View Issue Details
ID: 0007994
Project: Kali Linux
Category: Queued Tool Addition
View Status: public
Date Submitted: 2022-10-09 23:01
Last Update: 2022-11-01 14:35
Summary: 0007994: yaralyzer is a tool to visually inspect and force decode YARA and regex matches found in both binary and text data.
[Description] Visually inspect all of the regex matches (and their sexier, more cloak and dagger cousins, the YARA matches) found in binary data and/or text. See what happens when you force various character encodings upon those matched bytes. With colors.
Some screenshots are visible here: https://github.com/michelcrypt4d4mus/yaralyzer#example-output
[Dependencies] python 3.9+
[Similar tools] http://www.binaryalert.io/yara-matches.html (sort of - it writes matches to a DB rather than STDOUT, and it doesn't do any encoding detection or force decodes)
[Activity] Development started in mid-summer 2022, originally as an internal engine of a related tool, the pdfalyzer: https://github.com/michelcrypt4d4mus/pdfalyzer. Actively being maintained; kind of surprising amount of interest since it was open sourced last week.
[How to install]
Note: acquiring the source code via git clone/svn checkout can't be used, nor can downloading from the head. Please use a "tag" or "release" version.
Scan against YARA definitions in a file:
yaralyze --yara-rules /path/to/malware_rules.yara lacan_buys_the_dip.pdf
Scan against an arbitrary YARA compatible regular expression:
yaralyze --regex-pattern 'evil.*of\s+\w+byte' the_crypto_archipelago.exe
Scan against an arbitrary YARA hex pattern:
yaralyze --hex-pattern 'd0 93 d0 a3 d0 [-] 9b d0 90 d0 93' one_day_in_the_life_of_ivan_cryptosovich.bin
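The three invocations above all do the same thing underneath: find byte ranges that a YARA rule, regex or hex pattern selects, then try several character encodings on those bytes to see which ones produce readable text. The following is an added example of that idea in plain Python, not yaralyzer's own code and not libyara. The sample bytes are constructed (the hex pattern from the invocation above is the UTF-8 encoding of "ГУЛАГ"), the hex-string-to-regex translator is a hypothetical helper that covers only a subset of YARA hex syntax (plain bytes, `??` wildcards and `[n]`, `[n-m]`, `[n-]`, `[-]` jumps), and Python's `re` stands in for YARA's regex engine, which is close enough for patterns like the one on this page.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input (not a real file): UTF-8 "ГУЛАГ" and an ASCII
# phrase embedded in binary noise, so both the hex and the regex scans hit.
SAMPLE = (
    b"\x00\x7fELF\x01\x02"
    + "ГУЛАГ".encode("utf-8")           # d0 93 d0 a3 d0 9b d0 90 d0 93
    + b"\xff\xfe evil of cryptobyte "
    + b"\x90" * 4
)

# Encodings to force onto each matched byte range. The list is an
# arbitrary choice for this example, not the tool's list.
CODECS = ("utf-8", "latin-1", "cp1251", "utf-16-le")


def yara_hex_to_regex(pattern: str) -> bytes:
    """Translate a YARA hex string such as 'd0 93 ?? [2-4] 9b' into a bytes regex.

    Hypothetical helper (not yaralyzer's or libyara's parser). Handles plain
    bytes, '??' byte wildcards, and jumps '[n]', '[n-m]', '[n-]', '[-]'.
    Nibble wildcards like 'd?' and alternation '( a | b )' are not supported.
    """
    parts: List[bytes] = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
        elif tok.startswith("[") and tok.endswith("]"):
            body = tok[1:-1]
            if "-" not in body:
                parts.append(b".{%d}" % int(body))          # fixed-length jump
            else:
                lo, _, hi = body.partition("-")
                # Lazy quantifier: take the shortest gap that still matches.
                parts.append(b".{%s,%s}?" % ((lo or "0").encode(), hi.encode()))
        elif len(tok) == 2:
            # re.escape stops bytes such as 0x2a ('*') being read as metacharacters.
            parts.append(re.escape(bytes.fromhex(tok)))
        else:
            raise ValueError(f"unsupported hex token: {tok!r}")
    return b"".join(parts)


def force_decode(chunk: bytes) -> Dict[str, Optional[str]]:
    """Strict-decode the same bytes under every codec; None marks a codec that rejects them."""
    decoded: Dict[str, Optional[str]] = {}
    for codec in CODECS:
        try:
            decoded[codec] = chunk.decode(codec)
        except UnicodeDecodeError:
            decoded[codec] = None
    return decoded


def scan(data: bytes, regex: bytes) -> List[Tuple[int, bytes, Dict[str, Optional[str]]]]:
    """Return (offset, matched bytes, per-codec decode) for every match.

    re.DOTALL makes '.' match 0x0a as well; without it, wildcards and jumps
    would silently refuse to cross a newline byte inside binary data.
    """
    return [
        (m.start(), m.group(0), force_decode(m.group(0)))
        for m in re.finditer(regex, data, re.DOTALL)
    ]


if __name__ == "__main__":
    hex_rx = yara_hex_to_regex("d0 93 d0 a3 d0 [-] 9b d0 90 d0 93")
    hits = scan(SAMPLE, hex_rx) + scan(SAMPLE, rb"evil.*of\s+\w+byte")
    for offset, raw, decoded in hits:
        print(f"offset {offset:#06x}: {raw.hex(' ')}")
        for codec, text in decoded.items():
            print(f"  {codec:>9}: {text!r}")
```

Run it and the hex-pattern hit decodes cleanly only as UTF-8; latin-1 never fails (every byte is a valid code point), and cp1251 happily produces mojibake. That is the practical reason a tool like this shows all of the forced decodes side by side rather than trusting any one codec's silence.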
[Packaged] - Is the tool already packaged for Debian?
@kali-team, please could this be packaged up.