View Issue Details

ID: 0007994
Project: Kali Linux
Category: [All Projects] Queued Tool Addition
View Status: public
Last Update: 2022-11-01 14:35
Reporter: mccrypter
Assigned To:
Status: acknowledged
Resolution: open
Product Version:
Target Version:
Fixed in Version:
Summary: 0007994: yaralyzer is a tool to visually inspect and force decode YARA and regex matches found in both binary and text data.
Description:
[Name] yaralyzer
[Version] 0.6.2
[Author] Michel de Cryptadamus
[Licence] GPLv3

[Description] Visually inspect all of the regex matches (and their sexier, more cloak-and-dagger cousins, the YARA matches) found in binary data and/or text. See what happens when you force various character encodings upon those matched bytes. With colors.
Can be run with a yara rule file, a dir full of yara rules, or off the cuff with --hex-pattern and --regex-pattern.

Some screenshots are visible here:

[Dependencies] python 3.9+
chardet = "^5.0.0"
python-dotenv = "^0.21.0"
rich = "^12.5.1"
rich-argparse-plus = "^0.3.1"
yara-python = "^4.2.3"

[Similar tools] (sort of - it writes matches to a DB rather than STDOUT, and it doesn't do any encoding detection or force decodes)

[Activity] Development started mid-summer 2022, originally as an internal engine of a related tool, the pdfalyzer. Actively being maintained; a kind of surprising amount of interest since it was open sourced last week.

[How to install] `pipx install yaralyzer` is the easiest way

Note: acquiring the source code via git clone/svn checkout, or downloading from HEAD, can't be used. Please use a "tag" or "release" version.
[How to use] - What are some basic commands/functions to demonstrate it?

# Scan against YARA definitions in a file:
yaralyze --yara-rules /path/to/malware_rules.yara lacan_buys_the_dip.pdf

# Scan against an arbitrary YARA compatible regular expression:
yaralyze --regex-pattern 'evil.*of\s+\w+byte' the_crypto_archipelago.exe

# Scan against an arbitrary YARA hex pattern
yaralyze --hex-pattern 'd0 93 d0 a3 d0 [-] 9b d0 90 d0 93' one_day_in_the_life_of_ivan_cryptosovich.bin

[Packaged] - Is the tool already packaged for Debian?
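
The hex-pattern scan and forced decoding the description talks about, as an added example that is not yaralyzer's own code: a stdlib-only Python script that turns a YARA hex pattern into a bytes regex, finds its matches in constructed sample data, and decodes each match under several encodings so you can see which encodings accept the bytes and which reject them. It goes beyond the request's [-] jump to [n], [n-] and [n-m] jumps and ?? wildcards; ENCODINGS, SAMPLE and the function names are assumptions made for this example.

```python
import re

# YARA hex-string tokens: a byte, a '??' wildcard, or a jump written [-], [n], [n-] or
# [n-m]; the request uses only bytes and [-]. Nibble wildcards (d?) are not handled.
_TOKEN = re.compile(r"\[\s*(\d*)\s*(-?)\s*(\d*)\s*\]|\?\?|[0-9a-fA-F]{2}")

def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    # Compile a YARA-style hex pattern into a bytes regex; DOTALL lets '.' match any byte.
    parts, pos = [], 0
    for m in _TOKEN.finditer(pattern):
        if pattern[pos:m.start()].strip():
            raise ValueError(f"unrecognised text in hex pattern: {pattern[pos:m.start()]!r}")
        pos, tok = m.end(), m.group(0)
        if tok.startswith("["):
            lo, dash, hi = m.groups()
            lo = int(lo or 0)
            hi = (int(hi) if hi else "") if dash else lo   # no dash means exactly lo bytes
            parts.append(f".{{{lo},{hi}}}?")              # lazy, so the shortest match is reported
        elif tok == "??":
            parts.append(".")
        else:
            parts.append(f"\\x{int(tok, 16):02x}")
    if pattern[pos:].strip():
        raise ValueError(f"unrecognised text in hex pattern: {pattern[pos:]!r}")
    return re.compile("".join(parts).encode("ascii"), re.DOTALL)

# Encodings forced onto every match; assumed for this example, not yaralyzer's list.
ENCODINGS = ("utf-8", "utf-16-le", "cp1251", "iso-8859-1")

def force_decode(chunk: bytes) -> dict:
    # Decode the same bytes under each encoding; None marks an encoding that rejects them.
    decoded = {}
    for enc in ENCODINGS:
        try:
            decoded[enc] = chunk.decode(enc)
        except UnicodeDecodeError:
            decoded[enc] = None
    return decoded

def scan(data: bytes, pattern: str) -> list:
    # (offset, matched bytes, decodings) for every occurrence of the hex pattern in data.
    rx = hex_pattern_to_regex(pattern)
    return [(m.start(), m.group(0), force_decode(m.group(0))) for m in rx.finditer(data)]

# Constructed sample: the request's Cyrillic pattern twice, the second time with two
# junk bytes inside the [-] jump so that the matched bytes are no longer valid UTF-8.
PATTERN = "d0 93 d0 a3 d0 [-] 9b d0 90 d0 93"
SAMPLE = (b"\x00" * 4 + b"\xd0\x93\xd0\xa3\xd0\x9b\xd0\x90\xd0\x93" + b"\xff\xfe"
          + b"\xd0\x93\xd0\xa3\xd0\x11\x22\x9b\xd0\x90\xd0\x93" + b"\x00")
```

Calling scan(SAMPLE, PATTERN) returns the clean match at offset 4 (decodable as UTF-8 Cyrillic) and the second at offset 16, which only the single-byte encodings accept.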


administrator ~0017034 (2022-11-01 14:35)

@kali-team, please could this be packaged up.
@author, if you want to help the packaging process, you can check the documentation here ~

Issue History

Date Modified Username Field Change
2022-10-09 23:01 mccrypter New Issue
2022-11-01 14:35 g0tmi1k Note Added: 0017034
2022-11-01 14:35 g0tmi1k Status new => acknowledged
2022-11-01 14:35 g0tmi1k Category New Tool Requests => Queued Tool Addition