YARA

The pattern matching swiss knife.

  • Owner: VirusTotal/yara
  • Platforms: Linux, Mac, Windows
  • License: BSD 3-Clause "New" or "Revised" License




Key metrics

Overview
  • Name and owner: VirusTotal/yara
  • Primary language: C
  • Languages: C (12 languages in total)
  • Platforms: Linux, Mac, Windows
  • License: BSD 3-Clause "New" or "Revised" License

Owner activity
  • Created: 2012-12-06 15:33:08
  • Last push: 2025-06-04 11:52:31
  • Last commit: 2025-06-04 13:52:28
  • Releases: 52
  • Latest release: v4.5.4
  • First release: v1.7.1 (released 2013-11-26 12:48:14)

User engagement
  • Stars: 8.9k
  • Watchers: 320
  • Forks: 1.5k
  • Commits: 3.2k
  • Issues: 1083
  • Open issues: 156
  • Pull requests: 822
  • Open pull requests: 24
  • Closed pull requests: 201


YARA in a nutshell

YARA is a tool aimed at (but not limited to) helping malware researchers to
identify and classify malware samples. With YARA you can create descriptions of
malware families (or whatever you want to describe) based on textual or binary
patterns. Each description, a.k.a. rule, consists of a set of strings and a
boolean expression which determines its logic. Let's see an example:

rule silent_banker : banker
{
    meta:
        description = "This is just an example"
        threat_level = 3
        in_the_wild = true

    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"

    condition:
        $a or $b or $c
}

The above rule is telling YARA that any file containing one of the three strings
must be reported as silent_banker. This is just a simple example; more
complex and powerful rules can be created by using wild-cards, case-insensitive
strings, regular expressions, special operators and many other features that
you'll find explained in YARA's documentation.

YARA is multi-platform, running on Windows, Linux and Mac OS X, and can be used
through its command-line interface or from your own Python scripts with the
yara-python extension.
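To make the matching semantics of the rule above concrete, here is an added example that is not part of the YARA project and does not use yara-python: a small pure-Python matcher that turns the rule's hex and text strings into byte regexes, scans a constructed buffer and evaluates the condition "$a or $b or $c". It handles only the subset of YARA string syntax shown on this page plus the "??" single-byte wildcard mentioned in the text (the wildcard handling is this example's own, illustrative reading of that feature, so check YARA's documentation for the full hex-string grammar).

```python
import re

# The three strings of the silent_banker rule from this page, in YARA syntax.
RULE_STRINGS = {
    "$a": "{6A 40 68 00 30 00 00 6A 14 8D 91}",
    "$b": "{8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}",
    "$c": '"UVODFRYSIHLNWPEJXQZAKCBGMT"',
}


def compile_pattern(spec: str) -> re.Pattern:
    """Turn one YARA string definition into a compiled bytes regex.
    Covers only the subset this page shows (brace-delimited hex strings and
    plain double-quoted text strings) plus YARA's "??" single-byte wildcard.
    """
    spec = spec.strip()
    if spec.startswith("{") and spec.endswith("}"):
        parts = []
        for tok in spec[1:-1].split():
            if tok == "??":
                parts.append(b".")  # wildcard: any one byte
            elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
                parts.append(re.escape(bytes([int(tok, 16)])))
            else:
                raise ValueError(f"unsupported hex token: {tok!r}")
        return re.compile(b"".join(parts), re.DOTALL)
    if spec.startswith('"') and spec.endswith('"'):
        return re.compile(re.escape(spec[1:-1].encode("latin-1")))
    raise ValueError(f"unsupported string definition: {spec!r}")


def scan(data: bytes, strings=RULE_STRINGS) -> dict:
    """Return {identifier: [offsets]} for every rule string found in data."""
    hits = {}
    for ident, spec in strings.items():
        offsets = [m.start() for m in compile_pattern(spec).finditer(data)]
        if offsets:
            hits[ident] = offsets
    return hits


def silent_banker_matches(data: bytes) -> bool:
    """Evaluate the rule's condition, "$a or $b or $c"."""
    return bool(scan(data))


if __name__ == "__main__":
    # Constructed sample: NOP padding, then the $b byte sequence at offset 8.
    sample = b"\x90" * 8 + bytes.fromhex("8D4DB02BC183C027996A4E59F7F9") + b"!"
    print(scan(sample), silent_banker_matches(sample))  # {'$b': [8]} True
```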

Additional resources

If you plan to use YARA to scan compressed files (.zip, .tar, etc.) you should
take a look at yextend, a very
helpful extension to YARA developed and open-sourced by Bayshore Networks.

Additionally, the guys from InQuest have curated an
awesome list of YARA-related stuff.

Who's using YARA

Are you using it? Want to see your site listed here?