{"id":8569,"date":"2020-01-26T17:32:09","date_gmt":"2020-01-26T12:02:09","guid":{"rendered":"http:\/\/kalilinuxtutorials.com\/?p=8569"},"modified":"2020-01-26T17:32:09","modified_gmt":"2020-01-26T12:02:09","slug":"yarasafe","status":"publish","type":"post","link":"https:\/\/kalilinuxtutorials.com\/yarasafe\/","title":{"rendered":"Yarasafe : SAFE Embeddings To Match Functions In Yara"},"content":{"rendered":"\n<p><strong>YARASAFE <\/strong>is for automatic binary function similarity checks with Yara. SAFE is a tool for creating binary function embeddings, developed by Massarelli L., Di Luna G.A., Petroni F., Querzoni L. and Baldoni R. You can use SAFE to create function embeddings to use inside yara rules.<\/p>\n\n\n\n<p>If you are interested, take a look at our research paper: https:\/\/arxiv.org\/abs\/1811.05296. If you are using this for your research, please cite:<\/p>\n\n\n\n<p class=\"has-text-color has-background has-vivid-green-cyan-color has-very-dark-gray-background-color\"><strong>@inproceedings{massarelli2018safe,<br>   title={SAFE: Self-Attentive Function Embeddings for Binary Similarity},<br>   author={Massarelli, Luca and Di Luna, Giuseppe Antonio and Petroni, Fabio and Querzoni, Leonardo and Baldoni, Roberto},<br>   booktitle={Proceedings of 16th Conference on Detection of Intrusions and Malware &amp; Vulnerability Assessment (DIMVA)},<br>   year={2019}<br> }<\/strong><\/p>\n\n\n\n<p>This is not the code for reproducing the experiments in the paper. If you are interested in that, take a look at: https:\/\/github.com\/gadiluna\/SAFE<\/p>\n\n\n\n<p class=\"has-background has-text-align-center has-light-green-cyan-background-color\"><strong>Introduction<\/strong><\/p>\n\n\n\n<p>Using yarasafe you can easily create signatures for binary functions without looking at the assembly code at all! 
You just need to install the IDA Pro plugin that you find in the IDA Pro plugin folder of this repository.<\/p>\n\n\n\n<p>Once you have installed the plugin you can start creating embeddings for the functions you want to match. These embeddings can be inserted into yara rules to match functions using yara. <\/p>\n\n\n\n<p>To create a powerful rule, you can combine multiple function embeddings with standard yara rules. In this repository you will find the plugin for IDA Pro, and the yarasafe module.<\/p>\n\n\n\n<p>Yarasafe can match functions with more than 50 instructions and fewer than 150.<\/p>\n\n\n\n<p class=\"has-background has-text-align-center has-light-green-cyan-background-color\"><strong>Requirements<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>python3<\/li><li>radare2<\/li><li>jansson<\/li><\/ul>\n\n\n\n<p class=\"has-background has-text-align-center has-light-green-cyan-background-color\"><strong><a href=\"https:\/\/github.com\/lucamassarelli\/yarasafe#quickstart\"><\/a>Quickstart<\/strong><\/p>\n\n\n\n<p>First of all, install the IDA Pro plugin. You can find the instructions for doing it in the ida-pro-plugin folder of this repository. 
