Skip to content

Releases: Neo23x0/yarGen

yarGen 0.23.4

29 Dec 12:59
@Neo23x0 Neo23x0
0.23.4
98e6231
Compare
Choose a tag to compare
yarGen 0.23.4 Latest
Latest
  • fix: broken super rule generation
Assets 2
Loading

yarGen 0.23.3

27 Jul 10:35
@Neo23x0 Neo23x0
0.23.3
74e95e7
Compare
Choose a tag to compare
yarGen 0.23.3
  • bugfix in the processing of UTF16 encoded strings
Assets 2
Loading

yarGen 0.23.2

16 Jul 17:15
@Neo23x0 Neo23x0
0.23.2
3750491
Compare
Choose a tag to compare
yarGen 0.23.2
  • fix: unescaped \ and " characters in rules
Assets 2
Loading

yarGen 0.23.1

15 Jul 13:54
@Neo23x0 Neo23x0
0.23.1
5488aff
Compare
Choose a tag to compare
yarGen 0.23.1
  • Ported to Python3
  • Replaced pickle with json
  • May still contain many bugs
Assets 2
Loading

yarGen 0.18.0

14 Aug 19:49
@Neo23x0 Neo23x0
0.18.0
dd90be5
Compare
Choose a tag to compare
yarGen 0.18.0
  • PE module integration (imphashes and exports)
  • New database set (improved speed and lower memory usage)
  • New db-lookup.py tool
  • New regular expressions for better string extractions
  • Easier manual post processing due to new lines in the conditions
  • Code refactoring

Note:
The exports expression works fine with older versions of YARA that support the pe module. (tested with 3.5.0)
The imphash expression works fine with all YARA version 3.6 and higher.

Raw Version
screen shot 2017-08-14 at 19 55 03

Modified Version
screen shot 2017-08-14 at 21 51 26

DB Lookup Tool
screen shot 2017-08-14 at 21 19 28

DB Lookup Tool Examples
screen shot 2017-08-14 at 21 19 16

Assets 2
Loading

Bugfixes and new DB Locations

22 Feb 10:44
@Neo23x0 Neo23x0
0.17.1
ac54606
Compare
Choose a tag to compare
Bugfixes and new DB Locations
  • Fixed some bugs with the '-i identifier' option
  • Shows output on database merge (to spot merging bottlenecks during initialization)
  • New prebuilt database locations on our servers
    (New databases apply the new maximum opcode length and should produce much better results)
Assets 3
Loading

yarGen 0.17.0

06 Feb 11:24
@Neo23x0 Neo23x0
0.17.0
f02129f
Compare
Choose a tag to compare
yarGen 0.17.0

Database Download

The database files are not included in the repo anymore. Use "--update" to get the string and opcode databases or download them from the following URL and place them in a "./dbs" sub folder.

Download URL

https://drive.google.com/drive/folders/0B2S_IOa0MiOHS0xmekR6VWRhZ28

Multiple Database Support

yarGen now allows creating multiple databases for opcodes or strings. You can easily create a new database by using "-c" for new database creation and pass an identifier "-i identifier" e.g. "office". It will then create two new database files named "good-strings-office.db" and "good-opcodes-office.db" that will initialized during startup together with the built-in databases.

Example

Create a new strings and opcodes database from an Office 2013 program directory:

yarGen.py -c --opcodes -i office -g /opt/packs/office2013

The analysis and string extraction process will create the following new databases in the "./dbs" sub folder.

good-strings-office.db
good-opcodes-office.db

You can then directly use them in the rule creation process because from version 0.17.0 on, all *.db files in the sub folder "./dbs" will be initialized during startup.

You can update the once created databases with the "-u" parameter

yarGen.py -u --opcodes -i office -g /opt/packs/office365

This would update the "office" databases with new strings extracted from files in the given directory.

Assets 3
Loading