Skip to content

Instantly share code, notes, and snippets.

View stvemillertime's full-sized avatar

Steve stvemillertime

72 followers · 39 following
View GitHub Profile
@wxsBSD
wxsBSD / yara-parser.md
Last active February 5, 2023 20:18

Using YARA python interface to parse files

I've shared this technique with some people privately, but might as well share it publicly now since I was asked about it. I've been using this for a while now with good success. It works well for parsing .NET droppers and other things.

If you don't know what the -D flag to YARA does I suggest you import a module and run a file through using that flag. It will print, to stdout, everything the module parsed that doesn't involve you calling a function. This is a great way to get a quick idea for the structure of a file.

For example:

wxs@mbp yara % cat always_false.yara
@singe
singe / README.md
Last active November 7, 2022 19:06
Canarytoken'ed Word .docx yara rule

Remember to unzip the .docx first, or use scan.sh.

Compile the yara rule for scan.sh to work yarac canarytoken.yar canarytoken

@notareverser
notareverser / nozomi_upx.yara
Created October 4, 2022 12:14
YARA signatures derived from Nozomi UPX recovery tool https://github.com/NozomiNetworks/upx-recovery-tool
// https://github.com/NozomiNetworks/upx-recovery-tool
rule UPX_nozomi_x86
{
strings: $sig = { 50 e8 ?? ?? 00 00 eb 5a 58 59 97 60 8a 54 24 20 e9 ?? ?? 00 00 60 8b 74 24 24 8b 7c 24 2c 83 cd}
condition: any of them
}
rule UPX_nozomi_x64
{
strings:
@g-les
g-les / 100_days_of_yara.yar
Last active September 26, 2022 01:01
100 Days of YARA to be updated with rules & ideas as the year progresses
/*
Goals for #100DaysofYARA:
better understanding of bitwise operators
use math module beyond general entropy of a section / resource
position specific things beyond what PE module tells us
do some funky stuff with hashing
*/
@Droogy
Droogy / 100DaysOfYARA.yar
Last active September 6, 2022 05:55
100 Days of YARA
import "pe"
import "hash"
import "math"
import "time"
rule Gootloader_container {
meta:
description = "Gootloader Dropper Container"
author = "Droogy"
@wxsBSD
wxsBSD / gist:3e9452c3699bf68ff2e83a5d6a521801
Created September 29, 2021 02:23
french yara hits, no sorting

Test rules:

wxs@wxs-mbp yara % cat rules/test.yara
rule b {
  strings:
    $a = "LSCOLORS"
  condition:
    $a
}
@notareverser
notareverser / boilerplate.py
Created May 13, 2022 11:45
Boilerplate Python script
#!/usr/bin/env python3
import argparse
import sys
import json
import logging
@notareverser
notareverser / generate-stackstrings-yara.py
Last active May 14, 2022 17:15
Script to generate stackstrings YARA signatures for common implementation patterns
#!/usr/bin/env python3
import sys, string, struct
def strByByte(_strval):
strval = bytearray(_strval.encode())
for s in strval: yield s
def strByDword(_strval):
strval = bytearray(_strval.encode())
@JusticeRage
JusticeRage / go_tmilk.py
Created October 15, 2021 17:22
Go Type Milking - IDA script to extract type information from Go binaries
"""
got_tmilk.py - Go Type Milking
Written by Ivan Kwiatkowski @ Kaspersky GReAT
Shared under the terms of the GPLv3 license
"""
C_HEADER = """
enum golang_kind : __int8
{
INVALID = 0x0,
@tlansec
tlansec / externals_example.py
Created February 21, 2022 10:08
Simple script to demo use of yara-python + externals
# Simple script to demo use of yara-python + externals
# think of all the externals you could define!
import os
import sys
import yara
example_rule = '''
rule demo_externals
{