Skip to content
/ YaraVM Public

This repository contains an IDA processor for loading and disassembling compiled yara rules.

32 stars 4 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

milankovo/YaraVM

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
compiled_rules
compiled_rules
 
 
img
img
 
 
src
src
 
 
README.md
README.md
 
 

Repository files navigation

YaraVM

Yara is a tool for matching patterns in files, commonly used for malware analysis. Yara rules can be compiled into a binary format that can later be loaded and executed. This repository contains a processor module and a loader for IDA Pro, enabling you to load and analyze compiled Yara rules.

Installation

To install the YaraVM into IDA, follow these steps:

  1. Copy the yara_loader.py file to the IDA loaders folder.
  2. Copy the yara_proc.py file to the IDA proc folder.
  3. Copy the libyara.til file to the IDA til folder.
  4. Now you can open the compiled yara rules in IDA.

For convenience, you can use the following commands to create the necessary symlinks:

mkdir -p ~/.idapro/loaders
mkdir -p ~/.idapro/procs
mkdir -p ~/.idapro/til

ln -s $PWD/src/yara_loader.py ~/.idapro/loaders/yara_loader.py
ln -s $PWD/src/yara_proc.py ~/.idapro/procs/yara_proc.py
ln -s $PWD/src/libyara.til ~/.idapro/til/libyara.til

Demonstration

You can load the file test.yar.bin into IDA Pro to see the Yara bytecode and the regex bytecode.

loader in action yara bytecode regex bytecode

About

This repository contains an IDA processor for loading and disassembling compiled yara rules.

Resources

Readme
Activity

Stars

32 stars

Watchers

2 watching

Forks

4 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages