Yara Corrupt Imports


Author: David Zimmer
Date: 03.11.20 - 6:28am



When Yara encounters a corrupted import table, it tries to get along as far as it can and skips what it must:

if (!pe_valid_dll_name(dll_name, pe->data_size - (size_t) offset))
{
      import_errors++; //dzzie
      imports++;
      continue;
}


This can leave things like pe.imphash() and pe.number_of_imports in weird states with no way to detect that it has encountered errors.

I have submitted a proposed addition that would allow you to detect these errors through a new pe.import_errors member.

Since corrupt files can easily throw your signatures for a loop, but still be flagged by AV as malicious, corruption detection is a useful feature.

While researching this issue I also ended up adding a dll_imports[] array to get more insight into whats doing on.
begin_struct_array("dll_imports");
    declare_string("name");
    declare_integer("funcCount");
end_struct("dll_imports");
This along with my dbg extension allows you to dump the partial info and watch it with a yara such as the following:

rule dumpImportState
{
    condition:
            pe.dbg("imphash", pe.imphash()) and
            pe.dbg("import_errors", pe.import_errors) and
            pe.dbg("NumImports" , pe.number_of_imports-1) and 
            for all i in (0 .. pe.number_of_imports):(
                pe.dbg( pe.dll_imports[i].funcCount, pe.dll_imports[i].name) 
            )
}


All of these extensions are already available in the latest Yara Workbench.




Comments: (0)

 
Leave Comment:
Name:
Email: (not shown)
Message: (Required)
Math Question: 68 + 14 = ? followed by the letter: O 



About Me
More Blogs
Main Site
Posts: (All)
2023 ( 4 )
2022 ( 5 )
2021 ( 2 )
2020 (5)
     AutoIT versions
     IDA JScript 2
     Using VB6 Obj files from C
     Yara Corrupt Imports
     Yara Undefined values
2019 (6)
     Yara WorkBench
     SafeArrayGetVartype
     vb6 API and call backs
     PrintFile
     ImpAdCallNonVirt
     UConnect Disable Cell Modem
2017 (5)
     IDA python over IPC
     dns wildcard blocking
     64bit IDA Plugins
     anterior lines
     misc news/updates
2016 ( 4 )
2015 ( 5 )
2014 ( 5 )
2013 ( 9 )
2012 ( 13 )
2011 ( 19 )
2010 ( 11 )
2009 ( 1 )