Skip to content

Instantly share code, notes, and snippets.

Avatar

Wesley Shields wxsBSD

View GitHub Profile
View gist:2e9b270552122cd865cdafe01989fdca
import platform
import yara

print(f"Platform version: {platform.version()}")
print(f"Python version: {platform.python_version()}")
print(f"YARA version: {yara.YARA_VERSION}")


r = """
View foo.md
#include <ctype.h>
#include <stdio.h>

int main(void) {
  for (int i = 0; i <= 255; i++)
    printf("0x%02x %u\n", i, !isalnum(i));
  return 0;
}
View gist:5cc0aab5fc99eccaf20eb95b94ed79e8
import platform
import yara

print(f"Platform version: {platform.version()}")
print(f"Python version: {platform.python_version()}")
print(f"YARA version: {yara.YARA_VERSION}")

rules = yara.compile(source='rule a { strings: $a = "foo" fullword condition: $a }')
for c in range(256):
@wxsBSD
wxsBSD / gist:4ec929a0eb07d8e3feeccc49e0d9aa2a
Last active Dec 26, 2020
Counting string matches in YARA with awk
View gist:4ec929a0eb07d8e3feeccc49e0d9aa2a

Counting number of times strings match in YARA with awk...

wxs@wxs-mbp yara % cat rules/test.yara
rule a { strings: $a = "FreeBSD" nocase  $b = "usage: " condition: any of them }
wxs@wxs-mbp yara % ./yara -s rules/test.yara /bin/ls
a /bin/ls
0xb8e1:$a: FreeBSD
0xb9a1:$a: FreeBSD
0xb9f1:$a: FreeBSD
@wxsBSD
wxsBSD / fib.md
Created Oct 15, 2020
fib.bf - A Fibonacci Generator Written In Brainfuck Running On YARA
View fib.md

fib.bf - A Fibonacci Generator Written In Brainfuck Running On YARA

Wait, What?

Back in January I wrote bf2y which is a brainfuck to YARA compiler. bf2y takes in an arbitrary brainfuck program and outputs the instructions to execute the brainfuck code on the YARA virtual machine (well, a slightly modified VM). If you want the full details of how it works go read the code, but I want to talk about writing a Fibonacii number generator for it.

First, A BF Primer

@wxsBSD
wxsBSD / yrrc.md
Created May 10, 2020
yrrc example
View yrrc.md

Here's an example of how part of yrrc works. Starting with these rules:

wxs@wxs-mbp yrrc % cat rules/test.yara
rule a {
  meta:
    sample = "24c422e681f1c1bd08286c7aaf5d23a5f088dcdb0b219806b3a9e579244f00c5"
  condition:
    true
}
View bf2y.md
View base64 and ascii working.md
wxs@wxs-mbp yara % cat rules/test.yara
rule a {
  strings:
    // This program cannot VGhpcyBwcm9ncmFtIGNhbm5vdA==
    // AThis program cannot QVRoaXMgcHJvZ3JhbSBjYW5ub3Q=
    // AAThis program cannot QUFUaGlzIHByb2dyYW0gY2Fubm90
    $a = "This program cannot" base64 ascii

    // Custom alphabets are supported, but I have it commented out for now. ;)
@wxsBSD
wxsBSD / base64.md
Created Dec 3, 2019
Base64 modifier in YARA
View base64.md
wxs@wxs-mbp yara % cat rules/test.yara
rule a {
  strings:
    // This program cannot VGhpcyBwcm9ncmFtIGNhbm5vdA==
    // AThis program cannot QVRoaXMgcHJvZ3JhbSBjYW5ub3Q=
    // AAThis program cannot QUFUaGlzIHByb2dyYW0gY2Fubm90
    $a = "This program cannot" base64

    // Custom alphabets are supported, but I have it commented out for now. ;)
View keybase.md

Keybase proof

I hereby claim:

  • I am wxsbsd on github.
  • I am wxs (https://keybase.io/wxs) on keybase.
  • I have a public key whose fingerprint is 96D1 2E6B F61C 2F3D 83EF 8F0B BE54 310C 17F0 AA37

To claim this, I am signing this object: