Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

--- security:malware:yara [2021/06/19 13:33] – angelegt wikiadm
+++ security:malware:yara [2021/07/03 15:52] (aktuell) – wikiadm
@@ Zeile 1: / Zeile 1: @@
 ====== Create a file on vulnerable Server ======
-count printable characters with the minimum length of 7
+count sequences of printable characters with the minimum length of 7
 <code>
 strings --bytes=7 sample.exe | wc -l
@@ Zeile 16: / Zeile 16: @@
        $s
 }
+</code>
+<code>
+sudo yara /home/student/Desktop/rules/offset.yar . -s
 </code>
@@ Zeile 31: / Zeile 35: @@
 ====== Rule to detect maleware in PE Files ======
+===== Generate Rule from Strings =====
+generate_rule.sh
+<code>
+#!/bin/bash
+echo "rule mw_rule" > /home/student/Desktop/rules/malware.yar
+echo "{" >> /home/student/Desktop/rules/malware.yar
+echo "  strings:" >> /home/student/Desktop/rules/malware.yar
+count=1
+while read s; do
+  p=${s//\"/\\\"}
+  echo "    \$s$count = \"$p\" fullword ascii" >> /home/student/Desktop/rules/malware.yar
+  count=$((count+1))
+done </home/student/Desktop/intel/strings.txt
+echo "" >> /home/student/Desktop/rules/malware.yar
+echo "  condition:" >> /home/student/Desktop/rules/malware.yar
+echo "    any of them and" >> /home/student/Desktop/rules/malware.yar
+echo "    uint16(0) == 0x5A4D and" >> /home/student/Desktop/rules/malware.yar
+echo "    uint32(uint32(0x3C)) == 0x4550" >> /home/student/Desktop/rules/malware.yar
+echo "}" >> /home/student/Desktop/rules/malware.yar
+</code>
+===== Final Rule =====
 malware.yar
+--> generated, but left only relevant string
+rule mw_rule
+{
+  strings:
+    $s176 = "cmd.exe /c \"%s\"" fullword ascii
+  condition:
+    $s176 and
+    uint16(0) == 0x5A4D and
+    uint32(uint32(0x3C)) == 0x4550
+}
 <code>
-...
+yara /home/student/Desktop/rules/malware.yar /home/student/Desktop/suspicious -s
 </code>