Author: alden
Copy disassembly nicely formatted for YARA rules.
This is a really simple plugin that lets you copy disassembly in a form that can be pasted straight into YARA rules. You can either copy the instruction bytes exactly as they are, or use address wildcarding to create more robust rules.
Select the disassembly you want to copy (any view works), then navigate to Plugins > Copy for YARA > [Options]. The formatted text is copied to your clipboard automatically.
This format attempts to wildcard tokens that are likely to be addresses, so the rule still matches when the code is relocated. It uses two strategies to accomplish this:
x86

```text
49 8b 5e 08 // mov rbx, qword [r14+0x8]
48 8d bd 48 ff ff ff // lea rdi, [rbp-0xb8 {var_c0}]
4c 89 fe // mov rsi, r15
4c 89 f2 // mov rdx, r14
e8 ?? ?? ?? ?? // call sub_1000ca056
```
ARM

```text
f7 03 01 aa // mov x23, x1
e0 03 01 aa // mov x0, x1
ca ?? ?? ?? // bl sub_100128728
f9 03 00 aa // mov x25, x0
f8 03 01 aa // mov x24, x1
9a ?? ?? ?? // bl sub_1001bd674
f9 03 00 36 // tbz w25, #0, 0x10012788c
```
This simply copies the instruction bytes in a compact form with no comments, if that's your jam.

```text
49 8b 5e 08 48 8d bd 48 ff ff ff 4c 89 fe 4c 89 f2 e8 ff 0c 00 00
```
Copies all of the bytes with comments, but without wildcarding.

```text
49 8b 5e 08 // mov rbx, qword [r14+0x8]
48 8d bd 48 ff ff ff // lea rdi, [rbp-0xb8 {var_c0}]
4c 89 fe // mov rsi, r15
4c 89 f2 // mov rdx, r14
e8 ff 0c 00 00 // call sub_1000ca056
```
This generates a complete rule that you can use right away; in the future the metadata will be customizable through settings.

```yara
rule binary_ninja_export {
    meta:
        description = "Auto generated by Binary Ninja YARA plugin"
        architecture = "aarch64"
    strings:
        $bytes = { f7 03 01 aa e0 03 01 aa ca ?? ?? ?? f9 03 00 aa f8 03 01 aa 9a ?? ?? ?? f9 03 00 36 }
    condition:
        $bytes
}
```
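As an added example (not the plugin's own code), the following Python builds the output formats described above from (instruction bytes, disassembly text) pairs, and masks branch targets from the instruction encoding: the rel32 of an x86 CALL/JMP, and the imm26 of an AArch64 B/BL. Because AArch64 words are stored little-endian, the opcode sits in the last byte, so this example wildcards the first three bytes and keeps the last one as a YARA alternative, which differs from the ARM listing above; the bytes of the `bl` in ARM_SAMPLE are constructed, not taken from the page.

```python
# Added example, not the plugin's own code: builds the output formats shown
# in this README from (instruction bytes, disassembly text) pairs.
X86, AARCH64 = "x86", "aarch64"

def mask_address(raw: bytes, arch: str) -> list[str]:
    """One hex token per byte, with relative branch targets wildcarded."""
    # x86: near CALL (E8) / JMP (E9) are followed by a 4-byte rel32.
    if arch == X86 and len(raw) == 5 and raw[0] in (0xE8, 0xE9):
        return [f"{raw[0]:02x}", "??", "??", "??", "??"]
    # AArch64 is little-endian: the top six bits (B = 0b000101, BL = 0b100101)
    # sit in the LAST stored byte; imm26 fills the rest. Keep the opcode byte as
    # a YARA alternative over the four values its two imm26 bits can take.
    if arch == AARCH64 and len(raw) == 4 and (raw[3] >> 2) in (0x05, 0x25):
        base = raw[3] & 0xFC
        alts = " | ".join(f"{base | i:02x}" for i in range(4))
        return ["??", "??", "??", f"( {alts} )"]
    return [f"{b:02x}" for b in raw]

def fmt_raw(insns) -> str:
    """Compact bytes: no comments, no wildcards."""
    return " ".join(f"{b:02x}" for raw, _ in insns for b in raw)

def fmt_commented(insns, arch, wildcard=True) -> str:
    """One line per instruction: bytes, then the disassembly as a comment."""
    lines = []
    for raw, text in insns:
        toks = mask_address(raw, arch) if wildcard else [f"{b:02x}" for b in raw]
        lines.append(f"{' '.join(toks)} // {text}")
    return "\n".join(lines)

def fmt_rule(insns, arch, name="binary_ninja_export") -> str:
    """Complete rule in the layout shown above, built from wildcarded bytes."""
    body = " ".join(t for raw, _ in insns for t in mask_address(raw, arch))
    return (f"rule {name} {{\n    meta:\n"
            f'        description = "Auto generated by Binary Ninja YARA plugin"\n'
            f'        architecture = "{arch}"\n'
            f"    strings:\n        $bytes = {{ {body} }}\n"
            f"    condition:\n        $bytes\n}}")

# Sample input constructed from the x86 listing above.
X86_SAMPLE = [
    (bytes.fromhex("498b5e08"), "mov rbx, qword [r14+0x8]"),
    (bytes.fromhex("488dbd48ffffff"), "lea rdi, [rbp-0xb8 {var_c0}]"),
    (bytes.fromhex("4c89fe"), "mov rsi, r15"),
    (bytes.fromhex("4c89f2"), "mov rdx, r14"),
    (bytes.fromhex("e8ff0c0000"), "call sub_1000ca056"),
]
# Constructed AArch64 pair: a BL encoding (word 0x94087aca) and a mov from above.
ARM_SAMPLE = [(bytes.fromhex("ca7a0894"), "bl sub_100128728"),
              (bytes.fromhex("f90300aa"), "mov x25, x0")]
```

Calling `fmt_raw(X86_SAMPLE)` reproduces the compact listing above byte for byte, while `fmt_rule(ARM_SAMPLE, AARCH64)` emits `?? ?? ?? ( 94 | 95 | 96 | 97 )` for the `bl`.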
This plugin is released under an MIT license.