Navigation Menu

Skip to content

Instantly share code, notes, and snippets.

View wxsBSD's full-sized avatar

Wesley Shields wxsBSD

183 followers · 1 following
View GitHub Profile
@wxsBSD
wxsBSD / bf2y.md
Last active January 17, 2020 21:37
bf2y
@wxsBSD
wxsBSD / base64 and ascii working.md
Created December 4, 2019 04:33 
wxs@wxs-mbp yara % cat rules/test.yara
rule a {
  strings:
    // This program cannot VGhpcyBwcm9ncmFtIGNhbm5vdA==
    // AThis program cannot QVRoaXMgcHJvZ3JhbSBjYW5ub3Q=
    // AAThis program cannot QUFUaGlzIHByb2dyYW0gY2Fubm90
    $a = "This program cannot" base64 ascii

 // Custom alphabets are supported, but I have it commented out for now. ;)
@wxsBSD
wxsBSD / base64.md
Created December 3, 2019 03:25
Base64 modifier in YARA 
wxs@wxs-mbp yara % cat rules/test.yara
rule a {
  strings:
    // This program cannot VGhpcyBwcm9ncmFtIGNhbm5vdA==
    // AThis program cannot QVRoaXMgcHJvZ3JhbSBjYW5ub3Q=
    // AAThis program cannot QUFUaGlzIHByb2dyYW0gY2Fubm90
    $a = "This program cannot" base64

 // Custom alphabets are supported, but I have it commented out for now. ;)
@wxsBSD
wxsBSD / keybase.md
Created May 8, 2019 00:30

Keybase proof

I hereby claim:

  • I am wxsbsd on github.
  • I am wxs (https://keybase.io/wxs) on keybase.
  • I have a public key whose fingerprint is 96D1 2E6B F61C 2F3D 83EF 8F0B BE54 310C 17F0 AA37

To claim this, I am signing this object:

@wxsBSD
wxsBSD / yara-loop-optimization-details.md
Last active April 29, 2022 15:08

YARA Loop Optimization Details

Let's look at the bytecode without my optimizations. Before we do that let's set some terminology, because I find it easier to use names compared YARA VM memory locations. These are the names I've mostly borrowed from the comments in the grammar:

  • memory 0: lower bound
  • memory 1: boolean_expression accumulator
  • memory 2: iteration counter
  • memory 3: upper bound

We'll be using this rule for the first example:

@wxsBSD
wxsBSD / yara-loop-optimization.md
Last active April 29, 2022 15:08

I've been working on optimizing the YARA compiler to generate better bytecode for loops. The goal is to skip as much of loops as possible by not iterating further once the loop condition is met. Here's the rule I'm using. Completely contrived and excessive, but it's to show the performance improvement:

wxs@wxs-mbp yara % cat rules/test.yara
rule a {
  condition:
    for any i in (0..100000000): (i == 1)
}
wxs@wxs-mbp yara %
@wxsBSD
wxsBSD / gist:2936585412fd57f039fd7ecd7b24cd1b
Created May 21, 2018 01:16
/*
* fmtid + 24 == number of property identifiers and offsets
* fmtid + 28 == start of property identifier and offsets (4 bytes each)
*/
rule test {
strings:
//$fmtid = { 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae }
$fmtid = { e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 }
$redacted_author = "REDACTED AUTHOR"
condition:
@wxsBSD
wxsBSD / yara-parser.md
Last active February 5, 2023 20:18

Using YARA python interface to parse files

I've shared this technique with some people privately, but might as well share it publicly now since I was asked about it. I've been using this for a while now with good success. It works well for parsing .NET droppers and other things.

If you don't know what the -D flag to YARA does I suggest you import a module and run a file through using that flag. It will print, to stdout, everything the module parsed that doesn't involve you calling a function. This is a great way to get a quick idea for the structure of a file.

For example:

wxs@mbp yara % cat always_false.yara
@wxsBSD
wxsBSD / ssl-profiling-local.bro
Last active April 3, 2020 01:21

SSL Profiling in Bro

I wrote profiling applications over SSL recently and this is my attempt at doing so in Bro. I haven't written a Bro script before this one so I'm betting I've got a bunch of things wrong here. The code comes in two parts. The first is the main script which has the core logic. The second part is the "local" script which defines the application profiles you are interested in.

The Main Script

@load base/protocols/conn
@load base/protocols/ssl
@load base/frameworks/notice
@wxsBSD
wxsBSD / gist:6d5e777afc31b3cf46d0
Last active July 14, 2018 16:56
Inferring contents of SSL sessions

Disclaimer

Everything I'm talking about below is not new, but I thought it was an interesting idea and realized I already had the majority of pieces in place to play with it. I want to share what I learned. If you are at all interested in exploring this topic further a good paper on it is here. Also, a few years ago IOActive published a blog post on the technique which is also a good read. Finally, the last two paragraphs in section 6 of RFC5246 clearly document the problem the best I've been able to find:

Any protocol designed for use over TLS must be carefully designed to
deal with all possible attacks against it.  As a practical matter,
this means that the protocol designer must be aware of what security
properties TLS does and does not provide and cannot safely rely on
the latter.