security:malware:yara
Create a file on the vulnerable server
Count sequences of printable characters with a minimum length of 7 (the same threshold used for the strings fed to the rule generator below):
strings --bytes=7 sample.exe | wc -l
Rule to detect cmd.exe
offset.yar
rule cmd_rule
{
    strings:
        $s = "cmd.exe /c \"%s\""
    condition:
        $s
}
sudo yara /home/student/Desktop/rules/offset.yar . -s
Rule to identify PE file type
pe.yar
rule IsPeFile {
    strings:
        $mz = "MZ"
    condition:
        $mz at 0 and uint32(uint32(0x3C)) == 0x4550
}
Script to generate a rule to detect malware in PE files
generate_rule.sh
#!/bin/bash
# Generate malware.yar from the strings in intel/strings.txt (one string per line).
out=/home/student/Desktop/rules/malware.yar
intel=/home/student/Desktop/intel/strings.txt

echo "rule malware_rule" > "$out"   # unique name, so the file can be loaded together with offset.yar
echo "{" >> "$out"
echo "    strings:" >> "$out"
count=1
# IFS= and -r keep leading blanks and backslashes; a plain 'read' would turn C:\Windows into C:Windows
while IFS= read -r s; do
    [ -z "$s" ] && continue          # YARA rejects empty string literals
    # escape backslashes first, then double quotes, so each line is a valid YARA text string
    p=$(printf '%s' "$s" | sed 's/\\/\\\\/g; s/"/\\"/g')
    echo "        \$s$count = \"$p\"" >> "$out"
    count=$((count+1))
done < "$intel"
echo "        \$mz = \"MZ\"" >> "$out"
echo "" >> "$out"
echo "    condition:" >> "$out"
# 'any of ($s*)', not 'any of them': 'them' would include $mz, which every PE file
# satisfies, so the rule would match every PE file regardless of the intel strings
echo "        any of (\$s*) and" >> "$out"
echo "        \$mz at 0 and uint32(uint32(0x3C)) == 0x4550" >> "$out"
echo "}" >> "$out"
Rule to detect malware in PE files
malware.yar
…
yara /home/student/Desktop/rules/malware.yar /home/student/Desktop/suspicious -s
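The following is an added example, not code from the original page: a pure-Python walk through the workflow above (the `strings --bytes=7 | wc -l` count, the PE header test from pe.yar, and the rule generator from generate_rule.sh) so each piece can be checked without yara installed. Everything in it is assumed for illustration: the `build_fake_pe` buffer and the `INTEL_STRINGS` list are constructed inputs that stand in for sample.exe and intel/strings.txt, the rule name `malware_rule` and the `\xNN` escaping are choices made here, and `matches` is only a Python approximation of the generated condition, not the YARA engine.

```python
import re
import struct

# Constructed input, not real malware: a buffer carrying only the header fields
# pe.yar looks at ('MZ' at 0, e_lfanew at 0x3C, 'PE\0\0' at e_lfanew) plus a payload.
def build_fake_pe(payload: bytes) -> bytes:
    e_lfanew = 0x80
    hdr = bytearray(e_lfanew)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = struct.pack("<I", e_lfanew)   # little-endian, as YARA's uint32() reads it
    return bytes(hdr) + b"PE\x00\x00" + payload + b"\x00" * 16

# Constructed stand-in for intel/strings.txt: quotes, backslashes, an empty line,
# a line shorter than the 7-byte threshold, and a duplicate.
INTEL_STRINGS = [
    'cmd.exe /c "%s"',
    'C:\\Windows\\System32\\cmd.exe',
    '',
    'abc',
    'cmd.exe /c "%s"',
]

def extract_strings(data: bytes, min_len: int = 7) -> list[bytes]:
    """Approximation of `strings --bytes=N`: runs of N or more printable ASCII bytes.
    len() of the result is what `| wc -l` reports."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)

def is_pe_file(data: bytes) -> bool:
    """Same test as pe.yar: $mz at 0 and uint32(uint32(0x3C)) == 0x4550.
    YARA yields 'undefined' (condition false) for reads past the end of the file;
    the length checks reproduce that instead of raising."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return struct.unpack_from("<I", data, e_lfanew)[0] == 0x4550   # b"PE\0\0"

def yara_escape(s: str) -> str:
    """Escape a line for a YARA "..." text string: backslash first, then the
    double quote, and anything outside printable ASCII as \\xNN."""
    out = []
    for ch in s:
        if ch == "\\":
            out.append("\\\\")
        elif ch == '"':
            out.append('\\"')
        elif 0x20 <= ord(ch) <= 0x7E:
            out.append(ch)
        else:
            out.append("\\x%02x" % (ord(ch) & 0xFF))
    return "".join(out)

def generate_rule(intel: list[str], name: str = "malware_rule", min_len: int = 7) -> str:
    """The rule generate_rule.sh writes, with the strings escaped, empty/short/
    duplicate lines dropped, and '1 of ($s*)' instead of 'any of them' so the
    MZ marker cannot satisfy the string clause by itself."""
    kept: list[str] = []
    for line in intel:
        if len(line) >= min_len and line not in kept:
            kept.append(line)
    if not kept:
        raise ValueError("no usable strings; YARA rejects a rule whose strings section is empty")
    lines = [f"rule {name}", "{", "    strings:"]
    for i, s in enumerate(kept, 1):
        lines.append(f'        $s{i} = "{yara_escape(s)}"')
    lines += [
        "    condition:",
        "        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x4550 and",
        "        1 of ($s*)",
        "}",
    ]
    return "\n".join(lines) + "\n"

def matches(data: bytes, intel: list[str], flawed: bool = False) -> bool:
    """Evaluate the generated condition in Python (an approximation, not yara).
    flawed=True adds the "MZ" marker to the 'any of' set, as 'any of them' did in
    the original script: then every PE file matches, whatever the intel says."""
    needles = [s.encode() for s in intel if len(s) >= 7]
    if flawed:
        needles.append(b"MZ")
    return is_pe_file(data) and any(n in data for n in needles)

if __name__ == "__main__":
    sample = build_fake_pe(b'cmd.exe /c "%s"')
    clean = build_fake_pe(b"Copyright (c) Example Software")
    print(len(extract_strings(sample)), "string(s) of length >= 7 in sample")
    print(generate_rule(INTEL_STRINGS))
    for label, blob in (("sample", sample), ("clean", clean)):
        print(label, "fixed:", matches(blob, INTEL_STRINGS),
              "flawed:", matches(blob, INTEL_STRINGS, flawed=True))
```

The text returned by `generate_rule` can be written to malware.yar and run with the `yara ... -s` command above; the `flawed=True` path reproduces why the `any of them` condition in the original script fires on every PE file, including one that contains none of the intel strings.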
security/malware/yara.1624696560.txt.gz · Last modified: by wikiadm
