Yara editor / browser
The Yara editor / browser is opened with the F7 shortcut and lets you work with Yara rules: create new rules, edit existing ones in an embedded editor, and browse all matching and non-matching rules at a glance.
For more information on how Malcat supports Yara rules, please refer to Yara signatures.
Viewing Yara rules
Yara rules list
The Yara view displays a list of all the matching and non-matching Yara rules found in the directory data/signatures (and in the User data directory) for the currently analyzed file. Columns can be clicked to change the sort order. By default, matching rules are displayed first and the remaining rules are sorted by number of matching strings.
Clicking on a rule in the list sets it as the current rule and displays its code in the Yara rule editor below. If you want to view a specific Yara rule file, you can toggle the directory lister by clicking on the leftmost button in the middle of the screen, left of the Yara rule file name. Clicking on a file in the directory lister opens it inside the Yara editor.

The yara rule browser / editor
When a rule has been selected in the list, the quick view in the bottom left also displays a summary of the current rule, including comments and metadata, as well as the list of all matching patterns for this rule. Clicking on a pattern brings you to the pattern location inside the Hexadecimal view.
Current Yara rule
The concept of current rule is important in Malcat. Clicking on a rule, or creating a new one, sets the current rule marker. From then on, every contextual action in Malcat that needs a target Yara rule will use this rule. This includes:
Adding the current selection as a hexadecimal pattern
Adding a string as an ascii/wide string pattern
Adding selected instructions as a pre-commented hexadecimal pattern
The name of the current rule is repeated inside the context menu.
Filtering rules
The default Yara rule set that comes with Malcat already contains more than 2000 rules, and navigating through this many rules can be a challenge. Fortunately, it is easy to look for a specific rule in Malcat: type into the search box located at the top right of the view and only the rules containing the text you entered are displayed. The text is searched in:
the ID of the rule
the name of the rule (the metadata “name”)
the description of the rule (the metadata “description”)
The filtering is done on the fly, no need to hit Enter.

| Shortcut | Action |
|---|---|
| Ctrl+F | Set focus to the view’s search box |
Adding a rule
You can add a new Yara rule by clicking on the “+” icon left of the Yara rule file name text field. A dialog is shown where you can enter the details and metadata of the rule. After clicking OK, a rule with an empty condition (`true`) is appended to the currently open Yara file, and the new rule is set as the current rule.

Creating a new Yara rule
The template used for new rules can be found in data/signatures/new_yara_rule.tpl and is presented below:

```yara
rule %RULE_NAME% %RULE_TAG%{
    meta:
        name = "%RULE_NAME%"
        category = "%RULE_CATEGORY%"
        description = "%RULE_DESCRIPTION%"
        author = "%RULE_AUTHOR%"
        created = "%DATE%"
        reliability = %RULE_RELIABILITY%
        tlp = "TLP:%RULE_TLP%"
        sample = "%SHA256%"
    condition:
        true
}
```
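To show what a finished rule built from this template looks like once the three kinds of patterns the editor can add (a hex selection, an ascii/wide string, and pre-commented instruction bytes) have been inserted, here is an added example. It is not part of Malcat's rule set or of the template above: the rule name, tags, metadata values, hash and every byte pattern are constructed for illustration, and the `// ...` comments inside the hex string rely on YARA's support for comments within `{ }` hex strings.

```yara
// Added example, not shipped with Malcat: the new-rule template filled in by hand.
// All names, metadata values, the sample hash and the byte patterns are illustrative.
rule Example_XorDecryptStub : example loader
{
    meta:
        name = "Example_XorDecryptStub"
        category = "malware"
        description = "Illustrative rule combining a hex selection, an ascii/wide string and commented instruction bytes"
        author = "analyst"
        created = "2024-01-01"
        reliability = 70
        tlp = "TLP:CLEAR"
        sample = "0000000000000000000000000000000000000000000000000000000000000000"

    strings:
        // 1. Raw bytes copied from a hex selection (here the start of a DOS header, constructed)
        $hex_header = { 4D 5A 90 00 03 00 00 00 }

        // 2. A string added as both ascii and wide, so it matches UTF-8 and UTF-16LE builds alike
        $s_useragent = "Mozilla/4.0 (compatible; MSIE 6.0)" ascii wide

        // 3. Instruction bytes with their disassembly kept as comments; the XOR key byte is
        //    wildcarded so the pattern survives a key change between samples
        $code_xor_loop = {
            8A 04 0E        // mov  al, [esi+ecx]
            34 ??           // xor  al, <key>
            88 04 0F        // mov  [edi+ecx], al
            41              // inc  ecx
            3B C8           // cmp  ecx, eax
            72 F3           // jb   <loop start>   (13 bytes back)
        }

    condition:
        uint16(0) == 0x5A4D and
        $hex_header at 0 and
        ($s_useragent or $code_xor_loop)
}
```

Pasted into the current Yara file and saved with Ctrl+S, a rule like this is recompiled and the analyzed binary is rescanned immediately, so a typo in the hex string (an odd number of nibbles, a stray character) shows up as a compile error right away rather than as a silently non-matching rule.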
Note that if you don’t like this template, you can override it inside your user data directory like any other data file; see Customisation for more details.
Editing a Yara rule
Using the editor
You can modify any rule using the embedded Yara editor. Once you are done editing your rule, hit Ctrl+S to save the current Yara file and rescan the analyzed binary. If the file contains an error, the Yara signatures analysis fails and an error message is displayed inside the Script editor.

| Shortcut | Action |
|---|---|
| Ctrl+S | Save current rule file |