IDAPython plugin for generating whole yara rules/ patterns from x86/x86-64 code. Operation called 'parameterization' applyes to selected code/function. This operation finds alternatives for any possible operands and create pattern based on that information.
Example rule you can found in examples folder.
Tested on IDA 7.5+
Copy plugin to your IDA_HOME/plugins folder and install dependencies.
pip install capstone tabulate plyara
According to intel manual a instruction have the following structure
| Instruction prefix | Opcode | Mod R/M | SIB | Displacement | Immediate value |
|---|
Let's consider that parts.
Currently only the REX prefix parameterized as 4?.
| Mod | Reg | R/M |
|---|---|---|
| 2bit | 3bit | 3bit |
For every instruction contained Mod R/M byte the plugin creates a list of candidates on ModR/M positions uses following rules
- Mod are fixed
- Reg If accorded settings enabled, the plugin creates 8 possible candidates (0b000 to 0b111)
- R/M If accorded settings enabled, the plugin creates 8 possible candidates (0b000 to 0b111)
So, 4 generation available
- Mod | ??? | ???
- Mod | REG | ???
- Mod | REG | R/M
- Mod | ??? | R/M
Besides, you can choose particular registers for parameterization
SIB byte parametersized the same way as Mod R/M byte but Scale fixed instead Mod
| Scale | Index | Base |
|---|---|---|
| 2bit | 3bit | 3bit |
If Displacement/Immediate value is an address or offset special trick are used. Because actual code placed in small range of addresses, some bytes can be fixed (last 2 or 1 byte).