Generate a Yara rule to find base64-encoded files containing a specific keyword

DissectMalware/base64_substring

About

Malware analysts often need to search base64-encoded samples for a plaintext search term such as Application.Run. Because the same plaintext encodes differently depending on where it falls within base64's 3-byte groups, a single encoded string will not match every sample. base64_substring enumerates all possible base64 encodings of a given search term and generates a yara rule that checks each of those possibilities.

How to Run

Example: generating a yara rule that matches a base64-encoded file containing the term Application.

> python generate_yara_rule.py
> Please enter a rule name
  MyRule
> Please enter a text
  Application
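The enumeration the tool performs, written out as an added Python example (this is not the project's generate_yara_rule.py; the helper names and the emitted rule layout are my own): for each of the three 3-byte alignments the term can fall on, the bytes are shifted, encoded, and the leading and trailing characters that share bits with neighbouring unknown bytes are trimmed, leaving a substring a yara string can match verbatim.

```python
import base64

# Added example, not the project's own code: enumerate the three base64
# alignments of a search term and emit a yara rule covering all of them.


def base64_variants(term: str) -> list[str]:
    """Return the base64 substrings that appear no matter where `term`
    falls within the 3-byte grouping of the encoded file."""
    raw = term.encode()
    variants = []
    for offset in range(3):
        # Prepend `offset` placeholder bytes to shift the term into each
        # of the three possible alignments within a base64 group.
        padded = b"\x00" * offset + raw
        encoded = base64.b64encode(padded).decode().rstrip("=")
        # Leading chars that mix in placeholder bits: 0, 2 or 3 of them.
        lead = (0, 2, 3)[offset]
        # If the final group is partial, its last char also carries bits
        # of whatever byte follows the term in the real file, so drop it.
        trail = 1 if len(padded) % 3 else 0
        variants.append(encoded[lead:len(encoded) - trail])
    return variants


def generate_rule(rule_name: str, term: str) -> str:
    """Build a yara rule that fires on any of the alignment variants."""
    lines = [f"rule {rule_name}", "{", "    strings:"]
    for i, variant in enumerate(base64_variants(term)):
        lines.append(f'        $b64_{i} = "{variant}"')
    lines += ["    condition:", "        any of them", "}"]
    return "\n".join(lines)


def matches_encoded(term: str, sample: bytes) -> bool:
    """Check a sample the way the rule would: base64-encode it and look
    for any of the variants in the encoded text."""
    encoded = base64.b64encode(sample).decode()
    return any(v in encoded for v in base64_variants(term))


if __name__ == "__main__":
    print(generate_rule("MyRule", "Application"))
    # Constructed samples placing the term at all three alignments.
    for k in range(3):
        assert matches_encoded("Application", b"x" * k + b"Application!")
```

YARA 4.0 and later can do this natively with the `base64` string modifier; the variants above show the substrings that modifier effectively expands to.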

Further Reading

"Searching for Content in Base-64 Strings" by Lee Holmes
