“A good analysts asks himself “could this pattern serve as a signature?”.
Convert ascii to hex:
echo -n "text" | xxd -ps | sed 's/[[:xdigit:]]\{2\}/\\x&/g'Convert hex to ascii:
echo "6162636465666768696a6b6c6d6e6f707172737475767778797a0a" | xxd -p -rPrint out string to hex yara friendly:
echo -n "whats" | xxd -ps | sed 's/\([[:digit:]]\{2\}\)/ \1/g'Rule:
rule FindWhats
{
strings:
$s1 = {77 68 61 74 73}
condition:
any of s*
}