$ matched_yara_fn rules/alg_crypto_rc4.yara samples/windows/ransomware/revil/win.revil
fcn.100064ee contains match for $ksa0
fcn.100064ee contains match for $ksa1
$ sha256sum samples/windows/ransomware/revil/win.revil
f74c7a605588db80b0812de54ae0f5bf26fcaef8e7dce830a64cbeaddbac7673 samples/windows/ransomware/revil/win.revil
Last active: January 5, 2022 12:12
Find function definitions from YARA matches
```bash
#!/bin/bash
# Resolve each YARA string match to the function that contains it.
# Usage: matched_yara_fn <rules.yara> <binary>
matched_yara_fn() {
    # `yara -s` prints one line per string match: "0x<file offset>:$<id>: <bytes>".
    # Select those lines (they start with "0x"; the gist's original /1/ filter only
    # kept lines that happened to contain a '1') and build one rizin command per
    # match: ?P maps the file (physical) offset to its virtual address and afi.
    # prints the name of the function at that address.
    match_w_rz_cmds=$(yara -s "$1" "$2" | awk -F ':' '/^0x/ {printf "%s,aac; afi. @ $(?P %s)\n", $2, $1}')
    while IFS=',' read -r match rzcmd; do
        echo "$(rizin -qc "$rzcmd" "$2") contains match for $match"
    done <<< "$match_w_rz_cmds"
}
```
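The script above starts a new rizin process, and re-runs analysis, for every matched string. The variant below is an added example, not the gist's own code: it converts the whole `yara -s` output into a single rizin command list, runs the full analysis (`aaa`) once, and pairs each match back with the function `afi.` reports. It assumes `yara` and `rizin` are on PATH, that `yara -s` prints match lines as `0x<offset>:$<id>: <bytes>`, and that `?e` (echo), `?P` (physical-to-virtual address) and `afi.` (function name at address) behave as in the gist; the `$` of the string id is stripped before it reaches rizin so it is not expanded as a rizin variable. The two text-processing helpers can be exercised with constructed input and without either tool.

```bash
#!/bin/bash
# Added example (not the gist's own code): one rizin analysis pass for all matches.
# Assumes yara and rizin on PATH; the helpers below only process text.

# Turn `yara -s` output into rizin commands. Each match line looks like
# "0x<file offset>:$<id>: <bytes>"; rule-header lines do not start with "0x".
# For every match we emit a marker line (via ?e) followed by `afi.` at the
# virtual address for that file offset (?P does the physical -> virtual mapping).
yara_to_rz_script() {
    awk -F ':' '
        BEGIN { print "e scr.color=0"; print "aaa" }
        /^0x/ {
            id = $2; sub(/^\$/, "", id)   # drop "$" so rizin does not expand it
            printf "?e MATCH %s %s\n", id, $1
            printf "afi. @ $(?P %s)\n", $1
        }'
}

# Pair each MATCH marker with the function name rizin printed after it, or a
# placeholder when the offset falls outside any recognised function (afi. prints
# nothing in that case, so the next marker arrives with no function line).
pair_matches() {
    awk '
        function flush() {
            if (id != "") printf "%s at file offset %s is in %s\n", "$" id, off, fn
        }
        /^MATCH / { flush(); id = $2; off = $3; fn = "(no function)"; next }
        NF        { fn = $1 }
        END       { flush() }'
}

# Usage: matched_yara_fn_once rules/alg_crypto_rc4.yara samples/windows/ransomware/revil/win.revil
# (paths are the gist's example; any rule file and binary work).
matched_yara_fn_once() {
    local rules=$1 sample=$2 rzcmds
    # Join the generated lines with ';' so the whole script fits one -c argument;
    # the content of the variable is not re-expanded by the shell, so "$(?P ...)"
    # reaches rizin intact.
    rzcmds=$(yara -s "$rules" "$sample" | yara_to_rz_script | paste -sd ';' -)
    rizin -qc "$rzcmds" "$sample" | pair_matches
}
```

With the gist's sample this prints one line per matched string, e.g. `$ksa0 at file offset 0x64ee is in fcn.100064ee`, after a single `aaa` pass rather than one `aac` per match.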
@silascutler yep! This would also work the same replacing Rizin with Radare2, given it's a recent-ish fork. You just need to change this rizin call to r2 if you already have/use that toolchain.
For info, aac is very limited; for example, it won't apply signatures, deal with Golang functions, etc. I'd strongly advise using aaa. :)
Likewise, I recommend using aaa for the analysis.
Also, it might be helpful to find a solution that doesn't require you to analyze the binary for every matched string :) rzdb is there to help, and even rz scripts.
https://github.com/rizinorg/rizin required install?