mazen91111/YARA-Rule-Generator

🧬 YARA-Rule-Generator

Automatically generate YARA detection rules from malware samples.
Designed for threat hunters, malware analysts, and SOC engineers.


⚙️ Features

| Feature | Details |
|---|---|
| 🔡 Smart String Extraction | Scores strings by malware relevance (API calls, URLs, C2 patterns) |
| 🔢 Hex Pattern Mining | Extracts recurring byte sequences as hex signatures |
| 📊 Entropy Condition | Adds a `math.entropy()` condition for packed samples |
| 🏷️ Full Meta Block | SHA-256 hash, date, author, tool attribution |
| 📁 Multi-file Support | Generate rules for multiple samples at once |
| 💾 Export to .yar | Save the combined ruleset to a YARA file |

🚀 Installation

```bash
git clone https://github.com/mazen91111/YARA-Rule-Generator.git
cd YARA-Rule-Generator
pip install -r requirements.txt
```

🧪 Usage

```bash
# Single sample
python yara_generator.py -f malware.exe

# Multiple samples → combined .yar file
python yara_generator.py -f sample1.exe sample2.dll -o detection.yar

# Custom options
python yara_generator.py -f ransomware.exe --max-strings 15 --hex-patterns 5
```

📸 Example Output

```yara
// YARA Rule generated by YARA-Rule-Generator
// File    : suspicious.exe
// SHA-256 : a3f1c9...
// Entropy : 7.81
// Date    : 2025-01-01 12:00 UTC

// The math module must be imported for math.entropy() in the condition to compile.
import "math"

rule detect_suspicious_exe
{
    meta:
        description = "Auto-generated rule for suspicious.exe"
        sha256      = "a3f1c9..."
        entropy     = "7.81"
        author      = "mazen91111"
        date        = "2025-01-01"
        tool        = "YARA-Rule-Generator"

    strings:
        $s1 = "VirtualAlloc" ascii wide nocase
        $s2 = "CreateRemoteThread" ascii wide nocase
        $s3 = "http://192.168.1.100/payload" ascii wide nocase
        $b1 = { 55 8B EC 83 EC 10 }
        $b2 = { 60 BE 00 10 40 00 }

    condition:
        5 of them and math.entropy(0, filesize) >= 7.0
}
```

🎯 String Scoring System

Strings are scored based on malware relevance:

| Pattern | Score |
|---|---|
| Win32 API calls (VirtualAlloc, CreateRemoteThread…) | +2 |
| Network functions (socket, connect, InternetOpen…) | +2 |
| URLs (http://, https://) | +3 |
| IP addresses | +2 |
| Crypto-related (xor, encrypt, base64…) | +2 |
| Length > 10 chars | +1 |
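As an added illustration, not the project's own code, the scoring table above implemented in Python: printable strings are extracted from a constructed byte sample, weighted with the page's scores, and ranked the way a `--max-strings` cutoff would select them. The keyword sets, the 4-byte minimum string length and the Shannon-entropy helper (the quantity YARA's `math.entropy()` evaluates) are my assumptions, not the tool's internals.

```python
import math
import re
from collections import Counter

# Keyword sets are assumed for illustration; the README only names a few examples.
API_CALLS = {"VirtualAlloc", "CreateRemoteThread"}
NET_FUNCS = {"socket", "connect", "InternetOpen"}
CRYPTO_WORDS = ("xor", "encrypt", "base64")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Return printable-ASCII runs of at least min_len bytes (assumed threshold)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def score_string(s: str) -> int:
    """Apply the README's relevance weights; higher means more rule-worthy."""
    score = 0
    if s in API_CALLS:
        score += 2                       # Win32 API call
    if s in NET_FUNCS:
        score += 2                       # network function
    if s.startswith(("http://", "https://")):
        score += 3                       # URL
    if IP_RE.search(s):
        score += 2                       # IP address
    if any(w in s.lower() for w in CRYPTO_WORDS):
        score += 2                       # crypto-related
    if len(s) > 10:
        score += 1                       # long string
    return score


def rank_strings(data: bytes, max_strings: int = 15) -> list[tuple[str, int]]:
    """Unique strings with a positive score, best first; ties sorted by name."""
    scored = {s: score_string(s) for s in set(extract_strings(data))}
    ranked = sorted(scored.items(), key=lambda kv: (-kv[1], kv[0]))
    return [kv for kv in ranked if kv[1] > 0][:max_strings]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte over the whole buffer, as math.entropy(0, filesize) does."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# Constructed stand-in for a sample: a few strings separated by NUL bytes.
SAMPLE = (b"MZ\x00\x00VirtualAlloc\x00CreateRemoteThread\x00"
          b"http://192.168.1.100/payload\x00xor_key\x00socket\x00hello\x00")
```

Strings that score 0 (such as `hello`) are dropped, which is why a padded sample yields only the handful of indicators worth putting in a rule.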

👤 Author

Mazen Obed (@mazen91111)
Malware Development | Red Team | Threat Hunting


⚠️ Disclaimer

For educational and research purposes only.
Use only on files you own or have explicit permission to analyze.


📄 License

MIT License
