Skip to content

JPCERTCC/AutoYara4FLIRT

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

15 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

AutoYara4FLIRT

GitHub release (latest by date) GitHub top language GitHub repo size

AutoYara4FLIRT is a very simple IDA plugin that automatically generates yara rules from files. The yara rules generated from ELF files can be used to create FLIRT signatures for the technique. For more information, see our blog post in More Details link.

HOW TO INSTALL

  • Move AutoYara4FLIRT.py to IDA's plugin folder
    • Ex) c:\Program files\IDA Pro 8.2\plugins\AutoYara4FLIRT.py

USAGE

  • Select AutoYara4FLIRT on IDA
    • Ex) Edit -> Plugins -> AutoYara4FLIRT

DEMO


CLI_AutoYara

CLI_AutoYara is a simple CLI tool that automates yara rule creation and the creation of sig files from hunted ELF binaries. In Addition, this tool can target multiple malware at once. It is also easy to use, requiring no external modules other than IDA related. Sample files are also available on this github for you to try out right away!

HOW TO INSTALL

$ git clone https://github.com/JPCERTCC/AutoYara4FLIRT.git
$ cd AutoYara4FLIRT\CLI_AutoYara
  • Edit CLI_AutoYara.py
class ConfigVar:
    """
    ===================== Filepath ===========================
    """
    SIGMAKE_DIR = "C:\\sigmake.exe"                            # <<<--- the path of `sigmake.exe` !!!
    IDA_INSTAll_PATH = "C:\\\"Program Files\"\\\"IDA Pro 8.2\""
    IDA_SIG_PATH      = r"C:\Program Files\IDA Pro 8.2\sig"
    """
    ==========================================================
    """

USAGE

  • Targeted ELF -> .yara
$ python CLI_AutoYara.py --autoyara [BITS-of-Arch-in-ELFfile]
# Example
$ python CLI_AutoYara.py --autoyara 32
  • Hunted ELF -> .sig
$ python CLI_AutoYara.py --elf2sig [BITS-of-Arch-in-ELFfile] [Sig-Name] [Sig-Directory]
# Example
$ python CLI_AutoYara.py --elf2sig 32 SigName pc

DEMO (About 3 minutes)


Scope of tools

More Details


Reference

LICENSE

Please read the LICENSE page.

About

No description, website, or topics provided.

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages