YARA Cheatsheet¶
YARA ist eine leistungsstarke Muster-Anpassungs-Engine, die Malware-Forscher helfen, Malware-Proben zu identifizieren und zu klassifizieren. YARA entwickelt von Victor Alvarez bei VirusTotal, YARA ermöglicht es Ihnen, Beschreibungen von Malware-Familien basierend auf textuellen oder binären Mustern zu erstellen, so dass es ein wesentliches Werkzeug für Bedrohung Jagd, Vorfall Reaktion und Malware-Analyse.
Installation¶
Linux Installation¶
```bash
Ubuntu/Debian¶
sudo apt update sudo apt install yara
CentOS/RHEL¶
sudo yum install epel-release sudo yum install yara
From source¶
git clone https://github.com/VirusTotal/yara.git cd yara ./bootstrap.sh ./configure make sudo make install ```_
Windows Installation¶
```powershell
Download from GitHub releases¶
https://github.com/VirusTotal/yara/releases¶
Using Chocolatey¶
choco install yara
Using vcpkg¶
vcpkg install yara ```_
Python Integration¶
```bash
Install yara-python¶
pip install yara-python
Verify installation¶
python -c "import yara; print(yara.version)" ```_
Grundlegende Syntax und Struktur¶
Artikelstruktur¶
```c rule RuleName \\{ meta: description = "Description of what this rule detects" author = "Your Name" date = "2024-01-01" version = "1.0"
strings:
$string1 = "malicious string"
$string2 = \\\\{ 6A 40 68 00 30 00 00 \\\\}
$regex1 = /malware[0-9]\\\\{2,4\\\\}/
condition:
$string1 or $string2 or $regex1
\\} ```_
Streicharten¶
```c rule StringTypes \\{ strings: // Text strings $text1 = "Hello World" $text2 = "Case Insensitive" nocase $text3 = "Wide String" wide $text4 = "ASCII String" ascii
// Hexadecimal strings
$hex1 = \\\\{ 4D 5A \\\\} // MZ header
$hex2 = \\\\{ 4D 5A [0-100] 50 45 \\\\} // MZ...PE
$hex3 = \\\\{ 4D 5A ?? ?? ?? ?? 50 45 \\\\} // Wildcards
// Regular expressions
$regex1 = /md5:[a-f0-9]\\\\{32\\\\}/
$regex2 = /https?:\/\/[a-zA-Z0-9.-]+/
condition:
any of them
\\} ```_
Erweiterte Streichmuster¶
Wildcards und Jumps¶
```c rule WildcardsAndJumps \\{ strings: // Single byte wildcard $pattern1 = \\{ 4D 5A ?? ?? 50 45 \\}
// Multiple byte wildcards
$pattern2 = \\\\{ 4D 5A ?? ?? ?? ?? 50 45 \\\\}
// Variable length jumps
$pattern3 = \\\\{ 4D 5A [0-100] 50 45 \\\\}
$pattern4 = \\\\{ 4D 5A [10-50] 50 45 \\\\}
// Alternatives
$pattern5 = \\\\{ 4D 5A ( 90|91|92 ) 50 45 \\\\}
condition:
any of them
\\} ```_
String Modifiers¶
```c rule StringModifiers \\{ strings: $case_insensitive = "malware" nocase $wide_string = "malware" wide $ascii_string = "malware" ascii $fullword = "malware" fullword $xor_string = "malware" xor $base64_string = "malware" base64
condition:
any of them
\\} ```_
Bedingungen und Logik¶
Allgemeine Geschäftsbedingungen¶
```c rule BasicConditions \\{ strings: $string1 = "malware" $string2 = "virus" $string3 = "trojan"
condition:
// Boolean operators
$string1 and $string2
$string1 or $string2
not $string1
// String count
#string1 > 5
#string2 == 1
// Any/All of them
any of them
all of them
2 of them
// String sets
any of ($string*)
all of ($string1, $string2)
\\} ```_
Dateieigenschaften¶
```c rule FileProperties \\{ condition: // File size filesize > 1MB filesize < 10KB
// Entry point
entrypoint >= 0x1000
// String positions
$string1 at 0
$string2 in (0..100)
// String offsets
@string1[0] ``< 100
@string2[1] >`` 1000
\\} ```_
Module und Funktionen¶
PE-Modul¶
```c import "pe"
rule PEAnalysis \\{ condition: // PE file detection pe.is_pe
// Machine type
pe.machine == pe.MACHINE_I386
pe.machine == pe.MACHINE_AMD64
// Characteristics
pe.characteristics & pe.DLL
pe.characteristics & pe.EXECUTABLE_IMAGE
// Sections
pe.number_of_sections > 3
pe.sections[0].name == ".text"
pe.sections[0].characteristics & pe.SECTION_CNT_CODE
// Imports
pe.imports("kernel32.dll", "CreateFileA")
pe.imports("advapi32.dll", "RegSetValueExA")
// Resources
pe.number_of_resources > 0
pe.version_info["CompanyName"] contains "Microsoft"
\\} ```_
Hash Modul¶
```c import "hash"
rule HashChecks \\{ condition: // MD5 hash hash.md5(0, filesize) == "5d41402abc4b2a76b9719d911017c592"
// SHA1 hash
hash.sha1(0, filesize) == "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d"
// SHA256 hash