Then you can use our docker container or build yara with the yarasafe module.<\/p>\n\n\n\n<p class=\"has-background has-text-align-center has-light-green-cyan-background-color\"><strong><a href=\"https:\/\/github.com\/lucamassarelli\/yarasafe#docker\"><\/a>Docker<\/strong><\/p>\n\n\n\n<p>The fastest way to use yarasafe is to use our docker container.<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Pull the image:<\/li><\/ul>\n\n\n\n<p class=\"has-text-color has-background has-vivid-green-cyan-color has-very-dark-gray-background-color\"><strong>docker pull massarelli\/yarasafe<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Start the container, mounting the folder that contains the rule and the file to analyze:<\/li><\/ul>\n\n\n\n<p class=\"has-text-color has-background has-vivid-green-cyan-color has-very-dark-gray-background-color\"><strong>docker run -v {FOLDER_TO_MOUNT}:\/home\/yarasafe\/test -it massarelli\/yarasafe bash<\/strong><\/p>\n\n\n\n<p>Launch yara inside the container with your rule!<\/p>\n\n\n\n<p class=\"has-background has-text-align-center has-light-green-cyan-background-color\"><strong>Ubuntu<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Clone the repository:<\/li><\/ul>\n\n\n\n<p class=\"has-text-color has-background has-vivid-green-cyan-color has-very-dark-gray-background-color\"><strong>git clone https:\/\/github.com\/lucamassarelli\/yarasafe.git<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Install yara dependencies:<\/li><\/ul>\n\n\n\n<p class=\"has-text-color has-background has-vivid-green-cyan-color has-very-dark-gray-background-color\"><strong>sudo apt-get install automake libtool make gcc flex bison <br>sudo apt-get install libjansson-dev<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Install radare2 on your system:<\/li><\/ul>\n\n\n\n<p class=\"has-text-color has-background has-vivid-green-cyan-color has-very-dark-gray-background-color\"><strong>git clone https:\/\/github.com\/radare\/radare2.git<br> cd radare2<br> 
.\/sys\/install.sh<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Install yarasafe dependencies:<\/li><\/ul>\n\n\n\n<p class=\"has-text-color has-background has-vivid-green-cyan-color has-very-dark-gray-background-color\"><strong>cd yarasafe\/python_script<br> pip3 install -r requirements.txt<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Compile:<\/li><\/ul>\n\n\n\n<p class=\"has-text-color has-background has-vivid-green-cyan-color has-very-dark-gray-background-color\"><strong>.\/bootstrap.sh<br> .\/configure<br> make<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Export environment variable:<\/li><\/ul>\n\n\n\n<p class=\"has-text-color has-background has-vivid-green-cyan-color has-very-dark-gray-background-color\"><strong>export YARAPYSCRIPT={PATH_TO_YARASAFE_REPO}\/python_script<\/strong><\/p>\n\n\n\n<p class=\"has-background has-text-align-center has-light-green-cyan-background-color\"><strong>MacOS<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Clone the repository:<\/li><\/ul>\n\n\n\n<p class=\"has-text-color has-background has-vivid-green-cyan-color has-very-dark-gray-background-color\"><strong>git clone https:\/\/github.com\/lucamassarelli\/yarasafe.git<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Install yara dependencies:<\/li><\/ul>\n\n\n\n<p class=\"has-text-color has-background has-vivid-green-cyan-color has-very-dark-gray-background-color\"><strong>brew install automake libtool flex bison <br>brew install jansson<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Install radare2 on your system:<\/li><\/ul>\n\n\n\n<p class=\"has-text-color has-background has-vivid-green-cyan-color has-very-dark-gray-background-color\"><strong>git clone https:\/\/github.com\/radare\/radare2.git<br> cd radare2<br> .\/sys\/install.sh<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Install yarasafe dependencies:<\/li><\/ul>\n\n\n\n<p class=\"has-text-color has-background has-vivid-green-cyan-color 
has-very-dark-gray-background-color\"><strong>cd yarasafe\/python_script<br> pip3 install -r requirements.txt<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Compile:<\/li><\/ul>\n\n\n\n<p class=\"has-text-color has-background has-vivid-green-cyan-color has-very-dark-gray-background-color\"><strong>.\/bootstrap.sh<br> .\/configure<br> make<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Export environment variable:<\/li><\/ul>\n\n\n\n<p class=\"has-text-color has-background has-vivid-green-cyan-color has-very-dark-gray-background-color\"><strong>export YARAPYSCRIPT={PATH_TO_YARASAFE_REPO}\/python_script<\/strong><\/p>\n\n\n\n<p class=\"has-background has-text-align-center has-light-green-cyan-background-color\"><strong>Testing<\/strong><\/p>\n\n\n\n<p>Inside the folder rules you can find the rule sample_safe_rule.yar. This rule should trigger with any PE file:<\/p>\n\n\n\n<p class=\"has-text-color has-background has-vivid-green-cyan-color has-very-dark-gray-background-color\"><strong>yara {PATH_TO_YARASAFE_REPO}\/rules\/sample_safe_rule.yar {FILES}<\/strong><\/p>\n\n\n\n<p class=\"has-background has-text-align-center has-light-green-cyan-background-color\"><strong>How to write your rule<\/strong><\/p>\n\n\n\n<p>To create your safe-yara-rule, you first need to create the embeddings for your function. In order to accomplish this, you can use the IDA Pro plugin shipped within this repository. <\/p>\n\n\n\n<p>Inside the folder ida-pro-plugin you can find all the information on how to run the plugin!<\/p>\n\n\n\n<p>Once you get the embeddings for your functions, you just need to create the rule. 
