r2yara

r2yara is the integration of Yara into radare2. Yara is a powerful pattern-matching tool that uses rules to identify or classify byte patterns and strings in binaries.

Installation

r2yara is maintained in a separate repository. It can be installed with the r2pm package manager:

$ r2pm -ci r2yara

The package manager automatically handles the installation and compilation of the Yara library.

Usage

Once r2yara is installed, two sets of commands are available in r2. The first set is invoked with the yara command:

[0x00000000]> yara
Usage: yara  [action] [args..]   load and run yara rules inside r2
| yara add [file]   Add yara rules from file, or open $EDITOR with yara rule template
| yara clear        Clear all rules
| yara help         Show this help (same as 'yara?')
| yara list         List all rules
| yara scan[S]      Scan the current file, if S option is given it prints matching strings
| yara show [name]  Show rules containing name
| yara tag [name]   List rules with tag 'name'
| yara tags         List tags from the loaded rules
| yara version      Show version information about r2yara and yara

The second set consists of shorter commands that start with yr:

[0x00000000]> yr
Usage: yr [action] [args..]   load and run yara rules inside r2
| yr [file]        add yara rules from file
| yr               same as yr?
| yr-*             unload all the rules
| yr?              show this help (same as 'yara?')
| yrg[?][-sxf]     generate yara rule
| yrl              list loaded rules
| yrs[q]           scan the current file, suffix with 'q' for quiet mode
| yrt ([tagname])  list tags from loaded rules, or list rules from given tag
| yrv              show version information about r2yara and yara

Rule management

The plugin includes two rule files by default in its rules folder, and these are loaded automatically. The currently loaded rules can be listed:

[0x00055a40]> yrl
HelloWorld
BLOWFISH_Constants
MD5_Constants
RC6_Constants
RIPEMD160_Constants
SHA1_Constants
SHA256_Constants
SHA512_Constants
WHIRLPOOL_Constants

The rules can be cleared:

[0x00055a40]> yr-
INFO: Rules cleared
[0x00055a40]> yrl

Other rules can be added from an external file:

[0x00055a40]> yr r2yara/rules/crypto.yara

Scan

The current binary can be scanned with the currently loaded rules to see if any rule matches a pattern in the binary:

[0x00055a40]> yrs
BLOWFISH_Constants
0x004960c0: yara3.BLOWFISH_Constants_0 : a60b31d1
0x004960c4: yara3.BLOWFISH_Constants_1 : acb5df98
0x004960c8: yara3.BLOWFISH_Constants_2 : db72fd2f
0x004960cc: yara3.BLOWFISH_Constants_3 : b7df1ad0
0x004964c0: yara3.BLOWFISH_Constants_4 : e9707a4b
0x004968c8: yara3.BLOWFISH_Constants_5 : 1c264cf6
SHA256_Constants
0x001936c4: yara4.SHA256_Constants_0 : 982f8a42
0x0019372b: yara4.SHA256_Constants_1 : 91443771
0x0019379d: yara4.SHA256_Constants_2 : cffbc0b5
0x001937e5: yara4.SHA256_Constants_3 : a5dbb5e9

As soon as a pattern is identified, a flag is created at the pattern address.
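To make the scan output above easier to read, the following added example (written for this page, not code from r2yara or the radare2 project) shows what one of the bundled crypto rules looks like, how its hex strings correspond to the bytes printed by yrs, and how a match turns into r2 flags. The rule text is constructed in the style of a crypto.yara entry for the SHA-256 round constants K[0..3]; the scanner is a deliberately small pure-Python matcher that handles only plain hex bytes and ?? wildcards (it is not libyara), the sample buffer is constructed inline, and the yara0 flagspace prefix and the 0x00400000 base address are assumptions chosen for illustration.

```python
import re
import struct

# Constructed rule in the style of the bundled crypto rules. The four hex strings
# are SHA-256 round constants K[0..3] as stored in memory on a little-endian target,
# which is why yrs prints "982f8a42" for K[0] = 0x428a2f98.
SHA256_RULE = r"""
rule SHA256_Constants : crypto
{
    meta:
        description = "Look for SHA256 constants"
    strings:
        $c0 = { 98 2f 8a 42 }   // K[0] = 0x428a2f98, little-endian
        $c1 = { 91 44 37 71 }   // K[1] = 0x71374491
        $c2 = { cf fb c0 b5 }   // K[2] = 0xb5c0fbcf
        $c3 = { a5 db b5 e9 }   // K[3] = 0xe9b5dba5
    condition:
        all of them
}
"""

# The same constants as integers; the sample buffer below writes them little-endian.
SHA256_K = (0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5)

# Matches `$name = { ... }` string definitions inside a rule.
HEX_STRING_RE = re.compile(r'\$(\w+)\s*=\s*\{([^}]*)\}')


def parse_hex_strings(rule_text):
    """Return {name: compiled bytes regex} for each hex string in the rule.

    Supports the subset of YARA hex-string syntax used here: two-digit bytes and
    the ?? single-byte wildcard. Comments (// ...) are stripped first.
    """
    rule_text = re.sub(r'//[^\n]*', '', rule_text)
    patterns = {}
    for name, body in HEX_STRING_RE.findall(rule_text):
        regex = b''
        for tok in body.split():
            if tok == '??':
                regex += b'.'                       # any single byte
            else:
                regex += re.escape(bytes([int(tok, 16)]))
        patterns[name] = re.compile(regex, re.DOTALL)
    return patterns


def scan(data, patterns, base=0):
    """Scan a buffer and return (address, string_name, hex_bytes) tuples.

    The tuple layout mirrors what `yrs` prints: virtual address of the hit,
    the name of the matching string and the matched bytes in hex.
    """
    hits = []
    for name, rx in patterns.items():
        for m in rx.finditer(data):
            hits.append((base + m.start(), name, m.group(0).hex()))
    hits.sort()
    return hits


def rule_matches(hits, patterns):
    """Evaluate the rule's `all of them` condition: every string must hit at least once."""
    return {h[1] for h in hits} == set(patterns)


def r2_flag_commands(rule_name, hits, flagspace_idx=0):
    """Emit r2 `f` commands equivalent to the flags r2yara places on each matched pattern.

    The `yara<N>.` prefix is an assumed flagspace name in the style of the page's output.
    """
    return [f"f yara{flagspace_idx}.{rule_name}_{i} 4 @ {addr:#010x}"
            for i, (addr, _name, _hex) in enumerate(hits)]


def build_sample(prefix_len=0x40):
    """Constructed sample binary: zero filler, the four constants little-endian, then padding."""
    buf = bytearray(prefix_len)
    buf += b''.join(struct.pack('<I', k) for k in SHA256_K)
    buf += b'\xff' * 16
    return bytes(buf)


if __name__ == '__main__':
    patterns = parse_hex_strings(SHA256_RULE)
    data = build_sample()
    hits = scan(data, patterns, base=0x00400000)
    if rule_matches(hits, patterns):
        print("SHA256_Constants")
        for addr, name, hexbytes in hits:
            print(f"{addr:#010x}: {name} : {hexbytes}")
        print("\n".join(r2_flag_commands("SHA256_Constants", hits)))
```

Saving the SHA256_RULE text to a file and loading it with `yr sha256.yara` (assumed file name) makes it available to yrs; the scanner here only reproduces the matching and flag-creation idea so the hex output of a real scan can be related back to the constants a rule encodes.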