How does Yara really search for a string in a binary file ?

[Fredus69]

Hello,

I'm wondering a lot of questions every time.
Since i use Yara, there is a question that i didn't find answer yet.

When i make a very simple yara rule file, like this one :

rule test_rule : test
{
strings:
$1 = "text"

condition:
	any of them

And i run this yara rule against a binary file with this command line : " yara test.yara -s binary"

=> What action really does yara to check if the strings "test" exists in the file "binary" ?
=> Does it use a simple "grep" (or something equivalent if it is on a linux computer) on the file "binary" ?
=> Or does it make something more complex ?

Thank for the help on this question

Fred

[plusvic]

YARA doesn't use the actual grep under the hood, it implements its own scanning logic that has the Aho-Corasick algorithm at its core.

This blog post can sheds some light on how YARA works internally.