Skip to content

AzzOnFire/yarka

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
 
 
 
 
 
 
 
 

Repository files navigation

Yarka - create YARA signatures from selection

IDA plugin with no dependencies to easily create YARA signatures by selecting a set of instructions, strings or binary data. Just select chunk and press Ctrl+Y to make the rule

Screenshot of opened editor dialog

Features

  • Make rule from any entities in selection in "Disassembly" and "Decompile" views
  • Make rule from selection in "Strings" view
  • Make "hunting" ruleset from selection in "Functions" view, rule contains basic blocks and data refs content (strings, constants, etc...)
  • Yara syntax highlighting
  • Easy customization (see "Customization" section)

Installation

Copy yarka.py and yarka to your IDA plugins directory (%IDA_HOME%/plugins).

Customization

You can customize the rules format to suit your needs. To do this, replace global parameters in header of yarka.py file

Rule style parameters:

  • WRAP_CURLY_BRACE - wrap curly brace on a new line (default: False)
  • INDENT_HEADERS - indent meta, strings, condition (default: False)

Rule editor default parameters (also editable in the editor window):

  • DEFAULT_SHOW_COMMENTS - show comments (default: True)
  • DEFAULT_STRICT_RULE - don't wildcard relative offsets (default: False)
  • DEFAULT_INDENT - rule indentation (default: 2)

Default fields in meta section. Values can be string or lambda functions

DEFAULT_META_FIELDS = {
    'company': 'Security Inc.',
    'date': lambda: str(date.today()),
}

Default fields in conditions section. Values can be string or lambda functions (with optional argument - strings count):

DEFAULT_CONDITIONS = [
    lambda: '(PE)' in idaapi.get_file_type_name() and 'uint16(0) == 0x5A4D',
    lambda count: f'{2 * count // 3} of them' if count > 2 else 'all of them'
]

TODO

  • More entities for hunting ruleset (available now via hotkey Ctrl+Alt+Y)
  • Identify more bugs during use (waiting for your issues!)

Credits

Thanks to mkYARA IDA plugin, which was the inspiration for this project

Releases

No releases published

Packages

No packages published

Languages