An example of safe-yara-rule is:<\/p>\n\n\n\n<p class=\"has-text-color has-background has-vivid-green-cyan-color has-very-dark-gray-background-color\"><strong>import &quot;safe&quot;<br> rule example<br> {<br>     meta:<br>         description = &quot;This is just an example&quot;<br>         threat_level = 3<br>         in_the_wild = true<br>     condition:<br>     safe.similarity(&quot;[-0.02724416,0.00640265,0.01138294,-0.07013566,0.00306808,-0.09757628,0.10414989,-0.13555837,-0.07873314,-0.00725415,-0.01418876,-0.05907412,-0.12452127,0.06237456,0.02260636,-0.06013175,0.11689295,-0.00200026,-0.03594812,0.07857288,-0.00288544,0.01148411,0.00891006,0.04702956,0.1205316,0.0079077,-0.07449158,0.00653283,0.15414064,0.13021031,0.01325423,-0.35491243,-0.00992016,-0.21460094,0.0558461,-0.07761839,-0.10909985,-0.05616508,0.01800609,0.06736821,0.00308393,0.04241242,-0.08351246,0.13501632,-0.10729794,-0.10229874,0.00066896,-0.01963937,0.05516102,-0.01612499,-0.09743191,-0.0314435,-0.01470971,-0.00125769,-0.01774654,0.2332938,0.14166495,0.16998142,-0.04843156,-0.08931472,0.13102795,0.14147657,0.02275739,-0.04335862,0.05724025,0.03936686,-0.10526938,-0.11637416,-0.0112917,0.05484914,-0.06934103,0.2543144,-0.17833991,-0.00828893,0.00174531,-0.03048271,-0.04773486,0.095866,-0.14434388,0.11433239,-0.10749247,0.03952292,0.03988512,-0.11541581,-0.07812429,-0.04978319,0.32052052,-0.0497911,-0.13022986,0.02477266,-0.05968329,0.01724695,0.01577485,-0.0497415,0.24494685,0.00361651,-0.08172874,-0.07473877,-0.01046288,0.02298573]&quot;) &gt; 0.95<br><br>}<\/strong><\/p>\n\n\n\n<p>The rule will be satisfied if inside the sample there is at least one function whose similarity with the target is more than 0.95.<\/p>\n\n\n\n<p class=\"has-background has-text-align-center has-light-green-cyan-background-color\"><strong>Adding safe to your version of yara<\/strong><\/p>\n\n\n\n<p>If you want to add safe to your yara repository:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Install all 
dependencies<\/li><li>Copy the file libyara\/modules\/safe.c into your_rep\/libyara\/modules\/safe.c<\/li><li>Copy the folder libyara\/include\/python into your_rep\/libyara\/include<\/li><li>At the end of libyara\/modules\/module_list add MODULE(safe)<\/li><li>Modify libyara\/Makefile.am:<br><ul><li><strong>after the line:<\/strong><br>libyara_la_LDFLAGS = -version-number 3:8:1<br><\/li><\/ul><ul><li><strong>add:<\/strong><br>libyara_la_LDFLAGS += -LPATH_TO_PYTHON3.*_LIB -lpython3.*m -ljansson <br><\/li><\/ul><\/li><li>Compile!<\/li><\/ul>\n\n\n\n<div class=\"wp-block-button aligncenter is-style-outline is-style-outline--1\"><a class=\"wp-block-button__link has-background has-vivid-cyan-blue-background-color\" href=\"https:\/\/github.com\/lucamassarelli\/yarasafe\"><strong>Download<\/strong><\/a><\/div>\n","protected":false},"excerpt":{"rendered":"<p>YARASAFE is for automatic binary function similarity checks with Yara. SAFE is a tool developed to create Binary Functions Embedding developed by Massarelli L., Di Luna G.A., Petroni F., Querzoni L. and Baldoni R. You can use SAFE to create your function embedding to use inside yara rules. 
