With the release of YARA 3.2.0 I wanted to show people how to utilize some of the new features. In particular I'll show an example for rich_signatures, import hashing and Authenticode signatures.
You'll need both of these for obvious reasons. :)
import "pe"
import "hash"
Someone recently asked me if it is possible to test if a string is in a section or not in YARA. This is my attempt at an answer, and please note that some of the capabilities are still pending a merge to master.
// Make sure the string is in the .rsrc section.
rule test_in {
strings:
$a = { DE AD BE EF 00 00 DE AD BE EF }
condition:
$a in ((pe.sections[pe.section_index(".rsrc")].raw_data_offset)..(pe.sections[pe.section_index(".rsrc")].raw_data_offset + pe.sections[pe.section_index(".rsrc")].raw_data_size))
}
Here's what I was thinking of doing...
{
// Description of the YARA rules to use. Each key is a group name used in additional_monitoring
// or in scheduled_queries if you want.
"yara": {
"sig_group_1": [ "foo.sig", "bar.sig" ],
"sig_group_2": [ "baz.sig" ]
},
I was recently asked how to check the entropy of a given section in YARA, and because the person who asked is clearly looking to learn how to fish instead of just being given fish I went into some detail on the explanation. With his permission I am sharing my response here.
It's a combination of a number of things:
math.in_range(test, lower, upper):
Given a test value, check to see if it is in range of the lower and upper bounds. This is an inclusive test.
math.entropy(offset, length):
Everything I'm talking about below is not new, but I thought it was an interesting idea and realized I already had the majority of pieces in place to play with it. I want to share what I learned. If you are at all interested in exploring this topic further a good paper on it is here. Also, a few years ago IOActive published a blog post on the technique which is also a good read. Finally, the last two paragraphs in section 6 of RFC5246 clearly document the problem the best I've been able to find:
Any protocol designed for use over TLS must be carefully designed to
deal with all possible attacks against it. As a practical matter,
this means that the protocol designer must be aware of what security
properties TLS does and does not provide and cannot safely rely on
the latter.
I hereby claim:
To claim this, I am signing this object:
This is outdated. The canonical source of documentation on this is over here.
I recently put YARA inside osquery and thought I would provide some details on how to use it. There are two YARA related tables in osquery, which serve very different purposes. The first table, called yara_events, uses osquery's pub-sub framework to monitor for filesystem changes and will execute YARA when a file change event fires. The second table, called yara, is an on-demand YARA scanning table.
I've started to add a pehash implementation to YARA. I decided to base my implementation on the description in the paper and only use the totalhash and viper implementations for comparing results. In doing so I've noticed some problems, and it is unclear who is right.
For starters let's take a look at running the pehash.py implementation from totalhash against a binary.
wxs@psh Desktop % shasum 4180ee367740c271e05b3637ee64619fb9fe7b1d2b28866e590e731b9f81de36
bf2y is a brainfuck compiler which targets the YARA virtual machine. You can get it from my bf2y branch at https://github.com/wxsBSD/yara/tree/bf2y.
You will need python3 and ply (https://pypi.org/project/ply/)
wxs@wxs-mbp yara % cat rules/test.yara
rule a {
strings:
// This program cannot VGhpcyBwcm9ncmFtIGNhbm5vdA==
// AThis program cannot QVRoaXMgcHJvZ3JhbSBjYW5ub3Q=
// AAThis program cannot QUFUaGlzIHByb2dyYW0gY2Fubm90
$a = "This program cannot" base64
// Custom alphabets are supported, but I have it commented out for now. ;)