Fox-IT International blog

mkYARA – Writing YARA rules for the lazy analyst

Writing YARA rules based on executable code within malware can be a tedious task. An analyst cannot simply copy and paste raw executable code into a YARA rule, because this code contains variable values, such as memory addresses and offsets. The analyst has to disassemble the code and wildcard all the pieces in the code that can change between samples. mkYARA aims to automate this part of writing rules by generating executable code signatures that wildcard all these little pieces of executable code that are not static.

We are aware there are several similar projects (1,2) out there that attempt to solve a similar problem. However, in our experience, these implementations can be quite fragile and error-prone. mkYARA leverages the Capstone disassembler library to wildcard executable code in a generic manner: the bytes that encode the opcode and register choices are kept, while the bytes that carry addresses, displacements and other sample-specific values are replaced. For now mkYARA only supports x86 and x86-64, but with some additional development effort in the Capstone library this functionality could be extended to other instruction sets.

The mkYARA source can be found on GitHub and an installable pip package is available. This pip package comes with a standalone tool which you can use to generate YARA rules based on executable code. There is also an IDA Pro plugin available which you can use to highlight a piece of code and generate a rule directly from that selection.

mkYARA generating a rule on an RC4 key that is put on the stack
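To make the wildcarding concrete, here is an added example that is not mkYARA's code and does not use Capstone: a minimal decoder for a handful of x86-32 opcodes classifies every byte as fixed, displacement, immediate or relative target, and renders the result as a YARA hex string. The sample bytes are constructed to mirror the RC4-key-on-the-stack case in the screenshot above; the opcode tables, the `keep_imm` switch and the call target are assumptions of the example, not features of mkYARA.

```python
# Added illustration only (not mkYARA, which uses Capstone): a tiny x86-32 decoder that
# marks variable bytes so they can become "??" in a YARA hex string. Tables are assumptions.
SIMPLE = {0x50, 0x51, 0x52, 0x53, 0x55, 0x56, 0x57, 0x5D, 0x5E, 0x5F, 0x90, 0xC3, 0xC9}
MODRM = {0x33, 0x3B, 0x89, 0x8B, 0x8D}               # opcode + ModRM (+ SIB / displacement)
MODRM_IMM = {0x81: 4, 0x83: 1, 0xC7: 4}              # opcode + ModRM + n-byte immediate
IMM = {0x68: 4, 0x6A: 1}                             # opcode + immediate (B8+r handled below)
REL = {0x74: 1, 0x75: 1, 0xE8: 4, 0xE9: 4, 0xEB: 1}  # opcode + relative branch target

def modrm_tail(code, i):
    """Classify the ModRM byte at code[i] plus the SIB/displacement bytes it implies."""
    mod, rm = code[i] >> 6, code[i] & 7
    cls = ["op"] * (2 if mod != 3 and rm == 4 else 1)   # ModRM (+ SIB) pick registers: keep
    if mod == 1:                                          # disp8, e.g. [ebp-0x10]
        return cls + ["disp"]
    if mod == 2 or (mod == 0 and (rm == 5 or (rm == 4 and code[i + 1] & 7 == 5))):
        return cls + ["disp"] * 4                         # disp32 or absolute address
    return cls

def classify(code):
    """Return one class per byte of code; raise ValueError on unsupported or cut-off input."""
    out, i = [], 0
    while i < len(code):
        op, cls = code[i], ["op"]
        if op in MODRM:
            cls += modrm_tail(code, i + 1)
        elif op in MODRM_IMM:
            cls += modrm_tail(code, i + 1) + ["imm"] * MODRM_IMM[op]
        elif op in IMM or 0xB8 <= op <= 0xBF:            # push imm / mov r32, imm32
            cls += ["imm"] * IMM.get(op, 4)
        elif op in REL:
            cls += ["rel"] * REL[op]
        elif op not in SIMPLE:
            raise ValueError(f"unsupported opcode {op:#04x} at offset {i}")
        out += cls
        i += len(cls)
    if i != len(code):
        raise ValueError("code ends in the middle of an instruction")
    return out

def to_yara_hex(code, keep_imm=False):
    """YARA hex string; keep_imm=True keeps immediates (e.g. an RC4 key) but wildcards offsets."""
    parts = [f"{b:02X}" if c == "op" or (keep_imm and c == "imm") else "??"
             for b, c in zip(code, classify(code))]
    return "{ " + " ".join(parts) + " }"

# Constructed sample: prologue, two key dwords written to the stack, lea, push, call, leave, ret.
SAMPLE = bytes.fromhex("55 8BEC 83EC10 C745F0DEADBEEF C745F4C0FEBABE 8D45F0 50 E812345678 C9 C3")

if __name__ == "__main__":
    print(to_yara_hex(SAMPLE), to_yara_hex(SAMPLE, keep_imm=True), sep="\n")
```

With `keep_imm=True` the key bytes survive as fixed hex while the stack displacements and the call target are still wildcarded, which is the shape of rule the screenshot shows.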

mkYARA IDA Plugin