%global _empty_manifest_terminate_build 0
Name:		python-mkYARA
Version:	1.0.0
Release:	1
Summary:	Generating YARA rules based on binary code
License:	GPLv3
URL:		https://pypi.org/project/mkYARA/
Source0:	https://mirrors.aliyun.com/pypi/web/packages/b0/2e/da30e5e4ae94eaacf88b41ea776b7228df97a7cbd931da2c1e112020f317/mkYARA-1.0.0.tar.gz
BuildArch:	noarch


%description
# mkYARA
Writing YARA rules based on executable code within malware can be a tedious task. An analyst cannot simply copy and paste raw executable code into a YARA rule, because this code contains variable values, such as memory addresses and offsets. The analyst has to disassemble the code and wildcard all the pieces in the code that can change between samples. mkYARA aims to automate this part of writing rules by generating executable code signatures that wildcard all these little pieces of executable code that are not static.

## Installation
Installation is as easy as installing the pip package.
``` 
pip install mkyara
```

## Usage
```python
import codecs
from capstone import CS_ARCH_X86, CS_MODE_32
from mkyara import YaraGenerator

gen = YaraGenerator("normal", CS_ARCH_X86, CS_MODE_32)
gen.add_chunk(b"\x90\x90\x90", offset=1000)
gen.add_chunk(codecs.decode("6830800000E896FEFFFFC3", "hex"), offset=0x100)
gen.add_chunk(b"\x90\x90\x90\xFF\xD7", is_data=True)
rule = gen.generate_rule()
rule_str = rule.get_rule_string()
print(rule_str)
```

## Standalone Tool
mkYARA comes with a standalone tool that is cross platform, as in, it can create signatures for Windows binaries running under Linux. 

```commandline
usage: mkyara [-h] [-i {x86}] [-a {32,64,x86,x64}] -f FILE_PATH [-n RULENAME]
              -o OFFSET -s SIZE [-m {loose,normal,strict}] [-r RESULT] [-v]

Generate a Yara rule based on disassembled code

optional arguments:
  -h, --help            show this help message and exit
  -i {x86}, --instruction_set {x86}
                        Instruction set
  -a {32,64,x86,x64}, --instruction_mode {32,64,x86,x64}
                        Instruction mode
  -f FILE_PATH, --file_path FILE_PATH
                        Sample file path
  -n RULENAME, --rulename RULENAME
                        Generated rule name
  -o OFFSET, --offset OFFSET
                        File offset for signature
  -s SIZE, --size SIZE  Size of desired signature
  -m {loose,normal,strict}, --mode {loose,normal,strict}
                        Wildcard mode for yara rule generation
                        loose = wildcard all operands
                        normal = wildcard only displacement operands
                        strict = wildcard only jmp/call addresses
  -r RESULT, --result RESULT
                        Output file
  -v, --verbose         Increase verbosity

```


## IDA Plugin
mkYARA comes with a IDA plugin to easily create YARA signatures by selecting a set of instructions and choosing one of the mkYARA -> Generate YARA rule options. Installation is as easy as installing the pip package and copying the mkyara_plugin.py to your IDA plugin directory.

%package -n python3-mkYARA
Summary:	Generating YARA rules based on binary code
Provides:	python-mkYARA
BuildRequires:	python3-devel
BuildRequires:	python3-setuptools
BuildRequires:	python3-pip
%description -n python3-mkYARA
# mkYARA
Writing YARA rules based on executable code within malware can be a tedious task. An analyst cannot simply copy and paste raw executable code into a YARA rule, because this code contains variable values, such as memory addresses and offsets. The analyst has to disassemble the code and wildcard all the pieces in the code that can change between samples. mkYARA aims to automate this part of writing rules by generating executable code signatures that wildcard all these little pieces of executable code that are not static.

## Installation
Installation is as easy as installing the pip package.
``` 
pip install mkyara
```

## Usage
```python
import codecs
from capstone import CS_ARCH_X86, CS_MODE_32
from mkyara import YaraGenerator

gen = YaraGenerator("normal", CS_ARCH_X86, CS_MODE_32)
gen.add_chunk(b"\x90\x90\x90", offset=1000)
gen.add_chunk(codecs.decode("6830800000E896FEFFFFC3", "hex"), offset=0x100)
gen.add_chunk(b"\x90\x90\x90\xFF\xD7", is_data=True)
rule = gen.generate_rule()
rule_str = rule.get_rule_string()
print(rule_str)
```

## Standalone Tool
mkYARA comes with a standalone tool that is cross platform, as in, it can create signatures for Windows binaries running under Linux. 

```commandline
usage: mkyara [-h] [-i {x86}] [-a {32,64,x86,x64}] -f FILE_PATH [-n RULENAME]
              -o OFFSET -s SIZE [-m {loose,normal,strict}] [-r RESULT] [-v]

Generate a Yara rule based on disassembled code

optional arguments:
  -h, --help            show this help message and exit
  -i {x86}, --instruction_set {x86}
                        Instruction set
  -a {32,64,x86,x64}, --instruction_mode {32,64,x86,x64}
                        Instruction mode
  -f FILE_PATH, --file_path FILE_PATH
                        Sample file path
  -n RULENAME, --rulename RULENAME
                        Generated rule name
  -o OFFSET, --offset OFFSET
                        File offset for signature
  -s SIZE, --size SIZE  Size of desired signature
  -m {loose,normal,strict}, --mode {loose,normal,strict}
                        Wildcard mode for yara rule generation
                        loose = wildcard all operands
                        normal = wildcard only displacement operands
                        strict = wildcard only jmp/call addresses
  -r RESULT, --result RESULT
                        Output file
  -v, --verbose         Increase verbosity

```


## IDA Plugin
mkYARA comes with a IDA plugin to easily create YARA signatures by selecting a set of instructions and choosing one of the mkYARA -> Generate YARA rule options. Installation is as easy as installing the pip package and copying the mkyara_plugin.py to your IDA plugin directory.

