security:malware:yara [2021/06/26 10:43] wikiadm security:malware:yara [2021/07/03 15:52] (current) wikiadm
Line 35: Line 35:
  
 ====== Rule to detect maleware in PE Files ====== ====== Rule to detect maleware in PE Files ======
 +===== Generate Rule from Strings =====
 generate_rule.sh generate_rule.sh
 <code> <code>
 #!/bin/bash #!/bin/bash
  
-echo "rule cmd_rule" > /home/student/Desktop/rules/malware.yar+echo "rule mw_rule" > /home/student/Desktop/rules/malware.yar
 echo "{" >> /home/student/Desktop/rules/malware.yar echo "{" >> /home/student/Desktop/rules/malware.yar
-echo "  strings:" >> /home/student/Desktop/rules/malware.yar 
  
 +echo "  strings:" >> /home/student/Desktop/rules/malware.yar
 count=1 count=1
 while read s; do while read s; do
   p=${s//\"/\\\"}   p=${s//\"/\\\"}
-  echo "    \$s$count = \"$p\"" >> /home/student/Desktop/rules/malware.yar+  echo "    \$s$count = \"$p\" fullword ascii" >> /home/student/Desktop/rules/malware.yar
   count=$((count+1))   count=$((count+1))
 done </home/student/Desktop/intel/strings.txt done </home/student/Desktop/intel/strings.txt
- 
-echo "    \$mz = \"MZ\"" >> /home/student/Desktop/rules/malware.yar 
  
 echo "" >> /home/student/Desktop/rules/malware.yar echo "" >> /home/student/Desktop/rules/malware.yar
 +
 echo "  condition:" >> /home/student/Desktop/rules/malware.yar echo "  condition:" >> /home/student/Desktop/rules/malware.yar
-echo "    any of (\$s*)  and" >> /home/student/Desktop/rules/malware.yar +echo "    any of them and" >> /home/student/Desktop/rules/malware.yar 
-echo "    \$mz at 0 and uint32(uint32(0x3C)) == 0x4550" >> /home/student/Desktop/rules/malware.yar+echo "    uint16(0) == 0x5A4D and" >> /home/student/Desktop/rules/malware.yar 
 +echo "    uint32(uint32(0x3C)) == 0x4550" >> /home/student/Desktop/rules/malware.yar
  
 echo "}" >> /home/student/Desktop/rules/malware.yar echo "}" >> /home/student/Desktop/rules/malware.yar
 </code> </code>
-=====Rule to detect maleware in PE Files ======+===== Final Rule =====
 malware.yar malware.yar
-<code> +--> generated, but left only relevant string 
---> generated + 
-</code> +rule mw_rule 
-...+
 +  strings: 
 +    $s176 = "cmd.exe /c \"%s\"" fullword ascii 
 + 
 +  condition: 
 +    $s176 and 
 +    uint16(0) == 0x5A4D and 
 +    uint32(uint32(0x3C)) == 0x4550 
 +
 <code> <code>
 yara /home/student/Desktop/rules/malware.yar /home/student/Desktop/suspicious -s yara /home/student/Desktop/rules/malware.yar /home/student/Desktop/suspicious -s
 </code> </code>
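Review bot: the `while read s; do` loop in generate_rule.sh loses backslashes from every line of strings.txt, because `read` without `-r` treats a backslash as an escape character, and the following `p=${s//\"/\\\"}` escapes only double quotes, although YARA text strings also require backslashes to be escaped; a Windows path such as a string containing `C:\Windows` therefore lands in malware.yar mangled, or with a bare backslash that yara rejects as an illegal escape sequence when the rule is loaded. Suggest `while IFS= read -r s; do` and escaping backslashes before quotes, e.g. `p=${s//\\/\\\\}` followed by `p=${p//\"/\\\"}`, and skipping empty lines, since an empty `$sN = ""` string is also rejected by yara. Replacing the old `$mz = "MZ"` / `$mz at 0` pair with `uint16(0) == 0x5A4D` is the idiomatic form and reads correctly together with `uint32(uint32(0x3C)) == 0x4550`; `any of them` is equivalent to the previous `any of ($s*)` because every string is still named `$sN`. Minor: the unchanged heading `Rule to detect maleware in PE Files` still carries the typo (malware).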
security/malware/yara.1624697008.txt.gz · Last modified: by wikiadm