From c610497fa04de41042104fdefbfa243c0bcf76a9 Mon Sep 17 00:00:00 2001
From: Eve
Date: Wed, 29 Nov 2023 09:28:34 +0000
Subject: [PATCH] Windows: update vadyarascan to use generic yarascan requirements
---
 .../framework/plugins/windows/vadyarascan.py | 39 ++++++-------------
 1 file changed, 12 insertions(+), 27 deletions(-)
diff --git a/volatility3/framework/plugins/windows/vadyarascan.py b/volatility3/framework/plugins/windows/vadyarascan.py
index 4b30a9d8b4..d795818e93 100644
--- a/volatility3/framework/plugins/windows/vadyarascan.py
+++ b/volatility3/framework/plugins/windows/vadyarascan.py
@@ -18,47 +18,26 @@ class VadYaraScan(interfaces.plugins.PluginInterface):
     """Scans all the Virtual Address Descriptor memory maps using yara."""
 
     _required_framework_version = (2, 4, 0)
-    _version = (1, 0, 0)
+    _version = (1, 0, 1)
 
     @classmethod
     def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
-        return [
+        # create a list of requirements for vadyarascan
+        vadyarascan_requirements = [
             requirements.ModuleRequirement(
                 name="kernel",
                 description="Windows kernel",
                 architectures=["Intel32", "Intel64"],
             ),
-            requirements.BooleanRequirement(
-                name="wide",
-                description="Match wide (unicode) strings",
-                default=False,
-                optional=True,
-            ),
-            requirements.StringRequirement(
-                name="yara_rules", description="Yara rules (as a string)", optional=True
-            ),
-            requirements.URIRequirement(
-                name="yara_file", description="Yara rules (as a file)", optional=True
-            ),
-            # This additional requirement is to follow suit with upstream, who feel that compiled rules could potentially be used to execute malicious code
-            # As such, there's a separate option to run compiled files, as happened with yara-3.9 and later
-            requirements.URIRequirement(
-                name="yara_compiled_file",
-                description="Yara compiled rules (as a file)",
-                optional=True,
-            ),
-            requirements.IntRequirement(
-                name="max_size",
-                default=0x40000000,
-                description="Set the maximum size (default is 1GB)",
-                optional=True,
-            ),
             requirements.PluginRequirement(
                 name="pslist", plugin=pslist.PsList, version=(2, 0, 0)
             ),
             requirements.VersionRequirement(
                 name="yarascanner", component=yarascan.YaraScanner, version=(2, 0, 0)
             ),
+            requirements.PluginRequirement(
+                name="yarascan", plugin=yarascan.YaraScan, version=(1, 2, 0)
+            ),
             requirements.ListRequirement(
                 name="pid",
                 element_type=int,
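Review bot: The added comment `# create a list of requirements for vadyarascan` restates the assignment below it, while the hunk removes the only in-file explanation of why the yara rule inputs exist as separate requirements, including the rationale for keeping compiled rules as a distinct `yara_compiled_file` option. Since those options are now sourced from `yarascan.YaraScan` rather than declared here, a why-comment serves the next reader better, e.g. `# Plugin-specific requirements only; the shared yara options (rules, rule file, compiled rules, max_size, wide) are taken from yarascan.YaraScan, presumably so every yara plugin exposes the same options`. It would also help to state in that comment that the new `PluginRequirement` pin `(1, 2, 0)` on `yarascan.YaraScan` is what guarantees `get_yarascan_option_requirements()` is available. The body of get_requirements continues past this hunk.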
@@ -67,6 +46,12 @@ def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]
             ),
         ]
 
+        # get base yarascan requirements for command line options
+        yarascan_requirements = yarascan.YaraScan.get_yarascan_option_requirements()
+
+        # return the combined requirements
+        return yarascan_requirements + vadyarascan_requirements
+
     def _generator(self):
         kernel = self.context.modules[self.config["kernel"]]