hash.sha256(0, filesize) == "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
// Hash of specific sections
hash.md5(pe.sections[0].raw_data_offset, pe.sections[0].raw_data_size) == "hash_value"
\\} ```_
Mathematik¶
```c import "math"
rule MathOperations \\{ condition: // Entropy calculation math.entropy(0, filesize) > 7.0 math.entropy(pe.sections[0].raw_data_offset, pe.sections[0].raw_data_size) > 6.5
// Mean calculation
math.mean(0, filesize) > 128
// Standard deviation
math.deviation(0, filesize, math.mean(0, filesize)) > 50
\\} ```_
Malware-Erkennungsregeln¶
Generische Malware-Muster¶
```c rule Generic_Malware \\{ meta: description = "Generic malware detection" author = "Security Analyst" date = "2024-01-01"
strings:
$api1 = "CreateRemoteThread"
$api2 = "WriteProcessMemory"
$api3 = "VirtualAllocEx"
$api4 = "SetWindowsHookEx"
$string1 = "backdoor"
$string2 = "keylogger"
$string3 = "rootkit"
condition:
2 of ($api*) and any of ($string*)
\\} ```_
Ransomware Erkennung¶
```c rule Ransomware_Indicators \\{ meta: description = "Ransomware behavior indicators" author = "Security Analyst"
strings:
$encrypt1 = "CryptEncrypt"
$encrypt2 = "CryptGenKey"
$encrypt3 = "CryptAcquireContext"
$file_ext1 = ".encrypted"
$file_ext2 = ".locked"
$file_ext3 = ".crypto"
$ransom_note1 = "your files have been encrypted"
$ransom_note2 = "pay bitcoin"
$ransom_note3 = "decryption key"
condition:
2 of ($encrypt*) and (any of ($file_ext*) or any of ($ransom_note*))
\\} ```_
Banking Trojan¶
```c rule Banking_Trojan \\{ meta: description = "Banking trojan detection"
strings:
$bank1 = "online banking"
$bank2 = "credit card"
$bank3 = "account number"
$hook1 = "SetWindowsHookEx"
$hook2 = "GetAsyncKeyState"
$hook3 = "CallNextHookEx"
$network1 = "HttpSendRequest"
$network2 = "InternetConnect"
$network3 = "send"
condition:
any of ($bank*) and any of ($hook*) and any of ($network*)
\\} ```_
Erweiterte Techniken¶
Yara mit Python¶
```python import yara
Compile rules from file¶
rules = yara.compile(filepath='malware_rules.yar')
Compile rules from string¶
rule_source = ''' rule TestRule \\{ strings: $test = "malware" condition: $test \\} ''' rules = yara.compile(source=rule_source)
Scan file¶
matches = rules.match('/path/to/file') for match in matches: print(f"Rule: \\{match.rule\\}") print(f"Tags: \\{match.tags\\}") print(f"Meta: \\{match.meta\\}") print(f"Strings: \\{match.strings\\}")
Scan data¶
with open('/path/to/file', 'rb') as f: data = f.read() matches = rules.match(data=data)
Custom callback¶
def callback(data): print(f"Match found: \\{data\\}") return yara.CALLBACK_CONTINUE
rules.match('/path/to/file', callback=callback) ```_
Leistungsoptimierung¶
```c rule OptimizedRule \\{ meta: description = "Performance optimized rule"
strings:
// Use specific strings first
$specific = \\\\{ 4D 5A 90 00 03 00 00 00 \\\\}
// Avoid expensive regex
$simple_string = "malware" nocase
// Use fullword for exact matches
$exact = "CreateFile" fullword
condition:
// Check file size first
filesize > 1KB and filesize < 10MB and
// Check specific patterns first
$specific at 0 and
// Then check other strings
($simple_string or $exact)
\\} ```_
Mehrstufige Erkennung¶
```c rule Multi_Stage_Malware \\{ meta: description = "Multi-stage malware detection"
strings:
// Stage 1: Dropper
$stage1_1 = "temp.exe"
$stage1_2 = "CreateProcess"
// Stage 2: Payload
$stage2_1 = "payload.dll"
$stage2_2 = "LoadLibrary"
// Stage 3: Persistence
$stage3_1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
$stage3_2 = "RegSetValueEx"
condition:
(any of ($stage1_*) and any of ($stage2_*)) or
(any of ($stage2_*) and any of ($stage3_*))
\\} ```_
Verwendung der Befehlszeile¶
Grundlegende Befehle¶
```bash
Scan single file¶
yara rules.yar /path/to/file
Scan directory recursively¶
yara -r rules.yar /path/to/directory
Scan with multiple rule files¶
yara rules1.yar rules2.yar /path/to/file
Output matching strings¶
yara -s rules.yar /path/to/file
Output metadata¶
yara -m rules.yar /path/to/file
Set timeout¶
yara -a 60 rules.yar /path/to/file
Disable warnings¶
yara -w rules.yar /path/to/file ```_
Erweiterte Optionen¶
```bash
