diff --git a/README.md b/README.md index 5923c32..243cbe9 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ # r2yara [![GithubCI Status](https://github.com/radareorg/r2yara/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/radareorg/r2yara/actions/workflows/ci.yml?query=branch%3Amain) -r2 and yara, better together! +r2 and YARA, better together! ## License and Author(s) @@ -9,7 +9,7 @@ LGPLv3 - Copyright 2014-2024 - pancake, jvoisin, jfrankowski, Sylvain Pelissier ## Installation -After running this command: +r2yara can be installed with `r2pm` tool running this command: ```sh r2pm -ci r2yara @@ -17,12 +17,10 @@ r2pm -ci r2yara ## Documentation -See `man 7 r2yara` for some examples. - -You will get the `yr` command inside `radare2` shell +After installation, you will get the `yr` command inside `radare2` shell ``` -[0x100003a84]> yr?* +[0x100003a84]> yr? Usage: yr [action] [args..] load and run yara rules inside r2 | yr [file] add yara rules from file | yr same as yr? @@ -33,6 +31,18 @@ Usage: yr [action] [args..] load and run yara rules inside r2 | yrs[q] scan the current file, suffix with 'q' for quiet mode | yrt ([tagname]) list tags from loaded rules, or list rules from given tag | yrv show version information about r2yara and yara +``` + +See `man 7 r2yara` for some examples. + +### Yara generator usage + +r2yara allows the creation of YARA rules directement inside radare2. + +**Commands Overview** + +```bash +[0x100003a84]> yrg? Usage: yrg [action] [args..] load and run yara rules inside r2 | yrg- delete last pattern added to the yara rule | yrg-* delete all the patterns in the current rule 
@@ -40,74 +50,50 @@ Usage: yrg [action] [args..] load and run yara rules inside r2 | yrgx ([len]) add hexpairs of blocksize (or custom length) | yrgf ([len]) add function bytepattern signature | yrgz add all strings referenced from current function -[0x100003a84]> ``` -### Yara generator usage - -**Commands Overview** - -**yrg** - Initialize a YARA rule. -**yrgs** - Add strings as patterns. -**yrgx** - Add hex patterns. -**yrgf** - Add function byte signatures. -**yrgz** - Add all strings from the current function. - To start using r2yara to create YARA rules automatically, follow these steps: -**Open a binary with radare2:** - -``` -r2 -``` - **Generate a YARA rule:** ``` -yrg +[0x100003a84]> yrg +WARN: See 'yrg?' to find out which subcommands use to append patterns to the rule +rule rulename : test { + meta: + author = "user" + description = "My first yara rule" + date = "2024-10-22" + version = "0.1" +} ``` -This initializes a new YARA rule. +This shows the current YARA rule. **Add strings from the binary as patterns:** ``` -yrgs +[0x100003a84]> yrgs ``` **Add hex patterns:** ``` -yrgx +[0x100003a84]> yrgx ``` **Optionally, add function signatures:** ``` -yrgf +[0x100003a84]> yrgf ``` -**Once you've added the desired patterns, save the rule:** +**Once you've added the desired patterns, add the currently generated yara rule:** ``` -ys +[0x100003a84]> yr+ +[0x100003a84]> yrl +rulename ``` -**To scan the binary with the loaded rules:** - -``` -yrs -``` -**yrs** - Scan the binary with loaded YARA rules. -**ys** - Save the generated rule. - -Run it like this: - -``` -$ radare2 /bin/ls -> yr hello.yara # load this rule -> yrs # scan for all the loaded rules -HelloWorld -0x000045f9: yara0.HelloWorld_0 : 6c6962 -0x00004685: yara0.HelloWorld_1 : 6c6962 -``` +Then the rule can be used directly as any other rules.
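Review bot: in the Installation hunk, the new sentence `r2yara can be installed with `r2pm` tool running this command:` drops the article and the preposition; suggest `r2yara can be installed with the `r2pm` tool by running this command:`.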
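Review bot: in the Documentation hunk, `After installation, you will get the `yr` command inside `radare2` shell` is missing an article and the colon that should introduce the transcript below it; suggest `After installation, the `yr` command is available inside the `radare2` shell:`.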
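Review bot: in the Yara generator hunk, `directement` in `r2yara allows the creation of YARA rules directement inside radare2.` is French and should be `directly`. The `yrg?` transcript is fenced as ```bash while every other r2 transcript on the page uses a bare ``` fence, and the content is radare2 shell output rather than bash, so drop the tag for consistency. Further down, `add the currently generated yara rule` should capitalise `YARA` as the first hunk now does, and the closing sentence `Then the rule can be used directly as any other rules.` should read `like any other rule`. The removed `yrs` transcript was also the only place the README showed a rule producing matches; consider keeping a short `yrs` step after `yrl` so the walkthrough ends with the generated rule actually being applied.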