1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
|
%global _empty_manifest_terminate_build 0
Name: python-mkYARA
Version: 1.0.0
Release: 1
Summary: Generating YARA rules based on binary code
License: GPLv3
URL: https://pypi.org/project/mkYARA/
Source0: https://mirrors.aliyun.com/pypi/web/packages/b0/2e/da30e5e4ae94eaacf88b41ea776b7228df97a7cbd931da2c1e112020f317/mkYARA-1.0.0.tar.gz
BuildArch: noarch
%description
# mkYARA
Writing YARA rules based on executable code within malware can be a tedious task. An analyst cannot simply copy and paste raw executable code into a YARA rule, because this code contains variable values, such as memory addresses and offsets. The analyst has to disassemble the code and wildcard all the pieces in the code that can change between samples. mkYARA aims to automate this part of writing rules by generating executable code signatures that wildcard all these little pieces of executable code that are not static.
## Installation
Installation is as easy as installing the pip package.
```
pip install mkyara
```
## Usage
```python
import codecs
from capstone import CS_ARCH_X86, CS_MODE_32
from mkyara import YaraGenerator
gen = YaraGenerator("normal", CS_ARCH_X86, CS_MODE_32)
gen.add_chunk(b"\x90\x90\x90", offset=1000)
gen.add_chunk(codecs.decode("6830800000E896FEFFFFC3", "hex"), offset=0x100)
gen.add_chunk(b"\x90\x90\x90\xFF\xD7", is_data=True)
rule = gen.generate_rule()
rule_str = rule.get_rule_string()
print(rule_str)
```
## Standalone Tool
mkYARA comes with a standalone tool that is cross platform, as in, it can create signatures for Windows binaries running under Linux.
```commandline
usage: mkyara [-h] [-i {x86}] [-a {32,64,x86,x64}] -f FILE_PATH [-n RULENAME]
-o OFFSET -s SIZE [-m {loose,normal,strict}] [-r RESULT] [-v]
Generate a Yara rule based on disassembled code
optional arguments:
-h, --help show this help message and exit
-i {x86}, --instruction_set {x86}
Instruction set
-a {32,64,x86,x64}, --instruction_mode {32,64,x86,x64}
Instruction mode
-f FILE_PATH, --file_path FILE_PATH
Sample file path
-n RULENAME, --rulename RULENAME
Generated rule name
-o OFFSET, --offset OFFSET
File offset for signature
-s SIZE, --size SIZE Size of desired signature
-m {loose,normal,strict}, --mode {loose,normal,strict}
Wildcard mode for yara rule generation
loose = wildcard all operands
normal = wildcard only displacement operands
strict = wildcard only jmp/call addresses
-r RESULT, --result RESULT
Output file
-v, --verbose Increase verbosity
```
## IDA Plugin
mkYARA comes with a IDA plugin to easily create YARA signatures by selecting a set of instructions and choosing one of the mkYARA -> Generate YARA rule options. Installation is as easy as installing the pip package and copying the mkyara_plugin.py to your IDA plugin directory.
%package -n python3-mkYARA
Summary: Generating YARA rules based on binary code
Provides: python-mkYARA
BuildRequires: python3-devel
BuildRequires: python3-setuptools
BuildRequires: python3-pip
%description -n python3-mkYARA
# mkYARA
Writing YARA rules based on executable code within malware can be a tedious task. An analyst cannot simply copy and paste raw executable code into a YARA rule, because this code contains variable values, such as memory addresses and offsets. The analyst has to disassemble the code and wildcard all the pieces in the code that can change between samples. mkYARA aims to automate this part of writing rules by generating executable code signatures that wildcard all these little pieces of executable code that are not static.
## Installation
Installation is as easy as installing the pip package.
```
pip install mkyara
```
## Usage
```python
import codecs
from capstone import CS_ARCH_X86, CS_MODE_32
from mkyara import YaraGenerator
gen = YaraGenerator("normal", CS_ARCH_X86, CS_MODE_32)
gen.add_chunk(b"\x90\x90\x90", offset=1000)
gen.add_chunk(codecs.decode("6830800000E896FEFFFFC3", "hex"), offset=0x100)
gen.add_chunk(b"\x90\x90\x90\xFF\xD7", is_data=True)
rule = gen.generate_rule()
rule_str = rule.get_rule_string()
print(rule_str)
```
## Standalone Tool
mkYARA comes with a standalone tool that is cross platform, as in, it can create signatures for Windows binaries running under Linux.
