radareorg/r2yara
GitHub: radareorg/r2yara
Integrates the YARA rule engine into radare2, so YARA rules can be loaded, run and generated directly during a reverse-engineering session.
Stars: 27 | Forks: 5
# r2yara
[CI status](https://github.com/radareorg/r2yara/actions/workflows/ci.yml?query=branch%3Amain)
r2 and YARA, better together!
## License and Authors
LGPLv3 - Copyright 2014-2024 - pancake, jvoisin, jfrankowski, Sylvain Pelissier
## Installation
Install r2yara with the `r2pm` package manager by running:
```
r2pm -ci r2yara
```
## Documentation
After installation, the `yr` command is available in the `radare2` shell:
```
[0x100003a84]> yr?
Usage: yr [action] [args..] load and run yara rules inside r2
| yr [file] add yara rules from file
| yr same as yr?
| yr-* unload all the rules
| yr? show this help (same as 'yara?')
| yrg[?][-sx] generate yara rule
| yrl list loaded rules
| yrs[q] scan the current file, suffix with 'q' for quiet mode
| yrt ([tagname]) list tags from loaded rules, or list rules from given tag
| yrv show version information about r2yara and yara
```
See `man 7 r2yara` for some examples.
### Yara generator usage
r2yara lets you create YARA rules directly inside radare2.
**Command overview**
```
[0x100003a84]> yrg?
Usage: yrg [action] [args..] load and run yara rules inside r2
| yrg- delete last pattern added to the yara rule
| yrg-* delete all the patterns in the current rule
| yrgs ([len]) add string (optionally specify the length)
| yrgx ([len]) add hexpairs of blocksize (or custom length)
| yrgf ([len]) add function bytepattern signature
| yrgz add all strings referenced from current function
```
To start generating YARA rules automatically with r2yara, follow these steps:
**Generate a YARA rule:**
```
[0x100003a84]> yrg
WARN: See 'yrg?' to find out which subcommands use to append patterns to the rule
rule rulename : test {
meta:
author = "user"
description = "My first yara rule"
date = "2024-10-22"
version = "0.1"
}
```
This prints the rule as it currently stands.
**Add strings from the binary as patterns:**
```
[0x100003a84]> yrgs
```
**Add hex patterns:**
```
[0x100003a84]> yrgx
```
**(Optional) Add a function signature:**
```
[0x100003a84]> yrgf
```
**Once all desired patterns have been added, add the generated yara rule to the loaded set:**
```
[0x100003a84]> yr+
[0x100003a84]> yrl
rulename
```
The rule can then be used directly, like any other loaded rule.
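To make the `yrg` workflow above concrete, here is an added Python example (not r2yara's own code) that assembles a rule the way the generator steps do: strings (`yrgs`), hex pairs with wildcards (`yrgx`), a function byte pattern with relocated operands masked out (`yrgf`), and undo (`yrg-`, `yrg-*`). The rule header mirrors the `yrg` preview shown earlier; the `$s`/`$x`/`$f` identifiers, the `all of them` condition and the `matches` helper that replays that condition over a byte blob are assumptions of this example, not documented r2yara behaviour, and the sample bytes are constructed.

```python
"""Assemble a YARA rule from patterns gathered while reversing.

Added illustration of the `yrg` workflow; NOT r2yara's code. The exact text
r2yara prints and the condition it emits are assumptions made here.
"""
import re
from datetime import date

_TEXT_ESCAPES = {"\\": "\\\\", '"': '\\"', "\n": "\\n", "\t": "\\t"}


def yara_text(s):
    """Quote a Python string as a YARA text string literal."""
    return '"' + "".join(_TEXT_ESCAPES.get(c, c) for c in s) + '"'


def yara_hex(data, mask=None):
    """Render bytes as a YARA hex string; bytes whose mask entry is 0 become '??'."""
    mask = mask or b"\xff" * len(data)
    return "{ " + " ".join("??" if m == 0 else "%02x" % b for b, m in zip(data, mask)) + " }"


class RuleBuilder:
    """Holds the rule under construction, like the state behind `yrg`."""

    def __init__(self, name="rulename", tags=("test",), author="user",
                 description="My first yara rule", version="0.1", when=None):
        self.name = name
        self.tags = list(tags)
        self.meta = {"author": author, "description": description,
                     "date": when or date.today().isoformat(), "version": version}
        # each entry: (identifier, rendered YARA string, compiled byte matcher)
        self.patterns = []

    def _add(self, prefix, rendered, matcher):
        ident = "$%s%d" % (prefix, len(self.patterns))
        self.patterns.append((ident, rendered, matcher))
        return ident

    def add_string(self, s):
        """Counterpart of `yrgs`: add a text string found in the binary."""
        return self._add("s", yara_text(s), re.compile(re.escape(s.encode())))

    def add_hex(self, data, mask=None, prefix="x"):
        """Counterpart of `yrgx`: add raw bytes; masked-out bytes match anything."""
        mask = mask or b"\xff" * len(data)
        rx = b"".join(b"." if m == 0 else re.escape(bytes([b])) for b, m in zip(data, mask))
        return self._add(prefix, yara_hex(data, mask), re.compile(rx, re.DOTALL))

    def add_function(self, data, mask):
        """Counterpart of `yrgf`: function bytes with relocated operands wildcarded."""
        return self.add_hex(data, mask, prefix="f")

    def pop(self):
        """Counterpart of `yrg-`: drop the last pattern."""
        self.patterns.pop()

    def clear(self):
        """Counterpart of `yrg-*`: drop every pattern."""
        self.patterns.clear()

    def render(self):
        """Return the rule text; `all of them` as condition is this example's choice."""
        tags = (" : " + " ".join(self.tags)) if self.tags else ""
        lines = ["rule %s%s {" % (self.name, tags), "  meta:"]
        lines += ['    %s = "%s"' % (k, v) for k, v in self.meta.items()]
        if self.patterns:
            lines.append("  strings:")
            lines += ["    %s = %s" % (ident, text) for ident, text, _ in self.patterns]
            lines += ["  condition:", "    all of them"]
        else:
            # YARA rejects `of them` with no strings, so an empty rule never matches
            lines += ["  condition:", "    false"]
        lines.append("}")
        return "\n".join(lines)

    def matches(self, blob):
        """Apply the same `all of them` logic to a byte blob (a tiny stand-in for `yrs`)."""
        return bool(self.patterns) and all(m.search(blob) for _, _, m in self.patterns)


if __name__ == "__main__":
    rb = RuleBuilder(name="demo", when="2024-10-22")  # fixed date for reproducibility
    rb.add_string("Hello")                              # yrgs
    prologue = b"\x55\x48\x89\xe5\x48\x83\xec\x10"      # constructed x86-64 prologue
    rb.add_hex(prologue, mask=b"\x01\x01\x01\x01\x01\x01\x01\x00")  # yrgx, last byte wildcarded
    print(rb.render())
    sample = b"\x00" * 16 + b"Hello" + b"\x55\x48\x89\xe5\x48\x83\xec\x20"  # constructed blob
    print("matches:", rb.matches(sample))               # True
```

Running the script prints the rule with a `strings:` section holding `$s0` and `$x1` and reports a match against the constructed blob, even though the blob's last prologue byte differs, because that byte was masked to `??`. The same masking is what makes a function signature robust to relocations; the text of the generated rule is what you would then load with `yr [file]` and scan with `yrs`.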