I'm on Mac os12.2.1 trying to run yara where it returns a match using basic hex string content.
Yara rule (file name: rulehexstr)
rule hex_new { strings: $hexnew = { 48 65 6c 6c 6f } condition: $hexnew }
For the yara file, I used echo -n "HELLO" | od -A n -t x1 > inputfile.
So, when I call yara rulehexstr inputfile, I expect output of hex_new inputfile, but it returns nothing.
How do I create a file that will return a match on the above rule?
My hex was wrong for uppercase letters. And using this post, I did
echo -n $'\x48\x45\x4c\x4c\x4f' > filehexstr-uppercase-hello.datThen, running
yara rulehexstr filehexstr-uppercase-hello.datreturnedhex_new filehexstr-uppercase-hello.dat.