
Create a script called match-2-yara

Open · jconnor0426 opened this issue 2 years ago · 1 comment

Overview

This PR creates a new script that takes CAPA rule match information and creates code-based YARA rules around them.

The script will enable users to hunt for code reuse of interesting functions in samples they are reviewing.

Features

  • Supports PE files (x86/x64/.NET)
  • Generate code-based YARA rules with detailed comments for a single file
  • Generate code-based YARA rules based on similarity between multiple files

Requirements

This script requires the installation of two additional Python libraries:

  • mkyara
  • yaramod

Checklist

  • [ ] No CHANGELOG update needed
  • [ ] No new tests needed
  • [ ] No documentation update needed

jconnor0426 · Aug 10 '23 16:08

Ready for Review

jconnor0426 · Aug 25 '23 20:08