If you are interested take a look [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":16062,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/1.bp.blogspot.com\/-6JkKe6MOuC0\/XiscCu8H_GI\/AAAAAAAAEmU\/9wIcEFFurskmVCISk1LSF5tjiaeiVGj8QCLcBGAsYHQ\/s1600\/yara-logo.png","fifu_image_alt":"Yarasafe : SAFE Embeddings To Match Functions In Yara","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[28],"tags":[1033,2920,3861,3864],"class_list":["post-8569","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-kali","tag-embeddings","tag-safe","tag-yara","tag-yarasafe"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Yarasafe : SAFE Embeddings To Match Functions In Yara<\/title>\n<meta name=\"description\" content=\"YARASAFE is for automatic binary function similarity checks with Yara.SAFE is a tool developed to create Binary Functions Embedding developed by Massarelli\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/kalilinuxtutorials.com\/yarasafe\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Yarasafe : SAFE Embeddings To Match Functions In Yara\" \/>\n<meta property=\"og:description\" content=\"YARASAFE is for automatic binary function similarity checks with Yara.SAFE is a tool developed to create Binary Functions Embedding developed by Massarelli\" \/>\n<meta property=\"og:url\" content=\"https:\/\/kalilinuxtutorials.com\/yarasafe\/\" \/>\n<meta property=\"og:site_name\" content=\"Kali Linux Tutorials\" \/>\n<meta property=\"article:published_time\" content=\"2020-01-26T12:02:09+00:00\" \/>\n<meta 
property=\"og:image\" content=\"https:\/\/1.bp.blogspot.com\/-6JkKe6MOuC0\/XiscCu8H_GI\/AAAAAAAAEmU\/9wIcEFFurskmVCISk1LSF5tjiaeiVGj8QCLcBGAsYHQ\/s1600\/yara-logo.png\" \/>\n<meta name=\"author\" content=\"R K\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/1.bp.blogspot.com\/-6JkKe6MOuC0\/XiscCu8H_GI\/AAAAAAAAEmU\/9wIcEFFurskmVCISk1LSF5tjiaeiVGj8QCLcBGAsYHQ\/s1600\/yara-logo.png\" \/>\n<meta name=\"twitter:creator\" content=\"@CyberEdition\" \/>\n<meta name=\"twitter:site\" content=\"@CyberEdition\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"R K\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/yarasafe\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/yarasafe\/\"},\"author\":{\"name\":\"R K\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/69444b58b9e267a4cf08fceb34b6f6ad\"},\"headline\":\"Yarasafe : SAFE Embeddings To Match Functions In Yara\",\"datePublished\":\"2020-01-26T12:02:09+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/yarasafe\/\"},\"wordCount\":794,\"publisher\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/yarasafe\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/1.bp.blogspot.com\/-6JkKe6MOuC0\/XiscCu8H_GI\/AAAAAAAAEmU\/9wIcEFFurskmVCISk1LSF5tjiaeiVGj8QCLcBGAsYHQ\/s1600\/yara-logo.png\",\"keywords\":[\"Embeddings\",\"SAFE\",\"YARA\",\"Yarasafe\"],\"articleSection\":[\"Kali 
Linux\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/yarasafe\/\",\"url\":\"https:\/\/kalilinuxtutorials.com\/yarasafe\/\",\"name\":\"Yarasafe : SAFE Embeddings To Match Functions In Yara\",\"isPartOf\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/yarasafe\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/yarasafe\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/1.bp.blogspot.com\/-6JkKe6MOuC0\/XiscCu8H_GI\/AAAAAAAAEmU\/9wIcEFFurskmVCISk1LSF5tjiaeiVGj8QCLcBGAsYHQ\/s1600\/yara-logo.png\",\"datePublished\":\"2020-01-26T12:02:09+00:00\",\"description\":\"YARASAFE is for automatic binary function similarity