hyuunnn / hyara
Yara rule making tool (IDA Pro & Binary Ninja & Cutter & Ghidra Plugin)
License: MIT License
Radare2 is a highly portable cross-platform reverse engineering framework and a toolkit without dependencies. It has support for analyzing binaries, disassembling code, debugging programs, attaching to remote GDB/LLDB and WinDbg servers, a rich plugin system (see r2pm), and integration with various decompilers. It is actively developed and can be easily integrated in various open source and commercial products. I believe it will be highly beneficial to support these and provide a package for install from r2pm; see the package repository here: https://github.com/radareorg/radare2-pm
For documentation on writing plugins for radare2 see the Scripting and Plugins chapters of the Radare2 Book. Radare2 already has Yara plugins:
- r2pm install r2yara for installing Yara with the r2 plugin inside
- r2pm install yara-r2 for installing the Yara plugin for radare2 itself
- the pcy command of radare2 to print the data in the Yara format
Cutter is a cross-platform Qt/C++ GUI frontend to radare2:
For documentation on writing plugins for Cutter see the official tutorial and the curated list of various popular plugins.
It will be developed in Java (using Swing).
Can you split out the Binary Ninja plugin as a sub module so that it can be directly added to the plugin manager?
See: https://binary.ninja/2019/07/04/plugin-manager-2.0.html for more information.
If you keep updating your old release but keep the version number the same, Binary Ninja users who use the plugin manager won't get any updates they need to update their plugin. You need to actually increment the plugin version number so that the plugin manager knows to update.
You might find this tool helpful for automating that:
Just realized that this is my own theme question.
First: thank you for writing Hyara, it's a pretty useful tool.
Maybe I did something wrong, but the plugin didn't run after cloning from master, because of missing imports.
After looking into the source, I noticed that the imports of IDA functionality were a mix of wildcard imports and pure module imports, which results in inconsistent code. I think it's probably a good idea to import module-wise and call it explicitly as a module function. In my opinion, the code becomes more readable and maintainable this way.
I started to convert it, fixed the missing imports and will open a pull request.
Hyara fails to work with IDA Pro 7.5 and Python 3. As Python 2 is no longer supported, it would be worth an update to Hyara.
Be aware that for now yara-python can't automatically install from PIP on macOS in some configurations (likely homebrew related) until a new release is triggered:
The work-around described at the end of the issue works for me. To adapt to the runtime environment of BN, copy/paste the log and add the appropriate environment variables (assuming a homebrew python). Something like:
CFLAGS="-I/opt/homebrew/opt/openssl/include" LDFLAGS="-L/opt/homebrew/opt/openssl/lib" \
  /opt/homebrew/Cellar/python@3.11/3.11.6/Frameworks/Python.framework/Versions/3.11/bin/python3.11 \
  -m pip --isolated --disable-pip-version-check install --upgrade --upgrade-strategy only-if-needed \
  --target "/Users/jwiens/Library/Application Support/Binary Ninja/python311/site-packages" "yara-python>=4.3.0"
Because when this window is present, I cannot operate my original IDA window; it keeps focus on the detector window.
Using yara-python 4.3.1 on IDA 8.3, Yara Checker raises a "'yara.StringMatch' object is not subscriptable" error.
This is probably because the way yara-python reports matches has changed between version 4.2.3 and version 4.3.0.
In version 4.2.3 the yara.Match object contained an attribute strings which was a list of tuples. In version 4.3.0 (and presumably any future version) the match object contains an attribute strings which is a list of yara.StringMatchInstance values.
Similar issue: volatilityfoundation/volatility3#932
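The version-dependent shape of match.strings described in the issue above can be absorbed by one helper, so a rule-building tool reads hits the same way on both sides of the 4.3.0 change. This is an added example, not Hyara's own code; it assumes the pre-4.3.0 tuple layout (offset, identifier, data) and the 4.3.0 layout of yara.StringMatch objects carrying .identifier and .instances of yara.StringMatchInstance with .offset and .matched_data, and it uses constructed stand-in objects so it runs without yara-python installed.

```python
"""Read yara-python match strings the same way before and after the 4.3.0 API change."""
from collections import namedtuple

# One record per matched string occurrence, independent of the yara-python version.
StringHit = namedtuple("StringHit", "identifier offset data")


def iter_string_hits(match):
    """Yield a StringHit for every string occurrence in a yara.Match.

    yara-python <= 4.2.3: match.strings is a list of (offset, identifier, data) tuples.
    yara-python >= 4.3.0: match.strings is a list of yara.StringMatch objects; each has
    .identifier and .instances (yara.StringMatchInstance with .offset and .matched_data).
    Indexing a StringMatch as if it were a tuple is what raises the
    "'yara.StringMatch' object is not subscriptable" TypeError from the issue.
    """
    for entry in match.strings:
        if isinstance(entry, tuple):          # old API: (offset, identifier, data)
            offset, identifier, data = entry
            yield StringHit(identifier, offset, bytes(data))
        else:                                 # new API: StringMatch with .instances
            for inst in entry.instances:
                yield StringHit(entry.identifier, inst.offset, bytes(inst.matched_data))


def to_yara_hex(data):
    """Render matched bytes as a YARA hex string, e.g. b"MZ" -> "{ 4D 5A }"."""
    return "{ " + " ".join(f"{b:02X}" for b in data) + " }"


def unique_strings(match):
    """Map each string identifier to its YARA hex form, deduplicated across instances."""
    return {hit.identifier: to_yara_hex(hit.data) for hit in iter_string_hits(match)}


# Constructed stand-ins for yara.Match / yara.StringMatch / yara.StringMatchInstance so the
# example runs without yara-python installed; attribute names mirror the real objects.
class _Instance:
    def __init__(self, offset, matched_data):
        self.offset, self.matched_data = offset, matched_data

class _StringMatch:
    def __init__(self, identifier, instances):
        self.identifier, self.instances = identifier, instances

class _Match:
    def __init__(self, rule, strings):
        self.rule, self.strings = rule, strings

# The same hits as a 4.2.3-style match and as a 4.3.0-style match (constructed sample data).
OLD_STYLE = _Match("demo", [(0x10, "$a", b"MZ"), (0x40, "$b", b"PE\x00\x00")])
NEW_STYLE = _Match("demo", [_StringMatch("$a", [_Instance(0x10, b"MZ")]),
                            _StringMatch("$b", [_Instance(0x40, b"PE\x00\x00"),
                                                _Instance(0x80, b"PE\x00\x00")])])
```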