Define external variables¶
yara -d filename="malware.exe" rules.yar /path/to/file
Print tags only¶
yara -t rules.yar /path/to/file
Print rule names only¶
yara -n rules.yar /path/to/file
Count matches¶
yara -c rules.yar /path/to/file
Fast mode (no string matching)¶
yara -f rules.yar /path/to/file
Scan process memory (Linux)¶
yara rules.yar /proc/PID/mem
Maximum number of strings per rule¶
yara -l 1000 rules.yar /path/to/file ```_
Integrationsbeispiele¶
Integration der Volatilität¶
```python
Volatility plugin example¶
import volatility.plugins.common as common import yara
class YaraScan(common.AbstractWindowsCommand): def init(self, config, *args, **kwargs): common.AbstractWindowsCommand.init(self, config, *args, **kwargs) self.rules = yara.compile(filepath='malware_rules.yar')
def calculate(self):
addr_space = utils.load_as(self._config)
for proc in tasks.pslist(addr_space):
proc_space = proc.get_process_address_space()
if proc_space:
data = proc_space.read(proc.Peb.ImageBaseAddress, 0x1000)
matches = self.rules.match(data=data)
if matches:
yield proc, matches
```_
Cuckoo Sandbox Integration¶
```python
Cuckoo processing module¶
from lib.cuckoo.common.abstracts import Processing import yara
class YaraProcessing(Processing): def run(self): self.key = "yara" results = []
rules = yara.compile(filepath='rules/malware.yar')
# Scan dropped files
for file_path in self.results.get("dropped", []):
matches = rules.match(file_path["path"])
if matches:
results.append(\\\\{
"file": file_path["path"],
"matches": [match.rule for match in matches]
\\\\})
return results
```_
Best Practices¶
Leitlinien für Regelschreiben¶
```c rule BestPracticeExample \\{ meta: description = "Example of best practices" author = "Security Team" date = "2024-01-01" version = "1.0" reference = "https://example.com/analysis" hash = "md5hash"
strings:
// Use descriptive variable names
$mz_header = \\\\{ 4D 5A \\\\}
$pe_header = \\\\{ 50 45 00 00 \\\\}
// Group related strings
$api_process = "CreateProcess"
$api_thread = "CreateThread"
$api_file = "CreateFile"
// Use specific patterns
$specific_string = "unique_malware_string"
condition:
// Check file type first
$mz_header at 0 and
$pe_header and
// Then check specific indicators
$specific_string and
2 of ($api_*)
\\} ```_
Leistungsbetrachtungen¶
```c rule PerformanceOptimized \\{ strings: // Anchor strings to specific positions when possible $header = \\{ 4D 5A \\} at 0
// Use fullword for API names
$api = "CreateFile" fullword
// Avoid overly broad regex
$url = /https?:\/\/[a-zA-Z0-9.-]\\\\{5,50\\\\}\.[a-z]\\\\{2,4\\\\}/
condition:
// Check file size constraints
filesize > 1KB and filesize < 5MB and
// Use specific checks first
$header and
// Then broader checks
($api or $url)
\\} ```_
Fehlerbehebung¶
```python import yara
try: # Compile rules with error handling rules = yara.compile(filepath='rules.yar') except yara.SyntaxError as e: print(f"Syntax error in rules: \\{e\\}") except yara.Error as e: print(f"YARA error: \\{e\\}")
try: # Scan with timeout matches = rules.match('/path/to/file', timeout=60) except yara.TimeoutError: print("Scan timed out") except yara.Error as e: print(f"Scan error: \\{e\\}") ```_
Fehlerbehebung¶
Gemeinsame Themen¶
```bash
Rule compilation errors¶
yara -w rules.yar # Check for warnings
Memory issues with large files¶
yara -f rules.yar /large/file # Fast mode
Timeout issues¶
yara -a 300 rules.yar /path/to/file # Increase timeout
String encoding issues¶
Use 'wide' modifier for Unicode strings¶
Use 'ascii' modifier for ASCII strings¶
Performance issues¶
Use more specific conditions¶
Avoid expensive regex patterns¶
Use file size constraints¶
```_
Debugging Rules¶
```c rule DebugRule \\{ meta: description = "Debug rule with verbose conditions"
strings:
$debug1 = "test string"
$debug2 = \\\\{ 41 42 43 \\\\}
condition:
// Add file size check for debugging
filesize > 0 and
// Check each string individually
($debug1 and #debug1 > 0) or
($debug2 and #debug2 > 0)
\\} ```_
Ressourcen¶
- YARA Offizielle Dokumentation
- (YARA Rules Repository)(LINK_5)
- [VirusTotal YARA](LINK_5__
- (YARA Exchange)(LINK_5_)
- (Awesome YARA)(LINK_5_)