UnpacMe provides a full YARA rule management system complete with a rule editor, validator, and private rule repository. In general UnpacMe supports the current stable YARA version though with some additional limitations. Detailed documentation for the features supported can be found in the latest YARA documentation.
Limitations
- Only one YARA rule is permitted per rule definition. Multiple rules bundled in a single file will be rejected during validation.
- Rules cannot use include statements. Searches only have access to the submitted rule.
- Only the following YARA modules are supported; pe, math, magic, hash, and dotnet.
Rule Editor
The integrated YARA rule editor is a full-featured rich text editor that supports syntax highlighting and type suggestions. The rule editor also supports optional Rule Validation.
The editor can be placed in fullscreen mode by pressing the [esc] key or the fullscreen button in the top right corner of the editor. Press the [esc] key again to escape fullscreen mode.
The rule name bar at the top of the editor will automatically capture the name of the rule in the editor and can also be updated to use a custom name. An optional description field is also available to capture notes about the rule.
Editor Keyboard Shortcuts
Editor Operations
| Windows/Linux | Mac | Action |
|---|---|---|
| ESC | ESC | Fullscreen |
| Ctrl-S | Command-S | Save file |
Line Operations
| Windows/Linux | Mac | Action |
|---|---|---|
| Ctrl-D | Command-D | Remove line |
| Alt-Shift-Down | Command-Option-Down | Copy lines down |
| Alt-Shift-Up | Command-Option-Up | Copy lines up |
| Alt-Down | Option-Down | Move lines down |
| Alt-Up | Option-Up | Move lines up |
| Alt-Delete | Ctrl-K | Remove to line end |
| Alt-Backspace | Command-Backspace | Remove to linestart |
| Ctrl-Backspace | Option-Backspace, Ctrl-Option-Backspace | Remove word left |
| Ctrl-Delete | Option-Delete | Remove word right |
Selection
| Windows/Linux | Mac | Action |
|---|---|---|
| Ctrl-A | Command-A | Select all |
| Shift-Left | Shift-Left | Select left |
| Shift-Right | Shift-Right | Select right |
| Ctrl-Shift-Left | Option-Shift-Left | Select word left |
| Ctrl-Shift-Right | Option-Shift-Right | Select word right |
| Shift-Home | Shift-Home | Select line start |
| Shift-End | Shift-End | Select line end |
| Alt-Shift-Right | Command-Shift-Right | Select to line end |
| Alt-Shift-Left | Command-Shift-Left | Select to line start |
| Shift-Up | Shift-Up | Select up |
| Shift-Down | Shift-Down | Select down |
| Shift-PageUp | Shift-PageUp | Select page up |
| Shift-PageDown | Shift-PageDown | Select page down |
| Ctrl-Shift-Home | Command-Shift-Up | Select to start |
| Ctrl-Shift-End | Command-Shift-Down | Select to end |
| Ctrl-Shift-D | Command-Shift-D | Duplicate selection |
| Ctrl-Shift-M | Ctrl-Shift-M | Expand to matching |
| Ctrl-, Ctrl-P | Command-\ | Jump to matching |
| Ctrl-Shift-, Ctrl-Shift-P | Command-Shift-\ | Select to matching |
| Ctrl-Shift-L | Command-Shift-L | Expand to line |
Multicursor
| Windows/Linux | Mac | Action |
|---|---|---|
| Ctrl-Alt-Up | Ctrl-Option-Up | Add cursor above |
| Ctrl-Alt-Down | Ctrl-Option-Down | Add cursor below |
| Ctrl-Alt-Right | Ctrl-Option-Right | Add next occurrence to multi-selection |
| Ctrl-Alt-Left | Ctrl-Option-Left | Add previous occurrence to multi-selection |
| Ctrl-Alt-Shift-Up | Ctrl-Option-Shift-Up | Move multicursor from current line to the line above |
| Ctrl-Alt-Shift-Down | Ctrl-Option-Shift-Down | Move multicursor from current line to the line below |
| Ctrl-Alt-Shift-Right | Ctrl-Option-Shift-Right | Remove current occurrence from multi-selection and move to next |
| Ctrl-Alt-Shift-Left | Ctrl-Option-Shift-Left | Remove current occurrence from multi-selection and move to previous |
| Ctrl-Shift-L | Ctrl-Shift-L | Select all from multi-selection |
| Ctrl-Alt-A | Ctrl-Alt-A | Align cursors |
Go to
| Windows/Linux | Mac | Action |
|---|---|---|
| Left | Left, Ctrl-B | Go to left |
| Right | Right, Ctrl-F | Go to right |
| Ctrl-Left | Option-Left | Go to word left |
| Ctrl-Right | Option-Right | Go to word right |
| Up | Up, Ctrl-P | Go line up |
| Down | Down, Ctrl-N | Go line down |
| Alt-Left, Home | Command-Left, Home, Ctrl-A | Go to line start |
| Alt-Right, End | Command-Right, End, Ctrl-E | Go to line end |
| PageUp | Option-PageUp | Go to page up |
| PageDown | Option-PageDown, Ctrl-V | Go to page down |
| Ctrl-Home | Command-Home, Command-Up | Go to start |
| Ctrl-End | Command-End, Command-Down | Go to end |
| Ctrl-L | Command-L | Go to line... |
| Ctrl-Down | Command-Down | Scroll line down |
| Alt-E | F4 | Go to next error |
| Alt-Shift-E | Shift-F4 | Go to previous error |
Rule Revisions
YARA rules are automatically versioned as changes are made to the rule. The expandable revisions panel on the left of the editor can be used to quickly view and manage the revisions. Clicking on a revision will display the revision rule in the editor.
Any change to an existing rule will automatically create a temporary new revision though this revision is not automatically saved. Saving the changes will save the new revision and add it to the revision tree. The revisions tree has two important concepts, the Current View, and the Active Revision.
Current View
The current view is the revision that is displayed in the editor. The current view can be used to browse rule revisions. Viewing the revisions will not change the Active Revision.
Active Revision
The Active Revision is the revision of the rule that represents the current state of the rule. The Active Revision is always the last saved revision of the rule. To revert to a previous revision of the rule simply click the desired revision to display it in the Current View, then click save to set it as the Active Revision.
Shared Rules
YARA rules can be shared by clicking the Shared toggle in the rule editor. This will open a Share Rule Revisions dialogue which enable specific revisions of the rule to be shared. When a rule is shared it is added to the Community YARA Rules list and is publicly available to all users.
Enterprise Note: Only Enterprise Administrators can share and un-share enterprise rules.