architect exporters

PatternGenerator - create wildcard patterns from hex regions.

class PatternGenerator

Bases: object

Generate wildcard byte patterns from a region and its static mask.

Static bytes become exact match values; volatile bytes become wildcards (??). The result can be exported as YARA or JSON.

static generate(reference_bytes, static_mask, name='unnamed_pattern', min_static_ratio=0.3)

Generate a pattern dict from reference bytes and static mask.

Parameters:
  • reference_bytes (bytes) – Bytes from the reference dump.

  • static_mask (List[bool]) – Per-byte static/volatile flags.

  • name (str) – Pattern name.

  • min_static_ratio (float) – Minimum ratio of static bytes required.

Returns:

Pattern dict with hex_pattern, wildcard_pattern, metadata. None if insufficient static bytes.

Return type:

dict | None

static find_anchors(static_mask, min_anchor_length=4)

Find contiguous runs of static bytes that can serve as anchors.

Parameters:
  • static_mask (List[bool]) – Per-byte static flags.

  • min_anchor_length (int) – Minimum consecutive static bytes for an anchor.

Returns:

List of (start_offset, length) tuples for anchor regions.

Return type:

List[Tuple[int, int]]

static infer_fields(variance, key_offset, key_length, threshold=2000.0)

Segment variance into structural fields and dynamic regions.

Walks the variance array and groups contiguous bytes by whether their variance is below threshold (static) or above (dynamic). The known key region is labeled key_material regardless of individual byte variance.

Returns:

List of field dicts with offset, length, type ('static', 'dynamic', or 'key_material'), mean_variance, and label.

Parameters:
Return type:

List[dict]

YaraExporter - export patterns as YARA rules.

class YaraExporter

Bases: object

Export byte patterns as YARA detection rules.

static export(pattern, rule_name=None, description=None, tags=None)

Export a pattern dict as a YARA rule string.

Parameters:
  • pattern (dict) – Pattern dict from PatternGenerator.generate().

  • rule_name (str | None) – YARA rule name (defaults to sanitized pattern name).

  • description (str | None) – Rule description.

  • tags (list | None) – Optional YARA tags.

Returns:

YARA rule as a string.

Return type:

str
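
A stand-alone sketch of the technique documented above, added here and not taken from the project's source: it rebuilds the static-mask-to-wildcard conversion, the anchor search, and a minimal YARA wrapper in plain Python. The names `wildcard_pattern` and `to_yara`, the trimming of edge wildcards, the rule layout, and the sample bytes are assumptions of this example, not the library's behaviour.

```python
import re
from typing import List, Optional, Tuple

def find_anchors(static_mask: List[bool], min_anchor_length: int = 4) -> List[Tuple[int, int]]:
    """(start_offset, length) of every static run at least min_anchor_length long."""
    anchors, start = [], None
    for i, is_static in enumerate(list(static_mask) + [False]):  # sentinel closes a trailing run
        if is_static and start is None:
            start = i
        elif not is_static and start is not None:
            if i - start >= min_anchor_length:
                anchors.append((start, i - start))
            start = None
    return anchors

def wildcard_pattern(reference_bytes: bytes, static_mask: List[bool],
                     min_static_ratio: float = 0.3) -> Optional[str]:
    """Static bytes become hex values, volatile bytes '??'; None if too few static bytes."""
    if len(reference_bytes) != len(static_mask):
        raise ValueError("static_mask needs exactly one flag per reference byte")
    n_static = sum(static_mask)
    if n_static == 0 or n_static / len(static_mask) < min_static_ratio:
        return None
    tokens = [f"{b:02X}" if s else "??" for b, s in zip(reference_bytes, static_mask)]
    # Wildcards before the first or after the last static byte add no selectivity: trim them.
    first = static_mask.index(True)
    last = len(static_mask) - static_mask[::-1].index(True)
    return " ".join(tokens[first:last])

def to_yara(name: str, pattern: str) -> str:
    """Wrap a wildcard pattern in a minimal YARA rule with a sanitized identifier."""
    ident = re.sub(r"\W", "_", name, flags=re.ASCII)
    if ident[:1].isdigit():  # YARA identifiers cannot start with a digit
        ident = "_" + ident
    return (f"rule {ident}\n{{\n    strings:\n        $p = {{ {pattern} }}\n"
            f"    condition:\n        $p\n}}\n")

# Constructed sample region (not from a real dump): 1 volatile byte, 4-byte static tag,
# 8 volatile bytes standing in for key material, 4-byte static trailer, 1 volatile byte.
REFERENCE = bytes.fromhex("9c 4b455931 a1b2c3d4e5f60718 00200000 5e")
MASK = [False] + [True] * 4 + [False] * 8 + [True] * 4 + [False]

if __name__ == "__main__":
    print(find_anchors(MASK))
    print(to_yara("tls key-ctx", wildcard_pattern(REFERENCE, MASK)))
```

Raising `min_static_ratio` above the region's static share (8 of 18 bytes here) makes the sketch return None, which is the guard against emitting a rule that is mostly wildcards and would match unrelated memory.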

JsonExporter - export patterns as JSON signature files.

class JsonExporter

Bases: object

Export byte patterns as JSON signatures compatible with pattern_loader.

static export(pattern, library='', tls_version='', description='', structural_rules=None)

Export a pattern as a JSON signature dict.

Parameters:
  • pattern (dict) – Pattern dict from PatternGenerator.generate().

  • library (str) – Target library name.

  • tls_version (str) – TLS version ('12' or '13').

  • description (str) – Human-readable description.

  • structural_rules (Dict[str, List[dict]] | None) – Optional before/after structural rules.

Returns:

JSON-serializable dict compatible with pattern_loader.

Return type:

dict

static save(signature, output_path)

Save a JSON signature to a file.

Parameters:
Return type:

None

static to_string(signature)

Convert a signature to a formatted JSON string.

Parameters:

signature (dict)

Return type:

str

Volatility3Exporter - generate self-contained Volatility3 plugins from patterns.

class Volatility3Exporter

Bases: object

Export byte patterns as self-contained Volatility3 Python plugins.

static export(pattern, plugin_name=None, description=None, yara_rule=None)

Export a pattern dict as a Volatility3 plugin Python source.

Parameters:
  • pattern (dict) – Pattern dict from PatternGenerator.generate(), optionally enriched with key_offset, key_length, vtypes, and fields by vol3_emit.

  • plugin_name (str | None) – Plugin class name (defaults to CamelCase of pattern name).

  • description (str | None) – Human-readable description.

  • yara_rule (str | None) – Pre-built YARA rule string. Generated if not provided.

Returns:

Complete Python source code for a Volatility3 plugin.

Return type:

str

static save(content, output_path)

Write plugin source to a file.

Parameters:
Return type:

None