Using YARA python interface to parse files

I've shared this technique with some people privately, but might as well share it publicly now since I was asked about it. I've been using this for a while now with good success. It works well for parsing .NET droppers and other things.

If you don't know what the -D flag to YARA does, I suggest you import a module and run a file through using that flag. It will print, to stdout, everything the module parsed that doesn't involve you calling a function. This is a great way to get a quick idea of the structure of a file.

For example:

wxs@mbp yara % cat always_false.yara
@singe
singe / README.md
Last active November 7, 2022 19:06
Canarytoken'ed Word .docx yara rule

Remember to unzip the .docx first, or use scan.sh.

Compile the yara rule for scan.sh to work: yarac canarytoken.yar canarytoken

@wxsBSD
wxsBSD / gist:3e9452c3699bf68ff2e83a5d6a521801
Created September 29, 2021 02:23
french yara hits, no sorting

Test rules:

wxs@wxs-mbp yara % cat rules/test.yara
rule b {
  strings:
    $a = "LSCOLORS"
  condition:
    $a
}
@wxsBSD
wxsBSD / rules.md
Last active January 12, 2022 19:51
xor PE rules

One way to find PE files that start at offset 0 and have a single byte xor key:

rule single_byte_xor_pe_and_mz {
  meta:
    author = "Wesley Shields <wxs@atarininja.org>"
    description = "Look for single byte xor of a PE starting at offset 0"
  strings:
    $b = "PE\x00\x00" xor(0x01-0xff)
  condition:
@JusticeRage
JusticeRage / go_tmilk.py
Created October 15, 2021 17:22
Go Type Milking - IDA script to extract type information from Go binaries
"""
got_tmilk.py - Go Type Milking
Written by Ivan Kwiatkowski @ Kaspersky GReAT
Shared under the terms of the GPLv3 license
"""
C_HEADER = """
enum golang_kind : __int8
{
INVALID = 0x0,
@g-les
g-les / 100_days_of_yara.yar
Last active September 26, 2022 01:01
100 Days of YARA to be updated with rules & ideas as the year progresses
/*
Goals for #100DaysofYARA:
better understanding of bitwise operators
use math module beyond general entropy of a section / resource
position specific things beyond what PE module tells us
do some funky stuff with hashing
*/
@Droogy
Droogy / 100DaysOfYARA.yar
Last active September 6, 2022 05:55
100 Days of YARA
import "pe"
import "hash"
import "math"
import "time"
rule Gootloader_container {
meta:
description = "Gootloader Dropper Container"
author = "Droogy"
@shellcromancer
shellcromancer / imov_stackstrings.yara
Created January 8, 2022 03:51
YARA rule to find stack strings via indirect moves.
rule obfus_stackstring_imov {
meta:
description = "Identify stack-strings obfuscation via indirect moves."
author = "@shellcromancer <root@shellcromancer.io>"
version = "0.1"
date = "2022-01-07"
reference = "https://www.mandiant.com/resources/automatically-extracting-obfuscated-strings"
strings:
$mov_r = { c6 4? ?? 72 } // mov byte [rdi + ?], 0x72 ; 'r'
$mov_s = { c6 4? 0? 73 } // mov byte [rdi + ?], 0x73 ; 's'
@notareverser
notareverser / shannon-sig.py
Created January 19, 2022 16:37
A Python program to generate regular-expression YARA signatures for yes/no maps of shellcode under single-byte encodings
#!/usr/bin/env python
# for our homey, Claude Shannon
import sys
import logging
import binascii
import hashlib
import argparse
// Must have console module via yara-4.2.0-rc1+
// expects decoded beacons
import "pe"
import "console"
rule CobaltStrike_Watermark_Profiler: Profiler
{
meta: