Steve stvemillertime
notareverser
/ nozomi_upx.yara
Created
October 4, 2022 12:14
YARA signatures derived from Nozomi UPX recovery tool https://github.com/NozomiNetworks/upx-recovery-tool
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // https://github.com/NozomiNetworks/upx-recovery-tool | |
| rule UPX_nozomi_x86 | |
| { | |
| strings: $sig = { 50 e8 ?? ?? 00 00 eb 5a 58 59 97 60 8a 54 24 20 e9 ?? ?? 00 00 60 8b 74 24 24 8b 7c 24 2c 83 cd} | |
| condition: any of them | |
| } | |
| rule UPX_nozomi_x64 | |
| { | |
| strings: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| import argparse | |
| import sys | |
| import json | |
| import logging | |
tlansec
/ externals_example.py
Created
February 21, 2022 10:08
Simple script to demo use of yara-python + externals
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Simple script to demo use of yara-python + externals | |
| # think of all the externals you could define! | |
| import os | |
| import sys | |
| import yara | |
| example_rule = ''' | |
| rule demo_externals | |
| { |
notareverser
/ generate-stackstrings-yara.py
Last active
May 14, 2022 17:15
Script to generate stackstrings YARA signatures for common implementation patterns
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| import sys, string, struct | |
| def strByByte(_strval): | |
| strval = bytearray(_strval.encode()) | |
| for s in strval: yield s | |
| def strByDword(_strval): | |
| strval = bytearray(_strval.encode()) |
yt0ng
/ console_kungfu.yar
Created
February 5, 2022 15:38
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Must have console module via yara-4.2.0-rc1+ | |
| // expects decoded beacons | |
| import "pe" | |
| import "console" | |
| rule CobaltStrike_Watermark_Profiler: Profiler | |
| { | |
| meta: |
notareverser
/ shannon-sig.py
Created
January 19, 2022 16:37
A Python program to generate regular-expression YARA signatures for yes/no maps of shellcode under single-byte encodings
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| # for our homey, Claude Shannon | |
| import sys | |
| import logging | |
| import binascii | |
| import hashlib | |
| import argparse |
shellcromancer
/ imov_stackstrings.yara
Created
January 8, 2022 03:51
YARA rule to find stack strings via indirect moves.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule obfus_stackstring_imov { | |
| meta: | |
| descrption = "Identify stack-strings obfuscation via indirect moves." | |
| author = "@shellcromancer <root@shellcromancer.io>" | |
| version = "0.1" | |
| date = "2022-01-07" | |
| reference = "https://www.mandiant.com/resources/automatically-extracting-obfuscated-strings" | |
| strings: | |
| $mov_r = { c6 4? ?? 72 } // mov byte [rdi + ?], 0x72 ; 'r' | |
| $mov_s = { c6 4? 0? 73 } // mov byte [rdi + ?], 0x73 ; 's' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import "pe" | |
| import "hash" | |
| import "math" | |
| import "time" | |
| rule Gootloader_container { | |
| meta: | |
| description = "Gootloader Dropper Container" | |
| author = "Droogy" | |
g-les
/ 100_days_of_yara.yar
Last active
September 26, 2022 01:01
100 Days of YARA to be updated with rules & ideas as the year progresses
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Goals for #100DaysofYARA: | |
| better understanding of bitwise operators | |
| use math module beyond general entropy of a section / resource | |
| position specific things beyond what PE module tells us | |
| do some funky stuff with hashing | |
| */ |
JusticeRage
/ go_tmilk.py
Created
October 15, 2021 17:22
Go Type Milking - IDA script to extract type information from Go binaries
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| """ | |
| got_tmilk.py - Go Type Milking | |
| Written by Ivan Kwiatkowski @ Kaspersky GReAT | |
| Shared under the terms of the GPLv3 license | |
| """ | |
| C_HEADER = """ | |
| enum golang_kind : __int8 | |
| { | |
| INVALID = 0x0, |
NewerOlder