checks with Yara.SAFE is a tool developed to create Binary Functions Embedding developed by Massarelli\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/kalilinuxtutorials.com\/yarasafe\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/yarasafe\/#primaryimage\",\"url\":\"https:\/\/1.bp.blogspot.com\/-6JkKe6MOuC0\/XiscCu8H_GI\/AAAAAAAAEmU\/9wIcEFFurskmVCISk1LSF5tjiaeiVGj8QCLcBGAsYHQ\/s1600\/yara-logo.png\",\"contentUrl\":\"https:\/\/1.bp.blogspot.com\/-6JkKe6MOuC0\/XiscCu8H_GI\/AAAAAAAAEmU\/9wIcEFFurskmVCISk1LSF5tjiaeiVGj8QCLcBGAsYHQ\/s1600\/yara-logo.png\"},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#website\",\"url\":\"https:\/\/kalilinuxtutorials.com\/\",\"name\":\"Kali Linux Tutorials\",\"description\":\"Kali Linux 
Tutorials\",\"publisher\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/kalilinuxtutorials.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#organization\",\"name\":\"Kali Linux Tutorials\",\"url\":\"https:\/\/kalilinuxtutorials.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/07\/Kali.png\",\"contentUrl\":\"https:\/\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/07\/Kali.png\",\"width\":272,\"height\":90,\"caption\":\"Kali Linux Tutorials\"},\"image\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/CyberEdition\",\"https:\/\/www.threads.com\/@cybersecurityedition\",\"https:\/\/www.linkedin.com\/company\/cyberedition\",\"https:\/\/www.instagram.com\/cybersecurityedition\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/69444b58b9e267a4cf08fceb34b6f6ad\",\"name\":\"R K\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d3937c9687f2da11bc0a716404ff91779fe19ca115208dbf66167ad353aca5aa?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d3937c9687f2da11bc0a716404ff91779fe19ca115208dbf66167ad353aca5aa?s=96&d=mm&r=g\",\"caption\":\"R K\"},\"url\":\"https:\/\/kalilinuxtutorials.com\/author\/ranjith\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Yarasafe : SAFE Embeddings To Match Functions In Yara","description":"YARASAFE is for automatic binary function similarity checks with Yara.SAFE is a tool developed to create Binary Functions Embedding developed by Massarelli","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/kalilinuxtutorials.com\/yarasafe\/","og_locale":"en_US","og_type":"article","og_title":"Yarasafe : SAFE Embeddings To Match Functions In Yara","og_description":"YARASAFE is for automatic binary function similarity checks with Yara.SAFE is a tool developed to create Binary Functions Embedding developed by Massarelli","og_url":"https:\/\/kalilinuxtutorials.com\/yarasafe\/","og_site_name":"Kali Linux Tutorials","article_published_time":"2020-01-26T12:02:09+00:00","og_image":[{"url":"https:\/\/1.bp.blogspot.com\/-6JkKe6MOuC0\/XiscCu8H_GI\/AAAAAAAAEmU\/9wIcEFFurskmVCISk1LSF5tjiaeiVGj8QCLcBGAsYHQ\/s1600\/yara-logo.png","type":"","width":"","height":""}],"author":"R K","twitter_card":"summary_large_image","twitter_image":"https:\/\/1.bp.blogspot.com\/-6JkKe6MOuC0\/XiscCu8H_GI\/AAAAAAAAEmU\/9wIcEFFurskmVCISk1LSF5tjiaeiVGj8QCLcBGAsYHQ\/s1600\/yara-logo.png","twitter_creator":"@CyberEdition","twitter_site":"@CyberEdition","twitter_misc":{"Written by":"R K","Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/kalilinuxtutorials.com\/yarasafe\/#article","isPartOf":{"@id":"https:\/\/kalilinuxtutorials.com\/yarasafe\/"},"author":{"name":"R K","@id":"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/69444b58b9e267a4cf08fceb34b6f6ad"},"headline":"Yarasafe : SAFE Embeddings To Match Functions In