Analyzing malicious samples with YARA: an introduction to YARA malware detection
Have you ever wondered how malware is detected? How do malware scanners work? How does Gmail know that the suspicious attachment you got was “dangerous”?
After all, malware comes in all shapes and sizes, and there is no one characteristic that tells you whether a file can cause harm or not.
How is Malware Detected?
Malware detection is often done through the identification of certain features of known malicious files.
One way of detecting malware is to calculate a hash of the suspected file and compare it to the hashes of known malware.
Sometimes, antivirus software scans for a particular string in a file that identifies particular strains or entire families of malware. Antivirus software might also search for a sequence of bytes that are typical of a specific virus or trojan.
The tool that we are going to talk about today, YARA, takes this latter approach. Let’s dive into how YARA detects malware files, how you can install and use YARA, and how to author your own YARA rules for customized malware detection!
What is YARA?
YARA is a tool that identifies malware by creating descriptions that look for certain characteristics. Each description can be either a text or a binary pattern. These descriptions are called “rules”. By using rules that specify regex patterns, YARA enables the detection of specific patterns in files that might indicate that the file is malicious.
By using hex patterns, plain text patterns, wild-cards, case-insensitive strings, and special operators, YARA rules can be incredibly diverse and effective at detecting a wide range of malware signatures.
Let’s look at the example below. (The example is taken from YARA’s official documentation.)
rule silent_banker : banker
{
    meta:
        description = "This is just an example"
        threat_level = 3
        in_the_wild = true
    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
    condition:
        $a or $b or $c
}
The rule above tells YARA that any file containing one of the following strings:
6A 40 68 00 30 00 00 6A 14 8D 91
8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9
"UVODFRYSIHLNWPEJXQZAKCBGMT"
should be flagged as the Silent Banker Trojan. Note that the first two strings are hex patterns and the third one is a text pattern.
(The Silent Banker Trojan is a Trojan that steals banking credentials from your computer. Read more about it.)
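To make concrete what the three strings in the rule above mean, here is a small Python matcher added for this article (it is not YARA's engine and not part of the original post). It translates the rule's hex and text strings into byte regexes, supports the `??` wildcard, `[n-m]` jump and `nocase` modifier mentioned earlier, evaluates the `$a or $b or $c` condition, and also shows an `at 0` magic-byte check of the kind the yara-forensics file-type rules use; the sample buffers are constructed, not real malware.

```python
import re

# Strings from the silent_banker rule on this page; its condition is "$a or $b or $c".
# Toy matcher for illustration only: YARA's own engine handles far more syntax.
SILENT_BANKER_STRINGS = {
    "$a": "{6A 40 68 00 30 00 00 6A 14 8D 91}",
    "$b": "{8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}",
    "$c": '"UVODFRYSIHLNWPEJXQZAKCBGMT"',
}
PDF_STRINGS = {"$magic": '"%PDF"'}   # magic-byte rule, condition "$magic at 0"

def hex_pattern_to_regex(spec: str) -> re.Pattern:
    """Turn a YARA hex string such as {6A ?? 68 [3-5] 6A} into a bytes regex:
    '??' is a one-byte wildcard, '[n-m]' a jump of n to m arbitrary bytes."""
    parts = []
    for tok in spec.strip().strip("{}").split():
        if tok == "??":
            parts.append(b".")
        elif tok.startswith("["):
            lo, hi = tok.strip("[]").split("-")
            parts.append(b".{%d,%d}" % (int(lo), int(hi)))
        else:  # literal bytes, escaped so 0x00 or 0x2E are matched literally
            parts.append(b"".join(b"\\x%02x" % b for b in bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL: '.' must match 0x0A too

def text_pattern_to_regex(spec: str) -> re.Pattern:
    """Plain text string, honouring YARA's optional 'nocase' modifier."""
    nocase = spec.endswith(" nocase")
    literal = (spec[: -len(" nocase")] if nocase else spec).strip().strip('"')
    return re.compile(re.escape(literal.encode()), re.IGNORECASE if nocase else 0)

def scan(data: bytes, strings: dict) -> dict:
    """Return {identifier: [offsets]} for every string, like 'yara -s' prints."""
    found = {}
    for name, spec in strings.items():
        rx = hex_pattern_to_regex(spec) if spec.startswith("{") else text_pattern_to_regex(spec)
        found[name] = [m.start() for m in rx.finditer(data)]
    return found

def silent_banker_matches(data: bytes) -> bool:
    hits = scan(data, SILENT_BANKER_STRINGS)
    return bool(hits["$a"] or hits["$b"] or hits["$c"])  # condition: $a or $b or $c

def is_pdf(data: bytes) -> bool:
    return 0 in scan(data, PDF_STRINGS)["$magic"]  # condition: $magic at 0

# Constructed samples (not real malware): filler around the $a bytes, a benign buffer, a PDF header.
SUSPICIOUS = b"\x90" * 16 + bytes.fromhex("6A 40 68 00 30 00 00 6A 14 8D 91") + b"\x90" * 8
BENIGN = b"just an ordinary text file\n" * 3
PDF_HEADER = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"
```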
Installing YARA
YARA is multiplatform and supports both Windows and Unix-based systems. You can use it both as a command-line tool and as a Python extension for use in your Python scripts.
For a complete guide to installing YARA on different platforms and installing the Python extension, please refer to the official documentation. In this article, let’s go through how to install YARA from the source tarball.
First, download the tarball for the latest version of YARA, and get it prepared for compilation:
tar -zxf yara-3.11.
cd yara-3.11.0
./bootstrap.sh
Next, download the dependencies that YARA needs. You’ll need automake, libtool, make, gcc, and pkg-config.
sudo apt-get install automake libtool make gcc pkg-config
Next, compile and install YARA:
./configure
make
sudo make install
Finally, check that everything is installed correctly by running the test cases:
make check
Getting a Set of Rules to Use
While you could write your own rules, there are plenty of well-defined YARA rules files available for download on GitHub.
For example, you can find a list of already-written YARA rules in the awesome-yara repository:
Besides analyzing malware, YARA can also be used to analyze the nature of files and classify file contents. The yara-forensics repository contains rules for determining file types by detecting magic bytes.
You can simply go to these repositories, find the rules that scan for the signatures you are looking for, and use that file as your YARA command input. You can download a rules file hosted on GitHub with the command:
curl -o FILENAME LINK_TO_FILE
where FILENAME is the local file name that the downloaded file is going to be saved as, and LINK_TO_FILE is the address of the file online.
Downloading a specific rule file
For example, let’s say you want to use VirusTotal’s .
Once you open the file on GitHub, you will see a window like this:
Simply run the command below to download a copy to your computer:
curl -o Desktop/sample.yara
Now, you have a copy of the rules stored in the sample.yara file on your desktop!
Running YARA
To run YARA from the command line, run the command:
yara [OPTIONS] RULES_FILE TARGET
RULES_FILE points to a file that stores the YARA rules you want to use, while TARGET points to a file, a folder, or a process to be scanned.
For example, let’s use YARA to check whether an arbitrary file is a PDF!
We would first need to download the rules file that identifies a PDF from the yara-forensics repository:
curl -o Desktop/pdf.yara
We can then run the YARA rules against the file we want to analyze:
yara
How to Write your own YARA rules
Of course, if you can’t find YARA rules published online that suit your needs, you’ll need to write your own rules instead!
YarGen is a tool for generating YARA rules. Given a malware file, YarGen generates YARA rules by identifying the strings found in that file, while removing known strings that also appear in non-malicious files. YarGen includes a big database of strings and opcodes that are known to also appear in non-malicious files.
You can find YarGen on GitHub here:
Installing YarGen
First, download the latest version of YarGen in the of its GitHub page and unzip the archive. The source code is available as a zip file or a tarball.
Next, make sure you have all the dependencies installed. You can run these commands:
sudo pip install pefile
sudo pip install scandir lxml naiveBayesClassifier
Finally, cd into the YarGen directory and run the following command to download the built-in databases. The databases are saved into the ./dbs subdirectory.
python yarGen.py --update
Running YarGen
YarGen has many options for rule generation. To see the command line parameters, run:
python yarGen.py --help
To use the included database for rules generation, you can simply run the command:
python yarGen.py -m PATH_TO_MALWARE_DIRECTORY
This command will scan the malware files under PATH_TO_MALWARE_DIRECTORY and create rules for them. A file named yargen_rules.yar containing the generated rules will be created in the current directory.
Good Luck!
There are many more ways of detecting malware, but YARA is a powerful way to detect and classify many different kinds of malicious files. Good luck with your journey of using YARA!
Thanks for reading. Did I miss anything? Feel free to let me know on Twitter.
Follow for more such awesome write-ups.