wxs@wxs-mbp yara % cat rules/test.yara
rule a {
strings:
// This program cannot VGhpcyBwcm9ncmFtIGNhbm5vdA==
// AThis program cannot QVRoaXMgcHJvZ3JhbSBjYW5ub3Q=
// AAThis program cannot QUFUaGlzIHByb2dyYW0gY2Fubm90
$a = "This program cannot" base64 ascii
// Custom alphabets are supported, but I have it commented out for now. ;)
//$b = "This program cannot" base64("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/")
condition:
#a == 8
}
wxs@wxs-mbp yara % ./yara -s rules/test.yara rules/test.yara
a rules/test.yara
0x1b:$a: This program cannot
0x2f:$a: VGhpcyBwcm9ncmFtIGNhbm5vd
0x54:$a: This program cannot
0x6a:$a: RoaXMgcHJvZ3JhbSBjYW5ub3
0x8e:$a: This program cannot
0xa6:$a: aGlzIHByb2dyYW0gY2Fubm9
0xc9:$a: This program cannot
0x147:$a: This program cannot
wxs@wxs-mbp yara %
Created
December 4, 2019 04:33
-
-
Save wxsBSD/795d4c46d7c8ca1bf2121097dc69dec1 to your computer and use it in GitHub Desktop.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
yaas