Analyzing malware samples with Yara: identifying and classifying malware samples

Yara is a popular open source tool used to identify and classify malware samples. Its motto is "the pattern matching Swiss knife for malware researchers (and everyone else)", and its feature set earns that name. In this tutorial we will look at some of Yara's features.

Install

Installing Yara on Linux is easy: the package manager fetches and installs it.

Fedora, CentOS, RedHat:

$ sudo yum install yara -y

Ubuntu, Debian:

$ sudo apt install yara

Help

Yara's help text is printed with the -h option.

$ yara -h

The usage line of the yara command is shown below. The target can be a binary file, a directory, or a process ID.

yara [OPTION]... RULES_FILE FILE | DIR | PID

Getting Started with Yara

Yara reads rules from a rule file and applies them to the specified target with the given options. The results are printed to the terminal. We will start with a simple example by defining a rule file.

Create Rule File

In this example the rule file is named myrule and contains the following rule.


rule dummy { condition: true }

Download Binary Sample

We will download a binary sample from the web. Our sample is the popular SSH client PuTTY: a benign, well-known Windows executable, used here only so that we have a real PE file to scan. Download it from the following link.

https://the.earth.li/~sgtatham/putty/latest/w32/putty.exe

On Linux we use wget to download it.

$ wget https://the.earth.li/~sgtatham/putty/latest/w32/putty.exe

Run Yara

Now we can run our first rule with yara.

$ yara myrule putty.exe

The result is not very exciting, but it works. Because the condition is always true, the rule matches every file it is given, and yara prints the rule name dummy followed by the name of the matched file, putty.exe in this example.

Rule

Yara rule syntax is similar to the C programming language. Here is a simple rule named myrule.

rule myrule
{
    strings:
        $my_text_string = "text here"
        $my_hex_string = { E2 34 A1 C8 23 FB }

    condition:
        $my_text_string or $my_hex_string
}

A rule definition has two main parts. The strings section declares the patterns to search for, each with a $-prefixed identifier: $my_text_string is a plain text string and $my_hex_string is a sequence of raw bytes written in hex. The condition section is a boolean expression over those identifiers that decides whether the rule matches; here the rule fires if either string is found in the file.
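As an added example (not from the original tutorial), the following script ties the Run Yara step and the rule structure together: it writes a rule file in the same shape as myrule, builds a few constructed sample files, and runs yara over them to show which strings satisfy the or condition and how the -s flag reveals where each string matched. It assumes the yara CLI from the Install section is on PATH; the file names, rule names and sample contents are made up for the demonstration and are not real malware or the putty.exe download.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. Assumes the yara CLI is on
# PATH; the sample files below are constructed here, not real binaries.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Rule file. demo_or has the same shape as myrule: one text string and one
# hex string (?? is a wildcard byte) joined by "or". pe_with_dos_stub adds a
# header check: uint16(0) reads the first two bytes little-endian, so 0x5A4D
# is the "MZ" signature every PE file starts with.
cat > "$WORK/demo.yar" <<'EOF'
rule demo_or
{
    strings:
        $my_text_string = "text here"
        $my_hex_string  = { E2 34 A1 ?? 23 FB }
    condition:
        $my_text_string or $my_hex_string
}

rule pe_with_dos_stub
{
    strings:
        $stub = "This program cannot be run in DOS mode"
    condition:
        uint16(0) == 0x5A4D and $stub
}
EOF

# Constructed samples (octal escapes keep the script plain POSIX sh):
#   a.bin  contains only the text string
#   b.bin  contains only the hex pattern, with C8 in the wildcard position
#   c.bin  starts with "MZ" and carries the DOS stub message, like a PE file
#   d.bin  matches nothing
printf 'junk text here junk'                              > "$WORK/a.bin"
printf '\000\000\342\064\241\310\043\373\000'             > "$WORK/b.bin"
printf 'MZ\220\000This program cannot be run in DOS mode' > "$WORK/c.bin"
printf 'nothing to see'                                   > "$WORK/d.bin"

# scan FILE: yara's default output is one "rule_name file" line per matching
# rule; -s adds one "0xOFFSET:$id: bytes" line per string occurrence.
scan() {
    yara -s "$WORK/demo.yar" "$1"
}

# matched_rules FILE: only the names of the rules that matched, one per line
# (empty when nothing matches; yara still exits 0 in that case).
matched_rules() {
    yara "$WORK/demo.yar" "$1" | awk '{ print $1 }'
}

if command -v yara >/dev/null 2>&1; then
    for name in a b c d; do
        echo "== $name.bin"
        scan "$WORK/$name.bin"
    done
else
    echo "yara is not installed; see the Install section" >&2
fi
```

With -s, a line such as 0x5:$my_text_string: text here tells you where the string was found, which is the quickest way to confirm that a rule fires for the reason you intended rather than on an incidental byte pattern. Note that c.bin satisfies uint16(0) == 0x5A4D only because it starts with MZ; the same stub text in a file without that header would not match pe_with_dos_stub, and b.bin matches demo_or purely through the hex string, the wildcard byte absorbing the C8.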
