French notareverser
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule InnoSetup | |
| { | |
| strings: | |
| $integrity_check_merged = {b9 ?? ?? ?? ?? b2 01 b8 ?? ?? ?? ?? e8 ?? ?? ?? ?? e8 ?? ?? ?? ?? c3 00 ff ff ff ff 47 00 00 00 54 68 65 20 73 65 74 75 70 20 66 69 6c 65 73 20 61 72 65 20 63 6f 72 72 75 70 74 65 64 2e 20 50 6c 65 61 73 65 20 6f 62 74 61 69 6e 20 61 20 6e 65 77 20 63 6f 70 79 20 6f 66 20 74 68 65 20 70 72 6f 67 72 61 6d 2e 00} | |
| $lzmadecompsmall = {53 83 c4 f8 8b d8 89 1c 24 c6 44 24 04 00 54 6a 00 b9 ?? ?? ?? ?? b2 01 b8 ?? ?? ?? ?? e8 ?? ?? ?? ?? e8 ?? ?? ?? ?? 59 5a 5b c3 00 ff ff ff ff 32 00 00 00 6c 7a 6d 61 64 65 63 6f 6d 70 73 6d 61 6c 6c 3a 20 43 6f 6d 70 72 65 73 73 65 64 20 64 61 74 61 20 69 73 20 63 6f 72 72 75 70 74 65 64 20 28 25 64 29 00} | |
| $lzma_merged = {53 83 c4 f8 8b d8 89 1c 24 c6 44 24 04 00 54 6a 00 b9 ?? ?? ?? ?? b2 01 ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? e8 ?? ?? ?? ?? 59 5a 5b c3 00 ff ff ff ff 27 00 00 00 6c 7a 6d 61 3a 20 43 6f 6d 70 72 65 73 73 65 64 20 64 61 74 61 20 69 73 20 63 6f 72 72 75 70 74 65 64 20 28 25 64 29 00} | |
| condition: |
notareverser
/ code-signatures.treatise.txt
Created
February 15, 2022 16:22
A brief treatise on code-based YARA signatures
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Today for #100DaysOfYARA I want to dive in to some of the dirty secrets of creating/maintaining code-based YARA signatures | |
| Let's use SQLite3 as an example. Go get the source here (I prefer the amalgamation): | |
| https://sqlite.org/download.html | |
| I would like to reliably detect when a file is using SQLite. I often look at Windows executables, so I'm going to first concentrate on x86 programs that use this library. The easiest way to find them is to first concentrate on cleartext strings. In this case, I'm gonna pop over to VirusTotal and search for an easily-identifiable string: | |
| content: "failed to allocate %u bytes of memory" type:pe |
notareverser
/ generate-stackstrings-yara.py
Last active
May 14, 2022 17:15
Script to generate stackstrings YARA signatures for common implementation patterns
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| import sys, string, struct | |
| def strByByte(_strval): | |
| strval = bytearray(_strval.encode()) | |
| for s in strval: yield s | |
| def strByDword(_strval): | |
| strval = bytearray(_strval.encode()) |
notareverser
/ kernel32.yara
Last active
February 9, 2022 13:14
Another stack-string signature for kernel32
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule stackstring_kernel32_large_stack | |
| { | |
| strings: | |
| $v = { c785[1-4]6b[3-4] | |
| c785[1-4]65[3-4] | |
| c785[1-4]72[3-4] | |
| c785[1-4]6e[3-4] | |
| c785[1-4]65[3-4] | |
| c785[1-4]6c[3-4] | |
| c785[1-4]33[3-4] |
notareverser
/ A #100DaysOfYARA story
Created
January 28, 2022 13:03
Here's a little story all about how my rules got flipped, turned upside down
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Let's do something a little different today and talk about WHY we use YARA signatures. | |
| I'm going to do this by walking through an example. | |
| If you want to play along, I've put all my #100DaysofYARA rules here | |
| https://gist.github.com/notareverser/d5f4f0d09285edca3ec027534c233271 | |
| I was doing something unrelated and happened across this file: | |
| Filename: b1fcc3a7ca7a4829a9f9ce636b784656.virustotal |
notareverser
/ YARA rules for #100DaysOfYARA
Created
January 28, 2022 11:48
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import "pe" | |
| rule ASPack_PE | |
| { | |
| strings: | |
| $unpackStub = {60 e8 03 00 00 00 e9 eb 04 5d 45 55 c3 e8 01 00 00 00 eb 5d bb ed ff ff ff} | |
| condition: | |
| $unpackStub at pe.entry_point or (uint8(@unpackStub-1) == 0x90) | |
| } |
notareverser
/ shannon-sig.py
Created
January 19, 2022 16:37
A Python program to generate regular-expression YARA signatures for yes/no maps of shellcode under single-byte encodings
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| # for our homey, Claude Shannon | |
| import sys | |
| import logging | |
| import binascii | |
| import hashlib | |
| import argparse |
notareverser
/ yara-merge.py
Created
January 13, 2022 13:44
Merge N YARA rules from a file, where the rules have a single string, and the strings are all of the same length
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| # yes, this is crappy code | |
| # yes, it generally gets the job done | |
| import sys | |
| def countRules(data): return data.count('rule ') |
NewerOlder