#9
Quote:
In the meantime, I’ve spent some time reading different papers on the strength of Yara and decided to try to write some rules for OnGuard, Matrix Decryption and TRegware for a start. It was during this time that I realized for the first time that x64Dbg, at least up to the snapshot from March 28, 2019, had Yara implemented as a dll. So I decided to test my attempts at yara rules in it. It worked most of the time in x64Dbg if I didn’t use the “pe” and “math” options in the rules, which I needed in order to limit the scanning to MZ header files only. Also, the version in x64Dbg only scans the file in its current active CPU, even if you select a different directory to scan, and this I presume could be the reason the "pe" option fails. So in the end I was able to write - thanks to some code snippets from the net - a wrapper in classic VB to execute and capture the result of the console version of the latest compiled yara32. Tries were made with single files as well as nested folders, with pretty decent results in timing and hits. I have added rules for the signatures of these three modules to the “crypto_signatures.yara” found, for example, at https://github.com/Yara-Rules/rules/tree/master/crypto
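As an added illustration (not from the post above and not from the Yara-Rules project), here is how a rule in the style of crypto_signatures.yara can be restricted to files with an MZ/PE header. The hex pattern is a constructed placeholder rather than a real signature; the first variant uses only built-in functions so it still loads in a scanner that lacks the pe module, and the second expresses the same intent with the pe and math modules.

```yara
import "pe"
import "math"

// Added example. The hex pattern below is a constructed placeholder,
// not a real crypto constant from OnGuard, Matrix Decryption or TRegware.

// Variant 1: restrict matches to PE files using only built-in functions,
// so the rule compiles even where the "pe" module is unavailable.
rule Placeholder_Constant_In_PE_NoModules
{
    meta:
        description = "Constructed constant, only in files with an MZ/PE header"
    strings:
        $c = { 67 45 23 01 EF CD AB 89 }
    condition:
        uint16(0) == 0x5A4D and                 // "MZ" at offset 0
        uint32(uint32(0x3C)) == 0x00004550 and  // "PE\0\0" at e_lfanew
        $c
}

// Variant 2: the same intent with the pe and math modules, additionally
// requiring the 256 bytes starting at the match to be high-entropy data,
// which is typical of embedded tables or keys rather than plain code.
rule Placeholder_Constant_In_PE_WithModules
{
    meta:
        description = "Constructed constant in a parsed PE, high-entropy neighbourhood"
    strings:
        $c = { 67 45 23 01 EF CD AB 89 }
    condition:
        pe.number_of_sections > 0 and
        $c and
        math.entropy(@c, 256) > 6.0
}
```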