View Issue Details

ID: 0007994
Project: Kali Linux
Category: Queued Tool Addition
View Status: public
Last Update: 2024-03-13 14:09
Reporter: mccrypter
Assigned To: 
Priority: normal
Severity: minor
Reproducibility: N/A
Status: acknowledged
Resolution: open
Summary0007994: yaralyzer - tool to visually inspect and force decode YARA and regex matches found in both binary and text data.
Description

[Name] yaralyzer
[Version] 0.6.2
[Homepage] https://github.com/michelcrypt4d4mus/yaralyzer
[Download] https://pypi.org/project/yaralyzer/#files
[Author] Michel de Cryptadamus
[Licence] GPLv3

[Description] Visually inspect all of the regex matches (and their sexier, more cloak and dagger cousins, the YARA matches) found in binary data and/or text. See what happens when you force various character encodings upon those matched bytes. With colors.
Can be run with a yara rule file, a dir full of yara rules, or off the cuff with --hex-pattern and --regex-pattern.

Some screenshots are visible here: https://github.com/michelcrypt4d4mus/yaralyzer#example-output

[Dependencies] python 3.9+
chardet = "^5.0.0"
python-dotenv = "^0.21.0"
rich = "^12.5.1"
rich-argparse-plus = "^0.3.1"
yara-python = "^4.2.3"

[Similar tools] http://www.binaryalert.io/yara-matches.html (sort of - it writes matches to a DB rather than STDOUT, and it doesn't do any encoding detection or force decodes)

[Activity] Development started mid summer 2022, originally as an internal engine of a related tool, the pdfalyzer: https://github.com/michelcrypt4d4mus/pdfalyzer. Actively being maintained; kind of surprising amount of interest since it was open sourced last week.

[How to install] pipx install yaralyzer is the easiest way

Note: acquiring the source code via git clone/svn checkout, or downloading from HEAD, cannot be used. Please use a "tag" or "release" version.

[How to use] - What are some basic commands/functions to demonstrate it?

Scan against YARA definitions in a file:

yaralyze --yara-rules /path/to/malware_rules.yara lacan_buys_the_dip.pdf

Scan against an arbitrary YARA compatible regular expression:

yaralyze --regex-pattern 'evil.*of\s+\w+byte' the_crypto_archipelago.exe

Scan against an arbitrary YARA hex pattern:

yaralyze --hex-pattern 'd0 93 d0 a3 d0 [-] 9b d0 90 d0 93' one_day_in_the_life_of_ivan_cryptosovich.bin

[Packaged] - Is the tool already packaged for Debian?
no
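
As an added illustration of what the tool does at its core (this is example code written for this page, not yaralyzer's own code and not part of the ticket), the stdlib-only Python below takes a regex or a YARA-style hex pattern, finds the matching byte runs in a blob, and then force-decodes each match with several character encodings so the reader can see which interpretation yields readable text. The SAMPLE blob, the ENCODINGS list, and the function names are constructed for the example; the hex-pattern translator handles only whole-byte tokens, the `??` wildcard and `[n-m]`/`[-]` jumps, not nibble wildcards or alternation, and yaralyzer's chardet-based guessing is not reproduced.

```python
"""Minimal re-creation of the yaralyzer idea (added example, not the project's code):
locate regex / YARA-style hex pattern matches in bytes, then force-decode each
matched run under several encodings so an analyst can eyeball the results."""
import re
from typing import Optional

# Encodings to force on each match. Illustrative choice for this example.
ENCODINGS = ("utf-8", "latin-1", "utf-16-le", "cp1251")

# Constructed sample blob: filler, an English phrase, two bytes that are not valid
# UTF-8, the UTF-8 encoding of a Cyrillic word (d0 93 d0 a3 d0 9b d0 90 d0 93), a trailer.
SAMPLE = (
    b"header\x00\x00evil little army of megabyte-wranglers\xff\xfe"
    + b"\xd0\x93\xd0\xa3\xd0\x9b\xd0\x90\xd0\x93"
    + b"\x00tail"
)

_HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")
_JUMP = re.compile(r"^\[(\d*)-(\d*)\]$")


def hex_pattern_to_regex(pattern: str) -> "re.Pattern[bytes]":
    """Translate a YARA hex string into a compiled bytes regex.

    Supported tokens: two-digit hex bytes, the '??' single-byte wildcard, and
    jumps '[n-m]' or '[-]' (unbounded). Anything else raises ValueError.
    """
    parts = []
    for tok in pattern.split():
        if _HEX_BYTE.match(tok):
            parts.append(re.escape(bytes([int(tok, 16)])))
        elif tok == "??":
            parts.append(b".")
        elif (m := _JUMP.match(tok)):
            lo = m.group(1) or "0"
            hi = m.group(2)  # empty upper bound means unbounded, i.e. '.{lo,}?'
            parts.append(b".{" + lo.encode() + b"," + hi.encode() + b"}?")
        else:
            raise ValueError(f"unsupported hex-pattern token: {tok!r}")
    # DOTALL so wildcards and jumps also cover 0x0a bytes in binary data.
    return re.compile(b"".join(parts), re.DOTALL)


def find_matches(data: bytes, regex: "re.Pattern[bytes]") -> list:
    """Return (offset, matched_bytes) for every non-overlapping match."""
    return [(m.start(), m.group(0)) for m in regex.finditer(data)]


def force_decode(chunk: bytes, encodings=ENCODINGS) -> dict:
    """Decode the same bytes under each encoding; None marks a strict-decode failure."""
    out = {}
    for enc in encodings:
        try:
            out[enc] = chunk.decode(enc)
        except UnicodeDecodeError:
            out[enc] = None
    return out


def yaralyze_like(data: bytes, *, regex_pattern: Optional[bytes] = None,
                  hex_pattern: Optional[str] = None) -> list:
    """Run exactly one pattern over `data` and attach forced decodes to each match."""
    if (regex_pattern is None) == (hex_pattern is None):
        raise ValueError("give exactly one of regex_pattern or hex_pattern")
    regex = (re.compile(regex_pattern, re.DOTALL) if regex_pattern is not None
             else hex_pattern_to_regex(hex_pattern))
    return [{"offset": off, "bytes": raw, "decoded": force_decode(raw)}
            for off, raw in find_matches(data, regex)]


if __name__ == "__main__":
    # Same hex pattern as the ticket's example command, run over the constructed blob.
    for hit in yaralyze_like(SAMPLE, hex_pattern="d0 93 d0 a3 d0 [-] 9b d0 90 d0 93"):
        print(f"offset {hit['offset']:#06x}: {hit['bytes'].hex(' ')}")
        for enc, text in hit["decoded"].items():
            print(f"  {enc:>9}: {text!r}" if text is not None else f"  {enc:>9}: <decode error>")
```

The forced-decode table is the useful part: a match whose bytes decode cleanly under utf-8 but not under the others is probably text in that encoding, while a run that only latin-1 accepts (latin-1 never fails) is most likely binary. The translator deliberately rejects tokens it does not understand rather than silently matching less than the analyst intended.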

Activities

g0tmi1k

2022-11-01 14:35

administrator   ~0017034

@kali-team, please could this be packaged up.
@author, If you want to help the packaging process, you can check the documentation here ~ https://www.kali.org/docs/development/public-packaging

Issue History

Date Modified Username Field Change
2022-10-09 23:01 mccrypter New Issue
2022-11-01 14:35 g0tmi1k Note Added: 0017034
2022-11-01 14:35 g0tmi1k Status new => acknowledged
2022-11-01 14:35 g0tmi1k Category New Tool Requests => Queued Tool Addition
2024-03-13 14:09 daniruiz Summary yaralyzer is a tool to visually inspect and force decode YARA and regex matches found in both binary and text data. => yaralyzer - tool to visually inspect and force decode YARA and regex matches found in both binary and text data.