Skip to content

Instantly share code, notes, and snippets.

@wxsBSD wxsBSD/base64.md
Created Dec 3, 2019

Embed
What would you like to do?
Learn more about clone URLs
Download ZIP
Base64 modifier in YARA
Raw
base64.md 
wxs@wxs-mbp yara % cat rules/test.yara
rule a {
  strings:
    // This program cannot VGhpcyBwcm9ncmFtIGNhbm5vdA==
    // AThis program cannot QVRoaXMgcHJvZ3JhbSBjYW5ub3Q=
    // AAThis program cannot QUFUaGlzIHByb2dyYW0gY2Fubm90
    $a = "This program cannot" base64

    // Custom alphabets are supported, but I have it commented out for now. ;)
    //$b = "This program cannot" base64("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/")
  condition:
    #a == 3
}
wxs@wxs-mbp yara % ./yara -s rules/test.yara rules/test.yara
a rules/test.yara
0x2f:$a: VGhpcyBwcm9ncmFtIGNhbm5vd
0x6a:$a: RoaXMgcHJvZ3JhbSBjYW5ub3
0xa6:$a: aGlzIHByb2dyYW0gY2Fubm9
wxs@wxs-mbp yara %
@itsreallynick

This comment has been minimized.

Sign in to view
Copy link

itsreallynick commented Dec 3, 2019

Hero.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.