TcM1911 / zig2yar

Use Radare2's zignatures to generate Yara signatures

zig2yar

Use Radare2's zignatures to generate Yara signatures

The function to sign is selected with -o. The offset can be given either as a symbol name (entry0 in the examples below) or as a hex address:

$ zig2yar -o 0x1000043f1 /bin/ls
{ 55 48 89 e5 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? be ?? ?? ?? ?? ba 01 00 00 00 e8 ?? ?? ?? ?? bf 01 00 00 00 e8 ?? ?? ?? ?? }

Signatures with jump boundaries instead of runs of wildcards can be generated with the -r flag: a run of two or more wildcard bytes becomes a YARA jump [n]. Runs of a single wildcard byte ("?" or "??") are ignored and stay as ??. Example:

$ zig2yar -o entry0 -r /bin/ls
{ 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 81 ec 28 06 00 00 48 89 f3 41 89 fe 48 [6] 48 [6] 45 85 f6 7f ?? e8 [4] 48 [6] 31 ff e8 [4] bf 01 00 00 00 e8 [4] 85 c0 74 ?? c7 [9] 48 [6] e8 [4] 48 85 c0 74 ?? 80 [2] 74 ?? 48 89 c7 e8 [4] eb ?? 48 [3] bf 01 00 00 00 be [4] 31 c0 e8 [4] 83 f8 ff 74 ?? 0f b7 [2] 85 c0 74 ?? 89 [5] c7 [9] eb ?? c6 [6] 48 [6] e8 [4] 48 85 c0 74 ?? 48 89 c7 e8 [4] 89 [5] e8 [4] 41 [5] 85 c0 75 ?? c6 [6] eb ?? c6 [6] c7 [9] 48 [6] 44 89 f7 48 89 de e8 [4] 8d [2] 83 [2] 0f 87 [4] 48 [6] 48 [3] 48 01 c1 ff e1 c6 [6] 31 c0 89 [5] 89 [5] eb ?? c7 [9] c7 [9] eb ?? 48 [6] 48 [6] ba 01 00 00 00 e8 [4] eb ?? 31 c0 89 [5] 89 [5] c7 [9] e9 [4] c6 [6] 48 [6] 48 [6] e8 [4] 84 c0 0f 84 [4] e9 [4] 48 [6] 48 [6] e8 [4] 84 c0 0f 84 [4] b8 01 00 00 00 89 [5] e9 [4] c7 [9] e9 [4] c6 05 3f 41 00 00 }

A scaling factor for the upper bound of each jump can be set with -s. The lower bound stays at the original run length n and the upper bound becomes n multiplied by the factor, truncated to an integer, so [6] becomes [6-9] and [9] becomes [9-13] at 1.5:

$ zig2yar -o entry0 -r -s 1.5 /bin/ls
{ 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 81 ec 28 06 00 00 48 89 f3 41 89 fe 48 [6-9] 48 [6-9] 45 85 f6 7f ?? e8 [4-6] 48 [6-9] 31 ff e8 [4-6] bf 01 00 00 00 e8 [4-6] 85 c0 74 ?? c7 [9-13] 48 [6-9] e8 [4-6] 48 85 c0 74 ?? 80 [2-3] 74 ?? 48 89 c7 e8 [4-6] eb ?? 48 [3-4] bf 01 00 00 00 be [4-6] 31 c0 e8 [4-6] 83 f8 ff 74 ?? 0f b7 [2-3] 85 c0 74 ?? 89 [5-7] c7 [9-13] eb ?? c6 [6-9] 48 [6-9] e8 [4-6] 48 85 c0 74 ?? 48 89 c7 e8 [4-6] 89 [5-7] e8 [4-6] 41 [5-7] 85 c0 75 ?? c6 [6-9] eb ?? c6 [6-9] c7 [9-13] 48 [6-9] 44 89 f7 48 89 de e8 [4-6] 8d [2-3] 83 [2-3] 0f 87 [4-6] 48 [6-9] 48 [3-4] 48 01 c1 ff e1 c6 [6-9] 31 c0 89 [5-7] 89 [5-7] eb ?? c7 [9-13] c7 [9-13] eb ?? 48 [6-9] 48 [6-9] ba 01 00 00 00 e8 [4-6] eb ?? 31 c0 89 [5-7] 89 [5-7] c7 [9-13] e9 [4-6] c6 [6-9] 48 [6-9] 48 [6-9] e8 [4-6] 84 c0 0f 84 [4-6] e9 [4-6] 48 [6-9] 48 [6-9] e8 [4-6] 84 c0 0f 84 [4-6] b8 01 00 00 00 89 [5-7] e9 [4-6] c7 [9-13] e9 [4-6] c6 05 3f 41 00 00 }
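The three examples above are one conversion with two switches, and the following Go program shows that conversion end to end. It is an added example written for this page, not zig2yar's own code. It assumes the zignature arrives as two hex strings, a byte pattern and a per-byte mask where ff means "fixed" and 00 means "wildcard" (this is the shape Radare2 prints for a zignature's bytes and mask; treat that as an assumption if your r2 version differs). The sample pattern is constructed to reproduce the first /bin/ls signature on this page, with zeroed placeholder values under the wildcard bytes rather than the real bytes of /bin/ls. It goes one step beyond the page in handling nibble masks (f0 / 0f) with YARA's nibble wildcards (4?, ?5) and in wrapping the hex string in a complete rule.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"strings"
)

// Zignature is a Radare2 zignature reduced to what the YARA conversion needs:
// a byte pattern and a same-length mask (0xff = byte is fixed, 0x00 = wildcard).
type Zignature struct {
	Bytes []byte
	Mask  []byte
}

// Constructed sample (not the real bytes of /bin/ls): the fixed bytes and the
// wildcard positions match the first zig2yar example on this page; every byte
// under a 00 mask is a zero placeholder. The "00" bytes inside "ba 01 00 00 00"
// are fixed (mask ff), which shows that the mask, not the byte value, decides.
const sampleBytesHex = "554889e548" + "000000000000" + "48" + "0000" + "48" +
	"000000000000" + "be" + "00000000" + "ba01000000" + "e8" + "00000000" +
	"bf01000000" + "e8" + "00000000"
const sampleMaskHex = "ffffffffff" + "000000000000" + "ff" + "0000" + "ff" +
	"000000000000" + "ff" + "00000000" + "ffffffffff" + "ff" + "00000000" +
	"ffffffffff" + "ff" + "00000000"

// ParseZig decodes the two hex strings and checks they describe the same length.
func ParseZig(bytesHex, maskHex string) (*Zignature, error) {
	b, err := hex.DecodeString(bytesHex)
	if err != nil {
		return nil, fmt.Errorf("bytes: %w", err)
	}
	m, err := hex.DecodeString(maskHex)
	if err != nil {
		return nil, fmt.Errorf("mask: %w", err)
	}
	if len(b) != len(m) {
		return nil, fmt.Errorf("bytes/mask length mismatch: %d vs %d", len(b), len(m))
	}
	return &Zignature{Bytes: b, Mask: m}, nil
}

// isWild reports whether a mask byte must become a full ?? wildcard. YARA can
// express a fixed byte and fixed single nibbles, but not arbitrary bit masks, so
// any other partial mask is widened to ??: the rule stays sound (it matches a
// superset of what the zignature matches) and only loses precision.
func isWild(mask byte) bool {
	return mask != 0xff && mask != 0xf0 && mask != 0x0f
}

// fixedToken renders a byte whose mask keeps the whole byte or one nibble.
func fixedToken(b, mask byte) string {
	switch mask {
	case 0xff:
		return fmt.Sprintf("%02x", b)
	case 0xf0:
		return fmt.Sprintf("%x?", b>>4) // high nibble fixed, low nibble wildcard
	default: // 0x0f
		return fmt.Sprintf("?%x", b&0x0f)
	}
}

// jump renders a run of n wildcard bytes as a YARA jump. With scale > 1 the upper
// bound is n*scale truncated to an integer, mirroring the page: [6] -> [6-9] and
// [9] -> [9-13] at 1.5. A scale that does not widen the run yields a plain [n].
func jump(n int, scale float64) string {
	if upper := int(float64(n) * scale); upper > n {
		return fmt.Sprintf("[%d-%d]", n, upper)
	}
	return fmt.Sprintf("[%d]", n)
}

// ToYaraHex converts a zignature into a YARA hex string. With ranges=false every
// wildcard byte is emitted as ??. With ranges=true a run of two or more wildcard
// bytes becomes a jump, while a single wildcard byte is left as ?? (as the -r
// flag on this page does); scale only applies to jumps.
func ToYaraHex(z *Zignature, ranges bool, scale float64) string {
	var out []string
	for i := 0; i < len(z.Bytes); {
		if !isWild(z.Mask[i]) {
			out = append(out, fixedToken(z.Bytes[i], z.Mask[i]))
			i++
			continue
		}
		j := i
		for j < len(z.Bytes) && isWild(z.Mask[j]) { // measure the wildcard run
			j++
		}
		if n := j - i; ranges && n > 1 {
			out = append(out, jump(n, scale))
		} else {
			out = append(out, strings.Fields(strings.Repeat("?? ", n))...)
		}
		i = j
	}
	return "{ " + strings.Join(out, " ") + " }"
}

// YaraRule wraps a hex string in a minimal rule. The rule name is the caller's choice.
func YaraRule(name, hexString string) string {
	return fmt.Sprintf("rule %s {\n    strings:\n        $code = %s\n    condition:\n        $code\n}\n", name, hexString)
}

func main() {
	z, err := ParseZig(sampleBytesHex, sampleMaskHex)
	if err != nil {
		panic(err)
	}
	fmt.Println(ToYaraHex(z, false, 1))  // plain ?? wildcards, like the first example
	fmt.Println(ToYaraHex(z, true, 1))   // -r style jumps
	fmt.Print(YaraRule("zig_example", ToYaraHex(z, true, 1.5))) // -r -s 1.5 style
}
```

Before shipping a rule built this way, count the fixed bytes that survive: a signature dominated by jumps and ?? matches quickly but also matches far more code than the function it was cut from, so check it against a corpus of clean binaries as well as the target. Widening the upper bound with a scale factor trades precision for tolerance to recompilation in the same way.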

About

Use Radare2's zignatures to generate Yara signatures

License:GNU General Public License v3.0


Languages

Language:Go 100.0%