Last active
December 14, 2023 15:01
-
-
Save albertzsigovits/31ad006beefe2088c7abe913a513517b to your computer and use it in GitHub Desktop.
YARA use-cases
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| YARA use cases: | |
| =============== | |
| Conditions: | |
| ----------- | |
| uint16(0) == 0x5A4D // MZ | |
| uint32(uint32(0x3C)) == 0x00004550 // PE | |
| uint32(0) == 0x464C457F // ELF | |
| uint8be(uint32(0x3C)+4) == 0x64 // 64-bit | |
| uint32be(uint32(0x3C)+8) == 0x174a505c // Compiled time | |
| uint32be(0) == 0x4c000000 // LNK Magic | |
| uint32be(4) == 0x01140200 // LNK Header | |
| uint16(0) == 0x2123 // Bash script | |
| Occurences: | |
| ----------- | |
| #a < 61 and #b > 20 | |
| and #a == 16 and #b == 30 | |
| and #a in (filesize-5000 .. filesize) == 2 | |
| and for all of ($*) : ( # > 3 ) | |
| and (#a > #b + #c) | |
| Position: | |
| --------- | |
| console.hex("@a[1]: ", @a[1]) | |
| and console.hex("@b[1]: ", @b[1]) | |
| and console.hex("Distance: ", @b[1]-@a[1]) | |
| and @a[1] < @b[1] | |
| and @a[1] + 0xB == @b[1] | |
| and for all of ($str*) : ( @ < @b ) | |
| and for all i in ( 1 .. filesize ) : ( @a[1] < @b[1] ) | |
| Math + PE: | |
| ---------- | |
| for any i in (0 .. pe.number_of_sections - 1): | |
| math.entropy(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) > 7.9 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment