Skip to content

Instantly share code, notes, and snippets.

Wesley Shields wxsBSD

Block or report user

Report or block wxsBSD

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile
View bf2y.md
View base64 and ascii working.md
wxs@wxs-mbp yara % cat rules/test.yara
rule a {
  strings:
    // This program cannot VGhpcyBwcm9ncmFtIGNhbm5vdA==
    // AThis program cannot QVRoaXMgcHJvZ3JhbSBjYW5ub3Q=
    // AAThis program cannot QUFUaGlzIHByb2dyYW0gY2Fubm90
    $a = "This program cannot" base64 ascii

    // Custom alphabets are supported, but I have it commented out for now. ;)
@wxsBSD
wxsBSD / base64.md
Created Dec 3, 2019
Base64 modifier in YARA
View base64.md
wxs@wxs-mbp yara % cat rules/test.yara
rule a {
  strings:
    // This program cannot VGhpcyBwcm9ncmFtIGNhbm5vdA==
    // AThis program cannot QVRoaXMgcHJvZ3JhbSBjYW5ub3Q=
    // AAThis program cannot QUFUaGlzIHByb2dyYW0gY2Fubm90
    $a = "This program cannot" base64

    // Custom alphabets are supported, but I have it commented out for now. ;)
View yara-parser.md

Using YARA python interface to parse files

I've shared this technique with some people privately, but might as well share it publicly now since I was asked about it. I've been using this for a while now with good success. It works well for parsing .NET droppers and other things.

If you don't know what the -D flag to YARA does I suggest you import a module and run a file through using that flag. It will print, to stdout, everything the module parsed that doesn't involve you calling a function. This is a great way to get a quick idea for the structure of a file.

For example:

wxs@mbp yara % cat always_false.yara
View gist:07a5709fdcb59d346e9e

Problems with pehash implementations

I've started to add a pehash implementation to YARA. I decided to base my implementation on the description in the paper and only use the totalhash and viper implementations for comparing results. In doing so I've noticed some problems, and it is unclear who is right.

Totalhash implementation

For starters let's take a look at running the pehash.py implementation from totalhash against a binary.

wxs@psh Desktop % shasum 4180ee367740c271e05b3637ee64619fb9fe7b1d2b28866e590e731b9f81de36
View gist:a3ba7f4733125813e58a

Note

This is outdated. The canonical source of documentation on this is over here.

Introduction

I recently put YARA inside osquery and thought I would provide some details on how to use it. There are two YARA related tables in osquery, which serve very different purposes. The first table, called yara_events, uses osquery's pub-sub framework to monitor for filesystem changes and will execute YARA when a file change event fires. The second table, called yara, is an on-demand YARA scanning table.

Configuration

View yara-loop-optimization.md

I've been working on optimizing the YARA compiler to generate better bytecode for loops. The goal is to skip as much of loops as possible by not iterating further once the loop condition is met. Here's the rule I'm using. Completely contrived and excessive, but it's to show the performance improvement:

wxs@wxs-mbp yara % cat rules/test.yara
rule a {
  condition:
    for any i in (0..100000000): (i == 1)
}
wxs@wxs-mbp yara %
@wxsBSD
wxsBSD / gist:019740e83faa7a7206f4
Last active May 11, 2019
YARA, now with more Math(TM)! (Thanks @alexcpsec)
View gist:019740e83faa7a7206f4

Introduction

I'd like to explain some of the new things I've added to YARA which will be in the next release. This is in addition to the stuff I've written about here, which are already in 3.2.0. If you have not read that I suggest you start there as it will tie in nicely with some of the things I'm going to mention here. Lastly, some of these things are not yet merged into master but I expect them to be very soon.

Math Module

There is a new module in YARA called math. The intention of this module is to expose some functions which you can use in your rules to calculate specific properties.

Functions

In particular it provides these functions for calculating different values:

  • entropy
View keybase.md

Keybase proof

I hereby claim:

  • I am wxsbsd on github.
  • I am wxs (https://keybase.io/wxs) on keybase.
  • I have a public key whose fingerprint is 96D1 2E6B F61C 2F3D 83EF 8F0B BE54 310C 17F0 AA37

To claim this, I am signing this object:

View yara-loop-optimization-details.md

YARA Loop Optimization Details

Let's look at the bytecode without my optimizations. Before we do that let's set some terminology, because I find it easier to use names compared YARA VM memory locations. These are the names I've mostly borrowed from the comments in the grammar:

  • memory 0: lower bound
  • memory 1: boolean_expression accumulator
  • memory 2: iteration counter
  • memory 3: upper bound

We'll be using this rule for the first example:

You can’t perform that action at this time.