Yara","datePublished":"2020-01-26T12:02:09+00:00","mainEntityOfPage":{"@id":"https:\/\/kalilinuxtutorials.com\/yarasafe\/"},"wordCount":794,"publisher":{"@id":"https:\/\/kalilinuxtutorials.com\/#organization"},"image":{"@id":"https:\/\/kalilinuxtutorials.com\/yarasafe\/#primaryimage"},"thumbnailUrl":"https:\/\/1.bp.blogspot.com\/-6JkKe6MOuC0\/XiscCu8H_GI\/AAAAAAAAEmU\/9wIcEFFurskmVCISk1LSF5tjiaeiVGj8QCLcBGAsYHQ\/s1600\/yara-logo.png","keywords":["Embeddings","SAFE","YARA","Yarasafe"],"articleSection":["Kali Linux"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/kalilinuxtutorials.com\/yarasafe\/","url":"https:\/\/kalilinuxtutorials.com\/yarasafe\/","name":"Yarasafe : SAFE Embeddings To Match Functions In Yara","isPartOf":{"@id":"https:\/\/kalilinuxtutorials.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/kalilinuxtutorials.com\/yarasafe\/#primaryimage"},"image":{"@id":"https:\/\/kalilinuxtutorials.com\/yarasafe\/#primaryimage"},"thumbnailUrl":"https:\/\/1.bp.blogspot.com\/-6JkKe6MOuC0\/XiscCu8H_GI\/AAAAAAAAEmU\/9wIcEFFurskmVCISk1LSF5tjiaeiVGj8QCLcBGAsYHQ\/s1600\/yara-logo.png","datePublished":"2020-01-26T12:02:09+00:00","description":"YARASAFE is for automatic binary function similarity checks with Yara.SAFE is a tool developed to create Binary Functions Embedding developed by 
Massarelli","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/kalilinuxtutorials.com\/yarasafe\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/kalilinuxtutorials.com\/yarasafe\/#primaryimage","url":"https:\/\/1.bp.blogspot.com\/-6JkKe6MOuC0\/XiscCu8H_GI\/AAAAAAAAEmU\/9wIcEFFurskmVCISk1LSF5tjiaeiVGj8QCLcBGAsYHQ\/s1600\/yara-logo.png","contentUrl":"https:\/\/1.bp.blogspot.com\/-6JkKe6MOuC0\/XiscCu8H_GI\/AAAAAAAAEmU\/9wIcEFFurskmVCISk1LSF5tjiaeiVGj8QCLcBGAsYHQ\/s1600\/yara-logo.png"},{"@type":"WebSite","@id":"https:\/\/kalilinuxtutorials.com\/#website","url":"https:\/\/kalilinuxtutorials.com\/","name":"Kali Linux Tutorials","description":"Kali Linux Tutorials","publisher":{"@id":"https:\/\/kalilinuxtutorials.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/kalilinuxtutorials.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/kalilinuxtutorials.com\/#organization","name":"Kali Linux Tutorials","url":"https:\/\/kalilinuxtutorials.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/kalilinuxtutorials.com\/#\/schema\/logo\/image\/","url":"https:\/\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/07\/Kali.png","contentUrl":"https:\/\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/07\/Kali.png","width":272,"height":90,"caption":"Kali Linux Tutorials"},"image":{"@id":"https:\/\/kalilinuxtutorials.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/CyberEdition","https:\/\/www.threads.com\/@cybersecurityedition","https:\/\/www.linkedin.com\/company\/cyberedition","https:\/\/www.instagram.com\/cybersecurityedition\/"]},{"@type":"Person","@id":"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/69444b58b9e267a4cf08fceb34b6f6ad","name":"R 
K","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/d3937c9687f2da11bc0a716404ff91779fe19ca115208dbf66167ad353aca5aa?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d3937c9687f2da11bc0a716404ff91779fe19ca115208dbf66167ad353aca5aa?s=96&d=mm&r=g","caption":"R K"},"url":"https:\/\/kalilinuxtutorials.com\/author\/ranjith\/"}]}},"jetpack_featured_media_url":"https:\/\/1.bp.blogspot.com\/-6JkKe6MOuC0\/XiscCu8H_GI\/AAAAAAAAEmU\/9wIcEFFurskmVCISk1LSF5tjiaeiVGj8QCLcBGAsYHQ\/s1600\/yara-logo.png","jetpack_sharing_enabled":true}