Several of my tools support YARA rules.
And of those tools, many support what I like to call “Ad Hoc rules” (or Here rules).
An Ad Hoc YARA rule is a rule that isn’t stored in a file, but is passed via the command line, and is generated ad hoc by the tool for you.
Take for example oledump.py.
When you issue the command "oledump.py -y trojan.yara sample.vir", oledump will load all the rules found inside file trojan.yara, and scan the streams of document sample.vir with these rules.
But if you want to search for a simple string, say “virus.exe”, then you have to create a YARA rule to search for this string, store it inside a file, and pass this file to oledump via option -y.
Ad hoc rules make this simpler: instead of a filename, you pass option -y an argument that starts with #, and the tool generates the rule for you.
To generate an ad hoc rule for a string, use prefix #s#. Like this:
oledump.py -y "#s#virus.exe" sample.vir
This will generate the following YARA rule:
rule string {strings: $a = "virus.exe" ascii wide nocase condition: $a}
You can also use #x# for hexadecimal, oledump.py -y "#x#D0 CF 11 E0" sample.vir:
rule hexadecimal {strings: $a = { D0 CF 11 E0 } condition: $a}
And #r# for regular expressions, oledump.py -y "#r#[a-z]+" sample.vir:
rule regex {strings: $a = /[a-z]+/ ascii wide nocase condition: $a}
And you can also pass complete YARA rules literally (#), hexadecimal-encoded (#h#) and base64-encoded (#b#); the encoded forms are convenient when the rule contains characters your shell would otherwise interpret.
And finally, for passing rules literally that contain double quotes ("), you can use #q#: this will replace every single quote (') with a double quote ("), so you can write the rule with single quotes on a command line where double quotes are awkward to escape.
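As an added example (not code from oledump.py or any other of the tools described above), here is a stand-alone Python re-implementation of the ad hoc rule syntax as the post describes it: the prefixes #s#, #x#, #r#, #h#, #b#, #q# and plain #, with the generated rule text matching the examples above. The function names, the two encoder helpers and the escaping of backslashes and double quotes in #s# strings are this example's own additions; the post does not say whether the tools escape #s# strings. Compilation with yara-python is optional so the rule generation itself runs without it.

```python
import base64
import binascii

# Added example: re-implementation of the ad hoc YARA rule prefixes from the
# post. Not the tools' own code; names and #s# escaping are assumptions.

PREFIX_STRING = 'rule string {strings: $a = "%s" ascii wide nocase condition: $a}'
PREFIX_HEX = 'rule hexadecimal {strings: $a = { %s } condition: $a}'
PREFIX_REGEX = 'rule regex {strings: $a = /%s/ ascii wide nocase condition: $a}'


def escape_yara_string(text):
    """Escape backslashes and double quotes so the text is a valid YARA text
    string literal (an addition of this example, e.g. for #s#C:\\virus.exe)."""
    return text.replace('\\', '\\\\').replace('"', '\\"')


def adhoc_to_yara(ruledata):
    """Translate the argument of option -y into YARA rule source.

    Returns (rule_source, is_adhoc). An argument that does not start with '#'
    is a filename and is returned unchanged with is_adhoc False.
    """
    if not ruledata.startswith('#'):
        return ruledata, False
    if ruledata.startswith('#h#'):      # hexadecimal-encoded rule text
        rule = binascii.unhexlify(ruledata[3:]).decode('utf-8')
    elif ruledata.startswith('#b#'):    # base64-encoded rule text
        rule = base64.b64decode(ruledata[3:]).decode('utf-8')
    elif ruledata.startswith('#s#'):    # plain string, ascii + wide, nocase
        rule = PREFIX_STRING % escape_yara_string(ruledata[3:])
    elif ruledata.startswith('#q#'):    # literal rule, every ' becomes "
        rule = ruledata[3:].replace("'", '"')
    elif ruledata.startswith('#x#'):    # hex byte pattern, e.g. D0 CF 11 E0
        rule = PREFIX_HEX % ruledata[3:]
    elif ruledata.startswith('#r#'):    # regular expression
        rule = PREFIX_REGEX % ruledata[3:]
    else:                               # literal rule source after the #
        rule = ruledata[1:]
    return rule, True


def encode_hex_rule(rule_source):
    """Build a #h# argument from rule text (helper of this example)."""
    return '#h#' + binascii.hexlify(rule_source.encode('utf-8')).decode('ascii')


def encode_base64_rule(rule_source):
    """Build a #b# argument from rule text (helper of this example)."""
    return '#b#' + base64.b64encode(rule_source.encode('utf-8')).decode('ascii')


def compile_adhoc(ruledata):
    """Compile the rule with yara-python when it is installed; otherwise return
    only the generated source. yara-python is optional for this example."""
    rule, is_adhoc = adhoc_to_yara(ruledata)
    try:
        import yara
    except ImportError:
        return rule, None
    if is_adhoc:
        return rule, yara.compile(source=rule)
    return rule, yara.compile(filepath=rule)


if __name__ == '__main__':
    # Show the rule each prefix generates; arguments are constructed samples.
    for arg in ['#s#virus.exe', '#x#D0 CF 11 E0', '#r#[a-z]+',
                "#q#rule q {strings: $a = 'virus.exe' condition: $a}",
                encode_hex_rule('rule h {condition: true}'),
                encode_base64_rule('rule b {condition: true}')]:
        print(arg)
        print('  ->', adhoc_to_yara(arg)[0])
```

The #h# and #b# encoders show how to prepare a rule that contains quotes, braces or dollar signs so that no shell quoting is needed; the #q# path shows why single quotes in the argument are enough when the rule itself needs double quotes.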