YarGen Versions

yarGen is a generator for YARA rules

0.23.4

3 years ago
  • fix: broken super rule generation

0.23.3

3 years ago
  • bugfix in the processing of UTF16 encoded strings

0.23.2

3 years ago
  • fix: unescaped \ and " characters in rules

0.23.1

3 years ago
  • Ported to Python3
  • Replaced pickle with json
  • May still contain many bugs

0.18.0

6 years ago
  • PE module integration (imphashes and exports)
  • New database set (improved speed and lower memory usage)
  • New db-lookup.py tool
  • New regular expressions for better string extractions
  • Easier manual post processing due to new lines in the conditions
  • Code refactoring

Note: The exports expression works fine with older versions of YARA that support the pe module (tested with 3.5.0). The imphash expression works fine with all YARA versions 3.6 and higher.

[Screenshots: Raw Version; Modified Version; DB Lookup Tool; DB Lookup Tool Examples]

0.17.1

7 years ago
  • Fixed some bugs with the '-i identifier' option
  • Shows output on database merge (to spot merging bottlenecks during initialization)
  • New prebuilt database locations on our servers (New databases apply the new maximum opcode length and should produce much better results)

0.17.0

7 years ago

Database Download

The database files are not included in the repo anymore. Use "--update" to get the string and opcode databases or download them from the following URL and place them in a "./dbs" sub folder.

Download URL

https://drive.google.com/drive/folders/0B2S_IOa0MiOHS0xmekR6VWRhZ28

Multiple Database Support

yarGen now allows creating multiple databases for opcodes or strings. You can easily create a new database by using "-c" for new database creation and passing an identifier with "-i identifier", e.g. "office". It will then create two new database files named "good-strings-office.db" and "good-opcodes-office.db" that will be initialized during startup together with the built-in databases.

Example

Create a new strings and opcodes database from an Office 2013 program directory:

yarGen.py -c --opcodes -i office -g /opt/packs/office2013

The analysis and string extraction process will create the following new databases in the "./dbs" sub folder.

good-strings-office.db
good-opcodes-office.db

You can then directly use them in the rule creation process because from version 0.17.0 on, all *.db files in the sub folder "./dbs" will be initialized during startup.

You can update databases you have already created with the "-u" parameter:

yarGen.py -u --opcodes -i office -g /opt/packs/office365

This would update the "office" databases with new strings extracted from files in the given directory.
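To show what the fixes listed above (escaped \ and " characters in rules, UTF-16 strings, the goodware databases, the pe.imphash() condition) are about, here is an added Python sketch of the rule-generation pipeline; it is not yarGen's own code, and the JSON database layout, the extraction regexes and the sample bytes are constructed assumptions.

```python
import json
import re

# Constructed stand-in for a yarGen good-strings database (0.23.1 moved the on-disk
# format from pickle to JSON); this layout is an assumption, not yarGen's own.
GOOD_STRINGS = set(json.loads('{"kernel32.dll": 1, "GetProcAddress": 1}'))

ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")          # printable ASCII runs
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")   # UTF-16LE runs

def extract_strings(data: bytes):
    """Return (ascii, wide) string lists; wide strings are decoded from UTF-16LE."""
    ascii_strs = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    wide_strs = [m.group().decode("utf-16le") for m in WIDE_RE.finditer(data)]
    return ascii_strs, wide_strs

def yara_escape(s: str) -> str:
    """Escape a YARA text string: backslash and quote (the 0.23.2 fix), \\xNN for non-printables."""
    out = []
    for ch in s:
        if ch in ("\\", '"'):
            out.append("\\" + ch)
        elif 0x20 <= ord(ch) <= 0x7E:
            out.append(ch)
        else:
            out.append("\\x%02x" % (ord(ch) & 0xFF))
    return "".join(out)

def build_rule(name: str, data: bytes, imphash: str = "") -> str:
    """Emit a YARA rule from the sample's strings, dropping those known from goodware."""
    ascii_strs, wide_strs = extract_strings(data)
    candidates = [(s, "ascii") for s in ascii_strs] + [(s, "wide") for s in wide_strs]
    lines = ['import "pe"'] if imphash else []
    lines += [f"rule {name} {{", "    strings:"]
    n = 0
    for s, mod in candidates:
        if s in GOOD_STRINGS:         # goodware filter, the job of yarGen's .db files
            continue
        n += 1
        lines.append(f'        $s{n} = "{yara_escape(s)}" {mod}')
    cond = "uint16(0) == 0x5a4d and all of them"
    if imphash:                       # pe.imphash() needs YARA 3.6+ (see the 0.18.0 note)
        cond = f'pe.imphash() == "{imphash}" or ({cond})'
    lines += ["    condition:", f"        {cond}", "}"]
    return "\n".join(lines)

# Constructed sample: MZ magic, a goodware string, a path with backslashes and a UTF-16LE
# string with quotes. Double NULs keep the ASCII terminator from pairing into the UTF-16 run.
SAMPLE = (b"MZ" + b"\x00" * 4 + b"kernel32.dll\x00\x00" + b"C:\\Temp\\payload.dat\x00\x00"
          + 'Run "update" now'.encode("utf-16le") + b"\x00\x00")
```

Calling build_rule("sample_rule", SAMPLE) yields a rule whose path string has doubled backslashes and whose wide string keeps its quotes escaped, while "kernel32.dll" is dropped by the goodware filter.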