/Hyara

Yara rule making tool (IDA Pro & Binary Ninja & Cutter Plugin)

Primary LanguagePythonMIT LicenseMIT

Hyara

Version

Hyara is plugin that provides convenience when writing yararule.

The plugin is currently undergoing a major revision!

Instructions

Start Screen and Options

  • When you run Hyara, it docks itself to the right and docks the output window to the left.
  • After specifying the address, press the Make button to show the specified hexadecimal or strings as a result.
  • The results are saved in the table below when you click Save.
  • If you double-click the table, you can clear the rule.
  • Export Yara Rule
    • Exports the previously created yara rules.

  • Right Click
    • You can select either start address or end address. (IDA Pro, Cutter)

  • Comment Option
    • Annotates the instructions next to the condition rule(s).
  • Rich Header and imphash
    • Adds rich header and imphash matching to the rule.
  • String option
    • This option extracts strings within the range specified.

Installation

IDA Pro & BinaryNinja

  • IDA Pro

    pip install -r requirements.txt
    • copy Hyara_IDA.py and hyara_lib folder to $ida_dir/plugins
    • Activate via Edit -> Plugins -> Hyara (or CTRL+SHIFT+Y)

  • BinaryNinja

    • Just use the plugin manager!
    • Activate via View -> Other Docks -> Show Hyara

Cutter

  • Windows
C:\\Users\\User\\AppData\\Local\\Programs\\Python\\Python37\\python.exe -m pip install -I -t $cutter_dir/python37/site-packages -r requirements.txt

copy __init__.py, Hyara_Cutter.py and hyara_lib folder to $cutter_dir/plugins/python/Hyara

  • Linux

cp -r /tmp/.mount_Cutter5o3a5G/usr /root
pip3.9 install -I -t /root/usr/lib/python3.9/site-packages -r /root/Hyara/requirements.txt
./Cutter-v2.1.0-x64.Linux.AppImage --pythonhome /root/usr

copy __init__.py, Hyara_Cutter.py and hyara_lib folder to /root/.local/share/rizin/cutter/plugins/python/Hyara

Activate via Windows -> Plugins -> Hyara

Features

  • GUI-based
  • Supports BinaryNinja, Cutter, and IDA
  • YaraChecker
    • Tests the yararule on the fly
  • YaraDetector
    • Shows which part is detected in the sample loaded to disassembler, and when "Address" is clicked, it moves to the corresponding address on the disassembler view.
  • YaraIcon
    • Creates yara rules for icon resources embedded in the PE.

Author

👤 hyuunnn

Special Thanks