What is it? @.@

Here is the place where I record some tactics about wargame, systems, and other security issues.


YARA - A malware identification and classification tool


YARA is a tool aimed at helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families based on textual or binary patterns contained on samples of those families. Each description consists of a set of strings and a Boolean expression which determines its logic.

  1. [Comment] Install YARA on Backtrack 5 R3
  2. [Comment] Download the tarball and extract it first
  3. root@sp:~# cd /tmp
  4. root@sp:/tmp# wget https://yara-project.googlecode.com/files/yara-1.6.tar.gz
  5. root@sp:/tmp# tar -zxvf yara-1.6.tar.gz
  6. [Comment] Install PCRE
  7. root@sp:/tmp# apt-get install libpcre3 libpcre3-dev
  8. [Comment] Install YARA
  9. root@sp:/tmp# cd yara-1.6
  10. root@sp:/tmp/yara-1.6# ./configure
  11. root@sp:/tmp/yara-1.6# make
  12. root@sp:/tmp/yara-1.6# make install
  13. [Comment] Download yara-python for python support
  14. root@sp:/tmp/yara-1.6# cd ..
  15. root@sp:/tmp# wget https://yara-project.googlecode.com/files/yara-python-1.6.tar.gz
  16. [Comment] Extract the tarball
  17. root@sp:/tmp# tar -zxvf yara-python-1.6.tar.gz
  18. [Comment] Install python-dev to build the yara-python package
  19. [Comment] yara-python 1.6 had been ported to Python 3.x
  20. root@sp:/tmp# apt-get install python3-dev
  21. [Comment] Install YARA-Python
  22. root@sp:/tmp# cd yara-python-1.6
  23. root@sp:/tmp/yara-python-1.6# python3 setup.py install
  24. root@sp:/tmp/yara-python-1.6# cd ~
  25. root@sp:~# yara
  26. usage:  yara [OPTION]... [RULEFILE]... FILE | PID

Other version:
YARA is multi-platform, running on Windows, Linux and Mac OS X, and can be used through its command-line interface or from your own Python scripts with the yara-python extension.
  1. Python: https://github.com/mjdorma/yara-ctypes
  2. Ruby: https://github.com/SpiderLabs/yara-ruby



Resources collection (Original Link - DeepEnd Research):

No comments:

Post a Comment