Yara Corrupt Imports
Author: David Zimmer
Date: 03.11.20 - 6:28am

When Yara encounters a corrupted import table, it tries to get along as far as it can and skips what it must:

    if (!pe_valid_dll_name(dll_name, pe->data_size - (size_t) offset))
    {
        import_errors++; //dzzie
        imports++;
        continue;
    }

This can leave things like pe.imphash() and pe.number_of_imports in weird states, with no way to detect that it has encountered errors. I have submitted a proposed addition that would allow you to detect these errors through a new pe.import_errors member. Since corrupt files can easily throw your signatures for a loop but still be flagged by AV as malicious, corruption detection is a useful feature.

While researching this issue I also ended up adding a dll_imports[] array to get more insight into what's going on:

    begin_struct_array("dll_imports");
        declare_string("name");
        declare_integer("funcCount");
    end_struct("dll_imports");

This, along with my dbg extension, allows you to dump the partial info and watch it with a Yara rule such as the following:

    rule dumpImportState
    {
        condition:
            pe.dbg("imphash", pe.imphash()) and
            pe.dbg("import_errors", pe.import_errors) and
            pe.dbg("NumImports", pe.number_of_imports-1) and
            for all i in (0 .. pe.number_of_imports) : (
                pe.dbg(pe.dll_imports[i].funcCount, pe.dll_imports[i].name)
            )
    }

All of these extensions are already available in the latest Yara Workbench.
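As an added illustration (not code from this post, from Yara Workbench or from Yara itself), here is a small Python walker over a PE32 import directory that behaves like the patched loop above: a DLL entry whose name fails the same character check as pe_valid_dll_name is skipped, but the skip is counted as import_errors while number_of_imports, a dll_imports list and the imphash input are still reported, so the partial state is visible rather than silently wrong. It assumes a constructed blob in which RVA equals file offset (no section mapping) and 4-byte thunk entries where a by-name entry points at a 2-byte hint followed by the function name; walk_imports, build_sample and the returned field names are the example's own.

```python
# Added example (not Yara's code nor the post author's): a PE32 import-table walker that skips
# invalid DLL names as Yara does but counts every skip. Assumes a blob in which RVA == file offset.
import hashlib
import struct

ORDINAL_FLAG = 0x80000000  # IMAGE_ORDINAL_FLAG32 (PE32: 4-byte thunk entries)

def cstr(data: bytes, off: int) -> str:
    return data[off:].split(b"\0", 1)[0].decode("ascii", "replace")

def valid_dll_name(raw: bytes) -> bool:
    # Yara's pe_valid_dll_name: NUL inside the buffer, non-empty, [A-Za-z0-9_.+-] only
    name = raw.split(b"\0", 1)[0]
    ok = all(c < 128 and (chr(c).isalnum() or chr(c) in "_.-+") for c in name)
    return ok and 0 < len(name) < len(raw)

def walk_imports(data: bytes, dir_off: int) -> dict:
    imports = import_errors = 0
    dll_imports, parts = [], []
    for off in range(dir_off, len(data) - 19, 20):  # 20-byte IMAGE_IMPORT_DESCRIPTORs
        oft, _ts, _fwd, name_rva, ft = struct.unpack_from("<5I", data, off)
        if name_rva == 0 and ft == 0:
            break  # all-zero terminator
        if not valid_dll_name(data[name_rva:name_rva + 256]):
            import_errors += 1  # Yara skips silently; here the skip is recorded
            imports += 1        # mirrors the patched code: imports++ then continue
            continue
        dll = cstr(data, name_rva)
        base = dll.lower().rsplit(".", 1)[0]  # imphash uses the name minus its extension
        funcs, thunk = 0, ft or oft
        while thunk + 4 <= len(data):
            entry, = struct.unpack_from("<I", data, thunk)
            if entry == 0:
                break
            fn = "ord%d" % (entry & 0xFFFF) if entry & ORDINAL_FLAG else cstr(data, entry + 2)
            parts.append(f"{base}.{fn.lower()}")
            funcs, thunk = funcs + 1, thunk + 4
        dll_imports.append({"name": dll, "funcCount": funcs})
        imports += 1
    imphash_input = ",".join(parts)
    return {"number_of_imports": imports, "import_errors": import_errors,
            "dll_imports": dll_imports, "imphash_input": imphash_input,
            "imphash": hashlib.md5(imphash_input.encode()).hexdigest()}

def build_sample() -> bytes:
    # Constructed blob: kernel32.dll (2 functions), then a descriptor whose name RVA
    # points at non-printable bytes, i.e. a corrupt import entry.
    buf = bytearray(160)
    struct.pack_into("<5I", buf, 0, 128, 0, 0, 64, 128)
    struct.pack_into("<5I", buf, 20, 144, 0, 0, 80, 144)
    buf[64:77], buf[80:86] = b"kernel32.dll\0", b"\xff\x01bad\0"
    buf[96:110], buf[112:126] = b"\0\0CreateFileA\0", b"\0\0ExitProcess\0"
    struct.pack_into("<3I", buf, 128, 96, 112, 0)
    struct.pack_into("<2I", buf, 144, 96, 0)
    return bytes(buf)
```

Running walk_imports(build_sample(), 0) reports two import descriptors, one of them an error, and an imphash built from kernel32 alone, which is exactly the partial state the rule above dumps.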