Yara Corrupt ImportsAuthor: David Zimmer Date: 03.11.20 - 6:28am When Yara encounters a corrupted import table, it tries to get along as far as it can and skips what it must: if (!pe_valid_dll_name(dll_name, pe->data_size - (size_t) offset)) { import_errors++; //dzzie imports++; continue; } This can leave things like pe.imphash() and pe.number_of_imports in weird states with no way to detect that it has encountered errors. I have submitted a proposed addition that would allow you to detect these errors through a new pe.import_errors member. Since corrupt files can easily throw your signatures for a loop, but still be flagged by AV as malicious, corruption detection is a useful feature. While researching this issue I also ended up adding a dll_imports[] array to get more insight into whats doing on.
begin_struct_array("dll_imports");
declare_string("name");
declare_integer("funcCount");
end_struct("dll_imports");
This along with my dbg extension allows you to dump the partial info and watch it with a yara such as the following:
rule dumpImportState
{
condition:
pe.dbg("imphash", pe.imphash()) and
pe.dbg("import_errors", pe.import_errors) and
pe.dbg("NumImports" , pe.number_of_imports-1) and
for all i in (0 .. pe.number_of_imports):(
pe.dbg( pe.dll_imports[i].funcCount, pe.dll_imports[i].name)
)
}
All of these extensions are already available in the latest Yara Workbench. Comments: (0) |
About Me More Blogs Main Site |