Closed Neo23x0 closed 3 months ago
@Neo23x0 been out of town but should be able to test and merge this in the next week, stand by; apologies for taking a bit to get you a reply here.
Hey yeah some got moved to the bootloader project and others were duplicates.
This ran smoothly looks good to me:
[INFO ] [+] Writing 507 YARA rules to the output file ../../detections/yara/other/yara-rules_vuln_drivers.yar
[INFO ] [+] Writing 22 YARA rules to the output file ../../detections/yara/yara-rules_mal_drivers.yar
[INFO ] [+] Writing 507 YARA rules to the output file ../../detections/yara/yara-rules_vuln_drivers_strict.yar
[INFO ] [+] Writing 22 YARA rules to the output file ../../detections/yara/other/yara-rules_mal_drivers_strict.yar
[INFO ] [+] Writing 507 YARA rules to the output file ../../detections/yara/other/yara-rules_vuln_drivers_strict_renamed.yar
matches the count on the files included in the PR as well
(loldrivers-py3.12) jhernandez in ~/magicsword/LOLDrivers/detections/yara on yara_update_240726 λ cat yara-rules_vuln_drivers_strict.yar| grep "rule " | wc -l
507
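The `grep "rule " | wc -l` check above counts any line containing `rule ` (including a hit inside a string or a comment), so it can drift from the count the generator logs. The following is an added example, not code from the LOLDrivers project or from either participant: it parses the generator's "Writing N YARA rules to the output file ..." log lines, counts actual rule declarations in each named file with a regex anchored at line start (so `rule ` inside strings or `//` comments is ignored, and block comments are stripped first), and reports any mismatch. The log lines and rule files are constructed samples embedded inline.

```python
import re
from typing import Dict, Tuple

# Constructed sample of generator log lines, modelled on the ones in the thread.
SAMPLE_LOG = """\
[INFO ] [+] Writing 3 YARA rules to the output file ../../detections/yara/other/yara-rules_vuln_drivers.yar
[INFO ] [+] Writing 1 YARA rules to the output file ../../detections/yara/yara-rules_mal_drivers.yar
"""

# Constructed rule sets keyed by output path. The first file deliberately contains
# the text "rule " inside a string and inside a line comment, which a naive grep
# would count as extra rules.
SAMPLE_FILES = {
    "../../detections/yara/other/yara-rules_vuln_drivers.yar": '''
rule vuln_driver_a {
    strings:
        $s = "rule one"
    condition:
        $s
}
private rule vuln_driver_b { condition: true }
// rule mentioned in a comment must not be counted
/* rule
   spanning a block comment must not be counted either */
global rule vuln_driver_c { condition: true }
''',
    "../../detections/yara/yara-rules_mal_drivers.yar": '''
rule mal_driver_x {
    condition:
        uint16(0) == 0x5A4D
}
''',
}

LOG_RE = re.compile(r"Writing (\d+) YARA rules to the output file (\S+)")
# A rule declaration: optional private/global modifiers, then "rule <identifier>",
# anchored at the start of a line.
RULE_RE = re.compile(r"^\s*(?:(?:private|global)\s+)*rule\s+[A-Za-z_]\w*", re.MULTILINE)
BLOCK_COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)


def parse_generator_log(log_text: str) -> Dict[str, int]:
    """Map each output path named in the generator log to the rule count it reported."""
    expected = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            expected[m.group(2)] = int(m.group(1))
    return expected


def count_rules(yara_text: str) -> int:
    """Count rule declarations, ignoring 'rule' in strings, line comments and block comments."""
    without_block_comments = BLOCK_COMMENT_RE.sub("", yara_text)
    return len(RULE_RE.findall(without_block_comments))


def verify(log_text: str, files: Dict[str, str]) -> Dict[str, Tuple[int, int, bool]]:
    """For every path in the log: (reported count, counted declarations, match?)."""
    report = {}
    for path, n_expected in parse_generator_log(log_text).items():
        n_actual = count_rules(files.get(path, ""))
        report[path] = (n_expected, n_actual, n_expected == n_actual)
    return report


def all_counts_match(log_text: str, files: Dict[str, str]) -> bool:
    """True only if every file's declaration count equals what the generator logged."""
    return all(ok for _, _, ok in verify(log_text, files).values())


if __name__ == "__main__":
    for path, (exp, act, ok) in verify(SAMPLE_LOG, SAMPLE_FILES).items():
        print(f"{'OK ' if ok else 'BAD'} {path}: logged={exp} counted={act}")
```

To run it against a real PR checkout, replace `SAMPLE_FILES` with a dict built by reading each path from the log (relative to the generator's working directory) and pass the captured generator output as `log_text`.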
We use the PE info to also extract the certificate using LIEF, which is likely why it is missing.
BUT, I re-ran the generator and would like to use a different directory structure:
/ (root) contains rules we recommend to use
/other contains variations of the rules that can be used in certain non-standard use cases
I also ran the generator to generate new rules, but I noticed that you guys also removed some drivers.