fn2yara - Function-based YARA signature generation
fn2yara [--output-filename=YARA_FILE] [--min-instructions=NUMBER] [--max-string-bytes=NUMBER] [--basic-blocks] [--comparison] [--threshold=NUMBER] [--prefix=STRING] [--address-only] [--include-thunks] [--oldway] [...Pharos options...] EXECUTABLE_FILE
fn2yara --help
fn2yara --rose-version
@PHAROS_OPTS_POD@
fn2yara generates YARA signatures from the functions of an executable. Each function that Pharos recovers becomes one rule whose strings are the byte patterns of the function's instruction blocks; bytes that depend on the load address or on linker choices (absolute operands, relocated targets) are masked so that a rule still matches a position-independent copy of the same code. The options below control how short an instruction block may be before it is dropped, how large a single string may grow before the whole rule is abandoned, whether rules are split on basic-block boundaries, and what fraction of a rule's strings must match for the rule to fire.
The following options are specific to the fn2yara program.
- --output-filename=YARA_FILE, -o=YARA_FILE
  Output filename (defaults to the input filename suffixed with .yara).
- --min-instructions=NUMBER, -m=NUMBER
  Minimum number of instructions an instruction block must contain to be output for a function. Default = 5.
- --max-string-bytes=NUMBER, -M=NUMBER
  Maximum size in bytes of a single YARA string output for a function; no rule is generated for the function if any of its strings exceeds this. Default = 10000.
- --basic-blocks, -B
  Split rules strictly on basic-block boundaries.
- --comparison, -c
  Output a single YARA rule that matches all instruction blocks found in the program, instead of one rule per function.
- --threshold=NUMBER, -T=NUMBER
  Percentage of a rule's strings that must match for the rule to fire. Default = 100 (every string must match).
- --prefix=STRING, -p=STRING
  Prefix for rule names.
- --address-only, -a
  Only output the addresses of candidate functions rather than rules. The output is not in YARA format.
- --include-thunks
  Include thunks in the output.
- --oldway, -o
  Use the old, ad hoc method of making the byte patterns position-independent (PIC). Probably should be removed.
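The following Python is an added example, not code from fn2yara or Pharos, that models the rule-shaping policy the options above describe: blocks shorter than --min-instructions are dropped, a function whose surviving string exceeds --max-string-bytes gets no rule, --threshold becomes an "N of them" condition, --prefix is prepended to the rule name, and load-address-dependent bytes are wildcarded so the pattern stays position-independent. The x86 instruction blocks, the set of bytes treated as relocated, the string naming and the exact rule layout are constructed assumptions for the example; fn2yara's own emitter may differ in all of them.

```python
"""Model of the documented fn2yara rule policy (added example, not the tool's code)."""
import math
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class InstructionBlock:
    """A run of instructions from one function (constructed here, not disassembled)."""
    address: int
    n_instructions: int
    code: bytes
    # Byte offsets whose values depend on the load address or the linker
    # (absolute operands, call targets). They are emitted as '??' so the
    # pattern stays PIC. Which bytes fn2yara masks is its own business;
    # this set is an assumption made for the example.
    relocated: Set[int] = field(default_factory=set)


def hex_pattern(block: InstructionBlock) -> str:
    """Render a block as a YARA hex string, wildcarding the relocated bytes."""
    parts = ["??" if i in block.relocated else f"{b:02X}"
             for i, b in enumerate(block.code)]
    return "{ " + " ".join(parts) + " }"


def condition_for(n_strings: int, threshold: int) -> str:
    """--threshold: percentage of strings that must match; 100 means all of them."""
    if threshold >= 100:
        return "all of them"
    needed = max(1, math.ceil(n_strings * threshold / 100))
    return f"{needed} of them"


def make_rule(name: str, blocks: List[InstructionBlock], min_instructions: int = 5,
              max_string_bytes: int = 10000, threshold: int = 100,
              prefix: str = "") -> Optional[str]:
    """Build one rule for one function, or None when the documented limits reject it."""
    # --min-instructions: too-short blocks are not output for the function.
    kept = [b for b in blocks if b.n_instructions >= min_instructions]
    if not kept:
        return None
    # --max-string-bytes: no rule at all if any surviving string is too large.
    if any(len(b.code) > max_string_bytes for b in kept):
        return None
    lines = [f"rule {prefix}{name}", "{", "  strings:"]
    for b in kept:
        lines.append(f"    $blk_{b.address:08x} = {hex_pattern(b)}")
    lines += ["  condition:", f"    {condition_for(len(kept), threshold)}", "}"]
    return "\n".join(lines)


# Constructed x86 function at 0x401000, split into three instruction blocks.
SAMPLE_BLOCKS = [
    # push ebp; mov ebp,esp; sub esp,0x10; push imm32; call rel32  (5 instructions)
    InstructionBlock(0x401000, 5,
                     bytes.fromhex("558BEC83EC106844332211E800000000"),
                     relocated={7, 8, 9, 10, 12, 13, 14, 15}),
    # xor eax,eax; leave; ret  (3 instructions: dropped at the default minimum)
    InstructionBlock(0x401010, 3, bytes.fromhex("33C0C9C3")),
    # mov eax,[ebp+8]; test eax,eax; jz +2; inc eax; pop ebp; ret  (6 instructions)
    InstructionBlock(0x401014, 6, bytes.fromhex("8B450885C07402405DC3")),
]


def sample_rule(**options) -> Optional[str]:
    """Apply make_rule to the constructed function with the given option overrides."""
    return make_rule("sub_401000", SAMPLE_BLOCKS, **options)


if __name__ == "__main__":
    print(sample_rule())
    print()
    print(sample_rule(min_instructions=3, threshold=50, prefix="pharos_"))
```

With the defaults the three-instruction epilogue is dropped and the rule requires both remaining strings; lowering --min-instructions to 3 keeps all three blocks, and a 50 percent threshold then turns into "2 of them". Setting --max-string-bytes below the 16-byte prologue string suppresses the rule for the whole function rather than just that string, which is the documented behaviour and the reason a small limit can silently produce an empty .yara file.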
@PHAROS_OPTIONS_POD@
Run fn2yara on an executable to write one rule per recovered function to a file beside the input (or to the path given with --output-filename). Before deploying the rules, scan the same executable with yara: every generated rule should match it. Rules that also fire on unrelated binaries are too generic; raising --min-instructions so that short, common blocks are dropped, and keeping --threshold at its default of 100 so that every string must match, tighten them. Use --address-only to list the candidate functions first when deciding which rules are worth keeping.
@PHAROS_ENV_POD@
@PHAROS_FILES_POD@
Written by the Software Engineering Institute at Carnegie Mellon University. The primary author was Michael Duggan.
Copyright 2018 Carnegie Mellon University. All rights reserved. This software is licensed under a "BSD" license. Please see LICENSE.txt for details.