View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0007994 | Kali Linux | [All Projects] Queued Tool Addition | public | 2022-10-09 23:01 | 2022-11-01 14:35 |

| Target Version | Fixed in Version |
|---|---|
| | |
|Summary||0007994: yaralyzer is a tool to visually inspect and force decode YARA and regex matches found in both binary and text data.|
[Author] Michel de Cryptadamus
[Description] Visually inspect all of the regex matches (and their sexier, more cloak and dagger cousins, the YARA matches) found in binary data and/or text. See what happens when you force various character encodings upon those matched bytes. With colors.
Can be run with a yara rule file, a dir full of yara rules, or off the cuff with --hex-pattern and --regex-pattern.
Some screenshots are visible here: https://github.com/michelcrypt4d4mus/yaralyzer#example-output
[Dependencies] python 3.9+
chardet = "^5.0.0"
python-dotenv = "^0.21.0"
rich = "^12.5.1"
rich-argparse-plus = "^0.3.1"
yara-python = "^4.2.3"
[Similar tools] http://www.binaryalert.io/yara-matches.html (sort of - it writes matches to a DB rather than STDOUT, and it doesn't do any encoding detection or force decodes)
[Activity] Development started mid summer 2022, originally as an internal engine of a related tool, the pdfalyzer: https://github.com/michelcrypt4d4mus/pdfalyzer. Actively being maintained; kind of surprising amount of interest since it was open sourced last week.
[How to install] `pipx install yaralyzer` is the easiest way
Note: acquiring the source code directly (e.g. git clone/svn checkout) cannot be used, nor can a download of the repository HEAD. Please use a "tag" or "release" version.
[How to use] - What are some basic commands/functions to demonstrate it?
```shell
# Scan against YARA definitions in a file:
yaralyze --yara-rules /path/to/malware_rules.yara lacan_buys_the_dip.pdf

# Scan against an arbitrary YARA compatible regular expression:
yaralyze --regex-pattern 'evil.*of\s+\w+byte' the_crypto_archipelago.exe

# Scan against an arbitrary YARA hex pattern:
yaralyze --hex-pattern 'd0 93 d0 a3 d0 [-] 9b d0 90 d0 93' one_day_in_the_life_of_ivan_cryptosovich.bin
```
[Packaged] - Is the tool already packaged for Debian?
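The two things the description above combines, matching YARA-style hex/regex patterns against raw bytes and then forcing several character encodings onto whatever matched, can be shown with the standard library alone. The block below is an added example written for this page; it is not yaralyzer's code and does not use yara-python. It assumes a small, constructed sample buffer, an arbitrary list of encodings to try, and a hypothetical `yara_hex_to_regex` translator that covers plain bytes, nibble wildcards and `[n]`/`[n-m]`/`[-]` jumps (not alternation) so that the hex pattern quoted in the "How to use" section can be run as a bytes regex.

```python
"""Added example: a minimal stand-in for what the issue describes (YARA-style
hex/regex matching over bytes, then forcing several encodings onto each match).
Standard library only; not yaralyzer's own code and not a substitute for yara-python."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Encodings forced onto every match (a constructed list, not yaralyzer's).
ENCODINGS = ("ascii", "utf-8", "latin-1", "cp1251", "utf-16-le")

# Constructed sample buffer: binary junk, a UTF-8 Cyrillic word, more junk, text.
SAMPLE = (b"\x00\x01junk " + "ГУЛАГ".encode("utf-8")
          + b" more\xff\xfe evil thing of 12byte\x00")


def _hex_token(tok: str) -> bytes:
    """Regex fragment for one two-character hex token, e.g. 'd0', '9?', '??'."""
    if tok == "??":
        return b"."
    if "?" not in tok:
        return b"\\x" + tok.lower().encode()
    hi, lo = tok
    members = [b for b in range(256)
               if (hi == "?" or b >> 4 == int(hi, 16))
               and (lo == "?" or b & 0xF == int(lo, 16))]
    return b"[" + b"".join(b"\\x%02x" % b for b in members) + b"]"


def yara_hex_to_regex(pattern: str) -> "re.Pattern[bytes]":
    """Translate the body of a YARA hex string into a compiled bytes regex.
    Supports plain bytes, nibble wildcards (??, d?, ?0) and jumps [n], [n-m],
    [n-], [-]. Alternation "( a | b )" is deliberately not handled here."""
    parts: List[bytes] = []
    for tok in pattern.split():
        jump = re.fullmatch(r"\[(\d*)(-?)(\d*)\]", tok)
        if jump:
            lo, dash, hi = jump.groups()
            if not dash and not lo:
                raise ValueError(f"empty jump in {pattern!r}")
            if not dash:                       # [n]: exactly n bytes
                parts.append(f".{{{lo}}}".encode())
            else:                              # [n-m], [n-], [-]: lazy range
                parts.append(f".{{{lo or 0},{hi}}}?".encode())
        elif re.fullmatch(r"[0-9a-fA-F?]{2}", tok):
            parts.append(_hex_token(tok))
        else:
            raise ValueError(f"unsupported token {tok!r} in {pattern!r}")
    return re.compile(b"".join(parts), re.DOTALL)


@dataclass
class Hit:
    label: str
    offset: int
    data: bytes


def scan(data: bytes, patterns: Dict[str, "re.Pattern[bytes]"]) -> List[Hit]:
    """Run each compiled pattern over the buffer; hits sorted by offset."""
    hits = [Hit(label, m.start(), m.group(0))
            for label, rx in patterns.items() for m in rx.finditer(data)]
    return sorted(hits, key=lambda h: h.offset)


def force_decode(chunk: bytes, encodings=ENCODINGS) -> Dict[str, Optional[str]]:
    """Decode the same bytes under every encoding; None where strict decoding fails."""
    out: Dict[str, Optional[str]] = {}
    for enc in encodings:
        try:
            out[enc] = chunk.decode(enc)
        except UnicodeDecodeError:
            out[enc] = None
    return out


def rank_decodings(chunk: bytes) -> List[Tuple[str, str]]:
    """Successful decodings, most printable first (ties keep ENCODINGS order)."""
    ok = [(enc, s) for enc, s in force_decode(chunk).items() if s is not None]
    return sorted(ok, key=lambda es: -sum(c.isprintable() for c in es[1]) / max(len(es[1]), 1))


def demo(data: bytes = SAMPLE) -> List[Hit]:
    """Scan with the two patterns quoted in the issue and show forced decodings."""
    patterns = {
        "hex": yara_hex_to_regex("d0 93 d0 a3 d0 [-] 9b d0 90 d0 93"),
        "regex": re.compile(rb"evil.*of\s+\w+byte"),
    }
    hits = scan(data, patterns)
    for h in hits:
        print(f"{h.label} @ {h.offset:#06x}: {h.data.hex(' ')}")
        for enc, text in rank_decodings(h.data):
            print(f"  {enc:>9}: {text!r}")
    return hits


if __name__ == "__main__":
    demo()
```

Running `demo()` shows why forced decoding is useful for triage: the hex pattern from the issue lands on a UTF-8 Cyrillic word, and the same ten bytes read as clean text under utf-8, as classic mojibake under cp1251, as a run of C1 control characters under latin-1, and fail outright under ascii. Ranking by printable ratio only breaks ties weakly, which is exactly why a tool like this presents every candidate decoding rather than picking one.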
@kali-team, please could this be packaged up.
@author, If you want to help the packaging process, you can check the documentation here ~ https://www.kali.org/docs/development/public-packaging