Yara WorkBench


Author: David Zimmer
Date: 12.17.19 - 2:56am



Releasing a new tool today to help you develop and test Yara Signatures.

Yara Workbench is a full IDE with syntax highlighting, code completion, bench marking, match offsets, and in depth match details.



Since the initial video I had added in a couple more bonuses such as:
  • module dump: (yara -D option)
    • loads into a syntax highlight control
    • if intVal > 9 dump values default to hex
    • dll_imports[]{.name, .funcCount} fields
  • launch selected file in an internal or external hex editor
  • launch selected file in external disassembler

I also added two new functions to the pe module. pe.dbg(string) and pe.dbg(int). These can be used as a simple way to get some insight into how yara is running.

This can come in handy for example in the following scenario:
  • pe.imphash() output is not included in the pe module dump
  • a sample file has a corrupt import table
  • what value does imphash() return? hint its not UNDEFINED or ""
With the new functions we can display its output with pe.dbg(pe.imphash()) to see the value of d41d8cd98f00b204e9800998ecf8427e which is md5("")

This could also be useful if a uint32() read was not returning what you expected, and wanted an easy way to see some debug output.

The dbg function will always return 1 so it can be used in the condition section without error.

Another useful example would be using it to get yara to dump pe section entropy:

import "pe"
import "math"

rule test
{
     condition:
        for all i in (0 .. pe.number_of_sections -1):(
            pe.dbg( 
                pe.sections[i].name,
                math.entropy(
                    pe.sections[i].raw_data_offset, 
                    pe.sections[i].raw_data_size
                )
            )
        )

		
}


I hacked it into an existing module since the built in functions like uint32() get compiled into rules as binary opcodes and it just wasnt worth the fuss to add a native dbg() function at this point. Adding new functions to modules was quite easy below are the basic mods I used:

//dzzie
define_function(dbg)
{
	char* name = string_argument(1);
	vb_dbg(cb_dbg, name);
	return_integer(1);
}

define_function(dbgi)
{
	char buf[255];
	int v = integer_argument(1);
	if (v < 10)
		snprintf(buf, sizeof(buf), "%d", v);
	else
		snprintf(buf, sizeof(buf), "0x%x", v);

	vb_dbg(cb_dbg, buf);
	return_integer(1);
}

define_function(dbgf)
{
	char buf[255];
	float v = float_argument(1);
	snprintf(buf, sizeof(buf), "%.6f", v);
	vb_dbg(cb_dbg, buf);
	return_integer(1);
}

define_function(dbgsf)
{
	char* txt = string_argument(1);
	float v = float_argument(2);
	int sz = strlen(txt) + 255;
	char* buf = (char*)malloc(sz);
	if (buf == NULL) {
		vb_dbg(cb_dbg, "dbgsf Failed to malloc %d bytes",sz);
		return_integer(1);
	}
	snprintf(buf, sz, "%s = %.6f", txt, v);
	vb_dbg(cb_dbg, buf);
	free(buf);
	return_integer(1);
}

define_function(dbgsi)
{
	char* txt = string_argument(1);
	int v = integer_argument(2);
	int sz = strlen(txt) + 255;
	char* buf = (char*)malloc(sz);
	if (buf == NULL) {
		vb_dbg(cb_dbg, "dbgsi Failed to malloc %d bytes", sz);
		return_integer(1);
	}
	snprintf(buf, sz, "%s = %x", txt, v);
	vb_dbg(cb_dbg, buf);
	free(buf);
	return_integer(1);
}


//dzzie

 //dzzie
  begin_struct_array("dll_imports");
  declare_string("name");
  declare_integer("funcCount");
  end_struct("dll_imports");

  declare_function("dbg", "s", "i", dbg); //name,arg,retType,func
  declare_function("dbg", "i", "i", dbgi);
  declare_function("dbg", "f", "i", dbgf);
  declare_function("dbg", "sf", "i", dbgsf);
  declare_function("dbg", "si", "i", dbgsi);
  //dzzie





Comments: (0)

 
Leave Comment:
Name:
Email: (not shown)
Message: (Required)
Math Question: 67 + 23 = ? followed by the letter: K 



Twitter
RSS
About Me
More Blogs
Main Site
Posts:
Yara WorkBench
SafeArrayGetVartype
vbdec dbg updates
vb6 PCode NOP
vb6 API and call backs
how pcode works Pt1
PrintFile
ImpAdCallNonVirt
Reversing PCode Args
VB6 PCode Disassembly
VB6 PCode Debugger
UConnect Disable Cell Modem
IDA python over IPC
dns wildcard blocking
64bit IDA Plugins
anterior lines
misc news/updates
KANAL Mod
Decoders again
CDO.Message Breakpoints
SysAnalyzer Updates
SysAnalyzer and Site Updates
crazy decoder
ida js w/dbg
flash patching #2
JS Graphing
packet reassembly
Delphi IDA Plugin
scdbg IDA integration
API Hash Database
Winmerge plugin
IDACompare Updates
Guest Post @ hexblog
TCP Stream Reassembly
SysAnalyzer Updates
Apilogger Video
Shellcode2Exe trainer
scdbg updates
IDA Javascript w/IDE
Rop Analysis II
scdbg vrs ROP
flash patching
x64 Hooks
micro hook
jmp api+5 *2
SysAnalyzer Updates
InjDll runtime config
C# Asm/Dsm Library
Shellcode Hook Detection
Updates II
findDll
Java Hacking
Windows 8
Win7 x64
Graphing ideas
.Net Hacking
Old iDefense Releases
BootLoaders
hll shellcode
ActionScript Tips
-patch fu
scdbg ordinal lookup
scdbg -api mode
Peb Module Lists
scdbg vrs Process Injection
GetProcAddress Scanner
scdbg fopen mode
scdbg findsc mode
scdbg MemMonitor
demo shellcodes
scdbg download
api hashs redux
Api hash gen
Retro XSS Chat Codes
Exe as DLL
Olly Plugins
Debugging Explorer
Attach to hidden process
JS Refactoring
Asm and Shellcode in CSharp
Fancy Return Address
PDF Stream Dumper
Malcode Call API by Hash
WinDbg Cheat Sheet
GPG Automation