Reference information:
https://yara.readthedocs.io/en/stable/writingrules.html
main.yara

```yara
rule hello
{
    strings:
        $match_string = "Hello, world!"

    condition:
        $match_string
}
```
main.c

```c
#include <stdio.h>
#include <stdlib.h>

/* Minimal target binary: the literal below is what the YARA rule looks for. */
int main(int argc, char *argv[])
{
    printf("Hello, world!\n");
    return 0;
}
```
Build and Test

```shell
$ gcc main.c -o main
$ yara -rs main.yara main
hello main
0x2004:$match_string: Hello, world!
```
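A more developed rule for the same hello-world binary, added here as an example (it is not from the referenced YARA documentation or the original files above): it shows the meta section, string modifiers, a hex pattern with a wildcard, a match-count reference and a file-type check in the condition. The libc symbol names and the 1MB size bound are assumptions about the compiled file, not facts from the page.

```yara
// Constructed example rule; it is not part of the original main.yara.
rule hello_world_elf
{
    meta:
        description = "Matches the hello-world ELF built from main.c"
        author      = "example (assumed)"

    strings:
        // Plain ASCII string, exact case (same literal as the simple rule).
        $greeting   = "Hello, world!" ascii
        // The same text as a hex pattern; '??' is a single wildcard byte.
        $hex_greet  = { 48 65 6C 6C 6F 2C 20 ?? 6F 72 6C 64 21 }
        // Also catch a UTF-16LE copy in any letter case, if one is present.
        $greet_wide = "Hello, world!" wide nocase
        // libc symbols from the dynamic string table (assumption: gcc often
        // rewrites printf("...\n") to puts, so either name may appear).
        $printf     = "printf" fullword ascii
        $puts       = "puts" fullword ascii

    condition:
        // ELF magic at offset 0 read as little-endian: 7F 45 4C 46.
        uint32(0) == 0x464C457F
        // Assumed upper bound on the size of a hello-world binary.
        and filesize < 1MB
        and ($greeting or $hex_greet or $greet_wide)
        // '#' is the number of matches; rule out files stuffed with the string.
        and #greeting < 5
        and ($printf or $puts)
}
```

Running `yara -s` with this rule against `main` prints every matched string with its offset, which makes it easy to confirm which of the alternative patterns actually fired.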