yara的安装与使用
yara的安装与使用
用户1423082
发布于 2024-12-31 18:39:56
发布于 2024-12-31 18:39:56
代码可运行
运行总次数:0
代码可运行
yara可以说是正则匹配的工具吧,一般用于病毒的静态检测
下载
这里直接下载windows的
https://github.com/VirusTotal/yara/releases
也可以从这下
https://www.dropbox.com/sh/umip8ndplytwzj1/AADdLRsrpJL1CM1vPVAxc5JZa?dl=0&lst=
Ubuntu 懒得编译可以直接apt安装
sudo apt install yara用官方最简单的示例测试是否可用
// 最简单的规则
echo "rule dummy { condition: true }" > my_first_rule
// 用规则测试规则
yara my_first_rule my_first_rule获取yara规则
有开源的:https://github.com/Yara-Rules/rules
规则分11大类:
- Antidebug_AntiVM:反调试/反沙箱类yara规则
- Crypto:加密类yara规则
- CVE_Rules:CVE漏洞利用类yara规则
- email:恶意邮件类yara规则
- Exploit-Kits:EK类yara规则
- Malicious_Documents:恶意文档类yara规则
- malware:恶意软件类yara规则
- Mobile_Malware:移动恶意软件类yara规则
- Packers:加壳类yara规则
- utils:通用类yara规则
- Webshells:Webshell类yara规则
获取样本测试
https://github.com/ytisf/theZoo/tree/master/malwares/Binaries
我们随便下载一个,比如WannaCry的
https://github.com/ytisf/theZoo/tree/master/malwares/Binaries/Ransomware.WannaCry
我们看看他用了什么加密算法,可以看到使用了CRC32,以及AES算法
giantbranch@ubuntu:~/yara/Ransomware.WannaCry$ yara ../rules/Crypto_index.yar ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
../rules/./Crypto/crypto_signatures.yar(12): warning: $c0 is slowing down scanning (critical!)
../rules/./Crypto/crypto_signatures.yar(24): warning: $c0 is slowing down scanning (critical!)
../rules/./Crypto/crypto_signatures.yar(36): warning: $c0 is slowing down scanning (critical!)
../rules/./Crypto/crypto_signatures.yar(48): warning: $c0 is slowing down scanning (critical!)
../rules/./Crypto/crypto_signatures.yar(60): warning: $c0 is slowing down scanning (critical!)
../rules/./Crypto/crypto_signatures.yar(72): warning: $c0 is slowing down scanning (critical!)
../rules/./Crypto/crypto_signatures.yar(93): warning: $c0 is slowing down scanning
../rules/./Crypto/crypto_signatures.yar(776): warning: $c0 is slowing down scanning
CRC32_poly_Constant ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
CRC32_table ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
RijnDael_AES ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
RijnDael_AES_CHAR ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
RijnDael_AES_LONG ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe看看属于哪类恶意样本,判断还是比较准确
giantbranch@ubuntu:~/yara/Ransomware.WannaCry$ yara ../rules/malware_index.yar ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
../rules/./malware/APT_DPRK_ROKRAT.yar(47): warning: $b2 is slowing down scanning
../rules/./malware/RAT_Ratdecoders.yar(153): warning: $conf is slowing down scanning (critical!)
Str_Win32_Winsock2_Library ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
WannaDecryptor ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Wanna_Sample_84c82835a5d21bbcf75a61706d8ab549 ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
ransom_telefonica ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Wanna_Cry_Ransomware_Generic ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
WannaCry_Ransomware ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
WannaCry_Ransomware_Dropper ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
wannacry_static_ransom ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe看看加了什么壳
giantbranch@ubuntu:~/yara/Ransomware.WannaCry$ yara ../rules/Packers_index.yar ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
../rules/./Packers/Javascript_exploit_and_obfuscation.yar(26): warning: $fff is slowing down scanning (critical!)
../rules/./Packers/peid.yar(672): warning: $a is slowing down scanning (critical!)
../rules/./Packers/peid.yar(900): warning: $a is slowing down scanning
。。。。。。。。
。。。。。。。。
。。。。。。。。
../rules/./Packers/peid.yar(68942): warning: $a is slowing down scanning
../rules/./Packers/peid.yar(68951): warning: $a is slowing down scanning
IsPE32 ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
IsWindowsGUI ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
IsPacked ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
HasRichSignature ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Microsoft_Visual_Cpp_v60 ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Microsoft_Visual_Cpp_v50v60_MFC_additional ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Microsoft_Visual_Cpp_50 ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Microsoft_Visual_Cpp_v50v60_MFC ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Microsoft_Visual_Cpp ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe有没有反调试反虚拟机
giantbranch@ubuntu:~/yara/Ransomware.WannaCry$ yara ../rules/Antidebug_AntiVM_index.yar ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
SEH_Init ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe简单总结
通过yara,还有一些开源的规则,我们可以简单快速地静态分析恶意软件
reference
https://yara.readthedocs.io/en/v3.7.0/gettingstarted.html https://blog.csdn.net/m0_37552052/article/details/79012453
本文参与 腾讯云自媒体同步曝光计划,分享自作者个人站点/博客。
原始发表:2019-05-24,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读
目录
腾讯云开发者
