Yara editor / browser

The Yara editor / browser is accessed using the F7 shortcut and allows you to work with Yara rules. You can create new rules, edit existing ones using an embedded editor and browse all matching and non-matching rules in a glance.

For more informations on how Malcat supports Yara rules, please refer to Yara signatures.

Table of Contents

Viewing Yara rules
Adding a rule
Editing a Yara rule
- Using the editor
- Using context menus

Viewing Yara rules 

Yara rules list 

The Yara view displays a list of all the matching and non-matching Yara rules found in the directory data/signatures (and in the User data directory) for the current analyzed file. Columns can be clicked in order to change the rules sort order. By default, matching rules are displayed first and remaining rules are sorted by number of matching strings.

By clicking on a rule in the list, it will be set as the current rule and the rule code will be displayed in the Yara rule editor below. If you want to view a specific yara rule file, you can toggle the directory lister by clicking on the leftmost button in the middle on the screen, left of the yara rule file name. Clicking on a file in the directory lister will be open it inside the Yara editor.

../../_images/yara.png — The yara rule browser / editor

When a rule has been selected in the list, the quick view in the bottom left will also display a summary of the current rule, including comments and metadata, as well as the list of every matching patterns for this rule. Clicking on a pattern brings you to the pattern location inside the Hexadecimal view.

Current Yara rule 

The concept of current rule is pretty important in Malcat. By clicking on a rule or after creating a new one, the current rule marker will be set. In the future, all contextual actions in Malcat that are in need of a Yara rule will use this rule as a target. This includes:

Adding the current selection as an hexadecimal pattern
Adding a string as an ascii/wide string pattern
Adding selected instructions as a pre-commented hexadecimal pattern

The name of the current rule will be repeated inside the context menu RightClick ‣ Add XXX to Yara ‣ Add to yara rule <name of current rule>.

Filtering rules 

The default Yara rule set that comes with Malcat contains already more than 2000 rules. Navigating through this many rules can be sometimes a challenge. By chance, it is really easy to look for a specific rule in Malcat. If you use the search box located on the top right of the view, you may filter displayed rules. Only the rules containing the text you have entered will be displayed. The text is searched in:

the ID of the rule
the name of the rule (the metadata “name”)
the description of the rule (the metadata “description”)

The filtering is done on the fly, no need to hit enter.

Shortcut	Action
`Ctrl+F`	Set focus to the view’s search box

Adding a rule 

You can add a new Yara rule by clicking on the “+” icon left of the yara rule file name text field. A dialog will be shown where you can enter the details and metadata of the rule. By clicking ok, a rule with an empty condition will be added to the currently open Yara file. The new rule will also be set as the new current rule.

../../_images/newrule.png — Creating a new Yara rule

The template used for new rules can be found in data/signatures/new_yara_rule.tpl and is presented below:

rule %RULE_NAME% %RULE_TAG%{
    meta:
        name        = "%RULE_NAME%"
        category    = "%RULE_CATEGORY%"
        description = "%RULE_DESCRIPTION%"
        author      = "%RULE_AUTHOR%"
        created     = "%DATE%"
        reliability = %RULE_RELIABILITY%
        tlp         = "TLP:%RULE_TLP%"
        sample      = "%SHA256%"

    condition:
        true
}

Note that if you don’t like it, you can override this template inside your user data directory like any other data files, see Customisation for more details.

Editing a Yara rule 

Using the editor 

You can modify any rule using the embedded Yara editor. Once your are done editing your new rule, hit Ctrl+S to save the current Yara file and rescan the analyzed binary. If you made any error, the Yara signatures analysis will fail and an error message will be displayed inside the Script editor.

Shortcut	Action
`Ctrl+S`	Save current rule file

Using context menus 

Malcat makes it easy to add strings and bytes from within the different Views to the Current Yara rule. After selecting an interesting pattern, you can add using the context menu RightClick ‣ Add to Yara rule ‣ …. Currently, you can add:

selected bytes from the Hexadecimal view or Structure/text view as either a string or hexadecimal pattern
selected string(s) from the Strings list as either ascii or wide strings
selected instructions from the Disassembly view as commented hexadecimal patterns

../../_images/asm2yara.png — Adding selected code to the current Yara rule

Note that the file won’t be rescanned until you hit Ctrl+S. Also for hexadecimal pattern, you can make use of exclusion masks (cf. Excluding bytes from selection). Excluded bytes/nibbles will be replaced by jokers (?) in the added Yara hexadecimal pattern.

Note

If you are not sure if a pattern will create false postives, make use of Malcat’s Searching in the corpus feature to search the pattern inside a large set of clean files efficiently.