Releases · VirusTotal/yara · GitHub
Welcome to YARA's documentation! yara 4.2.0 documentation
yara是一个帮助恶意软件研究员识别和分类恶意软件样本的工具。使用这个工具可以描述不同家族的恶意软件特征,包含一系列的特征和识别规则,例如
rule silent_banker : banker
{
meta:
description = "This is just an example"
threat_level = 3
in_the_wild = true
strings:
$a = {6A 40 68 00 30 00 00 6A 14 8D 91}
$b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
$c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
condition:
$a or $b or $c
}
Ubuntu22.04
sudo apt install yara
安装python-yara,这个时yara的python接口
pip install python-yara
运行第一个yara规则
echo "rule dummy { condition: true }" > my_first_rule
yara my_first_rule /bin/true
第一个参数是规则路径,第二个参数是要扫描的二进制文件
输出
dummy /bin/true
表示/bin/true符合dummy规则
strings规则
规则以rule关键字开始,后面跟随规则标识符,标识符和c标识符命名规则相同
注释和c的注释相同,包括/**/和//
一般包含两个节,strings和condition节,strings节可以没有
strings节使用$开头作为标识符,在condition节中使用
strings节可以有ascii字符串或hex形式的字符串
对于hex字符串,还有如下规则
如果某个字节或半字节不确定,可以写?,例如{ E2 34 ?? C8 A? FB }
还可以指定长度,例如{ F4 23 [4-6] 62 B4 },实际上以F4 23开头和62 B4结尾的长度4-6的字符串都可以匹配
以及{ F4 23 ( 62 B4 | 56 ) 45 }可以匹配两种情况
更多规则可以在用到的时候查看doc
condition规则
可以使用#代表某个字符串出现的次数,例如#a>10
可以指出某个字符串在某个位置出现的次数,#a in (filesize-500..filesize) == 2表示字符串a在filesize-500..filesize处出现的次数为2
at关键字表示字符串偏移
$a in (0..100) and $b in (100..filesize)表示字符串在对应范围内
entrypoint关键字表示程序入口
2 of ($a,$b,$c)表示字符串a,b,c中的两个
2 of ($foo*)表示所有名字匹配foo*字符串中的两个
yara关键字如下
| all | and | any | ascii | at | base64 | base64wide | condition |
|---|---|---|---|---|---|---|---|
| contains | endswith | entrypoint | false | filesize | for | fullword | global |
| import | icontains | iendswith | iequals | in | include | int16 | int16be |
| int32 | int32be | int8 | int8be | istartswith | matches | meta | nocase |
| none | not | of | or | private | rule | startswith | strings |
| them | true | uint16 | uint16be | uint32 | uint32be | uint8 | uint8be |
| wide | xor | defined |
condition节可以使用的操作符和含义如下
| Precedence | Operator | Description | Associativity |
|---|---|---|---|
| 1 | [] . | Array subscripting Structure member access | Left-to-right |
| 2 | - ~ | Unary minus Bitwise not | Right-to-left |
| 3 | * \ % | Multiplication Division Remainder | Left-to-right |
| 4 | + - | Addition Subtraction | Left-to-right |
| 5 | << >> | Bitwise left shift Bitwise right shift | Left-to-right |
| 6 | & | Bitwise AND | Left-to-right |
| 7 | ^ | Bitwise XOR | Left-to-right |
| 8 | | | Bitwise OR | Left-to-right |
| 9 | < <= > >= | Less than Less than or equal to Greater than Greater than or equal to | Left-to-right |
| 10 | == != contains icontains startswith istartswith endswith iendswith iequals matches | Equal to Not equal to String contains substring Like contains but case-insensitive String starts with substring Like startswith but case-insensitive String ends with substring Like endswith but case-insensitive Case-insensitive string comparison String matches regular expression | Left-to-right |
| 11 | not defined |
Logical NOT Check if an expression is defined |
Right-to-left |
| 12 | and | Logical AND | Left-to-right |
| 13 | or | Logical OR | Left-to-right |
除了以上规则,还有更多模块可以使用,以表示更多信息,例如PE模块
import "pe"
rule single_section
{
condition:
pe.number_of_sections == 1
}
rule control_panel_applet
{
condition:
pe.exports("CPlApplet")
}
rule is_dll
{
condition:
pe.characteristics & pe.DLL
}
rule is_pe
{
condition:
pe.is_pe
}
使用compile函数编译规则,返回Yara类
yara.compile(source='rule dummy { condition: true }')
yara.compile(filepath='/foo/bar/myrules')
使用save函数保存规则
使用match方法匹配规则
更多高级规则请查看文档
用于发现流量通信中的特定特征,这样当恶意软件和外界通信时就可以过滤。JA3提取客户端指纹,JA3S提取服务器响应指纹。虽然功能不仅限于此。
主要原理就是提取tls三次握手的流量特征。