Add support for using the 'dotnet' module in YARA rules #749

Merged
merged 11 commits into from
Apr 23, 2020
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -4,6 +4,7 @@

* Enhancement: Improved detection of many packers in `retdec-fileinfo`, including Armadillo ([#733](/~https://github.com/avast/retdec/pull/733)), VMProtect ([#734](/~https://github.com/avast/retdec/pull/734)), Petite ([#735](/~https://github.com/avast/retdec/pull/735)), Enigma ([#741](/~https://github.com/avast/retdec/pull/741)), ASPack ([#743](/~https://github.com/avast/retdec/pull/743)), Eziriz ([#746](/~https://github.com/avast/retdec/pull/746)).
* Enhancement: Added a detection of PyInstaller to `retdec-fileinfo` ([#748](/~https://github.com/avast/retdec/pull/748)).
* Enhancement: Enable .NET module in RetDec's YARA ([#747](/~https://github.com/avast/retdec/issues/747)).
* Fix: Fixed build on some systems by adding missing includes of `<limits>` into `retdec-fileinfo` ([#745](/~https://github.com/avast/retdec/pull/745)).

# v4.0 (2020-04-07)
1 change: 1 addition & 0 deletions deps/yara/CMakeLists.txt
Expand Up @@ -95,6 +95,7 @@ if(NOT MSVC)
COMMAND ./bootstrap.sh
COMMAND ./configure
--prefix=${YARA_INSTALL_DIR}
--enable-dotnet
--enable-macho
--disable-shared
--without-crypto
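Review bot: `--enable-dotnet` is added only on the `if(NOT MSVC)` configure path, while the MSVC build receives the same module through the vcxproj string patching in deps/yara/patch.cmake; nothing ties the two module lists together, so a future module change on one path is easy to miss on the other. A one-line comment next to the flags, `# module list must match the DOTNET_MODULE/MACHO_MODULE defines patched into the vcxproj by patch.cmake`, would make that coupling visible. Since the dotnet module parses metadata of arbitrary input binaries, enabling it also widens the parser surface RetDec exercises on untrusted files; it is worth confirming that the pinned YARA revision carries upstream's dotnet-module fixes, which this hunk cannot show. The enclosing command block continues outside the hunk.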
8 changes: 4 additions & 4 deletions deps/yara/patch.cmake
Expand Up @@ -6,7 +6,7 @@ function(patch_vcxproj file)

string(REPLACE
"<PreprocessorDefinitions>_CRT_SECURE_NO_WARNINGS;CUCKOO_MODULE;HASH_MODULE;DOTNET_MODULE;HAVE_LIBCRYPTO;USE_WINDOWS_PROC;YR_BUILDING_STATIC_LIB;PROFILING_ENABLED</PreprocessorDefinitions>"
"<PreprocessorDefinitions>_CRT_SECURE_NO_WARNINGS;MACHO_MODULE;USE_WINDOWS_PROC</PreprocessorDefinitions>"
"<PreprocessorDefinitions>_CRT_SECURE_NO_WARNINGS;DOTNET_MODULE;MACHO_MODULE;USE_WINDOWS_PROC</PreprocessorDefinitions>"
new_content
"${new_content}"
)
Expand All @@ -18,7 +18,7 @@ function(patch_vcxproj file)
)
string(REPLACE
"<PreprocessorDefinitions>_CRT_SECURE_NO_WARNINGS;CUCKOO_MODULE;HASH_MODULE;DOTNET_MODULE;HAVE_LIBCRYPTO;USE_WINDOWS_PROC;YR_BUILDING_STATIC_LIBC;PROFILING_ENABLED</PreprocessorDefinitions>"
"<PreprocessorDefinitions>_CRT_SECURE_NO_WARNINGS;MACHO_MODULE;USE_WINDOWS_PROC</PreprocessorDefinitions>"
"<PreprocessorDefinitions>_CRT_SECURE_NO_WARNINGS;DOTNET_MODULE;MACHO_MODULE;USE_WINDOWS_PROC</PreprocessorDefinitions>"
new_content
"${new_content}"
)
Expand All @@ -30,13 +30,13 @@ function(patch_vcxproj file)
)
string(REPLACE
"<PreprocessorDefinitions>_CRT_SECURE_NO_WARNINGS;CUCKOO_MODULE;HASH_MODULE;DOTNET_MODULE;HAVE_LIBCRYPTO;USE_WINDOWS_PROC;YR_BUILDING_STATIC_LIB</PreprocessorDefinitions>"
"<PreprocessorDefinitions>_CRT_SECURE_NO_WARNINGS;MACHO_MODULE;USE_WINDOWS_PROC</PreprocessorDefinitions>"
"<PreprocessorDefinitions>_CRT_SECURE_NO_WARNINGS;DOTNET_MODULE;MACHO_MODULE;USE_WINDOWS_PROC</PreprocessorDefinitions>"
new_content
"${new_content}"
)
string(REPLACE
"<PreprocessorDefinitions>_CRT_SECURE_NO_WARNINGS;CUCKOO_MODULE;HASH_MODULE;DOTNET_MODULE;HAVE_LIBCRYPTO;USE_WINDOWS_PROC;YR_BUILDING_STATIC_LIB;NDEBUG=1</PreprocessorDefinitions>"
"<PreprocessorDefinitions>_CRT_SECURE_NO_WARNINGS;MACHO_MODULE;USE_WINDOWS_PROC;NDEBUG=1</PreprocessorDefinitions>"
"<PreprocessorDefinitions>_CRT_SECURE_NO_WARNINGS;DOTNET_MODULE;MACHO_MODULE;USE_WINDOWS_PROC;NDEBUG=1</PreprocessorDefinitions>"
new_content
"${new_content}"
)
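Review bot: Each `string(REPLACE …)` in this function matches the upstream `<PreprocessorDefinitions>` line byte-for-byte and silently does nothing when the pattern is not found, so a YARA bump that reorders or extends that line would leave the MSVC build without DOTNET_MODULE (and MACHO_MODULE), and the failure would only surface later when a rule with `import "dotnet"` fails to compile. After the replacements, a guard such as `if(NOT new_content MATCHES "DOTNET_MODULE;MACHO_MODULE")` / `message(FATAL_ERROR "patch_vcxproj: expected PreprocessorDefinitions line not found in ${file}")` / `endif()` would turn that into a configure-time error. The function patch_vcxproj starts before this hunk and its body continues past it.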
31 changes: 7 additions & 24 deletions support/yara_patterns/tools/pe/x86/packers.yara
Expand Up @@ -4,6 +4,7 @@
*/

import "pe"
import "dotnet"

rule ep_exepack_10 {
meta:
Expand Down Expand Up @@ -108,33 +109,15 @@ rule eziriz_dotnet_reactor_62_or_newer {
name = "Eziriz .NET Reactor"
version = "6.2.0.0 or newer"
extra = ".NET protection"
strings:
$s01 = "{11111-22222-20001-00001}" wide
$s02 = "{11111-22222-30001-00001}" wide
$s03 = "{11111-22222-40001-00001}" wide
$s04 = "{11111-22222-50001-00001}" wide
condition:
pe.number_of_sections == 3 and
pe.imports("mscoree.dll") and
all of them
}

// TODO: When retdec's YARAC will be of a newer version
//rule eziriz_dotnet_reactor_62_or_newer {
// meta:
// tool = "P"
// name = "Eziriz .NET Reactor"
// version = "6.2.0.0 or newer"
// extra = ".NET protection"
// condition:
// pe.number_of_sections == 3 and
// pe.imports("mscoree.dll") and
// dotnet.number_of_user_strings > 8 and
// dotnet.user_strings[dotnet.number_of_user_strings - 8] == "{\x001\x001\x001\x001\x001\x00-\x002\x002\x002\x002\x002\x00-\x002\x000\x000\x000\x001\x00-\x000\x000\x000\x000\x001\x00}\x00\x00" and
// dotnet.user_strings[dotnet.number_of_user_strings - 6] == "{\x001\x001\x001\x001\x001\x00-\x002\x002\x002\x002\x002\x00-\x003\x000\x000\x000\x001\x00-\x000\x000\x000\x000\x001\x00}\x00\x00" and
// dotnet.user_strings[dotnet.number_of_user_strings - 4] == "{\x001\x001\x001\x001\x001\x00-\x002\x002\x002\x002\x002\x00-\x004\x000\x000\x000\x001\x00-\x000\x000\x000\x000\x001\x00}\x00\x00" and
// dotnet.user_strings[dotnet.number_of_user_strings - 2] == "{\x001\x001\x001\x001\x001\x00-\x002\x002\x002\x002\x002\x00-\x005\x000\x000\x000\x001\x00-\x000\x000\x000\x000\x001\x00}\x00\x00"

It seems that there is something wrong with the new YARA rule as the following two tests are failing:

tools.fileinfo.detection.packers.eziriz.EzirizDotnetTest_002 (sample_6.2.0.0_dotnet.exe_ --js[..])  [ FAIL ]  (0.15s)
F
======================================================================
FAIL: test_fileinfo_json_output_is_correctly_parsed (tools.fileinfo.detection.packers.eziriz.EzirizDotnetTest_002)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/tcagent/work/c1867d72f67fc407/retdec-regression-tests/tools/fileinfo/detection/packers/eziriz/test.py", line 38, in test_fileinfo_json_output_is_correctly_parsed
    self.assertEqual(self.fileinfo.output['tools'][0]['name'], 'Eziriz .NET Reactor')
AssertionError: 'Microsoft' != 'Eziriz .NET Reactor'
- Microsoft
+ Eziriz .NET Reactor


----------------------------------------------------------------------
Ran 1 test in 0.002s

FAILED (failures=1)

tools.fileinfo.detection.packers.eziriz.EzirizDotnetTest_002 (sample_6.2.9.2_dotnet.exe_ --js[..])  [ FAIL ]  (0.16s)
F
======================================================================
FAIL: test_fileinfo_json_output_is_correctly_parsed (tools.fileinfo.detection.packers.eziriz.EzirizDotnetTest_002)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/tcagent/work/c1867d72f67fc407/retdec-regression-tests/tools/fileinfo/detection/packers/eziriz/test.py", line 38, in test_fileinfo_json_output_is_correctly_parsed
    self.assertEqual(self.fileinfo.output['tools'][0]['name'], 'Eziriz .NET Reactor')
AssertionError: 'Microsoft' != 'Eziriz .NET Reactor'
- Microsoft
+ Eziriz .NET Reactor


----------------------------------------------------------------------
Ran 1 test in 0.003s

FAILED (failures=1)


It is worse than that. I think the YARA rule does match, but for some reason we filter it out. I ran it with vanilla YARA and the rule was reported.


@s3rvac, @ladislav-zezula, @metthal
Marek clarified some issues here. This new rule is fundamentally different from the other existing rules, and cpdetect (and maybe other tools) cannot deal with it. Other rules have strings to match, but this one is detected without producing any string matches, so cpdetect throws it away. This is what would be considered a heuristic rule, and until now we would hardcode such rules into the C++ source code. I will try to modify the toolchain to deal with it, but I don't know how hard it will be or how many issues I will come across.

//}
dotnet.number_of_user_strings > 8 and
dotnet.user_strings[dotnet.number_of_user_strings - 8] == "{\x001\x001\x001\x001\x001\x00-\x002\x002\x002\x002\x002\x00-\x002\x000\x000\x000\x001\x00-\x000\x000\x000\x000\x001\x00}\x00\x00" and
dotnet.user_strings[dotnet.number_of_user_strings - 6] == "{\x001\x001\x001\x001\x001\x00-\x002\x002\x002\x002\x002\x00-\x003\x000\x000\x000\x001\x00-\x000\x000\x000\x000\x001\x00}\x00\x00" and
dotnet.user_strings[dotnet.number_of_user_strings - 4] == "{\x001\x001\x001\x001\x001\x00-\x002\x002\x002\x002\x002\x00-\x004\x000\x000\x000\x001\x00-\x000\x000\x000\x000\x001\x00}\x00\x00" and
dotnet.user_strings[dotnet.number_of_user_strings - 2] == "{\x001\x001\x001\x001\x001\x00-\x002\x002\x002\x002\x002\x00-\x005\x000\x000\x000\x001\x00-\x000\x000\x000\x000\x001\x00}\x00\x00"
}

rule spirit_15_01 {
meta:
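Review bot: The new condition of eziriz_dotnet_reactor_62_or_newer pins the four marker strings to fixed slots counted back from the end of the user-string heap and spells them as escaped UTF-16LE bytes, but nothing in the rule says what the markers are or why those slots are expected, which the dropped `wide` strings used to make readable. A comment above `condition:` such as `// .NET Reactor >= 6.2 emits four marker strings {11111-22222-N0001-00001} near the end of the #US heap; compared as raw UTF-16LE heap entries, the trailing byte being the #US terminal flag` would preserve the intent. The fixed offsets (-8, -6, -4, -2) are a brittle heuristic — a protector build that appends one more user string shifts all four — so the `version = "6.2.0.0 or newer"` claim is presumably "tested on" rather than guaranteed and deserves a note in `extra` or a comment. The `rule` line itself sits in the hunk header, before the visible lines.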