Official site: https://yara.readthedocs.io/en/stable/gettingstarted.html
Official download: https://github.com/VirusTotal/yara/releases
The documentation describes building from source; on Ubuntu it can be installed with the following commands:
# apt install yara
# yara --help # show detailed usage
Once installed, run it as follows:
# yara path/a.yar path/b.yar ... path/z.yar path/soft
Any number of YARA rule files can be listed in the middle; the last argument is the file to be scanned.
Both the rule files and the scanned file may be given as relative or absolute paths.
YARA rule layout:
rule RuleName
{
    meta:
        fixed-format metadata describing the rule and its references
    strings:
        definitions of the strings (variables) to search for
    condition:
        the condition that decides whether the rule matches
}
Example:
rule ExampleRule
{
    meta:
        author = "这是作者"
        description = "这是描述信息"
    strings:
        $my_text_string = "text here"
        $my_hex_string = { E2 34 A1 C8 23 FB }
    condition:
        $my_text_string or $my_hex_string
}
rule FlashNewfunction
{
    meta:
        ref = "CVE-2010-1297"
        hide = true
        impact = 5
        ref = "http://blog.xanda.org/tag/jsunpack/"
    strings:
        $unescape = "unescape" fullword nocase
        $shellcode = /%u[A-Fa-f0-9]{4}/
        $shellcode5 = /(%u[A-Fa-f0-9]{4}){5}/
        $cve20101297 = /\/Subtype ?\/Flash/
    condition:
        ($unescape and $shellcode and $cve20101297) or ($shellcode5 and $cve20101297)
}
To print the rule author and description along with each hit, use the -m option; to print the data that actually matched, use the -s option. Examples:
# yara -m one.yar soft.exe # prints rule name/author/description
rule_name [author="", description=""]
# yara -s one.yar soft.exe # prints the matched strings
rule_name
KLSDKFJISDF
SDKFLKLDSFD
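The workflow above end to end, as an added example that is not part of the original note: a rule with the three sections (meta / strings / condition), two constructed sample files, and a scan with the -m and -s options. It assumes the yara binary is installed (apt install yara); the rule name, file names and sample contents are all made up for this example.

```shell
#!/bin/sh
# Added example, not from the original note. Builds a rule modelled on the
# FlashNewfunction rule above, scans constructed samples, and uses -m / -s.
# Assumes the yara binary is installed; does nothing if it is missing.
set -eu
command -v yara >/dev/null 2>&1 || { echo "yara not installed, nothing to run"; exit 0; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed rule file: a hex string, a text string with modifiers, and a regex.
cat > "$WORK/demo.yar" <<'EOF'
rule DemoUnescapeShellcode
{
    meta:
        author = "added example"
        description = "unescape keyword next to five %uXXXX-encoded words"
    strings:
        $var_decl  = { 76 61 72 20 }               // "var " written as a hex string
        $unescape  = "unescape" fullword nocase
        $shellcode = /(%u[A-Fa-f0-9]{4}){5}/
    condition:
        $var_decl and $unescape and $shellcode
}
EOF

# Constructed samples: hit.js satisfies the condition, miss.js does not.
printf 'var x = unescape("%%u4141%%u4141%%u4141%%u4141%%u4141");\n' > "$WORK/hit.js"
printf 'var x = "plain text, nothing encoded";\n' > "$WORK/miss.js"

# count_matches FILE: number of rules that matched (plain yara prints one line per matching rule).
count_matches() {
    yara "$WORK/demo.yar" "$1" | wc -l | tr -d ' '
}

# scan FILE: the same scan with -m (print meta) and -s (print matched strings with offsets).
scan() {
    yara -m -s "$WORK/demo.yar" "$1"
}

echo "hit.js  matches: $(count_matches "$WORK/hit.js")"   # 1
echo "miss.js matches: $(count_matches "$WORK/miss.js")"  # 0
scan "$WORK/hit.js"
```

The -s output lists each matched string as offset, identifier and the bytes that matched, so a false positive can be traced back to the exact string that caused it.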
References:
https://github.com/Yara-Rules/rules
https://github.com/spyre-project/spyre
https://github.com/InQuest/awesome-yara