Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

--- security:malware:yara [2021/06/26 11:00] – wikiadm
+++ security:malware:yara [2021/07/03 15:52] (aktuell) – wikiadm
@@ Zeile 35: / Zeile 35: @@
 ====== Rule to detect maleware in PE Files ======
+===== Generate Rule from Strings =====
 generate_rule.sh
 <code>
 #!/bin/bash
-echo "rule cmd_rule" > /home/student/Desktop/rules/malware.yar
+echo "rule mw_rule" > /home/student/Desktop/rules/malware.yar
 echo "{" >> /home/student/Desktop/rules/malware.yar
-echo "  strings:" >> /home/student/Desktop/rules/malware.yar
+echo "  strings:" >> /home/student/Desktop/rules/malware.yar
 count=1
 while read s; do
@@ Zeile 51: / Zeile 52: @@
 echo "" >> /home/student/Desktop/rules/malware.yar
 echo "  condition:" >> /home/student/Desktop/rules/malware.yar
 echo "    any of them and" >> /home/student/Desktop/rules/malware.yar
@@ Zeile 58: / Zeile 60: @@
 echo "}" >> /home/student/Desktop/rules/malware.yar
 </code>
-====== Rule to detect maleware in PE Files ======
+===== Final Rule =====
 malware.yar
-<code>
+--> generated, but left only relevant string
---> generated
-</code>
+rule mw_rule
-...
+{
+  strings:
+    $s176 = "cmd.exe /c \"%s\"" fullword ascii
+  condition:
+    $s176 and
+    uint16(0) == 0x5A4D and
+    uint32(uint32(0x3C)) == 0x4550
+}
 <code>
 yara /home/student/Desktop/rules/malware.yar /home/student/Desktop/suspicious -s
 </code>