Scanner termination
- EventID 20: No malware detected by YAMA Scanner
- EventID 40: Malware detected by YAMA Scanner
The following options are available for YAMA Scanner:

- `-h, --help` : shows help message and exits
- `--version` : prints version information and exits
- `-p, --pid` : PID to scan (required if not using `--all`)
- `-a, --all` : scan all processes (required if not using `--pid`)
- `-o, --output` : specify output directory [default: "./"]
- `-j, --json` : export JSON report to the output directory
- `-u, --uninstall` : uninstall YAMA EventLog manifest (only performs the uninstall operation)
- `-s, --suppress` : suppress warning logs
- `-q, --quiet` : suppress all console output
- `-v, --verbose` : increase verbosity (`-v`: info, `-vv`: debug, `-vvv`: trace)