Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/rjzak/decompressingyara
For running Yara rules on malware samples stored in compressed files.
- Host: GitHub
- URL: https://github.com/rjzak/decompressingyara
- Owner: rjzak
- License: apache-2.0
- Created: 2019-12-27T15:53:51.000Z (about 5 years ago)
- Default Branch: master
- Last Pushed: 2023-04-24T03:56:58.000Z (almost 2 years ago)
- Last Synced: 2024-06-20T03:32:59.677Z (8 months ago)
- Topics: golang, malware, yara
- Language: Go
- Size: 9.77 KB
- Stars: 6
- Watchers: 3
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: readme.md
- License: LICENSE
README
__Decompressing Yara:__ For when your malware samples are stored compressed, but you still want to run rules against them.
Currently supports:
* GZip
* BZip2
* LZMA ([XZ](https://tukaani.org/xz/))

Modules used:
* Go-Yara: https://github.com/hillu/go-yara
* XZ: https://github.com/ulikunitz/xz

Motivation: I've had to test Yara rules against malware that was stored compressed, and on different systems which may or may not have had Yara installed, or had only an older version of it. I've compiled the project statically against [libyara](https://github.com/VirusTotal/yara), making my sysadmin life easier. Since it was useful to me, maybe someone else will benefit. Currently it only runs a rule file against a directory of files.
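The decompress-then-scan flow the README describes, as an added example written for this page; it is not the project's code. It uses only the Go standard library so it runs without libyara or cgo: gzip and bzip2 are inflated with `compress/gzip` and `compress/bzip2`, xz is detected by magic bytes but refused because the standard library has no xz decoder (the project pulls in github.com/ulikunitz/xz for that), and a hypothetical substring matcher stands in for compiled YARA rules. Two choices a practitioner would want at this layer and that the README does not spell out: the container is decided from the file's leading bytes rather than its extension, since sample names are attacker-controlled, and output is capped (the 64 MiB limit in `main` is an assumption) so a decompression bomb fails with an error instead of exhausting memory on the scanning host.

```go
package main

import (
	"bytes"
	"compress/bzip2"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
	"sort"
)

// Format is the container detected from a sample's leading bytes.
type Format int

const (
	FormatRaw Format = iota // uncompressed, or a container we do not recognise
	FormatGzip
	FormatBzip2
	FormatXZ
)

func (f Format) String() string { return [...]string{"raw", "gzip", "bzip2", "xz"}[f] }

var (
	// ErrTooLarge: the sample inflated past the caller's limit (a decompression
	// bomb, or a limit set too low for a legitimate sample).
	ErrTooLarge = errors.New("decompressed output exceeds limit")
	// ErrXZUnsupported: the standard library has no xz decoder; the project uses
	// github.com/ulikunitz/xz. This example only detects xz and refuses it.
	ErrXZUnsupported = errors.New("xz detected but no xz decoder in this example")
)

// DetectFormat sniffs magic bytes. File extensions on malware samples are
// attacker-controlled, so the container is decided from content alone.
func DetectFormat(head []byte) Format {
	switch {
	case bytes.HasPrefix(head, []byte{0x1f, 0x8b}):
		return FormatGzip
	case bytes.HasPrefix(head, []byte("BZh")):
		return FormatBzip2
	case bytes.HasPrefix(head, []byte{0xfd, '7', 'z', 'X', 'Z', 0x00}):
		return FormatXZ
	}
	return FormatRaw
}

// Decompress returns the plaintext of a sample whatever its container. It reads
// at most limit+1 bytes, so a bomb fails with ErrTooLarge instead of OOM.
func Decompress(sample []byte, limit int64) ([]byte, Format, error) {
	f := DetectFormat(sample)
	var r io.Reader
	switch f {
	case FormatGzip:
		zr, err := gzip.NewReader(bytes.NewReader(sample))
		if err != nil {
			return nil, f, err
		}
		defer zr.Close()
		r = zr
	case FormatBzip2:
		r = bzip2.NewReader(bytes.NewReader(sample))
	case FormatXZ:
		return nil, f, ErrXZUnsupported
	default:
		r = bytes.NewReader(sample)
	}
	out, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, f, err
	}
	if int64(len(out)) > limit {
		return nil, f, ErrTooLarge
	}
	return out, f, nil
}

// ScanSample decompresses and then matches, so the rules see the same bytes they
// would see on an uncompressed sample. The rules are hypothetical named substrings
// standing in for compiled YARA rules (go-yara's Rules type does this in ScanMem).
func ScanSample(sample []byte, rules map[string][]byte, limit int64) ([]string, Format, error) {
	plain, f, err := Decompress(sample, limit)
	if err != nil {
		return nil, f, err
	}
	var hits []string
	for name, pat := range rules {
		if bytes.Contains(plain, pat) {
			hits = append(hits, name)
		}
	}
	sort.Strings(hits) // map order is random; keep reports deterministic
	return hits, f, nil
}

func main() {
	// Constructed sample: a fake dropper string, gzip-compressed in memory.
	var buf bytes.Buffer
	w := gzip.NewWriter(&buf)
	w.Write([]byte("this constructed sample runs cmd.exe /c powershell -enc ..."))
	w.Close()
	rules := map[string][]byte{"suspicious_cmd": []byte("cmd.exe /c")}
	hits, f, err := ScanSample(buf.Bytes(), rules, 64<<20) // 64 MiB limit: an assumption
	fmt.Println(f, hits, err)
}
```

To turn this into the real tool, replace the substring loop with a compiled go-yara rule set and walk the sample directory, calling `Decompress` on each file before handing the plaintext to the rules; the limit should be sized to the largest legitimate sample in the corpus, and a sample that trips `ErrTooLarge` deserves a log line of its own rather than silent skipping.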
Future thoughts:
* Files in archives, such as Zip and Tar.
* Support for password-protected Zip and 7z files, and testing the usual passwords against them.