yarGen is a generator for YARA rules
OTHER License
Published by Neo23x0 about 4 years ago
Published by Neo23x0 over 4 years ago
\ and " characters in rules
Published by Neo23x0 over 4 years ago
Published by Neo23x0 about 7 years ago
Note:
The exports expression works fine with older versions of YARA that support the pe module (tested with 3.5.0).
The imphash expression works fine with all YARA versions 3.6 and higher.
Raw Version
Modified Version
DB Lookup Tool
DB Lookup Tool Examples
Published by Neo23x0 over 7 years ago
The database files are not included in the repo anymore. Use "--update" to get the string and opcode databases or download them from the following URL and place them in a "./dbs" sub folder.
https://drive.google.com/drive/folders/0B2S_IOa0MiOHS0xmekR6VWRhZ28
yarGen now allows creating multiple databases for opcodes or strings. You can easily create a new database by using "-c" for new database creation and passing an identifier with "-i identifier", e.g. "office". It will then create two new database files named "good-strings-office.db" and "good-opcodes-office.db" that will be initialized during startup together with the built-in databases.
Create a new strings and opcodes database from an Office 2013 program directory:
yarGen.py -c --opcodes -i office -g /opt/packs/office2013
The analysis and string extraction process will create the following new databases in the "./dbs" sub folder.
good-strings-office.db
good-opcodes-office.db
You can then directly use them in the rule creation process because from version 0.17.0 on, all *.db files in the sub folder "./dbs" will be initialized during startup.
You can update the once-created databases with the "-u" parameter:
yarGen.py -u --opcodes -i office -g /opt/packs/office365
This would update the "office" databases with new strings extracted from files in the given directory.
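The create/update/load-at-startup workflow described above, modelled as an added Python example: this is not yarGen's own code or on-disk database format, only a simplified illustration in which "good-strings-<identifier>.db" holds a JSON list of printable strings extracted from known-good files, every such file under "./dbs" is merged at startup, and strings that appear in a goodware database are dropped from a sample's rule candidates. File names and contents in demo() are constructed, not real Office binaries.

```python
import json, re, tempfile
from pathlib import Path

# Printable-ASCII runs of 6+ characters stand in for yarGen's string extraction.
STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")

def extract_strings(data):
    return {m.group().decode("ascii") for m in STRING_RE.finditer(data)}

def strings_from_dir(goodware_dir):
    return set().union(*(extract_strings(f.read_bytes())
                         for f in Path(goodware_dir).rglob("*") if f.is_file()))

def create_db(dbs_dir, identifier, goodware_dir):
    """Model of '-c -i <identifier> -g <dir>': write good-strings-<identifier>.db."""
    dbs_dir.mkdir(parents=True, exist_ok=True)
    db = dbs_dir / f"good-strings-{identifier}.db"
    db.write_text(json.dumps(sorted(strings_from_dir(goodware_dir))))
    return db

def update_db(dbs_dir, identifier, goodware_dir):
    """Model of '-u -i <identifier> -g <dir>': merge new strings, return how many were added."""
    db = dbs_dir / f"good-strings-{identifier}.db"
    existing = set(json.loads(db.read_text()))
    merged = existing | strings_from_dir(goodware_dir)
    db.write_text(json.dumps(sorted(merged)))
    return len(merged) - len(existing)

def load_all_dbs(dbs_dir):
    """Startup behaviour: every good-strings-*.db found under ./dbs is merged in."""
    return set().union(*(set(json.loads(db.read_text()))
                         for db in Path(dbs_dir).glob("good-strings-*.db")))

def candidate_strings(sample, good):
    """Strings that survive filtering: present in the sample, absent from all goodware databases."""
    return extract_strings(sample) - good

def demo():
    """Runs the whole workflow on constructed files in a temp directory (not real Office binaries)."""
    root = Path(tempfile.mkdtemp()); dbs = root / "dbs"
    (root / "office2013").mkdir()
    (root / "office2013/winword.bin").write_bytes(b"\x00MSVCRT.dll\x00GetProcAddress\x00Microsoft Office\x00")
    create_db(dbs, "office", root / "office2013")            # like: -c -i office -g <dir>
    (root / "office365").mkdir()
    (root / "office365/excel.bin").write_bytes(b"\x00GetProcAddress\x00OfficeClickToRun\x00")
    added = update_db(dbs, "office", root / "office365")     # like: -u -i office -g <dir>
    good = load_all_dbs(dbs)                                  # all *.db in ./dbs at startup
    sample = b"\x00GetProcAddress\x00CONSTRUCTED_SUSPICIOUS_MARKER\x00Microsoft Office\x00"
    return {"added": added, "good_count": len(good), "candidates": candidate_strings(sample, good)}
```

Only the string that occurs in no goodware database is left as a rule candidate; the common import names and product string are filtered out by the merged databases.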