Yara Corrupt Imports


Author: David Zimmer
Date: 03.11.20 - 6:28am



When Yara encounters a corrupted import table, it tries to get along as far as it can and skips what it must:

if (!pe_valid_dll_name(dll_name, pe->data_size - (size_t) offset))
{
    import_errors++; //dzzie - proposed counter, exposed as pe.import_errors
    imports++;       // the skipped descriptor is still counted
    continue;        // move on to the next import descriptor
}


This can leave values such as pe.imphash() and pe.number_of_imports in inconsistent states, with no way for a rule to tell that the parser ran into errors.

I have submitted a proposed addition that would allow you to detect these errors through a new pe.import_errors member.

Since corrupt files can easily throw your signatures for a loop, but still be flagged by AV as malicious, corruption detection is a useful feature.

While researching this issue I also ended up adding a dll_imports[] array to get more insight into what's going on:

begin_struct_array("dll_imports");
    declare_string("name");
    declare_integer("funcCount");
end_struct("dll_imports");

This, along with my dbg extension, allows you to dump the partial import info and watch it with a Yara rule such as the following:

rule dumpImportState
{
    condition:
        pe.dbg("imphash", pe.imphash()) and
        pe.dbg("import_errors", pe.import_errors) and
        pe.dbg("NumImports", pe.number_of_imports-1) and
        for all i in (0 .. pe.number_of_imports):(
            pe.dbg( pe.dll_imports[i].funcCount, pe.dll_imports[i].name)
        )
}
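To make the skip-and-count behaviour concrete outside of Yara, here is a small added Python example (mine, not code from the post or from the Yara project). It walks an IMAGE_IMPORT_DESCRIPTOR array, applies an approximation of Yara's pe_valid_dll_name() check, and keeps the same two counters the rule above prints (number_of_imports and import_errors) plus a per-DLL function count like dll_imports[i].funcCount. The sample image is constructed inline, and it assumes RVA == buffer offset so no section headers have to be parsed; MAX_DLL_NAME is an assumed bound, not a Yara constant. The imphash string follows the pefile convention (lowercase, .dll/.ocx/.sys stripped, ordinals as ordN).

```python
import hashlib
import struct

# IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
DESC = struct.Struct("<IIIII")
MAX_DLL_NAME = 256   # assumed upper bound on a DLL name length, not a Yara constant

def valid_dll_name(buf, off, limit=MAX_DLL_NAME):
    """Approximation of Yara's pe_valid_dll_name(): the name must be NUL-terminated
    within the bytes available, non-empty, and consist only of [A-Za-z0-9_.-]."""
    n = min(limit, len(buf) - off)
    i = 0
    while i < n and buf[off + i] != 0:
        c = buf[off + i]
        if c >= 0x80 or not (chr(c).isalnum() or c in b"_.-"):
            return False
        i += 1
    return 0 < i < n          # reached a NUL, and not on the very first byte

def read_cstr(buf, off):
    end = buf.find(b"\0", off)
    return buf[off:end].decode("ascii", errors="replace") if end >= 0 else None

def parse_imports(buf, desc_rva):
    """Walk the descriptor array the way the Yara snippet does: an entry with an
    unusable DLL name is counted (imports++), recorded (import_errors++) and
    skipped. RVA == buffer offset here (assumption for the demo)."""
    dlls, imports, errors = [], 0, 0
    off = desc_rva
    while off + DESC.size <= len(buf):
        oft, _, _, name_rva, ft = DESC.unpack_from(buf, off)
        off += DESC.size
        if name_rva == 0:                 # all-zero terminator entry
            break
        imports += 1
        if not valid_dll_name(buf, name_rva):
            errors += 1
            continue
        funcs, thunk = [], (oft or ft)
        while thunk + 4 <= len(buf):
            entry, = struct.unpack_from("<I", buf, thunk)
            thunk += 4
            if entry == 0:
                break
            if entry & 0x80000000:        # import by ordinal
                funcs.append("ord%d" % (entry & 0xFFFF))
            else:                         # IMAGE_IMPORT_BY_NAME: hint word, then name
                name = read_cstr(buf, entry + 2)
                if name:
                    funcs.append(name)
        dlls.append((read_cstr(buf, name_rva), funcs))
    return {"number_of_imports": imports, "import_errors": errors, "dlls": dlls}

def imphash_string(dlls):
    """The comma-joined 'dll.func' list that imphash hashes (pefile convention)."""
    parts = []
    for dll, funcs in dlls:
        base = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if base.endswith(ext):
                base = base[:-len(ext)]
                break
        parts += ["%s.%s" % (base, f.lower()) for f in funcs]
    return ",".join(parts)

def imphash(dlls):
    return hashlib.md5(imphash_string(dlls).encode()).hexdigest()

def build_sample():
    """Constructed image for the demo: two intact DLL entries, one descriptor
    whose Name RVA points at non-ASCII garbage, then the zero terminator."""
    buf = bytearray(0x400)
    cursor = [0x100]                      # strings and thunk tables go here
    def put(b):
        at = cursor[0]
        buf[at:at + len(b)] = b
        cursor[0] += len(b)
        return at
    def dll(name, funcs):
        name_rva = put(name + b"\0")
        thunks = [put(b"\0\0" + f + b"\0") for f in funcs]   # hint + name
        ilt = put(struct.pack("<%dI" % (len(thunks) + 1), *thunks, 0))
        return DESC.pack(ilt, 0, 0, name_rva, ilt)
    descs = dll(b"KERNEL32.dll", [b"CreateFileA", b"ExitProcess"])
    descs += dll(b"user32.dll", [b"MessageBoxA"])
    descs += DESC.pack(0, 0, 0, put(b"\xff\xfe bogus\x01"), 0)   # corrupt name
    descs += DESC.pack(0, 0, 0, 0, 0)
    buf[:len(descs)] = descs
    return bytes(buf)

if __name__ == "__main__":
    r = parse_imports(build_sample(), 0)
    print("number_of_imports", r["number_of_imports"], "import_errors", r["import_errors"])
    for name, funcs in r["dlls"]:
        print(" ", name, len(funcs), funcs)
    print("imphash", imphash(r["dlls"]))
```

Running it shows the divergence the post describes: the corrupt descriptor still raises number_of_imports to 3 while only two DLLs contribute to the imphash, and a non-zero import_errors is the only signal that the hash was computed from a partial table.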


All of these extensions are already available in the latest Yara Workbench.