%package help
Summary:	Development documents and examples for mkYARA
Provides:	python3-mkYARA-doc
%description help
# mkYARA
Writing YARA rules based on executable code within malware can be a tedious task. An analyst cannot simply copy and paste raw executable code into a YARA rule, because this code contains variable values, such as memory addresses and offsets. The analyst has to disassemble the code and wildcard all the pieces in the code that can change between samples. mkYARA aims to automate this part of writing rules by generating executable code signatures that wildcard all these little pieces of executable code that are not static.

## Installation
Installation is as easy as installing the pip package.
``` 
pip install mkyara
```

## Usage
```python
import codecs
from capstone import CS_ARCH_X86, CS_MODE_32
from mkyara import YaraGenerator

gen = YaraGenerator("normal", CS_ARCH_X86, CS_MODE_32)
gen.add_chunk(b"\x90\x90\x90", offset=1000)
gen.add_chunk(codecs.decode("6830800000E896FEFFFFC3", "hex"), offset=0x100)
gen.add_chunk(b"\x90\x90\x90\xFF\xD7", is_data=True)
rule = gen.generate_rule()
rule_str = rule.get_rule_string()
print(rule_str)
```

## Standalone Tool
mkYARA comes with a standalone tool that is cross platform, as in, it can create signatures for Windows binaries running under Linux. 

```commandline
usage: mkyara [-h] [-i {x86}] [-a {32,64,x86,x64}] -f FILE_PATH [-n RULENAME]
              -o OFFSET -s SIZE [-m {loose,normal,strict}] [-r RESULT] [-v]

Generate a Yara rule based on disassembled code

optional arguments:
  -h, --help            show this help message and exit
  -i {x86}, --instruction_set {x86}
                        Instruction set
  -a {32,64,x86,x64}, --instruction_mode {32,64,x86,x64}
                        Instruction mode
  -f FILE_PATH, --file_path FILE_PATH
                        Sample file path
  -n RULENAME, --rulename RULENAME
                        Generated rule name
  -o OFFSET, --offset OFFSET
                        File offset for signature
  -s SIZE, --size SIZE  Size of desired signature
  -m {loose,normal,strict}, --mode {loose,normal,strict}
                        Wildcard mode for yara rule generation
                        loose = wildcard all operands
                        normal = wildcard only displacement operands
                        strict = wildcard only jmp/call addresses
  -r RESULT, --result RESULT
                        Output file
  -v, --verbose         Increase verbosity

```


## IDA Plugin
mkYARA comes with a IDA plugin to easily create YARA signatures by selecting a set of instructions and choosing one of the mkYARA -> Generate YARA rule options. Installation is as easy as installing the pip package and copying the mkyara_plugin.py to your IDA plugin directory.

%prep
%autosetup -n mkYARA-1.0.0

%build
%py3_build

%install
%py3_install
install -d -m755 %{buildroot}/%{_pkgdocdir}
if [ -d doc ]; then cp -arf doc %{buildroot}/%{_pkgdocdir}; fi
if [ -d docs ]; then cp -arf docs %{buildroot}/%{_pkgdocdir}; fi
if [ -d example ]; then cp -arf example %{buildroot}/%{_pkgdocdir}; fi
if [ -d examples ]; then cp -arf examples %{buildroot}/%{_pkgdocdir}; fi
pushd %{buildroot}
if [ -d usr/lib ]; then
	find usr/lib -type f -printf "\"/%h/%f\"\n" >> filelist.lst
fi
if [ -d usr/lib64 ]; then
	find usr/lib64 -type f -printf "\"/%h/%f\"\n" >> filelist.lst
fi
if [ -d usr/bin ]; then
	find usr/bin -type f -printf "\"/%h/%f\"\n" >> filelist.lst
fi
if [ -d usr/sbin ]; then
	find usr/sbin -type f -printf "\"/%h/%f\"\n" >> filelist.lst
fi
touch doclist.lst
if [ -d usr/share/man ]; then
	find usr/share/man -type f -printf "\"/%h/%f.gz\"\n" >> doclist.lst
fi
popd
mv %{buildroot}/filelist.lst .
mv %{buildroot}/doclist.lst .

%files -n python3-mkYARA -f filelist.lst
%dir %{python3_sitelib}/*

%files help -f doclist.lst
%{_docdir}/*

%changelog
* Fri Jun 09 2023 Python_Bot <Python_Bot@openeuler.org> - 1.0.0-1
- Package Spec generated