Hacking 101: Introduction to YARA rules

rule test
{
    meta:
        description = "Example"
        threat_level = "x"   // meta values must be quoted strings, integers or booleans
    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "PEJXQZAKCBGMTUVODFRYSIHLNW"
    condition:
        ($a or $b) and $c   // only strings declared in the strings section may be used here
}

rule Example_Rule
{
    strings:
        $my_text_string = "text"
        $my_hex_string = { E2 34 A1 C8 23 FB }
    condition:
        $my_text_string or $my_hex_string
}

Comments:

YARA rules can contain comments in the same style as C source code; both single-line and multi-line comments can be used in YARA rules.

/*
This is a multi-line comment.
*/
rule Example // this is a single-line comment
{
    condition:
        true   // the boolean literal is lowercase in YARA
}

Strings:

There are three types of strings in YARA: hexadecimal strings, text strings and regular expressions.
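As an added example (not code from the original post), the rule below declares one string of each type. It goes slightly beyond the post by also showing a wildcard byte (`??`) and a jump (`[2-4]`) inside a hex string, and the `nocase`, `ascii` and `wide` modifiers on a text string. All byte patterns and strings are constructed for illustration and are not indicators from any real sample.

```yara
// Added example: one rule showing the three YARA string types.
// Every pattern below is made up for illustration.
rule string_types_example
{
    strings:
        // Hexadecimal string: ?? is a wildcard byte and [2-4] is a jump
        // of two to four arbitrary bytes, so one pattern tolerates small
        // variations between samples.
        $hex = { 6A 40 68 ?? 30 00 00 6A [2-4] 8D 91 }

        // Text string: nocase ignores case; ascii and wide make it match
        // both the single-byte and the UTF-16LE encoding of the text.
        $txt = "config-block-v1" nocase ascii wide

        // Regular expression, delimited by forward slashes.
        $re  = /config_[0-9]{4}\.tmp/ nocase

    condition:
        $hex or $txt or $re
}
```

Modifiers matter for detection coverage: a plain `"config-block-v1"` would miss the same text stored as UTF-16, which is how many Windows programs keep their strings.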

Conditions:

Conditions are simply Boolean expressions like those found in every programming language, for instance in an if statement. They can contain the usual Boolean operators and, or and not, and the relational operators >=, <=, <, >, == and !=. Additionally, the arithmetic operators (+, -, *, \, %) and the bitwise operators (&, |, <<, >>, ~, ^) can be used on numerical expressions.

rule condition_Example
{
    strings:
        $a = "text1"
        $b = "text2"
        $c = "text3"
        $d = "text4"
    condition:
        ($a or $b) and ($c or $d)
}
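The rule above only combines string matches. As an added example that is not part of the original post, the rule below uses the relational, arithmetic and bitwise operators on numeric values: the built-in `filesize`, the `uintN(offset)` functions that read little-endian integers from the scanned data, and the `#a` syntax that counts occurrences of a string. The offsets used are the standard MZ/PE header layout; the string values are constructed.

```yara
// Added example: numeric operators in a condition.
rule condition_operators_example
{
    strings:
        $a = "text1"   // constructed sample strings
        $b = "text2"

    condition:
        // Relational operators on built-in values: uint16(0) reads the
        // 16-bit little-endian integer at offset 0; 0x5A4D is "MZ".
        uint16(0) == 0x5A4D and
        filesize < 2MB and

        // Arithmetic inside an offset: uint32(0x3C) holds the offset of
        // the PE header, whose signature "PE\0\0" is 0x00004550.
        uint32(uint32(0x3C)) == 0x00004550 and

        // Bitwise AND: the Characteristics field sits 22 bytes into the
        // PE header; bit 0x2000 (IMAGE_FILE_DLL) marks the file as a DLL.
        (uint16(uint32(0x3C) + 22) & 0x2000) != 0 and

        // Counts: #a is the number of times $a occurs. Arithmetic
        // operators work on counts too (\ is integer division).
        (#a + #b) >= 3 and (#a \ 2) >= 1
}
```

Reading header fields this way is cheaper and more robust than matching the header bytes as strings, and it lets a rule assert file-type structure before it spends time on content strings.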

String offsets:

In most cases, when a string identifier is used in a condition, we only want to know whether the associated string appears anywhere within the file or process memory, but sometimes we need to know whether the string is at some specific offset in the file or at some virtual address within the process address space. In such situations the operator at is what we need. This operator is used as shown in the following example:
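As an added example (not code from the original post), the rule below uses `at` to pin a string to an exact offset, `in` to restrict a match to an offset range, and the `@a[i]` syntax to read the offset of the i-th match of a string. The `"MZ"` and `"PE\0\0"` patterns are the standard executable header signatures; the marker string is constructed for illustration.

```yara
// Added example: offset-aware conditions.
rule string_offset_example
{
    strings:
        $mz  = "MZ"
        $sig = { 50 45 00 00 }       // "PE\0\0"
        $cfg = "config-block-v1"     // constructed marker, not a real indicator

    condition:
        // "at" requires the string at exactly this offset in the file
        // (or at this virtual address when scanning a process).
        $mz at 0 and

        // The offset given to "at" can be computed: uint32(0x3C) is the
        // offset of the PE header in the MZ stub.
        $sig at uint32(0x3C) and

        // "in" restricts the match to an offset range.
        $cfg in (0..4096) and

        // @cfg[1] is the offset of the first occurrence of $cfg. If $cfg
        // never matches the value is undefined and the comparison is false.
        @cfg[1] > @sig[1]
}
```

Pinning a string to an offset or range removes a common source of false positives: a marker that is meaningful inside a header is often harmless when it merely appears somewhere in a data section.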

Conclusion:

To put it plainly, YARA is flexible, powerful and accessible. Its learning curve is gentle and its range of application is wide. In a world where your adversary hides in plain sight and around the corner, it has uncanny detection capability to illuminate the suspicious, the malicious or the plain interesting. If it hasn't found a home in your toolbox yet, you should always demand the best.

Wanna connect:

Linkedin: https://www.linkedin.com/in/akshay-jain-533a79111/
