@notareverser
notareverser / generate-simple-yara.idc
Last active January 8, 2023 16:56
Extremely simple IDC script to generate a YARA rule from the selected bytes
#include <idc.idc>
static lmd5(fmd5)
{
auto result,size, nb, x;
size=strlen(fmd5);
result="";
for (x = 0; x < size; x++)
{
@notareverser
notareverser / ida-null-bytes.py
Last active January 5, 2023 15:11
IDA Python script to NOP (x86/x64) selected bytes
import idaapi as ia, idc
def PLUGIN_ENTRY(): return nop()
class nop(ia.plugin_t):
    flags = ia.PLUGIN_UNL
    comment = "NOP"
    help = "select bytes, run"
    wanted_name = "NOP bytes..."
    wanted_hotkey = "Ctrl+Shift+N"
@notareverser
notareverser / nozomi_upx.yara
Created October 4, 2022 12:14
YARA signatures derived from Nozomi UPX recovery tool https://github.com/NozomiNetworks/upx-recovery-tool
// https://github.com/NozomiNetworks/upx-recovery-tool
rule UPX_nozomi_x86
{
strings: $sig = { 50 e8 ?? ?? 00 00 eb 5a 58 59 97 60 8a 54 24 20 e9 ?? ?? 00 00 60 8b 74 24 24 8b 7c 24 2c 83 cd}
condition: any of them
}
rule UPX_nozomi_x64
{
strings:
@notareverser
notareverser / snippets.py
Last active November 11, 2022 14:44
Snippets of Python to help out with reversing
import operator
def compileTime(data):
    from struct import unpack_from as suf
    if data[0:2] == b'\x4d\x5a':
        peOffset = suf("<H",data,0x3c)[0]
        if data[peOffset:peOffset+4] == b'\x50\x45\0\0':
            return suf("<L",data,peOffset+8)[0]
    return None
@notareverser
notareverser / histogram.py
Created July 7, 2022 14:56
Frequency analysis tool
#!/usr/bin/env python3
import argparse
import sys
import mmap
import logging
from collections import defaultdict
@notareverser
notareverser / boilerplate.py
Created May 13, 2022 11:45
Boilerplate Python script
#!/usr/bin/env python3
import argparse
import sys
import json
import logging
@notareverser
notareverser / rename.py
Created April 29, 2022 11:46
Simple script to rename files based on their MD5
#!/usr/bin/env python3
import sys
import argparse
import os
import hashlib
def parseArguments():
    parser = argparse.ArgumentParser(description="Rename files based on their MD5")
    parser.add_argument('file',
@notareverser
notareverser / sevenzip_sfx.yara
Created April 8, 2022 15:32
YARA signature for 7z SFX
rule Windows_7z_SFX
{
strings:
$makeCommandFile_prefix_1 = {53 56 8b 75 08 66 83 7e 02 3a 0f 85 ?? ?? ?? ?? 0f b7 46 04 66 3d 5c 00 74 0a 66 3d 2f 00 0f 85 ?? ?? ?? ?? 66 8b 06 66 89 45 f0 8d 45 f0 33 db 50 66 c7 45 f2 3a 00 66 c7 45 f4 5c 00 66 89 5d f6 ff 15}
$makeCommandFile_prefix_2 = {53 8b 45 08 33 db 89 5d fc 66 83 78 02 3a 0f 85 ?? ?? ?? ?? 66 8b 48 04 66 83 f9 5c 74 0a 66 83 f9 2f 0f 85 ?? ?? ?? ?? 66 8b 00 66 c7 45 e6 3a 00 66 89 45 e4 8d 45 e4 50 66 c7 45 e8 5c 00 66 89 5d ea ff 15}
$makeCommandFile_prefix_3 = {53 56 8b 75 08 33 db 66 83 7e 02 3a 89 5d fc 0f 85 ?? ?? ?? ?? 66 8b 46 04 66 3d 5c 00 74 0a 66 3d 2f 00 0f 85 ?? ?? ?? ?? 66 8b 06 66 89 45 e4 8d 45 e4 50 66 c7 45 e6 3a 00 66 c7 45 e8 5c 00 66 89 5d ea ff 15}
$makeCommandFile_prefix_4 = {8b 45 08 66 83 78 02 3a 0f 85 ?? ?? ?? ?? 0f b7 48 04 66 83 f9 5c 74 0a 66 83 f9 2f 0f 85 ?? ?? ?? ?? 66 8b 00 6a 3a 66 89 45 e8 58 66 89 45 ea 6a 5c 58 66 89 45 ec 33 c0 66 89 45 ee 8d 45 e8 50 ff 15}
@notareverser
notareverser / zlib.yara
Created February 25, 2022 14:15
YARA rule to attempt to detect zlib
rule zlib
{
strings:
$distfix = {10 05 01 00 17 05 01 01 13 05 11 00 1b 05 01 10 11 05 05 00 19 05 01 04 15 05 41 00 1d 05 01 40 10 05 03 00 18 05 01 02 14 05 21 00 1c 05 01 20 12 05 09 00 1a 05 01 08 16 05 81 00 40 05 00 00 10 05 02 00 17 05 81 01 13 05 19 00 1b 05 01 18 11 05 07 00 19 05 01 06 15 05 61 00 1d 05 01 60 10 05 04 00 18 05 01 03 14 05 31 00 1c 05 01 30 12 05 0d 00 1a 05 01 0c 16 05 c1 00 40 05 00 00}
$lenfix_prefix = {60 07 00 00 00 08 50 00 00 08 10 00 14 08 73 00 12 07 1f 00 00 08 70 00 00 08 30 00 00 09 c0 00 10 07 0a 00 00 08 60 00 00 08 20 00 00 09 a0 00 00 08 00 00 00 08 80 00 00 08 40 00 00 09 e0 00 10 07 06 00 00 08 58 00 00 08 18 00 00 09 90 00 13 07 3b 00 00 08 78 00 00 08 38 00 00 09 d0 00 11 07 11 00 00 08 68 00 00 08 28 00 00 09 b0 00 00 08 08 00 00 08 88 00 00 08 48 00 00 09 f0 00 10 07 04 00 00 08 54 00 00 08 14 00 15 08 e3 00 13 07 2b 00 00 08 74 00 }
condition:
all of them
}
@notareverser
notareverser / yara-rules-for-libraries.txt
Created February 25, 2022 14:13
Brief treatise on the tradeoffs between YARA rules made from strings, code, and data
Today for #100DaysOfYARA I want to further explore one of my favorite topics
"How to reliably detect libraries", or how to identify that a particular program has linked or otherwise included a particular library.
Detecting libraries (especially ones written in C) poses unique challenges compared to detecting malware, including:
- libraries tend to be platform/architecture nonspecific
- compilerisms overwhelm otherwise decent signal
- copy/pasta and groupthink across libraries