원클릭으로 Manus에서 모든 스킬 실행

시작하기

yara-sigs

스타186

포크14

업데이트2026년 3월 13일 13:16

Scan a state snapshot's memory dumps with YARA signatures to detect packers, crypto constants, malware, and more

설치

Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.

Manus에서 실행

출처

dariushoule

dariushoule/x64dbg-skills

GitHub 저장소 열기 Creator 저장소 보기

다운로드

Manus에서 실행

yara-sigs

Scan debuggee memory (via a state snapshot) against a large YARA signature database to identify packers, crypto constants, anti-debug tricks, malware families, and more.

Instructions

Follow these steps exactly:

1. Check prerequisites

Run pip show yara-python via Bash. If not installed, tell the user to run pip install yara-python and stop. Run git --version via Bash. If not installed, tell the user to install Git and stop.

2. Ensure the YARA signature database is available

Check if the directory ${CLAUDE_PLUGIN_ROOT}\yarasigs exists (use dir). If it does not exist, clone it:

git clone --recurse-submodules https://github.com/x64dbg/yarasigs "${CLAUDE_PLUGIN_ROOT}\yarasigs"

If the directory exists but looks incomplete (missing Yara-Rules or citizenlab subdirectories), update submodules:

git -C "${CLAUDE_PLUGIN_ROOT}\yarasigs" submodule update --init --recursive

3. Determine what to scan for

The YARA database contains many rule categories. If the user specified what they want to scan for in their invocation, use that. Otherwise, ask the user what they want to scan for using AskUserQuestion with these options:

Packers & compilers — Detect packers (UPX, Themida, etc.) and compiler signatures
Crypto constants — Find cryptographic algorithm constants (AES S-boxes, RSA, MD5, etc.)
Anti-debug / anti-VM — Detect anti-debugging and anti-virtualization techniques
All signatures — Scan with every available rule (slower, more noise)

Map the selection to rule category paths:

Selection	Rule paths (relative to `yarasigs/`)
Packers & compilers	`packer.yara`, `packer_compiler_signatures.yara`, `Yara-Rules/packers/`
Crypto constants	`crypto_signatures.yara`, `Yara-Rules/crypto/`
Anti-debug / anti-VM	`Yara-Rules/antidebug_antivm/`
All signatures	All `.yar` and `.yara` files recursively

4. Obtain a snapshot to scan

Check if a recent snapshot exists in ${CLAUDE_PLUGIN_ROOT}\snapshots (use dir).

If snapshots exist, ask the user whether to use an existing snapshot or take a fresh one.
If no snapshots exist, tell the user you need to take a snapshot first.

To take a fresh snapshot, invoke the state-snapshot skill via Skill("state-snapshot"). After it completes, note the snapshot directory path.

5. Run the YARA scan

Execute the scan script:

python "${CLAUDE_PLUGIN_ROOT}\skills\yara-sigs\yara_scan.py" --snapshot-dir <snapshot_path> --yarasigs-dir "${CLAUDE_PLUGIN_ROOT}\yarasigs" --categories <category> [--module-filter <module_name>]

Where <category> is one of: packers, crypto, antidebug, or all.

Module filtering: If the user asks to focus on a specific module (e.g. the main executable), pass --module-filter <name> where <name> is a substring of the module name as shown in the memory map (e.g. secret_encryptor). This merges all of the module's sections into a single buffer before scanning, which is critical for YARA rules whose patterns span multiple PE sections (e.g. MD5 init constants in .text + T-table in .rdata). Always prefer using --module-filter when scanning a specific module rather than relying on per-region scanning.

The script writes results to <snapshot_path>/yara_results.json and prints a summary to stdout.

6. Report results

Read <snapshot_path>/yara_results.json if it exists and the stdout summary is not sufficient.

Present findings organized by:

Match summary — How many rules matched across how many memory regions
Matches by rule — Each matched rule name, its description/metadata, and which memory regions it hit (with base addresses and region info from memory_map.json)
Notable findings — Call out anything especially interesting (known packers, specific crypto algorithms, anti-debug patterns)

If no matches were found, tell the user and suggest trying a broader category (e.g., "all").

이 저장소의 다른 Skills

같은 저장소

state-snapshot

dariushoule/x64dbg-skills

Capture a full debuggee state snapshot (all committed memory regions + processor state) to disk for offline analysis

2026-03-13186

find-oep

dariushoule/x64dbg-skills

Smart trace-based OEP finder for packed/protected PE executables. Traces through packer stubs using intelligent stepping, anti-debug evasion, and heuristic OEP detection, then captures a state snapshot at the original entry point.

