Initial commit for r2yara documentation
sylvainpelissier authored Aug 19, 2024
1 parent f7df05b commit 3e1da03
Showing 2 changed files with 101 additions and 0 deletions.
1 change: 1 addition & 0 deletions src/SUMMARY.md
Expand Up @@ -133,6 +133,7 @@
* [Packaging](plugins/r2pm.md)
* [R2Frida](r2frida/intro.md)
* [First Steps](r2frida/first_steps.md)
* [R2Yara](r2yara/intro.md)
* [Crackmes](crackmes/intro.md)
* [IOLI](crackmes/ioli/intro.md)
* [IOLI 0x00](crackmes/ioli/ioli_0x00.md)
100 changes: 100 additions & 0 deletions src/r2yara/intro.md
@@ -0,0 +1,100 @@
# r2yara

r2yara is the integration of [Yara](https://virustotal.github.io/yara/) into radare2. Yara is a powerful binary analysis tool using rules to identity or classify patterns in a binaries.

## Installation

r2yara is maintained in a separate repository. It can be installed with the `r2pm` package manager:

```console
$ r2pm -ci r2frida
```

The package manager handle automatically the installation and compilation of the Yara library.

## Usage

As soon as r2yara is installed, two sets of commands are available in r2. The first set of command are invoked with the command `yara`:

```console
[0x00000000]> yara
Usage: yara [action] [args..] load and run yara rules inside r2
| yara add [file] Add yara rules from file, or open $EDITOR with yara rule template
| yara clear Clear all rules
| yara help Show this help (same as 'yara?')
| yara list List all rules
| yara scan[S] Scan the current file, if S option is given it prints matching strings
| yara show [name] Show rules containing name
| yara tag [name] List rules with tag 'name'
| yara tags List tags from the loaded rules
| yara version Show version information about r2yara and yara
```

The second kind of shorter commands start with `yr`:

```console
[0x00000000]> yr
Usage: yr [action] [args..] load and run yara rules inside r2
| yr [file] add yara rules from file
| yr same as yr?
| yr-* unload all the rules
| yr? show this help (same as 'yara?')
| yrg[?][-sxf] generate yara rule
| yrl list loaded rules
| yrs[q] scan the current file, suffix with 'q' for quiet mode
| yrt ([tagname]) list tags from loaded rules, or list rules from given tag
| yrv show version information about r2yara and yara
```

### Rule management

The plugin include two rules files by default in the folder `rules` of the plugin. The already loaded rules can be listed:

```console
[0x00055a40]> yrl
HelloWorld
BLOWFISH_Constants
MD5_Constants
RC6_Constants
RIPEMD160_Constants
SHA1_Constants
SHA256_Constants
SHA512_Constants
WHIRLPOOL_Constants
```

The rules can be cleared:

```console
[0x00055a40]> yr-
INFO: Rules cleared
[0x00055a40]> yrl
```

Other rules can be added from an external files.

```console
[0x00055a40]> yr r2yara/rules/crypto.yara
```

### Scan

The current binary can be scanned with the currently loaded rules to see if any rule matches a pattern in the binary:

```console
[0x00055a40]> yrs
BLOWFISH_Constants
0x004960c0: yara3.BLOWFISH_Constants_0 : a60b31d1
0x004960c4: yara3.BLOWFISH_Constants_1 : acb5df98
0x004960c8: yara3.BLOWFISH_Constants_2 : db72fd2f
0x004960cc: yara3.BLOWFISH_Constants_3 : b7df1ad0
0x004964c0: yara3.BLOWFISH_Constants_4 : e9707a4b
0x004968c8: yara3.BLOWFISH_Constants_5 : 1c264cf6
SHA256_Constants
0x001936c4: yara4.SHA256_Constants_0 : 982f8a42
0x0019372b: yara4.SHA256_Constants_1 : 91443771
0x0019379d: yara4.SHA256_Constants_2 : cffbc0b5
0x001937e5: yara4.SHA256_Constants_3 : a5dbb5e9
```

As soon as a pattern is identified, a flag is created at the pattern address.
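Review bot: the install command in the Installation section is wrong for this plugin: `$ r2pm -ci r2frida` installs the r2frida package, not r2yara, so it should read `$ r2pm -ci r2yara`; as written, a reader following the page ends up with a different plugin and none of the `yara`/`yr` commands documented below. A few wording fixes in the same file: "rules to identity or classify patterns in a binaries" should be "rules to identify or classify patterns in binaries", "The package manager handle automatically" should be "handles", "The first set of command are invoked" should be "The first set of commands is invoked", "The plugin include two rules files" should be "includes two rule files", and "added from an external files" should be "added from external files". The Rule management example clears rules with `yr-`, while the `yr` help listed just above shows the command as `yr-*`; either the example should use `yr-*` or a sentence should state that `yr-` alone is accepted, so the two do not contradict each other. Finally, the closing sentence says a flag is created at each match address; it would help to connect that to the `yara3.BLOWFISH_Constants_0` style names visible in the `yrs` output, so readers know these are the flag names they will find in the flag list afterwards.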

0 comments on commit 3e1da03