All of a sudden VMware couldn't get online while the host still could. Very odd. Running ipconfig /all in cmd showed that VMware's DHCP wasn't enabled, even though every service was started. The symptom was that Ubuntu 10.04 had no network icon and no network access. I heard the icon just gets hidden, but I couldn't find it anywhere, none of the recovery tricks helped, and I didn't feel like configuring the network by hand (DHCP is supposed to connect automatically, so why go through that pain?). So I went over to the host side and found that neither of the two VMware adapters had network access. I selected "Local Area Connection" and the VMware8 adapter together (select both icons, right-click, choose "Bridge"), and suddenly the guest was online and the icon was back. Magic.
===================================================================================
Starting today I'm adding new rules to jsunpack-n. The study material is the YARA manual: http://download.csdn.net/detail/xihuanqiqi/4600532
PS: jsunpack-n extends its detection by adding rules. These rules live in a file called rule inside the jsunpackn folder, so by adding new rules to that file we can detect the latest malicious code.
Before we start writing rules, let's learn how a YARA rule is written.
1 Writing rules
Example:
rule ExampleRule
{
strings:
$my_text_string = "text here"
$my_hex_string = { E2 34 A1 C8 23 FB }
condition:
$my_text_string or $my_hex_string
}
A rule is like a C struct and has two parts: strings and condition. The strings section is optional, but the condition is mandatory.
Each string is an identifier that starts with the '$' character.
Rules also reserve some keywords; as in C, these keywords can't be used as string identifiers:
all and any ascii at condition contains entrypoint false
filesize fullword for global in include index indexes int8 int16 int32
matches meta nocase not or of private rule rva section strings them true
uint8 uint16 uint32 wide
In the condition, an expression like $my_text_string or $my_hex_string means: if $my_text_string is present or $my_hex_string is present, the expression evaluates to true; otherwise it is false.
2 Comments
Same as in C:
/* block comment */
// line comment
3 Strings
3.1 Hexadecimal strings
There are three kinds of notation: wildcards, jumps, and alternatives.
Wildcard ?? (can be 4?, ?4 or ??):
rule WildcardExample
{
strings:
$hex_string = { E2 34 ?? C8 A? FB }
condition:
$hex_string
}
Jump ([4-6]):
rule JumpExample
{
strings:
$hex_string = { F4 23 [4-6] 62 B4 }
condition:
$hex_string
}
This $hex_string = { F4 23 [4-6] 62 B4 } matches:
F4 23 01 02 03 04 62 B4
F4 23 00 00 00 00 00 62 B4
F4 23 15 82 A3 04 45 22 62 B4
Notes:
In [a-b], a >= 0, a < b, b <= 255.
A single number is also allowed, such as [6]; e.g. FE 39 45 [6] 89 00
matches FE 39 45 ?? ?? ?? ?? ?? ?? 89 00
Alternatives (62 B4 | 56):
rule AlternativesExample1
{
strings:
$hex_string = { F4 23 ( 62 B4 | 56 ) 45 }
condition:
$hex_string
}
$hex_string = { F4 23 ( 62 B4 | 56 ) 45 } matches F42362B445 or F4235645.
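To see exactly what the three notations above accept, here is an added example (written for this post, not code from YARA or jsunpack-n) that turns the body of a hex string into a bytes regular expression and reports the offsets where it matches. The sample buffers are the three byte sequences listed above plus a fourth that should not match; the function names are my own.

```python
import re

# Added example: a small interpreter for YARA-style hex strings. It supports the
# three notations from the post: wildcards (?? 4? ?4), jumps ([4-6], [6]) and
# alternatives (( 62 B4 | 56 )). Names here are this example's own, not YARA's.

TOKEN_RE = re.compile(r'\[\d+(?:-\d+)?\]|\(|\)|\||[0-9A-Fa-f?]{2}')

def hex_pattern_to_regex(pattern: str) -> bytes:
    """Translate the text between { and } of a hex string into a bytes regex."""
    out = []
    for tok in TOKEN_RE.findall(pattern):
        if tok == '(':
            out.append(b'(?:')
        elif tok == ')':
            out.append(b')')
        elif tok == '|':
            out.append(b'|')
        elif tok.startswith('['):
            # jump: [a-b] skips a to b arbitrary bytes, [n] skips exactly n bytes
            lo, _, hi = tok[1:-1].partition('-')
            hi = hi or lo
            out.append(b'.{%d,%d}' % (int(lo), int(hi)))
        elif tok == '??':
            out.append(b'.')                      # any single byte
        elif '?' in tok:
            # nibble wildcard: enumerate the 16 byte values that fit the fixed nibble
            hi_nib, lo_nib = tok[0], tok[1]
            fits = [v for v in range(256)
                    if (hi_nib == '?' or v >> 4 == int(hi_nib, 16))
                    and (lo_nib == '?' or v & 0xF == int(lo_nib, 16))]
            out.append(b'[' + b''.join(re.escape(bytes([v])) for v in fits) + b']')
        else:
            out.append(re.escape(bytes([int(tok, 16)])))   # a plain byte
    return b''.join(out)

def hex_string_matches(pattern: str, data: bytes) -> list:
    """Every offset where the hex string matches. A lookahead wrapper makes
    overlapping occurrences all get reported, which is how YARA counts them."""
    body = hex_pattern_to_regex(pattern)
    rx = re.compile(b'(?=(?:' + body + b'))', re.DOTALL)
    return [m.start() for m in rx.finditer(data)]

if __name__ == "__main__":
    # constructed sample buffers: the three sequences the post lists, plus one
    # whose jump is only 3 bytes long and therefore must not match
    for hexdump in ("F4 23 01 02 03 04 62 B4",
                    "F4 23 00 00 00 00 00 62 B4",
                    "F4 23 15 82 A3 04 45 22 62 B4",
                    "F4 23 01 02 03 62 B4"):
        print(hexdump, "->", hex_string_matches("F4 23 [4-6] 62 B4", bytes.fromhex(hexdump)))
```

The translation is deliberately literal: a jump becomes a bounded `.{a,b}`, a nibble wildcard becomes a character class of the 16 bytes that fit, and an alternative group becomes a non-capturing group, so you can read the generated regex back against the rule.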
3.2 Text strings
Case-insensitive matching
rule CaseInsensitiveTextExample
{
strings:
$text_string = "foobar" nocase
condition:
$text_string
}
Matching wide characters
/* "wide" here means characters that take two bytes, with the second byte being 00 */
rule WideCharTextExample
{
strings:
$wide_string = "Borland" wide
condition:
$wide_string
}
Matching both ASCII and wide
/* If you want to search for strings in both ASCII and wide form */
rule WideCharWideAsciiTextExample
{
strings:
$wide_and_ascii_string = "Borland" wide ascii // the order of these two keywords doesn't matter
condition:
$wide_and_ascii_string
}
Matching whole words
/* For example the string "domain", if defined as fullword, doesn't match
"www.mydomain.com" but it matches "www.my-domain.com" and "www.domain.com". */
rule FullwordTextExample
{
strings:
$wide_and_ascii_string = "domain" fullword
condition:
$wide_and_ascii_string
}
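The four modifiers above (nocase, wide, ascii, fullword) are easy to misread, so here is an added example (my own code for this post, not YARA's) that implements them over raw bytes and returns the offsets of each match. The sample inputs are the hostnames from the manual's fullword explanation and a constructed wide-encoded "Borland"; the function names are assumptions of this example.

```python
import re

# Added example: a matcher for YARA text strings implementing the nocase, wide,
# ascii and fullword modifiers. Not part of YARA; names are this example's own.

WORD_CHAR = b'[0-9A-Za-z]'   # fullword: the match must not touch an alphanumeric char

def _text_regex(text: str, nocase: bool, wide: bool) -> bytes:
    """Build a bytes regex for one encoding form (ASCII or wide) of the text."""
    parts = []
    for ch in text:
        if nocase and ch.isalpha():
            # accept either case of the letter
            piece = (b'[' + re.escape(ch.lower().encode('latin-1'))
                     + re.escape(ch.upper().encode('latin-1')) + b']')
        else:
            piece = re.escape(ch.encode('latin-1'))
        if wide:
            piece += b'\x00'   # wide form: every character is followed by a 00 byte
        parts.append(piece)
    return b''.join(parts)

def find_text_string(data: bytes, text: str, modifiers=()) -> list:
    """Offsets where `text` matches in `data`, honouring the given modifiers.

    Without 'wide' only the ASCII form is searched; 'wide' alone searches only
    the two-bytes-per-character form; 'wide ascii' (any order) searches both.
    """
    mods = set(modifiers)
    forms = []
    if 'wide' in mods:
        forms.append(True)
    if 'ascii' in mods or 'wide' not in mods:
        forms.append(False)
    offsets = set()
    for wide in forms:
        body = _text_regex(text, 'nocase' in mods, wide)
        if 'fullword' in mods:
            # no alphanumeric character (or wide character) directly before or after
            boundary = WORD_CHAR + (b'\x00' if wide else b'')
            body = b'(?<!' + boundary + b')' + body + b'(?!' + boundary + b')'
        offsets.update(m.start() for m in re.finditer(body, data, re.DOTALL))
    return sorted(offsets)

if __name__ == "__main__":
    # constructed samples mirroring the manual's fullword explanation
    for host in (b"www.mydomain.com", b"www.my-domain.com", b"www.domain.com"):
        print(host, "->", find_text_string(host, "domain", ["fullword"]))
    wide_borland = "Borland".encode("utf-16-le")
    print(find_text_string(b"Borland" + wide_borland, "Borland", ["wide", "ascii"]))
```

Note that the hyphen in "www.my-domain.com" is what makes the fullword match succeed: the boundary check only cares about alphanumeric neighbours, not about dots or other punctuation.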
3.3 Regular expressions
rule RegExpExample1
{
strings:
$re1 = /md5: [0-9a-zA-Z]{32}/
$re2 = /state: (on|off)/
condition:
$re1 and $re2
}
These are written much like plain strings, and nocase, wide, fullword and so on can all be used; the only difference from plain strings is "" versus //.
4 Conditions
Boolean operators: and, or, not
Comparison operators: >=, <=, <, >, == and !=
Arithmetic operators: (+, -, *, \)
Bitwise operators: (&, |, <<, >>, ~) can all be used.
Counting strings (#: the number of times a string occurs)
rule CountExample
{
strings:
$a = "dummy1"
$b = "dummy2"
condition:
#a == 6 and #b > 10
}
String offsets or virtual addresses (at)
/*if string $a is found at offset
100 within the file (or at virtual address 100 if applied to a running process)*/
rule AtExample
{
strings:
$a = "dummy1"
$b = "dummy2"
condition:
$a at 100 and $b at 200
}
These numbers are decimal; add a 0x prefix and they become hexadecimal, just like in C.
The 100 in at 100 is an address.
rule InExample
{
strings:
$a = "dummy1"
$b = "dummy2"
condition:
$a in (0..100) and $b in (100..filesize)
}
This means the string must lie within the given range of offsets, and filesize stands for the end of the file.
You can also get the offset or virtual address of the i-th occurrence of string $a by using
@a[i]. If i is beyond the number of occurrences, it returns NaN (Not a Number).
File size
rule FileSizeExample
{
condition:
filesize > 200KB
}
The suffix can be KB or MB; filesize itself is measured in bytes.
Executable entry point
rule EntryPointExample1
{
strings:
$a = { E8 00 00 00 00 }
condition:
$a at entrypoint
}
rule EntryPointExample2
{
strings:
$a = { 9C 50 66 A1 ?? ?? ?? 00 66 A9 ?? ?? 58 0F 85 }
condition:
$a in (entrypoint..entrypoint + 10)
}
Used with Portable Executable (PE) or Executable and Linkable Format (ELF) files.
Accessing data at a given position
int8(<offset or virtual address>)
int16(<offset or virtual address>)
int32(<offset or virtual address>)
uint8(<offset or virtual address>)
uint16(<offset or virtual address>)
uint32(<offset or virtual address>)
The intXX functions read 8, 16, and 32 bits signed integers from <offset or virtual
address>, while functions uintXX read unsigned integers.
Here is a rule that checks whether a file is a PE:
rule IsPE
{
condition:
// MZ signature at offset 0 and ...
uint16(0) == 0x5A4D and
// ... PE signature at offset stored in MZ header at 0x3C
uint32(uint32(0x3C)) == 0x00004550
}
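The IsPE rule is the classic use of these functions, and the nested uint32(uint32(0x3C)) is the part people stumble over. Here is an added example (my own code, not YARA's) that implements the intXX/uintXX readers with little-endian byte order and runs the IsPE check on a constructed buffer containing only the header bytes the rule looks at; the helper names are assumptions of this example.

```python
import struct

# Added example: YARA's intXX/uintXX readers and the IsPE rule, re-implemented
# over a constructed buffer. Not YARA's code; the names are this example's own.

_FORMATS = {            # little-endian, like the YARA functions
    'int8': '<b', 'int16': '<h', 'int32': '<i',
    'uint8': '<B', 'uint16': '<H', 'uint32': '<I',
}

def read_int(kind: str, data: bytes, offset: int):
    """Read a signed (intXX) or unsigned (uintXX) little-endian integer at offset.
    Returns None when the read would run past the end of the data, so a rule
    that depends on it evaluates to false instead of raising."""
    fmt = _FORMATS[kind]
    size = struct.calcsize(fmt)
    if offset < 0 or offset + size > len(data):
        return None
    return struct.unpack_from(fmt, data, offset)[0]

def is_pe(data: bytes) -> bool:
    """The IsPE rule: 'MZ' at offset 0 and 'PE\\0\\0' at the offset stored at 0x3C."""
    if read_int('uint16', data, 0) != 0x5A4D:          # "MZ" read as little-endian
        return False
    pe_header = read_int('uint32', data, 0x3C)         # e_lfanew: where the PE header is
    if pe_header is None:
        return False
    return read_int('uint32', data, pe_header) == 0x00004550   # "PE\0\0"

def build_fake_pe(pe_offset: int = 0x80) -> bytes:
    """Constructed sample: just the MZ stub, the e_lfanew pointer and the PE
    signature, which is all IsPE inspects."""
    buf = bytearray(pe_offset + 4)
    buf[0:2] = b'MZ'
    struct.pack_into('<I', buf, 0x3C, pe_offset)
    buf[pe_offset:pe_offset + 4] = b'PE\x00\x00'
    return bytes(buf)

if __name__ == '__main__':
    print(is_pe(build_fake_pe()))                                        # True
    print(is_pe(b'\x7fELF' + bytes(60)))                                 # False
    print(read_int('int8', b'\xff', 0), read_int('uint8', b'\xff', 0))   # -1 255
```

The last line shows why the signed and unsigned variants both exist: the same byte 0xFF reads as -1 through int8 and as 255 through uint8, so comparisons in a condition must use the variant that matches how the file format defines the field.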
Sets of strings
Not every string has to be present, but at least some must be; this is expressed with of. For example, 2 of ($a,$b,$c) means at least two of the strings must be present, any two.
rule OfExample1
{
strings:
$a = "dummy1"
$b = "dummy2"
$c = "dummy3"
condition:
2 of ($a,$b,$c)
}
Wildcards are supported in the string identifiers
rule OfExample2
{
strings:
$foo1 = "foo1"
$foo2 = "foo2"
$foo3 = "foo3"
condition:
/* ($foo*) is equivalent to ($foo1,$foo2,$foo3) */
2 of ($foo*)
}
rule OfExample3
{
strings:
$foo1 = "foo1"
$foo2 = "foo2"
$bar1 = "bar1"
$bar2 = "bar2"
condition:
3 of ($foo*,$bar1,$bar2)
}
You can even write $* for all of them, or use the keyword them
rule OfExample4
{
strings:
$a = "dummy1"
$b = "dummy2"
$c = "dummy3"
condition:
1 of them /* equivalent to 1 of ($*) */
}
all of them /*all strings in the rule */
any of them /*any string in the rule */
all of ($a*) /*all strings whose identifier starts by $a */
any of ($a,$b,$c) /*any of $a, $b or $c */
1 of ($*) /*same that "any of them" */
Applying the same condition to many strings
Syntax: for expression of string_set : ( boolean_expression )
Example: for any of ($a,$b,$c) : ( $ at entrypoint ) means that the strings selected by any of ($a,$b,$c) must also satisfy the expression $ at entrypoint.
Here $ stands for $a first, then $b, and finally $c.
These two are equivalent:
any of ($a,$b,$c)
for any of ($a,$b,$c) : ( $ )
These two are interesting:
for all of them : ( # > 3 )   # stands for the number of occurrences
for all of ($a*) : ( @ > @b )   @ stands for the string's first offset
Using anonymous strings with "of" and "for..of"
rule AnonymousStrings
{
strings:
$ = "dummy1"
$ = "dummy2"
condition:
1 of them
}
Iterating over string occurrences
rule Occurrences
{
strings:
$a = "dummy1"
$b = "dummy2"
condition:
for all i in (1,2,3) : (@a[i] + 10 == @b[i])
}
The for all i in (1,2,3) : (@a[i] + 10 == @b[i]) above
can also be written as: for all i in (1..3) : (@a[i] + 10 == @b[i])
If you don't know how many times a occurs: for all i in (1..#a) : (@a[i] < 100)
If you only want some of the strings to satisfy the condition:
for any i in (1..#a): ( @a[i] < 100 )
for 2 i in (1..#a): ( @a[i] < 100 ) // means the first character of the second string is < 100
Referencing other rules
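The condition operators introduced from "String offsets" onwards (at, in, #a, @a[i], "N of", and the for..in quantifiers) all reduce to a few primitives, so here is one added example (my own code for this post, not YARA's) that implements them over raw bytes and evaluates the Occurrences rule and the for 2 i in (1..#a) form on a constructed sample. It also handles the edge case where i runs past #a, which makes @a[i] undefined. The function names are assumptions of this example.

```python
# Added example: the condition operators from the post (#a, @a[i], at, in,
# "N of", "for N i in (...)") implemented over raw bytes. Not YARA's code.

def occurrences(data: bytes, needle: bytes) -> list:
    """Offsets of every occurrence of needle, in order; len() of this is #a."""
    offsets, start = [], 0
    while True:
        idx = data.find(needle, start)
        if idx == -1:
            return offsets
        offsets.append(idx)
        start = idx + 1          # overlapping occurrences count too, as in YARA

def occurrence_at(data: bytes, needle: bytes, i: int):
    """@a[i] with YARA's 1-based index; None when i is beyond #a (undefined)."""
    offs = occurrences(data, needle)
    return offs[i - 1] if 1 <= i <= len(offs) else None

def string_at(data: bytes, needle: bytes, offset: int) -> bool:
    """$a at <offset>"""
    return offset in occurrences(data, needle)

def string_in(data: bytes, needle: bytes, lo: int, hi: int) -> bool:
    """$a in (lo..hi): some occurrence starts inside the inclusive range."""
    return any(lo <= o <= hi for o in occurrences(data, needle))

def quantified(quantifier, results) -> bool:
    """Evaluate 'all', 'any' or a count N over a list of booleans."""
    hits = sum(1 for r in results if r)
    if quantifier == 'all':
        return hits == len(results)
    if quantifier == 'any':
        return hits >= 1
    return hits >= int(quantifier)

def n_of(quantifier, data: bytes, needles) -> bool:
    """'<quantifier> of ($a,$b,...)': counts how many strings are present at all."""
    return quantified(quantifier, [bool(occurrences(data, n)) for n in needles])

def for_each_occurrence(quantifier, data, needle, lo, hi, predicate) -> bool:
    """'for <quantifier> i in (lo..hi) : ( predicate(@a[i]) )'.
    An index past #a makes @a[i] undefined, which counts as not satisfied."""
    results = []
    for i in range(lo, hi + 1):
        off = occurrence_at(data, needle, i)
        results.append(off is not None and predicate(off))
    return quantified(quantifier, results)

def rule_occurrences(data: bytes) -> bool:
    """rule Occurrences: for all i in (1,2,3) : ( @a[i] + 10 == @b[i] )"""
    results = []
    for i in (1, 2, 3):
        a = occurrence_at(data, b'dummy1', i)
        b = occurrence_at(data, b'dummy2', i)
        results.append(a is not None and b is not None and a + 10 == b)
    return quantified('all', results)

# constructed sample: three "dummy1" blocks, each with "dummy2" 10 bytes later
BLOCK = b'dummy1' + b'\x00' * 4 + b'dummy2'
SAMPLE = BLOCK * 3

if __name__ == '__main__':
    print(occurrences(SAMPLE, b'dummy1'))                                   # [0, 16, 32]
    print(rule_occurrences(SAMPLE))                                         # True
    print(for_each_occurrence('2', SAMPLE, b'dummy1', 1, 3, lambda o: o < 100))   # True
    print(n_of('2', SAMPLE, [b'dummy1', b'dummy2', b'dummy3']))              # True
```

Running rule_occurrences on BLOCK * 2 shows the undefined case: $a and $b only occur twice, so @a[3] has no value and the "for all" fails rather than matching by accident.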
rule Rule1
{
strings:
$a = "dummy1"
condition:
$a
}
rule Rule2
{
strings:
$a = "dummy2"
condition:
$a and Rule1
}
5 More about rules
Global rules
Means every rule has to satisfy it
global rule SizeLimit
{
condition:
filesize < 2MB
}
/* adds the constraint "file size < 2MB" to every rule */
Private rules
Ugh, I don't get this one:
Private rules are a very simple concept. They are just rules that are not reported by YARA
when they match on a given file. Rules that are not reported at all may seem sterile at first
glance, but when mixed with the possibility offered by YARA of referencing one rule from
another (see section 4.5) they become useful. Private rules can serve as building blocks
for other rules, and at the same time prevent cluttering YARA's output with irrelevant
information. For declaring a rule as private just add the keyword private before the rule
declaration.
Rule tags
Just ordinary tags, so users can easily pick out the rules carrying the tags they're interested in
rule TagsExample1 : Foo Bar Baz
{
...
}
rule TagsExample2 : Bar
{
...
}
Metadata
Stores extra information about the rule
rule MetadataExample
{
meta:
my_identifier_1 = "Some string data"
my_identifier_2 = 24
my_identifier_3 = true
strings:
$my_text_string = "text here"
$my_hex_string = { E2 34 A1 C8 23 FB }
condition:
$my_text_string or $my_hex_string
}
External variables
rule ExternalVariableExample1
{
condition:
ext_var == 10
}
Here ext_var is an external variable.
In this case ext_var is an external variable whose value is assigned at run-time (see -d
option of command-line tool, and externals parameter of compile and match methods in
yara-python)