Hyara (IDA Plugin)

Hyara is IDA Plugin that provides convenience when writing yard rules.

You can designate the start and end addresses to automatically create rules.

It was created based on GUI, and adding features and improvements are currently underway.

Features

Hyara start screen and 2 options

• When you run Hyara, it aligns to the right like the below picture and the output window is aligned to the left.
• Select/Exit button uses IDAViewWrapper api to get the clicked address in IDA View. After done, you have to press it again to finish.
• After specifying the address, press the “Make” button to show the specified hexadecimal or strings as a result.
• When you click “Save”, those results will be saved in the table below.
• Press “Export Yara Rule” to finally create the yararule using variables stored in the previous step.
• The comment option on the upper right side annotates the assemblies nicely.
• The wildcard option works but further development are still ongoing.

Installation

git clone https://github.com/hy00un/Hyara.git
cd Hyara
pip install -r requirements.txt

copy Hyara.py to (IDA Pro installation directory)/plugins

copy assembler_disassembler.py to (IDA Pro installation directory)/plugins

Use

String option

• This option is to extract strings within the range user specified.

YaraChecker

• You can test the yararule you write on the fly.
• The recursive feature is applied by default, so you should carefully set the path.

YaraIcon

• “YaraIcon” provides the convenience when you write the rule with Icon.

assem_disassembler

• When creating rules, be sure to check how the assembly changes when you use wildcards.
• Normally people use a website to convert assembly but you can check it by using this feature.

Source: https://github.com/hy00un/