Extremely simple IDC script to generate a YARA rule from the selected bytes
#include <idc.idc> | |
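// Lower-case an ASCII hex digest (as returned by retrieve_input_file_md5())
// so it can be embedded in a YARA rule identifier.
//
// Only upper-case ASCII letters ('A'..'Z', codes 65..90) are shifted by 32;
// digits and letters that are already lower-case are copied through
// unchanged.  The previous version shifted every code above 64, so a digest
// that was already lower-case came back as non-ASCII garbage.
//
// fmd5: string to convert.
// Returns the converted string ("" for an empty input).
static lmd5(fmd5)
{
    auto result, size, nb, x;
    size = strlen(fmd5);
    result = "";
    for (x = 0; x < size; x++)
    {
        nb = ord(fmd5[x]);
        // 'A' == 65, 'Z' == 90; adding 32 maps into 'a'..'z'
        if (nb >= 65 && nb <= 90)
        {
            nb = nb + 32;
        }
        result = sprintf("%s%c", result, nb);
    }
    return result;
}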
// Render the first num_bytes characters of byte_values as a space-separated
// list of two-digit hex values, e.g. " 4d 5a 90".  Every byte, including
// the first, is preceded by one space.
//
// byte_values: string of raw bytes (what get_bytes() hands back).
// num_bytes:   number of leading characters to render; passed through ord()
//              exactly as the caller's value is.
// Returns the hex string; "" when no bytes are rendered.
static make_hex_string(byte_values, num_bytes)
{
    auto out, idx, val, count;
    out = "";
    count = ord(num_bytes);
    idx = 0;
    while (idx < count)
    {
        val = ord(byte_values[idx]);
        // The guard below is kept from the original: if ord() yields a
        // negative value for a high byte, fold it back into 0..255.
        if (val < 0)
        {
            val = (val + 256) & 0xff;
        }
        out = sprintf("%s %02x", out, val);
        idx++;
    }
    return out;
}
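// IDA plugin object: builds a YARA rule whose single hex string is the
// byte range currently selected in the disassembly view.
class generate_rule
{
    // Plugin descriptor fields read by IDA when the plugin is loaded.
    generate_rule()
    {
        this.flags = PLUGIN_UNL;
        this.comment = "Generate YARA rule for selected bytes";
        this.help = "Select some bytes, and then run this plugin";
        this.wanted_name = "Generate YARA...";
        this.wanted_hotkey = "Ctrl+Shift+Y";
    }
    // Nothing to set up; always report the plugin as usable.
    init()
    {
        return PLUGIN_OK;
    }
    // Entry point invoked from the menu or the hotkey.
    //
    // Reads the current selection [start, end), fetches those bytes and
    // prints a YARA rule named after the input file's MD5 and the selected
    // address range.  Nothing is printed when the selection is empty or
    // inverted, or when the bytes cannot be read.
    //
    // arg: plugin argument supplied by IDA; unused.
    run(arg)
    {
        auto start, end, size, bytes, hex_string, fmd5, rule;
        Message("Attempting to generate YARA rule\n");
        start = read_selection_start();
        end = read_selection_end();
        rule = "";
        fmd5 = lmd5(retrieve_input_file_md5());
        // Require a strictly positive range: the old start != end test let an
        // inverted selection through and handed get_bytes() a negative size.
        // This also covers the no-selection case, where both reads are
        // expected to return BADADDR.
        if (end > start)
        {
            size = ord(end - start);
            Message("Generating signature from %08x to %08x\n", start, end);
            bytes = get_bytes(start, size, 0);
            if (bytes != 0)
            {
                Message("Got %d bytes from selection\n", size);
                hex_string = make_hex_string(bytes, size);
                rule = sprintf("rule rule_%s_bytes_%08x_%08x\n", fmd5, start, end);
                rule = sprintf("%s{\n strings: $v = {%s}\n condition: $v\n}\n", rule, hex_string);
                // Pass the generated text as an argument, never as the format
                // string, so a '%' in it can never be interpreted by Message().
                Message("%s", rule);
            }
        }
    }
    // No per-plugin resources to release.
    term() {}
}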
// Plugin entry point looked up by IDA: hands back a fresh instance of the
// generate_rule plugin object.
static PLUGIN_ENTRY()
{
    auto plugin;
    plugin = generate_rule();
    return plugin;
}
Fixed a dumb typo