For running Yara rules on malware samples stored in compressed files.

rjzak/decompressingyara

Decompressing Yara: For when your malware samples are stored compressed, but you still want to run rules against them.

Currently supports:

  • GZip
  • BZip2
  • LZMA (XZ)

Modules used:

Motivation: I've had to test Yara rules against compressed malware samples on different systems, which may or may not have Yara installed, or may have an older version of it. I've compiled the project statically against libyara, which makes my sysadmin life easier. Since it was useful to me, maybe someone else will benefit. Currently it only runs a rule file against a directory of files.
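
An added example of the decompress-then-scan flow described above, written for this page and not the project's own code: it sniffs the three listed formats by their magic bytes, expands each sample in memory under a size cap, and hands the bytes to yara-python (assumed installed for real scans). The `MAX_OUTPUT` cap and the `build_samples` helper are assumptions, and the samples it builds are constructed, not real malware.

```python
import bz2
import gzip
import lzma
import os
import zlib

# Decompressed-size cap (assumed value, not from the project): a decompression
# bomb must not exhaust memory before yara ever sees the sample.
MAX_OUTPUT = 256 * 1024 * 1024

# (magic bytes, format name, decompressor factory) for the formats the README
# lists. wbits = MAX_WBITS | 16 makes zlib expect a gzip header.
FORMATS = [
    (b"\x1f\x8b", "gzip", lambda: zlib.decompressobj(wbits=zlib.MAX_WBITS | 16)),
    (b"BZh", "bzip2", bz2.BZ2Decompressor),
    (b"\xfd7zXZ\x00", "xz", lzma.LZMADecompressor),
]


def decompress_sample(data, max_output=MAX_OUTPUT):
    """Decompress one layer by magic bytes; plain files pass through as 'raw'."""
    for magic, name, factory in FORMATS:
        if data.startswith(magic):
            # Ask the decompressor for at most max_output + 1 bytes, so an
            # oversized stream is rejected without being fully expanded.
            out = factory().decompress(data, max_output + 1)
            if len(out) > max_output:
                raise ValueError(f"{name} stream expands past {max_output} bytes")
            return name, out
    return "raw", data


def scan_directory(rules_path, directory):
    """Compile one rule file and match it against every (decompressed) file."""
    import yara  # yara-python, assumed installed; only needed for real scans
    rules = yara.compile(filepath=rules_path)
    results = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            fmt, payload = decompress_sample(fh.read())
        results[name] = (fmt, [m.rule for m in rules.match(data=payload)])
    return results


def build_samples(payload):
    """Constructed test input: the same payload in each supported container."""
    return {"gzip": gzip.compress(payload), "bzip2": bz2.compress(payload),
            "xz": lzma.compress(payload), "raw": payload}
```

`scan_directory` returns, per file name, the container format it saw and the list of rule names that matched the expanded bytes.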

Future thoughts:

  • Files in archives, such as Zip and Tar.
  • Support for password-protected Zip and 7z files, and testing the usual passwords against them.