Halogen is a tool to automate the creation of yara rules against image files embedded within a malicious document.
Halogen help
python3 halogen.py -h
usage: halogen.py [-h] [-f FILE] [-d DIR] [-n NAME] [--png-idat] [--jpg-sos]

Halogen: Automatically create yara rules based on images embedded in office
documents.

optional arguments:
  -h, --help            show this help message and exit
  -f FILE, --file FILE  File to parse
  -d DIR, --directory DIR
                        directory to scan for image files.
  -n NAME, --rule-name NAME
                        specify a custom name for the rule file
  --png-idat            For PNG matches, instead of starting with the PNG file
                        header, start with the IDAT chunk.
  --jpg-sos             For JPG matches, skip over the header and look for the
                        Start of Scan marker, and begin the match there.
Testing it out
We've included some test document files with embedded images for you to test this out with. Running
python3 halogen/halogen.py -d tests/ > /tmp/halogen_test.yara
will produce the test yara file containing all images found within the files inside the tests/ directory.
From here you can run
yara -s /tmp/halogen_test.yara tests/
and observe which images match which files.
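As an added example (not Halogen's own code), the script below shows the mechanics the help text describes: pull the images out of an OOXML document's media folder, choose the match offset (the file header by default, the IDAT chunk with --png-idat, the Start of Scan marker with --jpg-sos), and emit a yara rule whose hex string starts at that offset. The sample PNG, JPEG and .docx bytes are constructed and the function names are assumptions.

```python
import io
import struct
import zipfile

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPG_SOI = b"\xff\xd8"

# Constructed sample images (assumption): the chunk/segment layout is valid enough to walk,
# but CRCs are zeroed and neither file would render.
SAMPLE_PNG = (PNG_SIG
              + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17                  # IHDR: 13 data + 4 crc
              + b"\x00\x00\x00\x04IDAT" + b"\xde\xad\xbe\xef" + b"\x00" * 4
              + b"\x00\x00\x00\x00IEND" + b"\x00" * 4)
SAMPLE_JPG = (JPG_SOI
              + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 9                # APP0 segment, length 16
              + b"\xff\xda\x00\x0c" + b"\x00" * 10                       # SOS header, length 12
              + b"\x12\x34\x56\x78")                                     # entropy-coded scan data

def sample_docx() -> bytes:
    """Constructed .docx-shaped zip; OOXML keeps embedded images under */media/."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/media/image1.png", SAMPLE_PNG)
    return buf.getvalue()

def images_in_office_doc(doc: bytes) -> dict:
    with zipfile.ZipFile(io.BytesIO(doc)) as z:
        return {n: z.read(n) for n in z.namelist() if "/media/" in n}

def match_start(data: bytes, png_idat=False, jpg_sos=False) -> int:
    """Offset where the hex string begins: 0 (file header) unless a flag finds its marker."""
    if data.startswith(PNG_SIG):
        pos = len(PNG_SIG)
        while png_idat and pos + 8 <= len(data):
            length, tag = struct.unpack(">I4s", data[pos:pos + 8])
            if tag == b"IDAT":
                return pos + 4          # skip the 4-byte length field, start at the 'IDAT' tag
            pos += 12 + length          # length + tag + data + crc
        return 0                        # no flag, or no IDAT chunk found: fall back to the header
    if data.startswith(JPG_SOI):
        pos = 2
        while jpg_sos and pos + 4 <= len(data):
            marker, seglen = struct.unpack(">2sH", data[pos:pos + 4])
            if marker == b"\xff\xda":
                return pos              # Start of Scan marker
            pos += 2 + seglen           # marker + length-prefixed segment (no standalone markers assumed)
        return 0
    raise ValueError("not a PNG or JPEG")

def yara_rule(name: str, data: bytes, start: int, nbytes: int = 32) -> str:
    hexstr = " ".join(f"{b:02x}" for b in data[start:start + nbytes])
    return f"rule {name} {{\n  strings:\n    $img = {{ {hexstr} }}\n  condition:\n    $img\n}}\n"
```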
Notes
--png-idat
With the --png-idat flag, you can start the match at the IDAT chunk found within a PNG file. We also reduced the bytes returned when matching on the IDAT chunk.
--jpg-sos
With the --jpg-sos flag, the match skips over the JPG header and begins at the Start of Scan marker.
Contributing
Please contribute pull requests in python3, and submit any bugs you find as issues.