[Notes] YARA Study Notes

Preface

YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns. Each description, a.k.a. rule, consists of a set of strings and a boolean expression which determine its logic. (GitHub)

Downloading the project

certutil -urlcache -split -f https://github.com/VirusTotal/yara/releases/download/v4.5.2/yara-v4.5.2-2326-win64.zip
"C:\Program Files\7-Zip\7z.exe" x yara-v4.5.2-2326-win64.zip -oyara-v4.5.2-2326-win64
cd yara-v4.5.2-2326-win64

Rule files

Using a third-party rule set

git clone https://github.com/Yara-Rules/rules.git

Custom rules

meta: defines the rule's metadata
strings: defines the rule's string variables

  "": defines a text string variable

    nocase: case-insensitive string
    base64: Base64-encoded string
    xor: XOR-encoded string
    wide: wide-character string

  {}: defines a hex string variable
  //: defines a regular expression variable

condition: defines the match condition

  all of them: matches only when every variable is found
  any of them: matches when at least one variable is found
  $hex and $str: matches only when both are found
  $hex or $str: matches when either one is found
  not $str: matches when $str is not found

rule RuleName   // rule names may only contain ASCII letters, digits and underscores
{
    meta:
        tag = "规则标签"            // placeholder: rule tag
        description = "规则描述"    // placeholder: rule description
        author = "规则作者"         // placeholder: rule author

    strings:
        $str1 = "字符串"                        // plain text string
        $str2 = "不区分大小写的字符串" nocase   // case-insensitive text string
        $str3 = "Base64编码的字符串" base64     // matches the Base64-encoded forms
        $str4 = "异或后的字符串" xor            // matches any single-byte XOR of the string
        $str5 = "宽字符" wide                   // matches the wide-character form
        $hex = { FF FF }                        // hex byte pattern
        $reg = /正则表达式/                     // regular expression

    condition:
        all of them                             // every string above must be found
}
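The nocase, xor and wide modifiers are easiest to understand at the byte level. The following Python script is an added example, not code from the notes or from YARA itself: it reimplements the matching idea behind those three modifiers (base64 is not covered) and runs it over a constructed sample buffer.

```python
# Added example: what YARA's string modifiers mean at the byte level.
# This is a plain-Python illustration, not YARA's own engine; the SAMPLE
# buffer below is constructed for the demonstration.
import re


def wide(s: str) -> bytes:
    """'wide' matches the UTF-16LE form: each ASCII char followed by \\x00."""
    return s.encode("utf-16-le")


def nocase_pattern(s: str) -> re.Pattern:
    """'nocase' matches any upper/lower-case mix of the ASCII string."""
    return re.compile(re.escape(s.encode()), re.IGNORECASE)


def xor_variants(s: str) -> dict:
    """'xor' makes YARA try the string XORed with every single-byte key
    (0x00..0xff), i.e. 256 candidate patterns for one string."""
    raw = s.encode()
    return {key: bytes(b ^ key for b in raw) for key in range(256)}


def find_xor(buf: bytes, s: str) -> list:
    """Return (key, offset) for every single-byte XOR encoding of s in buf."""
    hits = []
    for key, pat in xor_variants(s).items():
        off = buf.find(pat)
        while off != -1:
            hits.append((key, off))
            off = buf.find(pat, off + 1)
    return hits


# Constructed sample: "cmd.exe" stored as UTF-16LE, "PowerShell" in mixed
# case, and "malware" XORed with key 0x2A, surrounded by filler bytes.
SAMPLE = (b"\x00" * 8 + wide("cmd.exe") + b"MZ" + b"pOwErShElL"
          + bytes(b ^ 0x2A for b in b"malware") + b"\xff" * 4)


def scan(buf: bytes = SAMPLE) -> dict:
    """Mimic three modified strings and report where each one matched."""
    return {
        "$s1 wide": buf.find(wide("cmd.exe")),
        "$s2 nocase": nocase_pattern("powershell").search(buf).start(),
        "$s3 xor": find_xor(buf, "malware"),
    }


if __name__ == "__main__":
    for name, hit in scan().items():
        print(name, "->", hit)
```

The 256-pattern expansion is why a bare `xor` on a short string is expensive and prone to noise; YARA lets you narrow the key range for that reason.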

Scanning files with a rule

<file>.yar: the rule file
<dir_or_file>: the file or directory to scan; with -r a directory is scanned recursively

.\yara64.exe <file>.yar -r <dir_or_file>

Scanning process memory with a rule

<pid>: the PID of the process to scan

.\yara64.exe <file>.yar <pid>

Done