Yara Corrupt Imports

Author: David Zimmer
Date: 03.11.20 - 6:28am

When Yara encounters a corrupted import table, it tries to get along as far as it can and skips what it must:

if (!pe_valid_dll_name(dll_name, pe->data_size - (size_t) offset))
      import_errors++; //dzzie

This can leave things like pe.imphash() and pe.number_of_imports in weird states with no way to detect that it has encountered errors.

I have submitted a proposed addition that would allow you to detect these errors through a new pe.import_errors member.

Since corrupt files can easily throw your signatures for a loop, but still be flagged by AV as malicious, corruption detection is a useful feature.

While researching this issue I also ended up adding a dll_imports[] array to get more insight into whats doing on.
This along with my dbg extension allows you to dump the partial info and watch it with a yara such as the following:

rule dumpImportState
            pe.dbg("imphash", pe.imphash()) and
            pe.dbg("import_errors", pe.import_errors) and
            pe.dbg("NumImports" , pe.number_of_imports-1) and 
            for all i in (0 .. pe.number_of_imports):(
                pe.dbg( pe.dll_imports[i].funcCount, pe.dll_imports[i].name) 

All of these extensions are already available in the latest Yara Workbench.

Comments: (0)

Leave Comment:
Email: (not shown)
Message: (Required)
Math Question: 74 + 14 = ? followed by the letter: R 

About Me
More Blogs
Main Site
Posts: (All)
2020 (5)
     Vb6 PCode Internals
     Vb6 Runtime ForLoop Disasm
     VB6 Pcode - For Loops
     Yara Corrupt Imports
     Yara Undefined values
2019 (12)
     Yara WorkBench
     vbdec dbg updates
     vb6 PCode NOP
     vb6 API and call backs
     how pcode works Pt1
     Reversing PCode Args
     VB6 PCode Disassembly
     VB6 PCode Debugger
     UConnect Disable Cell Modem
2017 ( 5 )
2016 ( 4 )
2015 ( 6 )
2014 ( 5 )
2013 ( 9 )
2012 ( 13 )
2011 ( 19 )
2010 ( 11 )
2009 ( 1 )