
plusvic's blog

YARA 1.5 released

A new version of YARA has been released. This version provides some new features, including:

* Process memory scanning
* Support for ELF files
* Faster regular expressions by using RE2 instead of PCRE

For more information visit:
http://code.google.com/p/yara-project

YARA 1.4 released

A new version of YARA has been released. This version improves scanning speed and fixes an annoying bug that caused crashes on 64-bit Windows. It also introduces external variables, a feature that lets you write rules that depend on values supplied from outside the rule file at scan time.

Get the latest documentation here

YARA 1.3 released

I'm glad to announce a new version of YARA which includes three new major features, some of them inspired by requests and suggestions from users. They are:

* C-style includes. Now you can include a YARA source file into another just like you do in your C programs with the #include pre-processor directive.

* Metadata in rules. Rules can now carry associated metadata as identifier/value pairs. Metadata values can be strings, integers or booleans, and they can be read back later from the yara-python extension.

* Multi-source compilation in yara-python. A group of YARA source files can be compiled together in yara-python. In this way rules from different sources can be matched at the same time against your data, which is more efficient than compiling and matching each source independently.

Here is an example of the "include" and "metadata" features:

include "./includes/some_other_rules.yar"

rule silent_banker : banker
{
    meta:
        description = "This is just an example"
        thread_level = 3
        in_the_wild = true

    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
    condition:
        $a or $b or $c
}

For more info:
http://code.google.com/p/yara-project/

YARA v1.2 released

A new version of YARA has been released. This version introduces some bug fixes and new features, such as:

* Sub-string alternatives in hex strings.
* Global rules.
* Enhanced "of" operator and a new "for..of" operator.
* Anonymous strings.
* uintXX and intXX functions to read integers from a given offset.
* yara-python improvements.

I've also started to create some rules for packer identification based on PEiD's signatures; there are just a few for now, but I expect to include more in the future.
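As an added example (not code from the page or from the YARA project), the rule set below exercises the 1.2 features listed above, the external variables introduced in 1.4 and the ELF support from 1.5. Every byte pattern, string value and the external variable name sample_source are constructed for illustration and match no particular malware family.

```yara
// Global rule: every other rule in this file only matches if this one does.
// uint16()/uint32() read little-endian integers at an offset, so "MZ" at
// offset 0 reads as 0x5A4D and "\x7fELF" reads as 0x464C457F.
global rule executable_image
{
    condition:
        uint16(0) == 0x5A4D or uint32(0) == 0x464C457F
}

rule silent_banker_variants : banker
{
    meta:
        description = "Constructed example of hex alternatives and anonymous strings"

    strings:
        // Sub-string alternatives: either "00 30" or "00 40" is accepted at
        // that position; ?? is a single wildcard byte.
        $push_seq = { 6A 40 68 ( 00 30 | 00 40 ) 00 00 6A ?? 8D 91 }
        // Anonymous strings: no name is needed when only "them" refers to them.
        $ = "UVODFRYSIHLNWPEJXQZAKCBGMT"
        $ = "OULTDYNSAFMWJQCXRBGPZIHEKV"   // constructed second alphabet
    condition:
        // Enhanced "of": any of the strings above, plus the hex sequence
        // occurring more than once (# is the match count of a string).
        any of them and #push_seq > 1
}

rule repeated_markers
{
    strings:
        $m1 = "MARKER_A"   // constructed marker
        $m2 = "MARKER_B"   // constructed marker
    condition:
        // for..of: the body is evaluated once per string in the set, with
        // # bound to that string's match count; every one must repeat.
        for all of ($m*) : ( # >= 2 )
}

// External variable: sample_source is not declared in the rule file but
// supplied at scan time, e.g.  yara -d sample_source=honeypot rules.yar file
// The nested uint32 follows e_lfanew to the "PE\0\0" signature (0x00004550).
rule honeypot_pe_sample
{
    condition:
        sample_source == "honeypot" and uint32(uint32(0x3C)) == 0x00004550
}
```

The global rule keeps the per-family rules from firing on non-executable data such as documents or logs, which is the usual way to cut false positives when a rule set is scanned over a whole filesystem. Compilation fails unless sample_source is defined with the -d option, so a rule that references an external variable documents that dependency in a comment, as above. With the 1.5 release the same rule file can also be pointed at a running process by giving yara a PID instead of a path, which is where the "MZ" check matters: a process image read from memory is still PE-formatted at its base.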

YARA: a malware identification and classification tool

YARA is an open-source, multi-platform tool that lets you create your own signatures to identify malware families based on text or hex strings present in samples of those families. The signatures are written in a special-purpose language that looks like this:

rule silent_banker : banker
{
    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
    condition:
        $a or $b or $c
}

Complex signatures can be created using boolean operators, wildcards, regular expressions and much more. You can find more information on the project site:

http://code.google.com/p/yara-project/
