Simple YARA Generator - Binary Ninja YARA Rule Generator

A Binary Ninja plugin that allows you to generate YARA rules from selected assembly instructions with intelligent architecture-aware wildcarding.

Features

• Select assembly instructions in Binary Ninja and generate YARA rules
• Architecture-aware wildcarding using Capstone Engine
• Three-column view showing:
  • Raw bytes (hex format)
  • Wildcarded bytes with intelligent opcode preservation
  • Assembly instruction text
• Individual checkbox control for each instruction to toggle wildcarding
• Real-time YARA rule preview with one instruction per line
• Copy to clipboard functionality
• Support for multiple architectures (x86, x64, ARM, ARM64, MIPS)

Architecture Support

The plugin uses Capstone Engine for intelligent instruction analysis:

• x86/x64: Analyzes operands to identify and wildcard immediate values and displacements
• ARM: Wildcards all but the last byte (configurable)
• ARM64: Preserves opcode bits, wildcards immediate values in middle bytes
• Thumb: Conservative wildcarding of operands
• MIPS: Basic operand wildcarding
• Fallback: Simple heuristics when Capstone analysis fails

Architecture-Specific Wildcarding

Simple YARA Generator uses Capstone Engine to provide intelligent, architecture-aware wildcarding:

ARM64/AArch64

• Opcode Preservation: Automatically preserves critical opcode bytes (e.g., the 40 f9 pattern in ldr instructions)
• Operand Wildcarding: Intelligently wildcards register fields and immediate values
• Example: ldr x16, [x16] (bytes: 10 02 40 f9) becomes ?? ?? 40 f9

x86/x64

• Operand Detection: Uses byte-pattern matching to locate immediate values and displacements
• Prefix Handling: Preserves instruction prefixes and opcodes
• Memory Operands: Automatically wildcards displacement values in memory references

ARM/Thumb

• Conservative Approach: Preserves condition codes and primary opcode information
• Size Awareness: Handles both 2-byte and 4-byte instructions appropriately

Installation (if not using the plugin manager)

1. Copy the YaraBN folder to your Binary Ninja plugins directory:

   • macOS: ~/Library/Application Support/Binary Ninja/plugins/
   • Windows: %APPDATA%\Binary Ninja\plugins\
   • Linux: ~/.binaryninja/plugins/

2. Install dependencies:

   pip install capstone

3. Restart Binary Ninja or reload plugins

Usage

1. Open a binary in Binary Ninja
2. Select the assembly instructions you want to include in your YARA rule (click and drag in the disassembly view)
3. Right-click and select Generate YARA Rule from the context menu, or access it via Plugins → Generate YARA Rule
4. A dialog will open showing three columns:
   • Wildcard: Checkbox to enable/disable wildcarding for each instruction
   • Raw Bytes: The actual bytes of the instruction in hex format
   • Wildcarded Bytes: The intelligently wildcarded version of the bytes
   • Assembly: The assembly instruction text
5. Check/uncheck the boxes to control which instructions should use wildcarded bytes
6. View the real-time YARA rule preview at the bottom
7. Click "Copy to Clipboard" to copy the generated YARA rule

YARA Rule Format

The generated YARA rules follow this format:

rule generated_rule {
    meta:
        description = "Auto-generated YARA rule from Binary Ninja"
        author = "Simple YARA Generator Plugin"
        
    strings:
        $hex_string = { 
            77 06 	    // ja      0x805252d
            83 ?? ?? 	// add     esp, 0x4
            5b 	        // pop     ebx {__saved_ebx}
            5d 	        // pop     ebp {__saved_ebp}
            c3 	        // retn     {__return_addr}
        }
        
    condition:
        $hex_string
}

Each instruction appears on its own line with its assembly comment for easy identification.

Customization

YARA Rule Templates

Simple YARA Generator uses a customizable template for generating YARA rules. The plugin includes a default template:

• yara_template.txt - Default template with metadata fields

You can customize the YARA rule format by editing the yara_template.txt file in the plugin directory. The template uses Python's .format() syntax with the placeholder {hex_content} for the instruction bytes.

Example custom template:

rule my_custom_rule {{
    meta:
        author = "Your Name"
        date = "2025-06-29"
        
    strings:
        $pattern = {{ {hex_content} }}
        
    condition:
        $pattern at entrypoint
}}

FAQ

Q: Is this really necessary?
A: If I can save 2 clicks by writing a plugin I will. Don't judge me.

Q: Why do you use Capstone and not the native BN API?
A: Unfortunately the BN API doesn't provide information about the bytes that make up the instruction.

Q: Can I trust the wildcarding?
A: TL;DR: No. Longer answer: The automatic wildcard should be considered a somewhat informed suggestion. I find that in most cases, if I need to wildcard part of an instruction I keep the opcode and wildcard the rest. Notice how I said in most cases?

Q: Why will it only generate 1 string per rule?
A: Take the created rule as a suggestion, and either use the output of this plugin as input for your brain, or an external brain like an LLM. Mileage may vary.

Requirements

• Binary Ninja
• Capstone

License

MIT License - see plugin.json for full license text.