If there's a fork, how about a knife? (YARA)


Anime: 『異世界食堂』

Food and another world. A combination I'm very fond of.

Last time the theme was fork, so this time it's knife. Let's search for knife with apt-cache.

takk@deb9:~$ apt-cache search knife
aptly - Swiss army knife for Debian repository management
cassiopee - index and search tool in genomic sequences
chef - systems integration framework - clients
compass-toolkit-plugin - toolkit of awesome Sass stuff
exabgp - BGP swiss army knife of networking
fim - scriptable frame buffer, X.org and ascii art image viewer
geophar - Swiss army knife for the math teacher
gitmagic - guide about Git version control system
kanif - cluster management and administration swiss army knife
libmlpack-dev - intuitive, fast, scalable C++ machine learning library (development libs)
libmlpack2 - intuitive, fast, scalable C++ machine learning library (runtime library)
mlpack-bin - intuitive, fast, scalable C++ machine learning library (binaries)
mlpack-doc - intuitive, fast, scalable C++ machine learning library (documentation)
moap - Swiss army knife for project maintainers and developers
pd-zexy - General Purpose addon library for Pd
ruby-knife-acl - Knife plugin to manipulate Chef server access control lists
libserd-0-0 - lightweight RDF syntax library
sipsak - SIP Swiss army knife
libsox-fmt-mp3 - SoX MP2 and MP3 format library
swaks - SMTP command-line test tool
libswiss-perl - Perl API to the UniProt database
cups-tea4cups - Swiss Army's knife of advanced CUPS administrators
yara - Pattern matching swiss knife for malware researchers
takk@deb9:~$ 

The very last hit: yara. It is described as a pattern-matching Swiss army knife.
I'm curious, so let's install it.

takk@deb9:~$ sudo apt-get install yara

Hmm. man yara.

yara(1)                     General Commands Manual                    yara(1)

NAME
       yara - find files matching patterns and rules written in a special-pur-
       pose language.

SYNOPSIS
       yara [OPTION]... RULES_FILE FILE | DIR | PID

DESCRIPTION
       yara scans the given FILE, all files contained in directory DIR, or the
       process  indentified  by  PID looking for matches of patterns and rules
       provided in  a  special  purpose-language.  The  rules  are  read  from
       RULES_FILE.

       The options to yara(1) are:

       -t tag --tag=tag
              Print  rules  tagged as tag and ignore the rest. This option can
              be used multiple times.

       -i identifier --identifier=identifier
              Print rules named identifier and ignore the  rest.  This  option
              can be used multiple times.

       -n  --negate
              Print rules that doesn't apply (negate)

       -D  --print-module-data
              Print module data.

       -g  --print-tags
              Print the tags associated to the rule.

       -m  --print-meta
              Print metadata associated to the rule.

       -s  --print-strings
              Print strings found in the file.

       -p number --threads=number
              Use the specified number of threads to scan a directory.

       -l number --max-rules=number
              Abort scanning after a number of rules matched.

       -a seconds --timeout=seconds
              Abort scanning after a number of seconds has elapsed.

       -k slots --stack-size=slots
              Set maximum stack size to the specified number of slots.

       -d identifier=value
              Define  an  external  variable. This option can be used multiple
              times.

       -x module=file
              Pass file's content as extra data to module. This option can  be
              used multiple times.

       -r  --recursive
              Scan files in directories recursively.

       -f  --fast-scan
              Speeds up scanning by searching only for the first occurrence of
              each pattern.

       -w  --no-warnings
              Disable warnings.

       -v  --version
              Show version information.

EXAMPLES
       $ yara /foo/bar/rules1 /foo/bar/rules2 .

              Apply rules on /foo/bar/rules1 and /foo/bar/rules2 to all  files
              on current directory. Subdirectories are not scanned.

       $ yara -t Packer -t Compiler /foo/bar/rules bazfile

              Apply  rules  on  /foo/bar/rules to bazfile.  Only reports rules
              tagged as Packer or Compiler.

       $ cat /foo/bar/rules1 | yara -r /foo

              Scan all files in the /foo  directory  and  its  subdirectories.
              Rules are read from standard input.

       $ yara -d mybool=true -d myint=5 -d mystring="my string" /foo/bar/rules
       bazfile

              Defines three external variables mybool myint and mystring.

       $ yara -x cuckoo=cuckoo_json_report /foo/bar/rules bazfile

              Apply rules on /foo/bar/rules to bazfile while passing the  con-
              tent of cuckoo_json_report to the cuckoo module.

AUTHOR
       Victor M. Alvarez <plusvic@gmail.com>;<vmalvarez@virustotal.com>

Victor M. Alvarez             September 22, 2008                       yara(1)

Looks like an interesting tool. I tried it out in a rough and ready way.

The rule file looks like this. It's extremely sloppy, so it may differ from how the tool is really meant to be used.

takk@deb9:~$ cat rule
rule BashScript{
	strings:
		$a="#!/bin/bash"
	condition:
		$a
}
rule PythonScript{
	strings:
		$a="#!/usr/bin/python"
	condition:
		$a
}
rule ELF{
	strings:
		$a={7F 45 4C 46}
	condition:
		$a
}
takk@deb9:~$ 

The files to test are two text files and one executable (ELF).

takk@deb9:~$ cat test1.txt
#!/bin/bash
echo Hello
takk@deb9:~$ cat test2.txt
#!/usr/bin/python
print("Hello")
takk@deb9:~$ file a.out
a.out: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=1206993d07fa5d7c349b67b9869c2e91ceca77d3, not stripped
takk@deb9:~$ 

Now, let's check each file with the rules I wrote.

takk@deb9:~$ yara rule test1.txt
BashScript test1.txt
takk@deb9:~$ yara rule test2.txt
PythonScript test2.txt
takk@deb9:~$ yara rule a.out
ELF a.out
takk@deb9:~$ 

Looks like it could stand in for the file command.
Its real purpose is apparently detecting things like malware.
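As an added example that is not part of the original post, here is a small Python matcher that parses the three-rule file above (text strings, hex strings, and a condition that is a single string identifier) and reproduces the `yara rule <file>` results on constructed copies of the three test files; `parse_rules` and `scan` are my own names, and the matcher covers only this subset of YARA. One caveat worth knowing: a bare `$a` condition matches the string anywhere in the file, not only at offset 0 the way `file` checks a magic number, so a text file that merely mentions `#!/bin/bash` also hits; in real YARA, `$a at 0` pins the match to the start.

```python
import re

# Constructed sample inputs mirroring the page's files: bash script, python script, start of an ELF header.
SAMPLES = {
    "test1.txt": b"#!/bin/bash\necho Hello\n",
    "test2.txt": b'#!/usr/bin/python\nprint("Hello")\n',
    "a.out": b"\x7fELF\x02\x01\x01" + b"\x00" * 9,
}

RULES_TEXT = """
rule BashScript{
    strings:
        $a="#!/bin/bash"
    condition:
        $a
}
rule PythonScript{
    strings:
        $a="#!/usr/bin/python"
    condition:
        $a
}
rule ELF{
    strings:
        $a={7F 45 4C 46}
    condition:
        $a
}
"""

def parse_rules(text):
    """Parse only the subset the page uses: text ("...") or hex ({...}) strings and a
    condition that is one string identifier. Returns [(name, {ident: bytes}, cond)]."""
    rules = []
    # The body runs past 'condition:' to the next '}', so the '}' closing a hex string is not an end.
    for m in re.finditer(r"rule\s+(\w+)\s*\{(.*?condition:[^}]*)\}", text, re.S):
        name, body = m.group(1), m.group(2)
        strings = {}
        for sm in re.finditer(r'(\$\w+)\s*=\s*(?:"([^"]*)"|\{([^}]*)\})', body):
            ident, txt, hexs = sm.groups()
            strings[ident] = txt.encode() if txt is not None else bytes.fromhex(hexs)
        cond = re.search(r"condition:\s*(\$\w+)", body).group(1)
        rules.append((name, strings, cond))
    return rules

def scan(rules, data):
    """Names of rules whose condition string occurs anywhere in data: what a bare `$a`
    condition means in YARA (not pinned to offset 0 like `file`; `$a at 0` would be)."""
    return [name for name, strings, cond in rules if strings[cond] in data]
```

`scan(parse_rules(RULES_TEXT), SAMPLES["a.out"])` returns `["ELF"]`, matching the `ELF a.out` line yara printed above.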
