
mkYARA
Tags: Security Testing, Malware Analysis
Writing YARA Rules Based on Executable Code in Malware
Writing YARA rules based on the executable code found in malware can be a challenging task. An analyst cannot simply copy and paste the raw executable code directly into a YARA rule, as this code includes variable values, such as memory addresses and offsets.
The Analyst's Role in Code Disassembly and mkYARA Automation
The analyst must disassemble the code and replace every component that may vary between samples with a wildcard. mkYARA streamlines this process by automatically generating executable-code signatures in which the variable pieces of the code (addresses, offsets and similar operands) are wildcarded while the static opcode bytes are kept.
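To make the wildcarding step concrete, here is an added example (not mkYARA's own code) that decodes a handful of x86-32 opcodes by hand, replaces the operands that vary between builds with `??`, emits a YARA hex string, and checks that a rebuilt variant with different immediates still matches. The sample bytes, the variant and the opcode table are constructed for the example; a real tool such as mkYARA uses a full disassembler (Capstone) instead of this tiny decoder.

```python
import re

# Simplified x86-32 decoder for a few opcodes (constructed for this example,
# not mkYARA's own code). Each entry gives the number of trailing operand bytes
# that vary between samples (immediates, relative call/jmp targets).
VARIABLE_TAIL = {0x68: 4, 0xE8: 4, 0xE9: 4, 0xEB: 1, 0x90: 0, 0xC3: 0}  # push/call/jmp/jmp8/nop/ret

def decode(code: bytes):
    """Yield (fixed_bytes, variable_bytes) for each instruction."""
    i = 0
    while i < len(code):
        op = code[i]
        if op in VARIABLE_TAIL:
            n = VARIABLE_TAIL[op]
            if i + 1 + n > len(code):
                raise ValueError(f"truncated instruction at offset {i}")
            yield code[i:i + 1], code[i + 1:i + 1 + n]
            i += 1 + n
        elif op == 0xFF and i + 1 < len(code) and (code[i + 1] & 0xF8) == 0xD0:
            # FF /2 with mod=11 is "call r32" (FF D7 = call edi); the register lives in ModRM and is not variable
            yield code[i:i + 2], b""
            i += 2
        else:
            raise ValueError(f"unsupported opcode 0x{op:02X} at offset {i}")

def to_yara_hex(code: bytes) -> str:
    """Render code as a YARA hex string with '??' over variable operands."""
    parts = []
    for fixed, variable in decode(code):
        parts += [f"{b:02X}" for b in fixed] + ["??"] * len(variable)
    return " ".join(parts)

def hex_pattern_matches(pattern: str, data: bytes) -> bool:
    """Match a YARA-style hex pattern (fixed bytes and ?? only) against data."""
    regex = b"".join(b"." if t == "??" else re.escape(bytes([int(t, 16)]))
                     for t in pattern.split())
    return re.search(regex, data, re.DOTALL) is not None

def make_rule(name: str, chunks: list) -> str:
    """Build a minimal YARA rule with one hex string per code chunk."""
    strings = "\n".join(f"        $code{i} = {{ {to_yara_hex(c)} }}"
                        for i, c in enumerate(chunks))
    return f"rule {name} {{\n    strings:\n{strings}\n    condition:\n        all of them\n}}"

if __name__ == "__main__":
    # Constructed samples: the chunk from the page, and a rebuilt variant with a different push immediate and call target
    sample_a = bytes.fromhex("6830800000E896FEFFFFC3")
    sample_b = bytes.fromhex("6840900000E8A1FDFFFFC3")
    print(make_rule("added_example", [sample_a, b"\x90\x90\x90\xFF\xD7"]))
    print(hex_pattern_matches(to_yara_hex(sample_a), sample_b))  # True
```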
Installation Made Simple
Installation is straightforward; you just need to install the pip package using the following command: pip install mkyara
Usage:
import codecs
from capstone import CS_ARCH_X86, CS_MODE_32
from mkyara import YaraGenerator

# "normal" is the wildcarding level; architecture and mode are Capstone constants
gen = YaraGenerator("normal", CS_ARCH_X86, CS_MODE_32)
# Code chunks are disassembled and wildcarded; offset records where the chunk sits in the binary
gen.add_chunk(b"\x90\x90\x90", offset=1000)
gen.add_chunk(codecs.decode("6830800000E896FEFFFFC3", "hex"), offset=0x100)
# is_data=True marks the chunk as raw data, so it is included as-is rather than disassembled
gen.add_chunk(b"\x90\x90\x90\xFF\xD7", is_data=True)
rule = gen.generate_rule()
rule_str = rule.get_rule_string()
print(rule_str)
Standalone Tool:
mkYARA includes a standalone tool that is cross-platform, meaning it can create signatures for Windows binaries even when running on Linux.
Usage:
mkyara [-h] [-i {x86}