DissectMalware / base64_substring

Generate a Yara rule to find base64-encoded files containing a specific keyword


About

Malware analysts often need to search through base64-encoded samples for a search term such as Application.Run. base64_substring helps by enumerating every possible base64 encoding of a given search term (one for each of the three byte alignments a base64 encoder can start from) and generating a yara rule that checks all of those possibilities.

How to Run

Example: generating a yara rule that matches a base64-encoded file containing the term Application.

> python generate_yara_rule.py
> Please enter a rule name
  MyRule
> Please enter a text
  Application
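The enumeration described in the About section, shown as an added example (this is not the repository's own generate_yara_rule.py): for each of the three alignments the keyword is encoded behind that many filler bytes, and the characters whose value also depends on the unknown neighbouring bytes are cut off, leaving a substring that is fixed regardless of the surrounding data. The rule name, string names and helper functions are illustrative choices.

```python
import base64

# Leading characters of each alignment that also depend on the bytes that
# precede the keyword, so they cannot be part of a fixed pattern.
_LEADING_DROP = {0: 0, 1: 2, 2: 3}


def base64_variants(keyword: bytes) -> list[str]:
    """Return the three base64 substrings that can encode `keyword`.

    A base64 encoder consumes 3-byte groups, so the encoding of a keyword
    depends on its byte offset modulo 3 within the file.
    """
    variants = []
    for offset in range(3):
        # Filler bytes stand in for the unknown data before the keyword.
        encoded = base64.b64encode(b"\x00" * offset + keyword).decode("ascii")
        encoded = encoded[_LEADING_DROP[offset]:]
        # Remove '=' padding; the last remaining character then still mixes
        # keyword bits with bits of the byte that follows, so drop it as well.
        stripped = encoded.rstrip("=")
        if len(stripped) != len(encoded):
            stripped = stripped[:-1]
        variants.append(stripped)
    return variants


def build_yara_rule(rule_name: str, keyword: str) -> str:
    """Emit a YARA rule whose strings cover all three alignments."""
    lines = [f"rule {rule_name}", "{", "    strings:"]
    for i, variant in enumerate(base64_variants(keyword.encode())):
        lines.append(f'        $b64_{i} = "{variant}" ascii wide')
    lines += ["    condition:", "        any of them", "}"]
    return "\n".join(lines)


def matches(data: bytes, keyword: str) -> bool:
    """Check whether base64(data) contains one of the keyword's variants.

    Assumes standard base64 without line breaks inside the encoded text.
    """
    encoded = base64.b64encode(data).decode("ascii")
    return any(variant in encoded for variant in base64_variants(keyword.encode()))


if __name__ == "__main__":
    print(build_yara_rule("MyRule", "Application"))
```

The generated strings only match unbroken standard base64; encoded data wrapped with line breaks or using a different alphabet needs a different approach. YARA 4.0 and later also ship a built-in `base64` string modifier that performs the same three-alignment expansion.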

Further Reading

"Searching for Content in Base-64 Strings" by Lee Holmes


License:Apache License 2.0


Languages

Language:Python 100.0%