Quick introduction to Yara rules
Table of contents


Introduction to yara rules

- What are yara rules
- How yara rules save your time
- Why would you use yara rules

Getting your hands on yara
- Installing yara rules
- Build yara from source

What do you need to know before writing yara rules
- What yara code looks like
- Rule Identifiers
- Important keywords
- Strings
- Conditions

Extra resources
- Links


~ what are yara rules ~

Yara was created to aid malware analysis by classifying malware files based on rules built from expressions, file sizes, strings, etc.


~ How yara rules save your time ~

Malware authors are getting better every day at changing their tactics to avoid detection, which makes it very hard for anti-virus products and defenders to keep systems secure, but this is nothing new. To detect malware, defenders and anti-virus products need a plan and tools for detecting a malware sample. Traditionally, defenders used file-hash signatures such as SHA-256, MD5 and SHA-1 checksums. More advanced anti-virus doesn't scan each file's hash signature; it looks for certain characteristics of the files in /programfiles, using different configurations, to identify malware.

~ why would you use yara rules ~

Because anti-virus products use the file-signature technique: they look at files and compare each file's hash to a signature database. This technique is useless for detecting an unknown malware sample running on your computer. To close that gap we can use yara rules to detect bad executables using "string signatures".

~ Installing yara rules ~

On Ubuntu and other Linux-based distros, yara has a direct installation candidate in the package repositories, so installation is very easy.
Code:
sudo apt-get install yara -y

Verifying the installation

[Image: 30a963d03bc127261c997df32d06de22.png]

~ Build yara from source ~

Download the tar.gz from GitHub, unpack it and build it
Code:
wget https://github.com/VirusTotal/yara/archive/v3.11.0.tar.gz
tar -xvzf v3.11.0.tar.gz
cd yara-3.11.0
./bootstrap.sh
./configure
make
sudo make install

Before running bootstrap.sh make sure you have these packages installed on your Linux distro:
automake, libtool, make, gcc
otherwise bootstrap.sh errors out

Code:
sudo apt-get install automake libtool make gcc

Verifying yara by making a sample rule

Code:
echo 'rule verifying_rules { condition: true }' > my_first_rule

Running my_first_rule to check if yara is working

Code:
yara my_first_rule my_first_rule


[Image: 76ea953f1f2b79ce83e8b8d6b37e9370.png]


~ What yara code looks like ~

[Image: eb53ac8b3e36a05b8897aac8448cb14e.png]

~ Rule Identifiers ~

Code:
rule im_arule { condition : false }

The rule identifier is the word that follows the rule keyword; here it is im_arule.
Identifiers follow this format:

- alphanumeric characters
- underscore characters
- the first character must not be a digit
- identifiers are case-sensitive

~ Important keywords ~

[Image: be79311d7cace8bc44fe30cd5510ebdd.png]

Rules have two sections: strings and condition.

~ strings ~

There are three types of strings: hexadecimal strings, regular expressions and text strings.
Example code
Code:
rule im_string
{
    strings:
        $text_string = "hello world"
        $hex_code = { 68 65 6c 6c 6f 20 77 6f 72 6c 64 20 }
    condition:
        $text_string or $hex_code
}

Hexadecimal strings

Hexadecimal strings allow three constructions: wildcards, jumps and alternatives.
Wildcards
Wildcards are placeholders that you can put in a string to indicate bytes whose values are not yet known. The placeholder character is a question mark (?).
Code:
rule three_point
{
    strings:
       $hex_text = { 6F 20 C4 ?? ?? ??  }

    condition:
       $hex_text
}


Jump rules

In this example the numbers are placed in square brackets and separated by a hyphen. The jump [5-6] means that any sequence of 5 to 6 bytes can occupy that position.

Code:
rule musketeers
    {
        strings : 
           $hex_code = { 68 65 [5-6] 6F  }

        condition:
           $hex_code
    }

Alternatives

Sometimes there are situations where you want to give different alternatives for part of a hex string. In such situations you can use an expression that works like a regular-expression alternation: the alternatives are placed between round brackets and separated by a vertical bar.

Code:
rule i_lOokFimilar
{
    strings:
       $hex_text = { E8 B6 ( 33 C4 | 43 ) 12 }

    condition:
       $hex_text
}

This rule matches either of the following byte sequences

Code:
E8B633C412
E8B64312
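To make the three hex-string constructions above concrete, here is an added example (my own code, not part of this post and not yara's own matcher) that translates a yara-style hex string into a Python regular expression over bytes and runs it against a few constructed buffers. It covers the whole-byte wildcard ??, the half-byte wildcard (a single ? stands for one hex digit, so 5? matches 0x50 to 0x5F), jumps like [5-6], and alternatives like ( 33 C4 | 43 ). The SAMPLES buffers are made up for the demo; the pattern strings are the ones from the rules above plus one extra MZ-header pattern.

```python
import re

# Constructed sample buffers for the demo; none of them come from a real file
SAMPLES = {
    "wildcard": b"xx" + bytes.fromhex("6f20c4010203") + b"yy",
    "jump_ok": bytes.fromhex("6865") + b"ABCDE" + bytes.fromhex("6f"),
    "jump_too_long": bytes.fromhex("6865") + b"ABCDEFG" + bytes.fromhex("6f"),
    "alt_first": bytes.fromhex("e8b633c412"),
    "alt_second": bytes.fromhex("e8b64312"),
    "alt_neither": bytes.fromhex("e8b633c44312"),
    "mz_header": b"MZ\x90\x00",
}

# One token per byte pair, jump, bracket or bar; whitespace between tokens is ignored
TOKEN_RE = re.compile(r"\[\s*\d*\s*-\s*\d*\s*\]|\[\s*\d+\s*\]|[()|]|[0-9A-Fa-f?]{2}")


def _nibble_class(tok):
    """Byte class for a token with a single '?' nibble, e.g. '5?' matches 0x50..0x5F."""
    hi, lo = tok
    candidates = [b for b in range(256)
                  if (hi == "?" or (b >> 4) == int(hi, 16))
                  and (lo == "?" or (b & 0xF) == int(lo, 16))]
    return b"[" + b"".join(re.escape(bytes([b])) for b in candidates) + b"]"


def hex_string_to_regex(hex_string):
    """Translate a yara-style hex string such as '{ 68 65 [5-6] 6F }' into a bytes regex."""
    body = hex_string.strip()
    if body.startswith("{") and body.endswith("}"):
        body = body[1:-1]
    parts = []
    for tok in TOKEN_RE.findall(body):
        if tok == "(":
            parts.append(b"(?:")            # alternatives become a regex group
        elif tok in (")", "|"):
            parts.append(tok.encode())
        elif tok.startswith("["):           # jump: a range of arbitrary bytes
            inner = tok[1:-1].replace(" ", "")
            if "-" in inner:
                lo, hi = inner.split("-")   # '[5-]' means 5 or more bytes
                parts.append(b".{" + (lo or "0").encode() + b"," + hi.encode() + b"}")
            else:
                parts.append(b".{" + inner.encode() + b"}")
        elif tok == "??":                   # whole-byte wildcard
            parts.append(b".")
        elif "?" in tok:                    # half-byte wildcard
            parts.append(_nibble_class(tok))
        else:                               # literal byte
            parts.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)


def find_matches(hex_string, data):
    """Return (offset, matched bytes as hex) for every match of the hex string in data."""
    regex = hex_string_to_regex(hex_string)
    return [(m.start(), m.group().hex()) for m in regex.finditer(data)]


if __name__ == "__main__":
    for name, pattern in [("wildcard", "{ 6F 20 C4 ?? ?? ?? }"),
                          ("jump_ok", "{ 68 65 [5-6] 6F }"),
                          ("jump_too_long", "{ 68 65 [5-6] 6F }"),
                          ("alt_first", "{ E8 B6 ( 33 C4 | 43 ) 12 }"),
                          ("alt_second", "{ E8 B6 ( 33 C4 | 43 ) 12 }"),
                          ("alt_neither", "{ E8 B6 ( 33 C4 | 43 ) 12 }"),
                          ("mz_header", "{ 4D 5? }")]:
        print(name, pattern, "->", find_matches(pattern, SAMPLES[name]))
```

The jump_too_long buffer has 7 bytes between 68 65 and 6F, so [5-6] does not match it, and alt_neither shows that the byte after the alternation has to be 12 immediately; real yara also reports every occurrence, while this toy only reports non-overlapping regex matches.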

Text strings

Text strings look like the example below; they are placed in double quotation marks, like in Python.

Code:
rule example
{
    strings:
        $im_string = "hello"
    condition:
        $im_string
}

Case-insensitive strings

Text strings are case-sensitive by default, but you can append nocase after the string to make it case-insensitive.

Code:
rule IamCaseInSensitive
{
    strings:
        $a4 = "bot update " nocase
    condition:
        $a4
}

Regular expressions
Regular expressions are a powerful feature built into yara; they are enclosed in forward slashes (/).

Code:
rule md5
{
    strings:
        $r4 = /md5 : [0-9a-zA-Z]{32}/
    condition:
        $r4
}


Conditions

Conditions are just Boolean expressions, like the ones found in every programming language.

Code:
rule conditions
{
    strings:
        $a1 = "cat"
        $a2 = "boatnet"
        $a3 = "virustoal"
        $a4 = "scanner"
    condition:
        ( $a1 or $a2 ) and ($a3 or $a4 )
}
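To show how the text, nocase and regex strings feed into the condition, here is an added example (my own code, not part of this post and not yara itself) that scans a constructed buffer with the string definitions from the conditions, IamCaseInSensitive and md5 rules above and then evaluates each rule's condition. The SAMPLE bytes and the tuple-based rule format are made up for the demo; the condition is evaluated by swapping every $name for its match result and then allowing only and/or/not, parentheses and True/False through.

```python
import re

# Constructed sample data for the demo (not taken from a real malware sample)
SAMPLE = (b"config: cat=1\n"
          b"Bot Update channel\n"
          b"md5 : 0123456789abcdef0123456789abcdef\n"
          b"scanner=on\n")


def compile_string(kind, value, nocase=False):
    """Turn one yara-style string definition into a compiled bytes regex."""
    flags = re.IGNORECASE if nocase else 0
    if kind == "text":                      # plain text: match the bytes literally
        return re.compile(re.escape(value.encode()), flags)
    if kind == "regex":                     # regular expression: use it as written
        return re.compile(value.encode(), flags)
    raise ValueError("unknown string kind: " + kind)


def evaluate_rule(strings, condition, data):
    """Scan data with every string, then evaluate the Boolean condition.

    strings:   {"$name": (kind, value, nocase)}
    condition: yara-style expression over the string names
    returns:   (rule matched?, {"$name": matched?})
    """
    matches = {name: compile_string(*spec).search(data) is not None
               for name, spec in strings.items()}
    # Replace each $name with True/False according to whether it was found
    expr = re.sub(r"\$\w+", lambda m: str(matches[m.group()]), condition)
    # Only Boolean keywords, parentheses and literals may remain before eval
    if not re.fullmatch(r"(?:\s*(?:and|or|not|\(|\)|True|False)\s*)+", expr):
        raise ValueError("unsupported condition: " + condition)
    return eval(expr, {"__builtins__": {}}, {}), matches


# The rules from this post, written in the demo's (made-up) tuple format
RULE_CONDITIONS = ({"$a1": ("text", "cat", False),
                    "$a2": ("text", "boatnet", False),
                    "$a3": ("text", "virustoal", False),
                    "$a4": ("text", "scanner", False)},
                   "( $a1 or $a2 ) and ($a3 or $a4 )")

# Same text with and without nocase, to show what the modifier changes
RULE_NOCASE = ({"$exact": ("text", "bot update ", False),
                "$loose": ("text", "bot update ", True)},
               "$exact or $loose")

RULE_MD5 = ({"$r4": ("regex", r"md5 : [0-9a-zA-Z]{32}", False)}, "$r4")


if __name__ == "__main__":
    for label, rule in [("conditions", RULE_CONDITIONS),
                        ("IamCaseInSensitive", RULE_NOCASE),
                        ("md5", RULE_MD5)]:
        matched, per_string = evaluate_rule(*rule, SAMPLE)
        print(label, "->", matched, per_string)
```

In the sample only "cat" and "scanner" are present, so ( $a1 or $a2 ) and ($a3 or $a4 ) is still true, while "bot update " is only found by the nocase string because the buffer spells it "Bot Update ".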

Resources

https://yara.readthedocs.io/
https://0x00sec.org/t/tutorial-creating-...ction/5453
https://github.com/InQuest/awesome-yara
https://github.com/AlienVault-OTX/yabin
https://github.com/Neo23x0/yarGen
https://www.kitploit.com/2020/01/yarasaf...ction.html
https://github.com/cuckoosandbox/cuckoo
https://www.youtube.com/watch?v=DdkLY99HgAA