wxs@wxs-mbp yara % cat rules/test.yara
rule a {
strings:
// This program cannot VGhpcyBwcm9ncmFtIGNhbm5vdA==
// AThis program cannot QVRoaXMgcHJvZ3JhbSBjYW5ub3Q=
// AAThis program cannot QUFUaGlzIHByb2dyYW0gY2Fubm90
$a = "This program cannot" base64
// Custom alphabets are supported, but I have it commented out for now. ;)
//$b = "This program cannot" base64("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/")
condition:
#a == 3
}
wxs@wxs-mbp yara % ./yara -s rules/test.yara rules/test.yara
a rules/test.yara
0x2f:$a: VGhpcyBwcm9ncmFtIGNhbm5vd
0x6a:$a: RoaXMgcHJvZ3JhbSBjYW5ub3
0xa6:$a: aGlzIHByb2dyYW0gY2Fubm9
wxs@wxs-mbp yara %
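The three patterns YARA printed come from the three alignments the phrase can take inside base64 triples: only the characters whose six bits fall entirely within the plaintext's bytes are worth searching for. The Python below is an added illustration, not part of the gist or of YARA's code: it derives those runs from first principles, reports hits the way `yara -s` does, and shows that the naive padded encoding of the phrase misses three constructed samples. YARA's third printed pattern is one character shorter at each end than the minimal run computed here.

```python
import base64
import re

def base64_patterns(plaintext: bytes) -> list[str]:
    """For each of the three ways `plaintext` can sit inside base64 triples
    (0, 1 or 2 unknown bytes in front of it), return the run of base64
    characters that depend on `plaintext` alone. Neighbouring bytes are
    modelled as NULs; the characters kept never depend on them."""
    patterns = []
    for lead in range(3):
        tail = (-(lead + len(plaintext))) % 3
        buf = b"\x00" * lead + plaintext + b"\x00" * tail
        enc = base64.b64encode(buf).decode("ascii")
        first_bit = 8 * lead                    # first bit owned by plaintext
        last_bit = 8 * (lead + len(plaintext))  # one past its last bit
        # base64 character j covers bit range [6j, 6j + 6)
        start = -(-first_bit // 6)              # first char fully inside
        end = last_bit // 6                     # one past last char fully inside
        patterns.append(enc[start:end])
    return patterns

def scan(blob: str, plaintext: bytes) -> list[tuple[int, str]]:
    """Offsets of every alignment pattern in `blob`, like `yara -s` output."""
    hits = []
    for pat in base64_patterns(plaintext):
        hits += [(m.start(), pat) for m in re.finditer(re.escape(pat), blob)]
    return sorted(hits)

PLAINTEXT = b"This program cannot"
# Constructed samples (not from the gist): the phrase base64-encoded with 0, 1
# and 2 bytes of unrelated data in front, so it lands on each alignment.
SAMPLES = [
    base64.b64encode(b"\xff" * lead + PLAINTEXT + b"!!").decode("ascii")
    for lead in range(3)
]
NAIVE = base64.b64encode(PLAINTEXT).decode("ascii")  # padded encoding of the phrase alone

if __name__ == "__main__":
    for i, pat in enumerate(base64_patterns(PLAINTEXT)):
        print(f"alignment {i}: {pat}")
    for i, sample in enumerate(SAMPLES):
        print(f"sample {i}: naive={'hit' if NAIVE in sample else 'miss'} "
              f"aligned={scan(sample, PLAINTEXT)}")
```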
Created December 3, 2019 03:25
Base64 modifier in YARA