Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/DissectMalware/base64_substring
Generate a Yara rule to find base64-encoded files containg a specific keyword
https://github.com/DissectMalware/base64_substring
base64 python3 search-in-base64 yara yara-rule-generator
Last synced: 3 months ago
JSON representation
Generate a Yara rule to find base64-encoded files containg a specific keyword
- Host: GitHub
- URL: https://github.com/DissectMalware/base64_substring
- Owner: DissectMalware
- License: apache-2.0
- Created: 2018-07-13T02:59:51.000Z (almost 6 years ago)
- Default Branch: master
- Last Pushed: 2018-07-13T13:46:08.000Z (almost 6 years ago)
- Last Synced: 2024-01-22T03:44:45.967Z (5 months ago)
- Topics: base64, python3, search-in-base64, yara, yara-rule-generator
- Language: Python
- Homepage:
- Size: 11.7 KB
- Stars: 40
- Watchers: 6
- Forks: 3
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Lists
- awesome-yara - base64_substring
- awesome-yara-Resource - base64_substring
README
# About
Often malware analysts require to search through base64-encoded samples with a search term such as Application.Run. base64_substring helps them by enumerating all possible base64 encoding for a given search term and generating a yara rule that checks those possiblities.
# How to Run
Example: generating a yara rule that matches base64-encoded file containing *Application* term.
```
> python generate_yara_rule.py
> Please enter a rule name
MyRule
> Please enter a text
Application
```
# Further Reading
["Searching for Content in Base-64 Strings" by Lee Holmes](http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/)