notareverser · January 8, 2023 16:56 · notareverser · Jan 3, 2023
diff --git a/generate-simple-yara.idc b/generate-simple-yara.idc
 #include <idc.idc>


 static lmd5(fmd5)
 {
    auto result,size, nb, x;
    size=strlen(fmd5);
    result="";
    for (x = 0; x < size; x++)
    {
        nb = ord(fmd5[x]);
 	if (nb > 64)
 	{
            nb = nb + 32;
        }
 	result=sprintf("%s%c",result, nb);
    }
    return result;
 }

 static make_hex_string(byte_values, num_bytes)
 {
    auto result, x, nb;
    result = "";
       
    for (x = 0; x < ord(num_bytes); x++)
    {
        nb = ord(byte_values[x]);
        if (nb < 0)
        {
            nb = (nb + 256)&0xff;
        }
        result = sprintf("%s %02x",result,nb);
    }
    return result;
 } 


 class generate_rule
 {
   generate_rule()
   {
      this.flags = PLUGIN_UNL;
      this.comment = "Generate YARA rule for selected bytes";
      this.help = "Select some bytes, and then run this plugin";
      this.wanted_name = "Generate YARA...";
      this.wanted_hotkey = "Ctrl+Shift+Y";
   }

   init()
   {
      return PLUGIN_OK;
   }



   run(arg)
   {
      auto start, end, size, bytes, hex_string, fmd5, rule;
      Message("Attempting to generate YARA rule\n");
      start = read_selection_start();
      end = read_selection_end();
      rule = "";
      fmd5 = lmd5(retrieve_input_file_md5());
      if (start != end)
      {
          size = ord(end-start);
          Message("Generating signature from %08x to %08x\n", start, end);
 	  bytes = get_bytes(start, size, 0);
 	  if (bytes != 0)
 	  {
 	      Message("Got %d bytes from selection\n", size);
 	      hex_string = make_hex_string(bytes, size);

              rule = sprintf("rule rule_%s_bytes_%08x_%08x\n",fmd5, start, end);
 	      rule = sprintf("%s{\n  strings: $v = {%s}\n  condition: $v\n}\n", rule, hex_string);
 	      Message(rule);
 	  }
 	  
      }
   }

   term() {}
 }


 static PLUGIN_ENTRY()
 {
   return generate_rule();
 }
	#include <idc.idc>


	static lmd5(fmd5)
	{
	auto result,size, nb, x;
	size=strlen(fmd5);
	result="";
	for (x = 0; x < size; x++)
	{
	nb = ord(fmd5[x]);
	if (nb > 64)
	{
	nb = nb + 32;
	}
	result=sprintf("%s%c",result, nb);
	}
	return result;
	}

	static make_hex_string(byte_values, num_bytes)
	{
	auto result, x, nb;
	result = "";

	for (x = 0; x < ord(num_bytes); x++)
	{
	nb = ord(byte_values[x]);
	if (nb < 0)
	{
	nb = (nb + 256)&0xff;
	}
	result = sprintf("%s %02x",result,nb);
	}
	return result;
	}


	class generate_rule
	{
	generate_rule()
	{
	this.flags = PLUGIN_UNL;
	this.comment = "Generate YARA rule for selected bytes";
	this.help = "Select some bytes, and then run this plugin";
	this.wanted_name = "Generate YARA...";
	this.wanted_hotkey = "Ctrl+Shift+Y";
	}

	init()
	{
	return PLUGIN_OK;
	}



	run(arg)
	{
	auto start, end, size, bytes, hex_string, fmd5, rule;
	Message("Attempting to generate YARA rule\n");
	start = read_selection_start();
	end = read_selection_end();
	rule = "";
	fmd5 = lmd5(retrieve_input_file_md5());
	if (start != end)
	{
	size = ord(end-start);
	Message("Generating signature from %08x to %08x\n", start, end);
	bytes = get_bytes(start, size, 0);
	if (bytes != 0)
	{
	Message("Got %d bytes from selection\n", size);
	hex_string = make_hex_string(bytes, size);

	rule = sprintf("rule rule_%s_bytes_%08x_%08x\n",fmd5, start, end);
	rule = sprintf("%s{\n strings: $v = {%s}\n condition: $v\n}\n", rule, hex_string);
	Message(rule);
	}

	}
	}

	term() {}
	}


	static PLUGIN_ENTRY()
	{
	return generate_rule();
	}