YARA

The pattern matching swiss knife

  • Owner: VirusTotal/yara
  • Platform: Linux, Mac, Windows
  • License: BSD 3-Clause "New" or "Revised" License

YARA in a nutshell

YARA is a tool aimed at (but not limited to) helping malware researchers identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever else you want to describe) based on textual or binary patterns. Each description, also called a rule, consists of a set of strings and a boolean expression that determines its logic. Let's look at an example:

rule silent_banker : banker
{
    meta:
        description = "This is just an example"
        threat_level = 3
        in_the_wild = true
    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
    condition:
        $a or $b or $c
}

The rule above tells YARA that any file containing at least one of the three strings must be reported as silent_banker (the word banker after the colon is a tag, which lets you group and filter rules). This is only a simple example; far more complex and powerful rules can be built with wild-cards, case-insensitive strings, regular expressions, special operators and many other features, all of which are explained in YARA's documentation.

YARA is multi-platform, running on Windows, Linux and Mac OS X, and can be used through its command-line interface or from your own Python scripts with the yara-python extension.
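To make the rule's evaluation concrete, here is an added Python example written for this page; it is not YARA's own code and does not use yara-python. It re-implements the matching semantics of the silent_banker rule above over three constructed buffers and then shows what a `??` wild-card buys you. The `SAMPLE_*` buffers and the `$a_wild` string are assumptions made for the demonstration, and real YARA compiles strings into an Aho-Corasick automaton rather than regexes.

```python
import re

# Added example, not YARA's own code: a miniature re-implementation of the
# matching semantics of the silent_banker rule above, so the rule logic can
# be stepped through in plain Python.

# The three strings of the page's rule. kind is "hex", "text" or
# "text_nocase" (the page's rule only uses hex and text).
SILENT_BANKER_STRINGS = {
    "$a": ("hex", "6A 40 68 00 30 00 00 6A 14 8D 91"),
    "$b": ("hex", "8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9"),
    "$c": ("text", "UVODFRYSIHLNWPEJXQZAKCBGMT"),
}


def silent_banker_condition(hits):
    """The rule's condition: $a or $b or $c."""
    return "$a" in hits or "$b" in hits or "$c" in hits


def hex_string_to_regex(spec):
    """Translate a YARA-style hex string into a bytes regex.

    Supported tokens: a two-digit hex byte, the single-byte wild-card '??',
    and a jump '[lo-hi]' (lo..hi arbitrary bytes). Anything else raises.
    """
    parts = []
    for tok in spec.split():
        if tok == "??":
            parts.append(b".")
        elif tok.startswith("[") and tok.endswith("]") and "-" in tok:
            lo, hi = tok[1:-1].split("-", 1)
            parts.append(b".{%d,%d}" % (int(lo), int(hi)))
        elif len(tok) == 2:
            parts.append(re.escape(bytes.fromhex(tok)))
        else:
            raise ValueError("unsupported hex token: %r" % tok)
    return b"".join(parts)


def compile_strings(strings):
    """Compile each string into a zero-width lookahead regex so that all
    overlapping occurrences are reported, as YARA does."""
    compiled = {}
    for ident, (kind, spec) in strings.items():
        if kind == "hex":
            pattern, flags = hex_string_to_regex(spec), re.DOTALL
        elif kind == "text":
            pattern, flags = re.escape(spec.encode()), 0
        elif kind == "text_nocase":
            pattern, flags = re.escape(spec.encode()), re.IGNORECASE
        else:
            raise ValueError("unknown string kind: %r" % kind)
        compiled[ident] = re.compile(b"(?=" + pattern + b")", flags)
    return compiled


def scan(data, strings):
    """Return {identifier: [offset, ...]} for each string found in data."""
    hits = {}
    for ident, rx in compile_strings(strings).items():
        offsets = [m.start() for m in rx.finditer(data)]
        if offsets:
            hits[ident] = offsets
    return hits


def evaluate(data, strings, condition):
    """Scan data, then apply the rule's boolean condition to the hits.
    Returns (matched, hits)."""
    hits = scan(data, strings)
    return condition(hits), hits


# Constructed sample buffers (not real malware): the byte sequence of $a
# inside filler, the $c marker inside text, and a benign buffer.
SAMPLE_A = b"\x90" * 5 + bytes.fromhex("6A4068003000006A148D91") + b"\xCC" * 3
SAMPLE_C = b"config=" + b"UVODFRYSIHLNWPEJXQZAKCBGMT" + b"\x00"
BENIGN = b"MZ\x90\x00" + b"This program cannot be run in DOS mode."

# Assumed wild-card variant of $a: the immediate 00 30 00 00 is replaced by
# '??', so a sample carrying a different immediate still matches. Not part of
# the page's rule; added to show what a wild-card buys you.
WILDCARD_STRINGS = {"$a_wild": ("hex", "6A 40 68 ?? ?? ?? ?? 6A 14 8D 91")}
SAMPLE_A_VARIANT = bytes.fromhex("6A4068004000006A148D91")

if __name__ == "__main__":
    for name, buf in [("SAMPLE_A", SAMPLE_A), ("SAMPLE_C", SAMPLE_C), ("BENIGN", BENIGN)]:
        matched, hits = evaluate(buf, SILENT_BANKER_STRINGS, silent_banker_condition)
        print(name, "->", "silent_banker" if matched else "no match", hits)
    print("variant vs exact $a:  ", scan(SAMPLE_A_VARIANT, SILENT_BANKER_STRINGS))
    print("variant vs wild-card:", scan(SAMPLE_A_VARIANT, WILDCARD_STRINGS))
```

With the real yara-python extension the equivalent is `rules = yara.compile(source=rule_text)` followed by `rules.match(data=buf)`, which returns the matching rules together with the offsets of each string; the rule text is exactly the one shown above, so the point of the re-implementation is only to make visible what the engine decides and why.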

Additional resources

If you plan to use YARA to scan compressed files (.zip, .tar, etc.), take a look at yextend, a very helpful extension to YARA developed and open-sourced by Bayshore Networks.

Additionally, the people at InQuest have curated an awesome list of YARA-related resources.

Who's using YARA

Are you using it? Want to see your site listed here?


Main metrics

Overview
Name With Owner: VirusTotal/yara
Primary Language: C
Program language: C (Language Count: 12)
Platform: Linux, Mac, Windows
License: BSD 3-Clause "New" or "Revised" License

Owner activity
Created At: 2012-12-06 15:33:08
Pushed At: 2025-06-04 11:52:31
Last Commit At: 2025-06-04 13:52:28
Release Count: 52
Last Release Name: v4.5.4
First Release Name: v1.7.1 (Posted on 2013-11-26 12:48:14)

User engagement
Stargazers Count: 8.8k
Watchers Count: 318
Fork Count: 1.5k
Commits Count: 3.2k
Issues Count: 1081
Issue Open Count: 156
Pull Requests Count: 822
Pull Requests Open Count: 24
Pull Requests Close Count: 199
