mkYARA

Generating YARA rules based on binary code

Results 7 mkYARA issues

Hi! I was working on my disassembler's instruction wildcarding and also had a look at how you have been doing it with mkYARA. While revisiting capstone's internals, I noticed that...

```
  File "/Users/xx/Library/Python/3.9/lib/python/site-packages/capstone/__init__.py", line 941, in __init__
    status = _cs.cs_open(arch, mode, ctypes.byref(self.csh))
ctypes.ArgumentError: argument 1: : wrong type
```

Fix issue described in https://github.com/fox-it/mkYARA/issues/6#issue-1019668718 Rewrote coding data bytes to hex by binascii.hexlify(). Intended to make python2-3 compatible code without python version checks. Fix ida plugin getting md5 file string....

Just took sample code from README.md

```python
import codecs
from capstone import CS_ARCH_X86, CS_MODE_32
from mkyara import YaraGenerator

gen = YaraGenerator("normal", CS_ARCH_X86, CS_MODE_32)
gen.add_chunk(b"\x90\x90\x90", offset=1000)
gen.add_chunk(codecs.decode("6830800000E896FEFFFFC3", "hex"), offset=0x100)
gen.add_chunk(b"\x90\x90\x90\xFF\xD7", is_data=True)
```
...

For mkYARA standalone: what does the -s command do in terms of size? It changes the code chunk from which it makes the YARA rule...? And by what unit, for example...

It is not generating the IDA rule on the mentioned IDA version. When "generate Yara rule" is clicked only meta-data is shown in the dialogue box.

```
rule generated_rule {...
```

In this Pull Request I:
- Added support for strings in rules
- Extended the IDA plugin by a "String Yara Rule" option
- Added a "clear" button to the...