Yara Workbench AutomationAuthor: David Zimmer Date: 12.29.23 - 1:23pm in previous posts we have talked about how to get yara workbench to spit out some analysis results using the pe.dbg feature (now the console.log class in public release yara). rule sect_entropy { condition: pe.dbg("sect_entropy") and for all i in (0 .. pe.number_of_sections -1):( pe.dbg( pe.sections[i].name, math.entropy( pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size ) ) ) }When I updated the yara engine to 4.3.1 I also added in a javascript automation feature. There are a couple sample automation scripts to get you started (along with a object browser and basic intellisense). Below is a quick script I used the other day to extract the seed values used in a sample set of api hashers. if(!main.curResults) throw( new Error("No Results yet") ) hashs = {} for(i=1; i <= main.curResults.count() ; i++){ yf = main.curResults(i) //YaraFile class tmp = [] tb.fopen(yf.file) tmp.push(fso.filenamefrompath(yf.file)) for(j=1; j <= yf.TotalMatches();j++){ ym = yf.matches(j ) //YaraMatch mr = ym.results(1) //known only one result no need to loop off = mr.offset //MatchResult seed = "0x" + tb.h(tb.uint32(off+15)) cnt = hashs[seed] hashs[seed] = cnt == undefined ? 1 : cnt + 1 tmp.push(tb.h(off)) tmp.push(seed) tb.t(tmp.join(",")) } tb.fclose() } //tb.t(" Seed hit counts: ") //for(var propt in hashs){tb.t(propt + ': ' + hashs[propt]);} Another one: (note my blog is eats some slash chars you will have to tweak) rule = "rule test{ strings: $keys = {8B C683 E0 030F B6 CA0F B6 80} condition:$keys }" //file = "D:\_ftp_root_3lob4_03A41000.mem" file = dlg.opendialog("D:\_ftp_root_3") main.doScan(file,rule) if(!main.curResults) throw( new Error("No Results yet") ) tmp = [] try{ for(i=1; i <= main.curResults.count() ; i++){ yf = main.curResults(i) //YaraFile class tb.fopen(yf.file) for(j=1; j <= yf.TotalMatches();j++){ ym = yf.matches(j) //YaraMatch for(k=1;k<=ym.results.count();k++){ mr = ym.results(k) off = mr.offset //MatchResult key = "0x" + tb.h(tb.uint32(off+11)) //tmp.push(tb.h(off)) tmp.push(key) } } tb.fclose() } }catch(e){} tb.t(tmp.join(",")) Still need to test some of the stuff but handy addition anyway... Comments: (0) |
About Me More Blogs Main Site
|
||||||||||||||||||||||||||||||