Skip to content

Instantly share code, notes, and snippets.

Avatar

Wesley Shields wxsBSD

136 followers · 0 following · 0
View GitHub Profile
@wxsBSD
wxsBSD / gist:019740e83faa7a7206f4
Last active Mar 29, 2021
YARA, now with more Math(TM)! (Thanks @alexcpsec)
View gist:019740e83faa7a7206f4

Introduction

I'd like to explain some of the new things I've added to YARA which will be in the next release. This is in addition to the stuff I've written about here, which are already in 3.2.0. If you have not read that I suggest you start there as it will tie in nicely with some of the things I'm going to mention here. Lastly, some of these things are not yet merged into master but I expect them to be very soon.

Math Module

There is a new module in YARA called math. The intention of this module is to expose some functions which you can use in your rules to calculate specific properties.

Functions

In particular it provides these functions for calculating different values:

  • entropy
@wxsBSD
wxsBSD / gist:4ec929a0eb07d8e3feeccc49e0d9aa2a
Last active Dec 26, 2020
Counting string matches in YARA with awk
View gist:4ec929a0eb07d8e3feeccc49e0d9aa2a

Counting number of times strings match in YARA with awk...

wxs@wxs-mbp yara % cat rules/test.yara
rule a { strings: $a = "FreeBSD" nocase  $b = "usage: " condition: any of them }
wxs@wxs-mbp yara % ./yara -s rules/test.yara /bin/ls
a /bin/ls
0xb8e1:$a: FreeBSD
0xb9a1:$a: FreeBSD
0xb9f1:$a: FreeBSD
@wxsBSD
wxsBSD / fib.md
Created Oct 15, 2020
fib.bf - A Fibonacci Generator Written In Brainfuck Running On YARA
View fib.md

fib.bf - A Fibonacci Generator Written In Brainfuck Running On YARA

Wait, What?

Back in January I wrote bf2y which is a brainfuck to YARA compiler. bf2y takes in an arbitrary brainfuck program and outputs the instructions to execute the brainfuck code on the YARA virtual machine (well, a slightly modified VM). If you want the full details of how it works go read the code, but I want to talk about writing a Fibonacii number generator for it.

First, A BF Primer

@wxsBSD
wxsBSD / yrrc.md
Created May 10, 2020
yrrc example
View yrrc.md

Here's an example of how part of yrrc works. Starting with these rules:

wxs@wxs-mbp yrrc % cat rules/test.yara
rule a {
  meta:
    sample = "24c422e681f1c1bd08286c7aaf5d23a5f088dcdb0b219806b3a9e579244f00c5"
  condition:
    true
}
@wxsBSD
wxsBSD / ssl-profiling-local.bro
Last active Apr 3, 2020
View ssl-profiling-local.bro

SSL Profiling in Bro

I wrote profiling applications over SSL recently and this is my attempt at doing so in Bro. I haven't written a Bro script before this one so I'm betting I've got a bunch of things wrong here. The code comes in two parts. The first is the main script which has the core logic. The second part is the "local" script which defines the application profiles you are interested in.

The Main Script

@load base/protocols/conn
@load base/protocols/ssl
@load base/frameworks/notice
@wxsBSD
wxsBSD / base64.md
Created Dec 3, 2019
Base64 modifier in YARA
View base64.md 
wxs@wxs-mbp yara % cat rules/test.yara
rule a {
  strings:
    // This program cannot VGhpcyBwcm9ncmFtIGNhbm5vdA==
    // AThis program cannot QVRoaXMgcHJvZ3JhbSBjYW5ub3Q=
    // AAThis program cannot QUFUaGlzIHByb2dyYW0gY2Fubm90
    $a = "This program cannot" base64

    // Custom alphabets are supported, but I have it commented out for now. ;)
@wxsBSD
wxsBSD / base64 and ascii working.md
Created Dec 4, 2019
View base64 and ascii working.md 
wxs@wxs-mbp yara % cat rules/test.yara
rule a {
  strings:
    // This program cannot VGhpcyBwcm9ncmFtIGNhbm5vdA==
    // AThis program cannot QVRoaXMgcHJvZ3JhbSBjYW5ub3Q=
    // AAThis program cannot QUFUaGlzIHByb2dyYW0gY2Fubm90
    $a = "This program cannot" base64 ascii

    // Custom alphabets are supported, but I have it commented out for now. ;)
@wxsBSD
wxsBSD / yara-parser.md
Last active Feb 25, 2020
View yara-parser.md

Using YARA python interface to parse files

I've shared this technique with some people privately, but might as well share it publicly now since I was asked about it. I've been using this for a while now with good success. It works well for parsing .NET droppers and other things.

If you don't know what the -D flag to YARA does I suggest you import a module and run a file through using that flag. It will print, to stdout, everything the module parsed that doesn't involve you calling a function. This is a great way to get a quick idea for the structure of a file.

For example:

wxs@mbp yara % cat always_false.yara
@wxsBSD
wxsBSD / bf2y.md
Last active Jan 17, 2020
bf2y
View bf2y.md
@wxsBSD
wxsBSD / gist:07a5709fdcb59d346e9e
Last active Jul 15, 2019
View gist:07a5709fdcb59d346e9e

Problems with pehash implementations

I've started to add a pehash implementation to YARA. I decided to base my implementation on the description in the paper and only use the totalhash and viper implementations for comparing results. In doing so I've noticed some problems, and it is unclear who is right.

Totalhash implementation

For starters let's take a look at running the pehash.py implementation from totalhash against a binary.

wxs@psh Desktop % shasum 4180ee367740c271e05b3637ee64619fb9fe7b1d2b28866e590e731b9f81de36