def _generator(self):
layer = self.context.layers[self.config['primary']]
rules = None
if self.config.get('yara_rules', None) is not None:
rule = self.config['yara_rules']
if rule[0] not in ["{", "/"]:
rule = '"{}"'.format(rule)
if self.config.get('case', False):
rule += " nocase"
if self.config.get('wide', False):
rule += " wide ascii"
rules = yara.compile(sources = {'n': 'rule r1 {{strings: $a = {} condition: $a}}'.format(rule)})
elif self.config.get('yara_file', None) is not None:
rules = yara.compile(file = resources.ResourceAccessor().open(self.config['yara_file'], "rb"))
else:
vollog.error("No yara rules, nor yara rules file were specified")
filter_func = pslist.PsList.create_pid_filter([self.config.get('pid', None)])
for task in pslist.PsList.list_processes(context = self.context,
layer_name = self.config['primary'],
symbol_table = self.config['nt_symbols'],
filter_func = filter_func):
for offset, name in layer.scan(context = self.context,
scanner = yarascan.YaraScanner(rules = rules),
sections = self.get_vad_maps(task)):
yield format_hints.Hex(offset), name
def each_dump(self):
self.ignored_rules = list_value(self.ignored_rules)
# Create file containing rules
tmpdir = tempdir()
rules_path = os.path.join(tmpdir, "rules")
rules = open(rules_path, "w")
rules.write(self.rules)
rules.close()
# Build a VadYaraScan plugin instance
vad_yara_scan = self.configure_plugin(
"windows.vadyarascan.VadYaraScan",
yara_file="file://{}".format(rules_path))
rules = yarascan.YaraScan.process_yara_options(
dict(vad_yara_scan.config))
for task in pslist.PsList.list_processes(
context=vad_yara_scan.context,
layer_name=vad_yara_scan.config["primary"],
symbol_table=vad_yara_scan.config["nt_symbols"],
):
layer_name = task.add_process_layer()
layer = vad_yara_scan.context.layers[layer_name]
for offset, rule_name, name, value in layer.scan(
context=vad_yara_scan.context,
scanner=yarascan.YaraScanner(rules=rules),
sections=vad_yara_scan.get_vad_maps(task),
):
if rule_name not in self.ignored_rules:
self.results.append({
"rule":
rule_name,
"owner":
task.ImageFileName.cast(
"string",
max_length=task.ImageFileName.vol.count,
errors="replace"),
"pid":
task.UniqueProcessId,
"variable":
name,
"hexdump":
hexdump(value, result="return"),
})
self.add_tag(rule_name)
return len(self.results) > 0
def _generator(self):
rules = yarascan.YaraScan.process_yara_options(dict(self.config))
filter_func = pslist.PsList.create_pid_filter(self.config.get('pid', None))
for task in pslist.PsList.list_processes(context = self.context,
layer_name = self.config['primary'],
symbol_table = self.config['nt_symbols'],
filter_func = filter_func):
layer_name = task.add_process_layer()
layer = self.context.layers[layer_name]
for offset, rule_name, name, value in layer.scan(context = self.context,
scanner = yarascan.YaraScanner(rules = rules),
sections = self.get_vad_maps(task)):
yield 0, (format_hints.Hex(offset), task.UniqueProcessId, rule_name, name, value)
def _generator(self):
if not has_yara:
log.error("You must install yara")
return
config = dict()
if self.config.get('yara_file', None) is not None:
RULES = yara.compile(file=resources.ResourceAccessor().open(
self.config['yara_file'], "rb"))
else:
# https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Pony.yar
SIGS = {
'pony':
'''
rule pony {
meta:
author = "Brian Wallace @botnet_hunter"
author_email = "*****@*****.**"
date = "2014-08-16"
description = "Identify Pony"
strings:
$ = "YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0"
condition:
all of them
}
'''
}
RULES = yara.compile(sources=SIGS)
filter_func = pslist.PsList.create_pid_filter(
[self.config.get('pid', None)])
for task in pslist.PsList.list_processes(
context=self.context,
layer_name=self.config['primary'],
symbol_table=self.config['nt_symbols'],
filter_func=filter_func):
try:
proc_layer_name = task.add_process_layer()
except exceptions.InvalidAddressException:
continue
proc_layer = self.context.layers[proc_layer_name]
for offset, name in proc_layer.scan(
context=self.context,
scanner=yarascan.YaraScanner(rules=RULES),
sections=vadyarascan.VadYaraScan.get_vad_maps(task)):
log.debug("Got a Yara match!")
vad, vad_start, vad_end = self.get_vad(task, offset)
if vad is None:
log.debug("VAD not found")
return
full_pe = vaddump.vad_dump(self.context, proc_layer_name, vad)
config = self.get_config(full_pe)
if not config:
log.debug("Config extraction failed")
continue
yield (0, (format_hints.Hex(offset), task.UniqueProcessId,
str(config)))