Merge yara content in a single file #407
Merged (1 commit), Oct 23, 2024
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -10,6 +10,6 @@ Please contribute by updating and improving the contents.
* [Github](https://github.com/radareorg/radare2-book)
* [Read it Online](https://book.rada.re/)

Read the [CONTRIBUTING.md](https://github.com/radareorg/radare2-book/blob/master/CONTRIBUTING.md) guidelines before submiting a pull request to the github repository.
Read the [CONTRIBUTING.md](https://github.com/radareorg/radare2-book/blob/master/CONTRIBUTING.md) guidelines before submitting a pull request to the github repository.

Thanks!
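Review bot: the corrected line still says "the github repository" in lowercase while the link text on the same line and the bullet above use "GitHub"/"Github"; since this line is being touched anyway for the "submiting" typo, consider normalising it to "GitHub repository" so the README spells the name one way.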
68 changes: 68 additions & 0 deletions src/r2yara/intro.md
Expand Up @@ -98,3 +98,71 @@ SHA256_Constants
```

As soon as a pattern is identified, a flag is created at the pattern address.

## Rule generator

r2yara allows the creation of YARA rules inside radare2 with the `yrg` group of commands:

```console
[0x00000000]> yrg?
Usage: yrg [action] [args..] load and run yara rules inside r2
| yrg- delete last pattern added to the yara rule
| yrg-* delete all the patterns in the current rule
| yrgs ([len]) add string (optionally specify the length)
| yrgx ([len]) add hexpairs of blocksize (or custom length)
| yrgf ([len]) add function bytepattern signature
| yrgz add all strings referenced from current function
```

The current state of the YARA rule can be displayed with the `yrg` command:

```console
[0x00000000]> yrg
WARN: See 'yrg?' to find out which subcommands use to append patterns to the rule
rule rulename : test {
meta:
author = "user"
description = "My first yara rule"
date = "2024-10-22"
version = "0.1"
}
```

Let's assumed we have found an interesting string during reversing:

```console
[0x00132700]> ps
expand 32-byte k
```

To add into this pattern to the current YARA rule, the command `yrgs` can be used together with the length of the pattern to add:

```console
[0x00132700]> yrgs 16
[0x00132700]> yrg
rule rulename : test {
meta:
author = "sylvain"
description = "My first yara rule"
date = "2024-10-22"
version = "0.1"
strings:
$ = "expand 32-byte k"
condition:
all of them
```

The rule parameters can be changed in the configuration. For example to change the name of the rule, use the following command:

```console
[0x00132700]> e yara.rule = Salsa20
```

Once the rule is ready, it can be added to other active YARA rules:

```console
[0x00132700]> yr+
INFO: Rule successfully added
[0x00132700]> yrl
Salsa20
```
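Review bot: the second `yrg` transcript (after `yrgs 16`) is missing the closing `}` that the first `yrg` output ends with, and its `author` meta reads "sylvain" where the first capture reads "user", so the two blocks do not look like the same session; re-capture or edit the second block so the rule is closed and the author matches. Two wording fixes in the prose: "Let's assumed we have found an interesting string" should be "Let's assume we have found an interesting string", and "To add into this pattern to the current YARA rule" should be "To add this pattern to the current YARA rule". The final `yr+`/`yrl` snippet would read better with one sentence saying that `yrl` lists the currently loaded rules, so the reader connects the "Salsa20" line to the `e yara.rule = Salsa20` setting shown just above it.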