2026-03-11186

vuln-hunter

dariushoule/x64dbg-skills

Hunt for vulnerabilities in a running debuggee by analyzing imports/exports, triaging attack surface, and iteratively testing for bugs with PoC generation.

2026-03-11186

shellcode-analyzer

dariushoule/x64dbg-skills

Load, unpack, and analyze shellcode in x64dbg. Use this skill when the user wants to analyze shellcode, load a shellcode blob into a debugger, unpack encoded/encrypted shellcode, or perform static/dynamic analysis of shellcode payloads.

2026-03-05186

decompile

dariushoule/x64dbg-skills

Decompile a function to C-like pseudocode using angr

2026-02-12186

state-diff

dariushoule/x64dbg-skills

Compare two state snapshots to identify register and memory changes between two points in time

2026-02-12186

name	yara-sigs
description	Scan a state snapshot's memory dumps with YARA signatures to detect packers, crypto constants, malware, and more
allowed-tools	mcp__x64dbg__get_debugger_status, mcp__x64dbg__pause, mcp__x64dbg__disconnect, mcp__x64dbg__connect_to_session, Bash, Read, AskUserQuestion, Skill

yara-sigs

Scan debuggee memory (via a state snapshot) against a large YARA signature database to identify packers, crypto constants, anti-debug tricks, malware families, and more.

Instructions

Follow these steps exactly:

1. Check prerequisites

Run pip show yara-python via Bash. If not installed, tell the user to run pip install yara-python and stop. Run git --version via Bash. If not installed, tell the user to install Git and stop.

2. Ensure the YARA signature database is available

Check if the directory ${CLAUDE_PLUGIN_ROOT}\yarasigs exists (use dir). If it does not exist, clone it:

git clone --recurse-submodules https://github.com/x64dbg/yarasigs "${CLAUDE_PLUGIN_ROOT}\yarasigs"

If the directory exists but looks incomplete (missing Yara-Rules or citizenlab subdirectories), update submodules:

git -C "${CLAUDE_PLUGIN_ROOT}\yarasigs" submodule update --init --recursive

3. Determine what to scan for

Packers & compilers — Detect packers (UPX, Themida, etc.) and compiler signatures
Crypto constants — Find cryptographic algorithm constants (AES S-boxes, RSA, MD5, etc.)
Anti-debug / anti-VM — Detect anti-debugging and anti-virtualization techniques
All signatures — Scan with every available rule (slower, more noise)

Map the selection to rule category paths:

Selection	Rule paths (relative to `yarasigs/`)
Packers & compilers	`packer.yara`, `packer_compiler_signatures.yara`, `Yara-Rules/packers/`
Crypto constants	`crypto_signatures.yara`, `Yara-Rules/crypto/`
Anti-debug / anti-VM	`Yara-Rules/antidebug_antivm/`
All signatures	All `.yar` and `.yara` files recursively

4. Obtain a snapshot to scan

Check if a recent snapshot exists in ${CLAUDE_PLUGIN_ROOT}\snapshots (use dir).

If snapshots exist, ask the user whether to use an existing snapshot or take a fresh one.
If no snapshots exist, tell the user you need to take a snapshot first.

To take a fresh snapshot, invoke the state-snapshot skill via Skill("state-snapshot"). After it completes, note the snapshot directory path.

5. Run the YARA scan

Execute the scan script:

python "${CLAUDE_PLUGIN_ROOT}\skills\yara-sigs\yara_scan.py" --snapshot-dir <snapshot_path> --yarasigs-dir "${CLAUDE_PLUGIN_ROOT}\yarasigs" --categories <category> [--module-filter <module_name>]

Where <category> is one of: packers, crypto, antidebug, or all.

The script writes results to <snapshot_path>/yara_results.json and prints a summary to stdout.

6. Report results

Read <snapshot_path>/yara_results.json if it exists and the stdout summary is not sufficient.

Present findings organized by:

Match summary — How many rules matched across how many memory regions
Matches by rule — Each matched rule name, its description/metadata, and which memory regions it hit (with base addresses and region info from memory_map.json)
Notable findings — Call out anything especially interesting (known packers, specific crypto algorithms, anti-debug patterns)

If no matches were found, tell the user and suggest trying a broader category (e.g., "all").