notareverser’s gists

notareverser / innosetup.yara

Created February 21, 2022 12:31

Rule to detect InnoSetup installers

	rule InnoSetup
	{
	strings:
	$integrity_check_merged = {b9 ?? ?? ?? ?? b2 01 b8 ?? ?? ?? ?? e8 ?? ?? ?? ?? e8 ?? ?? ?? ?? c3 00 ff ff ff ff 47 00 00 00 54 68 65 20 73 65 74 75 70 20 66 69 6c 65 73 20 61 72 65 20 63 6f 72 72 75 70 74 65 64 2e 20 50 6c 65 61 73 65 20 6f 62 74 61 69 6e 20 61 20 6e 65 77 20 63 6f 70 79 20 6f 66 20 74 68 65 20 70 72 6f 67 72 61 6d 2e 00}
	$lzmadecompsmall = {53 83 c4 f8 8b d8 89 1c 24 c6 44 24 04 00 54 6a 00 b9 ?? ?? ?? ?? b2 01 b8 ?? ?? ?? ?? e8 ?? ?? ?? ?? e8 ?? ?? ?? ?? 59 5a 5b c3 00 ff ff ff ff 32 00 00 00 6c 7a 6d 61 64 65 63 6f 6d 70 73 6d 61 6c 6c 3a 20 43 6f 6d 70 72 65 73 73 65 64 20 64 61 74 61 20 69 73 20 63 6f 72 72 75 70 74 65 64 20 28 25 64 29 00}
	$lzma_merged = {53 83 c4 f8 8b d8 89 1c 24 c6 44 24 04 00 54 6a 00 b9 ?? ?? ?? ?? b2 01 ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? e8 ?? ?? ?? ?? 59 5a 5b c3 00 ff ff ff ff 27 00 00 00 6c 7a 6d 61 3a 20 43 6f 6d 70 72 65 73 73 65 64 20 64 61 74 61 20 69 73 20 63 6f 72 72 75 70 74 65 64 20 28 25 64 29 00}
	condition:

notareverser / code-signatures.treatise.txt

Created February 15, 2022 16:22

A brief treatise on code-based YARA signatures

	Today for #100DaysOfYARA I want to dive in to some of the dirty secrets of creating/maintaining code-based YARA signatures

	Let's use SQLite3 as an example. Go get the source here (I prefer the amalgamation):
	https://sqlite.org/download.html

	I would like to reliably detect when a file is using SQLite. I often look at Windows executables, so I'm going to first concentrate on x86 programs that use this library. The easiest way to find them is to first concentrate on cleartext strings. In this case, I'm gonna pop over to VirusTotal and search for an easily-identifiable string:


	content: "failed to allocate %u bytes of memory" type:pe

notareverser / generate-stackstrings-yara.py

Last active May 14, 2022 17:15

Script to generate stackstrings YARA signatures for common implementation patterns

	#!/usr/bin/env python3

	import sys, string, struct

	def strByByte(_strval):
	strval = bytearray(_strval.encode())
	for s in strval: yield s

	def strByDword(_strval):
	strval = bytearray(_strval.encode())

notareverser / kernel32.yara

Last active February 9, 2022 13:14

Another stack-string signature for kernel32

	rule stackstring_kernel32_large_stack
	{
	strings:
	$v = { c785[1-4]6b[3-4]
	c785[1-4]65[3-4]
	c785[1-4]72[3-4]
	c785[1-4]6e[3-4]
	c785[1-4]65[3-4]
	c785[1-4]6c[3-4]
	c785[1-4]33[3-4]

notareverser / A #100DaysOfYARA story

Created January 28, 2022 13:03

Here's a little story all about how my rules got flipped, turned upside down

	Let's do something a little different today and talk about WHY we use YARA signatures.
	I'm going to do this by walking through an example.
	If you want to play along, I've put all my #100DaysofYARA rules here

	https://gist.github.com/notareverser/d5f4f0d09285edca3ec027534c233271


	I was doing something unrelated and happened across this file:

	Filename: b1fcc3a7ca7a4829a9f9ce636b784656.virustotal

notareverser / YARA rules for #100DaysOfYARA

Created January 28, 2022 11:48

	import "pe"

	rule ASPack_PE
	{
	strings:
	$unpackStub = {60 e8 03 00 00 00 e9 eb 04 5d 45 55 c3 e8 01 00 00 00 eb 5d bb ed ff ff ff}
	condition:
	$unpackStub at pe.entry_point or (uint8(@unpackStub-1) == 0x90)
	}

notareverser / shannon-sig.py

Created January 19, 2022 16:37

A Python program to generate regular-expression YARA signatures for yes/no maps of shellcode under single-byte encodings

notareverser / yara-merge.py

Created January 13, 2022 13:44

Merge N YARA rules from a file, where the rules have a single string, and the strings are all of the same length

	#!/usr/bin/env python3

	# yes, this is crappy code
	# yes, it generally gets the job done


	import sys

	def countRules(data): return data.count('rule ')

French notareverser