YaDa is the Yara binary file decompiler, it currently supports Yara 3.4.0 and Yara 3.9.0.
It is inspired by the project jbgalet/yaradec, which disassembles yara rule into bytecode.
./yada.py <yara_rule_binary>- Example
$ ./yada.py testcase/RARsilence.yac
rule default:APT1_RARSilent_EXE_PDF {
// ptr = 3feb
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
/*0x41ef*/ $winrar1 = "WINRAR.SFX" wide ascii
/*0x471f*/ $str2 = "Steup=" wide ascii
condition:
all of them
}
rule default:APT1_known_malicious_RARSilent {
// ptr = 4097
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
/*0x517f*/ $str1 = "Analysis And Outlook.doc" wide ascii
/*0x56af*/ $str2 = "North Korean launch.pdf" wide ascii
/*0x5bdf*/ $str3 = "Dollar General.doc" wide ascii
/*0x610f*/ $str4 = "Dow Corning Corp.pdf" wide ascii
condition:
(any of them) and APT1_RARSilent_EXE_PDF
}
You may also directly called into the decompiler API to embed the tool into your own script, there are methods to output rules syntax tree in JSON and to output the bytecode.
Please refer to classes defined in v11dec.py and v39dec.py.
If you are intrested in the implementation, check out the slides presented at SECCON 13 Open Conference, and
I also submitted YaDa as my graduate school's project. You can also checkout the report here if you prefer reading text.
- Some complex regex could not be extracted in Yara 3.9.0
- module related functionalities is not supported
for ... of ... : conditionstatement is not supported
- Support
for ... of ... : conditionstructure - Improve the support of complex regular expression
- Reduce the repetition structure in regular expressions
- Use wildcard to show same prefix variables
- Support other versions
- Rewrite in other languages
MIT License