starfleetcadet75/binaryninja-yara

YARA Scanner Plugin

Author: starfleetcadet75

YARA signature scanner for Binary Ninja.

Description

This plugin provides support for scanning binaries loaded in Binary Ninja with YARA rules. Matches are tagged with a YARA Matches tag and are displayed in the tags window. By default, a report will also be generated that lists the results from the scan. YARA rules are reloaded each time a new scan is started. Rules can be manually loaded from a file or loaded from a custom rules directory.

Demo

Scanning for Crypto Constants

This plugin also provides a findcrypt equivalent for Binary Ninja by including a set of built-in YARA rules for crypto detection. The original ruleset was taken from the Yara-Rules project and has been modified to include additional signatures from other sources.

Custom YARA Rules

YARA rules can be loaded from a specific file by selecting Scan with File. This will not load any other rules. The Scan menu option will load all built-in signatures in addition to searching for any YARA files (*.yar, *.yara) in custom locations that the user has provided in the plugin's settings.

NOTE: This plugin scans the binary based on its segments, which means that YARA rules that check whether the binary is a PE or ELF file will fail to match unless scanning in the raw binary view.

Settings

This plugin provides the following settings:

  • Custom YARA Rules Path: Absolute path to a directory containing custom YARA rule files (*.yar, *.yara). Use a semicolon to delimit multiple paths.
  • Scan Timeout: Timeout for running a YARA scan, specified in seconds. The default value is 60 seconds. A value of 0 disables the timeout.
  • Show YARA Report: The plugin will display a report of the YARA results when the scan has finished.
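
The sketch below is an added example, not the plugin's own code. It shows how the Custom YARA Rules Path setting and the per-segment scanning described in the note above fit together. The function names `collect_rule_files` and `scan_segments`, the `custom_N` namespaces, and the non-recursive directory listing are assumptions; the scan step needs the `yara` Python module.

```python
import os
import tempfile

RULE_EXTS = (".yar", ".yara")

def collect_rule_files(setting):
    """Turn the semicolon-delimited path setting into {namespace: rule_file}."""
    found = {}
    for entry in setting.split(";"):
        entry = entry.strip()
        # The setting is documented as absolute directories; skip anything else.
        if not entry or not os.path.isabs(entry) or not os.path.isdir(entry):
            continue
        for name in sorted(os.listdir(entry)):  # assumption: no recursion
            path = os.path.join(entry, name)
            if name.lower().endswith(RULE_EXTS) and os.path.isfile(path):
                found["custom_%d" % len(found)] = path
    return found

def scan_segments(rule_files, segments, timeout=60):
    """Scan (start_address, data) pairs; return (start_address, rule_name) hits."""
    import yara  # lazy import: only the scan needs the YARA Python bindings
    rules = yara.compile(filepaths=rule_files)
    hits = []
    for start, data in segments:
        # Offset 0 here is the first byte of the segment buffer, so a condition
        # such as uint16(0) == 0x5A4D is evaluated against segment contents
        # rather than against the start of the file on disk.
        for match in rules.match(data=data, timeout=timeout):
            hits.append((start, match.rule))
    return hits

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as rules_dir:
        # Constructed rule file and constructed segment bytes.
        with open(os.path.join(rules_dir, "demo.yar"), "w") as fh:
            fh.write('rule demo_marker { strings: $a = "MARK" condition: $a }\n')
        files = collect_rule_files(rules_dir + ";/nonexistent/rules")
        print(files)
        print(scan_segments(files, [(0x401000, b"\x90\x90MARK\x90")]))
```

Rules that must inspect file headers belong in a scan of the raw binary view, where the buffer begins at the first byte of the file.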

Resources

Required Dependencies

This plugin requires the pip package python-yara.

License

This plugin is released under an MIT license.
