Back in January I wrote bf2y, which is a brainfuck to YARA compiler. bf2y takes in an arbitrary brainfuck program and outputs the instructions to execute the brainfuck code on the YARA virtual machine (well, a slightly modified VM). If you want the full details of how it works, go read the code, but I want to talk about writing a Fibonacci number generator for it.
#include <ctype.h>
#include <stdio.h>

/* For every byte value, print 1 when the C library's isalnum() says the byte
 * is NOT alphanumeric (i.e. it may delimit a fullword match), otherwise 0. */
int main(void) {
    for (int i = 0; i <= 255; i++)
        printf("0x%02x %u\n", i, !isalnum(i));
    return 0;
}

import platform
import yara

print(f"Platform version: {platform.version()}")
print(f"Python version: {platform.python_version()}")
print(f"YARA version: {yara.YARA_VERSION}")

rules = yara.compile(source='rule a { strings: $a = "foo" fullword condition: $a }')
for c in range(256):
    # "foo" followed by a single byte c: the fullword modifier only lets the
    # string match when c is not alphanumeric. Output is in the same
    # "0xNN 0/1" format as the C program above so the two tables can be diffed.
    # (Loop body reconstructed; the original was cut off here.)
    data = b"foo" + bytes([c])
    print(f"0x{c:02x} {int(bool(rules.match(data=data)))}")
I'd like to explain some of the new things I've added to YARA which will be in the next release. This is in addition to the stuff I've written about here, which is already in 3.2.0. If you have not read that, I suggest you start there, as it will tie in nicely with some of the things I'm going to mention here. Lastly, some of these things are not yet merged into master, but I expect them to be very soon.
There is a new module in YARA called math. The intention of this module is to expose some functions which you can use in your rules to calculate specific properties.
In particular it provides these functions for calculating different values:
- entropy
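As an added example (this is not code from the post or from YARA itself), the following Python computes Shannon entropy on the same 0 to 8 bits-per-byte scale that math.entropy reports, scans a constructed buffer window by window to locate a high-entropy (packed or encrypted looking) region, and shows the equivalent check written as a rule. The rule's math.entropy(offset, size) call is the form the module exposes; the 2 KiB window, the 7.0 threshold, the rule name and the sample layout are assumptions made for the demonstration.

```python
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, 0.0 .. 8.0 (the scale math.entropy uses)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_windows(data: bytes, size: int):
    """Entropy of each consecutive `size`-byte window, as (offset, entropy) pairs."""
    return [(off, shannon_entropy(data[off:off + size]))
            for off in range(0, len(data), size)]


def high_entropy_offsets(data: bytes, size: int, threshold: float = 7.0):
    """Offsets of windows whose entropy reaches `threshold`: packed/encrypted candidates."""
    return [off for off, e in entropy_windows(data, size) if e >= threshold]


# Constructed sample "file": a region drawn from 16 printable bytes (entropy 4.0),
# a region where all 256 byte values appear equally often (entropy 8.0, what a
# packed or encrypted blob looks like), then zero padding (entropy 0.0).
TEXT_REGION = bytes(range(0x20, 0x30)) * 128   # 2048 bytes
PACKED_REGION = bytes(range(256)) * 8          # 2048 bytes
ZERO_REGION = b"\x00" * 2048                   # 2048 bytes
SAMPLE = TEXT_REGION + PACKED_REGION + ZERO_REGION

# The same check as a YARA rule (assumed rule; math.entropy(offset, size) scores
# the bytes at [offset, offset+size) exactly the way shannon_entropy does above).
RULE = r'''
import "math"

rule packed_region_after_header
{
    condition:
        // assumption: flag files whose second 2 KiB looks packed or encrypted
        math.entropy(2048, 2048) >= 7.0
}
'''

if __name__ == "__main__":
    for off, e in entropy_windows(SAMPLE, 1024):
        print(f"0x{off:05x} {e:.3f}")
    print("high entropy windows at", high_entropy_offsets(SAMPLE, 1024))
```

Running the script on the constructed sample reports 4.0 for the first two 1 KiB windows, 8.0 for the next two and 0.0 for the last two, so only offsets 2048 and 3072 are flagged; in a rule the same windowing is just a matter of which offset and size you hand to math.entropy.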
Here's an example of how part of yrrc works. Starting with these rules:
wxs@wxs-mbp yrrc % cat rules/test.yara
rule a {
meta:
sample = "24c422e681f1c1bd08286c7aaf5d23a5f088dcdb0b219806b3a9e579244f00c5"
condition:
true
}
I wrote about profiling applications over SSL recently, and this is my attempt at doing so in Bro. I haven't written a Bro script before this one, so I'm betting I've got a bunch of things wrong here. The code comes in two parts. The first is the main script, which has the core logic. The second part is the "local" script, which defines the application profiles you are interested in.
@load base/protocols/conn
@load base/protocols/ssl
@load base/frameworks/notice
wxs@wxs-mbp yara % cat rules/test.yara
rule a {
strings:
// This program cannot VGhpcyBwcm9ncmFtIGNhbm5vdA==
// AThis program cannot QVRoaXMgcHJvZ3JhbSBjYW5ub3Q=
// AAThis program cannot QUFUaGlzIHByb2dyYW0gY2Fubm90
$a = "This program cannot" base64
// Custom alphabets are supported, but I have it commented out for now. ;)
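As an added example, not taken from the post or from YARA's own source, this Python works through what the base64 modifier has to do with a string: base64 output depends on where the string falls relative to a 3-byte boundary, so there are three possible encodings (the three commented forms above, produced by shifting the string by 0, 1 and 2 bytes), and the characters whose value also depends on the unknown bytes before and after the string must be dropped before searching. The search helper, the constructed sample blobs and the rotated alphabet used to demonstrate custom alphabets are my own additions.

```python
import base64

STD_ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def base64_variants(s: bytes, alphabet: bytes = STD_ALPHABET):
    """The three alignment-dependent encodings of `s`, each trimmed to the characters
    that depend only on `s`, so they match wherever `s` sits inside a base64 blob."""
    if not s:
        raise ValueError("cannot expand an empty string")
    if len(alphabet) != 64:
        raise ValueError("a base64 alphabet must have exactly 64 characters")
    table = bytes.maketrans(STD_ALPHABET, alphabet)
    variants = []
    for lead in range(3):
        # Shift s by `lead` bytes. The pad byte values are irrelevant: every output
        # character they influence is stripped below.
        enc = base64.b64encode(b"A" * lead + s).rstrip(b"=")
        head = (0, 2, 3)[lead]                        # chars tainted by the pad bytes
        tail = 0 if (lead + len(s)) % 3 == 0 else 1   # char tainted by the byte after s
        core = enc[head:len(enc) - tail]
        variants.append(core.translate(table))        # custom alphabet: remap per char
    return variants


def find_base64_encoded(haystack: bytes, needle: bytes, alphabet: bytes = STD_ALPHABET):
    """(offset, variant) for every place one of the three variants occurs in haystack,
    i.e. what a `needle base64` string would hit."""
    hits = []
    for v in base64_variants(needle, alphabet):
        start = 0
        while (i := haystack.find(v, start)) != -1:
            hits.append((i, v.decode()))
            start = i + 1
    return sorted(hits)


NEEDLE = b"This program cannot"

# Constructed blobs: the needle starts at byte offset 0, 1 and 2 of the encoded data,
# so each blob exercises a different alignment.
SAMPLES = [base64.b64encode(prefix + NEEDLE + b" be run in DOS mode.")
           for prefix in (b"", b"Z", b"ZZ")]

# Constructed custom alphabet: the standard one rotated by one position.
CUSTOM_ALPHABET = STD_ALPHABET[1:] + STD_ALPHABET[:1]

if __name__ == "__main__":
    for v in base64_variants(NEEDLE):
        print(v.decode())
    for blob in SAMPLES:
        print(blob.decode(), "->", find_base64_encoded(blob, NEEDLE))
```

For "This program cannot" the three searchable forms are the commented strings above with their tainted edge characters removed: VGhpcyBwcm9ncmFtIGNhbm5vd, RoaXMgcHJvZ3JhbSBjYW5ub3 and UaGlzIHByb2dyYW0gY2Fubm90. Dropping those characters is what makes the match independent of whatever bytes surround the string in the decoded data, and it is also why a very short string leaves little to search for.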
bf2y is a brainfuck compiler which targets the YARA virtual machine. You can get it from my bf2y branch at https://github.com/wxsBSD/yara/tree/bf2y.
You will need python3 and ply (https://pypi.org/project/ply/).
I've started to add a pehash implementation to YARA. I decided to base my implementation on the description in the paper and only use the totalhash and viper implementations for comparing results. In doing so I've noticed some problems, and it is unclear who is right.
For starters let's take a look at running the pehash.py implementation from totalhash against a binary.
wxs@psh Desktop % shasum 4180ee367740c271e05b3637ee64619fb9fe7b1d2b28866e590e731b9f81de36