Yara WorkBenchAuthor: David Zimmer Date: 12.17.19 - 2:56am Releasing a new tool today to help you develop and test Yara Signatures. Yara Workbench is a full IDE with syntax highlighting, code completion, bench marking, match offsets, and in depth match details. Since the initial build I had added in a couple more bonuses such as:
I also added two new functions to the pe module. pe.dbg(string) and pe.dbg(int). These can be used as a simple way to get some insight into how yara is running. This can come in handy for example in the following scenario:
This could also be useful if a uint32() read was not returning what you expected, and wanted an easy way to see some debug output. The dbg function will always return 1 so it can be used in the condition section without error. Another useful example would be using it to get yara to dump pe section entropy: import "pe" import "math" rule test { condition: for all i in (0 .. pe.number_of_sections -1):( pe.dbg( pe.sections[i].name, math.entropy( pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size ) ) ) } Another example to see how yara handles corrupt import tables or resources: rule dumpImportState { condition: pe.dbg("imphash", pe.imphash()) and pe.dbg("import_errors", pe.import_errors) and pe.dbg("NumImports" , pe.number_of_imports-1) and for all i in (0 .. pe.number_of_imports):( pe.dbg( pe.dll_imports[i].funcCount, pe.dll_imports[i].name) ) } rule dumpResources { condition: pe.dbg("NumResources" , pe.number_of_resources-1) and for any i in (0 .. pe.number_of_resources-1):( not pe.dbgw(pe.resources[i].name_string) ) } I hacked it into an existing module since the built in functions like uint32() get compiled into rules as binary opcodes and it just wasnt worth the fuss to add a native dbg() function at this point. Adding new functions to modules was quite easy below are the basic mods I used. (More details on the import_errors and dll_imports[] can be found in Yara git issue 1224) //dzzie declare_integer("import_errors"); begin_struct_array("dll_imports"); declare_string("name"); declare_integer("funcCount"); end_struct("dll_imports"); declare_function("dbgw", "s", "i", dbgw); //wide string version for resource names declare_function("dbg", "s", "i", dbg); //name,arg,retType,func declare_function("dbg", "i", "i", dbgi); declare_function("dbg", "f", "i", dbgf); declare_function("dbg", "sf", "i", dbgsf); declare_function("dbg", "si", "i", dbgsi); declare_function("dbg", "is", "i", dbgis); declare_function("dbg", "ii", "i", dbgii); declare_function("dbg", "ss", "i", dbgss); declare_function("isdef", "s", "i", isdef); //dzzie Another one i found I wanted: declare_function("section_exists", "s", "i", section_name_exists); define_function(section_name_exists) { YR_OBJECT* module = module(); char* name = string_argument(1); int64_t n = get_integer(module, "number_of_sections"); int i; if (is_undefined(module, "number_of_sections")) return_integer(0); for (i = 0; i < yr_min(n, MAX_PE_SECTIONS); i++) { SIZED_STRING* sect = get_string(module, "sections[%i].name", i); if (sect != NULL && strcmp(name, sect->c_string) == 0) return_integer(1); } return_integer(0); } Comments: (0) |
About Me More Blogs Main Site
|
||||||||||||||||||||||||||||||