```commandline
usage: mkyara [-h] [-i {x86}] [-a {32,64,x86,x64}] -f FILE_PATH [-n RULENAME]
-o OFFSET -s SIZE [-m {loose,normal,strict}] [-r RESULT] [-v]
Generate a Yara rule based on disassembled code
optional arguments:
-h, --help show this help message and exit
-i {x86}, --instruction_set {x86}
Instruction set
-a {32,64,x86,x64}, --instruction_mode {32,64,x86,x64}
Instruction mode
-f FILE_PATH, --file_path FILE_PATH
Sample file path
-n RULENAME, --rulename RULENAME
Generated rule name
-o OFFSET, --offset OFFSET
File offset for signature
-s SIZE, --size SIZE Size of desired signature
-m {loose,normal,strict}, --mode {loose,normal,strict}
Wildcard mode for yara rule generation
loose = wildcard all operands
normal = wildcard only displacement operands
strict = wildcard only jmp/call addresses
-r RESULT, --result RESULT
Output file
-v, --verbose Increase verbosity
```
## IDA Plugin
mkYARA comes with a IDA plugin to easily create YARA signatures by selecting a set of instructions and choosing one of the mkYARA -> Generate YARA rule options. Installation is as easy as installing the pip package and copying the mkyara_plugin.py to your IDA plugin directory.
%package help
Summary: Development documents and examples for mkYARA
Provides: python3-mkYARA-doc
%description help
# mkYARA
Writing YARA rules based on executable code within malware can be a tedious task. An analyst cannot simply copy and paste raw executable code into a YARA rule, because this code contains variable values, such as memory addresses and offsets. The analyst has to disassemble the code and wildcard all the pieces in the code that can change between samples. mkYARA aims to automate this part of writing rules by generating executable code signatures that wildcard all these little pieces of executable code that are not static.
## Installation
Installation is as easy as installing the pip package.
```
pip install mkyara
```
## Usage
```python
import codecs
from capstone import CS_ARCH_X86, CS_MODE_32
from mkyara import YaraGenerator
gen = YaraGenerator("normal", CS_ARCH_X86, CS_MODE_32)
gen.add_chunk(b"\x90\x90\x90", offset=1000)
gen.add_chunk(codecs.decode("6830800000E896FEFFFFC3", "hex"), offset=0x100)
gen.add_chunk(b"\x90\x90\x90\xFF\xD7", is_data=True)
rule = gen.generate_rule()
rule_str = rule.get_rule_string()
print(rule_str)
```
## Standalone Tool
mkYARA comes with a standalone tool that is cross platform, as in, it can create signatures for Windows binaries running under Linux.
```commandline
usage: mkyara [-h] [-i {x86}] [-a {32,64,x86,x64}] -f FILE_PATH [-n RULENAME]
-o OFFSET -s SIZE [-m {loose,normal,strict}] [-r RESULT] [-v]
Generate a Yara rule based on disassembled code
optional arguments:
-h, --help show this help message and exit
-i {x86}, --instruction_set {x86}
Instruction set
-a {32,64,x86,x64}, --instruction_mode {32,64,x86,x64}
Instruction mode
-f FILE_PATH, --file_path FILE_PATH
Sample file path
-n RULENAME, --rulename RULENAME
Generated rule name
-o OFFSET, --offset OFFSET
File offset for signature
-s SIZE, --size SIZE Size of desired signature
-m {loose,normal,strict}, --mode {loose,normal,strict}
Wildcard mode for yara rule generation
loose = wildcard all operands
normal = wildcard only displacement operands
strict = wildcard only jmp/call addresses
-r RESULT, --result RESULT
Output file
-v, --verbose Increase verbosity
```
## IDA Plugin
mkYARA comes with a IDA plugin to easily create YARA signatures by selecting a set of instructions and choosing one of the mkYARA -> Generate YARA rule options. Installation is as easy as installing the pip package and copying the mkyara_plugin.py to your IDA plugin directory.
%prep
%autosetup -n mkYARA-1.0.0
%build
%py3_build
%install
%py3_install
install -d -m755 %{buildroot}/%{_pkgdocdir}
if [ -d doc ]; then cp -arf doc %{buildroot}/%{_pkgdocdir}; fi
if [ -d docs ]; then cp -arf docs %{buildroot}/%{_pkgdocdir}; fi
if [ -d example ]; then cp -arf example %{buildroot}/%{_pkgdocdir}; fi
if [ -d examples ]; then cp -arf examples %{buildroot}/%{_pkgdocdir}; fi
pushd %{buildroot}
if [ -d usr/lib ]; then
find usr/lib -type f -printf "\"/%h/%f\"\n" >> filelist.lst
fi
if [ -d usr/lib64 ]; then
find usr/lib64 -type f -printf "\"/%h/%f\"\n" >> filelist.lst
fi
if [ -d usr/bin ]; then
find usr/bin -type f -printf "\"/%h/%f\"\n" >> filelist.lst
fi
if [ -d usr/sbin ]; then
find usr/sbin -type f -printf "\"/%h/%f\"\n" >> filelist.lst
fi
touch doclist.lst
if [ -d usr/share/man ]; then
find usr/share/man -type f -printf "\"/%h/%f.gz\"\n" >> doclist.lst
fi
popd
mv %{buildroot}/filelist.lst .
mv %{buildroot}/doclist.lst .
%files -n python3-mkYARA -f filelist.lst
%dir %{python3_sitelib}/*
%files help -f doclist.lst
%{_docdir}/*
%changelog
* Fri Jun 09 2023 Python_Bot <Python_Bot@openeuler.org> - 1.0.0-1
- Package Spec generated
|
