Using run_yextend

Dre edited this page Aug 29, 2016 · 4 revisions

run_yextend is a wrapper around yextend whose sole purpose is to present yextend's results in a more readable form. In a Linux bash terminal, colored output is supported.

A standard yextend run looks like this:

dre@debian:~/software/yextend$ ./yextend test_rulesets/lorem_pdf.yara test_files/lipsum.txt.pdf 

===============================ALPHA===================================
File Name: test_files/lipsum.txt.pdf
File Size: 40450
File Signature (MD5): ec650a3a287603d350718b74716aee1c

=======================================================================

Yara Result(s): invalid_trailer_structure:[author=Glenn Edwards (@hiddenillusion),version=0.1,weight=1,detected offsets=0x0:$magic,hit_count=1]
Scan Type: Yara Scan (PDF - Raw data)
Parent File Name: test_files/lipsum.txt.pdf
Child File Name: test_files/lipsum.txt.pdf
File Signature (MD5): ec650a3a287603d350718b74716aee1c


Yara Result(s): LOREM_FILE_BODY:[type=PDF body text (lorem),detected offsets=0x3b:$lipsum_pdf_body_lorem-0x429:$lipsum_pdf_body_lorem-0x1250:$lipsum_pdf_body_lorem-0x12f6:$lipsum_pdf_body_lorem-0x1374:$lipsum_pdf_body_lorem-0x166e:$lipsum_pdf_body_lorem-0x1b6f:$lipsum_pdf_body_lorem-0x1eb7:$lipsum_pdf_body_lorem-0x2149:$lipsum_pdf_body_lorem-0x282b:$lipsum_pdf_body_lorem-0x2a8a:$lipsum_pdf_body_lorem-0x2f1d:$lipsum_pdf_body_lorem-0x301e:$lipsum_pdf_body_lorem-0x305f:$lipsum_pdf_body_lorem-0x3324:$lipsum_pdf_body_lorem-0x3653:$lipsum_pdf_body_lorem-0x38c9:$lipsum_pdf_body_lorem-0x3ac9:$lipsum_pdf_body_lorem-0x41a5:$lipsum_pdf_body_lorem-0x41d8:$lipsum_pdf_body_lorem-0x44df:$lipsum_pdf_body_lorem-0x5654:$lipsum_pdf_body_lorem-0x6647:$lipsum_pdf_body_lorem-0x6727:$lipsum_pdf_body_lorem-0x6939:$lipsum_pdf_body_lorem-0x721a:$lipsum_pdf_body_lorem,hit_count=26]
Scan Type: Yara Scan (PDF - Extracted text)
Parent File Name: test_files/lipsum.txt.pdf
Child File Name: test_files/lipsum.txt.pdf
File Signature (MD5): 126a551fd3801cb33c8dbacfc04ba75f


===============================OMEGA===================================
dre@debian:~/software/yextend$

The exact same run through the run_yextend wrapper yields output that is much easier to read:

dre@debian:~/software/yextend$ ./run_yextend test_rulesets/lorem_pdf.yara test_files/lipsum.txt.pdf 
===============================ALPHA===================================
File Name: test_files/lipsum.txt.pdf
File Size: 40450
File Signature (MD5): ec650a3a287603d350718b74716aee1c

=======================================================================

Yara Result(s): 
    Rule ID: invalid_trailer_structure
    Rule META:
	    author = Glenn Edwards (@hiddenillusion)
	    version = 0.1
	    weight = 1
	    detected offsets:
		    $magic at 0x0
	    hit_count = 1

Scan Type: Yara Scan (PDF - Raw data)
Parent File Name: test_files/lipsum.txt.pdf
Child File Name: test_files/lipsum.txt.pdf
File Signature (MD5): ec650a3a287603d350718b74716aee1c


Yara Result(s): 
    Rule ID: LOREM_FILE_BODY
    Rule META:
	    type = PDF body text (lorem)
	    detected offsets:
		    $lipsum_pdf_body_lorem at 0x3b
		    $lipsum_pdf_body_lorem at 0x429
		    $lipsum_pdf_body_lorem at 0x1250
		    $lipsum_pdf_body_lorem at 0x12f6
		    $lipsum_pdf_body_lorem at 0x1374
		    $lipsum_pdf_body_lorem at 0x166e
		    $lipsum_pdf_body_lorem at 0x1b6f
		    $lipsum_pdf_body_lorem at 0x1eb7
		    $lipsum_pdf_body_lorem at 0x2149
		    $lipsum_pdf_body_lorem at 0x282b
		    $lipsum_pdf_body_lorem at 0x2a8a
		    $lipsum_pdf_body_lorem at 0x2f1d
		    $lipsum_pdf_body_lorem at 0x301e
		    $lipsum_pdf_body_lorem at 0x305f
		    $lipsum_pdf_body_lorem at 0x3324
		    $lipsum_pdf_body_lorem at 0x3653
		    $lipsum_pdf_body_lorem at 0x38c9
		    $lipsum_pdf_body_lorem at 0x3ac9
		    $lipsum_pdf_body_lorem at 0x41a5
		    $lipsum_pdf_body_lorem at 0x41d8
		    $lipsum_pdf_body_lorem at 0x44df
		    $lipsum_pdf_body_lorem at 0x5654
		    $lipsum_pdf_body_lorem at 0x6647
		    $lipsum_pdf_body_lorem at 0x6727
		    $lipsum_pdf_body_lorem at 0x6939
		    $lipsum_pdf_body_lorem at 0x721a
	    hit_count = 26

Scan Type: Yara Scan (PDF - Extracted text)
Parent File Name: test_files/lipsum.txt.pdf
Child File Name: test_files/lipsum.txt.pdf
File Signature (MD5): 126a551fd3801cb33c8dbacfc04ba75f


===============================OMEGA===================================

dre@debian:~/software/yextend$ 
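The transformation shown above, from the compact `Yara Result(s):` line to the indented rule/meta/offset tree, can be reproduced with a small parser. The following is an added example, not run_yextend's own code; it assumes one rule per result line and no commas inside meta values, which holds for the output on this page but is not guaranteed by yextend. The second sample line is an abridged, constructed version of the page's LOREM_FILE_BODY hit.

```python
import re

RESULT_PREFIX = "Yara Result(s): "
RULE_RE = re.compile(r"^(?P<rule>\w+):\[(?P<body>.*)\]$")  # RULE_ID:[k=v,k=v,...]
OFFSET_RE = re.compile(r"^(0x[0-9a-fA-F]+):(\$\w+)$")      # 0x3b:$string_name

def parse_result_line(line):
    """Parse a compact 'Yara Result(s):' line into (rule_id, ordered meta dict);
    'detected offsets' becomes a list of (string_name, int_offset). Assumes one
    rule per line and no commas in meta values (holds for the page's output)."""
    text = line.strip()
    m = RULE_RE.match(text[len(RESULT_PREFIX):]) if text.startswith(RESULT_PREFIX) else None
    if m is None:
        raise ValueError("unrecognised Yara Result(s) line: %r" % line)
    meta = {}
    for item in m.group("body").split(","):
        key, sep, value = item.partition("=")  # values may themselves contain '='
        if not sep:
            raise ValueError("meta item without '=': %r" % item)
        if key == "detected offsets":
            hits = []
            for entry in value.split("-"):  # individual hits are joined with '-'
                om = OFFSET_RE.match(entry)
                if om is None:
                    raise ValueError("bad offset entry: %r" % entry)
                hits.append((om.group(2), int(om.group(1), 16)))
            value = hits
        meta[key] = value
    return m.group("rule"), meta

def hit_count_consistent(meta):
    """hit_count should equal the number of decoded offsets; a mismatch means a
    truncated line or a meta value that the '-' split mis-parsed."""
    return int(meta.get("hit_count", -1)) == len(meta.get("detected offsets", []))

def render(rule_id, meta):
    """Re-emit one hit in the indented layout run_yextend prints."""
    out = ["Yara Result(s): ", "    Rule ID: " + rule_id, "    Rule META:"]
    for key, value in meta.items():
        if key == "detected offsets":
            out.append("\t    detected offsets:")
            out.extend("\t\t    %s at 0x%x" % (name, off) for name, off in value)
        else:
            out.append("\t    %s = %s" % (key, value))
    return "\n".join(out)

# Constructed samples: the first is the page's own line, the second is abridged to 3 hits.
SAMPLE_LINES = [
    "Yara Result(s): invalid_trailer_structure:[author=Glenn Edwards (@hiddenillusion),version=0.1,weight=1,detected offsets=0x0:$magic,hit_count=1]",
    "Yara Result(s): LOREM_FILE_BODY:[type=PDF body text (lorem),detected offsets=0x3b:$lipsum_pdf_body_lorem-0x429:$lipsum_pdf_body_lorem-0x1250:$lipsum_pdf_body_lorem,hit_count=3]",
]
```

Calling `render(*parse_result_line(SAMPLE_LINES[0]))` reproduces the invalid_trailer_structure block exactly as run_yextend prints it above, and `hit_count_consistent` flags lines whose declared hit_count no longer matches the offsets that survived (for example after a log line was truncated).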