mkYARA Logo

mkYARA

0
Free
Visit Website

Writing YARA rules based on executable code within malware can be a tedious task. An analyst cannot simply copy and paste raw executable code into a YARA rule, because this code contains variable values, such as memory addresses and offsets. The analyst has to disassemble the code and wildcard all the pieces in the code that can change between samples. mkYARA aims to automate this part of writing rules by generating executable code signatures that wildcard all these little pieces of executable code that are not static. Installation is as easy as installing the pip package. pip install mkyara Usage: import codecs from capstone import CS_ARCH_X86, CS_MODE_32 from mkyara import YaraGenerator gen = YaraGenerator("normal", CS_ARCH_X86, CS_MODE_32) gen.add_chunk(b"\x90\x90\x90", offset=1000) gen.add_chunk(codecs.decode("6830800000E896FEFFFFC3", "hex"), offset=0x100) gen.add_chunk(b"\x90\x90\x90\xFF\xD7", is_data=True) rule = gen.generate_rule() rule_str = rule.get_rule_string() print(rule_str) Standalone Tool: mkYARA comes with a standalone tool that is cross platform, as in, it can create signatures for Windows binaries running under Linux. Usage: mkyara [-h] [-i {x86}

FEATURES

ALTERNATIVES

IDA Pro plugin for finding crypto constants

A Python script that converts shellcode into a PE32 or PE32+ file.

Scans running processes for potentially malicious implants and dumps them.

Hyara is a plugin that simplifies writing YARA rules with various convenient features.

Educational resources for reverse engineering tutorials by lena151.

A tool to detect, manage and exploit Blind Cross-site scripting (XSS) vulnerabilities.

Fernflower is an analytical decompiler for Java with command-line options and support for external classes.

Ropper is a tool for analyzing binary files and searching for gadgets to build rop chains for different architectures.

PINNED