
Monday, September 18, 2017

YARA: another python module - part 002.

This is another part of the YARA python tutorial; the goal of this part is to use the YARA modules from Python.
It uses a different python binding for YARA, yara-python from VirusTotal (the previous tutorial used the older yara package, yara-ctypes).
YARA modules extend the rule language: each module defines data structures and functions that can be used in the condition section of your rules to express more complex conditions (for example, fields of a PE header, or the entropy of a byte range).
You can also write your own modules.
Some modules shipped with YARA are:
  • PE
  • ELF
  • Cuckoo
  • Magic
  • Hash
  • Math
First, you need to install or upgrade yara-python to the latest version:
C:\Python27\Scripts>pip install yara-python
Collecting yara-python
  Downloading yara_python-3.6.3-cp27-cp27m-win32.whl (606kB)
    100% |################################| 614kB 1.3MB/s
Installing collected packages: yara-python
Successfully installed yara-python-3.6.3
and check the version from the python shell:
>>> import yara
>>> yara.__version__
'3.6.3'
The Cuckoo module enables you to create YARA rules based on the behavioral information that a Cuckoo sandbox records in its JSON report (HTTP requests, DNS lookups, file and registry access, mutexes). The rule engine only needs that report, which yara-python hands to the module through the modules_data argument of match(); the Cuckoo sandbox itself is a separate package that pip installs together with all of its dependencies:
pip install cuckoo
Collecting cuckoo
  Downloading Cuckoo-2.0.4.4.tar.gz (3.1MB)
    100% |################################| 3.1MB 255kB/s
...
Successfully installed Mako-1.0.7 alembic-0.8.8 androguard-3.0.1 beautifulsoup4-4.5.3 
capstone-windows-3.0.4 chardet-2.3.0 click-6.6 colorama-0.3.7 cuckoo-2.0.4.4 django-1.8.4 
django-extensions-1.6.7 dpkt-1.8.7 ecdsa-0.13 egghatch-0.2.1 elasticsearch-5.3.0 
flask-sqlalchemy-2.1 httpreplay-0.2.1 jsbeautifier-1.6.2 jsonschema-2.6.0 olefile-0.43 
oletools-0.42 peepdf-0.3.6 pefile2-1.2.11 pillow-3.2.0 pyelftools-0.24 pymisp-2.4.54 
pymongo-3.0.3 python-dateutil-2.4.2 python-editor-1.0.3 python-magic-0.4.12 pythonaes-1.0 
requests-2.13.0 sflock-0.2.16 sqlalchemy-1.0.8 tlslite-ng-0.6.0 unicorn-1.0.1 wakeonlan-0.2.2
Let's test this python module:
>>> import cuckoo
>>> from cuckoo import *
>>> dir(cuckoo)
['__builtins__', '__doc__', '__file__', '__name__', '__package__', '__path__', '__version__',
 'auxiliary', 'common', 'compat', 'core', 'machinery', 'misc', 'plugins', 'processing', 
'reporting', 'signatures', 'web']
Let's test some yara modules:
>>> import yara
>>> rule = yara.compile(source='import "pe"')
>>> rule = yara.compile(source='import "elf"')
>>> rule = yara.compile(source='import "cuckoo"')
>>> rule = yara.compile(source='import "math"')
I could not use the YARA modules hash and magic.
I will solve this problem in the future.
Whether those two modules compile depends on how the libyara inside the wheel was built: the magic module is not supported on Windows, and the hash module is only built when libyara is compiled with OpenSSL support.
You can also write your own modules (see the YARA documentation on writing modules).

Saturday, November 29, 2014

YARA python module - part 001.

You can also find more python tutorials on free-tutorials.org.
YARA is a multi-platform program running on Windows, Linux and Mac OS X.
More about the yara python module can be found here.
YARA reserves these keywords in rule files, so they cannot be used as rule or string identifiers:
all  and  any  ascii  at  condition  contains
entrypoint  false  filesize  fullword  for  global  in
import  include  int8  int16  int32  int8be  int16be
int32be  matches  meta  nocase  not  or  of
private  rule  strings  them  true  uint8  uint16
uint32  uint8be  uint16be  uint32be  wide

The YARA documentation can be found at this link.
This yara python module (the yara-ctypes package) is version 1.7.7 and targets YARA 1.7, so your rules must use the syntax of that version (modules, for example, only arrived in YARA 3).
Installation with pip:
C:\Python34>cd Scripts
C:\Python34\Scripts>pip install yara
Downloading/unpacking yara
Installing collected packages: yara
  Running setup.py install for yara

    Installing yara-ctypes-script.py script to C:\Python34\Scripts
    Installing yara-ctypes.exe script to C:\Python34\Scripts
Successfully installed yara
Cleaning up...
Let's see this in action.
In the paths below, replace your_user with your own Windows account name.
I made a folder named yara to keep my rules:
C:\Users\your_user\Dropbox\yara\
and I test against this file named doc_data.txt, kept here:
C:\Users\your_user\Dropbox\
The file has this text:
InfoKey: Creator
InfoValue: TeX
InfoKey: Producer
InfoValue: pdfTeX-1.40.3
InfoKey: PTEX.Fullbanner
InfoValue: This is pdfTeX using libpoppler, Version 3.141592-1.40.3-2.2 (Web2C 7.5.6) kpathsea version 3.5.6
InfoKey: ModDate
InfoValue: D:20110210185614-08'00'
InfoKey: CreationDate
InfoValue: D:20110210185614-08'00'
PdfID0: 5691a9b61e98f4c329d4f9f6deb5363c
PdfID1: 5691a9b61e98f4c329d4f9f6deb5363c
NumberOfPages: 24
and the rule file detectstring has this rule:
rule detectstring
{
    strings:
        $my_text_string = "5691a9b61e98f4c329d4f9f6deb5363c"

    condition:
        $my_text_string 
}
You can use the python shell with this source code:
import yara
from yara import *
dir(yara)
['CALLBACK_ABORT', 'CALLBACK_CONTINUE', 'INCLUDE_PATH', 'Rules', 'YARA_RULES_ROOT', 'YaraSyntaxError', '__builtins__', '__cached__', '__doc__', '__file__', '__loader__', '__name__', '__package__', '__path__', '__spec__', '__version__', 'compile', 'libyara_wrapper', 'load_rules', 'preprocessor', 'rules', 'version']
print(yara.version.__version__)
1.7.7
rules = yara.compile("C:\\Users\\your_user\\Dropbox\\yara\\detectstring")
matches = rules.match("C:\\Users\\your_user\\Dropbox\\doc_data.txt")
print(matches)
{'main': [{'tags': [], 'matches': True, 'rule': 'detectstring', 'meta': {}, 'strings': [{'flags': 19, 'identifier': '$my_text_string', 'data': '5691a9b61e98f4c329d4f9f6deb5363c', 'offset': 326}, {'flags': 19, 'identifier': '$my_text_string', 'data': '5691a9b61e98f4c329d4f9f6deb5363c', 'offset': 367}]}]}
The rule tells YARA to report any file that contains that string.
The print shows the result: the rule matched ('matches': True), and every occurrence of the string is listed with its identifier, the matched data and its byte offset in the file (326 and 367 here, the PdfID0 and PdfID1 values).
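To make that match dictionary concrete, here is a small added example (not from the post, and a toy rather than a replacement for libyara) that implements only the subset of the rule syntax used on this page: one rule, text strings, and a boolean condition over string identifiers (with not, and, or, parentheses and any/all of them). It embeds the doc_data.txt text from the post as a constructed sample with LF line endings and reproduces the two offsets, 326 and 367, that the real engine reported above. The helper names (parse_rule, find_all, eval_condition, scan) are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample input: the doc_data.txt text quoted in the post, with LF line endings.
DOC_DATA = "\n".join([
    "InfoKey: Creator",
    "InfoValue: TeX",
    "InfoKey: Producer",
    "InfoValue: pdfTeX-1.40.3",
    "InfoKey: PTEX.Fullbanner",
    "InfoValue: This is pdfTeX using libpoppler, Version 3.141592-1.40.3-2.2 (Web2C 7.5.6) kpathsea version 3.5.6",
    "InfoKey: ModDate",
    "InfoValue: D:20110210185614-08'00'",
    "InfoKey: CreationDate",
    "InfoValue: D:20110210185614-08'00'",
    "PdfID0: 5691a9b61e98f4c329d4f9f6deb5363c",
    "PdfID1: 5691a9b61e98f4c329d4f9f6deb5363c",
    "NumberOfPages: 24",
]).encode() + b"\n"

# The rule from the post, unchanged.
RULE_SOURCE = '''
rule detectstring
{
    strings:
        $my_text_string = "5691a9b61e98f4c329d4f9f6deb5363c"

    condition:
        $my_text_string
}
'''


@dataclass
class StringMatch:
    identifier: str
    offset: int
    data: bytes


def parse_rule(source: str) -> Tuple[str, Dict[str, bytes], List[str]]:
    """Parse the subset of YARA used here: returns (rule name, {identifier: pattern}, condition tokens)."""
    rule = re.search(r"rule\s+(\w+)\s*\{(.*)\}", source, re.S)
    if not rule:
        raise ValueError("no rule block found")
    sections = re.search(r"strings:(.*?)condition:(.*)", rule.group(2), re.S)
    if not sections:
        raise ValueError("rule needs a strings: and a condition: section")
    strings = {}
    for ident, text in re.findall(r'(\$\w+)\s*=\s*"((?:[^"\\]|\\.)*)"', sections.group(1)):
        # Turn YARA text-string escapes (\", \\, \n, \t, \xNN) into the raw bytes to search for.
        strings[ident] = text.encode("latin-1").decode("unicode_escape").encode("latin-1")
    tokens = re.findall(r"\$\w+|\(|\)|\w+", sections.group(2))
    return rule.group(1), strings, tokens


def find_all(data: bytes, pattern: bytes) -> List[int]:
    """Every occurrence of pattern, overlapping ones included: YARA reports them all."""
    offsets, pos = [], data.find(pattern)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(pattern, pos + 1)
    return offsets


def eval_condition(tokens: List[str], hits: Dict[str, List[int]]) -> bool:
    """Recursive descent over: $id, not, and, or, ( ), any/all of them, true, false."""
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of condition")
        pos += 1
        return tokens[pos - 1]

    def expr():                          # expr := term ('or' term)*
        value = term()
        while peek() == "or":
            take()
            value = term() or value      # evaluate both sides so every token is consumed
        return value

    def term():                          # term := factor ('and' factor)*
        value = factor()
        while peek() == "and":
            take()
            value = factor() and value
        return value

    def factor():
        tok = take()
        if tok == "not":
            return not factor()
        if tok == "(":
            value = expr()
            if take() != ")":
                raise ValueError("expected ')'")
            return value
        if tok in ("any", "all"):
            if take() != "of" or take() != "them":
                raise ValueError("expected 'of them'")
            present = [bool(offsets) for offsets in hits.values()]
            return any(present) if tok == "any" else all(present)
        if tok in ("true", "false"):
            return tok == "true"
        if tok.startswith("$"):
            if tok not in hits:
                raise ValueError("undefined string %s" % tok)
            return bool(hits[tok])       # a string identifier is true when it occurs at least once
        raise ValueError("unsupported token %r" % tok)

    result = expr()
    if pos != len(tokens):
        raise ValueError("unexpected token %r" % tokens[pos])
    return result


def scan(rule_source: str, data: bytes) -> Tuple[str, bool, List[StringMatch]]:
    """Scan data with one rule: (rule name, matched?, every string occurrence with its offset)."""
    name, strings, condition = parse_rule(rule_source)
    hits = {ident: find_all(data, pattern) for ident, pattern in strings.items()}
    matched = eval_condition(condition, hits)
    matches = [StringMatch(ident, off, strings[ident]) for ident in strings for off in hits[ident]]
    return name, matched, matches


if __name__ == "__main__":
    name, matched, matches = scan(RULE_SOURCE, DOC_DATA)
    print(name, matched)
    for m in matches:
        print(" ", m.identifier, "at offset", m.offset, m.data.decode())
```

The toy keeps YARA's two-phase shape: first every string is located in the data (all occurrences, with their offsets), then the condition is evaluated over which strings were found. That is why the real output lists both the PdfID0 and PdfID1 hits even though the condition only asks whether the string is present at all.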