$ matched_yara_fn rules/alg_crypto_rc4.yara samples/windows/ransomware/revil/win.revil
fcn.100064ee contains match for $ksa0
fcn.100064ee contains match for $ksa1
$ sha256sum samples/windows/ransomware/revil/win.revil
f74c7a605588db80b0812de54ae0f5bf26fcaef8e7dce830a64cbeaddbac7673 samples/windows/ransomware/revil/win.revil
Last active
January 5, 2022 12:12
-
-
Save shellcromancer/b6039d1c6da6328db699eedeae92e59f to your computer and use it in GitHub Desktop.
Find function definitions from YARA matches
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| matched_yara_fn() { | |
| match_w_rz_cmds=$(yara -s "$1" "$2" | awk -F ':' '/1/ {printf "%s,aac; afi. @ $(?P %s)\n", $2, $1}'); | |
| IFS=$'\n'; while IFS= read -r line; do | |
| oIFS=$IFS | |
| IFS=',' read -r match rzcmd <<< "${line}" | |
| echo "$(rizin -qc "$rzcmd" "$2") contains match for $match"; | |
| IFS="$oIFS" | |
| done <<< "$match_w_rz_cmds" | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Likewise, I recommend using
aaafor the analysis.Also, it might be helpful to find a solution that doesn't require you to analyze the binary per every matched string :) rzdb are there to help, and even rz scripts