New-YaraStringSearchRule.ps1

<#PSScriptInfo
.VERSION 1.0
.GUID 7d95a538-2b51-4117-9935-74df97dc5159
.AUTHOR Lee Holmes
.DESCRIPTION Convert an incoming sequence of bytes or strings to a Yara rule
#>


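<#
.SYNOPSIS
Builds a single Yara rule named "string_search" that matches if any of the
supplied values is present.

.EXAMPLE
"first sample string", "second sample string" | .\New-YaraStringSearchRule.ps1

.EXAMPLE
,([byte[]] (0x4D, 0x5A)) | .\New-YaraStringSearchRule.ps1 -Description "Constructed example"

The leading comma keeps the byte array intact. Without it, the pipeline
unrolls the array and every byte arrives as a separate value, which is then
emitted as a text string instead of one hex string.

.NOTES
Every generated rule carries the same identifier (string_search). Rename the
rule before loading several generated rules into one ruleset.
Text values are emitted as plain quoted strings; no Yara string modifiers are
appended.
#>
param(
    ## The value that we would like to search for. Either a byte[] (emitted
    ## as a Yara hex string) or anything else (converted to text and emitted
    ## as a quoted Yara text string).
    [Parameter(Mandatory, ValueFromPipeline)]
    $Value,

    ## The description to apply to the Yara rule meta field
    [Parameter()]
    $Description = "Search for strings"
)

begin
{
    ## Turn arbitrary text into the body of a double-quoted Yara string
    ## literal. Search values may be copied from samples or logs, so they can
    ## contain quotes, backslashes or line breaks. A raw line break or an
    ## unescaped quote would end the literal early and leave a rule that does
    ## not compile, so everything that cannot appear verbatim is escaped.
    function ConvertTo-YaraStringLiteral([string] $Text)
    {
        ## Backslashes go first so that the escapes added below are not
        ## doubled again.
        $escaped = $Text -replace '\\', '\\' `
                         -replace '"', '\"' `
                         -replace "`n", '\n' `
                         -replace "`t", '\t'

        ## Any remaining control character (carriage return, NUL, ...) is
        ## written as a \xNN hex escape.
        [Regex]::Replace($escaped, '[\x00-\x1F\x7F]', {
            param($match)
            '\x{0:x2}' -f [int] $match.Value[0]
        })
    }

    $Description = ConvertTo-YaraStringLiteral $Description
"rule string_search
{
    meta:
        description = `"$Description`"
 
    strings:"


    ## Identifiers ($s000, $s001, ...) collected for the final condition
    $conditions = New-Object 'System.Collections.Generic.List[string]'
    $counter = 0
}

process
{
    ## Auto-number the strings to search for
    $condition = "`$s{0:000}" -f $counter
    $conditions.Add($condition)
    $counter++

    if($Value -is [byte[]])
    {
        ## A byte sequence becomes a Yara hex string: two upper-case hex
        ## digits per byte, separated by spaces.
        $hexByteSequence = ($Value | Foreach-Object { "{0:X2}" -f $_ }) -join " "

        " $condition = {$hexByteSequence}"
    }
    else
    {
        ## Otherwise, embed it as a text string (escaping special characters
        ## first)
        " $condition = `"$(ConvertTo-YaraStringLiteral $Value)`""
    }
}
end
{
    ## Emit the final condition element: the rule matches when any one of
    ## the numbered strings is found.
    "
    condition:"

    " " + ($conditions -join " or ")
    "}"
}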