yara的安装与使用

yara可以说是正则匹配的工具吧,一般用于病毒的静态检测

下载

这里直接下载windows的

https://github.com/VirusTotal/yara/releases

也可以从这下

https://www.dropbox.com/sh/umip8ndplytwzj1/AADdLRsrpJL1CM1vPVAxc5JZa?dl=0&lst=

Ubuntu 懒得编译可以直接apt安装

1
sudo apt install yara

用官方最简单的示例测试是否可用

1
2
3
4
// 最简单的规则
echo "rule dummy { condition: true }" > my_first_rule
// 用规则测试规则
yara my_first_rule my_first_rule

获取yara规则

有开源的:https://github.com/Yara-Rules/rules

规则分11大类:

  1. Antidebug_AntiVM:反调试/反沙箱类yara规则
  2. Crypto:加密类yara规则
  3. CVE_Rules:CVE漏洞利用类yara规则
  4. email:恶意邮件类yara规则
  5. Exploit-Kits:EK类yara规则
  6. Malicious_Documents:恶意文档类yara规则
  7. malware:恶意软件类yara规则
  8. Mobile_Malware:移动恶意软件类yara规则
  9. Packers:加壳类yara规则
  10. utils:通用类yara规则
  11. Webshells:Webshell类yara规则

获取样本测试

https://github.com/ytisf/theZoo/tree/master/malwares/Binaries

我们随便下载一个,比如WannaCry的

https://github.com/ytisf/theZoo/tree/master/malwares/Binaries/Ransomware.WannaCry

我们看看他用了什么加密算法,可以看到使用了CRC32,以及AES算法

1
2
3
4
5
6
7
8
9
10
11
12
13
14
giantbranch@ubuntu:~/yara/Ransomware.WannaCry$ yara ../rules/Crypto_index.yar ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
../rules/./Crypto/crypto_signatures.yar(12): warning: $c0 is slowing down scanning (critical!)
../rules/./Crypto/crypto_signatures.yar(24): warning: $c0 is slowing down scanning (critical!)
../rules/./Crypto/crypto_signatures.yar(36): warning: $c0 is slowing down scanning (critical!)
../rules/./Crypto/crypto_signatures.yar(48): warning: $c0 is slowing down scanning (critical!)
../rules/./Crypto/crypto_signatures.yar(60): warning: $c0 is slowing down scanning (critical!)
../rules/./Crypto/crypto_signatures.yar(72): warning: $c0 is slowing down scanning (critical!)
../rules/./Crypto/crypto_signatures.yar(93): warning: $c0 is slowing down scanning
../rules/./Crypto/crypto_signatures.yar(776): warning: $c0 is slowing down scanning
CRC32_poly_Constant ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
CRC32_table ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
RijnDael_AES ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
RijnDael_AES_CHAR ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
RijnDael_AES_LONG ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

看看属于哪类恶意样本,判断还是比较准确

1
2
3
4
5
6
7
8
9
10
11
giantbranch@ubuntu:~/yara/Ransomware.WannaCry$ yara ../rules/malware_index.yar ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
../rules/./malware/APT_DPRK_ROKRAT.yar(47): warning: $b2 is slowing down scanning
../rules/./malware/RAT_Ratdecoders.yar(153): warning: $conf is slowing down scanning (critical!)
Str_Win32_Winsock2_Library ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
WannaDecryptor ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Wanna_Sample_84c82835a5d21bbcf75a61706d8ab549 ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
ransom_telefonica ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Wanna_Cry_Ransomware_Generic ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
WannaCry_Ransomware ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
WannaCry_Ransomware_Dropper ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
wannacry_static_ransom ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

看看加了什么壳

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
giantbranch@ubuntu:~/yara/Ransomware.WannaCry$ yara ../rules/Packers_index.yar ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
../rules/./Packers/Javascript_exploit_and_obfuscation.yar(26): warning: $fff is slowing down scanning (critical!)
../rules/./Packers/peid.yar(672): warning: $a is slowing down scanning (critical!)
../rules/./Packers/peid.yar(900): warning: $a is slowing down scanning
。。。。。。。。
。。。。。。。。
。。。。。。。。
../rules/./Packers/peid.yar(68942): warning: $a is slowing down scanning
../rules/./Packers/peid.yar(68951): warning: $a is slowing down scanning
IsPE32 ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
IsWindowsGUI ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
IsPacked ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
HasRichSignature ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Microsoft_Visual_Cpp_v60 ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Microsoft_Visual_Cpp_v50v60_MFC_additional ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Microsoft_Visual_Cpp_50 ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Microsoft_Visual_Cpp_v50v60_MFC ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Microsoft_Visual_Cpp ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

有没有反调试反虚拟机

1
2
giantbranch@ubuntu:~/yara/Ransomware.WannaCry$ yara ../rules/Antidebug_AntiVM_index.yar ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
SEH_Init ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

简单总结

通过yara,还有一些开源的规则,我们可以简单快速地静态分析恶意软件

reference

https://yara.readthedocs.io/en/v3.7.0/gettingstarted.html
https://blog.csdn.net/m0_37552052/article/details/79012453

自愿打赏专区