giantbranch@ubuntu:~/yara/Ransomware.WannaCry$ yara ../rules/Crypto_index.yar ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
../rules/./Crypto/crypto_signatures.yar(12): warning: $c0 is slowing down scanning (critical!)
../rules/./Crypto/crypto_signatures.yar(24): warning: $c0 is slowing down scanning (critical!)
../rules/./Crypto/crypto_signatures.yar(36): warning: $c0 is slowing down scanning (critical!)
../rules/./Crypto/crypto_signatures.yar(48): warning: $c0 is slowing down scanning (critical!)
../rules/./Crypto/crypto_signatures.yar(60): warning: $c0 is slowing down scanning (critical!)
../rules/./Crypto/crypto_signatures.yar(72): warning: $c0 is slowing down scanning (critical!)
../rules/./Crypto/crypto_signatures.yar(93): warning: $c0 is slowing down scanning
../rules/./Crypto/crypto_signatures.yar(776): warning: $c0 is slowing down scanning
CRC32_poly_Constant ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
CRC32_table ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
RijnDael_AES ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
RijnDael_AES_CHAR ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
RijnDael_AES_LONG ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Next, let's see which malware family the sample belongs to; the classification is fairly accurate.
giantbranch@ubuntu:~/yara/Ransomware.WannaCry$ yara ../rules/malware_index.yar ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
../rules/./malware/APT_DPRK_ROKRAT.yar(47): warning: $b2 is slowing down scanning
../rules/./malware/RAT_Ratdecoders.yar(153): warning: $conf is slowing down scanning (critical!)
Str_Win32_Winsock2_Library ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
WannaDecryptor ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Wanna_Sample_84c82835a5d21bbcf75a61706d8ab549 ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
ransom_telefonica ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Wanna_Cry_Ransomware_Generic ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
WannaCry_Ransomware ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
WannaCry_Ransomware_Dropper ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
wannacry_static_ransom ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Finally, let's see what packer, if any, was applied.
giantbranch@ubuntu:~/yara/Ransomware.WannaCry$ yara ../rules/Packers_index.yar ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
../rules/./Packers/Javascript_exploit_and_obfuscation.yar(26): warning: $fff is slowing down scanning (critical!)
../rules/./Packers/peid.yar(672): warning: $a is slowing down scanning (critical!)
../rules/./Packers/peid.yar(900): warning: $a is slowing down scanning
。。。。。。。。
。。。。。。。。
。。。。。。。。
../rules/./Packers/peid.yar(68942): warning: $a is slowing down scanning
../rules/./Packers/peid.yar(68951): warning: $a is slowing down scanning
IsPE32 ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
IsWindowsGUI ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
IsPacked ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
HasRichSignature ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Microsoft_Visual_Cpp_v60 ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Microsoft_Visual_Cpp_v50v60_MFC_additional ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Microsoft_Visual_Cpp_50 ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Microsoft_Visual_Cpp_v50v60_MFC ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Microsoft_Visual_Cpp ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
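To turn scans like the three above into something a triage script can consume, here is an added Python example (not code from the post) that parses yara's default CLI output into matches per scanned file and collects the per-rule-file "slowing down scanning" warnings, so the noisiest rule files can be tuned first. The output it parses is a constructed excerpt shaped like the sessions above, and the regexes assume yara's default one-line `rule_name path` match format with no whitespace in the path.

```python
import re
from collections import defaultdict

# Constructed excerpt shaped like the `yara <index>.yar <sample>` output above:
# per-rule-file warnings (stderr), then one "rule_name target" line per match.
SAMPLE_OUTPUT = """\
../rules/./Crypto/crypto_signatures.yar(12): warning: $c0 is slowing down scanning (critical!)
../rules/./Crypto/crypto_signatures.yar(93): warning: $c0 is slowing down scanning
../rules/./Packers/peid.yar(672): warning: $a is slowing down scanning (critical!)
CRC32_poly_Constant ./sample.exe
RijnDael_AES ./sample.exe
IsPacked ./sample.exe
"""

# "<rule file>(<line>): warning: <message>"
WARNING_RE = re.compile(r"^(?P<file>.+?)\((?P<line>\d+)\): warning: (?P<msg>.+)$")
# "<rule identifier> <scanned path>" (default match line; assumes no spaces in path)
MATCH_RE = re.compile(r"^(?P<rule>[A-Za-z_]\w*) (?P<target>\S+)$")


def parse_yara_output(text):
    """Parse combined stdout+stderr of yara into (matches, warnings).

    matches:  {scanned_path: sorted list of matching rule names}
    warnings: list of {file, line, msg, critical}; critical is True when yara
              tagged the slow atom "(critical!)".
    """
    matches, warnings = defaultdict(set), []
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        w = WARNING_RE.match(line)
        if w:
            warnings.append({"file": w["file"], "line": int(w["line"]), "msg": w["msg"],
                             "critical": "(critical!)" in w["msg"]})
            continue
        m = MATCH_RE.match(line)
        if m:
            matches[m["target"]].add(m["rule"])
    return {t: sorted(r) for t, r in matches.items()}, warnings


def slow_rule_files(warnings):
    """Count slow-atom warnings per rule file -> {file: (total, critical)},
    so the rule files that most hurt scan speed can be reviewed first."""
    counts = {}
    for w in warnings:
        total, crit = counts.get(w["file"], (0, 0))
        counts[w["file"]] = (total + 1, crit + int(w["critical"]))
    return counts
```

Feed it the captured output of one index scan (`yara ... 2>&1`) and the match list per sample is ready to be compared across the Crypto, malware and Packers indexes.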