YARA Generator and Rule Update 240726 #182

Merged
merged 5 commits into from
Aug 12, 2024
Merged
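--- a/bin/yara-generator/requirements.txt
+++ b/bin/yara-generator/requirements.txt
@@ -0,0 +1 @@
+pefile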
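Review bot: `pefile` is added without any version constraint, so each fresh install resolves to whatever release is newest on the index at that moment, and two runs of the generator can disagree after an upstream change. Pinning it, `pefile==<known-good version>`, or at least bounding it with an upper limit keeps rule generation reproducible; the version the author tested with is not stated anywhere in the diff, so that value has to come from the maintainers.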
47 changes: 38 additions & 9 deletions bin/yara-generator/yara-generator.py
Expand Up @@ -151,9 +151,34 @@ def generate_yara_rules(header_infos, yaml_infos, debug, driver_filter, strict,
for hi in header_infos:
# Get YAML info to determine the type of rule
yaml_info = get_yaml_info_for_sample(hi['sha256'][0], yaml_infos)

if yaml_info is None:
print(f"No YAML info found for file with SHA256: {hi['sha256'][0]}. Skipping this file.")
# If no YAML info is found, skip the rule generation
if not yaml_info:
Log.info("No YAML info found for %s - skipping YARA rule generation" % hi['file_names'])
continue
# Category and values
type_driver = "vulnerable driver"
type_string = "PUA_VULN"
type_desc = "vulnerable"
type_score = 40
if renamed:
type_score = 70
type_string = "PUA_VULN_Renamed"
# for malicious drivers
if 'Category' in yaml_info:
#print(yaml_info['Category'])
if yaml_info['Category'] == "malicious":
type_driver = "malicious"
type_string = "MAL_"
type_desc = "malicious"
type_score = 70
if strict:
type_score = 85
# File names (use the file names in field 'Tags' otherwise use the driver file names)
file_names = hi['file_names']
if 'Tags' in yaml_info:
file_names = yaml_info['Tags']
# Apply filter
if driver_filter is not type_driver:
continue

# Category and values
Expand Down Expand Up @@ -254,6 +279,7 @@ def get_yaml_info_for_sample(sample_hash, yaml_infos):
# Loop over YAML infos and find the sample using its hash
for yi in yaml_infos:
for sample_info in yi['KnownVulnerableSamples']:
# print(sample_info)
sample_hashes = []
if 'MD5' in sample_info:
sample_hashes.append(sample_info['MD5'])
Expand Down Expand Up @@ -320,6 +346,7 @@ def removeNonAsciiDrop(s):
parser.add_argument('-y', nargs='*',
help='Path to YAML files with information on the drivers (can be used multiple times)',
metavar='yaml-files', default=['../../yaml/'])
parser.add_argument('-f', help="Write a log file)", metavar='log-file', default='yara-generator.log')
parser.add_argument('-o', help="Output folder for rules", metavar='output-folder', default='../../detections/yara/')
parser.add_argument('--debug', action='store_true', default=False, help='Debug output')

Expand All @@ -332,6 +359,10 @@ def removeNonAsciiDrop(s):
Log.setLevel(logging.INFO)
if args.debug:
Log.setLevel(logging.DEBUG)
# File Handler
fileHandler = logging.FileHandler(args.f)
fileHandler.setFormatter(logFormatter)
Log.addHandler(fileHandler)
# Console Handler
consoleHandler = logging.StreamHandler()
consoleHandler.setFormatter(logFormatter)
Expand Down Expand Up @@ -360,8 +391,8 @@ def removeNonAsciiDrop(s):
yara_rules_vulnerable_drivers_strict_renamed = generate_yara_rules(file_infos, yaml_infos, args.debug, driver_filter="vulnerable driver", strict=True, renamed=True)

# Write the output files
# The sets
output_file = os.path.join(args.o, 'yara-rules_vuln_drivers.yar')
# we write the recommended files to the root folder and other sets to a sub folder named 'other'
output_file = os.path.join(args.o, 'other', 'yara-rules_vuln_drivers.yar')
with open(output_file, 'w') as fh:
Log.info("[+] Writing %d YARA rules to the output file %s" % (len(yara_rules_vulnerable_drivers), output_file))
fh.write("\n".join(yara_rules_vulnerable_drivers))
Expand All @@ -373,15 +404,13 @@ def removeNonAsciiDrop(s):
with open(output_file, 'w') as fh:
Log.info("[+] Writing %d YARA rules to the output file %s" % (len(yara_rules_vulnerable_drivers_strict), output_file))
fh.write("\n".join(yara_rules_vulnerable_drivers_strict))
output_file = os.path.join(args.o, 'yara-rules_mal_drivers_strict.yar')
output_file = os.path.join(args.o, 'other', 'yara-rules_mal_drivers_strict.yar')
with open(output_file, 'w') as fh:
Log.info("[+] Writing %d YARA rules to the output file %s" % (len(yara_rules_malicious_drivers_strict), output_file))
fh.write("\n".join(yara_rules_malicious_drivers_strict))
output_file = os.path.join(args.o, 'yara-rules_vuln_drivers_strict_renamed.yar')
output_file = os.path.join(args.o, 'other', 'yara-rules_vuln_drivers_strict_renamed.yar')
with open(output_file, 'w') as fh:
Log.info("[+] Writing %d YARA rules to the output file %s" % (len(yara_rules_vulnerable_drivers_strict_renamed), output_file))
fh.write("\n".join(yara_rules_vulnerable_drivers_strict_renamed))
# The single rules for each driver
output_path_single_rules = os.path.join(args.o, '/single-rules')


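Review bot: In the first hunk of generate_yara_rules (whose definition starts above the hunk) the new filter compares strings by identity, `if driver_filter is not type_driver:`, which only holds while both sides happen to be the same interned object; it should read `if driver_filter != type_driver:` so a filter value built at runtime does not silently skip every sample. The relocated outputs under `os.path.join(args.o, 'other', ...)` are opened with `open(output_file, 'w')` in both write hunks, and nothing shown creates that subfolder, so the run would stop with FileNotFoundError unless it is created outside these lines; an `os.makedirs(os.path.join(args.o, 'other'), exist_ok=True)` before the first write would cover it. The help text of the new `-f` option carries a stray parenthesis and should be `help="Write a log file"`. The unchanged context line `output_path_single_rules = os.path.join(args.o, '/single-rules')` discards `args.o` because its second component is absolute, so single rules land in `/single-rules` at the filesystem root; `'single-rules'` without the leading slash looks intended.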