Environment and installation
Operating system: win10
Installation address: https://github.com/VirusTotal/yara/releases/tag/v4.2.0-rc1
Just under this address
Tool use
Open in cmd directory
Command:
yara my_rule my_file
The first parameter is your yara rule file, and the second parameter is the detection file, which can be a directory
yara rule writing
Each rule of yara consists of a series of strings and a bool expression, and all of them have keywords.
Rules are composed of letters, numbers and underscores. The first character of a string cannot be a number, and a single description cannot exceed 128 characters
yara's basic rules are defined as follows:
rule ExampleRule
{
strings:
$my_text_string = "text here"
$my_hex_string = {E2 34 A1 C8 23 FB}
condition:
$my_text_string or $my_hex_string
}
The string area is not required and the condition area is required.
There can be rules with only conditional areas, such as:
rule Dummy
{
condition:
true
}
strings section
Three kinds of Strings can be used in the Strings section: text string, hexadecimal string and regular expression.
Text string: used to define the readable part of a file or memory;
Hexadecimal string: used to define hexadecimal byte content;
Regular expression: can be used in text string and hexadecimal string.
Text string adopts""quote;
Hexadecimal use{}Reference, each hexadecimal character is separated by a space, and can only contain hexadecimal characters;
Regular expressions can be used directly in text strings and hexadecimal strings, or alone//quote.
Escape
The escape of string is directly consistent with that of other languages.
Case
yara is case sensitive by default. You can use the nocase keyword to make yara case insensitive.
For example:
rule NocaseTextExample
{
strings:
$text_string ="foobar" nocase //Foobar can be replaced by foobar, foobar, etc
condition:
$text_string
}
Character set representation
If a character is represented by two bytes in the target file, that is, in the form of wide characters, the wide keyword can be used to represent the text string. If you want to represent both wide characters and ASCII code, you can use the ASCII keyword again.
For example:
rule WideAsciiTextExample
{
strings:
$text_string ="foobar" nocase wide ascii
condition:
$text_string
}
Match a single phrase text string
If you want to match a single phrase text string, you can use the fullword keyword.
For example:
rule FullwordTextExample
{
strings:
$text_string = "foobar"fullword
condition:
$text_string
}
/*
abcfoobar
foobar-abc
foobar.abc
In the above three cases, only the third case will be matched
*/
condition section
The condition part usually consists of a bool type expression. If the expression is true, it will be detected; otherwise, it cannot be detected.
The expression consists of bool operator, relational operator, arithmetic operator, bitwise operator and yara keyword.
Keywords involved in the condition part and their usage.
#Used to indicate the number of occurrences
rule CountExample
{
strings:
$a = "dummy1"
$b = "dummy2"
condition:
#a == 6 and #b > 10
}
/*
Replace $with #
#a Represents the number of occurrences of $a
*/
in
in: used to determine the range of offset addresses relative to files or processes.
rule InExample
{
strings:
$a = "dummy1"
$b = "dummy2"
condition:
$a in (0..100) and $b in (100..filesize)
}
/*
$a Appears at offset address 0~0x100 and $b appears after 0x100
*/
filesize
filesize represents the file size. If the target is not a file, it will be ignored
rule FileSizeExample
{
condition:
filesize > 200KB
}
at
Represents the offset position or virtual address of the string in the file
rule CountExample
{
strings:
$a = "text1"
$b = "text2"
$c = "text3"
condition:
$a at 100 and $b at 0x004C0000 and $cat 300
}
entrypoint
Indicates the file entry point, which is applicable to PE files, ELF files and running programs
This variable has been deprecated in yara3 Completely discarded after 0
rule FileSizeExample
{
string:
$a = {E8 00 00 00}
condition:
$a at entrypoint
}
int8/16/32,uint8/16/32
Access the corresponding data type at the corresponding address. If you want to read a large integer, use the corresponding function be ending with
int8(<offset or virtualaddress>) int16(<offset or virtualaddress>) int32(<offset or virtualaddress>) uint8(<offset or virtualaddress>) uint16(<offset or virtualaddress>) uint32(<offset or virtual address>)
For example:
rule IsPE
{
condition:
// MZ signature at offset 0
uint16(0) == 0x5A4D and
// PE signature at offset stored in MZheader at 0x3C
uint32(uint32(0x3C)) == 0×00004550
}
of
aggregate
rule Example
{
strings:
$a = "dummy1"
$b = "dummy2"
$c = "dummy3"
condtion:
2 of ($a,$b,$c) //When two strings in $a$b$c exist in the file, it indicates a match
}
??
Match one byte unknown, i.e. wildcard
?
Match half byte unknowns, that is, wildcards
[X-Y]
The character length can be matched in the range of X to Y
Limit: x < = y;
If X=Y, [x] is equivalent to [X-Y];
Starting with YARA 2.0, unbounded jumps like [X -] or [- X] can also be used
rule JumpExample
{
strings:
$hex_string = { F4 23 [4-6] 62 B4 }
condition:
$hex_string
}
/*
F4 23 01 02 03 04 62 B4
F4 23 00 00 00 00 00 62 B4
F4 23 15 82 A3 04 45 22 62 B4
The above three strings can match
*/
them/($*)
You can use them / ($*) to refer to all rules
rule OfExample4
{
strings:
$a = "dummy1"
$b = "dummy2"
$c = "dummy3"
condition:
1 of them // equivalent to 1 of ($*)
}
@
@Used to represent the offset or virtual address of a string in a file or memory
@a[i] indicates the offset or virtual address of the string a for the ith time in the file or memory
If i is greater than the actual number of occurrences, NaN(not a number) will be returned
rule OfExample4
{
strings:
$a = "dummy1"
$b = "dummy2"
$c = "dummy3"
condition:
@a[1]=0x123456
}
!
! Used to represent the length of a string that appears in a file or memory
The usage is basically the same as @
!a=!a[1]
rule OfExample4
{
strings:
$a = "dummy1"
$b = "dummy2"
$c = "dummy3"
condition:
!a[1]=0x123456
}
for xxx of xxx : (xxx)
Use for n of ($a, $B, $C): ($at entrypoint) to indicate that n strings in the character set meet the conditions
$is used to refer to each string in the character set, others such as @# And so on
rule OfExample4
{
strings:
$a1 = "dummy1"
$a2 = "dummy2"
$a3 = "dummy3"
condition:
for 2 of ($a*) : ($ at entrypoint)
}
for xxx i in (xxx) : (xxx)
The function usage is basically consistent with the previous one
rule OfExample4
{
strings:
$a1 = "dummy1"
$a2 = "dummy2"
$a3 = "dummy3"
condition:
for 2 i in (1..#a) : ( @a[i] < 100 ) // Traverse all locations where $a appears, and the offset should be less than 100
}
Other yara keywords
yara keyword is as follows:
global
Global rule: global rule with the highest priority
private
Private rule: private rule. No matching information will be output during matching
TagRule
rule TagRule: the rule tag allows you to display only the rules you are interested in when YARA outputs, and filter out the output information of other rules
You can add multiple tags to a rule
rule TagRule : dummy1 dummy 2
{
strings:
$a = "dummy1"
$b = "dummy2"
condition:
$a and $b
}
Reference rule
In another rule, you can reference it directly
import
You can use import to import other modules, which can be third-party or official modules, or modules written by yourself
include
This part is similar to C language and can be used to contain other rule files
notes
yara uses / / for single line comments and / * * / for multi line comments.
mate
mate is an optional part of yara to place additional information about the rule
External variable
Can be used in Ext_ Add an external variable to VaR, which can be directly referenced when writing rules