Skip to content

Instantly share code, notes, and snippets.

@wxsBSD

wxsBSD/base64.md

Created Dec 3, 2019
Star
Embed
What would you like to do?
Learn more about clone URLs
Download ZIP
Base64 modifier in YARA
Raw
base64.md 
wxs@wxs-mbp yara % cat rules/test.yara
rule a {
  strings:
    // This program cannot VGhpcyBwcm9ncmFtIGNhbm5vdA==
    // AThis program cannot QVRoaXMgcHJvZ3JhbSBjYW5ub3Q=
    // AAThis program cannot QUFUaGlzIHByb2dyYW0gY2Fubm90
    $a = "This program cannot" base64

    // Custom alphabets are supported, but I have it commented out for now. ;)
    //$b = "This program cannot" base64("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/")
  condition:
    #a == 3
}
wxs@wxs-mbp yara % ./yara -s rules/test.yara rules/test.yara
a rules/test.yara
0x2f:$a: VGhpcyBwcm9ncmFtIGNhbm5vd
0x6a:$a: RoaXMgcHJvZ3JhbSBjYW5ub3
0xa6:$a: aGlzIHByb2dyYW0gY2Fubm9
wxs@wxs-mbp yara %
@itsreallynick

This comment has been minimized.

Sign in to view
Copy link

@itsreallynick itsreallynick commented Dec 3, 2019

Hero.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment