Steve stvemillertime

## regopenparams_rule_writer.yar
import "pe"
import "console"

private rule rulewriter_regopenparams_miner {
    meta:
        author = "Greg Lesnewich"
        description = "mine out API calls that are x-ref'd from things that might be registry values being pushed to the stack "
        reference = "https://learn.microsoft.com/en-us/windows/win32/sysinfo/predefined-keys"
        date = "2024-01-28"
        version = "1"

## copy_yara_format_bytes.py
"""Binary Ninja plugin for copying opcode bytes to the clipboard formatted to YARA best practice."""
import json

from binaryninja.enums import InstructionTextTokenType, LinearDisassemblyLineType
from binaryninja.interaction import get_text_line_input
from binaryninja.plugin import PluginCommand
from binaryninja.settings import Settings
import PySide6

s = Settings()

## rich_header_yara.py
#!/usr/bin/env python
import argparse
import binascii
import hashlib
import os
import re
import sys
import traceback

__author__  = "Jeff White [karttoon] @noottrak"

## yara_performance_guidelines.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                stvemillertime
                / yara_performance_guidelines.md
            
            
              Created
              February 19, 2023 23:48
                — forked from Neo23x0/yara_performance_guidelines.md
            
              
                YARA Performance Guidelines
              
          
    This Gist has been transfered into a Github Repo.
You'll find the most recent version here.
YARA Performance Guidelines

When creating your rules for YARA keep in mind the following guidelines in order to get the best performance from them.
This guide is based on ideas and recommendations by Victor M. Alvarez and WXS.

Revision 1.4, October 2020, applies to all YARA versions higher than 3.7


## mstscax_ole.yar
rule terminal_services_scripting {
  meta:
    author = "David Cannings"
    description = "Microsoft Terminal Services Client Control (not safe for scripting)"
    ref = "https://twitter.com/joe4security/status/1221765460502421504?s=20%E2%80%9D"
    generated_by = "yaml2yara, see https://github.com/nccgroup/yaml2yara/"

  strings:
    // Parsers will open files without the full 'rtf'
    $header_rtf = "{\\rt" nocase

## yara_example_1.yar
import "math"

rule example {
  meta:
    author = "David Cannings"
    description = "Rule example - finding a chunk of code near other known code"

  strings:
    $chunk = { AA BB CC DD }
    $chunk_prologue = { 11 22 33 44 }

## high_entropy_pe_rules.yar
/*

Original rule from: https://gist.github.com/g-les/0745a9d6cd7f4abb3083a8dee1eaf984

Two variations on the original rule by @greglesnewich.

Conversation on Twitter at: https://twitter.com/edeca/status/1477650229709225990

*/

## server.py
import socket
import hashlib
import struct

import time


class IdUid:
    def __init__(self):

## nozomi_upx.yara
// https://github.com/NozomiNetworks/upx-recovery-tool
rule UPX_nozomi_x86
{
  strings: $sig = { 50 e8 ?? ?? 00 00 eb  5a 58 59 97 60 8a 54 24 20 e9 ?? ?? 00 00 60 8b 74 24 24 8b 7c 24 2c 83 cd}
  condition: any of them
}

rule UPX_nozomi_x64
{
  strings:

## 100_days_of_yara.yar
/*
Goals for #100DaysofYARA:

better understanding of bitwise operators
use math module beyond general entropy of a section / resource
position specific things beyond what PE module tells us
do some funky stuff with hashing


*/
	import "pe"
	import "console"

	private rule rulewriter_regopenparams_miner {
	meta:
	author = "Greg Lesnewich"
	description = "mine out API calls that are x-ref'd from things that might be registry values being pushed to the stack "
	reference = "https://learn.microsoft.com/en-us/windows/win32/sysinfo/predefined-keys"
	date = "2024-01-28"
	version = "1"
	"""Binary Ninja plugin for copying opcode bytes to the clipboard formatted to YARA best practice."""
	import json

	from binaryninja.enums import InstructionTextTokenType, LinearDisassemblyLineType
	from binaryninja.interaction import get_text_line_input
	from binaryninja.plugin import PluginCommand
	from binaryninja.settings import Settings
	import PySide6

	s = Settings()
	#!/usr/bin/env python
	import argparse
	import binascii
	import hashlib
	import os
	import re
	import sys
	import traceback

	__author__ = "Jeff White [karttoon] @noottrak"
	rule terminal_services_scripting {
	meta:
	author = "David Cannings"
	description = "Microsoft Terminal Services Client Control (not safe for scripting)"
	ref = "https://twitter.com/joe4security/status/1221765460502421504?s=20%E2%80%9D"
	generated_by = "yaml2yara, see https://github.com/nccgroup/yaml2yara/"

	strings:
	// Parsers will open files without the full 'rtf'
	$header_rtf = "{\\rt" nocase
	import "math"

	rule example {
	meta:
	author = "David Cannings"
	description = "Rule example - finding a chunk of code near other known code"

	strings:
	$chunk = { AA BB CC DD }
	$chunk_prologue = { 11 22 33 44 }
	/*

	Original rule from: https://gist.github.com/g-les/0745a9d6cd7f4abb3083a8dee1eaf984

	Two variations on the original rule by @greglesnewich.

	Conversation on Twitter at: https://twitter.com/edeca/status/1477650229709225990

	*/
	import socket
	import hashlib
	import struct

	import time



	class IdUid:
	def __init__(self):
	// https://github.com/NozomiNetworks/upx-recovery-tool
	rule UPX_nozomi_x86
	{
	strings: $sig = { 50 e8 ?? ?? 00 00 eb 5a 58 59 97 60 8a 54 24 20 e9 ?? ?? 00 00 60 8b 74 24 24 8b 7c 24 2c 83 cd}
	condition: any of them
	}

	rule UPX_nozomi_x64
	{
	strings:
	/*
	Goals for #100DaysofYARA:

	better understanding of bitwise operators
	use math module beyond general entropy of a section / resource
	position specific things beyond what PE module tells us
	do some funky stuff with hashing


	*/