Skip to content

Instantly share code, notes, and snippets.

View stvemillertime's full-sized avatar

Steve stvemillertime

72 followers · 39 following
View GitHub Profile
@wxsBSD
wxsBSD / rules.md
Last active January 12, 2022 19:51
xor PE rules

One way to find PE files that start at offset 0 and have a single byte xor key:

rule single_byte_xor_pe_and_mz {
  meta:
    author = "Wesley Shields <wxs@atarininja.org>"
    description = "Look for single byte xor of a PE starting at offset 0"
  strings:
    $b = "PE\x00\x00" xor(0x01-0xff)
 condition:
@wxsBSD
wxsBSD / gist:3e9452c3699bf68ff2e83a5d6a521801
Created September 29, 2021 02:23
french yara hits, no sorting

Test rules:

wxs@wxs-mbp yara % cat rules/test.yara
rule b {
  strings:
    $a = "LSCOLORS"
  condition:
    $a
}
@singe
singe / README.md
Last active November 7, 2022 19:06
Canarytoken'ed Word .docx yara rule

Remember to unzip the .docx first, or use scan.sh.

Compile the yara rule for scan.sh to work yarac canarytoken.yar canarytoken

@wxsBSD
wxsBSD / yara-parser.md
Last active February 5, 2023 20:18

Using YARA python interface to parse files

I've shared this technique with some people privately, but might as well share it publicly now since I was asked about it. I've been using this for a while now with good success. It works well for parsing .NET droppers and other things.

If you don't know what the -D flag to YARA does I suggest you import a module and run a file through using that flag. It will print, to stdout, everything the module parsed that doesn't involve you calling a function. This is a great way to get a quick idea for the structure of a file.

For example:

wxs@mbp yara % cat always_false.yara